Spam Filtering: An Important Part of a Nutritious Breakfast

Careful planning is the most important part of any effective anti-spam deployment. We offer key tips to maximize your chances of success.

Link Porterfield

The spam problem goes far beyond annoying solicitations for questionable products. These days, it's a frequent vector for identity theft, ransomware and more. Photo by scanrail/stock.adobe.com

The first spam email was sent 44 years ago, and the threat posed by this sinister practice has grown to reach a scale that few, if any, could have envisioned back in the late 1970s. The spam problem goes far beyond annoying solicitations for questionable products and unwanted adverts from presumably well-meaning, but misguided and overzealous, marketing teams.

These days, it’s a frequent vector for identity theft, ransomware and other extortion attempts. Even the most conservative figures for the resulting financial damages attributable to spam are staggering! A well-implemented spam-filtering solution can become an indispensable part of your defense against online crime. 

Planning is the most important part of any successful spam-filtering deployment. Working with an expert to make sure you completely understand your current mail flow, as well as your desired outcomes, can mean the difference between a seamless integration that goes off without a hitch and one that is an unmitigated disaster, replete with lost email.

If you know in advance how your email domains both send and receive mail, you’ll be armed with key details that need to be accounted for in any spam-filtering project. 

Ongoing Monitoring and Maintenance 

As with any technology, spam-filtering tools are not “one size fits all,” and they’re not “set it and forget it,” either. Once you have a spam-filtering tool in place, you will have to monitor and maintain it.

This is a critical element of any successful solution, whether you rely on in-house staff, a trusted solution provider or a combination that leverages both. Adopting a strategy in which only the mailbox owner handles maintenance might seem like a way to spread out the effort, but taking that tack forsakes the benefits of aggregate knowledge and cumulative experience that specific individuals or teams can reap.

Planning for dedicated resources, which can check the email quarantine to evaluate and adjust filtering rules, will leave you in a more advantageous position. 

Having a plan in place to review your filtering rules regularly can help you learn which ones are ineffective. After all, one can easily create a rule that is overly broad or excessively specific.

Too many times, I have seen an inquiry from a mailbox owner, asking why they received some spam email, only to find out that they added the sender’s email address to their allow list, or they placed an overly specific address on their block list.

Obviously, the former bypasses regular filtering; by contrast, the latter often allows similar messages through because they do not match the narrow filter criteria. Learning what works and what doesn’t work takes time and, often, what seems intuitive might prove ineffective.

Given that cloud computing is effectively a global resource, quarantining — or even simply labeling — email by country of origin is just one situation where a decision might produce unexpected results and require adjustment. 

Every inbound message that reaches the spam filter has many evaluations performed on it, and those are coupled with any custom filters that your organization’s email administrator has defined. Among the most important checks performed are anti-spoofing tests.

Configuring your domain to be Domain-based Message Authentication, Reporting & Conformance (DMARC) compliant is not something that can be done entirely within your spam filter, even one that includes beneficial tools such as DomainKeys Identified Mail (DKIM) signing. Once in place, however, DMARC makes it possible for your spam-filtering system, as well as those of your recipients, to confirm the authenticity of email claiming to be sent from one of your domains.

Although DMARC compliance appears to be a simple concept on the surface, a valid implementation can prove challenging in the absence of a knowledgeable partner. 
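Once a DMARC policy is published, receivers send aggregate reports back to the address in the record, and reviewing them is where the "check the reports" work happens. The following is an added example, not code from the article or from epic.network: it parses a constructed aggregate report in the RFC 7489 appendix C layout and sorts sending sources by how they authenticated, so the ones that need follow-up stand out. The receiver name, IP addresses and counts are invented.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in the RFC 7489 appendix C layout.
# The receiver name, IP addresses and counts are invented for this example.
REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>c0ffee-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>203.0.113.7</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.250</source_ip><count>15</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.9</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def parse_report(xml_text):
    """Return (published policy, per-source rows) from one aggregate report."""
    root = ET.fromstring(xml_text)
    policy = {"domain": root.findtext("policy_published/domain"),
              "p": root.findtext("policy_published/p")}
    rows = [{"ip": rec.findtext("row/source_ip"),
             "count": int(rec.findtext("row/count")),
             "disposition": rec.findtext("row/policy_evaluated/disposition"),
             "dkim": rec.findtext("row/policy_evaluated/dkim"),   # aligned DKIM result
             "spf": rec.findtext("row/policy_evaluated/spf")}     # aligned SPF result
            for rec in root.iter("record")]
    return policy, rows

def triage(rows):
    """Bucket sending IPs by how their mail authenticated, for follow-up."""
    out = {"aligned": [], "partial": [], "unauthenticated": []}
    for r in rows:
        if r["dkim"] == "pass" and r["spf"] == "pass":
            out["aligned"].append(r["ip"])          # fully legitimate, nothing to do
        elif "pass" in (r["dkim"], r["spf"]):
            out["partial"].append(r["ip"])          # e.g. vendor mail that is DKIM-signed but fails SPF
        else:
            out["unauthenticated"].append(r["ip"])  # spoofing, or your own server missing from SPF/DKIM
    return out

def quarantined_volume(rows):
    """Messages the receiver actually quarantined or rejected under your policy."""
    return sum(r["count"] for r in rows if r["disposition"] in ("quarantine", "reject"))
```

The "unauthenticated" bucket is the one to work through first: it contains either spoofing or a legitimate server that was never added to SPF or DKIM, and the published policy decides what receivers do with it in the meantime.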

Extra Layers of Protection 

Once you have a hosted spam-filtering solution in place to protect your inbound emails, you can add outbound filtering for extra layers of protection. Should one of your email accounts become compromised, having outbound filtering in place will increase the chances that any attempts to abuse the account for malicious purposes will be caught and quarantined. Outbound filtering can also be used to enforce Data Loss Prevention (DLP) policy, including preventing inclusion of protected client data in emails. 

If you implement outbound filtering, it’s best, when possible, to go “all in” and route every outbound message through the filter. This allows you to list only the filter in your Sender Policy Framework (SPF) record and exclude your actual mail server IP addresses. Should an email account be compromised by an attacker who is sufficiently sophisticated to circumvent your outbound filtering, the message will fail SPF verification because it did not originate from an address listed in your record.

If your messages are DKIM signed by your mail server rather than by your outbound filter, however, a message that fails SPF may still appear authentic. This is not a silver bullet, but it is a good practice.

Splitting your email across multiple domains assigned by purpose is a technique that larger enterprises have long practiced, and it can be quite helpful on any scale. Using your main domain for individual email communication, in conjunction with dedicated domains for marketing and transactional emails, makes it easier to employ different management techniques.

In addition to protecting your primary email domain from any mistakes made in the other domains, it helps you stay within SPF’s limit of 10 DNS lookups, which is easily exceeded with only a few include statements because the lookups inside each included record count toward the total.
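To make the two SPF points above concrete (leaving your own mail server out of the record, and the 10-lookup limit), here is an added example that is not code from the article or from epic.network. It is a small Python model of SPF evaluation over an in-memory set of records: one layout puts the filter, marketing and CRM providers on the main domain, the other splits them by purpose. Every domain name, IP address and record in it is constructed for the example.

```python
import ipaddress
# Constructed in-memory SPF records (not real DNS): domain -> TXT record text.
PROVIDERS = {
    "filter.example": "v=spf1 ip4:203.0.113.0/24 include:eu.filter.example -all",
    "eu.filter.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mkt.example": "v=spf1 mx include:a.mkt.example include:b.mkt.example include:c.mkt.example -all",
    "a.mkt.example": "v=spf1 ip4:192.0.2.0/26 -all",
    "b.mkt.example": "v=spf1 ip4:192.0.2.64/26 -all",
    "c.mkt.example": "v=spf1 ip4:192.0.2.128/26 -all",
    "crm.example": "v=spf1 include:x.crm.example include:y.crm.example include:z.crm.example -all",
    "x.crm.example": "v=spf1 ip4:192.0.2.192/28 -all",
    "y.crm.example": "v=spf1 ip4:192.0.2.208/28 -all",
    "z.crm.example": "v=spf1 ip4:192.0.2.224/28 -all",
}
# One domain for everything: filter, marketing and CRM in a single record.
ONE_DOMAIN = {"example.com": "v=spf1 include:filter.example include:mkt.example include:crm.example -all"}
# Split by purpose: the main domain lists only the outbound filter and bulk senders
# get their own subdomains; the on-premises server 192.0.2.250 is deliberately absent.
SPLIT = {"example.com": "v=spf1 include:filter.example -all",
         "news.example.com": "v=spf1 include:mkt.example -all",
         "billing.example.com": "v=spf1 include:crm.example -all"}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def terms(record):
    for t in record.split()[1:]:                # skip the 'v=spf1' version tag
        qual = t[0] if t[0] in "+-~?" else "+"
        name, _, arg = t.lstrip("+-~?").replace("redirect=", "redirect:").partition(":")
        yield qual, name, arg

def count_lookups(domain, zone):
    """Count DNS-querying terms as RFC 7208 section 4.6.4 does (limit is 10)."""
    total = 0
    for _, name, arg in terms(zone[domain]):
        total += int(name in LOOKUP_TERMS)
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone)   # the included record's lookups count too
    return total

def spf_check(domain, sender_ip, zone):
    """Minimal evaluator: ip4, include and all are enough for these records."""
    if count_lookups(domain, zone) > 10:
        return "permerror"                      # receivers treat the whole record as broken
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in terms(zone[domain]):
        hit = ((name == "ip4" and ip in ipaddress.ip_network(arg))
               or (name == "include" and spf_check(arg, sender_ip, zone) == "pass")
               or name == "all")
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"
```

With everything on one domain the record needs 11 lookups and evaluates to permerror for every sender, legitimate or not; after the split the main domain needs 2, mail relayed through the filter passes, and a message sent straight from the unlisted on-premises server fails.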

Consider a Training Program 

Many spam-filtering systems have an option to rewrite links contained in emails to impede phishing attempts. Like anti-spoofing methods, this feature benefits from external enhancement. Consider augmenting your phishing defenses by implementing a training program. 

In an age when one wrong click can lead to a catastrophic outcome, the decision to invest in a spam filter is a modern-day application of a Ben Franklin adage: “An ounce of prevention is worth a pound of cure.” Before you embark on such an endeavor, become familiar with your mail flow. Don’t hesitate to collaborate with experts. Plan to allocate resources to review and learn how your spam filtering is faring.

Implement a DMARC policy and check the reports. Consider filtering outbound email and, if you do, exclude your actual mail server addresses from your SPF policy. Use dedicated domains or subdomains to create logical separation between the distinct types of mail that you send. Strengthen your team’s skills with training and testing. 

All these strategies, taken together, will give your organization a good chance of avoiding catastrophe and enjoying continued success. 


Link Porterfield is a founding member of epic.network, a member of The ASCII Group since 2015.