Date of publication: Nov 4, 2020
New spam campaigns are being launched all the time. By spam campaign, we mean a coordinated effort using a set of emails sent over a specific period of time for an illegitimate purpose. When such an emerging threat starts targeting our clients, it sometimes happens that our filtering system does not block the campaign entirely from the start. In that case, we need to adjust our filters, and for that we first and foremost need to be informed of the problem. The time it takes before we can block a new spam campaign is called the time to block. As can be seen in the diagram below, before 2019 we were often first made aware of a new threat by a client reporting some uncaught spam. But that could take from 20 minutes to 2 hours! This was unsatisfactory: we needed a way to be informed sooner and reduce our time to block.
But then we had a breakthrough: what if we applied artificial intelligence techniques to our email flow to continuously learn about the latest threats targeting our clients? Since we're talking about still-unknown threats, unsupervised learning seemed like a good choice because it doesn't rely on emails being already labeled as spam or legitimate. So we experimented with clustering, a kind of unsupervised machine learning that consists of grouping similar objects into sets called clusters. We tuned the similarity function so that each cluster represented an email campaign. In the video, you can get an impression of how DBSCAN, the clustering algorithm we selected, enables Zerospam to set aside outlier emails that are not part of any campaign and to capture chains of similarity inside a spam campaign with many variations. After clusters are obtained, they are analyzed and alerts are generated if some clusters are suspicious.
Note: Embedded video: DBSCAN email demo, screen recording of an interactive demo of the DBSCAN algorithm found on a website (© Naftali Harris, 2012-2019). The parameters were set by us to illustrate the case of email campaign identification.
For example, the operations team is notified when a cluster is only partially blocked by our filters. That’s because a campaign should be either completely blocked, if it’s spam, or not blocked at all, if it’s a legitimate mass mailing.
The threat intelligence provided by this clustering and analysis is updated every few minutes, enabling the rules-based filtering system in Zerospam to be adjusted promptly. That means a considerably faster time to block (under 20 minutes) and safer, blissfully unaware clients.
That's how THINC (THreat INtelligence from Clustering) was born. This AI technology is what makes our Zerospam email security solution so powerful.
This summer, we added an exciting new feature to THINC that not only provides information about current campaigns and alerts of irregularities – it also blocks campaigns on demand! This is made possible by THINC’s ability to follow a campaign over time and determine if a new individual email is part of an already identified campaign.
Skipping the rules adjustment step means that campaigns can now be blocked within seconds after the operations team confirms it’s spam, saving precious minutes. This feature is now being used in Zerospam to block thousands of spam emails each week.
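The three mechanics described above (DBSCAN clustering of near-duplicate emails into campaigns with outliers set aside, an alert when a cluster is only partially blocked, and deciding whether a new email belongs to an already identified campaign) as one added example. This is illustrative code written for this article, not THINC or Zerospam code; it assumes Jaccard distance over word sets as the similarity measure, eps=0.5 and min_pts=3 as DBSCAN parameters, and a small constructed set of emails.

```python
# Added example, not Zerospam's code: a compact DBSCAN over email word sets (Jaccard
# distance) that clusters campaigns, flags partial blocks and assigns new mail.
from collections import deque
def tokens(text):
    return set(text.lower().split())     # normalised word set of one email
def distance(a, b):                      # Jaccard distance: 0.0 identical, 1.0 disjoint
    return 1.0 - len(a & b) / len(a | b) if a | b else 0.0

def dbscan(emails, eps=0.5, min_pts=3):  # one label per email: campaign id >= 0, or -1 = noise
    sets = [tokens(e) for e in emails]
    nbrs = [[j for j, t in enumerate(sets) if distance(s, t) <= eps] for s in sets]
    labels, cid = [None] * len(sets), 0
    for i in range(len(sets)):
        if labels[i] is None and len(nbrs[i]) < min_pts:
            labels[i] = -1               # noise unless later reclaimed as a border point
        if labels[i] is not None:
            continue
        labels[i], queue = cid, deque(nbrs[i])
        while queue:                     # grow the cluster through core points only
            j = queue.popleft()
            if labels[j] is None and len(nbrs[j]) >= min_pts:
                queue.extend(nbrs[j])    # core point: keep expanding
            if labels[j] in (None, -1):
                labels[j] = cid          # member, or border point reclaimed from noise
        cid += 1
    return labels

def partially_blocked(labels, blocked):  # the alert case: caught some members, not all
    caught = {lab for lab, hit in zip(labels, blocked) if hit and lab >= 0}
    return sorted(caught & {lab for lab, hit in zip(labels, blocked) if not hit})

def assign(new_email, emails, labels, eps=0.5, min_pts=3):  # campaign joined by a new email, else -1
    sets, s = [tokens(e) for e in emails], tokens(new_email)
    for i, lab in enumerate(labels):
        is_core = sum(distance(sets[i], t) <= eps for t in sets) >= min_pts
        if lab >= 0 and is_core and distance(s, sets[i]) <= eps:
            return lab
    return -1

# Constructed sample: a phishing campaign with wording variations, a newsletter, one-off mail.
EMAILS = [
    "your account has been suspended verify your account now at secure-login example",
    "your account has been suspended please verify your account now at secure-login example",
    "account has been suspended verify your account today at secure-login example",
    "weekly newsletter issue 42 read the latest news from our team",
    "weekly newsletter issue 42 read the latest news from our team unsubscribe",
    "weekly newsletter issue 42 read the latest news from our team today",
    "hi bob can we move the meeting to thursday thanks alice",
]
BLOCKED = [True, True, False, False, False, False, False]   # what the rule filter caught
```

Running `dbscan(EMAILS)` yields two campaigns and one noise email; `partially_blocked` then reports the phishing cluster because only two of its three members were caught, and `assign` places a fresh variation of the phishing text into that cluster within seconds of arrival.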
This innovation has considerably improved Zerospam’s ability to block emerging threats. It has also significantly reduced our time to block to under 5 minutes.
We continue to expand the applications of THINC. Our roadmap includes automatic campaign blocking, publishing threat intelligence, and a client interface. Stay tuned!