What is a spam filter and how does it work?

With billions of spam and phishing emails sent worldwide every day, it's important to use proper spam filters.

12-04-2022 - 4 minute read. Posted in: cybercrime.

What is a spam filter and how does it work?

Billions of spam and phishing emails are sent to people around the world every day. Fortunately, some of them don't reach the inbox. This is due to spam filters that monitor and block unwanted emails.

What is a spam filter?

Spam filters are devices, software or cloud-based solutions that monitor emails as they are sent or received. Spam filters identify and block unwanted emails such as spam and phishing emails. Emails sent or received in an email server are checked using a series of algorithms that determine their validity.

Malware filters work in much the same way. Filters can be either software or cloud-based solutions that monitor emails and block malware, such as computer viruses.

General types of spam filters

Gateway spam filters

A gateway spam filter is typically located behind a network's firewall and looks for potential email threats entering the network. Typically, gateway spam filters will be physical hardware located locally on servers. The idea of a gateway spam filter is that an email has to pass through a "security gate" ("gateway") before it reaches the computer's network.

Hosted spam filters

Unlike a gateway spam filter, a hosted spam filter is a cloud-based solution. A hosted spam filter can be active before an email enters the network, like a gateway filter, or it can be used in an organisation's network. These spam filters work in the same way as gateway spam filters and identify potentially harmful emails. An advantage of hosted spam filters is that they can be quickly updated with the latest security software. Hosted spam filters are often offered by third parties offering subscription-based services.

Desktop spam filters

Desktop spam filters must be installed by the user and are typically downloaded locally to their computer. An advantage of desktop spam filters is that they can be configured by the user to include filtering techniques specific to the user's needs.

How do spam filters work?

Spam filters can use different types of filtering methods. The most common are:

Content filtering

Spam filters that use content filtering know the classic features of the header and body of an email. The e-mail header is a piece of code containing information about the e-mail sender, recipient, route to the recipient's inbox, etc.

The spam filter can use the header information to ensure that the sender is legitimate or look for any suspicious "stops" that the email made on its way to the recipient. Anything that might be an indication of spam in the header will be carefully considered by the spam filter before being sent to the recipient's inbox or spam folder.

In addition to the header, the spam filter also checks for suspicious content in the body of the email, such as certain words or images that are often used in spam or phishing.

Rule-based filtering

A rule-based spam filter filters emails based on predetermined criteria. The spam filter contains one or more rule sets that are determined by the user. For example, a rule-based spam filter will block emails from a sender that the user has blocked.

Bayesian filtering

A Bayesian spam filter is a filter that learns your "spam preferences". When you mark emails as spam or phishing, the spam filter notes the characteristics of the email and looks for similar characteristics in incoming emails, filtering out anything that has the same characteristics. A Bayesian spam filter is therefore dynamic and gets better at identifying spam and phishing over time.

The US IT security company CaniPhish has conducted a survey of 3177 organisations' use of spam and malware filters. Many services offer both spam and malware filters. The study shows that the most commonly used filters are:

Most popular spam filters by use:

  • Exchange Online Protection: 47%
  • Proofpoint SEG: 15%
  • Mimecast SEG: 12%
  • Cisco IronPort: 12%
  • Google Mail: 11%
  • Symantec MessageLabs: 3%
  • Trend Micro HES: 3%
  • Barracuda Email Security: 2%
  • Forcepoint Cloud: 1%
  • FireEye ETP Cloud: 1%

Most popular malware filters by use:

  • Exchange Online Protection: 50%
  • Proofpoint SEG: 16%
  • Mimecast SEG: 12%
  • Google Mail: 11%
  • Sophos AV: 10%
  • McAfee AV: 2%
  • Barracuda Email Security: 2%
  • Symantec MessageLabs: 1%
  • Forcepoint Cloud: 1%
  • FireEye MX: 1%
Author Sofie Meyer

About the author

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

Similar posts