How do we check an e-mail for you?
Every e-mail passes through multi-stage filter and security systems that check that it is not spam and that neither the message nor an attachment contains a virus. Spam detection is based on various technologies:
- Filter lists: Every spam filter works with a so-called blacklist, which contains all spam characteristics - such as sender, IP address or certain keywords. If the spam filter recognizes these, the message is flagged, moved or deleted. The counterpart to the blacklist is the whitelist. Messages from senders on this list are always delivered.
- Check the IP address: The IP address of the sender can be used to determine whether it is an account known for spam. Relying on the sender's address is less reliable, because spammers often falsify it.
- Content filter: Certain keywords are typical for spam. The content is scanned accordingly. If terms such as “Viagra” appear frequently, the message is classified as spam. The catch with this technique is that if special characters or deliberate spelling mistakes are included in the keywords, the filter can be fooled.
All these factors are used to calculate a so-called reputation score for an email. If the total score exceeds a previously set threshold, the e-mail is classified as spam.
Technical description of the filter levels
Filter at SMTP level
Wherever possible, incoming e-mail connections are blocked only after the SMTP command “rcpt to:”. This ensures that the connection and the associated logging work properly.
If the connection appears to originate from an unknown source that does not yet have a good reputation in our systems, it can be temporarily rejected with a 4xx code. In this case, the sending server will queue the email and automatically retry the delivery. After 10 minutes, the connection is accepted on one of the filter nodes and the internal whitelists are adjusted to prevent such a delay in email delivery from occurring again the next time.
This concept is also known as greylisting. However, we use a much more complex method than traditional greylisting systems, as all nodes are fully synchronized and only connections from servers unknown to the whole filtering system are temporarily delayed. Therefore, email delays due to greylisting are rather uncommon and generally do not cause problems for recipients.
If the connection appears to originate from a spam source, it is temporarily rejected with a 4xx code.
In this way, the email is not lost even if the server has been incorrectly listed as a spam source (e.g., on an external block list) or the spam issue has been resolved on the sending server.
A connection can be permanently rejected with a 5xx error code only if it originates from a known, spam-only source or if its behavior is in direct conflict with RFC standards (RFC is the ISO standard on the Internet). If this ever happens to a legitimate sender, the sender will always receive a notification from their email server.
This issue only occurs if there are serious problems with the sending server, which should be resolved on the sender's side.
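The decision taken after “rcpt to:” as described in this section, written out as an added example (not the provider's own code). The class and field names, the sample addresses and the concrete reply codes 451 and 550 (standing in for "4xx" and "5xx") are assumptions; the 10-minute delay and the state shared by all nodes come from the text above.

```python
import time

GREYLIST_DELAY = 600  # seconds; the page gives 10 minutes

class SharedState:
    """Reputation data synchronized across all filter nodes (assumed layout)."""
    def __init__(self):
        self.first_seen = {}    # unknown source IP -> time of first attempt
        self.whitelist = set()  # sources that completed a greylisting retry
        self.suspected = set()  # apparent spam sources (e.g. external block list)
        self.spam_only = set()  # known spam-only sources

class FilterNode:
    def __init__(self, state, clock=time.time):
        self.state, self.clock = state, clock

    def rcpt_to(self, ip, rfc_violation=False):
        """Return the SMTP reply code sent after the RCPT TO command."""
        s = self.state
        if ip in s.spam_only or rfc_violation:
            return 550                      # permanent: sender gets a bounce
        if ip in s.suspected:
            return 451                      # temporary: mail stays queued
        if ip in s.whitelist:
            return 250
        now = self.clock()
        if now - s.first_seen.setdefault(ip, now) < GREYLIST_DELAY:
            return 451                      # greylisted: retry later
        s.whitelist.add(ip)                 # no delay on the next delivery
        del s.first_seen[ip]
        return 250

def demo():
    """Constructed timeline: one unknown sender retrying against two nodes."""
    t = [0]
    state = SharedState()
    node_a = FilterNode(state, clock=lambda: t[0])
    node_b = FilterNode(state, clock=lambda: t[0])
    state.spam_only.add("203.0.113.5")           # constructed sample address
    codes = [node_a.rcpt_to("192.0.2.10")]       # first contact -> 451
    t[0] = 300
    codes.append(node_b.rcpt_to("192.0.2.10"))   # too early, other node -> 451
    t[0] = 601
    codes.append(node_b.rcpt_to("192.0.2.10"))   # delay elapsed -> 250
    t[0] = 700
    codes.append(node_a.rcpt_to("192.0.2.10"))   # whitelisted -> 250
    codes.append(node_a.rcpt_to("203.0.113.5"))  # spam-only -> 550
    return codes
```

Because both nodes read the same state, the retry that lands on a different node still counts toward the 10-minute window, which is why only servers unknown to the whole system are delayed.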
Filter at DATA level
Once the “DATA level” is reached, the system scans the content of the message using a combination of advanced statistical filtering technologies, including:
- Spam fingerprint databases
- Viruses, phishing, and spyware databases
An email that has been recognized as spam is either temporarily (4xx error code) or permanently (5xx error code) rejected, depending on the total score.
Emails that are permanently rejected as spam at this level are moved to quarantine and are available for you to check (except viruses).
If a legitimate e-mail is permanently blocked, the sending server always informs the sender that the e-mail could not be delivered.
Detailed technical diagram of the filter levels
Below, you can see a diagram of the individual checks your e-mail goes through before we deliver it to your mailbox.