How To Nip A Little More Spam in The Bud - 01 Mar 2006

Most spam filtering systems do a good job of tagging spam, but many can be tweaked for better detection rates and better performance.

Recently a security expert ran a test on more than 254,000 email messages to see which filters work best, and then adjusted filters so that the most effective filters run first, thus reducing processor overhead. The tests were conducted against live in-coming email on a legitimate mail server.

What the expert found is quite revealing. The most effective filter on this particular mail system is a simple foreign language filter that detects more than 48.02 percent of all spam. This filter works by eliminating all email written in any language other than the specific languages that are define as valid for the enterprise.

The second most effective filter is a DNS blacklist filter, which checks mail headers to see if a message came through a mail server that is known source of spam. This particular filter eliminates another 39.82 percent of all incoming email.

Together, the foreign language filter and DNS blacklist filter work to eliminate 87.84 percent of all spam coming into the mail server. The third most effective filter is a simple word filter that works by implementing Bayesian filter. The Bayes filter eliminates another 9.57 percent of spam, and with this filter in place the total spam elimination rate reaches a total of 97.41 percent. Not too shabby, but still not perfect.

Nine more filters run after the three previously mentioned filters to catch the remaining 2.59 percent of spam. These filters include tricks such as filtering character patterns, checking for RFC mail header compliance, filtering particular character sets, looking for odd forms of spelling, etc.

With these filters in place, this particular enterprise finds that only one or two messages per month are able to slip past the filters and for many months not a single spam message makes it through. And even when one does slip past, the spam filters can easily recognize them so that similar messages do not make it through in the future.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.