The filtering methods used by Agent Spam have been designed to avoid false positives. Two different levels of filtering are used: the first filters at the SMTP (envelope) level and the second at the DATA (content) level. Agent Spam follows the SMTP RFC standards to ensure that no mail is silently lost: every message is either accepted or rejected with an SMTP reply code, so a sender whose message is rejected is always informed by their own sending server.
SMTP Level filtering
As far as possible, incoming connections are not blocked until after the RCPT TO command has been received. This is done to ensure maximum logging: by that point the client IP, HELO name, envelope sender and recipient are all known and can be recorded. Once a connection is established, the session is checked for compliance with the SMTP RFC standards, for listings on internal and external blacklists, and against several other checks. If the connection comes from an unknown source, the Agent Spam cluster may temporarily reject it with a 4xx code. This type of filtering is referred to as “greylisting”, and all properly configured mail servers will reattempt delivery. If the connection comes from a known spam-only source, or the session violates the RFC standards, the message is permanently rejected with a 5xx code. Should this happen to a legitimate sender, the sender will always receive a bounce notification from their own sending server, since that server is responsible for reporting a permanent rejection.
DATA level filtering
When the DATA stage is reached, the system scans the email contents using a combination of advanced statistical filtering, spam fingerprint databases, and virus, phishing and spyware checks. Based on the combined score from these checks, the mail may be temporarily rejected with a 4xx code or permanently rejected with a 5xx code, depending on the actual score. Mail that is classified as spam at this level is, depending on how your domain is configured, either permanently rejected, stored in the quarantine or delivered with a tag.
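The two levels described above, as a small runnable model. This is an added example and not Agent Spam's code: the blacklists, the content signal weights, the fingerprint set, the thresholds and the policy names ("reject", "quarantine", "tag") are all constructed stand-ins for the real reputation data and scanning engines. The SMTP part enforces command ordering and address syntax, logs everything up to RCPT TO, and only then decides between 250, a 451 stand-in for greylisting, and 550; the DATA part maps a content score to the reply or disposition.

```python
"""Toy model of SMTP-level and DATA-level filtering (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the internal/external blacklists and whitelists.
SPAM_ONLY_IPS = {"203.0.113.7"}        # known spam-only source -> permanent 5xx
KNOWN_GOOD_IPS = {"198.51.100.10"}     # previously verified sender -> no greylisting
BLOCKED_SENDER_DOMAINS = {"spam.example"}

ADDR_RE = re.compile(r"^<([^<>@\s]+@[^<>@\s]+)>$")   # RFC 5321 paths are <...>

# Constructed content signals standing in for the statistical/fingerprint engines.
CONTENT_SIGNALS = {"free money": 6, "click here": 3, "unsubscribe": 1, "urgent": 2}
FINGERPRINTS = {"a3f1c9"}              # pretend hash of a known spam template

def parse_path(arg):
    """Return the address inside an angle-bracketed path ('' for the null
    sender <> used by bounces), or None if the syntax is invalid."""
    arg = arg.strip()
    if arg == "<>":
        return ""
    m = ADDR_RE.match(arg)
    return m.group(1).lower() if m else None

@dataclass
class Session:
    client_ip: str
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpts: list = field(default_factory=list)

    def command(self, line):
        """Return the SMTP reply for one client command."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 5.5.4 Syntax: EHLO hostname"
            self.helo = arg
            return "250 mx.example.net"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Send EHLO first"      # RFC ordering violation
            addr = parse_path(arg[5:]) if arg.upper().startswith("FROM:") else None
            if addr is None:
                return "501 5.1.7 Bad sender address syntax"
            self.mail_from = addr
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL FROM first"
            addr = parse_path(arg[3:]) if arg.upper().startswith("TO:") else None
            if not addr:
                return "501 5.1.3 Bad recipient address syntax"
            # Decision point: IP, HELO, sender and recipient are all logged by now.
            if self.client_ip in SPAM_ONLY_IPS:
                return "550 5.7.1 Client host blocked"
            if self.mail_from.rsplit("@", 1)[-1] in BLOCKED_SENDER_DOMAINS:
                return "550 5.7.1 Sender domain blocked"
            if self.client_ip not in KNOWN_GOOD_IPS:
                return "451 4.7.1 Greylisted, please try again later"
            self.rcpts.append(addr)
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Command not recognized"

def score_content(body, fingerprint):
    """Sum constructed signal weights; a fingerprint hit alone exceeds the
    reject threshold, mirroring a spam-database match being decisive."""
    text = body.lower()
    score = sum(w for phrase, w in CONTENT_SIGNALS.items() if phrase in text)
    if fingerprint in FINGERPRINTS:
        score += 10
    return score

def data_verdict(score, action="reject", tempfail_at=5, reject_at=10):
    """Map a content score to the end-of-DATA reply. `action` is the assumed
    per-domain policy for spam: 'reject' (5xx), 'quarantine' or 'tag'."""
    if score >= reject_at:
        return {"reject": "550 5.7.1 Message rejected as spam",
                "quarantine": "250 2.0.0 Queued (quarantined)",
                "tag": "250 2.0.0 Queued (tagged [SPAM])"}[action]
    if score >= tempfail_at:
        return "451 4.7.1 Please try again later"   # borderline: let the sender retry
    return "250 2.0.0 Queued"
```

The 451 returned for an unknown client is only a placeholder for the greylisting decision; the retry bookkeeping that makes greylisting work is a separate matter. Note that the quarantine and tag dispositions still answer 250, because once the server has accepted the message it must not later generate a bounce of its own.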
Greylisting
Greylisting is a relatively new way to combat spam. A greylisting server responds with a temporary “try again later” (4xx) error to every incoming message the first time it sees that combination of sending server, envelope sender and recipient. The SMTP protocol is designed so that a sending server queues a message and retries delivery numerous times before giving up, so a properly configured mail server will simply send the message again after a short interval. The length of that interval varies between mail servers. Most spam, however, is sent by bulk-mailing software that fires each message once and never retries, often from compromised machines and with forged sender addresses, so the message never arrives a second time.
This means that, for the most part, only legitimate mail originating from a properly configured mail server gets through, because only those servers will send it twice. The main drawback is that greylisting slightly delays legitimate mail on first contact. As stated above, the exact delay depends on the sending server's retry schedule but is typically around 15 minutes. Greylisting implementations generally remember a sender that has retried successfully, so later messages from the same source are not delayed again.
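The greylisting logic just described, as an added example that is not Agent Spam's implementation. It keys on the (client IP, envelope sender, recipient) triplet; the minimum retry delay, the lifetime of an unanswered first attempt and the auto-whitelist lifetime are assumed values, as are the IP addresses and mailboxes in the simulation.

```python
"""Greylisting on the (client IP, sender, recipient) triplet (constructed example)."""
from collections import namedtuple

MIN_RETRY_DELAY = 5 * 60             # retries sooner than this do not count (assumed)
FIRST_ATTEMPT_TTL = 4 * 3600         # a first attempt this old is forgotten (assumed)
AUTO_WHITELIST_TTL = 36 * 24 * 3600  # a verified triplet passes without delay this long (assumed)

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 OK"

Entry = namedtuple("Entry", "first_seen verified_at")

class Greylist:
    def __init__(self):
        self.entries = {}   # triplet -> Entry; a real deployment persists this store

    def check(self, client_ip, sender, recipient, now):
        """Return (smtp_reply, reason) for one RCPT TO seen at time `now` (seconds)."""
        key = (client_ip, sender.lower(), recipient.lower())
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = Entry(first_seen=now, verified_at=None)
            return TEMPFAIL, "new triplet"
        if e.verified_at is not None:
            if now - e.verified_at <= AUTO_WHITELIST_TTL:
                self.entries[key] = Entry(e.first_seen, now)   # refresh the whitelist
                return ACCEPT, "auto-whitelisted"
            self.entries[key] = Entry(now, None)               # expired: start over
            return TEMPFAIL, "whitelist expired"
        age = now - e.first_seen
        if age > FIRST_ATTEMPT_TTL:
            self.entries[key] = Entry(now, None)               # stale: treat as new
            return TEMPFAIL, "first attempt expired"
        if age < MIN_RETRY_DELAY:
            return TEMPFAIL, "retried too soon"                # immediate re-sends still fail
        self.entries[key] = Entry(e.first_seen, now)
        return ACCEPT, "retry after delay; triplet verified"

def simulate():
    """Replay three constructed senders; return {name: seconds until delivery or None}."""
    g = Greylist()
    out = {}
    # A properly configured MTA: first attempt, then a retry 15 minutes later.
    g.check("198.51.100.10", "alice@sender.example", "bob@example.net", 0)
    r = g.check("198.51.100.10", "alice@sender.example", "bob@example.net", 900)
    out["legit_mta"] = 900 if r[0] == ACCEPT else None
    # A bulk mailer that re-sends after three seconds and then gives up.
    g.check("203.0.113.9", "promo@spam.example", "bob@example.net", 0)
    r = g.check("203.0.113.9", "promo@spam.example", "bob@example.net", 3)
    out["bulk_mailer"] = 3 if r[0] == ACCEPT else None
    # A second message from the verified MTA the next day: no delay at all.
    r = g.check("198.51.100.10", "alice@sender.example", "bob@example.net", 86400)
    out["legit_mta_next_day"] = 0 if r[0] == ACCEPT else None
    return out

if __name__ == "__main__":
    print(simulate())
```

The order of the checks matters: an unanswered first attempt must expire before the minimum-delay test is applied, otherwise a sender that first tried days ago would be accepted on its next attempt without ever having retried within a plausible queue lifetime. The minimum delay is what defeats bulk mailers that re-send immediately rather than queueing.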
Behavioral checks – Server Analysis
- Progressive rate limiting
- BATV
- IP analysis
- SMTP conversation verification
- FROM restrictions
- Sender validity
- DNS record validity (MX, A)
- Force domain usage
- SPF
- Sender verification
- E-mail flooding protection
- Dictionary attack detection
- DDoS attack protection
- Botnet spam alarm
- DNS-based blacklisting
- Manual blacklisting
- Manual and automatic whitelisting
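Two of the server checks listed above, dictionary attack detection and progressive rate limiting, as an added example run over constructed log lines. This is not Agent Spam's code and says nothing about how its checks are implemented: the log format, the addresses, the window length, the thresholds and the delay schedule are all assumptions. The idea is the one a practitioner would expect: a client that keeps hitting non-existent mailboxes is walking a name list, so each further RCPT TO from it is answered more slowly, then tempfailed, then refused outright.

```python
"""Dictionary-attack detection with progressive rate limiting (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, client IP, the RCPT command, reply code.
LOG_RE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]*)> (\d{3}) ")

UNKNOWN_WINDOW = 600   # seconds of unknown-recipient history kept per client (assumed)
DICT_THRESHOLD = 5     # unknown recipients within the window => dictionary attack
BLOCK_THRESHOLD = 10   # probing past this => permanent 5xx for the client
BASE_DELAY = 1         # seconds; doubles with each unknown recipient up to MAX_DELAY
MAX_DELAY = 30

def parse_line(line):
    """Return (epoch_seconds, client_ip, recipient, reply_code) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc).timestamp()
    return ts, m.group(2), m.group(3), int(m.group(4))

class RecipientGuard:
    """Tracks 'user unknown' rejections per client IP in a sliding window."""
    def __init__(self):
        self.unknown = defaultdict(deque)

    def record(self, ts, ip, reply):
        """Record one RCPT outcome; return the client's current unknown count."""
        q = self.unknown[ip]
        if reply == 550:          # the 5xx the MX gives for a non-existent mailbox
            q.append(ts)
        while q and ts - q[0] > UNKNOWN_WINDOW:
            q.popleft()
        return len(q)

    def policy(self, ip):
        """Decide how to treat the client's NEXT RCPT TO.
        ('accept', 0): normal; ('slow', d): answer after d seconds (progressive
        rate limiting); ('tempfail', d): 451 plus delay; ('block', 0): 5xx outright."""
        n = len(self.unknown[ip])
        if n == 0:
            return ("accept", 0)
        delay = min(MAX_DELAY, BASE_DELAY * 2 ** (n - 1))
        if n >= BLOCK_THRESHOLD:
            return ("block", 0)
        if n >= DICT_THRESHOLD:
            return ("tempfail", delay)
        return ("slow", delay)

def analyze(lines):
    """Replay log lines in order; return ({ip: policy}, alerts raised)."""
    guard = RecipientGuard()
    alerts, flagged = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, rcpt, code = rec
        n = guard.record(ts, ip, code)
        if n >= DICT_THRESHOLD and ip not in flagged:
            flagged.add(ip)
            alerts.append(f"dictionary attack from {ip}: {n} unknown recipients in {UNKNOWN_WINDOW}s")
    return {ip: guard.policy(ip) for ip in list(guard.unknown)}, alerts

# Constructed sample log: one client walking an alphabetical name list,
# one legitimate sender that mistyped a single recipient.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z 203.0.113.9 RCPT TO:<aaron@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:01Z 203.0.113.9 RCPT TO:<abby@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:01Z 198.51.100.10 RCPT TO:<sales@example.net> 250 2.1.5 OK",
    "2024-03-01T10:00:02Z 203.0.113.9 RCPT TO:<adam@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:03Z 203.0.113.9 RCPT TO:<adrian@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:04Z 203.0.113.9 RCPT TO:<alan@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:05Z 198.51.100.10 RCPT TO:<sale@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:05Z 203.0.113.9 RCPT TO:<alex@example.net> 550 5.1.1 User unknown",
    "2024-03-01T10:00:06Z 203.0.113.9 RCPT TO:<alice@example.net> 550 5.1.1 User unknown",
]

if __name__ == "__main__":
    policies, alerts = analyze(SAMPLE_LOG)
    for ip, p in policies.items():
        print(ip, p)
    for a in alerts:
        print("ALERT", a)
```

Counting only 550 replies, rather than all RCPT commands, is what keeps the legitimate sender with one typo at a one-second slowdown while the probing client is tempfailed with the maximum delay. Answering 451 rather than 550 once the threshold is reached keeps the no-mail-lost property: a genuine sender that somehow trips the check is told to retry, not bounced.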

