How does Abusix process messages?

We receive Spam to our honey traps on dedicated systems at different global locations. This guarantees high reliability, failure over safety, and diversity. The traffic in real-time is monitored, parsed, and analyzed.

Honey Trap Processing

  1. After (spam-) mail has been seen in our honey traps, the message is first evaluated to determine whether it is spam.
  2. Delivery Status Notifications (DSN RFC-3464) and bounce messages are not considered spam, even if the original message hits a trap, and thus we filter out these messages.
  3. We also implement a Hard Fail SPF record for our trap domains. This helps MTAs identify illegitimate traffic and prevents legitimate DSN messages from being misidentified as spam.

Honey Pot Processing

  1. When a new botnet connects to a new honeypot, control messages are sent to verify that the machine is an open relay. Using a growing library of over 1,500 templates, we can identify the control messages and allow them to pass unhindered.
  2. Once the control messages are received, the bots open up their traffic, and we can see large quantities of spam. We trap the spam.
  3. Additional control messages are sent occasionally, and we allow those to reach their end destination.

What is the geographic mix of your traffic?

We see traffic from all over the world, and depending upon the campaign and time frame, we see this mix constantly change.

The best way to answer your question is to ask us to set up a trial stream and look and see if what we provide fits your purpose.

Why and how do you redact recipient addresses?

We redact trap addresses to reduce the probability that they will be revealed.

All outgoing traffic reports to users of our Threat Intelligence do not contain any information about our trap domains, trap addresses, or our receiving MTAs, IP addresses, or any part of our network.

We receive emails containing email addresses that do not belong to our trap network and are usually misdirected spam or spam directed to open relays. In this case, these addresses remain untouched as there is no need to redact the receiving side of the spam mail.

How does Abusix redact recipient addresses?

The redaction process is automatically applied to the entire mail header and body.

Our systems ensure that any redaction we do does not interfere with hash-based filtering mechanisms.

We rewrite the mail as described below: In the example, we use the trap address [email protected]

Step 1 - Matching

If the addresses belong to our trap network, they are marked as “to be redacted.” These addresses are converted into a search pattern consisting of the domain part.

/trap.tld/i → matches the above domain part. This pattern is executed on both header and body of the original mail.

Step 2 - Rewriting

If there is a match, the mechanism starts to redact the matching pattern as follows:

  • Lower-case character → x
  • Upper-case character → X
  • Number → 1
    The remainder of the mail remains untouched.

Example

[email protected] is redacted to [email protected]

Dear Spam_2011 is redacted to Dear Spam_2011

http://example.com/unsubsribe.php?Spam_2011%40trap.TLD is redacted to http://example.com/unsubsribe.php?Spam_2011%40xxx.XXX

Do you detect the language of messages?

Spam message languages are often essential to our customer’s training in spam heuristics filtering. Thus, Abusix classifies content in the message and body using a common language detection library.

Description

Our challenge with language filtering is to deliver as much spam in a language feed to make it valuable to you and achieve a balance between:

  • being too strict on our language tagging, causing false negatives, and
  • ruling out false positives.

In language identification, we:

  1. first normalize the text in the message body, and
  2. then require a minimum amount of clean text in the message to make a language tag decision.

Thus, Abusix needs to identify emails by language, with more content and special symbols.

So, if what we do isn’t 100% perfect for you and you want to tighten or loosen the filter in some manner, please let us know, and we will try to make adjustments accordingly.

JSON Field / Filter

Our JSON contains a Language Field, which may also be used as a filter.

Languages

We detect and filter the following languages:

  • Albanian (sq)
  • Arabic (ar)
  • Armenian (hy)
  • Azerbaijani (az)
  • Belarusian (be)
  • Bengali (bn)
  • Norwegian Bokmål (nb)
  • Bosnian (bs)
  • Bulgarian (bg)
  • Catalan (ca)
  • Chinese (zh)
  • Croatian (hr)
  • Czech (cs)
  • Danish (da)
  • Dutch (nl)
  • English (en)
  • Esperanto (eo)
  • Estonian (et)
  • Finnish (fi)
  • French (fr)
  • Ganda (lg)
  • Georgian (ka)
  • German (de)
  • Greek (el)
  • Gujarati (gu)
  • Hebrew (he)
  • Hindi (hi)
  • Hungarian (hu)
  • Icelandic (is)
  • Indonesian (id)
  • Italian (it)
  • Japanese (ja)
  • Kazakh (kk)
  • Korean (ko)
  • Latvian (lv)
  • Lithuanian (lt)
  • Macedonian (mk)
  • Malay (ms)
  • Marathi (mr)
  • Mongolian (mn)
  • Norwegian Nynorsk (nn)
  • Persian (fa)
  • Polish (pl)
  • Portuguese (pt)
  • Punjabi (pa)
  • Romanian (ro)
  • Russian (ru)
  • Serbian (sr)
  • Shona (sn)
  • Slovak (sk)
  • Slovene (sl)
  • Sotho (st)
  • Spanish (es)
  • Swahili (sw)
  • Swedish (sv)
  • Tamil (ta)
  • Telugu (te)
  • Thai (th)
  • Tsonga (ts)
  • Tswana (tn)
  • Turkish (tr)
  • Ukrainian (uk)
  • Urdu (ur)
  • Vietnamese (vi)
  • Xhosa (xh)
  • Yoruba (yo)
  • Zulu (zu)

Learn more about Abusix Intelligence

Send us a message

Having trouble with your setup or a technical issue? Get in touch with our team of Abusix experts.

Click the chat button at the bottom and send us your questions. Alternatively, you can email us at [email protected]

Also, follow our LinkedIn Channel for updates & subscribe to our YouTube Channel for the latest Abusix how-to-videos.