Spam Filters: Help or Hindrance?

Close up of a mouse cursor over the spam folder in an email.

You’ve probably been here before. You’re waiting for that crucial email to arrive. Time is of the essence. You regularly check your email for those important documents. As hours turn into days and days turn into weeks, it never arrives. You might even call the sender, assuming they’d forgotten to fulfill your request. Guess what? It’s been captured and quarantined in your spam filter for weeks. Yes, they don’t call it anti-virus for nothing. Like the digital version of Typhoid Mary, your tax forms, signed proposals, travel itinerary, and even family photos have been rounded up and put away in a safe place far from your prying eyes. For those of you with personal email accounts like Yahoo, Hotmail, or Gmail, the solution is simple: check your spam folder. But if you’re using the company Outlook and a third-party anti-spam appliance, the procedure for recovering legitimate email is not so simple. In fact, it is because corporate domains are more prone to cyber-attacks that their spam filters tend to be more complex (i.e. less user-friendly). It’s also because cyber-attacks are getting so sophisticated that retrieving some of the emails we legitimately requested is going to remain a challenge. Often, separating the wheat from the chaff requires a modicum of administrative diligence to compensate for filter configurations that are either too aggressive or too lax.

Ideally, most IT departments would love to integrate a third-party spam filter with Outlook. Then all it would take is a right-click and, faster than you can say “Joseph McCarthy”, those subversive emails that threaten your organization’s data security would be blacklisted (i.e. permanently blocked) and never heard from again. Without such integration, the right-click, Junk, Block Sender option is a futile exercise. In addition, the manual process of repetitively hitting the delete button means users are more prone to do away with legitimate emails through oversight. Nonetheless, ABS’s Manager of I.T. & Data Analytics Brian Nunziato explains why Outlook integration with tools such as Symantec is not a realistic or effective solution:

“The Symantec Messaging Gateway uses its own built-in spam protection, designed to be collaboratively used by both the end user and administrator, and isn’t intended to work with Outlook’s junk filter.  When an end user receives the list of blocked messages each day there is an option to release blocked messages.  The administrator can then view which messages have been released and add valid domains to a whitelist (such as belonging to clients or vendors) which will prevent messages from these identified senders from being quarantined again in the future. In order for spam control to be handled by Outlook, it must integrate with Exchange and use manually configured junk or spam lists.  While this sounds great in theory, this is generally less efficient and allows for much less control, customization, and protection than a dedicated messaging gateway product which also tends to include anti-malware and other more advanced features.”

What do spam filters consider suspicious? Often it’s a hyperlink in the body of the message, the tried and still true method of luring a recipient into downloading and running a malicious .exe file. A signature that includes company website or social media links may be mistaken for a threat. Sometimes it’s the file attachment, or an unrecognized extension due to version incompatibility, that triggers a block. Sometimes the sending domain itself winds up on the spam filter’s blacklist due to excessive spam being issued from that domain. Organizations that purchase email lists or target non-subscribers with unsolicited promotional messaging are prone to having this violation reported, and their whole domain, rather than the individual sender’s email account, is summarily blocked by the messaging gateway provider as a result. In instances where the filter is deemed overzealous, there is the whitelisting process. Nunziato elaborates:

“The easiest way to add a new sender to the white list on the messaging gateway is to identify the domain name of the sender.  By adding the domain to the whitelist, it allows all future messages from that domain to pass unobstructed by the spam filter rules.  The downside to this is that it will allow all senders from that domain which hardly makes it useful when the sender is using a public email domain such as Google or Yahoo.  In these cases, you simply want to add the full email address of the sender so that it only allows messages from that particular individual versus everyone from the domain.”

For non-administrative end users privy to the daily log of quarantined emails, there can be a misconception that the handful offered for review and release from quarantine means the messaging gateway is letting more junk through than it is blocking. But in fact, the suspected spam list they’re seeing is merely the tip of the proverbial iceberg. Brian Nunziato clarifies what’s happening in terms of back-end due diligence:

“From the user’s perspective, all they see is what comes into their inbox and their viewpoint of what is too much is often colored by their personal tolerance threshold. What an end-user doesn’t see however is the sheer amount of junk messages that are correctly caught by the messaging gateway or other spam control tool which is only visible to administrators. Spam is a massive and growing industry because it is inexpensive to implement and has been found to be effective. This, unfortunately, has led to increasingly more sophisticated methods of trying to bypass or ‘fool’ spam filters. This forces administrators to walk a fine line between higher levels of message scrutiny and dealing with user frustration from increasingly blocking legitimate email while some amounts of spam continue to find their way into users’ inboxes. ABS employs two different spam listing services whose role it is to block email from servers on their known blacklists. Emails stopped at this first level are prevented from entering the second level of evaluation, content filtering and heuristics, and are never seen by end-users. Only emails which pass the first level of filtering and are then subsequently flagged at the second level, content filtering and heuristics, show up on the spam notifications that users receive daily.”
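To make the two-level pipeline in the quote above concrete, and to show the whitelisting rule from the earlier quote (whitelist the domain, unless it is a public mail provider, in which case whitelist only the full address) together with the suspicious signals listed earlier (body hyperlinks, executable attachments), here is a small Python model. It is an added illustration for this article, not code from ABS, Symantec or any real gateway. The server blocklist, public-domain list, allowlist entries, scoring weights, threshold and sample messages are all constructed for the example, and it assumes the allowlist is consulted only at the second level, after the server blocklist has already dropped what it dropped.

```python
"""Toy model of a two-stage messaging gateway.

Stage 1: a blocklist of sending servers (the "spam listing services" in the
quote); hits are dropped silently and never appear in any user notification.
Stage 2: an allowlist check, then content filtering / heuristics; hits are
quarantined and show up in the user's daily list of blocked messages.
Everything below (lists, weights, messages) is constructed for illustration.
"""
from dataclasses import dataclass, field
import re

# Constructed data. IPs are taken from the RFC 5737 documentation ranges.
SERVER_BLOCKLIST = {"203.0.113.7", "198.51.100.23"}
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat"}
LINK_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


@dataclass
class Message:
    sender: str          # From address as seen by the gateway
    sending_ip: str      # IP address of the connecting mail server
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # attachment filenames


def sender_domain(address: str) -> str:
    """Part after the last '@', lower-cased."""
    return address.lower().rsplit("@", 1)[-1]


def is_allowlisted(address: str, allowlist: set) -> bool:
    """An entry is either a bare domain (every sender there passes) or a full address."""
    address = address.lower()
    return address in allowlist or sender_domain(address) in allowlist


def add_to_allowlist(address: str, allowlist: set) -> str:
    """The whitelisting rule from the quote: add the sender's domain, unless it is a
    public mail provider, in which case add only the full address. Returns the entry."""
    domain = sender_domain(address)
    entry = address.lower() if domain in PUBLIC_DOMAINS else domain
    allowlist.add(entry)
    return entry


def heuristic_score(msg: Message):
    """Crude stage-2 scoring of the signals the article names. Real gateways use far
    richer content analysis; this only shows the shape of the decision."""
    score, reasons = 0, []
    if LINK_RE.search(msg.body):
        score += 2
        reasons.append("hyperlink in body")
    for name in msg.attachments:
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 4
            reasons.append(f"executable attachment {name}")
    if msg.subject.isupper() and len(msg.subject) > 8:
        score += 1
        reasons.append("all-caps subject")
    return score, reasons


def classify(msg: Message, allowlist: set, threshold: int = 3):
    """Return (disposition, reasons). 'dropped' = stopped at stage 1, invisible to the
    user; 'quarantined' = flagged at stage 2, listed in the daily notice; 'delivered'."""
    if msg.sending_ip in SERVER_BLOCKLIST:
        return "dropped", ["sending server on blocklist"]
    if is_allowlisted(msg.sender, allowlist):
        return "delivered", ["sender allowlisted"]
    score, reasons = heuristic_score(msg)
    if score >= threshold:
        return "quarantined", reasons
    return "delivered", reasons


if __name__ == "__main__":
    allowlist = {"clientcorp.example"}          # a client domain, whitelisted whole
    add_to_allowlist("alice@gmail.com", allowlist)  # public provider: full address only
    samples = [
        Message("promo@bulk.example", "203.0.113.7", "Deals", "http://bulk.example", ["offer.exe"]),
        Message("eve@gmail.com", "192.0.2.5", "Invoice", "Open http://bad.example/inv now", ["invoice.exe"]),
        Message("alice@gmail.com", "192.0.2.5", "Invoice", "Open http://bad.example/inv now", ["invoice.exe"]),
        Message("dave@other.example", "192.0.2.6", "Hello", "Regards,\nhttps://other.example", ["itinerary.pdf"]),
    ]
    for m in samples:
        print(f"{m.sender:22} -> {classify(m, allowlist)}")
```

Running it shows the point of the quote: the first message is dropped at stage 1 and would never appear in anyone's daily notice, the second is quarantined and would, the third passes only because Alice's full address was whitelisted (not all of gmail.com), and the fourth, a signature with a single link, scores below the threshold and is delivered.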

Continuing with the aquatic analogy, any successful IT organization is comprised of network administrators and security engineers busily at work trying to stem the persistent tide of junk and virus-laden emails that flood Exchange servers every single day. Like ducks on the pond drifting calmly by, their feet are pedaling feverishly below the surface to keep messaging systems afloat. Even if the extent of their efforts goes largely unnoticed by the end user population, maintaining a meticulous cyber-attack prevention process means more than just treading water. It’s the help we don’t see that hinders the junk we don’t want to see.