Focus on Security: Anti-spam technology can also produce false positives and false negatives

Source: Internet
Author: User
Tags: sender policy framework

Editor's note: Machines inevitably leave some problems unsolved.

Security products are deployed to improve network security and to block internal and external attacks. They share a common problem: misjudgment, that is, false positives and false negatives, familiar from anti-virus software. In practice there is no absolute security, and security and usability pull against each other. Hardening tends to constrain applications: it can slow them down, reduce Internet access speed, or cause legitimate enterprise email to be misclassified.

Since there is no absolute security, we must take reasonable measures to reduce the probability of false positives and false negatives produced by security products.

An anti-spam device can misjudge in four ways: legitimate inbound mail is classified as spam (an inbound false positive); inbound spam is not detected (an inbound false negative); legitimate outbound mail is classified as spam; and outbound spam is not detected.

Five anti-spam technologies are in common use today: keyword filtering, IP blacklists and whitelists, RBL (real-time blackhole list) lookups, Bayesian filtering, and SPF (Sender Policy Framework). Each has a different focus and different technical characteristics.

Reducing false positives and false negatives requires weighing several factors together. Starting from the technologies above, we can trace where each kind of error comes from, find the crux of the problem, and then target the cause directly.

Besides technical causes, false positives and false negatives also stem from the design of the equipment itself. Addressing both kinds of cause in turn reduces the error rate of an anti-spam device.

Seven technical causes and their solutions

Because each anti-spam technology has different characteristics, a solution has to consider them together.

1. Keyword filtering rules: the keyword definitions are either too strict or incomplete. Users need to take into account how mail is actually used in their own enterprise, including commonly used business terms, and from that summarize and develop a set of keyword rules suited to their organization. A rule should match whole terms rather than substrings, and a single hit should add to a score rather than decide the verdict on its own.

2. IP blacklists and whitelists: a company that sends commercial email for long periods and at high frequency is easily classified as a spam source. The device operator should adjust the sending frequency and time window to the actual situation to minimize the chance of legitimate mail being mistaken for spam, and should whitelist the sending addresses of known business partners.

3. RBL lists: most RBLs are operated by overseas organizations, so it is unavoidable that some legitimate mail will be rejected on the strength of a listing. An RBL is keyed by the sending server's IP address, so a shared or previously abused address can get a company listed. The operator should choose lists from authoritative organizations that are well maintained. To keep the company's own mail from being classified as spam, check its outbound IP addresses (and, where the list supports it, its domain) against the chosen lists in advance and use the list operator's delisting or whitelisting process to demonstrate that the address is legitimate.

4. SPF: SPF counters forged envelope senders (MAIL FROM) by letting a domain publish in DNS which IP addresses may send mail on its behalf. It does not check the From header the user sees, so it must be combined with other checks. Domain owners must keep the SPF record current: an outbound relay that is brought into service but not added to the record causes receiving sites to reject legitimate mail, a self-inflicted false positive.

5. Virus filtering: most anti-spam devices now include a virus scanning engine, and since virus-carrying mail is a type of spam, most devices also allow rules for virus mail. The operator should understand the mail characteristics of mainstream viruses, including attachment file types and malicious code in the body, in order to write reasonable and effective anti-virus mail rules.

6. Limitations of a single technology: each technology has its own limitations, and combining several filtering technologies is the direction in which anti-spam devices are developing. As the main decision maker and operator of enterprise anti-spam, you should select devices that combine multiple filtering technologies to achieve better results.

7. Advances in filtering technology: traditional keyword filtering and RBL lookups both have high false-positive and false-negative rates, and spam-sending techniques are becoming more sophisticated and better concealed. We must keep studying current spamming techniques and adopt newer anti-spam technologies promptly: SPF for sender forgery, image analysis and multi-image recognition for image spam, and reputation scoring for spam relayed through proxies. Devices with leading filtering technology should be preferred.
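As an added example (not code from the original article), the following Python script shows what points 1, 6 and 7 above amount to in practice: whole-phrase keyword rules instead of bare substrings, and several weak signals (local IP lists, keyword hits, an SPF result) added into one score with a quarantine band, so that no single hit decides a message's fate. The weights, thresholds, IP ranges (RFC 5737 documentation addresses) and sample messages are assumptions chosen for illustration.

```python
"""Layered spam scoring: several weak signals combined, with a quarantine band.

This is an added example, not code from the original article.  The rule
weights, the thresholds, the IP ranges (RFC 5737 documentation addresses)
and the sample messages are all assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed local lists.  Whitelist wins: a known partner's relay is never scored.
LOCAL_BLACKLIST = [ip_network("203.0.113.0/24")]
LOCAL_WHITELIST = [ip_network("198.51.100.0/24")]

# The over-strict rule: bare substrings, which also match "freedom" and "window".
NAIVE_KEYWORDS = ["free", "win"]

# The tuned rules: whole phrases bounded by \b, each worth a few points, not a verdict.
KEYWORD_RULES = [
    (re.compile(r"\bfree money\b", re.I), 2),
    (re.compile(r"\byou have won\b", re.I), 2),
]


@dataclass
class Message:
    client_ip: str
    subject: str
    body: str
    spf_result: str = "none"  # result from an SPF check: pass / fail / softfail / none


def naive_keyword_hits(msg):
    """Substring matching; returns the keywords that fired, right or wrong."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return [k for k in NAIVE_KEYWORDS if k in text]


def score(msg):
    """Add up weighted evidence; return (score, reasons)."""
    ip = ip_address(msg.client_ip)
    if any(ip in net for net in LOCAL_WHITELIST):
        return 0, ["whitelisted sender"]
    points, reasons = 0, []
    if any(ip in net for net in LOCAL_BLACKLIST):
        points += 5
        reasons.append("local IP blacklist")
    text = f"{msg.subject}\n{msg.body}"
    for rule, weight in KEYWORD_RULES:
        if rule.search(text):
            points += weight
            reasons.append(f"keyword /{rule.pattern}/")
    if msg.spf_result == "fail":
        points += 3
        reasons.append("SPF fail")
    elif msg.spf_result == "softfail":
        points += 1
        reasons.append("SPF softfail")
    return points, reasons


def verdict(msg, quarantine_at=3, reject_at=7):
    """Three outcomes: deliver, quarantine for human review, or reject outright."""
    points, _ = score(msg)
    if points >= reject_at:
        return "reject"
    if points >= quarantine_at:
        return "quarantine"
    return "deliver"


# Constructed sample traffic (assumption).
LEGIT = Message("192.0.2.10", "Freedom Day meeting",
                "Reserve a window seat; lunch is free for attendees.", "pass")
BORDERLINE = Message("192.0.2.20", "Newsletter",
                     "Our column on free money myths is out.", "fail")
SPAM = Message("203.0.113.9", "You have won!",
               "Claim your free money today.", "fail")
PARTNER = Message("198.51.100.5", "You have won!",
                  "Claim your free money today.", "fail")

if __name__ == "__main__":
    for m in (LEGIT, BORDERLINE, SPAM, PARTNER):
        print(m.subject, naive_keyword_hits(m), score(m), verdict(m))
```

The naive substring rule fires on "Freedom" and "window" in the legitimate invitation, while the scored rules deliver it, quarantine the newsletter whose only evidence is one phrase plus an SPF failure, and reject the message that trips every check. Quarantine rather than deletion is what makes the middle band safe: an operator can release a misjudged message and turn the reason list into a rule adjustment.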

Seven device-related causes and their solutions

False positives and false negatives caused by the device itself stem mainly from design defects in the anti-spam device, generally in the following areas.

1. The mail quarantine mechanism is incomplete or absent: the device must provide quarantine management together with an email or SMS notification mechanism, so that operators learn about quarantined mail promptly and can add manual judgment on top of the device's own filtering. This both prevents legitimate but misjudged mail from being deleted and lets operators derive new filtering rules from what they see.

2. System performance: some devices hit bottlenecks in the operating system or hardware when handling spam, slowing network access or even causing congestion. Enterprises should compare candidates carefully and select devices with a stable system and strong processing performance.

3. Difficulty of the device's rule syntax: devices differ in how filter keywords are written. If the syntax is hard to write, operators struggle with it, and rules that do not conform to the syntax cause false positives and false negatives. Operators should learn the syntax and, where possible, choose devices with a simple one.

4. Device logs: logs are the key to diagnosing and correcting problems. Whether the logs are detailed and searchable matters a great deal, because the operator needs visibility into the processing result for each message, the reason, the score, and any virus detected. Detailed logs make it easier for the vendor and the enterprise operator to revise rules and scoring settings, and they are central to correcting misjudgment.

5. Whether the device has intent analysis: some devices use only static anti-spam techniques and lack dynamic analysis and learning functions such as intent analysis; their false-positive probability is naturally higher.

6. Anti-virus engine: what kind of virus scanning engine the device uses, whether it is the vendor's own or an OEM engine; if OEM, whether it comes from a well-known anti-virus vendor and how promptly its virus database is updated; and whether it is a single engine or several. A strong virus engine improves the detection of virus mail.

7. After-sales service: this includes technical support and the frequency of product updates. Good support resolves problems promptly and accurately, which naturally reduces the false-positive rate. Likewise, frequently updated products keep up with current spam trends and filter better.

Link:

Five common anti-spam technologies

1. Keyword filtering: the most common technique, with the advantage of being simple and fast. If the keyword rules are too strict, however, false positives occur.

2. IP blacklists and whitelists: easy to implement and quick to evaluate. The disadvantage is a high false-positive rate: legitimate commercial mail, such as meeting invitations, is easily classified as spam.

3. RBL (real-time blackhole list): implemented over DNS, by query and zone transfer. It resembles an IP blacklist, except that the list is maintained by a third-party organization and the spam decision relies on that published list, with no local manual additions. Most providers are authoritative international organizations, which lowers the false-positive rate, but their lists cannot effectively reflect domestic spam sources.

4. Bayesian filtering: currently the most effective anti-spam technology, with a degree of intelligence and an adaptive learning function. It weighs all the words in a message statistically rather than relying on a single keyword, and the decision threshold lets the operator strike a balance between false positives and false negatives.

5. SPF (Sender Policy Framework): authenticates the sending server by IP address against the policy that the envelope sender's domain publishes in DNS. It is an efficient measure that effectively counters sender forgery in spam, though it verifies only the envelope sender, not the From header the recipient sees.
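The RBL mechanics described in point 3 above, and in point 3 of the technical causes earlier, as an added example in Python rather than the article's own code: the sending IP's octets are reversed and prefixed to the list's DNS zone, an A record in 127.0.0.0/8 means listed, and NXDOMAIN means not listed. The zone names and answers are constructed, the resolver is a stub so the script runs offline, and a lookup failure is reported as unknown so the mail server can fail open instead of rejecting mail because a list was slow or has been abandoned.

```python
"""DNSBL (RBL) lookup mechanics with a constructed resolver.

Added example, not code from the article.  The zone names rbl.example and
dead.example and the answers in FAKE_ANSWERS are assumptions; real lists
publish their own zone names and document what each 127.0.0.x answer means.
"""
import socket
from ipaddress import IPv4Address, ip_network

LISTED_RANGE = ip_network("127.0.0.0/8")  # the only answers that mean "listed"


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.rbl.example."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed answers standing in for the DNS resolver (assumption).
FAKE_ANSWERS = {
    "7.113.0.203.rbl.example": "127.0.0.2",       # listed; last octet is a reason code
    "7.113.0.203.dead.example": "198.51.100.99",  # an abandoned list whose domain now wildcards
}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname: NXDOMAIN surfaces as gaierror."""
    if name not in FAKE_ANSWERS:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_ANSWERS[name]


def timing_out(name):
    """Resolver that never answers, to exercise the fail-open path."""
    raise socket.timeout("DNS query timed out")


def dnsbl_check(ip, zone, resolve=fake_resolve):
    """Return 'listed', 'clean' or 'unknown'.

    Only a 127.0.0.0/8 answer counts as a listing.  NXDOMAIN means not listed.
    A timeout or a public-address answer is 'unknown' so the caller can fail
    open rather than reject mail on a slow or hijacked list.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return "clean"
    except OSError:          # socket.timeout and other resolver failures
        return "unknown"
    if IPv4Address(answer) in LISTED_RANGE:
        return "listed"
    return "unknown"


if __name__ == "__main__":
    for ip, zone in (("203.0.113.7", "rbl.example"), ("198.51.100.4", "rbl.example"),
                     ("203.0.113.7", "dead.example")):
        print(ip, zone, dnsbl_check(ip, zone))
    # A live query against a real list would pass socket.gethostbyname as resolve.
```

Treating anything outside 127.0.0.0/8 as unknown matters in practice: when a list shuts down and its domain is parked, a wildcard A record would otherwise make every sender look listed and reject all inbound mail at once.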
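The Bayesian filtering of point 4 above, as an added example in Python (not the article's code): a multinomial naive Bayes classifier with Laplace smoothing, trained on a constructed corpus, that scores whole messages rather than single keywords and is retrained when an operator releases a misjudged message from quarantine. The corpus and the test messages are made up for illustration.

```python
"""Naive Bayes spam filter with adaptive retraining.

Added example, not code from the article.  The training corpus and the test
messages are constructed; a real filter is trained on the site's own mail.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z']+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes with Laplace smoothing (alpha)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.words[label].update(tokens)
        self.docs[label] += 1
        self.vocab.update(tokens)

    def _log_likelihood(self, tokens, label):
        total = sum(self.words[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = math.log(self.docs[label] / sum(self.docs.values()))   # class prior
        for t in tokens:
            lp += math.log((self.words[label][t] + self.alpha) / denom)
        return lp

    def spam_probability(self, text):
        tokens = tokenize(text)
        ls = self._log_likelihood(tokens, "spam")
        lh = self._log_likelihood(tokens, "ham")
        return 1.0 / (1.0 + math.exp(lh - ls))   # sigmoid of the log-odds

    def classify(self, text, threshold=0.5):
        """The threshold is the knob that trades false positives for false negatives."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed corpus (assumption).  Note that "free" occurs in both classes.
SPAM_CORPUS = [
    "win free money now click here",
    "free prize claim your winnings now",
    "cheap pills buy now free shipping",
    "you have won a free cruise click now",
]
HAM_CORPUS = [
    "meeting moved to thursday please confirm",
    "free seats in the conference room for the meeting",
    "please review the attached quarterly report",
    "lunch is free for attendees of the thursday meeting",
]


def build_filter():
    f = BayesFilter()
    for text in SPAM_CORPUS:
        f.train(text, "spam")
    for text in HAM_CORPUS:
        f.train(text, "ham")
    return f


def correct_false_positive(f, text):
    """Operator releases a quarantined message; feed it back as ham and re-score it."""
    before = f.spam_probability(text)
    f.train(text, "ham")
    return before, f.spam_probability(text)


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free lunch at the thursday meeting",
                "click here to claim your free prize now"):
        print(f"{f.spam_probability(msg):.3f}", f.classify(msg), "<-", msg)
    print(correct_false_positive(f, "your free conference pass"))
```

"free lunch at the thursday meeting" scores around 0.02 despite containing the word a keyword rule would trip on, because the rest of its words are strongly associated with ham in the corpus. The retraining call shows the adaptive side: "your free conference pass" is first scored as spam (about 0.68), and after one correction the same message scores around 0.21.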
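The SPF check of point 5 above, and the stale-record failure mode from point 4 of the technical causes, as an added example in Python (not the article's code and not a complete RFC 7208 implementation: only the ip4, ip6 and all mechanisms, no DNS and no include, a, mx or redirect). The domains, the documentation-range addresses and the records in SPF_RECORDS are assumptions; in the scenario, example.com added a second outbound relay without updating its record, so a receiver applying the published policy rejects that relay's legitimate mail.

```python
"""Minimal SPF evaluation showing how a stale record rejects legitimate mail.

Added example, not code from the article and not a full RFC 7208
implementation: only ip4/ip6/all mechanisms, no DNS, no include/a/mx/redirect.
The domains, addresses (RFC 5737/3849 documentation ranges) and records are
assumptions.
"""
from ipaddress import ip_address, ip_network

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records (assumption).  example.com brought a second relay,
# 198.51.100.20, into service without adding it to the record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.10 ip4:203.0.113.0/28 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}
CORRECTED_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.20 "
                   "ip4:203.0.113.0/28 ip6:2001:db8::/32 -all",
}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate the envelope sender's record for the connecting IP.

    Returns pass/fail/softfail/neutral/none.  Mechanisms are tested left to
    right and the first match decides; with no match the result is neutral
    (RFC 7208 section 4.7).  SPF covers MAIL FROM only, not the header From.
    """
    record = records.get(mail_from_domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # An IPv4 client never matches an ip6 network and vice versa.
            matched = ip in ip_network(term[4:], strict=False)
        else:
            raise NotImplementedError(f"mechanism not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip, domain in (("198.51.100.10", "example.com"), ("198.51.100.20", "example.com"),
                       ("2001:db8::25", "example.com"), ("192.0.2.1", "example.org"),
                       ("192.0.2.1", "example.net")):
        print(ip, domain, check_spf(ip, domain))
    print("after fixing the record:",
          check_spf("198.51.100.20", "example.com", CORRECTED_RECORDS))
```

The forgotten relay gets "fail" under the published record and "pass" once the record lists it, which is the self-inflicted false positive described under the technical causes. A receiver should also treat "softfail" differently from "fail": the ~all domain is asking for the message to be marked or scored, not rejected.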

 
