How SpamFilter ISP Works

SpamFilter ISP's strength lies in the large number of filters that are applied to detect spam. Below is a partial list of the filters that are employed to stop spam.

SFDE - Spam Filter Distributed Email Database

The SFDE filter has been developed exclusively by LogSat Software. Like the SFDB and the SFDC filters, this filter uses a very powerful resource to stop spam: the entire global SpamFilter ISP user community.

This latest filter is proving to be one of the most effective and accurate tools in stopping spam. 
Anytime a company running SpamFilter ISP blocks a spam email, SpamFilter will parse its contents and scan the body for any email addresses it contains. These will usually be email addresses associated with the spammer or the website the spam email directs users to. SpamFilter will then create a unique hash for each email address in that email and will upload that hash to our centralized SFDE database. This allows the SFDE filter to have access to a huge repository of real spammers' email addresses, updated in real time by all the SpamFilter ISP installations in the world.
Our database analyzes this data in real time, and will block emails that contain the same hashed email addresses being reported as spam at that time. This allows the SFDE to be extremely accurate and effective, and to start blacklisting spammers' email addresses within minutes of them sending spam.
Email addresses from the database are automatically aged and removed from the database within 6-24 hours if they stop sending spam and/or viruses.

SFDB - Spam Filter Distributed Blacklist Database

The SFDB filter has been developed exclusively by LogSat Software. This filter uses a very powerful resource to stop spam: the entire global SpamFilter ISP user community.

This filter, along with the SFDE filter, is proving to be one of the most effective and accurate tools in stopping spam.
Anytime a company running SpamFilter ISP blocks an email, the sender's IP address is sent to our centralized SFDB database. This allows the SFDB filter to have access to a huge repository of spammers' IPs, updated in real time by all the SpamFilter ISP installations in the world.
Our database analyzes this data in real time, and will block IPs that have sent excessive amounts of spam to multiple locations in the world in the span of the previous few minutes. This allows the SFDB to be extremely accurate and effective, and to start blacklisting IPs within minutes of them sending spam.
IP addresses from the database are automatically aged and removed from the database within 6-24 hours if they stop sending spam and/or viruses.

SFDC - SpamFilter Distributed Content Database

The SFDC (SpamFilter Distributed Content) filter is a proprietary filtering technology developed by LogSat Software.

When SpamFilter ISP receives an email, it will analyze the email's contents and will calculate a 20-byte hash to characterize it. We developed technology that is able to detect similar emails based on their contents, so SpamFilter will assign the same hash to similar emails. When SpamFilter detects that emails with the same hash signature are originating from several different locations, it will report the anomaly to our centralized servers.

Our database analyzes this incoming flow of messages in real time and, based on their quantity, origins and destinations, is able to detect which signature hashes are generated by spam emails.

The technology behind the SFDC allows our centralized database to detect spam signatures regardless of the email's text and contents, basing detection instead on the patterns used by spammers to deliver their emails.

Detection of spam signatures in images

SpamFilter ISP contains proprietary technology developed by LogSat Software that scans images embedded in emails for spam content. 

We at LogSat Software were the first, in June 2007, to develop technology that allowed SpamFilter to scan images embedded in PDF files for spam content (the so-called PDF spams).

RBL and SURBL Blacklists

Spam Filter ISP can check any user-specified RBL blacklist to see if the sender's IP address is being blacklisted. Reliability can be improved by requiring an IP to be blacklisted by two or more RBL servers for it to be marked as spam.

Spam Filter will analyze all URLs specified in the email body itself, and will check any user-specified SURBL blacklist server to see if the URL in the email is being used to host spam-related websites.
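The two-or-more-RBL rule described above can be sketched as follows. This is an added example, not LogSat's code: the zone names, the `quorum` parameter and the constructed DNS answers are assumptions, and only the DNSBL query convention (reversed IPv4 octets under the list's zone, listings answered from 127.0.0.0/8) is standard.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name: str) -> list:
    """Return the A records for name, or [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip: str, zone: str, resolve=system_resolver) -> bool:
    # Only an answer inside 127.0.0.0/8 counts as a listing. Any other address
    # (for example a wildcard answer from an expired zone) is ignored.
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)

def rbl_verdict(ip: str, zones, quorum: int = 2, resolve=system_resolver):
    """Return (is_spam, zones_that_listed_ip); spam only if quorum is reached."""
    hits = [z for z in zones if is_listed(ip, z, resolve)]
    return len(hits) >= quorum, hits

# Constructed test data: hypothetical zones and canned DNS answers.
ZONES = ["rbl-a.example", "rbl-b.example", "rbl-c.example"]
FAKE_DNS = {
    "10.2.0.192.rbl-a.example": ["127.0.0.2"],
    "10.2.0.192.rbl-b.example": ["127.0.0.4"],
    "7.100.51.198.rbl-a.example": ["127.0.0.2"],
    "7.100.51.198.rbl-c.example": ["203.0.113.80"],  # wildcard, not a listing
}

def fake_resolver(name: str) -> list:
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, rbl_verdict(ip, ZONES, resolve=fake_resolver))
```

Some lists reserve return codes inside 127.0.0.0/8 to signal query errors rather than listings, so check each list's documented codes before counting a hit toward the quorum.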

Greylisting

Greylisting is not an anti-spam filter in itself. Rather, it takes advantage of a behavior required by the RFCs, which some anti-spam products use to greatly reduce the amount of spam received.

In the majority of cases, when a "spam bot" computer is used to send spam, it will do so by sending huge amounts of emails in the fastest way possible. If a recipient's SMTP server does not respond, chances are that the spam bot will ignore that server and move on.

Luckily this behavior by spammers is in direct violation of the RFCs that dictate how email works. The RFCs require that, if an initial attempt to deliver an email fails, the sender must retry to send it.

Greylisting takes advantage of this by initially denying every connection attempt from an IP address. Only after a certain, small amount of time is the remote IP allowed to connect. If the sender is a spam bot, it is very likely that the IP will never try to connect again, and so it will not even try to send spam. If the sender is a legitimate server, it will be following the RFC guidelines, and within a few minutes it will retry sending the email, which will then be delivered.
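The per-IP greylisting decision described above, as an added sketch that is not SpamFilter ISP's implementation. The three timing values and the reply text are assumptions; the 4xx reply class is the standard SMTP signal for a temporary failure that a compliant sender retries.

```python
from dataclasses import dataclass, field

TEMPFAIL = (451, "4.7.1 Greylisted, please retry later")
ACCEPT = (250, "OK")

@dataclass
class Greylist:
    min_delay: int = 300            # assumed: seconds before a retry is accepted
    retry_window: int = 4 * 3600    # assumed: a pending entry expires after this
    pass_ttl: int = 30 * 86400      # assumed: how long a passed IP stays trusted
    first_seen: dict = field(default_factory=dict)  # ip -> time of first attempt
    passed: dict = field(default_factory=dict)      # ip -> time of last accept

    def check(self, ip: str, now: float):
        """Return the SMTP reply (code, text) for a connection from ip at now."""
        if ip in self.passed and now - self.passed[ip] <= self.pass_ttl:
            self.passed[ip] = now           # known retrying sender: no delay
            return ACCEPT
        self.passed.pop(ip, None)           # trust expired, start over
        seen = self.first_seen.get(ip)
        if seen is None or now - seen > self.retry_window:
            self.first_seen[ip] = now       # first contact, or a stale entry
            return TEMPFAIL
        if now - seen < self.min_delay:
            return TEMPFAIL                 # retried too quickly
        del self.first_seen[ip]
        self.passed[ip] = now               # retried after the delay: accept
        return ACCEPT

# Constructed timeline of (seconds, ip): 192.0.2.10 is a mail server that
# retries, 198.51.100.7 is a bot that connects once and never comes back.
EVENTS = [(0, "192.0.2.10"), (5, "198.51.100.7"), (60, "192.0.2.10"),
          (600, "192.0.2.10"), (900, "192.0.2.10")]

def simulate(events):
    """Replay events against a fresh greylist and return the reply codes."""
    greylist = Greylist()
    return [greylist.check(ip, t)[0] for t, ip in events]

if __name__ == "__main__":
    print(simulate(EVENTS))
```

Expiring pending entries matters operationally: without `retry_window`, one-shot bots would fill `first_seen` indefinitely, and an IP that returns days later would be accepted on its first new attempt.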

Bayesian statistical DNA fingerprinting

Spam Filter ISP performs statistical DNA fingerprinting on all incoming emails. This Bayesian filter is self-learning, continuously analyzing your incoming traffic to improve its accuracy with time.

SSL and SMTP Authentication

Many mail servers lack support for SSL and SMTP Authentication. SpamFilter ISP supports both SSL and SMTP AUTH via Active Directory, LDAP, and Unix-style password files. If a user is authenticated, they will be able to bypass all filtering rules and use SpamFilter ISP as a relay to send their outgoing emails.

Administrators can then add support for SMTP Authentication (and SSL) if they have older mail servers that do not have these features.

SPF - Sender Policy Framework

SPF fights email address forgery and makes it easier to identify spam, worms, and viruses. SPF is an open source standard that is emerging as a solution to prevent spammers from using fake email addresses. Domain owners identify their sending mail servers in DNS. SpamFilter ISP verifies the envelope sender address against this information, and can distinguish legitimate mail from spam before any message data is transmitted.

Block Emails from User-Defined Countries

SpamFilter ISP is able to block emails being sent from any user-specified country. In addition, SpamFilter will track and record the number of email attempts made from all countries. This allows administrators to determine, visually, if there are any countries they do not wish to receive emails from.

...and dozens more filters!

In addition to the filters described in other sections of the website, SpamFilter ISP supports several more filters that can be used to detect spam.

A partial list is below.

  • Local IP Blacklist - Our SPAM Filter server checks whether the remote server's IP address matches an entry in your local IP blacklist file. If it does, the email is rejected.
  • Local Domain Blacklist - The SPAM Filter gateway checks whether the domain portion of the sender's email address is in your local domain blacklist file. If it is, the email is also rejected.
  • Local FROM EMail Blacklist - The sender's email address is checked against your local list of blacklisted email addresses. If present, it is rejected.
  • Local TO EMail Blacklist - The recipient's email address is checked against your local list of blacklisted email addresses. If present, it is rejected.
  • Attachment Blocking - SPAM Filter can check emails for specific attachments or attachment extensions. If found, the email is rejected.
  • Keyword Content Filtering - Our SPAM Filtering software can check email content and subject for specific keywords and/or phrases. If found, the email is rejected.
  • Honeypot Emails - You can have a list of "honeypot" email addresses. Any email sent to an address in the list will cause the sender's IP to be blacklisted.
  • Connections can be rejected if the remote server does not have a reverse DNS PTR entry.
  • Spam Filter is able to check if the sender's MX DNS record is valid before accepting email.
  • Refuse connections if there are too many spaces in the subject line.
  • Max Recipients in single session - Use this setting to limit how many RCPT TO commands can be issued in a single session.
  • Max Email Size - Incoming emails can be blocked if they exceed a certain size.
  • Reject if Empty "Mail From" - If this option is checked SPAMFilter will reject all emails with an empty "Mail From" field.
  • Reject if "Mail From" = "Mail To" - Reject all emails where the sender's email is the same as the recipient's email.
  • Reject if "From Domain" = "To Domain" - SPAM Filter can reject all email where the sender's domain is the same as the recipient's domain.
  • Tag Spam & Deliver - Tags spam by adding the header "X-SF-SPAM:Y" to email classified as spam. The email is then forwarded to the destination SMTP server. This allows administrators to handle spam as they wish on the back-end.
  • Tag Spam in Subject & Deliver - Tags spam by prefixing the word SPAM: to the subject line of emails classified as spam. The email is then forwarded to the destination SMTP server. This allows administrators to handle spam as they wish on the back-end.
Copyright © 2002-2024 LogSat LLC - Sales: sales@LogSat.com