
Anti-spam Filtering Tools & Email Security


Email is undoubtedly one of the most used and effective forms of communication today. Every business relies heavily on email and the internet. However, the rapid growth of email has also resulted in a massive growth in email threats. The obvious ones are viruses, spyware and, of course, general spam messages. There are also other concerns when it comes to email, such as leakage of confidential information from within the company, bullying, and the exchange of indecent material such as pornography, violence and hate mail, along with legal and ethical issues that all have to be monitored and controlled. Not to mention other forms of attack via email, such as denial of service attacks, spoofing of emails and many more.

Email security firewalls, or anti-spam security filters, have been designed to address the security issues mentioned above. Due to the vast amount of spam flying around, businesses look into investing in anti-spam solutions. An anti-spam solution looks at each individual email and decides whether it is spam or legitimate, whether it contains any malicious threats, and whether it breaks any of the company's security policies. Anti-spam software comes with various layers of tools for combating these. An example at a very basic level would be looking at the subject and body of an email message for common spam-like statements.

On the left-hand menu there is a list of spam security terminology, tools and features used in many of the mainstream anti-spam solutions to combat threats.

Anti-spam solutions provide protection tools to combat the following threats:

- Viruses, Trojans and bots

- Spam and phishing attacks

- Spyware

- Confidential data leakage

- Illegal and stolen material

- Denial of service attacks

- Company defined breaches

- Generally immoral or unethical email, such as hate mail and pornography


Anti-spam security Tools & Techniques

Email security solutions should apply various defence-in-depth technologies when analysing potentially harmful email messages. These include common defence mechanisms addressing many connection-based and content-based attacks, as well as other security aspects.

The following sections describe the most common connection-based and content-based controls that anti-spam solutions use to protect organisations from email-based threats.


Connection based controls

The following are examples of connection-based controls:

Denial of service protection – protection against DoS attacks.

Rate control – controls how many connections are permitted from the same IP address. This is a subset of DoS protection.

Sender authentication – validating and authenticating the sender using techniques such as reverse DNS lookup, SPF and anti-spoofing techniques.

Recipient verification – protection against directory harvesting attacks using techniques such as verifying recipients against an LDAP server and ensuring emails are RFC compliant.

SPF (Sender Policy Framework) and Sender ID validation – if SPF records exist for the sender's domain, the connecting host is checked against them to validate that the email is coming from where it is supposed to come from, verifying the sender address and preventing spoofed email.

Greylisting – greylisting rejects the connection temporarily. The originating server will retry sending the email message after a short period. Spam botnets are not capable of, or do not tend to, retry sending an email message that has already been rejected, whereas legitimate email servers do retry.

Real-time IP blocklist – the connection is checked against RBL servers to determine whether the connecting IP is a known or suspected spam-originating IP address.

BATV (Bounce Address Tag Validation) – validating bounce-back messages to ensure each is a legitimate bounce.

Validate sender domain – a reverse DNS lookup is performed against the connecting host.

Blacklisting – blacklisting a host name, IP address, domain name or email address so that the source is not able to send any email messages. With blacklisting, wildcards can be used to simplify the process. For example, if you wanted to block the IP addresses in the 192.168.1.0 255.255.255.0 range, you can enter the wildcard 192.168.1.*

Whitelisting – whitelisting a host name, IP address, domain name or email address to ensure the source is able to send email messages.

Directory harvesting protection – counting invalid recipients per connection in order to detect and block directory harvesting attacks.

LDAP integration – by integrating the anti-spam security solution with an LDAP server, the anti-spam service accepts and processes only recipients that exist in the LDAP directory and rejects all other recipients, for which there is no account on the LDAP server.
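As an added example (not code from the original page or any product it describes), the following models three of the connection-stage controls above in the order a filter would apply them: wildcard whitelist/blacklist matching, per-IP rate control and greylisting keyed on the (IP, sender, recipient) triplet. The limits, delays and sample addresses are assumptions made for illustration.

```python
import fnmatch
import time
from collections import defaultdict

# Added example (not from the original page): a minimal model of three of
# the connection-stage controls above, in the order a filter would apply
# them: wildcard whitelist/blacklist, per-IP rate control and greylisting.
# Limits, delays and the sample addresses are constructed for illustration.
class ConnectionFilter:
    def __init__(self, rate_limit=5, rate_window=60, grey_delay=300,
                 blacklist=(), whitelist=()):
        self.rate_limit, self.rate_window = rate_limit, rate_window
        self.grey_delay = grey_delay
        self.blacklist, self.whitelist = list(blacklist), list(whitelist)
        self.seen = defaultdict(list)  # ip -> recent connection timestamps
        self.greylist = {}             # (ip, mail_from, rcpt_to) -> first seen

    @staticmethod
    def _matches(ip, patterns):
        # Wildcard match as in the blacklisting text, e.g. "192.168.1.*"
        return any(fnmatch.fnmatch(ip, p) for p in patterns)

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return 'accept', 'reject:<reason>' or 'tempfail:greylisted'."""
        now = time.time() if now is None else now
        if self._matches(ip, self.whitelist):
            return "accept"
        if self._matches(ip, self.blacklist):
            return "reject:blacklisted"
        # Rate control: keep only timestamps inside the window, then count
        recent = [t for t in self.seen[ip] if now - t < self.rate_window]
        recent.append(now)
        self.seen[ip] = recent
        if len(recent) > self.rate_limit:
            return "reject:rate-limited"
        # Greylisting: the first attempt for a new (ip, sender, recipient)
        # triplet gets a temporary failure (SMTP 4xx); a retry after
        # grey_delay seconds is accepted, earlier retries are deferred again
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first = self.greylist.setdefault(key, now)
        if now - first < self.grey_delay:
            return "tempfail:greylisted"
        return "accept"
```

Note that whitelisted sources skip the rate and greylist checks entirely, which is why a whitelist entry should be as narrow as possible.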

 

Content based controls

The following are examples of content-based controls:

Anti-virus engine – content is checked for viruses. Some anti-spam security solutions support the use of multiple anti-virus engines. This enables a proxy to run two different anti-virus packages, so that if one fails to pick up a virus, chances are the other engine will.

Anti-spyware engine – content is checked for spyware.

URL blocklist – the content of the email message is checked for any URLs registered in a URL database. The URLs in the database have previously been identified as spam sources.

Anti-spam signature database – the email message's signature is checked against a database of known spam signatures. If it matches, the email message is classified as spam.

Detection of malformed messages/attachments – the detection of deliberately malformed email messages, which are usually used for DoS attacks.

Blocking file types (*.vbs, *.exe, etc.) – blocking of certain file types.

Files defined to be blocked by checksum – using a checksum to define which files should be blocked. Blocking files by file name can prove vulnerable because users simply rename the file to bypass the system, hence the need for checksums.

Compress or strip attachments by size or type – the email is delivered, but large or dangerous attachments are compressed or stripped.

Stripping of active HTML code from an email – the email is delivered, but links that could potentially lead to dangerous websites are removed.

Blocking via MIME types (Multipurpose Internet Mail Extensions) – blocking of images, video, music and other MIME-typed content within an email.

Percentage of HTML in message – if too much HTML is found within an email, it signifies a very spam-looking email, and some proxies, depending on how they are configured, may quarantine or tag the message.

Unsubscribe link detection – whether a message contains an unsubscribe link; another example of using regular expressions.

Bayesian analysis – used to determine the probability of an email message being spam using the Bayesian algorithm.

Image analysis – used to analyse images within the body of the message. Images such as pornography are dropped or quarantined. Attachments can also be scanned for images.

Off-hours delivery – large emails that consume bandwidth and resources can be parked for delivery out of hours, when network usage is at its lowest.

Expression lists / dictionaries – searching email headers, the subject or the body of the email message for certain words, expressions and sentences. If there are any matches, an action is performed which should be dictated by the organisation's security policy. For example, you can configure your email security solution so that if the statement "Buy Viagra" or any profane word is detected in an email message, the email is quarantined.

Rule-based spam scoring – anti-spam security solutions have their own way of assigning an email message an overall spam score, depending on the overall characteristics and behaviour of the message and sender. If this score is above a threshold, a certain action is applied, such as blocking the message. If the threshold is not met, another action can be applied, such as permitting the message to be delivered to the end user. Some anti-spam solutions have an intermediate band, where if an email has scored close to the threshold, a further action is applied, such as tagging the message as suspected spam and subjecting it to further analysis.
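As an added example (not code from the original page or any product it describes), the following combines several of the content checks above into a rule-based scorer and maps the total to the three action bands the text describes. The rule weights, thresholds and sample messages are assumptions constructed for illustration.

```python
import re

# Added example (not from the original page): a minimal rule-based scorer
# combining an expression dictionary, an unsubscribe-link regex, blocked
# file types and the HTML percentage check, mapped to three action bands.
# Rule names, weights and thresholds are constructed for illustration.

def html_ratio(body):
    """Fraction of the body taken up by HTML tags (0.0 for an empty body)."""
    if not body:
        return 0.0
    tagged = sum(len(t) for t in re.findall(r"<[^>]+>", body))
    return tagged / len(body)

RULES = [  # (name, points, predicate over a message dict)
    ("dictionary_match", 3.0,
     lambda m: re.search(r"\bbuy viagra\b", m["subject"] + " " + m["body"], re.I)),
    ("unsubscribe_link", 1.0,
     lambda m: re.search(r"\bunsubscribe\b", m["body"], re.I)),
    ("blocked_file_type", 5.0,
     lambda m: any(a.lower().endswith((".exe", ".vbs")) for a in m["attachments"])),
    ("html_heavy", 2.0, lambda m: html_ratio(m["body"]) > 0.5),
]

def score(message):
    """Return (total score, names of the rules that fired)."""
    total, hits = 0.0, []
    for name, points, predicate in RULES:
        if predicate(message):
            total += points
            hits.append(name)
    return total, hits

def classify(total, block_at=6.0, tag_at=3.0):
    """Map a score to the action bands: block / tag for review / deliver."""
    if total >= block_at:
        return "block"
    if total >= tag_at:
        return "tag-suspected-spam"
    return "deliver"

# Constructed sample messages
SPAM = {"subject": "Buy Viagra now", "attachments": [],
        "body": "<html><body><b>Cheap!</b> Click to unsubscribe</body></html>"}
HAM = {"subject": "Meeting notes", "attachments": ["notes.pdf"],
       "body": "Hi team, notes attached. Thanks"}
BORDERLINE = {"subject": "Special offer", "attachments": [],
              "body": "Buy Viagra cheap. Click here to unsubscribe."}
```

Running `classify(score(m)[0])` over the three samples yields block, deliver and tag-suspected-spam respectively, with `score` returning which rules fired so the decision can be explained in the quarantine log.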

 

With most anti-spam solutions, an email message is checked against connection-based defence methods first and then against content-based defence rules. This makes sense, because connection-based control methods, as discussed above, provide a first line of defence against attacks such as denial of service. There is no point breaking messages down and undertaking content-based checks if the message is then blocked because it is part of a denial of service attack. Content-based scanning can be quite heavy on the CPU and therefore should be done as the final verification after all the other security inspection checks.


Other security features used on anti-spam security solutions

The following list gives some of the other common features found in anti-spam solutions:

TLS encryption – securing emails while in transit.

Hardened operating system – minimising the chances of an attack via the operating system.

Internal-to-internal scanning of email messages – usually emails are only scanned when leaving or entering the organisation, known as outbound and inbound email traffic. Scanning emails exchanged between internal users within the company allows email between internal employees to be controlled and monitored as well.

Data Leakage Protection (DLP) – ensuring confidential data does not leave the organisation.


Further Reading

Wikipedia's guide to Anti Spam Techniques