eMail Relationship Manager eradicates spam almost entirely

(19/05/2009)

Network Box has developed a new system of fighting spam that significantly improves the performance of spam filters. The system, eMail Relationship Manager, has shown in beta tests over the last four months to eradicate spam almost entirely – 99.5 per cent - rather than the 95-98 per cent effectiveness of most existing anti-spam systems. (Network Box sampled 10,000 spam emails. ‘Traditional’ anti-spam systems were found to let through around 200. eMail Relationship Manager would catch at least 150 of those 200.)

eMail Relationship Manager - developed and tested by Network Box’s security analysts over the past 12 months - changes the way spam is currently classified, detected and treated by applying learning from user behaviour (as well as analysing an email’s content, reputation and IP address).

Currently, spam protection has been applied using three main methods: analysis of the message content, the reputation of the sender; and challenge response, which works by putting the onus onto the email sender to accept a challenge from the recipient, to prove who they are. Today’s anti-spam systems will rarely reach more than 95-98 per cent accuracy, which when you consider the amount of email sent, still lets through a significant number of spam emails. Challenge response systems used in isolation are notoriously unsuccessful, with as little as 40 per cent of genuine email getting through the system, as senders are reluctant to go through the challenge system.

The difference with Network Box’s eMail Relationship Manager is that it analyses and learns from the behaviour of the sender and recipient of an email, to give a score to the email which is applied in addition to traditional anti-spam filter analysis. It works by:

1. Maintaining a central database to store existing email accounts managed by Network Box on behalf of the email recipient (so genuine email from addresses kept in a users address book will be white-listed, assuming their content passes the traditional filter analysis which naturally includes the reputation of the sender). This records and analyses historical information about the relationship in order to judge the likelihood of that email containing malware or unwanted content. The database can be queried and adjusted at any time by Network Box, the organisation’s administrator, or the user. It is continually updated with every email passing through the system, and will challenge new behaviour, flagging up when a whitelisted email address changes its shape – for example, if a contact in Hong Kong suddenly starts sending emails from Russia.

2. All relationships are defined using a score based on sender + recipient + type analysis, and given a score based on the trust and strength of the relationship.

3. The system also learns from user behaviour. For example, if the email user A sends an email to email user B, then the system understands that user A trusts user B, and therefore will strengthen the score of trust in that relationship.

4. If an email relationship is scored as low, then there are number of options open to the system, depending on its configuration. It can quarantine the email and notify the recipient (it can be released with a single click from the recipient if required); challenge the sender to confirm their identity; or defer the email.

Simon Heron, Internet Security Analyst for Network Box says: “The volume and sophistication of spam email means that spam filtering needs to be continually enhanced to address the problem. Neither spam filters nor traditional challenge response systems are effective enough any more. Analysing relationships between email senders and recipients is currently a very effective way to combat spam.”

Related topics:  Internet and Web security   Virus, Worm, Email security, spyware and malware 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources