Are Spam Filters really that Bad?
Written by Jeff on March 27, 2012
The March 2012 report from Virus Bulletin doesn’t speak too highly of commercial spam filters.
After a test of different email filtering solutions available for corporate users, the test director, Martijn Grooten, had this to say:
“This is a worrying trend. There have been many news stories highlighting a global decline in spam in recent months, but if spam filter performances decline too, the situation for the end-user doesn’t improve at all.”
Of course, he is right. If spam filters aren’t doing what they are supposed to do, then it is troubling. Considering the fact that spam is becoming a more popular method of malware delivery, filtering solutions need to stop as much spam as they can.
So while “Spam Filters Fail” may make for a great headline, especially in the blogosphere, let’s take a look at the numbers.
Out of the 20 products tested, nine (including GFI’s anti-spam solution) had a catch rate between 99.75 percent and 100 percent. Eight more scored between 99.25 percent and 99.75 percent when their catch rate was tested. Only three products scored lower than 99 percent. See the graph here.
Overall, the catch rate across the types of spam remained above 99.5 percent during the tests; however, in the categories of rogue pharmaceutical spam and credit card phishing emails the catch rate did fall below 99 percent when the emails were written in German.
The Major Cause
According to Virus Bulletin, IP blacklisting doesn’t work like it used to and this is a significant reason why so many spam messages are able to sneak past the filters.
“…products had a significantly harder time blocking messages based on the IP address from which they were sent. This may be because DNS blacklists have become less accurate than they used to be, or because spammers have been sending more spam using legitimate mail servers.”
The use of botnets could also be seen as a reason for this. Since botnets can be used to pump out millions of messages from different parts of the world, identifying a single source of spam in any given campaign can prove rather difficult. Given that large botnets are falling out of style and smaller armies of zombie computers are more in vogue these days, a criminal organization can easily drop a smaller botnet and rebuild it with new computers rather quickly.
The Good News
With so many spam filtering solutions scoring over 99 percent, headlines such as “Report: Spam filters are getting worse,” “Feeble spam filters catch less junk mail” and “Spam filters are blocking less spam” seem a bit misleading.
In fact, Johannes Ullrich, Ph.D. of the SANS Technology Institute stated:
“I think this is not all bad news… so I don’t think this trend is as ‘worrying’ as Virus Bulletin makes it sound.”
While IP blacklisting may be losing ground as a way to stop spam from working its way into a user’s inbox, it is not the only method used by spam filtering solutions. Most hardware- and software-based solutions offer some type of IP filtering, but the real stopping power comes from Bayesian filtering.
What is Bayesian Filtering?
Based on a mathematical formula, Bayesian filtering looks at each message as a whole, as opposed to just the IP address of the sender or frequently used spam keywords alone. This type of spam protection can also help reduce the number of false positives: in addition to recognizing spam keywords, it also weighs the sender and the other words in the message, which can balance out the occasional use of spammy words in legitimate mail.
More importantly, Bayesian filters can pick up on the little tricks that spammers like to play with words to beat those who rely solely on keyword filtering techniques. When spammers opt to send emails advertising f-r-e-e stuff instead of free, a Bayesian filter can pick up on this.
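As an added illustration (not code from this post or from the Virus Bulletin report), the following Python sketch trains a small naive Bayes classifier on a constructed corpus: the sender’s domain and the message’s words are all features, so a trusted sender can offset a few spammy words, and obfuscation such as “f-r-e-e” is collapsed to “free” before scoring, which a plain keyword match misses.

```python
import math
import re
from collections import Counter

# Constructed training corpus (label, sender, body); not data from the report.
TRAINING = [
    ("spam", "promo@deals.example", "FREE pills cheap meds buy now"),
    ("spam", "offers@deals.example", "free cheap pharmacy pills order today"),
    ("spam", "win@lotto.example", "you win free money click now"),
    ("ham", "alice@corp.example", "meeting notes attached see you tomorrow"),
    ("ham", "bob@corp.example", "quarterly budget review is free of errors"),
    ("ham", "alice@corp.example", "lunch tomorrow cheap place near office"),
]

SEPARATORS = re.compile(r"[-.*_]")
# A word whose letters may be split by -, ., * or _ (e.g. "f-r-e-e", "f.r.e.e").
WORD = re.compile(r"[a-z](?:[-.*_]?[a-z])*")

def keyword_hit(body, keywords):
    """Plain keyword filter: exact word match only, so 'f-r-e-e' slips past."""
    return any(w in keywords for w in body.lower().split())

def tokenize(sender, body):
    """Feature set: the sender's domain plus each body word with
    obfuscating separators collapsed, so 'f-r-e-e' becomes 'free'."""
    feats = {"sender:" + sender.rsplit("@", 1)[-1].lower()}
    for w in WORD.findall(body.lower()):
        feats.add("word:" + SEPARATORS.sub("", w))
    return feats

class NaiveBayes:
    """Bernoulli naive Bayes over message features with Laplace smoothing."""
    def __init__(self, corpus):
        self.docs = Counter()
        self.feat = {"spam": Counter(), "ham": Counter()}
        for label, sender, body in corpus:
            self.docs[label] += 1
            self.feat[label].update(tokenize(sender, body))

    def spam_probability(self, sender, body):
        """P(spam | message), computed in log space to avoid underflow."""
        feats = tokenize(sender, body)
        total = sum(self.docs.values())
        logp = {}
        for label in ("spam", "ham"):
            n = self.docs[label]
            lp = math.log(n / total)                      # class prior
            for f in feats:                               # P(feature | class)
                lp += math.log((self.feat[label][f] + 1) / (n + 2))
            logp[label] = lp
        m = max(logp.values())
        ps, ph = math.exp(logp["spam"] - m), math.exp(logp["ham"] - m)
        return ps / (ps + ph)
```

Scoring “f-r-e-e pills buy now” from the deals domain lands well above 0.5, while “the free lunch was cheap” from a colleague stays below it, because the sender domain and the other words outweigh the two spammy tokens.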
When it comes to fighting spam, a number of strategies need to be used together. To think that a spam filtering device cannot be an effective part of a successful solution is foolish, and reports that state otherwise are irresponsible. Proven spam filtering solutions can be readily researched so that the one that best fits your organization and its goals can be seamlessly integrated into your existing infrastructure.