What You Need to Know about Spam Filters
Email has become the lifeblood of many companies. It is the primary way for most businesses to communicate both among their own staff as well as with other companies and customers. We email questions, answers, order confirmations, alerts, bills, documents, meeting appointments, and so much more. It’s used so much now that we joke about comparing how excited we used to get hearing the ‘ding’ of a new email message (because everything used to come as physical mail) to how we’re far more excited to see an actual paper letter now because everything seems to be emailed!
The point is, email is critical. So how do you make sure you send and receive what you need without also bringing in everything else?
There are multiple acronyms in this article. For any you may not know or may want additional info about, please click here to view our Alphabet Soup collection of tech abbreviations. It will open in a separate tab so you can click back and forth.
A (Very) Brief History of Email
Email is sent via SMTP, which is a very basic framework standard. SMTP was designed in the early 1980’s when people started to communicate between dissimilar computer systems and needed to set a standard for sending email. At that time, there were so few people using such things that security wasn’t even a thought. With the SMTP framework in place, you could just connect to any email server and craft any email you wanted to. You could even pretend it was from anyone else. People would have fun sending an email to a colleague and having it come from firstname.lastname@example.org or email@example.com. Nothing checked to verify that the emails came from a valid domain, or from a server that was allowed to send that email.
As businesses started to use email more often, spam came into play (thank Monty Python for this term! – click to read the Did You Know section of our September 2020 newsletter about this). Most of us think of spam as unsolicited “junk” email, those messages typically for advertising that fill up our mailbox and take forever to clean up because they never stop coming in.
As email use increased, however, spam became more malicious and fraudulent. Criminals saw a new way to make money by stealing and reselling information or by demanding ransoms. We saw attempts to falsify emails and get credentials with phishing, or to send viruses in emails to get access to corporate information, health records, or to hold your company ransom by encrypting your data. These emails typically use some form of targeted social engineering to make you believe that they are valid.
The Spam Filter
This all culminated in the creation of spam filters. Spam filters are programs that basically ‘read’ every email as it comes in and make one of 3 determinations: It is a valid email, it is an invalid email (known spammer, virus or malware detected, etc.), or the filter is unsure (Quarantine). Valid emails will be sent on to the recipient; invalid ones blocked; and the unsure emails will be sent as a quarantined notification to allow the receiver to determine if the email is valid or not.
In a spam filter, there are various tests used to determine what type of email has been sent. We are going to go through a basic version of this process for two reasons. One, knowing this process could help you think about tightening up the settings on your own spam filter (if you’re not already one of our clients). Two, seeing these tests could help you address issues you may be facing in your company when people say they don’t receive your messages.
Spam Filter Verification Tests:
- Greylisting – This looks at the sender. If the filter doesn’t recognize the sender, it basically tells them to resend the email in a few minutes. Many spam senders do not have their email server set up to do this, so the spam email never gets resent to pass through the filter.
- Invalid Recipient – Does the email address being sent to even exist? No point in forwarding an email to the mail server if no one can receive it.
- Virus – If the email contains a known virus, the filter blocks the email.
- RBL – Checks for maintained lists of known spammers.
- SPF/DKIM/DMARC – This check is important—it is the first step that really looks at who is sending the email and tries to determine if it is valid. SPF and DKIM are ways of determining if an email comes from an allowed source. DMARC is a determination and reporting tool that tells the spam filter what to do with emails that fail the SPF/DKIM checks. When configured correctly, this reduces the amount of phishing and fraudulent emails.
- Banned Attachments – This looks at any files attached to the email. Typically, executable files will be banned when sent via email. PDFs and Word or Excel documents are typically allowed, but watch out for macros.
- Whitelist / Blacklist – This is one of the cleanest determinations, but one that relies heavily on the DKIM/SPF check. If a sender is whitelisted and passes the earlier check, no further checks are made and the email is delivered to the recipient. If the sender is blacklisted, the email is considered to be invalid and rejected.
Where this can be possibly abused is with marketing partners. If you whitelist a company, and someone at that company uses a marketing service (like Sendgrid); a spammer could sign up for a Sendgrid account and use that to spoof the marketing partner’s access.
- Spam Scoring – At this point, the email will either be clean or quarantined. The filter will “read” the email, and then, based on predetermined tests and filter rules, assign a score to the email. For example, the filter may look for certain phrases in the message that indicate common spam attempts, such as “eliminate bad credit,” “xxx,” or “warning – account deactivated.” If the score is below the threshold, the email is considered clean and forwarded on. If the score is above the threshold, then the email is moved into quarantine for a user to determine its validity. Filters can be set with a second-higher scoring setting for emails that will just be rejected if you so choose.
Spammers also know of these steps used to combat them, and they will continue to try to craft emails that can successfully pass through all the tests above. Be vigilant, and report spam emails that do make it through. We can review those emails to try to prevent spam in the future based on what we see in the emails that do make it through.
What About the Emails You Send?
Now, spam filters are important not just in how they protect you, but also in how your emails are received by others. Your recipients have spam filters, too, and they check the emails you send for these same things.
Here are 2 things you can do to make sure the emails you send are valid:
- Make sure that emails sent from your domain are covered in SPF and DKIM records. This is especially important when you have an outside marketing company that sends email on your behalf because those emails need to be covered under the umbrella.
- Enable DMARC so that you can determine if your emails are being considered suspect or if someone is trying to send spam pretending to be your company.
Here at Infinity, we take email protection very seriously. There are so many attacks coming in every moment of every day, and all it takes is one to get through and get clicked on. This is also why we push employee awareness training so strongly, to keep that click from happening. But ideally, the messages never make it through in the first place. So don’t hesitate to reach out to us with any questions or email security requests. The better protected each one of us is, the better protected we all are.