Kaspersky Security 9.x for Microsoft Exchange Servers

Protection against spam and phishing

April 2, 2024

ID 28871

A key feature of Kaspersky Security is filtering out spam from the mail traffic passing through the Microsoft Exchange server. The Anti-Spam module filters incoming mail before messages reach user mailboxes.

Anti-Spam scans the following types of data:

  • Internal and external traffic via SMTP using anonymous authentication on the server.
  • Messages arriving on the server through anonymous external connections (edge server).
  • Outgoing email messages.

Anti-Spam does not scan the following types of data:

  • Internal corporate mail traffic.
  • External mail traffic arriving on the server during authenticated sessions. Scanning of this mail traffic can be enabled manually using the "Scan messages arriving over trusted connections for spam" setting.
  • Messages arriving from other servers of the Microsoft Exchange mail infrastructure, because connections between servers within the same Microsoft Exchange infrastructure are considered to be trusted. Notably, if messages enter the infrastructure via a server on which Anti-Spam is inactive or not installed, the messages are not scanned for spam on any of the subsequent servers of this infrastructure along the path traveled by the messages. Scanning of such messages can be enabled manually using the "Scan messages arriving over trusted connections for spam" setting.

Anti-Spam scans the message header, contents, attachments, design elements, and other message attributes. While performing the scan, Anti-Spam uses linguistic and heuristic algorithms that involve comparing the message being scanned with sample messages, as well as additional cloud services, such as Kaspersky Security Network.

After filtering, Anti-Spam assigns one of the following statuses to messages:

  • Spam. The message shows signs of spam.
  • Potential spam. The message shows signs of spam but its spam rating is not high enough to mark it as spam.
  • Mass mailing. The message belongs to a mass mailing (usually a news feed or advertisement) that lacks sufficient attributes for a spam verdict.
  • Formal notification. An automatic message, for example, a notification about mail delivery to the recipient.
  • Clean. The message shows no signs of spam.
  • Address denylist. The sender's email address or IP address is on the address denylist.

    When scanning internal mail that is sent over the SMTP protocol, and when spam filtering is enabled for messages that are sent through trusted connections, Anti-Spam sets the status to Clean for the following messages: newsletter messages, technical messages, and messages whose spam rating is not high enough for them to be classified as spam.

You can choose actions to be taken by the application on messages with a particular status. The following operations are available for selection:

  • Allow. The message is delivered to recipients unchanged.
  • Reject. An error message is returned to the sending server (error code 500), and the message is not delivered to the recipient.
  • Delete. The sending server receives a notification that the message has been sent (code 250), but the message is not delivered to the recipient.
  • Add SCL value. The application will assign a rating to messages indicating the probability of spam content inside (SCL, Spam Confidence Level). The SCL rating is a number ranging from 1 to 9. A high SCL rating means a high probability that the message is spam. The SCL rating is calculated by dividing the spam rating of the message by 10. If the resulting value exceeds 9, the SCL rating is assumed to equal 9. The SCL rating of messages is taken into account during subsequent processing of messages by the Microsoft Exchange infrastructure.
  • Add label to message subject. Messages that have been tagged as Spam, Probable spam, Mass mail or Address denylist are marked with the following special tags in the message subject: [!!SPAM], [!!Probable Spam], [!!Mass Mail] or [!!Blacklisted], respectively. You can edit the text of such tags.

The application supports four sensitivity levels of anti-spam scanning:

  • Maximum. This sensitivity level should be used if you receive spam very often. When you select this sensitivity level, the frequency of false positives rises: i.e., useful mail is more often recognized as spam.
  • High. When this sensitivity level is selected, the frequency of false positives decreases (compared to the Maximum level) and the scan speed increases. The High sensitivity level should be used if you receive spam often.
  • Low. When this sensitivity level is selected, the frequency of false positives decreases (compared to the High level) and the scan speed increases. The Low sensitivity level provides an optimum combination of scanning speed and quality.
  • Minimum. This sensitivity level should be used if you receive spam rarely.

By default, the application uses the Low sensitivity level of anti-spam protection. You can increase or decrease the sensitivity level. Depending on the sensitivity level and the spam rating assigned after the scan, a message can be tagged as Spam or Probable spam (see table below).

Threshold values of spam rating at different sensitivity levels of spam scanning

| Sensitivity level | Potential spam | Spam |
|-------------------|----------------|------|
| Maximum           | 60             | 75   |
| High              | 70             | 80   |
| Low               | 80             | 90   |
| Minimum           | 90             | 100  |

In exceptional cases, failures in the operation of the Anti-Spam kernel may significantly increase the time it takes to scan messages for spam. In such cases, Anti-Spam temporarily switches to the restricted scan mode to avoid holding up message delivery. In this mode, some messages can be skipped without being scanned for spam.

In this Help section

  • Enabling and disabling anti-spam protection of a server
  • About anti-phishing scans
  • Enabling and disabling message scanning for phishing
  • Configuring spam and phishing scan settings
  • Configuring additional settings of spam and phishing scans
  • Configuring an increase in the spam rating of messages
  • About additional services, features, and anti-spam technologies
  • Using external anti-spam message scanning services
  • About lists of allowed and denied email addresses
  • Creating an Anti-Spam address allowlist
  • Creating an Anti-Spam address denylist
  • Address Allowlist Record Parameters window
  • Address Denylist Record Parameters window
  • Informing Kaspersky of false alerts returned by Anti-Spam
  • Improving the accuracy of spam detection on Microsoft Exchange 2013 servers
  • About scanning outgoing mail for spam and phishing content
  • Enabling and disabling the scanning of outgoing messages for spam and phishing content
