This article contains information on Mimecast's Spam Score, how it is calculated using multiple scanning engines, and guidance on configuring spam scanning definitions and policies to optimize email security settings.
Overview
Mimecast's multiple scanning engines examine the content of inbound mail by searching for key phrases and identifiers commonly used by spammers. These scanning checks can use:
- Content matching rules.
- DNS based filtering.
- Checksum based filtering.
- Statistical filtering.
- Machine learning.
All of these are correlated to give a final verdict on the message, the Spam Score. Details of the key indicators which informed that score can be found in the Spam Analysis tab of the message. See Message Analysis Tab.
As malicious actors change their tactics, it is of paramount importance to continually update these algorithms so that they detect harmful content. Our messaging security team continually monitor the threats faced by both our customers and the wider business community, to make the necessary changes to protect your users.
There are over 45 subcategories, consisting of hundreds of different checks that are logically grouped to identify what kind of email a message is. See Email Categorization.
What is the Spam Score Used For?
There is no Spam Score standard, so scores should not be seen as equivalents. For example, if Microsoft gives an email a spam score of 3 and Mimecast gives it 4, it does not necessarily follow that Mimecast found more indicators in the email.
Mimecast’s Spam Scores are designed to coalesce around the spam detection Threshold set in the Spam Scanning Definition, which can be:
- Aggressive: triggers on any score >= 3
- Moderate: triggers on any score >= 5
- Relaxed: triggers on any score >= 7
This gives you a consistent experience of which types of email fall into which category, so that you can choose the setting that best meets your security needs.
See Configuring Spam Scanning Definitions and Policies for more detail.
When considering what spam score setting to use in your spam scanning policies, we recommend starting with a Relaxed level and adjusting it according to the results and feedback from end users. Moderate and Aggressive levels should be applied to selected groups of users that still receive spam, as opposed to applying Aggressive checks to all users. This helps reduce false positives generated in the held queue.
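An added example (not Mimecast code) of the tuning approach above: it compares the three thresholds against a constructed sample of scored messages with end-user feedback, per recipient group. The group names, scores, feedback labels and the `suggest_level` heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds as stated in the article: a level triggers on score >= value.
THRESHOLDS = {"Aggressive": 3, "Moderate": 5, "Relaxed": 7}

# Constructed sample: (recipient group, spam score, user confirmed it as spam).
# Illustrative values only, not Mimecast output.
SAMPLE = [
    ("finance", 8, True), ("finance", 6, True), ("finance", 5, True),
    ("finance", 4, False), ("finance", 3, True), ("finance", 2, False),
    ("engineering", 9, True), ("engineering", 7, True),
    ("engineering", 6, False), ("engineering", 4, False),
    ("engineering", 3, False), ("engineering", 1, False),
]

def evaluate(messages, threshold):
    """Count held messages, false positives and missed spam at a threshold."""
    held = [m for m in messages if m[1] >= threshold]
    false_pos = sum(1 for m in held if not m[2])
    missed = sum(1 for m in messages if m[1] < threshold and m[2])
    return {"held": len(held), "false_positives": false_pos, "missed_spam": missed}

def per_group_report(messages):
    """Return {group: {level: counts}} for every threshold level."""
    groups = defaultdict(list)
    for msg in messages:
        groups[msg[0]].append(msg)
    return {g: {lvl: evaluate(msgs, t) for lvl, t in THRESHOLDS.items()}
            for g, msgs in groups.items()}

def suggest_level(group_report, max_false_positives=0):
    """Heuristic (an assumption of this example): start at Relaxed and tighten
    only while spam is still missed and false positives stay within budget."""
    order = ["Relaxed", "Moderate", "Aggressive"]
    chosen = order[0]
    for stricter in order[1:]:
        if group_report[chosen]["missed_spam"] == 0:
            break  # this group no longer receives spam at the current level
        if group_report[stricter]["false_positives"] > max_false_positives:
            break  # tightening would hold too much legitimate mail
        chosen = stricter
    return chosen

if __name__ == "__main__":
    for group, levels in per_group_report(SAMPLE).items():
        print(group, "->", suggest_level(levels), levels)
```

On this sample only the group that still receives spam at Relaxed is moved to a stricter level, which keeps held-queue false positives away from the other group.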