Journey of an email

Mailsphere provides 4 layers of protection. Beginning at the perimeter, on-the-wire analysis is performed to ensure a connection is valid.  An email server or MTA receives many illegitimate connections every day, mainly from spammers looking for an open gateway that they can take advantage of.  This is also the first stage in protecting against domain spoofing, as the customer's domains are compared against a list of authorised IP addresses.

Once a connection has been validated, we analyse any attachments. The attachment filter rejects any invalid attachments such as scripts and executables.  All other attachments are run through spam and malware analysis.  This analysis looks at known issues and uses heuristics to detect zero-day exploits.

If the email is flagged as malicious at this point, the content is destroyed and the sender and recipient are notified, depending on configuration.

Emails are then checked against an organisation's whitelists and user whitelists, which will allow them to circumvent full spam analysis.  Before we allow this route past the complete spam check, we confirm that the source of the email is authorised to send for the sender's email address.

Now that the email and its attachment have been received, Mailsphere runs over 400 different rules across the email.  These rules include checks on:

  • the sender's domain,
  • the sending IP,
  • the properties of the email format (MIME),
  • the history in the SMTP headers,
  • the content and subject line,
  • any URLs listed,
  • additional checks on the attachment,
  • and any HTML found in the email.

As well as these internal rules and checks on internal blacklists, we also work with nearly 20 global partners to identify suspicious sources.  Further, machine learning classifiers are employed to learn about the language found in an organisation's email and identify whether this is legitimate or not.

When an email triggers a rule it receives a score. The score can be positive or negative.  If the total score for the email is above 5.0 then the email is flagged as spam.  When you see a spam report you will see that some rules carry a score of 0.  This is not to say that they have no bearing on the final result of the spam analysis, as all scores are considered in the decision tables.  These decision tables are used to consider the impact of multiple checks being triggered (both positive and negative checks) and whether the final result should be modified as a result of the combination.
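A minimal sketch of the scoring described above, added as an illustration and not Mailsphere's own code. The rule names, scores and decision-table rows are hypothetical, and modelling a decision-table match as a score adjustment is an assumption; only the 5.0 threshold comes from the text.

```python
from typing import NamedTuple

SPAM_THRESHOLD = 5.0  # from the page: a total above 5.0 is flagged as spam

# Hypothetical rule names and scores, constructed for this example.
RULE_SCORES = {
    "SENDER_IP_ON_BLACKLIST": 3.5,
    "URL_SHORTENER_IN_BODY": 1.5,
    "HTML_ONLY_NO_TEXT_PART": 0.75,
    "MIME_MALFORMED_BOUNDARY": 0.0,     # scores 0 alone, still feeds the table
    "REPLY_TO_DIFFERS_FROM_FROM": 0.0,  # scores 0 alone, still feeds the table
    "SENDER_AUTHORISED_FOR_DOMAIN": -2.0,
}

# Hypothetical decision-table rows: (all of these hit, none of these hit, adjustment).
DECISION_TABLE = [
    ({"MIME_MALFORMED_BOUNDARY", "REPLY_TO_DIFFERS_FROM_FROM"}, set(), 2.5),
    ({"URL_SHORTENER_IN_BODY", "HTML_ONLY_NO_TEXT_PART"},
     {"SENDER_AUTHORISED_FOR_DOMAIN"}, 1.5),
]

class Verdict(NamedTuple):
    base: float        # sum of the individual rule scores
    adjustment: float  # change applied by matching decision-table rows
    total: float
    is_spam: bool

def classify(triggered):
    """Score a set of triggered rule names and apply the decision table."""
    triggered = set(triggered)
    unknown = triggered.difference(RULE_SCORES)
    if unknown:
        raise ValueError(f"unknown rules: {sorted(unknown)}")
    base = sum(RULE_SCORES[name] for name in triggered)
    adjustment = sum(
        delta for required, absent, delta in DECISION_TABLE
        if required <= triggered and not (absent & triggered)
    )
    total = base + adjustment
    return Verdict(base, adjustment, total, total > SPAM_THRESHOLD)

if __name__ == "__main__":
    for hits in (
        {"SENDER_IP_ON_BLACKLIST"},
        {"SENDER_IP_ON_BLACKLIST", "MIME_MALFORMED_BOUNDARY",
         "REPLY_TO_DIFFERS_FROM_FROM"},
        {"SENDER_IP_ON_BLACKLIST", "URL_SHORTENER_IN_BODY"},  # exactly 5.0
    ):
        print(sorted(hits), classify(hits))
```

In this sketch the two zero-score rules add nothing to the base sum, yet together they move a 3.5 email over the threshold, and a total of exactly 5.0 is not flagged because the page's condition is "above 5.0".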

Mailsphere runs frequent tests on the effectiveness of these rules and the scores assigned, with updates being applied on a weekly basis as the ongoing battle against spammers continues.

When a false positive is reported, we can typically recommend a way to resolve this in future cases. In many cases the recommendation is for the sender to improve their email configuration, which will improve their ability to successfully deliver email globally.

Notifications of emails held in the quarantine are sent to the intended recipient based on the schedule for that customer organisation.  Each time the schedule runs, it checks for emails quarantined since the last time the notification email was sent.

If a quarantine report was deleted, it is still possible to log in to the portal and release emails via the UI.