New spam rules of engagement finally starting to sink in

Having been a spam fighter for over two years, and having watched spam evolve very quickly over the previous six months, it is now sinking in to me that the methodology we used to use to fight spam is no longer valid.  Whereas before we had a single focus as our primary method of fighting spam, that assumption doesn't hold anymore.  Instead, spam fighting companies must resort to a multi-tiered effort in their attempts to fight spam.  I'm not saying that it took us this long to realize this, or that we only recently changed tactics.  Indeed, Microsoft has done a pretty good job at recognizing this.  What I am saying is beware any spam filtering service that promises a simple solution to fighting spam, because a simple solution no longer works.

I was browsing through the competition and came across IronPort's strategy, publicly available on their web page.  I was impressed with the level of complexity that they use.  I have read some of their articles and I like the theory behind their Context Adaptive Scanning Engine.  Rather than having different parts of a system each make a spam determination in isolation and then add up, they combine elements of spamminess that stack on top of one another, or rather, with each other, which increases the spamminess.

For example, if an email contains element A (for 100 points) and element B (for 50 points), A + B will make a message more like spam at 150 points.  However, the way IronPort does it, if a message contains A + B, they might assign it 200 points.  This is a far too simplified way of explaining it (and I don't even know if I am reading it or guessing it right), but considering elements that occur together increases the odds that a message is spammy.  The weakness, as with any spam filtering service, is that if a spammer figures it out and omits certain parts then the filter can fail.  A malformed file attachment name is not enough to consider a message as spam.  Neither is a message that contains only an image, or an SPF failure.  However, what if a single message contained all three?  That changes things considerably.
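As an added illustration (not IronPort's algorithm and not code from this post), the sketch below extracts the three weak signals named above from raw messages and scores them both additively and with a co-occurrence bonus. The weights, bonus, threshold, detection heuristics and sample messages are all assumptions constructed for the example.

```python
from email import message_from_string
from itertools import combinations

# Assumed weights, bonus and threshold, chosen for illustration only.
WEIGHTS = {"bad_attachment_name": 40, "image_only": 30, "spf_fail": 30}
PAIR_BONUS = 25    # extra points for every pair of signals seen together
THRESHOLD = 150    # contextual score at or above this is treated as spam

def signals(raw):
    """Return the set of weak signals present in one raw message."""
    msg = message_from_string(raw)
    found = set()
    # First token of Received-SPF is the result ("pass", "fail", "softfail", ...)
    if "fail" in msg.get("Received-SPF", "").lower().split()[:1]:
        found.add("spf_fail")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    types = [p.get_content_maintype() for p in parts]
    if "image" in types and "text" not in types:
        found.add("image_only")
    for p in parts:
        name = p.get_filename() or ""
        # Assumed heuristic: several dots, or trailing dot/space, counts as malformed
        if name and (name.count(".") > 1 or name != name.strip(" .")):
            found.add("bad_attachment_name")
    return found

def additive_score(found):
    """Each signal judged in isolation, then summed."""
    return sum(WEIGHTS[s] for s in found)

def contextual_score(found):
    """Additive score plus a bonus for every pair of co-occurring signals."""
    pairs = len(list(combinations(sorted(found), 2)))
    return additive_score(found) + PAIR_BONUS * pairs

def is_spam(raw):
    return contextual_score(signals(raw)) >= THRESHOLD

# Constructed sample messages (not real mail).
SAMPLES = {
    "all_three": "Received-SPF: fail (constructed)\n"
                 'Content-Type: image/gif; name="invoice.pdf.gif"\n'
                 'Content-Disposition: attachment; filename="invoice.pdf.gif"\n'
                 "\nR0lGODlhAQABAAAAACw=\n",
    "image_only": "Received-SPF: pass (constructed)\nContent-Type: image/png\n\niVBORw0KGgo=\n",
    "spf_only": "Received-SPF: fail (constructed)\nContent-Type: text/plain\n\nhello\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        s = signals(raw)
        print(label, sorted(s), additive_score(s), contextual_score(s), is_spam(raw))
```

With these assumed numbers, any single signal or pair stays under the threshold, and only the message carrying all three crosses it.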

We, ourselves, have also shifted our tactics in the past year.  I won't go into any details, but suffice it to say we use a multi-tiered approach now.  Our spam filtering service is no longer simple - it is actually quite complex and getting more complicated as we go along.  A simple solution is insufficient, so beware any service that promises simplicity.  Both we and the spammers are smarter and the cat-and-mouse game continues.