Email Filtering: Theory
Problem reported by Douglas Foster - 9/25/2025 at 7:37 AM
Submitted
The purpose of email filtering is to separate wanted messages from unwanted ones. This includes, but is not limited to, messages with malicious intent. This creates a hierarchy of knowledge:
  • Third-party vendors, who process many messages for many domains, are best positioned to detect and block malicious messages, because these are unwanted by everyone.
  • Organization email administrators are best positioned to detect and block messages that are unwanted based on the organization’s purpose and its administrative controls.
  • Individual users are best positioned to detect and report messages that are unwanted based on their personal needs.
Therefore, an important design challenge is how to integrate all three knowledge sources into an integrated defense posture. But initially, this document will focus on the narrow scope of identifying malicious messages.

Malicious messages have these attack vectors:
  1. Author impersonation using a fraudulent From address.
  2. Author impersonation using a deceptive Friendly Name, to exploit the fact that some email client programs, especially on cell phones, suppress the From address to save space.
  3. Content with malicious intent, whether implemented as text, images, web links, or attachments.
Effective defenses against these attack categories have one common element: the need to have a verified From address:
  • A message with a fraudulent From address is inherently an attack.
  • Friendly name defenses involve judgement of whether the asserted Friendly Name is consistent with the actual From address. This effort is difficult, but becomes even more problematic unless the From address has been validated.
  • Content filtering depends on the From address because acceptability is frequently dependent on the author. An easy example is an email containing an invoice. It might be a corporate invoice for a corporate purchase, a personal invoice for a personal purchase, or a fraud. The acceptability of the invoice message is entirely dependent on the identity of the author.
Given this dependency, every email filtering system should be designed around this goal:
  • Every allowed message must be authenticated, and every allowed message must be allowed.
Unfortunately, I have found zero commercial products that attempt to achieve this goal. The apparent excuse is an assumption that mandatory authentication is impossible to achieve. It appears impossible only because it has not been tried. I have tried and succeeded (using customized Declude). Now, I am trying to find a vendor who is willing to embrace this design goal. I have only one lead at present.
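As an added example (not part of the post above, and not the author's Declude configuration), the following Python sketch applies the two author-identity checks the post describes to constructed sample messages: the From domain counts as verified only when an Authentication-Results header (RFC 8601) written by our own receiver reports an aligned DKIM or SPF pass, and a Friendly Name that embeds an address or domain other than the verified From domain is flagged. The authserv-id `mx.example.net`, the domain names and all headers are assumptions constructed for the example; the alignment test is strict (exact domain or subdomain), not DMARC relaxed alignment.

```python
"""Minimal 'authenticate before you allow' filter for one message.

Added example; every hostname and header below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own MTA writes into Authentication-Results.
# A real receiver must also strip any incoming header bearing this id before
# adding its own, or an upstream sender could forge a "pass".
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Something that looks like a domain (or the domain part of an address)
# inside a display name, e.g. 'ceo@corp.example' or 'bank.example Support'.
DOMAIN_LIKE = re.compile(r"(?<![\w-])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![\w-])")


def _from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def _aligned(candidate, domain):
    """Strict alignment: same domain, or one is a subdomain of the other."""
    candidate = candidate.lower()
    return candidate == domain or candidate.endswith("." + domain)


def from_domain_verified(msg):
    """True only if a trusted Authentication-Results header reports a DKIM
    pass whose d= aligns with the From domain, or an SPF pass whose
    smtp.mailfrom domain aligns with it (vector 1 in the post)."""
    domain = _from_domain(msg)
    if not domain:
        return False
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # header not written by us: treat as untrusted
        for clause in results.split(";"):
            clause = clause.strip()
            m = re.match(r"dkim=pass\b.*?\bheader\.d=([^\s;]+)", clause)
            if m and _aligned(m.group(1), domain):
                return True
            m = re.match(r"spf=pass\b.*?\bsmtp\.mailfrom=([^\s;]+)", clause)
            if m and _aligned(m.group(1).rpartition("@")[2], domain):
                return True
    return False


def friendly_name_consistent(msg):
    """False if the display name embeds a domain that does not align with
    the actual From domain (vector 2 in the post)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for token in DOMAIN_LIKE.findall(name):
        if not (_aligned(token, domain) or _aligned(domain, token.lower())):
            return False
    return True


def disposition(raw_message):
    """Apply the post's rule: nothing unauthenticated is allowed; an
    authenticated message with a deceptive Friendly Name is held for review."""
    msg = message_from_string(raw_message)
    if not from_domain_verified(msg):
        return "reject: From domain not authenticated"
    if not friendly_name_consistent(msg):
        return "quarantine: Friendly Name inconsistent with From address"
    return "allow"


# Constructed sample messages (headers only; bodies are irrelevant here).
SAMPLES = {
    "authenticated_invoice": (
        "Authentication-Results: mx.example.net; dkim=pass header.d=vendor.example"
        " header.s=sel1; spf=pass smtp.mailfrom=bounce@vendor.example\n"
        "From: Vendor Billing <billing@vendor.example>\nSubject: Invoice 1042\n\n"),
    "unauthenticated_invoice": (
        "Authentication-Results: mx.example.net; dkim=none;"
        " spf=fail smtp.mailfrom=billing@vendor.example\n"
        "From: Vendor Billing <billing@vendor.example>\nSubject: Invoice 1042\n\n"),
    "deceptive_friendly_name": (
        "Authentication-Results: mx.example.net; dkim=pass header.d=free-mail.example"
        " header.s=k1\n"
        'From: "ceo@corp.example" <attacker@free-mail.example>\nSubject: Urgent\n\n'),
    "forged_upstream_results": (
        "Authentication-Results: attacker-relay.example; dkim=pass header.d=corp.example\n"
        "From: Payroll <payroll@corp.example>\nSubject: Direct deposit change\n\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:28} -> {disposition(raw)}")
```

The fourth sample is the caveat worth remembering when building on Authentication-Results: the header is only as trustworthy as the receiver that wrote it, so anything carrying a foreign authserv-id must be ignored and the message treated as unauthenticated.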
 
