“Two-Pass” Techniques Improve Spam Filter Efficiency

Good spam filters are putting increasing emphasis on filtering some of the "obvious" spam at the connection level. They do this before the body of the message has even been received. This is a good thing because it saves server horsepower and network bandwidth, and it reduces backscatter.

Spam filters are increasingly running an initial set of anti-spam rules at the connection level, before the SMTP DATA transaction even starts. If these rules generate a high enough score, the message can be immediately rejected with a 5xx SMTP error code (permanent failure). Only if the filter's unsure will the message make it to the second, content filtering stage.

Examples of the techniques employed at the first stage:

  • Valid HELO or EHLO?
  • Valid PTR or RDNS?
  • Greylisting/tempfailing
  • Throttling (prevents illegal pipelining)
  • IP reputation/blacklists
  • SPF/SenderID/DKIM
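
A sketch of such a first pass, added here as an illustration and not taken from any particular filter: it scores the connection on four of the checks above and answers 5xx, 4xx or "carry on to content filtering" before DATA. The weights, the threshold, the greylist delay, the `conn` dictionary layout and the choice to greylist only senders that tripped a check are all assumptions.

```python
import ipaddress
import re

# Hypothetical weights and thresholds, chosen for illustration only.
WEIGHTS = {"bad_helo": 2.0, "no_fcrdns": 2.5, "dnsbl": 4.0, "spf_fail": 3.0}
REJECT_AT = 5.0        # score at or above this gets a 5xx before DATA
GREYLIST_DELAY = 300   # seconds a new (ip, sender, rcpt) triplet must wait
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def helo_is_valid(helo, client_ip):
    """Accept a multi-label hostname, or an address literal equal to the client IP."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            literal = ipaddress.ip_address(helo[1:-1].removeprefix("IPv6:"))
            return literal == ipaddress.ip_address(client_ip)
        except ValueError:
            return False
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def fcrdns_ok(client_ip, ptr_names, forward):
    """Forward-confirmed rDNS: some PTR name must resolve back to the client IP."""
    return any(client_ip in forward.get(name, ()) for name in ptr_names)

def first_pass(conn, greylist, now):
    """Decide before DATA. Returns (smtp_code, reason); 250 = go on to content filtering.
    DNS answers arrive pre-resolved in `conn` so the example runs offline."""
    checks = {
        "bad_helo": not helo_is_valid(conn["helo"], conn["ip"]),
        "no_fcrdns": not fcrdns_ok(conn["ip"], conn["ptr"], conn["forward"]),
        "dnsbl": conn["dnsbl_listed"],
        "spf_fail": conn["spf"] == "fail",
    }
    hits = [name for name, hit in checks.items() if hit]
    score = sum(WEIGHTS[name] for name in hits)
    if score >= REJECT_AT:
        return 550, "rejected at connection level: " + ",".join(hits)
    if hits:  # suspicious but below the threshold: make the sender retry first
        triplet = (conn["ip"], conn["mail_from"], conn["rcpt_to"])
        first_seen = greylist.setdefault(triplet, now)
        if now - first_seen < GREYLIST_DELAY:
            return 451, "greylisted, retry later"
    return 250, "pass to content filter"

# Constructed sample connection (documentation address ranges and domains).
SAMPLE = {"ip": "192.0.2.10", "helo": "localhost", "ptr": [], "forward": {},
          "dnsbl_listed": True, "spf": "none",
          "mail_from": "a@example.com", "rcpt_to": "b@example.net"}
```
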

Author: Richi Jennings
