An unfiltered, unknown message arrives from a sender, destined for an
account protected by SpamShock.
Email speaks a predictable exchange of commands that
makes up its protocol. A sender that fails to follow the protocol, such as
a simple, portable script built to impersonate a mail server, is rejected.
Deep Protocol Inspection
DPI sends a sequence of commands that a normal mail server
will respond to before accepting a message. Once the sender has
completed this test, it is whitelisted for 48 hours. Failure
to complete this standards-compliance test results in rejection.
Multiple DNS blacklists are used to check the sender against
known sources of spam. If a sender matches on two public lists,
then the message is rejected.
Naive Rule Expressions
Simple rules are checked and scores, based upon statistical
probability, are computed for matching rules. From these, an initial
score is computed. It represents the probability of spam, 0% to 100%.
Email is checked against trending subject patterns. Spam
commonly recycles the same subject pattern. Subjects
that match known bulk surplus are scored higher as spam.
Sender history is checked for the recipient. If a prior
relationship has been established (1 non-spam), then the
message is downrated as non-spam. New senders have no effect.
Adaptive Learning Layer
Raw Score Calculation
Message structure is normalized into tokens and
checked using Bayesian calculations. Score is updated based
upon probability of spam given its structure.
Informative tokens are absorbed by the Bayesian data set, creating
a new data set by which future emails are classified
as spam or non-spam given their structure.
Users may submit an email
as spam for further analysis. This changes the previous data set
by enforcing that all tokens be relearned as spam, which is helpful
for correcting false negatives.
A final rejection occurs if and only if the calculated score
is above the threshold score. Depending upon calculated probability,
an email may be delivered to a "Spam" folder for quarantine
or deleted to conserve storage.
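
The Adaptive Learning Layer steps above (tokenize, score, absorb, relearn on a user report, compare against a threshold) can be sketched as follows. This is an added example, not SpamShock's code: the naive Bayes formula, add-one smoothing, the 0.9 threshold, all names and the sample messages are assumptions made for illustration.

```python
import math
import re
from collections import Counter

def tokenize(text):
    # Normalize the message into a set of lowercase tokens.
    return set(re.findall(r"[a-z0-9']+", text.lower()))

class TokenFilter:
    # Naive Bayes token scorer; smoothing and log-odds combination are assumptions.
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.msgs = {"spam": 0, "ham": 0}

    def learn(self, text, label, sign=1):
        # sign=-1 withdraws a message previously learned under `label`.
        self.msgs[label] += sign
        for tok in tokenize(text):
            self.counts[label][tok] += sign

    def relearn_as_spam(self, text):
        # User report: undo the non-spam absorption, then learn all tokens as spam.
        self.learn(text, "ham", sign=-1)
        self.learn(text, "spam")

    def score(self, text):
        # Prior odds times per-token likelihood ratios, mapped to a 0..1 probability.
        s, h = self.msgs["spam"], self.msgs["ham"]
        log_odds = math.log((s + 1) / (h + 1))
        for tok in tokenize(text):
            p_spam = (self.counts["spam"][tok] + 1) / (s + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (h + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

    def verdict(self, text, threshold=0.9):
        return "reject" if self.score(text) > threshold else "deliver"

# Constructed training corpus and a constructed message the filter misses.
HAM = ["meeting notes attached for monday", "lunch on friday", "march invoice attached"]
SPAM = ["win a free prize now", "free pills cheap now", "claim your free prize"]
MISSED = "invoice attached claim your refund now"

def trained_filter():
    f = TokenFilter()
    for label, corpus in (("ham", HAM), ("spam", SPAM)):
        for m in corpus:
            f.learn(m, label)
    return f
```

With this constructed data, MISSED is first delivered, and absorbing it as non-spam lowers its score further. After relearn_as_spam the same message scores above the threshold, while the legitimate samples are still delivered.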