Tricks used by spammers to avoid detection
Blocking unwanted emails is akin to cat-and-mouse game, where spammers are always looking for new tricks allowing their emails sneak in through spam filters.Most spam filters use common techniques to filter junk. Below is a list of filtering techniques that you will most likely find in any email filtering software:
| IP Reputation | Several services on the Internet track reputation of IP addresses through Real-time Blackhole List (RBL) servers. |
|---|---|
| SPF, DKIM & DMARC | Most filtering solutions will use these technologies to filter forgeries. |
| Dynamic IP addresses | Email servers are meant to run on networks with static IP address. Email filtering software will reject emails generating from dynamic IP addresses |
| Network best practices | It is expected that the sending server follow certain best practices, such as having MX and PTR record in the DNS server. Additionally, using SSL/TLS when communicating is also becoming popular. |
CuRE To The Rescue
Filtering software have to stay one step ahead of tricks and techniques used by spammers. This is where CuRE (Custom Rules Engine) comes in. Consider the following examples where traditional filtering rules won't work but CuRE can effectively block messages. CEO Forgery
This trick involves forging the name of C-Level employees. Although it is very easy to detect forgeries in an
email address/domain, there is no way to determine if a name is forged. A naive user can be easily tricked into
opening an unwanted attachment if the message appears to come from the CEO.
Filter that help block such emails.
Filter that help block such emails.
- Sender Name Forgery
Tricky Sender
Emails clients typically prefer displaying the sender's name over email address. Spammers exploit this behavior by
entering multiple addresses in the FROM header. They also use a fake domain name in the envelope to avoid getting
flagged by SPF and DMARC filters.
Filter that help block such emails.
Filter that help block such emails.
- Sender Name Forgery
- Tricky Sender
Hidden Characters
Often administrators specify a set of keywords they consider harmful and block them. Spammers often use techniques
to obfuscate words by using different techniques. For example:
- Using invisible characters - one such example is a Bitcoin scam.
- Misspelled words - For instance using the digit 1 (one) instead of a lower case L or an @ sign instead of an a
- Inserting text by absolute positioning in CSS Using CSS spammers can place otherwise hidden letter in between a word, which will only appear when an HTML client renders the text.
- Non-Printable Characters
- Hidden HTML Blocks
- Invisible Text
Obfuscated Attachments
Several file extensions are considered bad universally. Spammers try to obfuscate them by hiding their payload behind
innocent extensions. For example:
- A
*.rtffiles disguised as a*.docfile. - A
*.zipfile containing harmful attachments, such as a document that say "Invoice.xlsx" - MS Office documents containing macros
- Sender Name Forgery
Filter Unwanted Languages
Many organizations do not get any business related emails in foreign languages. Using Language filters you can
assign scores to emails containing foreign characters.
Filter that help block such emails.
Filter that help block such emails.
- Language Filters
Links Reputation
Xeams can inspect the reputation of HTML links within emails and block them if links refer to known sites that
try to lure users.
Filter that help block such emails.
- External HTML Link Filter