
Email Filtering and Open Quarantine – The Paradigm Shift

Markus Jakobsson November 17th, 2016 Email Security

In my previous blog post, I provided examples of the growing sophistication – and subsequent success – of several high-visibility email attacks that used social engineering to evade traditional email security filters. This week, I’d like to introduce a new filtering paradigm: open quarantine.

Open quarantine balances the needs of security and usability using a two-phase email filtering process. In the first phase, a risk score is computed for each incoming message. Messages with a risk score corresponding to near-certain malice (e.g., those containing known malware attachments) are blocked, and messages with a risk score corresponding to near-certain benevolence (e.g., messages from trusted parties with no risky contents) are delivered. The remainder of the messages—which comprise approximately 1% of the email traffic volume for typical organizations—are then subjected to additional scrutiny in a second phase.

The power of open quarantine is that undetermined emails are not kept out of the recipient's inbox while they undergo additional scrutiny. Instead, they are neutralized and delivered. Neutralization limits the functionality of the email but allows the recipient to access its non-risky components while the second-phase filtering is performed. Once the second phase concludes, the neutralization is reverted (for safe emails) or a blocking action is carried out.

Open quarantine enables additional security measures that were not practically meaningful in a world where filtering decisions need to be made within milliseconds. For example, consider an email received from a trusted sender, e.g., a party with whom the recipient has communicated extensively in the past. Under normal circumstances, this would be considered safe. However, if the email contains high-risk content, such as apparent wiring instructions, and the sender does not have a DMARC reject policy, then this poses an uncomfortable risk since the email may have been spoofed.

To address this potential threat, the receiver's system can send an automated message to the apparent sender, asking this party to confirm having sent the email by clicking on a link or replying to the message. (Please note, however, that the confirmation request would not be sent to a potential reply-to address.) If an affirmative user response is received, then this is evidence that the email was not spoofed, as an attacker that spoofs emails would not receive the confirmation request.
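The two-phase flow and the sender-confirmation check above, as an added Python sketch that is not the post's or Agari's code; the thresholds, score weights, policy sets and phrase list are assumed stand-ins for real filters and a live DMARC lookup:

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

BLOCK, DELIVER, OPEN_QUARANTINE = "block", "deliver", "open_quarantine"
BLOCK_THRESHOLD, DELIVER_THRESHOLD = 0.95, 0.05  # assumed phase-one cut-offs
# Constructed policy data for this example (not from the post or Agari).
KNOWN_MALWARE = {"invoice.exe"}  # attachment names known to be malicious
TRUSTED_SENDERS = {"alice@partner.example", "teller@bank.example"}  # extensive prior contact
DMARC_REJECT_DOMAINS = {"bank.example"}  # stand-in for a live DMARC policy lookup
HIGH_RISK_PHRASES = ("wiring instructions", "wire transfer", "new account number")

@dataclass
class Message:
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""  # never used as a confirmation target
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)

def sender_of(msg):
    return parseaddr(msg.from_addr)[1].lower()
def has_high_risk_content(msg):
    return any(p in f"{msg.subject} {msg.body}".lower() for p in HIGH_RISK_PHRASES)

def risk_score(msg):
    """Phase one: fast additive score in [0, 1]; the weights are assumed."""
    if any(a.lower() in KNOWN_MALWARE for a in msg.attachments):
        return 1.0  # near-certain malice
    score = 0.0 if sender_of(msg) in TRUSTED_SENDERS else 0.4
    score += 0.3 * has_high_risk_content(msg) + 0.2 * bool(msg.attachments) + 0.1 * bool(msg.links)
    return min(score, 1.0)

def phase_one(msg):
    """Block, deliver, or neutralize-and-deliver while phase two runs."""
    s = risk_score(msg)
    return BLOCK if s >= BLOCK_THRESHOLD else DELIVER if s <= DELIVER_THRESHOLD else OPEN_QUARANTINE

def neutralize(msg):
    """Deliver the text now; attachments and links are held until phase two concludes."""
    return Message(msg.from_addr, msg.subject, msg.body, msg.reply_to)

def confirmation_target(msg):
    """Phase two: trusted sender + high-risk content + no DMARC reject policy -> ask the
    apparent sender (From:, never Reply-To:, which a spoofer controls) to confirm."""
    sender = sender_of(msg)
    if (sender in TRUSTED_SENDERS and has_high_risk_content(msg)
            and sender.rpartition("@")[2] not in DMARC_REJECT_DOMAINS):
        return sender
    return None
```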

Check back in next week, when I discuss the first phase of open quarantine in more detail and review example filters.

