Decreasing effectiveness of spam (junk email) filtering.
No spam filter will stop all spam email and no spam filter
will allow all legitimate email to pass.
The purpose of this document is to offer a view of the
process involved and an understanding of the major parts of a spam filtering
system. This is a vastly oversimplified and incomplete document regarding the
ineffectiveness of spam filters and is constantly being updated, so use it as
a guide only.
The three main things you need to protect yourself against
becoming a victim of spam are good quality, up-to-date security software, good
quality spam filtering and vigilance.
There are over 100 spam filtering systems available, and the
sender's mail server and/or the recipient's mail server could use any
combination of them to filter spam.
In order for a spam filter to be effective it needs to be
able to tell the difference between a legitimate email and spam. To achieve
this, a predictable pattern needs to be identifiable so that the spam filter can
award a spam rating to the email. The higher the rating, the higher the chance
there is of the email being spam. It's not black and white.
A spam filter attributes a spam value to an email. In its
simplest form it has several values ranging from off, low, medium, high and
blacklisted, although more sophisticated spam filters (such as on our Hosted
Exchange) have a numerical rating system.
All known blacklisted emails are automatically sent to a
spam folder and the remaining email will be assessed for a spam rating. This
means it is up to the 'intelligence' of the spam filter to identify what is spam
and what is not. Spammers are constantly trying to outsmart the spam filters and
are very good at it. In essence, this means the spam filters are constantly
playing catch-up, so they will never be perfect.
There are several patterns which can be used to identify
spam. This is a brief outline of the most common techniques used.
1 – The 'sender's name'.
2 – The 'subject'.
3 – The sender's IP. If the sender uses a mobile device,
the sending IP is variable.
4 – The IP address of the sender's domain (its 'A'
record) and other settings.
5 – The location of the device sending content.
6 – The content of the message.
7 – A variation in the volume of email through a
particular gateway or from a particular computer.
8 – The sender's email address.
9 – Sites hosted on the server the domain is hosted on
or registered with.
10 – The volume of email being sent from the sender's
server.
Let’s deal with each in turn.
1 – The 'sender's name'.
A spammer knows that you can easily blacklist the sending
email address, so they change their email address for every email they send.
Sometimes they will change their name to yours!
2 – The 'subject'.
In the good old days, the subject used to be relevant to
the email; now it is more sinister. They can use what looks like your bank,
PayPal, competitions and so on. Spammers will use anything (and I mean
anything) to try to get you to open/read their email.
3 – The sender's IP.
Every device on the internet will have an individual IP
(much like your phone number is unique), so it is possible to trace the source
IP of the sender. Spammers know this and can mask their sending IP.
Spammers take over someone else's PC to spam from, thus
protecting their own IP. If they do, the IP of the compromised PC (and
probably the domain) may become blacklisted. A decent Internet Security program
and vigilance will help to protect you. If the sender uses a mobile device, the
sending IP changes depending on which mobile phone mast they are connected to,
so using the sender's IP address is not an accurate way of identifying a sender.
4 – The IP address of the sender's domain (its 'A'
record) and other settings.
If a genuine sender has an incomplete, inaccurate or
misconfigured 'A' record, email from them will get a higher spam rating. You can
check this using the domain diagnostics web site listed at the bottom of this
document. Please note, the domain may be registered with a different provider
from the one it is hosted on, and both are open to being blacklisted by a spam
filter.
Other settings include the sender's SPF record (and yours),
the mail servers used by them or by you, subdomains, 'AAAA' records and so on.
Use the link at the bottom of this document to check these for yourself.
5 – The location of the device sending content.
The location of the device sending the email may change
frequently, and the changes may be detected as a spammer trying to cover their
tracks. However, sending locations can be spoofed, for example by using an
international VPN to make it look like the email was sent from a different
country!
Another reason an email may attract a higher spam rating
could be the country the email is sent from. Some countries are much
more notorious than others for hosting spammers, and email sent from them
automatically attracts a higher spam rating.
This can be a serious problem for clients who receive email
from foreign countries, particularly countries with poor reputations and poor
legal structures.
6 – The composition of the content.
Spam filters can use sophisticated rules to identify
some types of spam, for example certain rude words, references to illegal
material, etc. To get round this, spammers substitute characters within words
with look-alike symbols or digits. For example, they use '!' instead of 'I',
'5' instead of 's' and so on.
Instead of sending you text, spammers may send you a
picture of text. This is not easy for a spam filter to identify as spam.
However, an email which is made up solely of a picture may attract a higher
spam rating than one that is not.
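The technique above, as an added example that is not part of the original document: the filter undoes common look-alike substitutions before keyword matching, adds points for the obfuscation itself and for an image-only body, and maps the numeric rating to the low/medium/high bands described earlier. The substitution table, keyword list and thresholds are assumptions for illustration.

```python
import re

# Assumed look-alike map: symbol/digit -> the letter it usually stands for.
SUBSTITUTIONS = {"!": "i", "1": "i", "|": "i", "5": "s", "$": "s",
                 "0": "o", "3": "e", "4": "a", "@": "a", "7": "t"}
# Assumed keyword list; a real filter would have a much larger one.
FLAGGED_WORDS = ("free", "prize", "casino")
# Letter, then a look-alike symbol/digit, then a letter: 'W!n', 'ca5ino'.
OBFUSCATED = re.compile(r"[A-Za-z][!|$@0-9][A-Za-z]")


def normalise(text):
    """Lower-case the text and map look-alike characters back to letters."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in text.lower())


def score(subject, body, is_image_only=False):
    """Award a numeric spam rating from the content signals in section 6."""
    raw = subject + " " + body
    text = normalise(raw)
    points = 0
    # Keyword hits are checked on the de-obfuscated text, on word boundaries
    # so that 'free' does not match inside 'freedom'.
    for word in FLAGGED_WORDS:
        if re.search(r"\b" + word + r"\b", text):
            points += 2
    # The substitution trick is itself a signal; cap it so one long
    # obfuscated message cannot dominate the rating.
    points += min(len(OBFUSCATED.findall(raw)), 3)
    # A message that is nothing but a picture gets a higher rating.
    if is_image_only:
        points += 3
    return points


def band(points):
    """Map the numeric rating onto the simple low/medium/high scale."""
    if points <= 1:
        return "low"
    if points <= 5:
        return "medium"
    return "high"
```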
7 – A variation in the volume of email through a
particular gateway or from a particular computer.
If a server sends out 1000 emails a month and this suddenly
rises to, say, 10,000 a day, then this may be treated as a compromised server
and the emails treated as spam. The ISP may shut down the server.
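The volume check above, as an added example that is not part of the original document: it counts outbound 'sent' lines per day from mail-log text and flags a day whose volume is far above the historical daily average. The log line format and the sample data are constructed; the roughly 1000 a month baseline and the 10,000 a day spike mirror the figures in the text.

```python
import re
from collections import Counter
from statistics import mean

# Assumed log format: "<date> <time> sent from=<address> ..."
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ sent from=<([^>]+)>")


def counts_per_day(log_text):
    """Count 'sent' lines per calendar day; other lines are ignored."""
    days = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            days[m.group(1)] += 1
    return days


def volume_spike(history_counts, today_count, factor=10, floor=200):
    """True when today's count is at least `floor` and more than `factor`
    times the historical daily average. The floor keeps a quiet server
    (2 a day) from being flagged on a 20-email day."""
    if not history_counts:
        return False
    return today_count >= floor and today_count > factor * mean(history_counts)


def flag_days(days, factor=10, floor=200):
    """Walk the days in order, comparing each against all earlier days."""
    flagged, seen = [], []
    for day in sorted(days):
        if seen and volume_spike(seen, days[day], factor, floor):
            flagged.append(day)
        seen.append(days[day])
    return flagged


def sample_log():
    """Constructed data: 30 days at 33 sends (about 1000 a month), then
    one night with 10,000 sends, plus a non-'sent' line that is ignored."""
    lines = []
    for d in range(1, 31):
        lines += [f"2021-01-{d:02d} 09:00:00 sent from=<alice@example.com> relay=mx"] * 33
    lines += ["2021-01-31 02:13:00 sent from=<alice@example.com> relay=mx"] * 10000
    lines.append("2021-01-31 02:14:00 deferred from=<bob@example.com>")
    return "\n".join(lines)
```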
8 – The sender's email address.
If you get a spam from a@b.com
and you identify it as spam, you can reject it as such. Spammers know this
and can change the sender's email address for every email they send.
If you get an email from someone you know, you are
more likely to open it, so it is in a spammer's interest to know who is in your
inbox. That's why your colleagues may get spam allegedly sent from you! They
can pick up your details and your friends' details from packet snooping,
compromised mail systems, hacking your computer, hacking any of your colleagues'
computers, Facebook (or any online social system), Christmas lists, other spam
and, of course, they can purchase email lists from other spammers. This is not
an exhaustive list.
If this happens, as a precaution, you should
change your password and update it on all your devices.
If a recipient's volume of spam is serious, you may have to
make the ultimate sacrifice and change your email address. If you host your own
email (for example, Exchange), you may need to make more serious changes. Even
after you do all that, you will be starting from scratch, with all the
opportunities spammers have of finding the new email address and spamming it!
What about false positives? When a sender creates an
email and sends it to the recipient, it passes through a series of servers,
most if not all of which will have spam and virus filtering software running.
Also, the sender's system, and any one of the hops between the sender and
recipient, may be compromised and the legitimate email classified as spam. This
is called a false positive.
When this happens, it is up to the recipient themselves to
identify it correctly and resolve it.
Check the sender's domain at
https://www.domaindiagnosis.com/
Check which spam blacklists the sender's email server may be on:
https://mxtoolbox.com/blacklists.aspx/
Colum Maguire.
This document is incomplete. Corrections, updates,
adjustments, and recommendations gratefully received.
E&OE.
Last updated 2/2/21