Trevor Hawthorn | November 12, 2015

Phishing Prevention: Six Reasons Spam Filters Can’t Catch Everything

Spam filters can't catch all malicious messagesYour organization uses a spam filter that scans all inbound email messages, and that’s good. But spam filters vary in effectiveness and are only part of the solution to preventing intentionally malicious attacks — especially phishing emails — from succeeding.

Consider, for instance, that in our 2016 State of the Phish survey, nearly 100% of IT executives and professionals reported using email/spam filters, yet 85% still experienced phishing attacks. So, relying on an email filter alone won’t make your organization risk-free.

While spam filters block most of the junk and low-sophistication phishing attempts that less skilled attackers throw your way, no spam filter is perfect. Phishing prevention done by email filtering vendors is continually improving, but attackers are always designing new ways to bypass traditional email content filters — it’s the familiar (and never ending) arms race.

Why does your spam filter sometimes let malicious emails slip through? Here are six reasons why your email filter can’t be your only defense:

1. Attackers send emails from legitimate addresses

Email messages sent from well-known email services or senders will likely pass through spam filters and reach their target’s inbox. Attackers can create throwaway email accounts (which is increasingly easy to automate), and these accounts can be used until caught by the email provider (e.g., Gmail, Hotmail, Yahoo, etc.). Attackers can also compromise an existing email account and use it to send messages to that person’s contacts. A compromised email address will eventually be flagged as a spammer, but until then any email from it could make it into your employees’ inboxes — and deliver a malicious payload.

Think about it: If a well-known account from a well-known email service (e.g., Office365) is compromised, and the first thing the attacker does is send a half-dozen of your users a well-crafted and properly worded email message, do you think a spam filter will block it? I wouldn’t bet on it.

2. Attackers modify message content enough so that a filter doesn’t recognize the message as spam

Spam filters look at the content of a message and compare it to other messages. If an email contains a lot of the same characteristics (e.g., specific phrases, text patterns, etc.) as a spam message, it’s flagged as spam. In the old days, spammers could easily defeat these filters with simple tricks: replacing the letter “l” with the number 1, or the letter “O” with a zero. M0st spam filters catch these n0wadays, but there are s0 many m0re p0ssibi1ities: inserting r.andom punct!uation, intentionally spelling a werd rong, or even substituting Cyrillic characters for Western ones (the Cyrillic character “A” and the Latin “A” are visually identical, but a computer recognizes them as different).

Modern spam filters use Naive Bayes spam filtering to score email message content on the likelihood that the message is spam. As long as the attacker writes the message as normal-sounding correspondence, the message will likely make it through.


Get your copy of our latest State of the Phish Report

Download Now


3. Attackers use spam filter solutions to test their messages

Attackers have access to a host of free tools that analyze their messages for deliverability. They can simply run their message through a tester until it doesn’t raise any red flags. They also sign up for fraudulent cloud accounts (e.g., Office365, Google Apps, etc.) to test their messages using the service’s own enterprise-grade email filters.

Want to see how easy it is to test the “spammyness” of your email? Check out

4. Attackers use recipients’ names, or the names of their friends

Spam filtering solutions learn about who your employees correspond with. A message that looks like it’s addressed directly to a known user or appears to be from someone your users have emailed with before is less likely to be blocked.

Attackers can harvest personal data from public sources — social media, message boards — and from shady data brokers who sell information. Not only is this personalization less likely to trigger an email filter, it’s also nearly 20% more likely to garner a click, making phishing prevention even more difficult.

5. Attackers can send messages from IP addresses that are trusted by most spam filters

All servers on the Internet that send email have an IP address. If you were to look into the SMTP headers of an email message, you could spot the IP address that the message originated from. Spam filters look for the originating IP address to determine if the message can be trusted, and IP addresses that are “transient” are huge red flags. For example, IP addresses used by a Comcast cable modem, AOL dialup, or a university dorm are far less trusted than, say, Gmail’s IP addresses.

As anyone who operates a service that delivers large volumes of email will tell you, the originating IP address of the email messages needs to be “warmed up.” Once the IP address is “warmed up” without any spam incidents, the IP will be more trusted by spam filters worldwide.

From an attacker’s point of view, it is easier to sign up for a fraudulent email service or compromise an account within an organization that has warmed up IP addresses.

6. Signature-based defenses will always be one step behind the attackers

Phishing and spear phishing are very effective (and lucrative) attack vectors, which is why attackers continue to invest in and refine their tools and techniques. They are constantly coming up with new ways to craft creative messages that bypass your first line of defense — email filters — and target unsuspecting users despite phishing prevention done by security teams.

Back in 2002, it was suggested that email filters had become so sophisticated that they might result in the end of spam (everyone has a dream, I guess). While the spam situation has greatly improved, unsolicited email is still an issue. Even though spam filters are better than ever before, it will never be possible to eradicate the problem completely, as spammers and phishers will continue to evolve their tactics. That’s why it’s so important for users to be wary of any emails that don’t feel 100% legitimate, even if they’ve passed through your spam filter and made it to their inboxes.

Bottom Line: Users Must Be More Careful With Messages That Reach Their Inboxes

The simple fact is that knowledgeable attackers put a lot of work into getting their messages delivered. To really stop malicious emails from wreaking havoc on your organization, you need a multidimensional approach that involves the human element: your employees. That way, even if a phishing email gets past your spam filter, the target won’t become the victim — and your systems and data won’t be put in jeopardy.


This article was originally posted on the ThreatSim® blog. ThreatSim was acquired by Wombat Security in October 2015. To learn more about Wombat's simulated attacks and knowledge assessments, including ThreatSim, visit our website. We have developed a continuous approach to security awareness training that helps reduce the risks associated with phishing attacks and other prevalent cybersecurity threats.

Subscribe to Our Blog

2018 State of the Phish Report  Protect your organization from phishing attacks. Download Now
2017 Beyond the Phish Report  Protect your organization from threats including and beyond phishing. Download Now