Channel: Symantec Connect - Products - Ideas

Symantec Messaging Gateway: Correlation Engine


My company receives countless spam emails over the course of a day that get through our gateway. We receive them in batches of 50-100, each containing the same subject line, but different (probably spoofed) senders/domains. The batches usually come in over the course of 5-6 minutes. I just received 81 titled 'Electric cars offer huge savings.', all to different people in the organization. 5 were caught as spam, 5 fast passed, and 71 went directly to my users. The spam catches were probably due to reputation, as were the fast passes. Using reputation and keyword heuristics, we're pretty much failing to catch these as spam. Using something looking at the subjects, senders, and dates would catch these quite quickly.

Here's my idea for improvement:

An in-memory array would store the subject and sender of the last XX,XXX messages that have come in over the last 5 minutes. It would be a simple array of three items: subject, sending domain. Each incoming email would check for a violation, and then either deliver or deem the email spam. The customer would have an integer they could set in the admin GUI, indicating how many of the same emails they will allow inbound from different domains that have the same subject over a period of 5 minutes before labeling the incoming email spam.

Another thing that would be helpful, looking at this list, would be that if a verdict is 'suspected spam', log that subject line and anything over next 5 minutes would be heavily weighted as spam.  At 11:36, the very first of these emails was labeled 'suspected spam', yet it allowed over 60 more into our email.  I would think the odds of someone sending something with an identical subject to 'suspected spam' should be heavily weighted as suspected spam?

Sorry to rant, because I'm certain I'm over-simplifying a very complex process, but there seems to be a good reliance on content inspection, but maybe not enough on correlation of the incoming emails?  SMG needs to not only look at reputation and each individual email, but also compare the flow of emails over the last X minutes.
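The sliding-window correlation sketched in this idea, written out as an added example. This is not Symantec's code and not anything SMG actually does; the `Message` fields, the class names and the exact threshold semantics (more than N distinct sending domains sharing one subject inside a 5-minute window, or any subject already judged 'suspected spam' in that window) are assumptions made here to illustrate the proposal.

```python
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 300.0  # the 5-minute window the post describes


@dataclass
class Message:
    ts: float            # arrival time in seconds (constructed for the demo)
    subject: str
    sender_domain: str
    verdict: str         # upstream verdict: "clean", "suspected spam" or "spam"


class SubjectCorrelator:
    """Hypothetical in-memory correlator over recent inbound mail."""

    def __init__(self, max_distinct_domains: int, window: float = WINDOW_SECONDS):
        self.max_distinct_domains = max_distinct_domains  # the admin-set integer
        self.window = window
        self.recent = deque()          # (ts, normalised subject, domain), oldest first
        self.flagged = {}              # normalised subject -> time it was 'suspected spam'

    def _expire(self, now: float) -> None:
        """Drop everything older than the window so the store stays bounded."""
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        self.flagged = {s: t for s, t in self.flagged.items() if now - t <= self.window}

    def classify(self, msg: Message) -> str:
        self._expire(msg.ts)
        subject = " ".join(msg.subject.lower().split())  # crude normalisation
        if subject in self.flagged:
            # Rule 2: same subject as a recent 'suspected spam' verdict -> treat as spam.
            decision = "spam"
        else:
            domains = {d for _, s, d in self.recent if s == subject}
            domains.add(msg.sender_domain)
            # Rule 1: one subject from too many distinct sending domains in the window.
            decision = "spam" if len(domains) > self.max_distinct_domains else msg.verdict
        if msg.verdict == "suspected spam":
            self.flagged.setdefault(subject, msg.ts)
        self.recent.append((msg.ts, subject, msg.sender_domain))
        return decision


def simulate(threshold: int, count: int, first_verdict: str = "clean") -> dict:
    """Constructed batch: `count` mails, same subject, distinct domains, 2 s apart."""
    corr = SubjectCorrelator(threshold)
    tally = {"delivered": 0, "suspected spam": 0, "spam": 0}
    for i in range(count):
        m = Message(ts=2.0 * i, subject="Electric cars offer huge savings.",
                    sender_domain=f"sender{i}.example",
                    verdict=first_verdict if i == 0 else "clean")
        decision = corr.classify(m)
        tally[decision if decision in tally else "delivered"] += 1
    return tally
```

With a threshold of 10, the constructed 81-message batch from the post delivers the first ten and flags the remaining 71; if the very first message had already been judged 'suspected spam', rule 2 flags all 80 that follow.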
