Why RBLs and Graylists Can’t Stop Modern Email Threats
Email security has always been a technological arms race between bad actors and those who try to thwart them. But now the arms race is accelerating at an unprecedented pace, making many of the actual email security defenses obsolete and requiring entirely new approaches to detecting and eliminating threats.
As exciting as technological advancements and accessibility are, they also allow criminals to become more sophisticated in their attacks. With new technology enabling malicious actors to rapidly evolve their tactics, it’s not surprising that email continues to be the primary vector for attacks, with phishing the most popular method. The advent of generative AI is only exacerbating this problem, with AI-powered phishing seeing a 222% increase in the second half of 2023.
This, in turn, reduces the effectiveness of the tools companies typically rely on for email security, such as real-time blackhole lists (RBLs) and graylists. As malicious actors increasingly conceal the source of an email and legitimate actors become vehicles for malicious traffic, it is clear that a more holistic and nuanced response is needed.
Founder and CEO, Libraesva.
What are RBLs and graylists, and why are they becoming less effective?
When an IP address, sender domain, or web domain is recognized as the source of spam, it is added to a block list. Many methods are used to achieve this, from manual flagging to ‘honeytraps’ designed to lure and detect spammers. Several organizations manage these block lists, and email providers typically subscribe to one or more of them so that spam can be filtered out in real time, before it can do any damage. That is why they are called real-time blackhole lists.
Graylisting works on a similar principle, except that an email from an unknown source is deferred instead of blocked. By temporarily rejecting the message, the receiving server gives legitimate senders, whose mail servers automatically retry, a chance to deliver it on the second attempt, whereas spammers tend to try only once. This blunts large-scale spam attacks without permanently blocking legitimate emails that would otherwise have been false positives.
The problem today is that the link between the source of an email and its risk level has been broken. Where criminals used to bomb servers with fake accounts or exploit vulnerabilities, malicious actors can now camouflage their attacks through seemingly legitimate channels that bypass list-based email security systems. This is often achieved by infiltrating an organization’s email address and using it to send malicious emails.
When an email address is compromised to conduct attacks, the organization or the entire service may end up on a block list. Thousands of users may have their emails marked as spam, causing enormous personal and professional communication problems as collateral damage from spam attacks. As such, RBLs and graylists not only fail to detect criminal activity, they also risk degrading service for legitimate users.
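The mechanics of the two source-based checks described above, and the failure mode of a hijacked mailbox on a shared provider, modelled as an added example (this is not code from the article or from Libraesva; the IPs, domains and delay are constructed placeholders, and a real RBL would be queried over DNS rather than from an in-memory set):

```python
"""Toy model of source-based email filtering: an RBL check plus graylisting.

Constructed example; addresses use documentation ranges and the graylist
delay is arbitrary. It models the decision logic only, not SMTP itself.
"""
from dataclasses import dataclass

GRAYLIST_DELAY = 300  # seconds a new triplet must wait before a retry is accepted

@dataclass(frozen=True)
class Message:
    ip: str         # connecting mail server address
    sender: str     # envelope MAIL FROM
    recipient: str  # envelope RCPT TO

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS-based blocklist lookup name: reversed IPv4 octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

class SourceFilter:
    def __init__(self, listed_ips):
        self.listed = set(listed_ips)   # stand-in for positive RBL answers
        self.first_seen = {}            # graylist: triplet -> time of first attempt

    def decide(self, msg: Message, now: float) -> str:
        # RBL check: reputation of the source IP only, nothing about content.
        if msg.ip in self.listed:
            return "reject"
        # Graylist check: an unknown (ip, sender, recipient) triplet is deferred;
        # a retry after the delay is accepted, which one-shot spammers never make.
        key = (msg.ip, msg.sender, msg.recipient)
        first = self.first_seen.setdefault(key, now)
        return "defer" if now - first < GRAYLIST_DELAY else "accept"

def compromised_account_outcome() -> dict:
    """Mail sent through a hijacked mailbox at a reputable provider passes both
    checks, and listing that provider's IP afterwards rejects every innocent
    user behind the same address (the collateral damage the article describes)."""
    f = SourceFilter(listed_ips={"203.0.113.7"})
    provider_ip = "198.51.100.10"
    hijacked = Message(provider_ip, "alice@partner.example", "bob@corp.example")
    innocent = Message(provider_ip, "carol@partner.example", "bob@corp.example")
    out = {"hijacked_first": f.decide(hijacked, 0.0),
           "hijacked_retry": f.decide(hijacked, 600.0)}
    f.listed.add(provider_ip)  # reactive listing once the abuse is reported
    out["innocent_after_listing"] = f.decide(innocent, 700.0)
    return out
```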
How can AI ensure email security stays one step ahead of cybercriminals?
With source-based filters no longer fit for purpose, how can email security fight back against the rising tide of phishing and email threats? The answer is not to look at a single piece of data, but to gather a holistic data set that provides a broader network-level view of email attacks, their origins, and their vectors. It also means expanding the categories of data themselves to include the content of emails and behavioral analytics.
Of course, processing and analyzing that much data is a huge undertaking, and that’s where AI – specifically large language models (LLMs) and machine learning (ML) – comes into play. LLMs can be trained to gain semantic insight into email content and identify suspicious activity in real time. ML engines, meanwhile, can analyze vast amounts of historical data to develop predictive capabilities that can stop attacks before they start.
Organizations can deploy such capabilities internally, using AI engines to learn normal email usage patterns so that anomalies can be easily detected, with any false flags corrected through human oversight to further refine the model. In fact, AI can provide businesses and even individuals with customized email security services, 24 hours a day and in real time.
Unfortunately, the ‘good guys’ are not the only ones working with AI. Criminals have been quick to leverage generative AI’s ability to quickly create persuasive text, images, and even voices to launch a series of scams for which the public and business community are underprepared. In email security, the eternal arms race continues, with fraudulent emails now able to ‘clone’ the communication style of staff members to deceive colleagues, or spoof business communications to defraud customers.
Real-time predictive capabilities that could counter those of secure email providers may currently be beyond the reach of anyone but state actors, but given the rapid development of AI, it is only a matter of time before such technology becomes widely accessible, and it may even be run locally, outside the control of AI platform holders who might otherwise revoke access.
The future of email security will then be AI versus AI, and providers must quickly increase their technological capabilities on this front and invest in the talent to develop and deploy AI-based solutions. Criminals will do the same, and any organization that still relies on outdated, source-based methods will soon be caught in the crossfire.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc.