Spam quarantine and SMTP checks: how does it work?

Spam quarantine and SMTP checks: how does it work?

When selecting an email filtering platform to protect your company from malware and viruses, understanding how spam quarantine and SMTP checks work can go a long way in helping you find a solution that works best for you.

After all, it doesn’t do you much good to filter out spam emails if important, legitimate emails are also falsely identified as spam. Nor should you settle for a filter that only blocks some, but not all spam messages. A single virus that is opened by an unwary employee could unleash untold damage on your company's servers.

So how does a reliable spam quarantine system work? The best systems use two levels of validation to ensure your company is kept safe.

Level One: SMTP Authentication

SMTP authentication checks play an essential part of the spam filtering process. Essentially, when incoming mail reaches the cloud filtering system, a check is performed during the mail server conversation to identify any domain or IP-related issues. SMTP checks are performed to verify the trustworthiness of the sender -- one of the most straightforward methods of identifying and eliminating ransomware, viruses, and other spam messages.

For example, SMTP authentication will submit the incoming email to sender reputation and spoofing checks, domain validation, protocol behaviour checks and even checking for botnets, blacklisted or dynamic IP addresses. Using these criteria makes it easy and inexpensive to reject suspicious connections before the spam quarantine analysis system ever needs to examine the contents of the email.

This authentication method takes a deep dive to filter out spam email based on rejected connections. Whether the sender used an invalid or not fully qualified domain or the message was sent from a domain flagged for abusive mailings, it will be blocked with the help of SMTP authentication during this first stage of analysis.

Level Two: Content Evaluation

While SMTP authentication can eliminate the vast majority of suspicious emails, it is not the only level of verification. A quality filtering system will then proceed to examine the contents of all messages that made it through the SMTP authentication process. Content will be evaluated for suspicious links, forbidden file types, and other contextual clues that reveal a message to be spam.

To ensure that the content is accurately assessed, multiple antivirus agents are used to scan any attached files. This even includes unzipping compressed files to examine their contents. Links and URLs are scanned using a constantly updated database of blacklisted websites, which allows for quick identification of dangerous messages.

Finally, the text and images of each email is actually subjected to a statistical classifier, which compares the content to other strings that have appeared in spam messages. Similarities in content increase the suspicious message’s spam score.

As part of this second level of validation, ZEROSPAM then applies a spam “score” to each email that is analyzed by its system. If a message has a very high spam score, it will be deleted outright to ensure that your staff is never even bothered with the content. Suspicious messages with a lower spam score will be placed into a quarantine, where they can be safely reviewed. Users may receive a quarantine digest report, so they become aware of what was blocked and can report false positives in the rare instances that those occur.


While the spam quarantine process sounds complex, the advanced technologies used to scan these messages creates a minimal delay in the actual delivery of your emails. Typically, emails that have passed the filtering process will arrive a mere two seconds later as a result of going through this two-level validation. By eliminating over 99% of all spam emails, the peace of mind and protection your company can enjoy from a quality email security platform is well worth the tiniest of delays.