Filtering architecture
Email path
Email is generally sent through two, three or several ISP networks before being delivered to your email server. When you subscribe to ZEROSPAM, the email path is modified and ZEROSPAM's system intervenes between the last ISP and your email server.
Email passes through ZEROSPAM's servers with lightning speed and this brief passage is enough to get rid of all malicious content. A stream of clean email is instantly redirected to your email server. The filtering process takes just seconds and the delay incurred in the email delivery is negligible. ZEROSPAM provides effective protection at its client's network perimeter, and clients therefore do not need to change any of their server's configurations.
Filtering techniques
ZEROSPAM uses a multi-layered filtering architecture based on state-of-the-art technology. Its top-notch service is constantly evolving in order to address the latest tactics used by spammers. The only commercial component of ZEROSPAM's architecture, which has 15 distinct layers, is Cloudmark's message fingerprinting technology.
[Diagram: filtering architecture. Internet -> SMTP checks (IPs, domains, RBLs, spoofing, integrity, feedback loop) -> Content filtering (fingerprints, anti-virus, anti-phishing, heuristics, statistics) -> queue -> customer's server. Mail rejected at either stage is bounced back to the Internet as a DSN. (c) ZeroSPAM.ca]
Two major stages
During the SMTP handshake, integrity and authentication checks enable us to block more than 50% of incoming connections. This is what is referred to as envelope filtering. For example, email sent through open relays, zombies (desktops infected with viruses that generate spam) or open proxies is blocked at this stage. ZEROSPAM also rejects inappropriate connections based on its own list of blacklisted addresses and sources known for sending spam. Furthermore, certain connections are blocked when the sender does not provide valid parameters in the HELO/EHLO command of the SMTP protocol.
Messages that have successfully passed the envelope filtering stage are then forwarded for content-analysis, where they are subject to several layers of analysis that jointly determine the likelihood that the message is spam. Messages are assigned a score based on specific criteria. If the score is above a certain threshold, the message is quarantined. If the score is below the threshold, it is sent to the client's gateway.
Below is an overview of the various content-analysis layers:
- Heuristic algorithms: Heuristic filtering refers to all the techniques used to analyze various characteristics of messages. Before a message is classified, several characteristics are examined. To adapt its detection techniques to shifting spam tactics, ZEROSPAM continually develops, updates and applies new analysis rules.
- Bayesian statistical analysis: This technique requires a database consisting of thousands of spam and legitimate emails, referred to as the spam and ham collections. The content of each new email is analyzed and its text is segmented into strings (tokens). Each string is compared against the spam and ham collections and weighted according to how often it appears in each category. These frequencies are combined using Bayes' theorem to obtain a score indicating the probability that the message is spam. Any email whose score is above a certain threshold is thus considered spam.
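The scoring described above (per-token spam/ham frequencies combined with Bayes' theorem, then a quarantine threshold as in the two-stage overview) carried through as an added example; this is illustrative code, not ZEROSPAM's implementation, and the spam/ham collections, the smoothing constant and the 0.9 threshold are constructed assumptions:

```python
import math
import re
from collections import Counter

# Constructed toy collections (a real deployment uses thousands of messages).
SPAM_COLLECTION = [
    "cheap viagra buy now limited offer",
    "win money now click here free offer",
    "buy cheap pills online now",
    "free money click the link now",
]
HAM_COLLECTION = [
    "meeting tomorrow about the quarterly report",
    "please review the attached project plan",
    "lunch on friday to discuss the budget report",
    "the project meeting is moved to monday",
]

def tokenize(text):
    """Segment message text into lowercase word tokens (the 'strings')."""
    return re.findall(r"[a-z0-9']+", text.lower())

def train(spam, ham):
    """Count, per token, how many spam and how many ham messages contain it."""
    spam_counts = Counter(t for msg in spam for t in set(tokenize(msg)))
    ham_counts = Counter(t for msg in ham for t in set(tokenize(msg)))
    return spam_counts, ham_counts, len(spam), len(ham)

def token_spam_probability(token, model, k=0.5):
    """P(spam | token) from the two collection frequencies, with additive
    smoothing (assumed k=0.5) so an unseen token never yields exactly 0 or 1."""
    spam_counts, ham_counts, n_spam, n_ham = model
    p_t_spam = (spam_counts[token] + k) / (n_spam + 2 * k)
    p_t_ham = (ham_counts[token] + k) / (n_ham + 2 * k)
    return p_t_spam / (p_t_spam + p_t_ham)  # Bayes' theorem, equal priors

def spam_score(text, model):
    """Combine per-token probabilities (naive independence) in log space to
    avoid underflow; returns P(spam | message) in [0, 1]."""
    log_spam = log_ham = 0.0
    for token in set(tokenize(text)):
        p = token_spam_probability(token, model)
        log_spam += math.log(p)
        log_ham += math.log(1.0 - p)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))

def classify(text, model, threshold=0.9):
    """Above the threshold the message is quarantined, otherwise delivered."""
    return "quarantine" if spam_score(text, model) > threshold else "deliver"

MODEL = train(SPAM_COLLECTION, HAM_COLLECTION)
```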
- Message fingerprinting (genotypic analysis): At the beginning of 2006, spammers introduced image spam, a new type of spam that effectively thwarted content analysis. Words contained in this new form of spam were incorporated into an image, making it impossible for detection systems to recognize them. This problem presented a challenge to the global anti-spam industry. Even Optical Character Recognition (OCR), a costly technique, has proved useless. So far, the only solution that can effectively prevent image spam is message fingerprinting.
Message fingerprints are profiles created from the unique form and characteristics of known spam. Message fingerprinting providers collect spam that has been reported to them from around the world by reputable volunteers. The providers use the spam to produce a message fingerprint, which is then incorporated into the filtering system in order to accurately detect messages that have a similar profile. The entire process is incredibly fast and reliable. With the advantage of having participants located around the world, a spam message received in Korea at 2:12 p.m., for example, is reported to the fingerprinting provider at 2:13 p.m. At 2:14 p.m., this spam's fingerprint is added to the filtering system, making it a near real-time detection system.
At the beginning of May 2007, ZEROSPAM signed an agreement with Cloudmark, a world-renowned message fingerprinting provider, and incorporated a genotypic analysis layer into its architecture. This incredibly effective upgrade marked the end of image spam for ZEROSPAM's customers.
- Virus detection: The antivirus layer blocks 99% of viruses, worms and executable files. Malicious content is deleted rather than quarantined. The virus fingerprints used by ZEROSPAM are updated every 30 minutes. Anti-virus protection is an integral part of the ZEROSPAM solution. It significantly reduces the burden on the server, as viruses, worms and executable files are deleted before they reach it.
- Anti-phishing protection: Three separate techniques are used to provide extremely effective protection against phishing. First, message fingerprinting instantly detects phishing email for which there is a positive signature. Secondly, we monitor and analyze active phishing campaigns and then continually apply new detection rules, thereby fine-tuning the filtering quality. Thirdly, SMTP integrity checks monitor the authenticity of email from major financial institutions.
- Feedback: As ZEROSPAM filters millions of spam messages every day, our system constantly becomes more intelligent. In fact, by analyzing spam collections, we are able to continually apply new rules and constantly improve the filtering quality.
It is important to note that whenever an email is rejected, whether it is filtered on the basis of its envelope or content, the sender receives a non-delivery notification. Therefore, if the email is mistakenly quarantined, the sender is notified that the message was blocked. He or she may then contact you to let you know. You can thus retrieve the message in the quarantine and release it.