Spam Filters Explained

What do they do? How do they work? Which one is right for me?By Alan Hearnshaw

Spam is a very real problem that many people have to deal with on a daily basis. For those that have decided to do something about it and start to investigate the options available in spam filtering, this article provides a brief introduction to your options and the types of spam filters available.

Despite the bewildering array of spam filters available today, all claiming to the best one "of its kind" there are really just five filtering methodologies in general use today and all products rely on one, or a combination of these:

Content-Based Filters

"In the beginning, there were content-based filters."

These filters scan the contents of the and look for tell-tale signs that the message is spam. In the early days of spamming it was quite simple to look out for "Kill Words" such as "Lose Weight" and mark a message as spam if it was found.

Very soon though, spammers got wise to this and started resorting to all kinds of tricks to get their message past the filters. The days of "obfuscation" had begun. We started getting messages containing the phrase "L0se Welght" (Notice the zero for "o" and "l" for "i") and even more bizarre - and sometimes quite ingenious - variations.

This rendered basic content-based filters somewhat ineffective, although there are one or two on the market now that are clever enough to "see through" theses attempts and still provide good results.

Bayesian Based Filters

"The Reverend Bayes comes to the rescue"

Born in London 1702, the son of a minister, Thomas Bayes developed a formula which allowed him to determine the probability of an event occurring based on the probabilities of two or more independent evidentiary events.

Bayesian filters "learn" from studying known good and bad messages. Each message is split into single "word bytes", or tokens and these tokens are placed into a database along with how often they are found in each kind of message.

When a new message arrives to be tested by the filter, the new message is also split into tokens and each token is looked up in the database. Extrapolating results from the database and applying a form of the good reverend's formula, know as the a "Naive Bayesian" formula, the message is given a "spamicity" rating and can be dealt with accordingly.

Bayesian filters typically are capable of achieving very good accuracy rates (>97% is not uncommon), and require very little on-going maintenance.

Whitelist/Blacklist Filters

"Who goes there, friend or foe?"

This very basic form of filtering is seldom used on its own nowadays, but can be useful as part of a larger filtering strategy.

A "whitelist" is nothing more than a list of e-mail addresses from which you wish to accept communications. A whitelist filter would only accept messages from these people and all others would be rejected

A "blacklist", conversely, is a list of e-mail addresses - and sometimes IP Addresses (computer identification addresses) - from which communications will not be accepted.

While this may seem like a good idea from the outset, a whitelist methodology is too restrictive for most people and, as virtually all spam e-mails carry a forged "from" address, there is little point in collecting this address to ban it in future as it is very unlikely to be the same next time.

There are bodies on the internet that maintain a list of known "bad" sources of e-mail. Many filters today have the ability to query these servers to see if the message they are looking at comes from a source identified by this Internet-based blacklist, or RBL. While being quite effective, they do tend to suffer from "false positives" where good messages are incorrectly identified as spam. This happens often with newsletters.

Challenge/Response Filters

"Open sesame!"

Challenge/Response filters are characterised by their ability to automatically send a response to a previously unknown sender asking them to take some further action before their message will be delivered. This is often referred to as a "Turing Test" - named after a test devised by British mathematician Alan Turing to determine if machines could "think".

Recent years have seen the appearance of some internet services which automatically perform this Challenge/Response function for the user and require the sender of an e-mail to visit their web site to facilitate the receipt of their message.

Critics of this system claim it to be too drastic a measure and that it sends a message that "my time is more important than yours" to the people trying to communicate with you.

For some low traffic e-mail users though, this system alone may be a perfectly acceptable method of completely eliminating spam from their inbox - one step above the "Whitelist" system outlined above.

Community Filters

"A united front"

These types of filters work on the principal of "communal knowledge" of spam. When a user receives a spam message, they simply mark it as such in their filter. This information is sent to a central server where a "fingerprint" of the message is stored.

After enough people have "voted" this message to be spam, then it is stopped from reaching all the other people in the community.

This type of filtering can prove to be quite effective, although it stands to reason that it can never be 100% effective as a few people have to receive the spam for it to be "flagged" in the first place. Just like its similar cousin the Internet black list (RBL), this system also can suffer from "false positives", or messages incorrectly identified as spam.

Hopefully you are now armed with a little more information to be able to make an informed decision on the best spam filter for you.

For further information, consider reading the reviews and articles found at http://www.whichspamfilter.com

Alan Hearnshaw is a computer programmer and the owner of http://www.whichspamfilter.com, a web site which conducts weekly in-depth reviews of current spam filters, provides help and guidance in the fight against spam and provides a useful community forum.alan@whichspamfilter.com

When 'Viagra' Comments on Your Blog, and Other Spam Red Flags PCWorld Matt Mullenweg, the creator of WordPress, actually created a spam blocker for WordPress called Akismet in 2005, partially so his mom wouldn't be assaulted by Viagra ads while writing her blog. Today, spam blockers do a good job of nabbing most spam, ... and more »

Trend Micro Titanium Maximum Security 2012 review PC Advisor Trend Micro Titanium Maximum Security 2012 starts out with traditional modules, including AV protection, an improved firewall, a spam blocker, parental control, a system tuner, protection against data theft and 10GB of online storage.

WatchGuard Breaks Quarterly Billings, Profit and Units Shipped Records MarketWatch (press release) Currently, WatchGuard offers seven add on security services for XTM appliances, including: Application Control, WebBlocker, Gateway Antivirus, Reputation Enabled Defense, spamBlocker, Intrusion Prevention and LiveSecurity. and more »

When 'Viagra' Comments on Your Blog, and Other Spam Red Flags IDG News Service Matt Mullenweg, the creator of WordPress, actually created a spam blocker for WordPress called Akismet in 2005, partially so his mom wouldn't be assaulted by Viagra ads while writing her blog. Comment spam, also known as blogspam, has existed since the ... and more »

NEWS ROUND-UP: The latest from WatchGuard, Compuware, and Island Pacific ARNnet WatchGuard currently offers seven add-on security services for XTM appliances: Application Control, WebBlocker, Gateway Antivirus, Reputation Enabled Defence, spamBlocker, Intrusion Prevention, and LiveSecurity. Technology performance company ... and more »

Tucson victim stalked for nearly 2 decades Tucson Citizen ... in consequence of which she tells numerous falsehoods to create the illusion of danger, purely to get someone incarcerated for up to 10 years merely because she doesn't want to use the spam blocker of her e-mail address account,” Shepard wrote. and more »

Gothamist

After Stalking Woman For 18 Years, Man Faces Five Year Sentence Gothamist ... conscience or both, in consequence of which she tells numerous falsehoods to create the illusion of danger, purely to get someone incarcerated for up to 10 years merely because she doesn't want to use the spam blocker of her e-mail address account. and more »

Demand for business security 'at an all-time high' TechDay.co.nz ... core SMB market is 'solid', the company is experiencing 'accelerated demand' among mid-market and enterprise organisations, Robertson adds. Users are also increasingly taking up add-on services, such as Application Control, WebBlocker and spamBlocker.

ITespresso.fr

Sécurité IT : l'éditeur WatchGuard veut séduire les TPE et les PME ITespresso.fr ... sécurité spécifiques comme le WebBlocker de WatchGuard (blocage des sites Web malveillants et des contenus Web inappropriés), le spamBlocker ou encore le Reputation Enabledd Defense, un service cloud de protection contextuelle contre les menaces.

Anti-Spam-Lösung für Unternehmen erhält Update IT-Business ... das Reporting und Backups für geschützte Exchange-Cluster zentralisieren. Die Anti-Spam-Lösung ist Teil der Unternehmenslösung Kaspersky Open Space Security. Neben dem reinen Spam-Blocker gehören auch Antivirus-Funktionen mit zum Lieferumfang. and more »