How Tesserent Spam Filtering Works
Protecting You From Spam
In a typical month at Tesserent we block nearly 15 million emails through the multiple layers of our spam filtering solution. For each customer there is an automated weekly report that includes various data points on the security service, including the number of emails scanned and blocked. But what exactly happens during the scanning, and how do we ensure spam has as little impact on our customers as possible?
Envelope Checking vs Content Checking
Email scanning comprises two distinct phases: envelope checking and content checking.
Envelope checking is based on only downloading the envelope of an email initially. In simple terms, it is like checking the addressee and sender on the envelope of a letter. If the addressee doesn't exist, or you don't trust the sender, the letter is sent back.
The same process occurs as part of envelope checking in spam filtering. This reduces the traffic on the link, and the load on the Tesserent platform. This is also known as the pre-scan phase, and makes a series of checks against the envelope information only. If an email is rejected at this pre-scan stage, an error is returned to the originating email server.
If an email successfully passes through the pre-scan filters, the contents of the email are downloaded and another series of checks is performed against the content. Again, in simple terms, this is like a censor opening the letter and checking for content that is not allowed. If the email passes those checks it is passed on to the recipient(s); if it fails, it is quarantined (if that is what has been requested).
At this stage only the envelope of the email has been downloaded.
Amongst the checks performed are the following:
GreyList Checking - forces the sending server to queue and retry sending the email, effectively blocking email sent by spambots (spambot software typically does not queue).
SPF Checking - an industry standard technique used to detect and prevent email spoofing, i.e. altering an email so that it looks like it has come from somewhere or someone else.
Blocklist Checking - checks the source against blocklists maintained by commercial blocklist vendors.
Envelope Verification - an optional test, to check that the recipient address(es) actually exist. This is done using a technique that also discourages Directory Harvesting.
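The envelope-stage checks above, modelled as an added example (this is illustrative code, not Tesserent's platform): a blocklist lookup, recipient verification and greylisting applied in order, with the reply code the sending server would receive at each step. The blocklisted IP, the recipient directory and the greylist timings are constructed values, and the delay and retry-window constants are assumptions rather than Tesserent's settings.

```python
from dataclasses import dataclass, field

# Assumed greylist timings (seconds); real deployments tune these.
GREYLIST_MIN_DELAY = 300       # a retry sooner than this is still temp-failed
GREYLIST_MAX_WAIT = 4 * 3600   # a retry later than this starts the cycle again

# Constructed stand-ins for a vendor blocklist and a recipient directory.
BLOCKLISTED_IPS = {"203.0.113.7"}                       # TEST-NET-3, constructed
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


@dataclass
class PreScan:
    """Envelope-only checks; evaluate() returns (SMTP reply code, reason)."""
    seen: dict = field(default_factory=dict)   # (ip, mail_from, rcpt) -> first-seen time
    passed: set = field(default_factory=set)   # triples that completed greylisting

    def evaluate(self, ip, mail_from, rcpt_to, now):
        # 1. Blocklist: cheapest test, permanent rejection, so it runs first.
        if ip in BLOCKLISTED_IPS:
            return 550, "sender IP on blocklist"
        # 2. Envelope verification: unknown recipients are refused outright.
        if rcpt_to.lower() not in VALID_RECIPIENTS:
            return 550, "no such recipient"
        # 3. Greylisting: temp-fail the first attempt, accept a patient retry.
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return 250, "ok (greylisting previously completed)"
        first = self.seen.get(key)
        if first is None or now - first > GREYLIST_MAX_WAIT:
            self.seen[key] = now
            return 451, "greylisted, try again later"
        if now - first < GREYLIST_MIN_DELAY:
            return 451, "greylisted, retry too soon"
        self.passed.add(key)
        del self.seen[key]
        return 250, "ok"


def delivery_outcome(scanner, ip, mail_from, rcpt_to, attempt_times):
    """Reply codes a sender sees across its attempts (times in seconds)."""
    return [scanner.evaluate(ip, mail_from, rcpt_to, t)[0] for t in attempt_times]


if __name__ == "__main__":
    # A real MTA queues and retries; a spambot tries once and moves on.
    print("MTA    :", delivery_outcome(PreScan(), "198.51.100.5", "news@partner.example",
                                       "alice@example.com", [0, 900]))
    print("spambot:", delivery_outcome(PreScan(), "198.51.100.9", "x@bulk.example",
                                       "alice@example.com", [0]))
```

Many production greylisters key on the sender's network prefix rather than the exact IP, because a legitimate mail provider often retries from a different host in the same pool; the triple here is the simplest form of the technique.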
At this stage the email has passed envelope checking; the full email is downloaded and its contents are checked.
Checks at this stage include:
Anti-malware scanning - scanning with anti-malware engines from multiple OEM vendors, to reduce the risk associated with relying on just one.
Anti-spam scanning - anti-spam engines from multiple OEM vendors provide different views of whether a message looks like spam.
Heuristics - heuristic and statistical tests against headers and content, using heuristic tests from OEM vendors and tests derived by Tesserent.
DKIM Checking - another industry standard technique used to detect and prevent email spoofing, i.e. altering an email so that it looks like it has come from somewhere or someone else.
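The statistical tests mentioned under Heuristics are commonly built on Bayesian token classification. The following is an added example, not Tesserent's engine: a Bernoulli naive Bayes classifier over token presence in headers and body, trained on a handful of constructed spam and ham messages, that returns a spam probability for a new message. The sample messages and the 0.5 decision threshold are constructed for the demonstration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$%]+")

# Constructed training data; header lines are tokenised like body text.
SPAM_SAMPLES = [
    "Subject: WIN a free prize now\nClaim your free prize today, click now",
    "Subject: cheap meds online\nBuy cheap meds online now, free shipping",
    "Subject: you are a winner\nClaim your prize now, limited offer click here",
]
HAM_SAMPLES = [
    "Subject: meeting tomorrow\nCan we move the project meeting to 10am?",
    "Subject: invoice attached\nPlease find the invoice for the project attached",
    "Subject: lunch\nAre you free for lunch tomorrow after the meeting?",
]


def tokenize(text):
    """Lower-case word tokens from headers and body alike."""
    return TOKEN.findall(text.lower())


class NaiveBayes:
    """Bernoulli naive Bayes over token presence, Laplace smoothed."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # docs containing token
        self.docs = {"spam": 0, "ham": 0}                    # docs per class

    def train(self, label, text):
        self.docs[label] += 1
        self.counts[label].update(set(tokenize(text)))  # presence, not frequency

    def spam_probability(self, text):
        # Start from the class prior, then add each token's log-likelihood ratio.
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        for tok in set(tokenize(text)):
            if tok not in vocab:
                continue  # never seen in training: carries no evidence
            p_spam = (self.counts["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def build_demo_model():
    model = NaiveBayes()
    for text in SPAM_SAMPLES:
        model.train("spam", text)
    for text in HAM_SAMPLES:
        model.train("ham", text)
    return model


def classify(model, text, threshold=0.5):
    return "spam" if model.spam_probability(text) >= threshold else "ham"


if __name__ == "__main__":
    m = build_demo_model()
    for msg in ("Subject: free prize\nClick now to claim your free prize",
                "Subject: project meeting\nCan we move tomorrow's meeting to the afternoon?"):
        print(f"{m.spam_probability(msg):.3f} {classify(m, msg)}: {msg.splitlines()[0]}")
```

Tokens absent from the training vocabulary contribute nothing, which is why a classifier like this is only one input to a verdict alongside vendor engines and the other checks listed above.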
We also perform a number of proprietary checks, including, but not limited to:
Content scan for URLs - scans all URLs in the body and assesses them against site categorization engines.
Relationship tracking - tracks the inter-relationships between sending and receiving parties to determine whether an email is part of normal communication.
Policy based checks - for example, to block executable file attachments.
Backscatter filtering - uses a cryptographic signature to assist in eliminating deliberate backscatter email attacking your site.
Language determination - uses Bayesian classification to identify the majority language contained within the body of the email.
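The backscatter filtering item above relies on a cryptographic signature in the return path so that bounces to addresses the site never sent from can be rejected. The page does not describe Tesserent's scheme, so this added example uses the publicly documented BATV "prvs" format as the stand-in: the outbound MAIL FROM is tagged with a key id, a day number and a truncated HMAC, and an inbound bounce is accepted only if its recipient carries a valid, unexpired tag. The key, key id, validity window and day numbers are constructed values.

```python
import hashlib
import hmac
import re

# Constructed key material; a real deployment rotates keys and keeps them secret.
KEYS = {"0": b"constructed-demo-key-rotate-in-production"}
KEY_ID = "0"
VALIDITY_DAYS = 7   # assumed bounce window

# prvs=KDDDSSSSSS=local@domain : K key id, DDD day (mod 1000), SSSSSS hex tag
PRVS = re.compile(
    r"^prvs=(?P<kid>\d)(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>[^@]+)@(?P<domain>.+)$"
)


def _tag(kid, day, address, key):
    """Six hex chars of HMAC-SHA256 over key id, day and the original address."""
    msg = f"{kid}{day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(address, day, kid=KEY_ID):
    """Tag an outbound MAIL FROM address for the given day number."""
    local, domain = address.rsplit("@", 1)
    day %= 1000
    return f"prvs={kid}{day:03d}{_tag(kid, day, address, KEYS[kid])}={local}@{domain}"


def verify_bounce_recipient(address, today):
    """Check the RCPT TO of an inbound null-sender bounce.

    Returns (True, original_address) for a genuine tag, otherwise
    (False, reason). Untagged addresses were never used as our MAIL FROM,
    so any bounce to them is backscatter from a forged message.
    """
    m = PRVS.match(address)
    if not m:
        return False, "untagged: bounce to an address we never sent from"
    kid, day, sig = m["kid"], int(m["day"]), m["sig"]
    if kid not in KEYS:
        return False, "unknown key id"
    original = f"{m['local']}@{m['domain']}"
    if (today % 1000 - day) % 1000 > VALIDITY_DAYS:
        return False, "tag expired"
    if not hmac.compare_digest(sig, _tag(kid, day, original, KEYS[kid])):
        return False, "bad signature"
    return True, original


if __name__ == "__main__":
    signed = sign_return_path("alice@example.com", 120)
    print("outbound MAIL FROM:", signed)
    print("bounce 3 days later:", verify_bounce_recipient(signed, 123))
    print("bounce to plain address:", verify_bounce_recipient("alice@example.com", 123))
```

Only bounces (null sender) should be subjected to this test; ordinary inbound mail to the untagged address must still be delivered, and the receiving side strips the tag before handing a legitimate bounce to the user's mailbox.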
And then …
… after all that, you receive the email. So, as you can see, the email that arrives in your inbox has gone through many checks before it arrives, and it is scanned in a way that minimizes the impact on the receiving email systems.