Spear Phishing Detection

Spear phishing is a dangerous form of threat that is on the rise and causing major concern. Spear Phishing emails usually appear to be coming from a high-level executive who has the authority to request or approve money transfers and are sent to individuals who would perform these transfers. They may also specifically target individuals who have access to sensitive information.

ZEROSPAM has created special algorithms based on factors such as the correspondence between the declared sending address, the real sending address, the reply to address, the validity of the sending domain, SPF checks, the Levenshtein distance between the TO and FROM domains and the presence of text related to money transfers or to the export of sensitive information.

The ZEROSPAM Levenshtein distance calculator

One of the techniques used by spammers is to send Spear Phishing emails from a domain that is almost identical to the destination domain. Typically, they will change, remove or add a single letter so that recipients won’t notice. For instance, a Spear Phishing email might be sent to from Some spammers even go to the trouble of registering these look-alike domains and publishing valid SPF records for them. The ZEROSPAM Levenshtein plugin detects these very minor lexical differences between the TO and the FROM domain and adds Spear Phishing scoring accordingly.

Most importantly, our team of experts works with our corporate clients to refine those rules on an on-going basis and adapt them to their specific needs. In the case of such targeted attacks, this form of collaboration is extremely valuable and not easy to come by.

Phishing Detection

Many components of the ZEROSPAM filtering architecture work together to accurately detect phishing attempts:

URL Scanning

When our two antivirus agents scan messages for viruses, they use Sane Security signatures and Google SafeBrowsing signatures to recognize dangerous URLs leading to active phishing sites
All links contained in email messages are also scanned using our wide set of highly reliable URIBL (URL blacklists) .

The ZEROSPAM specialized Anti-Phishing layer

This unique component is used to accurately detect phishing campaigns spoofing certain specific organizations. This includes organizations handling a high volume of financial transactions like eBay, PayPal and ADP, international shipping companies like UPS, Fedex and DHL and Canadian financial institutions like BMO, Desjardins and National Bank.

ZEROSPAM has carefully built and actively updates a database of the IP address of these organizations’ sending servers. When an incoming email has an Envelope-From or a Content-From address impersonating one of them, our Anti-Phishing layer uses this database to validate the sending server’s IP address. When there is no match, the email is quarantined with a high score.

Plus, thanks to it’s vast user-base and active feedback loop, ZEROSPAM has a large corpus of Canadian Phishing attempts. When messages go through our statistical engine, this corpus is used to detect typical phishing attempts vocabulary in French and in English. Canadian customers who have migrated from a US-based Anti-Spam solution to ZEROSPAM consistently report better recognition of phishing attempts.

The ZEROSPAM constantly-updated heuristics

Our rule-master team is constantly updating our filtering rules and adding new heuristics to block morphing or emerging phishing campaigns caught by our spam traps or reported by our vast user base.