Are Spam Filters really that Bad?

The March 2012 report from Virus Bulletin doesn’t speak too highly of commercial spam filters.

After a test of different email filtering solutions available for corporate users, the test director, Martijn Grooten, had this to say:

“This is a worrying trend. There have been many news stories highlighting a global decline in spam in recent months, but if spam filter performances decline too, the situation for the end-user doesn’t improve at all.”

Of course, he is right. If spam filters aren’t doing what they are supposed to do, then it is troubling. Considering the fact that spam is becoming a more popular method of malware delivery, filtering solutions need to stop as much spam as they can.

So while “Spam Filters Fail” may make for great headlines, especially in the blogosphere, let’s take a look at the numbers.

Out of the 20 products tested, nine (including GFI’s anti-spam solution) had a catch rate between 99.75 percent and 100 percent. Eight more scored between 99.25 percent and 99.75 percent when their catch rate was tested. Only three products scored lower than 99 percent. See the graph here.

Overall, the catch rate for the types of spam remained above 99.5 percent during the tests. However, in the categories of rogue pharmaceutical spam and credit card phishing emails, the catch rate did fall below 99 percent when the emails were written in German.

The Major Cause

According to Virus Bulletin, IP blacklisting doesn’t work like it used to, and this is a significant reason why so many spam messages are able to sneak past the filters.

“…products had a significantly harder time blocking messages based on the IP address from which they were sent. This may be because DNS blacklists have become less accurate than they used to be, or because spammers have been sending more spam using legitimate mail servers.”

The use of botnets could also be seen as a reason for this. Since botnets can be used to pump out millions of messages from different parts of the world, identifying a single source of spam in any given campaign can prove to be rather difficult. Given that large botnets are falling out of style and smaller armies of zombie computers are more in vogue these days, a criminal organization can easily drop a smaller botnet and re-form it with new computers rather quickly.

The Good News

With so many spam filtering solutions scoring over 99 percent, headlines reading “Report: Spam filters are getting worse,” “feeble spam filters catch less junk mail” and “spam filters are blocking less spam” seem a bit misleading.

In fact, Johannes Ullrich, Ph.D. of the SANS Technology Institute stated:

“I think this is not all bad news… so I don’t think this trend is as ‘worrying’ as Virus Bulletin makes it sound.”

While IP blacklisting may pose a problem as a way to stop spam from working its way into a user’s inbox, it is not the only method used by spam filtering solutions. Most hardware- and software-based solutions offer some type of IP filtering, but the real stopping power comes from Bayesian filtering.

What is Bayesian Filtering?

Based on a mathematical formula, Bayesian filtering looks at each message as a whole, as opposed to looking only at the IP address of the sender or only for frequently used spam keywords. This type of spam protection can also help reduce the number of false positives, since in addition to recognizing spam keywords it also looks at the sender and at other words that help balance out frequent use of spammy words.

More importantly, Bayesian filters can pick up on the little tricks that spammers like to play with words to beat those who rely solely on keyword filtering techniques. When spammers opt to send emails advertising f-r-e-e stuff instead of free, a Bayesian filter can pick up on this.
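To make the two points above concrete (other words in a message offsetting a spammy keyword, and an obfuscated spelling such as f-r-e-e being learned as a token in its own right), here is an added example, not code from Virus Bulletin or from any tested product: a minimal naive Bayes classifier beside a one-word keyword check. The training messages, the `NaiveBayesFilter` class and the `keyword_filter` helper are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training data (not from the Virus Bulletin test): (label, text).
TRAINING = [
    ("spam", "get free pills now cheap pharmacy offer"),
    ("spam", "f-r-e-e pills cheap offer click now"),
    ("spam", "verify your credit card account now click here"),
    ("spam", "f-r-e-e credit offer click here now"),
    ("ham", "are you free for the budget meeting on monday"),
    ("ham", "attached is the report for the sales meeting"),
    ("ham", "lunch on monday? i am free after the meeting"),
    ("ham", "please review the attached budget report"),
]

def tokenize(text):
    # Keep hyphens inside tokens so "f-r-e-e" stays one learnable token.
    return re.findall(r"[a-z0-9][a-z0-9'-]*", text.lower())

class NaiveBayesFilter:
    def __init__(self, training):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        for label, text in training:
            self.docs[label] += 1
            self.counts[label].update(tokenize(text))
        self.vocab = set(self.counts["spam"]) | set(self.counts["ham"])

    def _log_score(self, label, tokens):
        total = sum(self.counts[label].values())
        # Class prior plus Laplace-smoothed per-token likelihoods, in log space.
        score = math.log(self.docs[label] / sum(self.docs.values()))
        for tok in tokens:
            score += math.log((self.counts[label][tok] + 1) / (total + len(self.vocab)))
        return score

    def spam_probability(self, text):
        # Tokens never seen in training carry no evidence and are skipped.
        tokens = [t for t in tokenize(text) if t in self.vocab]
        diff = self._log_score("ham", tokens) - self._log_score("spam", tokens)
        # Turn the log-odds into P(spam | message); clamp to avoid overflow.
        return 1 / (1 + math.exp(min(diff, 700)))

def keyword_filter(text, keywords=("free",)):
    # Baseline for comparison: flag a message if a listed keyword is a token.
    return any(tok in keywords for tok in tokenize(text))

FILTER = NaiveBayesFilter(TRAINING)
```

On this constructed data, "F-R-E-E offer, click here now" passes the keyword check but scores close to 1 with the Bayesian filter, while "Are you free for a meeting on Monday?" trips the keyword check and scores close to 0.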

When it comes to fighting spam, a number of strategies need to be used. To think that a spam filtering device cannot be an effective part of any successful solution is foolish, and reports that state otherwise are irresponsible. Proven spam filtering solutions can be easily researched so that the one that best fits your organization, and its goals, can be easily and seamlessly integrated into your existing infrastructure.

Written by Jeff

  1. Jeremy Fries · March 29, 2012

    I honestly don’t think we’ll ever get to 100% protection, it’s just one of those impossible numbers. Being at 99-99.75%? I’ll happily take that. As long as we can keep that number where it is, especially with the switch to IPv6, which I think will throw a lot of spam filters off guard as they adjust to re-blacklisting, I don’t know what else we can do defensively to improve our spam penetration rate.

  2. Ethan Fasbender · April 1, 2012

    It depends on who you’re asking. As an ordinary email user with just about one to two hours spent on email every week, spam filters are doing an excellent job. In my own calculation, only one spam goes straight to my inbox for every 500 (more or less) spam emails sent. Usually, unfiltered spam mails are not that serious. They only contain text – no attachments whatsoever.

    I’m using Gmail as my personal email account. I’m using Microsoft Outlook and Apple Mail for my corporate accounts (one account for my own email and one for the company’s sales department).

    But if you ask email administrators and webmasters, they will surely say that spam filters failed them. Two of my work buddies are in charge of our IT and all I can hear from them are the new spams created every day.