A
Abuse Reporting Format (ARF)
A standardized way for email providers to report spam complaints back to the original sender. It takes the confusing technical data of a complaint and packages it into a readable report so the sender knows exactly which message caused a problem.
Halon Pro Tip
Automating ARF processing is critical. If you ignore these reports, providers assume you condone spam and will lower your reputation score.
Advanced Persistent Threat (APT)
A complex, long-term cyberattack where an intruder enters a network and stays undetected for a long time. In email, this often starts with a very convincing spear-phishing email to steal login credentials.
Halon Pro Tip
Standard spam filters often miss APTs. You need security layers that analyze behavioral patterns over time, not just single email contents.
Anti-Spam Filter
Software used by email providers to screen incoming mail. It looks for specific keywords, suspicious links, or bad sender reputations to decide if an email belongs in the Inbox or the Junk folder.
Halon Pro Tip
Don't just rely on content. Modern anti-spam relies heavily on sender reputation, intent and user signals. If your infrastructure is solid, your content gets more leeway.
B
Backscatter
A type of spam caused when a server accepts an email, realizes the recipient doesn't exist, and then sends a "bounce message" back to a fake sender address (often an innocent victim). This floods the innocent victim with error messages they didn't trigger.
Halon Pro Tip
Configure your MTA to reject invalid recipients during the SMTP conversation (at the door) rather than accepting and bouncing later. Use Bounce Address Tag Validation (BATV) to sort out valid/invalid bounces.
Bayesian Filtering
A smart filtering technique that "learns" from training data supplied by users. If you mark an email as spam, the filter analyzes the words in it and calculates the probability that future emails with similar words are also spam.
Halon Pro Tip
Because Bayesian filters are learning constantly, senders must keep their content "clean" and consistent to avoid accidentally teaching the filter to block them.
Blocklist (DNSBL)
A real-time list of IP addresses or domains that have been flagged for sending spam. If your IP is on one of these lists, email providers will block your messages before they even reach the user.
Halon Pro Tip
Monitoring lists like Spamhaus is mandatory. If you land on one, pause sending immediately and fix the root cause (like a compromised user account) before appealing.
Botnet
A network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Spammers use botnets to send massive amounts of junk email to hide their own location.
Halon Pro Tip
Botnet traffic usually has unique "fingerprints" in the connection speed and volume. Advanced MTAs can detect and drop these connections instantly.
Brute Force Attack
A trial-and-error method used by hackers to decode encrypted data or guess passwords. They use software to try millions of password combinations in seconds until they break into an email account.
Halon Pro Tip
Implementing rate-limiting on your login pages and SMTP authentication endpoints stops these attacks cold.
Business Email Compromise (BEC)
A scam where a criminal compromises legitimate business email accounts to conduct unauthorized transfers of funds. It often involves impersonating a CEO or vendor requesting an urgent wire transfer.
Halon Pro Tip
BEC emails rarely contain malware/links, making them hard to catch. DMARC enforcement and a proper Advanced Threat Protection (ATP) solution are your best defense against the domain impersonation used in BEC.
C
Click Farm
A large group of low-paid workers hired to click on links in spam emails or browse websites to artificially inflate traffic numbers. This ruins analytics and can trigger spam filters if they interact with "honeypot" links.
Halon Pro Tip
Sudden spikes in click rates (CTR) aren't always good news. If your CTR jumps to 100%, you are likely being targeted by a bot or click farm.
Content Filtering
A system that scans the text and images inside an email. It blocks messages containing words like "Viagra," "Free Money," or suspicious code that signals a virus or spam.
Halon Pro Tip
Over-aggressive content filtering creates false positives. Focus on intent and reputation rather than blocking specific harmless words.
Credential Harvesting
A technique where attackers send emails directing users to a fake login page (like a fake Microsoft 365 screen). When the user types their password, the attacker steals it.
Halon Pro Tip
2-Factor Authentication (2FA) renders credential harvesting useless. Even if they get the password, they can't access the account without the second token.
D
Dictionary Attack
A method of spamming where the sender guesses email addresses by combining common names (like john@, jane@, info@) at a specific domain, hoping some of them are real.
Halon Pro Tip
A high number of "User Unknown" errors from a single IP is a clear sign of a dictionary attack. Block that IP immediately.
Directory Harvest Attack (DHA)
Similar to a dictionary attack, but the goal isn't to send spam immediately. The goal is to figure out which email addresses are valid to build a list for future spamming.
Halon Pro Tip
Never configure your server to "Verify" recipients (VRFY command) for strangers. It hands over your user list to attackers on a silver platter.
Distributed Denial of Service (DDoS)
An attack where thousands of infected computers flood a specific server with traffic, overwhelming it so it crashes and cannot process legitimate email.
Halon Pro Tip
Endlessly scaling your servers to absorb an attack gets expensive fast. The smartest defense is using an intelligent MTA that instantly drops connections from IPs with poor or no sender reputation, saving your resources for legitimate email.
F
False Negative
When a spam email or virus slips past the security filters and lands in the user's Inbox. It is a failure of the filter to detect a threat.
Halon Pro Tip
Zero false negatives are impossible without blocking real mail. The goal is a balance: no false positives and the lowest possible number of false negatives.
False Positive
When a legitimate, safe email is mistakenly marked as spam and sent to the Junk folder. This is a nightmare for marketers and business communications.
Halon Pro Tip
Overly rigid filters that only look for "spammy keywords" cause the most false positives. To avoid blocking important business mail, modern inbound filters prioritize the sender's historical reputation and behavior over simple text matching.
Feedback Loop (FBL)
A service provided by ISPs (like Yahoo or Outlook) that notifies a sender when a recipient marks an email as spam. This allows the sender to unsubscribe that person immediately.
Halon Pro Tip
You must process FBLs daily. If you keep emailing people who marked you as spam, ISPs will block your entire domain.
G
Greylisting
A method of defending against spam where the receiving server temporarily rejects a new email, telling the sender to "try again later." Real servers will retry; spam bots usually give up and move on.
Halon Pro Tip
While effective against bots, greylisting delays email delivery. Modern systems use it selectively, only for suspicious, unknown IPs.
H
Header Analysis
Examining the hidden technical data at the top of an email (the header). This reveals the true path the email took, the IP address of the sender, and authentication results.
Halon Pro Tip
Spammers can fake the "From" name, but they can rarely fake the "Received" headers. This is the first place security pros look for truth.
Hijacked Account
A legitimate email account that has been stolen by a hacker. The hacker uses the good reputation of the account to send thousands of spam emails before the owner notices.
Halon Pro Tip
If a standard user suddenly sends 500 emails in 5 minutes, automate a "circuit breaker" to freeze the account instantly.
Honeypot
A fake email address or system set up intentionally by security teams to attract spammers. If anyone sends an email to a honeypot address, they are immediately identified as a spammer.
Halon Pro Tip
Never buy email lists. Purchased lists are often "poisoned" with honeypots specifically to catch lazy marketers.
I
Image Spam
Spam where the message is embedded inside an image file rather than typed as text. Spammers do this to trick text-based filters that can't "read" the picture.
Halon Pro Tip
Modern filters use OCR (Optical Character Recognition) to read text inside images, making this old spam tactic largely ineffective today.
IP Reputation
A score assigned to an IP address based on its history. If an IP sends good mail, the score goes up. If it sends spam or hits traps, the score goes down, causing blocks.
Halon Pro Tip
New IPs have "neutral" reputation, which is often treated as "bad." You must "warm up" IPs slowly to build trust.
J
Joe Job
A spam attack where the spammer spoofs the sender address to make it look like you sent the spam. You get flooded with angry replies and bounce messages, even though you did nothing.
Halon Pro Tip
End-users won't check your security settings, but major mail providers will. Implementing a strict DMARC "reject" policy tells receiving servers to drop the forged emails entirely, stopping the flood of bounce-backs and angry complaints at the source.
Junk Mail
Unsolicited email that is annoying but not necessarily malicious. Unlike phishing (which tries to steal), junk mail is usually just trying to sell low-quality products.
Halon Pro Tip
The line between "Marketing" and "Junk" is consent. If they didn't ask for it, it's junk—even if the product is real.
K
Keylogger
A type of malware often delivered via email attachments. Once installed, it records every keystroke the user makes, allowing hackers to capture passwords and credit card numbers.
Halon Pro Tip
Never allow executable files (e.g. .exe) to pass through your email gateway. There is almost no legitimate business reason to email a program file.
M
Malware
Short for "Malicious Software." A broad term for viruses, worms, and trojans sent via email designed to damage a computer or steal data.
Halon Pro Tip
Malware often hides in "Archives" like ZIP or RAR files. Scanners must be able to "unpack" these files to check the contents before delivery.
Man-in-the-Middle (MitM)
An attack where a hacker secretly intercepts and relays messages between two parties who believe they are communicating directly. The hacker can read or alter the emails in transit.
Halon Pro Tip
While TLS encryption protects the message in transit, an attacker who hijacks the route can still intercept it. The ultimate defense against tampering is DKIM - it adds a digital signature to the email content itself. If the middleman changes a single word, the seal breaks and the email is flagged.
O
Open Relay
An email server that is poorly configured and allows anyone on the internet to send email through it. Spammers constantly scan for these to send their junk for free.
Halon Pro Tip
Running an open relay gets you blacklisted globally in minutes. Restrict relay access strictly to authenticated users or specific internal IPs.
P
Phishing
A fraudulent attempt to obtain sensitive information (like usernames or banking details) by disguising as a trustworthy entity, such as a bank or Google, in an email.
Halon Pro Tip
Checking the "From" address isn't enough anymore. Train users to pause and look for broader red flags: artificial urgency, fear tactics, demands to click a link, impersonal greetings, or unexpected typos and placeholders.
R
Ransomware
A vicious type of malware that encrypts the victim's files, locking them out of their own computer. The attacker demands a payment (ransom) to unlock the files.
Halon Pro Tip
Email is the #1 delivery vehicle for ransomware. Robust email filtering is cheaper than paying a Bitcoin ransom.
Real-time Blackhole List (RBL)
A service that maintains a list of IP addresses known to send spam. Email servers query the RBL in real-time to decide whether to accept or reject an incoming connection.
Halon Pro Tip
Don't use just one RBL. Use a weighted mix of several reputable lists to ensure you don't block legitimate mail due to one list's error.
Rootkit
A collection of malicious software designed to give a hacker administrator-level access to a computer or network while hiding its presence from antivirus software.
Halon Pro Tip
Once a rootkit is installed via a malicious email link, it is very hard to detect. Prevention at the email gateway level is the only reliable defense.
S
Script Kiddie
A derogatory term for an unskilled hacker who uses pre-written scripts or programs developed by others to attack computer systems or send spam, lacking the knowledge to do it themselves.
Halon Pro Tip
Even unskilled attacks can cause damage. Your infrastructure must be automated to handle "noise" attacks without waking up your engineering team.
Smishing
"SMS Phishing." Similar to email phishing, but the fraudulent links are sent via text message. It is increasingly common as email filters get stronger.
Halon Pro Tip
Many email marketing platforms now support SMS. Ensure your brand reputation extends to mobile by using verified sender IDs.
Snowshoe Spam
A strategy where spammers spread their spam output across many different IP addresses and domains (like a snowshoe spreads weight). This keeps the volume per IP low to avoid detection.
Halon Pro Tip
Snowshoeing defeats simple rate limits. You need reputation systems that look at the content fingerprint across multiple IPs to catch this.
Spam Trap
An email address that is not used by a real person but is monitored by ISPs. If you send email to it, the ISP knows you have bad list hygiene and may block you.
Halon Pro Tip
"Pristine" traps are hidden on websites; "Recycled" traps are old emails you should have removed. Prune your inactive subscribers to avoid recycled traps.
Spear Phishing
A highly targeted phishing attack aimed at a specific individual or organization. Unlike generic bulk phishing, these emails use personal details to appear very convincing.
Halon Pro Tip
Spear phishing often spoofs internal executives. Configure your email gateway to flag emails with external domains that try to use internal display names.
Spoofing
Forging the "header" of an email so the message appears to have originated from someone or somewhere other than the actual source.
Halon Pro Tip
Without SPF, DKIM, and DMARC, your domain is wide open to spoofing. These protocols are the digital ID cards of the email world.
Spyware
Software that secretly installs itself on a computer to monitor user behavior and gather data (like browsing habits) without consent.
Halon Pro Tip
Spyware often rides in on "free" software downloads linked in spam emails. Block downloads of executable files at the gateway.
T
Trojan Horse
A malicious program that misleads users of its true intent. It looks like a legitimate file (like a tax invoice or game), but when opened, it releases malware.
Halon Pro Tip
Advanced Threat Protection (ATP) "detonates" (opens) these files in a safe sandbox environment to see if they explode before letting them reach the user.
U
Unsubscribe Bombing
An attack where a user's email is signed up for thousands of newsletters at once. The inbox is flooded with "Confirmation" emails, often to hide a transaction alert from a bank.
Halon Pro Tip
If a user complains of an email flood, tell them to check their bank accounts immediately. The spam is a smokescreen.
URL Shortener Abuse
Spammers use services like bit.ly to hide the true destination of a malicious link. They hope the innocent-looking short link will bypass filters.
Halon Pro Tip
Blindly following every short-link is a trap. If your security filter automatically clicks a hidden "unsubscribe" link, it will accidentally opt the user out of lists. Advanced filters safely unmask and check URLs against threat intelligence without triggering those actions.
V
Virus
A type of malware that attaches itself to a clean file or program. When the program runs, the virus replicates and spreads to other files, causing damage.
Halon Pro Tip
Viruses are distinct from worms because they need a host file. Scanning attachments is the primary defense against email-borne viruses.
W
Whaling
A specific form of spear phishing that targets high-profile executives ("big whales") like the CEO or CFO. The goal is usually to steal sensitive company secrets or authorize large payments.
Halon Pro Tip
Executives' email addresses are public knowledge. They need stricter spam filter settings and "external email" warning tags than the rest of the staff.
Z
Zero-Day Exploit
A cyberattack that targets a software vulnerability that is unknown to the software vendor or antivirus companies. It occurs on "Day Zero," before a fix is available.
Halon Pro Tip
You cannot block Zero-Days with standard virus definitions. You need heuristic and behavioural analysis to spot "weird" code execution.
Zombie Computer
A computer connected to the internet that has been compromised by a hacker and can be used to perform malicious tasks (like sending spam) under remote direction.
Halon Pro Tip
If your legitimate IP is blocked, one of your own servers might be a "Zombie." Check your outbound traffic logs for unusual spikes immediately.
Social Engineering
No software can fully stop social engineering. Regular employee awareness training is a critical part of your email security stack.