Tricks used by spammers to avoid detection

Blocking unwanted emails is akin to a cat-and-mouse game, where spammers are always looking for new tricks that let their emails sneak through spam filters.

Most spam filters use a common set of techniques to filter junk. Below is a list of filtering techniques that you will most likely find in any email filtering software:

  • IP Reputation: Several services on the Internet track the reputation of IP addresses through Real-time Blackhole List (RBL) servers.
  • SPF, DKIM & DMARC: Most filtering solutions use these technologies to filter forgeries.
  • Dynamic IP addresses: Email servers are meant to run on networks with a static IP address. Email filtering software will reject emails originating from dynamic IP addresses.
  • Network best practices: The sending server is expected to follow certain best practices, such as having MX and PTR records in DNS. Using SSL/TLS for the connection is also becoming popular.

CuRE To The Rescue

Filtering software has to stay one step ahead of the tricks and techniques used by spammers. This is where CuRE (Custom Rules Engine) comes in. Consider the following examples, where traditional filtering rules won't work but CuRE can effectively block the messages.

CEO Forgery
This trick involves forging the name of C-level employees. Although it is very easy to detect forgeries in an email address or domain, there is no way to determine whether a display name is forged. A naive user can easily be tricked into opening an unwanted attachment if the message appears to come from the CEO.

Filters that help block such emails.

  • Sender Name Forgery

Tricky Sender
Email clients typically prefer displaying the sender's name over the email address. Spammers exploit this behavior by entering multiple addresses in the FROM header. They also use a fake domain name in the envelope to avoid getting flagged by SPF and DMARC filters.

Filters that help block such emails.

  • Sender Name Forgery
  • Tricky Sender

Hidden Characters
Administrators often specify a set of keywords they consider harmful and block them. Spammers obfuscate those words using a variety of techniques. For example:

  • Using invisible characters - one such example is a Bitcoin scam.
  • Misspelled words - for instance, using the digit 1 (one) instead of a lower-case L, or an @ sign instead of an a.
  • Inserting text by absolute positioning in CSS - using CSS, spammers can place otherwise hidden letters inside a word, which only appear when an HTML client renders the text.

Filters that help block such emails.

  • Non-Printable Characters
  • Hidden HTML Blocks
  • Invisible Text
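On the filtering side, the three tricks above can be countered by normalizing the message text before matching keywords. The following Python example is added here and is not Xeams code or part of the original page; the keyword list, the look-alike table beyond the two substitutions named above (1 for l, @ for a), the hidden-style rule and the sample messages are all constructed assumptions. It recovers a keyword hidden behind zero-width characters, look-alike substitutions or CSS-positioned letters, scanning both the raw text and the text a rendering client would show, so that either direction of the CSS trick is caught.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Constructed keyword list, standing in for the words an administrator would configure.
KEYWORDS = ("bitcoin", "invoice", "wallet")
# Look-alikes named on the page (1 for l, @ for a) plus a few assumed common substitutions.
LOOKALIKES = {"a": "a@4", "e": "e3", "i": "i1!|", "l": "l1|", "o": "o0", "s": "s5$"}
# Assumed inline styles that hide an element or pull it out of the normal text flow.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|position\s*:\s*absolute", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input"}  # never closed, so they must not affect nesting

class TextExtractor(HTMLParser):
    """Collects text nodes; with drop_hidden=True, skips subtrees a client would not show in flow."""
    def __init__(self, drop_hidden):
        super().__init__()
        self.parts, self.drop_hidden, self._depth = [], drop_hidden, 0
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = tag in ("script", "style") or (self.drop_hidden and HIDDEN_STYLE.search(style))
        if tag not in VOID_TAGS and (self._depth or hidden):
            self._depth += 1  # inside a dropped subtree: track nesting until it closes
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._depth:
            self._depth -= 1
    def handle_data(self, data):
        if not self._depth:
            self.parts.append(data)

def visible_text(html, drop_hidden):
    parser = TextExtractor(drop_hidden)
    parser.feed(html)
    parser.close()
    text = unicodedata.normalize("NFKC", "".join(parser.parts))  # fold compatibility forms
    return "".join(ch for ch in text if ch.isprintable()).lower()  # drop zero-width/control chars

def find_keywords(html, keywords=KEYWORDS):
    # Each keyword letter may appear as itself or as any of its look-alikes.
    patterns = {w: re.compile("".join("[%s]" % re.escape(LOOKALIKES.get(c, c)) for c in w)) for w in keywords}
    found = set()
    for drop_hidden in (False, True):  # scan the raw text and the text a rendering client shows
        text = visible_text(html, drop_hidden)
        found.update(w for w in keywords if patterns[w].search(text))
    return sorted(found)

# Constructed sample messages, one per trick described on the page.
SAMPLES = {"zero_width": "Claim your free B\u200bit\u200bcoin today",
           "lookalike": "Your w@11et and 1nv0ice are attached",
           "css_padded": 'Bit<span style="position:absolute;left:-9999px">xyz</span>coin',
           "css_inserted": 'B<span style="position:absolute">it</span>coin'}
```

Every entry in SAMPLES yields a match, while plain text without the keywords yields an empty list.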
Obfuscated Attachments
Several file extensions are universally considered bad. Spammers try to obfuscate them by hiding their payload behind innocent-looking extensions. For example:

  • A *.rtf file disguised as a *.doc file.
  • A *.zip file containing harmful attachments, such as a document named "Invoice.xlsx".
  • MS Office documents containing macros

Filters that help block such emails.

  • Sender Name Forgery

Filter Unwanted Languages
Many organizations never receive business-related emails in foreign languages. Using language filters, you can assign scores to emails containing foreign characters.

Filters that help block such emails.

  • Language Filters

Links Reputation
Xeams can inspect the reputation of HTML links within emails and block them when the links point to known sites that try to lure users.

Filters that help block such emails.

  • External HTML Link Filter