Preventative: Spam Filter Flashcards
Spam can be classified as unwanted commercial emails or soliciting emails and these messages can often lead to annoyances, lost time/money, and potentially malware depending on the intentions of the spammer and the actions done by the user. To prevent these kinds of messages from being delivered into email systems’ inboxes, spam filters were created. There are hundreds, if not thousands of spam filters used throughout the world and these are used in conjunction with existing email services or are built into services such as Gmail and Outlook. These filters use rulesets, algorithms, machine learning, community interaction, and a variety of other techniques to determine what emails are spam, and what emails are legitimately meant for the receiver.
Why is it important?
Spam filters were created with the end-user in mind. Since the rise of email messaging and the internet in the 1990s, more and more cyber-attacks can often be delivered through email services. Phishing attempts, social engineering, and payloads delivered through email can all be caught through a spam filter, depending on the type of filter and how they are configured. Because of the excess of filters, there are three main types of spam filters that could be utilized:
Gateway Spam Filters – Ones that sit behind an on-premises firewall of a network. These can often be utilized by larger enterprise organizations and an example of a Gateway filter is the Barracuda email security gateway.
Hosted Spam Filters – These are ones that are hosted within the cloud. These work very similar to gateway spam filters but are able to update more quickly than some of the on-premises filters and an example of a hosted filter is SpamTitan.
Desktop Spam Filters – These filters are user-installed and are typically used in SOHO scenarios. One major drawback of these kinds of filters is that they can sometimes be categorized as “Freeware” and you may not fully know what the application is installing on your system.
Types of Spam Filters
Since each vendor/email service uses different kinds of spam filters, these can be broadly classified by the way they detect spam:
Content Filters
A content filter is the classic depiction of a spam filter and uses information in the email header and body to try to determine whether the email is legitimate or spam. When looking at the header, the filter could cross-reference the header with published blacklists or known spamming networks and automatically classify it as spam. When this filter scans the body of the message it could, for example, look for adult-oriented content and determine that as spam, based on preferences set on the account.
Rule-Based Filters
A rule-based filter allows for emails to be filtered based on predetermined criteria. A good example of this is Mail Flow rules in Microsoft Exchange where you could say:
If the subject or body contains “FREE OFFER” and the Sender is located Outside of the Organization, raise the likelihood of the message being spam
Bayesian Filters
Bayesian filters have become one of the most intelligent types of spam filters that can be used. This is because it can often utilize concepts such as machine learning, to learn the users’ spam preferences. For example, when the user marks an email as spam, it can analyze the characteristics of that message and use that information to block similar messages from going to the inbox. One slight downside to this kind of filter, however, is that it can often require a large amount of spam to efficiently utilize the machine learning capabilities.
While there are many other kinds of filters, the three listed above are some of the most widely used. One important thing to note about spam filters is that they need to be configured correctly to work properly. If the individual maintaining a Bayesian filter flags legitimate email, then the system will start classifying legitimate email as spam. It is important to maintain proper configurations and provide user training on what should and shouldn’t be considered spam.
Conclusion
A spam filter is arguably the most basic email defense an organization can deploy to reduce the number of spam and unsolicited emails reaching employee mailboxes. Whilst some phishing emails will still bypass this defense, by reducing emails that are not business-related, employees will have less junk in their mailboxes and will report fewer emails to the security team, so they can focus on real phishing emails.
Preventative: Attachment Filtering
This lesson will briefly cover what attachment filtering is, and why it’s used. One way to stop malware from being delivered to employee mailboxes is by limiting what types of files are allowed to come into the organization as email attachments. There are many tools out there that offer this functionality, but we will cover generally how these tools operate, and why this can be a good preventative security control.
Filtering
It isn’t a good idea to block attachments outright – employees will have difficulty sending legitimate documents internally and externally. The most appropriate way to approach this situation is to consider what file types are often used for malicious purposes, which file types the organization deals with on a regular basis, and whether blocking them would have any negative impact on the business. The most obvious file types that are used for malicious activity are:
.exe (Executable)
.vbs (Visual Basic Script)
.js (JavaScript)
.iso (Optical Disk Image)
.bat (Windows Batch File)
.ps/.ps1 (PowerShell Scripts)
.htm/.html (Web Pages / Hypertext Markup Language)
Typically businesses will use and send the following file formats via email, which can also be used for malicious purposes:
.zip (Archive)
.doc/.docx/.docm (Document file, often for Microsoft Word)
.pdf (Portable Document Format)
.xls/.xlsx/.xlsm (Spreadsheet file, often for Microsoft Excel)
Email gateways and email security tools will often allow for different actions to be taken once a certain attachment has been identified, such as scanning it for malicious indicators, blocking the email from being delivered, quarantining the email, stripping the attachment, alerting the email gateway administrator, sending an email to specific recipients about the activity (such as the security team), or generating logs which can be ingested by a SIEM platform and used to generate an alert for security analysts to investigate.
