While manual dictionaries for detecting phishing mails appeared about a decade ago, heuristics came in later.
The latter is the act of searching for signs that indicate the nature of a message and how it could be malicious. For example a link could mean an unprotected protocol such as http or the presence of the recipient's email within the the link.
The first element for the technology scheme for the new method lives in a cloud service that runs an algorithm that detects ratware or software that automatically generates and sends mass messages.
Email works in the following way: one uses a mail user agent (like Microsoft Outlook or Apple Mail) to create a message and send it out on the Internet. The mail is configured to use specific servers which then use a mail transport agent (like Microsoft Exchange or Postfix) to direct the mail to its destination.
Spammers, Kaspersky said, often used their own personal mail user agents to send spam in order to avoid detection. They varied the headers (like subject and to address) to achieve variety which also made spotting them more difficult.
Given this, the company said the task they faced was to create a tool that could detect traces of ratware based on headers. The first classifier, based on a deep neural network, was trained on millions of spam headings, and it extracted non-trivial features to detect suspicious headers.
A second classifier was the kind of language often used in spam, with emotive language being typical.
Kaspersky said this technology was effective in blocking spam in real time. It was also able to detect new techniques using these two classifiers. A second benefit was that it was automatic.
"We continue to improve the technology and plan to add other classifiers that will analyse more message parameters," the company said. "In its current form, as part of the solutions for protecting mail servers and the Microsoft Office 365 application, the technology has already been used to help increase the detection rate of the most sophisticated phishing emails."