Behind the Scenes: Blocking new spam campaigns

Here's a little peek behind the scenes into the details of spam blocking. Last week, I tweeted about a rash of new spam emails we were seeing. There was nothing special about these emails: just the usual prescription pill gibberish. I particularly enjoyed these lines:

"ppikllls forĀ heailth turkey sandwich toward secretly gratifying curse over blotched"
What is noteworthy is how quickly our SpamStopsHere team was able to identify and block them (within minutes), so that our customers never even got the chance to read about "turkey sandwich toward secretly." In order to combat the millions of spam emails that are sent everyday, we use multiple filtering methods that are constantly monitored and updated by our SpamStopsHere techs. 24 hours a day.

One of these methods, a content filter, is what allowed us to block this particular set of spam. Content filters work by pattern matching many different parts of an email, including the headers and body of the message. This is actually what allows us to properly pass legitimate email containing words like "Viagra" while blocking actual spam, making SpamStopsHere incredibly effective for organizations like hospitals that may need to receive email with "spam-like" words. For the above spam emails, this content filter matched 13 different components of the email. Here's a sample of the code that's been edited to be more readable:

(num_newlines >=18) & (num_newlines <=20); num_font_tags = 4;

In this case, the spam had some very specific traits: there would be a big block of 18-20 empty lines (newlines), and the html of the messages contained four <font> tags. Even though the messages were short and obscuring the normal spam keywords - for example "ppikllls" - these characteristics can uniquely identify instances of this spam campaign.

Once the filter is in place, any more spam of the same type is automatically caught and disposed of. In the next Behind the Scenes, we'll take a look at how we discover spam in the first place.