Lifecycle of an Email attack

Here is a graphical representation of an email attack from beginning to end.
*1: A spammer or hacker creates a template to send out hundreds of thousands (possibly millions) of slightly different messages.
*2: The messages are sent by hundreds of SMTP servers worldwide, which might be their own servers or servers which have been hijacked for this purpose.
*3: Those messages are received by millions of people throughout the world, from the US to Europe to Asia.
*4: When people open the message, the message includes headers, a body, possibly an attachment, and often a URL that takes them to a spam site, a phishing site, or possibly a site that will infect them with spyware.
This is the standard path for every email attack – whether a spam, phishing, virus, worm, or other outbreak.
The MailFrontier system detects these types of messages at every part of the attack...
Most email security vendors focus primarily on either reputation or content analysis to identify threats. Both of these are necessary, but are no longer sufficient on their own to stop modern techniques used by spammers and other senders of unwanted mail. The only way to protect yourself from attacks is to track them each step of the way. This is where MailFrontier Cognite comes in. It is the world’s only end-to-end attack monitoring system, with over 17 pending patents.

Using the patented MailFrontier Lexigraphical Distancing method, MailFrontier identifies the original template used to create the thousands of email variations.
The next stage is to track the reputation of the sending server. With our MailFrontier Reputation Service, we track the reputation of sending servers and whether they are known to send good or malicious email. This is a far more advanced system than simply using RBL lists, as these lists assume that servers either only send good mail or only send bad mail, which is not the case. The MailFrontier Reputation Service looks at all mail received by the system for a given server and sets the sending server's reputation based on this information. This helps to avoid false positives in the system, which is a major problem for most other anti-spam services.
Some companies such as IronPort focus primarily on Reputation. While Reputation is valuable, it’s not enough on its own. For example, companies such as Yahoo, Hotmail, and all ISPs send out mostly good mail, but have some users that spam as well. This means that their reputation is mediocre but there is a lot of email coming from them. In fact, many enterprises will send primarily good mail, but if they are ever infected by a virus, they might all be sending infected mail, and again will have a compromised reputation. Using Reputation alone won’t help here.
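The difference between a binary RBL lookup and a graded, volume-based reputation can be shown in a few lines. This is an added example, not MailFrontier's algorithm: the smoothing prior, the thresholds, the IP addresses and the message counts are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SenderStats:
    good: int = 0  # messages from this server judged legitimate
    bad: int = 0   # messages from this server judged junk or infected

def rbl_verdict(ip, blocklist):
    """Binary RBL-style lookup: every message from a listed server is rejected."""
    return "reject" if ip in blocklist else "accept"

def reputation(stats, prior_good=5.0, prior_bad=5.0):
    """Smoothed share of good mail in [0, 1]; the prior (assumed) keeps
    servers with little history near 0.5 instead of at an extreme."""
    total = stats.good + stats.bad + prior_good + prior_bad
    return (stats.good + prior_good) / total

def classify(score, block_below=0.2, trust_above=0.9):
    """Reputation settles only the extremes (thresholds are hypothetical);
    the middle band must be decided by other signals such as content or links."""
    if score >= trust_above:
        return "trusted"
    if score <= block_below:
        return "block"
    return "inconclusive"

# Constructed sample data: (good, bad) counts per sending server.
SAMPLE = {
    "192.0.2.10": SenderStats(20, 9980),         # dedicated spam relay
    "198.51.100.25": SenderStats(85000, 15000),  # large webmail provider
    "203.0.113.7": SenderStats(4000, 10),        # enterprise, normal week
    "203.0.113.99": SenderStats(0, 0),           # never seen before
}
BLOCKLIST = {"192.0.2.10"}  # constructed RBL contents

def evaluate(samples, blocklist):
    """Return {ip: (rbl verdict, rounded score, reputation verdict)}."""
    return {ip: (rbl_verdict(ip, blocklist), round(reputation(s), 3),
                 classify(reputation(s))) for ip, s in samples.items()}

def after_outbreak(stats, infected_messages):
    """Same server after a virus outbreak adds a burst of bad mail."""
    return SenderStats(stats.good, stats.bad + infected_messages)

if __name__ == "__main__":
    for ip, row in evaluate(SAMPLE, BLOCKLIST).items():
        print(ip, *row)
    hit = after_outbreak(SAMPLE["203.0.113.7"], 3000)
    print("203.0.113.7 after outbreak", round(reputation(hit), 3), classify(reputation(hit)))
```

The webmail provider and the freshly infected enterprise both land in the inconclusive band, which is the case where reputation alone cannot decide and the other signals have to.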
The MailFrontierSMART Network has over one million users worldwide and it measures their reaction to the message. Is the message junk or is it legitimate email? No other vendor has a collaborative network of real users, providing real input, in real time. This network helps in rapid response to outbreaks, as the MailFrontier system processes this information in real time.
The MailFrontier Content Evaluation engines then analyze the message for various threats.
Many other systems rely primarily on content evaluation. While this is important, it is incomplete by itself. Email attacks have become very sophisticated in confusing content filters, often completely copying legitimate email, as is the case in phishing attacks, or providing nearly zero content by using image spam. You need more than content analysis.
Lastly, we track the links in the message and compare them with our database of 20 million MailFrontier Contact Points. If the links go to suspicious sites, then that is yet another piece of information we use to judge a message.