Filtering architecture

Envelope filtering eliminates 90% of unwanted messages

During the SMTP handshake, an elaborate system of integrity and authentication checks enables us to block approximately 90% of incoming connections. This is what is referred to as envelope filtering. For example, email sent from blacklisted domains or IPs, by botnets (networks of infected desktops controlled by spammers), through open proxies or open relays, or from spoofed domains is blocked at this stage. Furthermore, certain connections are blocked when the sender does not provide valid parameters during the HELO command of the SMTP protocol. ZEROSPAM also rejects inappropriate connections based on its own list of blacklisted addresses and sources known for sending spam.
All cloud Anti-Spam providers bounce a percentage of incoming email. However, ZEROSPAM has developed many more envelope authentication checks than other providers. When migrating from other Anti-Spam solutions, customers invariably report that the ZEROSPAM quarantine is much smaller.

Messages rejected at the envelope filtering stage cannot be retrieved, as they are bounced before being accepted by our servers. However, the Cumulus message log clearly indicates the reason why every message bounced at the envelope filtering stage during the last 30 days was rejected. False positives at the envelope filtering stage are quite rare and typically indicate a problem on the sender side that will affect their ability to send email at large. These problems may include the sender having recently become blacklisted or using a recently added server that has not been listed in their SPF record.
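The following is an added example, not ZEROSPAM's code, showing the kind of decision an envelope stage makes before any message body is accepted: IP and domain blocklists, a syntactic check of the HELO argument (RFC 5321 expects a fully qualified host name or an address literal), a check that an external host is not claiming one of our own domains, and an SPF-style check of the connecting IP against the sender domain's authorised networks. The blocklists and the SPF table are constructed stand-ins for real DNSBL and DNS TXT lookups, and the reply texts are illustrative; rejections use permanent 5xx codes so that the sender receives a bounce, as described above.

```python
import ipaddress
import re

# Constructed policy data standing in for real blocklists and DNS lookups.
IP_BLOCKLIST = {ipaddress.ip_address("203.0.113.7")}      # TEST-NET-3 address, constructed
DOMAIN_BLOCKLIST = {"spam-example.invalid"}               # constructed
LOCAL_DOMAINS = {"example.com"}                            # domains this gateway receives for
# Hypothetical stand-in for SPF data that would normally be resolved from DNS.
SPF_TABLE = {
    "partner.example.net": {ipaddress.ip_network("198.51.100.0/24")},
}

# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if the HELO argument looks like a fully qualified host name."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def is_address_literal(name: str) -> bool:
    """True for the RFC 5321 alternative to a host name: [192.0.2.1] or [IPv6:...]."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    inner = name[1:-1]
    if inner.startswith("IPv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def check_envelope(client_ip: str, helo: str, mail_from: str):
    """Return (accepted, smtp_reply) for one SMTP envelope.

    Every rejection is a permanent 5xx reply issued before DATA, so nothing
    is stored and the sending server generates the non-delivery notice.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in IP_BLOCKLIST:
        return False, "554 5.7.1 Connection refused: client IP is blocklisted"
    if not (is_fqdn(helo) or is_address_literal(helo)):
        return False, "501 5.5.2 Invalid HELO/EHLO argument"
    if helo.lower() in LOCAL_DOMAINS:
        # An outside host announcing itself as one of our own domains is spoofing.
        return False, "550 5.7.1 HELO claims to be a local domain from an external host"
    domain = mail_from.rsplit("@", 1)[-1].lower() if "@" in mail_from else ""
    if domain in DOMAIN_BLOCKLIST:
        return False, "550 5.7.1 Sender domain is blocklisted"
    if domain in SPF_TABLE and not any(ip in net for net in SPF_TABLE[domain]):
        # The case mentioned above: a new sending server not yet in the SPF record.
        return False, "550 5.7.23 Sending host not authorised by sender's SPF record"
    return True, "250 2.1.0 Sender OK"


if __name__ == "__main__":
    for args in [
        ("203.0.113.7", "mail.partner.example.net", "a@partner.example.net"),
        ("198.51.100.10", "mail", "a@partner.example.net"),
        ("192.0.2.5", "mail.partner.example.net", "a@partner.example.net"),
        ("198.51.100.10", "mail.partner.example.net", "a@partner.example.net"),
    ]:
        print(args, "->", check_envelope(*args))
```

Each tuple in the `__main__` block exercises one branch: a blocklisted IP, a bare HELO name, a sending host outside the partner's SPF network, and a clean connection that is accepted.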

Second filtering stage: content analysis

Messages that have successfully passed the envelope filtering stage are then forwarded for content analysis, where they are subject to several layers of analysis performed simultaneously.


Virus detection

Scanning by 2 antivirus agents is an integral part of the ZEROSPAM architecture. The virus fingerprints used by ZEROSPAM are updated every 30 minutes. Messages recognised as infection vectors are destroyed.

Ransomware protection, detection of executable files and other banned attachments

Most ransomware is propagated through hidden executable files sent by email. Every attachment sent to ZEROSPAM customers by email goes through a strict security checkpoint to determine whether or not it is in fact an executable file. Windows and Mac OS executables are the most common, but we also recognise Linux and other executable files because we use a multi-factor analysis system. This system detects executable code hidden in any type of file.

None of the tricks commonly used by spammers to avoid detection can interfere with our analysis. If the file is compressed, we open it to analyze the contents. If several archives are enclosed in a single zipped file like Russian dolls, we dig down through many levels, opening archive after archive to get to the real content. We look at the declared MIME type and file extension, but we don't stop there. We use a special tool kit of heuristics to determine the real MIME type and file extension.
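As an added illustration (not ZEROSPAM's own detection engine) of the two points above, the following scanner ignores the declared file name, identifies executables by their leading magic bytes (PE, ELF and Mach-O), and descends recursively into zip archives nested inside zip archives. The nesting limit, the magic-number table and the sample attachment (a zip inside a zip hiding a PE stub called `invoice.pdf`) are all constructed for the example.

```python
import io
import zipfile

MAX_DEPTH = 5  # assumed recursion limit for nested archives; a real engine would also cap decompressed size

# Leading bytes of common executable containers, keyed by magic number.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "Linux/Unix ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary / Java class",
}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts any non-empty zip


def sniff_executable(data: bytes):
    """Return a description if the content starts with a known executable magic number."""
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return desc
    return None


def scan_attachment(name: str, data: bytes, depth: int = 0, path: str = ""):
    """Recursively scan one attachment, opening zip archives level by level.

    Returns a list of (path_inside_attachment, verdict). The declared file name
    is only used for reporting; the verdict comes from the bytes themselves.
    """
    findings = []
    here = f"{path}/{name}" if path else name
    verdict = sniff_executable(data)
    if verdict:
        findings.append((here, verdict))
        return findings
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_DEPTH:
            # Too many Russian dolls: treat as suspicious rather than give up silently.
            findings.append((here, "archive nesting too deep; treated as suspicious"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)
                findings.extend(scan_attachment(info.filename, inner, depth + 1, here))
    return findings


def build_sample() -> bytes:
    """Constructed test input: a zip inside a zip, hiding a PE stub named invoice.pdf."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"fake PE stub for testing only"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf", fake_pe)   # extension lies about the content
        zf.writestr("readme.txt", b"just text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for found_path, found_verdict in scan_attachment("attachment.zip", build_sample()):
        print(found_path, "->", found_verdict)
```

Running the script reports `attachment.zip/docs.zip/invoice.pdf` as a Windows executable even though nothing in the file names suggests one; in a gateway, any finding would route the whole attachment to quarantine.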

The default configuration is that all types of executable files are recognised as such and quarantined on our servers. They can't be harmful unless they are released from the quarantine by an administrator or by the recipient.

Cybercriminals also use infected macros in Microsoft Office documents to propagate ransomware, since macros have the ability to run software. They can be considered a form of executable file. Cybercriminals prefer to use old versions of Microsoft Office files since, as of 2007, Microsoft added the letter m to the name of the extension (docm, xlsm) to clearly indicate the presence of macros. ZEROSPAM offers the option to enable full blocking of all pre-2007 Microsoft Office files containing macros. When this option is selected, these files are automatically quarantined.

ZEROSPAM also integrates signatures on active Zero-Day and Zero-Hour campaigns using infected macros as their mode of propagation. These signatures are updated every hour and integrated in our filtering architecture in real time.

Detection of dangerous links

ZEROSPAM scans every link contained in every email. Each link is analyzed in multiple ways to make sure it’s safe. This includes:

  • scanning by our two antivirus agents
  • analysis using Sanesecurity signatures on Zero-Day and Zero-Hour malware
  • scanning using a wide set of highly reliable URL blacklists

Phishing and Spear Phishing Detection

The ZEROSPAM architecture integrates a special Anti-Phishing layer that uses several components to detect phishing attempts:

  • Virus scanning
  • URL scanning
  • Bayesian analysis
  • Our own set of phishing heuristics

Heuristic algorithms

Heuristic filtering refers to all the detection rules used to analyze various characteristics of messages. Before a message is classified, it goes through the entire set of rules, and each triggered rule adds a small spam score to the message. When the analysis is complete, if the total score reaches a certain threshold, the message is quarantined. Messages with very high spam scores are simply deleted so as not to burden the quarantine.

Bayesian statistical analysis

This technique requires a database consisting of thousands of spam and legitimate emails, referred to as the spam and ham collections. The content of each new email is analyzed and the text is segmented into strings. These strings are compared with the spam and ham collections and classified according to how often they appear in each category. From these frequencies, Bayes' theorem yields a score indicating the probability that the message is spam. The message's spam score is then updated to reflect this probability.
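To make the two preceding sections concrete, here is an added, self-contained example (not ZEROSPAM's engine) that combines them: a handful of heuristic rules that each add a small score, a naive Bayes classifier trained on constructed spam and ham collections whose output is mapped onto the same additive scale, and a final decision that delivers, quarantines, or deletes depending on which threshold the total reaches. The rules, their weights, the thresholds, the training sentences and the smoothing are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed training collections standing in for real spam/ham corpora.
SPAM_COLLECTION = [
    "cheap pills online buy now limited offer",
    "you won a prize claim your money now",
    "buy cheap viagra online now",
    "urgent wire transfer money prize winner",
]
HAM_COLLECTION = [
    "meeting moved to thursday please confirm",
    "attached is the quarterly report for review",
    "can you review the draft before the meeting",
    "please confirm the invoice details for the report",
]

QUARANTINE_THRESHOLD = 5.0   # assumed values, not the product's
DELETE_THRESHOLD = 11.0


def tokenize(text: str):
    """Segment text into lower-case alphanumeric strings."""
    return re.findall(r"[a-z0-9]+", text.lower())


class BayesFilter:
    """Per-token spam probabilities from document frequencies in each collection,
    with add-one smoothing so that a token seen in only one corpus cannot decide
    the verdict by itself."""

    def __init__(self, spam, ham):
        self.spam_counts = Counter(t for m in spam for t in set(tokenize(m)))
        self.ham_counts = Counter(t for m in ham for t in set(tokenize(m)))
        self.n_spam, self.n_ham = len(spam), len(ham)

    def token_prob(self, tok):
        # P(spam | token), derived from how often the token appears in each collection
        s = (self.spam_counts[tok] + 1) / (self.n_spam + 2)
        h = (self.ham_counts[tok] + 1) / (self.n_ham + 2)
        return s / (s + h)

    def spam_probability(self, text):
        # Naive Bayes with equal priors: combine token probabilities in log space.
        toks = set(tokenize(text))
        if not toks:
            return 0.5
        log_s = sum(math.log(self.token_prob(t)) for t in toks)
        log_h = sum(math.log(1 - self.token_prob(t)) for t in toks)
        return 1 / (1 + math.exp(log_h - log_s))


# Assumed heuristic rules: (name, score added when triggered, test).
HEURISTIC_RULES = [
    ("ALL_CAPS_SUBJECT", 2.0, lambda subj, body: subj.isupper() and len(subj) > 5),
    ("MANY_EXCLAMATIONS", 1.5, lambda subj, body: body.count("!") >= 3),
    ("MONEY_AND_URGENCY", 2.5, lambda subj, body: "$" in body and "urgent" in body.lower()),
    ("GENERIC_GREETING", 0.5, lambda subj, body: body.lower().startswith("dear customer")),
]


def classify(subject, body, bayes):
    """Return (verdict, total_score, triggered_rule_names)."""
    score, hits = 0.0, []
    for name, weight, test in HEURISTIC_RULES:
        if test(subject, body):
            score += weight
            hits.append(name)
    p = bayes.spam_probability(subject + " " + body)
    # Bayesian evidence on the same scale: up to +6 for spam, down to -6 for ham.
    score += 12 * (p - 0.5)
    if score >= DELETE_THRESHOLD:
        verdict = "delete"
    elif score >= QUARANTINE_THRESHOLD:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return verdict, round(score, 2), hits


if __name__ == "__main__":
    bf = BayesFilter(SPAM_COLLECTION, HAM_COLLECTION)
    print(classify("YOU WON A PRIZE!!!", "Dear customer, URGENT: claim your $1000 prize money now!!!", bf))
    print(classify("Cheap pills online", "Buy now, limited offer", bf))
    print(classify("Quarterly report", "Hi Sam, the draft report is attached, please review before the meeting.", bf))
```

The three sample messages land in the three outcomes described above: the first trips every heuristic and scores past the delete threshold, the second carries only Bayesian evidence and is quarantined, and the third is ham and is delivered with a negative score.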

Message size

The maximum size for individual inbound and outbound messages is 50 MB. Larger messages are bounced. If they so desire, clients can configure smaller maximum sizes in our management interface.

Delivery to the mail server

Messages that are under the spam threshold and pass all of these checks are delivered to the client gateway without tagging, as if they came directly from the Internet. The process typically takes under 2 seconds.

Feedback loop

As ZEROSPAM filters millions of spam messages every day, our system constantly becomes more intelligent. In fact, by analyzing what is being reported as undetected spam and what is being released from client quarantines, we are able to continually apply new rules and constantly improve the filtering quality.

It is important to note that whenever an email is rejected, whether it is blocked at the envelope or content filtering stage, the sender receives a non-delivery notification. Therefore, if the email is legitimate, the sender is notified that the message was blocked. He or she may then contact the intended recipient.

"Technically, it is one of the best solutions out there. That's why we run it."

- D. Scott, CTO, EPIC Information Solutions