
SmoothWall SmoothZap 2.0 Module - Secure Email



Starting at $599.00


Multi-Engine Detection

For every message:

  • The four spam identification engines utilize more than one million filter checks to identify spam with an incredibly high accuracy rate, and a near-zero false positive rate.
  • Creates a fingerprint ID for every e-mail message and compares it to existing fingerprints in its databases.
  • Results are combined using SpamScore, a proprietary Bayesian statistical formula, into one final spam probability score.

SpamBulk Engine: Has the message, or have similar messages, been sent in bulk?

For each email, Mailshell creates a fingerprint ID of the message. Unlike conventional fingerprint hashes, Mailshell's fingerprints only include elements of the message hardest for spammers to fake or change.

  • The fingerprints are added to Mailshell's database of fingerprints and then queried when analyzing new, incoming mail.
  • Every five minutes (configuration option), the most active, useful fingerprints are automatically downloaded to the SmoothWall SmoothZap system.

Mailshell's patent-pending ID Module bulk detection system uses Bayesian analysis to detect whether a message was sent via bulk email.

  • Bayesian statistical analysis calculates 'sameness' among messages, i.e., it determines whether 'Message A' is fundamentally the same as 'Message B' despite spammers' efforts to obfuscate.
  • Though many anti-spam solutions, including Mailshell's, use Bayesian filtering to analyze message content, Mailshell is the only solution to use Bayesian analysis to detect bulk mail.

SpamRepute Engine: Determines the reputation of the sender, i.e. whether most people want to receive the message.

  • SpamRepute queries proprietary and third-party databases of IP addresses, domains, and email addresses of known spammers to help accurately identify spam.
  • Mailshell's proprietary database of known spammers is augmented by SpamPit which accurately adds to the list of known spammers with complete confidence.
  • Mailshell's real-time collaborative network collects user feedback from users worldwide to better determine whether people want to receive specific messages.
  • Just as the SpamBulk engine identifies 'sameness' among messages disguised to appear different, the Bayesian-based patent-pending Sender ID Module can predict that two messages were sent by the same spammer, despite the spammer's attempts to conceal their identity. Mailshell is the only solution to use Bayesian analysis to determine sender reputation.
  • All of this data is combined to create a SpamRepute Index, Mailshell's proprietary method of quantifying reputation to guard against phishing, fraud and foreign language spam.

SpamContent Engine: Examines the message to identify spam-related content. Message format, layout, design and vocabulary are considered as part of thousands of checks on message attributes including:

  • To Field
  • Subject Field
  • Header Fields
  • Email Format, Design, and Layout
  • Vocabulary, Word Formatting and Word Patterns
  • Foreign Language Detection
  • SMTP Envelope Content and Analysis
  • Country Trace
  • Image Layout Classification
  • Hyperlink Analysis and Comparison
  • Contact Verification

Mailshell's SpamContent engine also parses words into pieces (or n-grams), which allows the detection of similar vocabulary even if the words are not exact matches.

Mailshell also conducts Bayesian analysis of message content. The engine then uses its SpamAdapt AI technology to ensure that the engine 'learns' over time, as spam changes.

SpamTricks Engine: Is the message formatted or sent to bypass anti-spam rules or to be economical for spammers?

  • Tactics spammers use to reduce the costs of sending large volumes of mail; and
  • Tactics spammers employ to circumvent spam filters.

Common tricks include the use of image-only messages, HTML obfuscation, and manipulation using relays and mail formats. Detection draws on various kinds of header analysis, including time stamps, and SMTP envelope analysis.

SpamTricks also looks for fraudulent spam, frequently known as 'phishing', whereby messages appear to be from a known company and attempt to trick users into revealing personal information.

Multiple Spam Detection Methods

SmoothZap blocks malicious email and as much as 99% of spam before it reaches its target mail server or user PCs, reducing both Internet bandwidth utilization and wasted mail server resources. It does this using a number of sophisticated techniques, including: Mailshell spam detection software, SMTP validity checking, "greylisting", RBL checking and domain spoofing detection.

Mailshell Spam Detection: The multi-engine spam detection software from Mailshell has been shown by independent tests to be one of the very best anti-spam products. It analyses email on the basis of its content, sender reputation, whether it was sent in bulk and any unusual formatting which is characteristic of spam. Automatic update of the detection signatures every five minutes provides quick reaction to emerging spam outbreaks.

SMTP Validity Checking: Malformed email is either spam or designed to attack mail servers or clients. Many mail servers have been subject to vulnerabilities which can be exploited by specially crafted emails, typically using buffer overflow techniques to get the mail server to run the attacker's program code. SmoothZap checks that all received SMTP email is correctly formed and standards compliant, thereby protecting vulnerable mail servers and clients from this form of attack.

The vast majority of spam mail is sent through large networks of compromised home computers, known as "zombies" or "botnets", that are under the remote control of spammers. Unknown to their owners, the PCs are running a remote control program that was normally installed by an email virus. These computers effectively become "open relays", that is, they accept and relay mail from anyone to anyone, which makes them very useful to spammers. Fortunately, most of these computers run SMTP software that is badly implemented and does not conform to standards, enabling SmoothZap to reject their email as spam.

Greylisting: This mechanism temporarily rejects email from unknown senders. Any genuine standards-compliant email server will try to resend the mail after a short delay. When SmoothZap sees the same email sent a second time it will accept and relay the mail - and record the sender as trusted. Any subsequent email from that sender will be accepted immediately. Most spam comes from systems that do not waste their time trying to resend email to failed addresses.
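The greylisting decision described above, as an added Python sketch (not SmoothZap's own code). The delay values, the (client IP, sender, recipient) key, the (client IP, sender) notion of a "trusted sender" and the SMTP reply texts are assumptions made for the example.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300          # assumed: seconds that must pass before a retry counts
RETRY_WINDOW = 4 * 3600  # assumed: a pending entry older than this is discarded
DEFER = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 OK"

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    trusted: set = field(default_factory=set)    # (client_ip, sender) that retried

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        sender = (client_ip, mail_from.lower())
        if sender in self.trusted:
            return ACCEPT                        # known sender: accept immediately
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            self.pending[key] = now              # first sight, or stale entry: start over
            return DEFER
        if now - first_seen < MIN_DELAY:
            return DEFER                         # retried too quickly to count
        del self.pending[key]
        self.trusted.add(sender)                 # standards-compliant retry seen
        return ACCEPT

# Constructed sample attempts: (client_ip, mail_from, rcpt_to, time in seconds)
SAMPLE = [
    ("192.0.2.10", "alice@partner.example", "bob@corp.example", 0),      # first attempt
    ("192.0.2.10", "alice@partner.example", "bob@corp.example", 30),     # retry too soon
    ("192.0.2.10", "alice@partner.example", "bob@corp.example", 900),    # proper retry
    ("192.0.2.10", "alice@partner.example", "carol@corp.example", 950),  # now trusted
    ("203.0.113.7", "promo@bulk.example", "bob@corp.example", 1000),     # never retries
]

def replay(events):
    """Run the attempts through a fresh greylist; return the reply codes."""
    greylist = Greylist()
    return [greylist.check(*event)[:3] for event in events]

if __name__ == "__main__":
    for event, code in zip(SAMPLE, replay(SAMPLE)):
        print(code, event)
```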

Remote Blackhole List (RBL): SmoothZap has the option to utilize RBL services that maintain databases of IP addresses that are acting as open mail relays through which spam mail is sent. Any email received from an IP address in an enabled RBL list will be rejected by SmoothZap.

Sender Domain Spoofing: SmoothZap checks whether the sender of an incoming email is falsely using an internal domain in their "from" address (i.e. pretending to be somebody within your own organization). Any such email will be rejected unless it is from a member of a list of remote senders, i.e. people who send company email from home, WiFi hotspots, hotels etc.
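One way to express this check, as an added Python example (not SmoothZap's own code). It goes slightly beyond the text by testing both the SMTP envelope sender and the From header; the domain, the remote-sender list, the sub-domain handling and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}            # assumed internal domain
REMOTE_SENDERS = {"roadwarrior@corp.example"}  # assumed list of remote senders

def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def is_internal(domain):
    # Assumption: sub-domains of an internal domain count as internal too.
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def check_inbound(mail_from, raw_message):
    """Verdict for a message arriving from outside: 'accept' or 'reject'."""
    header = message_from_string(raw_message).get("From", "")
    header_from = parseaddr(header)[1]          # address only, display name dropped
    for addr in (mail_from, header_from):
        addr = addr.strip("<>").lower()
        if is_internal(domain_of(addr)) and addr not in REMOTE_SENDERS:
            return "reject"                     # outsider claiming an internal address
    return "accept"

# Constructed inbound messages: (envelope sender, raw message)
SAMPLES = [
    ("bounce@mailer.example",
     "From: Payroll <payroll@corp.example>\nSubject: Update\n\nbody"),
    ("roadwarrior@corp.example",
     "From: roadwarrior@corp.example\nSubject: Report\n\nbody"),
    ("news@vendor.example",
     "From: Vendor News <news@vendor.example>\nSubject: Hi\n\nbody"),
    ("it@mail.corp.example",
     "From: IT <it@mail.corp.example>\nSubject: Reset\n\nbody"),
]

def verdicts():
    """Verdict for each constructed sample, in order."""
    return [check_inbound(sender, raw) for sender, raw in SAMPLES]

if __name__ == "__main__":
    for (sender, _), verdict in zip(SAMPLES, verdicts()):
        print(verdict, sender)
```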

Independent Tests

Results based on various tests conducted by independent third parties.

  1. Mailshell Engine as deployed by Panda in GateDefender 8200 and reviewed in Security Appliances Keep Mail Stream Clean, Government Computer News, April 4, 2005.
  2. MessageLabs Anti-spam Service as reviewed in Anti-Spam Benchmark Service, VeriTest Q1 2005.
  3. CipherTrust as reviewed in Analyzing the Spam Test Results, Network World, December 20, 2004.
  4. McAfee SpamKiller 6.0 as reviewed in CNET Preview, New York Times, November 2, 2004.
  5. Proofpoint Messaging Security GW as reviewed in Anti-Spam Benchmark Service, VeriTest Q1 2005.
  6. Barracuda as reviewed in Analyzing the Spam Test Results, Network World, December 20, 2004.
  7. Cloudmark as reviewed in Analyzing the Spam Test Results, Network World, December 20, 2004.
  8. MailFrontier as reviewed in Analyzing the Spam Test Results, Network World, December 20, 2004.
  9. Sophos as reviewed in Analyzing the Spam Test Results, Network World, December 20, 2004.
  10. Symantec as reviewed in Analyzing the Spam Test Results, Network World, December 20, 2004.