...

  • Virus scanning based on signatures (Radish uses two scan engines)

  • Links are checked against blacklists and whitelists

  • The entire message is ‘digested’ to a one-way hash and that hash is compared against blacklists of known spam

  • Macros are blocked

  • Attachments are ‘sandboxed’, which means they are uploaded to isolated virtual environments and detonated to see whether they exhibit malicious behaviour (I’m not even kidding)

  • Attachments with specific extensions are blocked (portable executable files, for example)

  • Password-protected archives are blocked. The scanner cannot look inside an encrypted archive, and in practice these are almost always malicious. If you need to 'send' an archive, share it through OneDrive, Nextcloud, Google Drive, Box, Dropbox or similar instead.

  • Bayesian filtering scores the “spam-i-ness” of the message: good content lowers the score and bad content raises it.

  • Pattern matching is used mainly against novel spam campaigns. Here an administrator blacklists messages based on a specific phrase they contain.

  • Anti-spoofing checks

  • “Pen-pal” scoring. The idea is that if Lisa sends Homer email, we can lower the spam score when Homer later sends to Lisa. This doesn’t count for much, though, just in case Homer’s account gets hacked.

  • Our optional Link Lock service can follow a chain of URLs, just in case someone thinks they are being sneaky by putting a URL redirector in front of their target.

So that’s inbound scanning. But did you know we run the same set of filters on outbound email too? Really! We need to make sure our system doesn’t get blacklisted, and we are also very interested in any indicators of compromise on our customers' devices: a customer mailbox that suddenly starts sending spam usually means a hacked account or an infected machine. Everything is scanned and logged, in both directions.

Those are pretty much all of the checks, but I’ll say a bit about corrective actions. When you’re filtering on this many rules, mistakes can happen, so Radish Networks spam filtering uses a scoring system: one failed test will not by itself drop the email. We also set thresholds on that score for each action. Actions include delivering the message as-is; delivering it but adding [SPAM] to the subject line; quarantining it and letting the user decide whether to release it from a daily report; and, of course, throwing the message in the trash. There are a LOT of configuration options, and our new system lets us delegate which options are available to whom.
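As an added example (my own code, not Radish’s and not from the original page): a small Python scoring engine that runs a few of the checks listed above (blocked extensions, password-protected archives, an administrator’s phrase blacklist and pen-pal scoring) over constructed sample messages, then maps the total onto the deliver / tag / quarantine / drop actions just described. The rule weights, thresholds, addresses and sample messages are all made up for the demo. The password-protected-archive check keys on the encryption bit in the zip headers, which is exactly what makes such archives unscannable.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical rule weights and action thresholds for this demo; the page gives no real values.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".vbs"}
BLACKLISTED_PHRASES = ["your mailbox is over quota", "verify your account within 24 hours"]
WEIGHTS = {"blocked_extension": 20.0, "encrypted_archive": 12.0, "phrase": 8.0, "penpal": -2.0}
TAG_THRESHOLD, QUARANTINE_THRESHOLD, DROP_THRESHOLD = 5.0, 10.0, 20.0

def is_password_protected_zip(data: bytes) -> bool:
    """Bit 0 of an entry's general-purpose flags marks it encrypted, i.e. unscannable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def score_message(raw: bytes, penpals: set[tuple[str, str]]) -> tuple[float, list[str]]:
    """Run each check, accumulate a spam score and return (score, reasons).
    penpals holds (sender, recipient) pairs seen in earlier outbound mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0.0, []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            score += WEIGHTS["blocked_extension"]
            reasons.append(f"blocked extension: {name}")
        if name.endswith(".zip") and is_password_protected_zip(part.get_payload(decode=True) or b""):
            score += WEIGHTS["encrypted_archive"]
            reasons.append(f"password-protected archive: {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for phrase in BLACKLISTED_PHRASES:  # admin-added patterns for novel campaigns
        if phrase in text:
            score += WEIGHTS["phrase"]
            reasons.append(f"blacklisted phrase: {phrase!r}")
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    recipient = parseaddr(str(msg["To"] or ""))[1].lower()
    if (recipient, sender) in penpals:  # recipient has written to this sender before
        score += WEIGHTS["penpal"]
        reasons.append("pen-pal: recipient has mailed this sender before")
    return score, reasons

def decide_action(score: float) -> str:
    """Map the score onto an action; one low-weight hit only tags, it takes more to drop."""
    if score >= DROP_THRESHOLD:
        return "drop"
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    if score >= TAG_THRESHOLD:
        return "tag"  # deliver with "[SPAM]" prepended to the subject
    return "deliver"

def build_message(sender, recipient, subject, text, attachments=()) -> bytes:
    """Constructed sample message; attachments are (filename, bytes, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(text)
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()

def make_encrypted_zip() -> bytes:
    """Constructed sample: a plain zip with the encryption flag bit set in every header
    (enough for infolist() to report it; the payload itself is not really encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed payload")
    data = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local header, central dir
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(sig, pos + len(sig))
    return bytes(data)

PENPALS = {("lisa@example.com", "homer@example.com")}  # Lisa has written to Homer before
SAMPLES = {  # constructed messages, not real traffic
    "friendly": build_message("homer@example.com", "lisa@example.com", "Dinner", "See you at 7."),
    "phish": build_message("noreply@example.net", "lisa@example.com", "Action required",
                           "Please verify your account within 24 hours.",
                           [("update.exe", b"MZ\x90\x00", "application", "octet-stream")]),
    "locked_zip": build_message("sales@example.org", "lisa@example.com", "Invoice",
                                "Invoice attached, password is 1234.",
                                [("invoice.zip", make_encrypted_zip(), "application", "zip")]),
}

def classify(name: str) -> str:
    """Score one of the constructed samples and return the action chosen for it."""
    return decide_action(score_message(SAMPLES[name], PENPALS)[0])

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, score_message(SAMPLES[name], PENPALS), "->", classify(name))
```

Running it shows the point of the scoring approach: the executable attachment alone clears the drop threshold, the password-protected zip on its own only reaches quarantine, and the blacklisted phrase by itself would only tag the subject, while the pen-pal bonus nudges a known correspondent below every threshold. A production filter would also identify attachment types from their content (the MZ header of a Windows executable, for instance) rather than trusting the filename extension.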

...