Giving Spam a Bad Reputation

Imagine a world where, for every useful message, you also get three advertising, fraudulent or malicious ones in your mailbox. Suddenly the convenience of keeping in touch via email would be, at the very least, time-consuming and frustrating. Yet this is exactly what we would all face if it wasn’t for anti-spam products and technologies: Kaspersky Lab’s statistics show that spam makes up 74.3% of all email traffic.  It includes billions of useless and often dangerous messages, most of which are, fortunately, blocked by special filters before they get to our inboxes. However, we shouldn’t rest on our laurels and Kaspersky Lab, a world-leading vendor of anti-spam solutions, is constantly improving its products and technologies, forever striving to block more spam. One of the company’s recent developments – Reputation Filtering technology – doesn’t just improve detection rates for new outbreaks of unwanted mail, it also helps the company’s spam analysts in their work.

Anti-spam specialists play a crucial role in the fight against spam, but they remain a potential weak link: even the most talented analyst is unable to process every suspicious message immediately and comprehensively. To help with this task, the Reputation Filtering technology within Kaspersky Linux Mail Security takes on part of the job of detecting and blocking unwanted correspondence.

This method of evaluating the reputation of messages is based on information from the cloud security system, delivered to client software using Urgent Detection System 2 (UDS2), which we discussed earlier. In short, UDS2 breaks every suspicious message into fragments which are then used to make special signatures called shingles. The result is sent to the cloud where it is compared with shingles received by Kaspersky Lab specialists during analysis of known spam samples. The reputation of the suspicious message is calculated based on how closely these shingles coincide, and a verdict about whether it is spam or not soon follows.

If it is not immediately possible to give a definitive verdict about the suspicious message, Reputation Filtering comes in. The message is quarantined, and delivery is delayed for a few minutes. In that time, Kaspersky Lab analysts issue database updates that will most probably enable a definitive classification of the sample in question. Crucially, only a few messages are held in quarantine. These usually feature the most complex spam samples.

The technology’s second mode of operation is when spam distributions are blocked automatically based on reputation of messages. This is applicable where there is no information about the message in the database, but reputation evaluation confirms that it is 100% unwanted. For the first time ever, this method makes it possible to block spam without active expert intervention, while keeping false positives to a minimum.
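The flow described above (shingle the message, score it against known spam, then deliver, hold or block) can be modelled in a few lines. This is an added illustration, not Kaspersky Lab's code or the UDS2 algorithm: the shingle width, the hash, the scoring formula and both thresholds are assumptions, and the sample messages are constructed.

```python
import hashlib
import re

K = 4                 # assumed shingle width, in words
BLOCK_AT = 0.8        # assumed score at or above which mail is blocked
QUARANTINE_AT = 0.3   # assumed score at or above which mail is held

def shingles(text, k=K):
    """Hash every run of k consecutive words into a short signature."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    grams = [" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))]
    return {hashlib.sha256(g.encode()).hexdigest()[:16] for g in grams if g}

def reputation(message, spam_db):
    """Largest share of the message's shingles found in one known spam sample."""
    own = shingles(message)
    if not own:
        return 0.0
    return max((len(own & known) / len(own) for known in spam_db), default=0.0)

def verdict(message, spam_db):
    score = reputation(message, spam_db)
    if score >= BLOCK_AT:
        return "block"
    if score >= QUARANTINE_AT:
        return "quarantine"   # hold briefly, re-score after the next update
    return "deliver"

# Constructed sample data, not real spam or real signatures.
SPAM_1 = ("congratulations you have won a free cruise claim your prize "
          "today by replying with your bank details")
NEW_WAVE = ("claim your prize today by replying with your bank details "
            "before the offer expires on friday at noon sharp")
LEGIT = "hi team the quarterly report is attached please review it before thursday"

def demo():
    db = [shingles(SPAM_1)]
    first = verdict(NEW_WAVE, db)      # partial overlap: held
    db.append(shingles(NEW_WAVE))      # analysts publish an update
    second = verdict(NEW_WAVE, db)     # same message after the hold
    return first, second, verdict(LEGIT, db)

if __name__ == "__main__":
    print(demo())
```

The quarantine band is what keeps false positives down in this model: a message that only partly resembles known spam is neither delivered nor dropped until the database has had a chance to catch up.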

In other words, Reputation Filtering significantly improves the quality of spam filtering, being able to block the most sophisticated unwanted messages. Combined with the other technologies within Kaspersky Linux Mail Security, Reputation Filtering ensures users enjoy truly effective protection from unwanted correspondence.
