Spam Filters Explained
What do they do? How do they work?
Which one is right for me?
Spam is a very real problem that many people have to deal with on a daily basis. For those that have decided to do something about it and start to investigate the options available in spam filtering, this article provides a brief introduction to those options and the types of spam filters available.
Despite the bewildering array of spam filters available today, all claiming to be “the best of its kind”, there are really just five filtering methodologies in general use today. All products rely on one, or a combination of these:
Content-based filters
“In the beginning, there were content-based filters.”
These filters scan the contents of the email and look for tell-tale signs that the message is spam. In the early days of spamming it was quite simple to look out for “kill words” such as “Lose Weight” and mark a message as spam if it was found.
Very soon, though, spammers got wise to this and started to resorting to all kinds of tricks to get their message past the filters. The days of “obfuscation” had begun. We started getting messages containing the phrase “L0se Welght” (notice the zero for “o” and “l” for “i”) and even more bizarre – and sometimes quite ingenious – variations.
This rendered basic content-based filters somewhat ineffective, although one or two now on the market are clever enough to “see through” these attempts and still provide good results.
Bayesian-based filters
“The Reverend Bayes comes to the rescue”
Born in London 1702, the son of a minister, Thomas Bayes developed a formula which allowed him to determine the probability of an event occurring based on the probabilities of two or more independent evidentiary events.
Bayesian filters “learn” from studying known good and bad messages. Each message is split into single “word bytes” or tokens, and these tokens are placed into a database along with a record of how often they are found in each kind of message.
When a new message arrives to be tested by the filter, the new message is also split into tokens and each token is looked up in the database. By extrapolating results from the database and applying a form of the good reverend’s formula, known as a “Naive Bayesian” formula, the message can be given a “spamicity” rating and dealt with accordingly.
Bayesian filters typically are capable of achieving very good accuracy rates (>97% is not uncommon), and require very little on-going maintenance.
Whitelist/blacklist filters
“Who goes there, friend or foe?”
This very basic form of filtering is seldom used on its own nowadays, but can be useful as part of a larger filtering strategy.
A “whitelist” is nothing more than a list of e-mail addresses from which you wish to accept communications. A whitelist filter would only accept messages from these people and all others would be rejected.
A “blacklist”, conversely, is a list of e-mail addresses – and sometimes IP addresses (computer identification addresses) – from which communications will not be accepted.
While this may seem like a good idea from the outset, a whitelist methodology is too restrictive for most people and, as virtually all spam emails carry a forged “from” address, there is little point in collecting this address to ban it in future as it is very unlikely to be the same next time.
There are bodies on the internet that maintain a list of known “bad” sources of email. Many filters today have the ability to query these servers to see if the message they are looking at comes from a source identified by this Internet-based blacklist, or RBL. Although quite effective, they do tend to suffer from “false positives” where good messages are incorrectly identified as spam. This happens often with newsletters.
Challenge/response filters
“Open sesame!”
Challenge/response filters are characterised by their ability to send an automatic response to a previously unknown sender asking them to take some further action before their message will be delivered. This is often referred to as a “Turing Test” – named after a test devised by British mathematician Alan Turing to determine if machines could “think”.
Recent years have seen the appearance of some internet services which automatically perform this Challenge/Response function for the user and require the sender of an email to visit their web site to facilitate the receipt of their message.
Critics of this system claim that this is too drastic a measure and that it sends a message that “my time is more important than yours” to the people trying to communicate with you.
For some low traffic email users, though, this system alone may be a perfectly acceptable method of completely eliminating spam from their inbox – one step above the “whitelist” system outlined above.
Community filters
“A united front”
These types of filters work on the principle of “communal knowledge” of spam. When a user receives a spam message, they simply mark it as such in their filter. This information is sent to a central server where a “fingerprint” of the message is stored.
After enough people have “voted” this message to be spam, then it is stopped from reaching all the other people in the community.
This type of filtering can prove to be quite effective, although it stands to reason that it can never be 100% effective as a few people have to receive the spam for it to be “flagged” in the first place. Just like its similar cousin the Internet black list (RBL), this system also can suffer from “false positives”, or messages incorrectly identified as spam.
Hopefully you are now armed with more knowledge to be able to make an informed decision on the best spam filter for you.
For more information, consider reading the reviews and articles found at http://www.whichspamfilter.com
Alan Hearnshaw is the owner of http://www.whichspamfilter.com, a web site which conducts weekly in-depth reviews of current spam filters, gives help and guidance in the fight against spam and provides a useful community forum.
Leave a Reply