ALTOSPAM: how it works and the technologies used

ALTOSPAM is a real-time online antispam and antivirus system. The service is an external relay through which all your e-mail passes; messages are sorted and then either forwarded to your servers or rejected if they are spam or carry a virus. Your mail server receives e-mail free of spam and viruses.

ALTOSPAM requires no change of architecture, no parameter setting, and no software to download or install on the user's device. The service integrates directly into your existing IT environment. A simple change to a DNS entry is all that is needed so that e-mails are sent to the ALTOSPAM servers and then, after analysis, routed to your e-mail server.

Altospam provides access to an administration interface from which you can control how messages are filtered and what actions are taken when spam or a virus is detected. You can also add your own filters and view your reports and analysis logs.

If your mail server is unavailable for a while, your e-mails are temporarily stored on our ALTOSPAM servers until your service is restored.

ALTOSPAM is a solution that judiciously combines the most recent spam-detection techniques:

How it works

Heuristic analysis

Heuristic analysis is a set of rules expressed as regular expressions. It looks for e-mails whose headers and/or bodies match very specific characteristics known to indicate a strong probability of spam. ALTOSPAM uses a database of customized rules to identify spam from different countries.

Blacklists

RBLs (Realtime Blackhole Lists) or DNSBLs (DNS blacklists) are lists of servers or networks known to assist, host, produce or relay spam, or to provide a service that can be used to support the sending of spam: open SMTP relays, Open Proxy List (OPL). ALTOSPAM uses the main RBLs on the market.

Collaborative spam databases

These databases of spam signatures are used in the same way as virus signature databases. They are maintained by the users of antispam solutions.

DNS records

This check verifies that the IP address of the source server matches its name by means of a reverse DNS lookup (in-addr.arpa). Generally, real mail servers have a fixed IP address that is tied to their domain name. Although a large number of servers have no PTR records in the address zones for which their providers are authoritative, the information is still worth knowing in order to weight the results.
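
The two DNS-based checks described above (blacklist lookup and reverse DNS correlation) can be sketched as follows. This is an added example, not ALTOSPAM's code: the zone name dnsbl.example, the host names and the in-memory PTR and A tables are constructed stand-ins for a real resolver.

```python
import ipaddress

# Constructed sample DNS data standing in for a live resolver (documentation
# address ranges and a made-up DNSBL zone; nothing is queried over the network).
PTR = {"10.2.0.192.in-addr.arpa": ["mail.example.org"],
       "77.113.0.203.in-addr.arpa": ["host77.dynamic.example.net"]}
A = {"mail.example.org": ["192.0.2.10"],
     "host77.dynamic.example.net": ["203.0.113.99"],   # does not map back
     "77.113.0.203.dnsbl.example": ["127.0.0.2"]}      # blacklist entry


def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reversed octets prepended to the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, lookup_a):
    """A listing is signalled by an A record inside 127.0.0.0/8."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = lookup_a(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def reverse_dns_status(ip, lookup_ptr, lookup_a):
    """Return 'no-ptr', 'mismatch' or 'confirmed' (PTR name resolves back to ip)."""
    names = lookup_ptr(ipaddress.ip_address(ip).reverse_pointer)
    if not names:
        return "no-ptr"    # also common for legitimate servers: weight, do not reject
    for name in names:
        if ip in lookup_a(name.rstrip(".").lower()):
            return "confirmed"
    return "mismatch"


def assess(ip, zone="dnsbl.example"):
    """Combine both signals for one connecting address, using the sample tables."""
    lookup_ptr = lambda name: PTR.get(name, [])
    lookup_a = lambda name: A.get(name, [])
    return {"listed": is_listed(ip, zone, lookup_a),
            "rdns": reverse_dns_status(ip, lookup_ptr, lookup_a)}
```

Swapping the two lookup functions for calls to a real resolver leaves the logic unchanged.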

Bayesian filters

A probabilistic method of e-mail filtering that works by learning and is based on the statistical distribution of keywords in messages. This type of algorithm adapts itself by relying on the analysis of e-mails known to be spam or not spam.
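
A minimal version of such a filter, as an added example that is not ALTOSPAM's implementation: a naive Bayes classifier over token presence with add-one smoothing. The class name, the tokenizer and the training messages are constructed for illustration.

```python
import math
import re
from collections import Counter


class BayesFilter:
    """Naive Bayes over token presence, with add-one (Laplace) smoothing."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}                  # messages learned per class
        self.seen = {"spam": Counter(), "ham": Counter()}  # messages containing a token

    @staticmethod
    def tokenize(text):
        return set(re.findall(r"[a-z0-9$']+", text.lower()))

    def learn(self, text, label):
        """Self-adaptation: feed a message already known to be spam or ham."""
        self.docs[label] += 1
        self.seen[label].update(self.tokenize(text))

    def spam_probability(self, text):
        tokens = self.tokenize(text)
        total = self.docs["spam"] + self.docs["ham"]
        log_odds = 0.0
        for label, sign in (("spam", 1), ("ham", -1)):
            n = self.docs[label]
            score = math.log((n + 1) / (total + 2))        # smoothed class prior
            for tok in tokens:                             # smoothed P(token | class)
                score += math.log((self.seen[label][tok] + 1) / (n + 2))
            log_odds += sign * score
        log_odds = max(-700.0, min(700.0, log_odds))       # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training messages (not real mail).
TRAINING = [
    ("Cheap pills online, buy now", "spam"),
    ("Win money now, click this link", "spam"),
    ("Buy cheap watches, limited offer", "spam"),
    ("Meeting moved to Monday, agenda attached", "ham"),
    ("Please review the attached invoice for the project", "ham"),
    ("Lunch on Monday? Bring the project notes", "ham"),
]


def build_filter():
    bayes = BayesFilter()
    for text, label in TRAINING:
        bayes.learn(text, label)
    return bayes
```

A message made only of unseen words scores exactly 0.5 until a similar message has been learned, which is the self-adapting behaviour the paragraph describes.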

White list

A list of sites, hosts, domains or addresses known to be trustworthy. By default very few hosts are considered trustworthy, because their addresses could be spoofed by spammers. However, Altospam uses a self-learning whitelist to speed up the processing of senders that have already been tested and are considered trustworthy. Furthermore, ALTOSPAM allows you to configure your own whitelist.

Transaction history

Previous transactions between the sender and the recipient of a message are used to influence the analysis results. Indeed, individuals who regularly exchange legitimate e-mails have no reason to send each other spam.

URL validation

Analysis of the URLs in the message body aims to identify and filter the e-mail according to the action expected of the user: a click on a promotional link. This analysis is based on the detection of suspicious sites and suspicious URLs (numerical, badly formatted).

SPF and DKIM

SPF stands for Sender Policy Framework. This antispam technique consists of declaring, in a TXT record of a domain, the mail servers authorized to send e-mail for that domain (cf. Sender Policy Framework and DKIM, DomainKeys Identified Mail).

Validation of the sending domain

Although the e-mail address itself is not verified, because some newsletters are sent from accounts that do not exist, we analyze the sending domain to validate that the sender is capable of receiving e-mail.

Analysis of images and PDF

Following the increase in image spam, we integrated an image-analysis system to improve the efficiency of our service. ALTOSPAM analyzes the images contained in an e-mail against various parameters (number, type, size, format and dimensions), then compares these criteria with the characteristics of images used by spammers.

TEERGRUBING

This technique holds the session open on certain connections considered questionable, which significantly reduces the response speed of the SMTP server. Teergrubing puts constraints on the spam server.

GREYLISTING

Greylisting is a very recent antispam technique which consists of temporarily rejecting a message by issuing a temporary rejection code to the sending server. The sending server then sends the mail a second time after a few minutes, an effort that most spam servers do not make! (Cf. Greylisting.)
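
The decision logic behind greylisting, as an added example that is not ALTOSPAM's code. The triplet key, the 300-second minimum delay, the 4-hour retry window, the reply texts and the sample attempts are assumptions chosen for illustration.

```python
import time


class Greylist:
    """Greylisting decision keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, min_delay=300, max_wait=4 * 3600, clock=time.time):
        self.min_delay = min_delay    # assumed: retries sooner than 5 min stay deferred
        self.max_wait = max_wait      # assumed: a retry after 4 h starts over
        self.clock = clock
        self.pending = {}             # triplet -> time of first attempt
        self.passed = set()           # triplets that retried correctly

    def check(self, client_ip, sender, recipient):
        """Return (SMTP reply code, reason) for one delivery attempt."""
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        if key in self.passed:
            return 250, "known triplet"
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now   # first sighting, or the earlier attempt expired
            return 451, "greylisted"
        if now - first < self.min_delay:
            return 451, "retry too soon"
        del self.pending[key]
        self.passed.add(key)
        return 250, "accepted after retry"


def replay(attempts, **settings):
    """Run (timestamp, ip, sender, recipient) attempts through a fresh Greylist."""
    now = [0]
    greylist = Greylist(clock=lambda: now[0], **settings)
    results = []
    for ts, ip, sender, rcpt in attempts:
        now[0] = ts
        results.append(greylist.check(ip, sender, rcpt))
    return results


# Constructed delivery attempts: a retrying server and a sender that never retries.
ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (60,  "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (400, "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (410, "203.0.113.77", "promo@example.net", "bob@example.com"),
    (900, "192.0.2.10",   "alice@example.org", "bob@example.com"),
]
```

Replaying ATTEMPTS shows the legitimate server deferred twice, accepted on its retry after the minimum delay, and passed straight through afterwards, while the sender that never retries stays deferred.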

Turing test

This technique, also called challenge/response, relies on sending an authentication request to the sender of an e-mail (who must reproduce a displayed code) to make sure that the sender physically exists. Used in isolation, this technology has many drawbacks (it transfers the filtering work back to the sender, systematically sends e-mails that are often unsolicited, and generates false positives). When integrated with other technologies and suitably used at the end of the analysis, it makes it possible to release unresolved false positives.