Creating Transparency With an Inbox Protection Rate
By Len Shneyder
As the Internet evolved and email became increasingly important to the day-to-day operations of businesses and universities, and a staple of ecommerce, bad actors realized that, given email’s dire lack of security and trust mechanisms, they could exploit its ability to reach a global audience.
Because of this, email presents a significant area of concern for security professionals around the world. Some recent studies focused on understanding the “spaminess” of the world’s email traffic include:
- 6.4 billion fake emails (with fake from addresses) are sent globally every single day according to the Email Fraud Landscape Report from Valimail
- Less than 1/3rd (32%) of email traffic seen in the first half of 2018 was considered “clean” and actually delivered to an inbox. The report also found that 1 in every 101 emails had malicious intent (from FireEye’s Email Threat Report).
- According to Talos’s (Cisco) email and spam data dashboard, on a given day almost 85% of all email traffic passing through that network is spam. Legitimate email volume for August was pegged around 44 billion emails a day.
- Based on this external measure of legitimate email, SendGrid is responsible for nearly 1 in 20 emails on a daily basis, or 5% of legitimate global email volume.
- 88.8% of all businesses were targeted by at least 1 email fraud attack, according to the Email Fraud study by Proofpoint.
- A recent Proofpoint report documented a rise in spoofing attacks on corporate individuals, in both the roles involved and the frequency of those attacks.
- 91% of cyber attacks begin with a phishing email according to a 2017 study.
- Email is the top channel for HIPAA data breaches according to the OCR’s HIPAA Breach Portal in 2018.
Introducing SendGrid’s Inbox Protection Rate
Here at SendGrid, we use something we call Inbox Protection Rate as a measure of the legitimate email that travels through SendGrid’s servers.
On a 30-day rolling basis, we see 99.97% legitimate email processed by our servers.
This is non-phishing email generated by legitimate businesses. The Inbox Protection Rate is not a measure of spam or how that email is received—the goodness or spamminess of a message is subjective, however, there is nothing subjective about phish.
In addition to analyzing outbound messages, SendGrid also analyzes the inbound blowback that arises during the normal course of emailing operations. Bounces from mailbox providers and domain owners are highly valuable in determining if a given sender is having delivery problems, and in extreme cases, if the outbound traffic is abusive or malicious.
During a 2-week analysis across 20+ billion emails processed, SendGrid determined that < 0.0023% of all email traffic resulted in bounces that cited phishing or malicious content by mailbox providers.
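The two measurements above (a rolling-window share of legitimate mail, read as a "number of 9s" the way the later section describes, and the share of traffic whose bounces cite phishing or malicious content) can be made concrete. The following is an added example, not SendGrid's own code or data: the daily ledger, the bounce texts and the vocabulary used to flag a bounce as citing malicious content are all constructed for illustration, and the 30-day window, the `DAILY` ledger and the `BOUNCES` list are assumptions.

```python
# Added example (not SendGrid's code): a rolling-window "inbox protection rate"
# and a bounce classifier for bounces that cite phishing or malicious content.
# All inputs below are constructed sample data.
from __future__ import annotations

import re
from datetime import date, timedelta
from fractions import Fraction

# Constructed daily ledger: day -> (messages accepted for sending, messages later
# confirmed as phishing). September 2018 sits inside the window; 1 Aug does not.
DAILY: dict[date, tuple[int, int]] = {
    date(2018, 9, 1) + timedelta(days=i): (1_000_000, 300) for i in range(30)
}
DAILY[date(2018, 8, 1)] = (1_000_000, 500_000)  # old incident outside a 30-day window

# Constructed bounce reasons, in the shape a receiving MTA might return them.
BOUNCES = [
    "550 5.7.1 Message rejected: content identified as phishing",
    "550 5.1.1 The email account that you tried to reach does not exist",
    "554 5.7.1 Message blocked because it contains malware or malicious content",
    "421 4.7.0 Temporarily deferred, try again later",
]

# Assumed vocabulary that marks a bounce as citing phishing or malicious content.
MALICIOUS_BOUNCE = re.compile(
    r"\b(phish(?:ing|ed)?|malicious|malware|fraud(?:ulent)?)\b", re.IGNORECASE
)


def classify_bounce(reason: str) -> str:
    """'malicious' when the provider cites phishing/malicious content, else 'other'."""
    return "malicious" if MALICIOUS_BOUNCE.search(reason) else "other"


def rolling_rate(daily: dict[date, tuple[int, int]], as_of: date,
                 window_days: int = 30) -> Fraction:
    """Share of messages in the trailing window that were legitimate, as an exact fraction."""
    start = as_of - timedelta(days=window_days - 1)
    sent = bad = 0
    for day, (n_sent, n_bad) in daily.items():
        if start <= day <= as_of:
            sent += n_sent
            bad += n_bad
    if sent == 0:
        raise ValueError("no traffic in window")
    return Fraction(sent - bad, sent)


def count_nines(rate: Fraction, limit: int = 12) -> int:
    """Number of leading 9s in the rate (0.9997 -> 3), computed exactly, no float rounding."""
    if rate >= 1:
        return limit
    n = 0
    while n < limit:
        scale = 10 ** (n + 1)
        if (rate * scale) // 1 != scale - 1:
            break
        n += 1
    return n


def malicious_bounce_rate(bounces: list[str], sent: int) -> Fraction:
    """Fraction of sent messages whose bounce cited phishing or malicious content."""
    hits = sum(1 for b in bounces if classify_bounce(b) == "malicious")
    return Fraction(hits, sent)


if __name__ == "__main__":
    as_of = date(2018, 9, 30)
    rate = rolling_rate(DAILY, as_of)
    print(f"30-day rate as of {as_of}: {float(rate):.4%} ({count_nines(rate)} nines)")
    sent_in_window = 30 * 1_000_000
    print(f"malicious-content bounce rate: {float(malicious_bounce_rate(BOUNCES, sent_in_window)):.7%}")
```

Exact fractions are used deliberately: a score quoted in 9s is sensitive to the last digit, and a float such as 0.9999 scaled by 10,000 can land just below the integer and lose a 9. The bounce classifier is a keyword match on the provider's reason text; a production version would key on the enhanced status code and per-provider phrasing rather than a single regex.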
Why we are sharing
In today’s email ecosystem, providers such as SendGrid and other API-driven email platforms are essentially open networks favoring a self-service model similar to public clouds and hosting companies. Self-service models often represent massive compute capabilities that, when not guarded, can be used to harm the ecosystem they serve.
SendGrid’s founders understood, early on, that building and scaling an API-driven platform as a self-service model would require a disproportionate focus on compliance and mitigating abuse. The anonymous nature of the Internet lends itself to the not-so-quiet abuse of systems and individuals by unscrupulous bad actors.
From its earliest days, email was never designed as a secure communication channel, rather it was an open system crafted for collaboration.
Any self-serve model requires hyper-attentive vetting and careful onboarding of new customers, some of which will no doubt be bad actors whose ambitions to use a platform’s reach and ability to deliver spam must be stopped. SendGrid’s Inbox Protection Rate is the result of years of developing robust border defenses to prevent the onboarding of bad actors and intelligent filters and technology to stop mail flow for malicious users that slip through the vetting process.
How we calculate our inbox protection rate
SaaS businesses measure uptime and availability through the number of 9’s in their overall score. Similarly, SendGrid measures the amount of legitimate email that transits our system. By setting benchmarks for the effectiveness of our compliance tools and technology, we can better understand how spammers and cybercriminals evolve their attacks and how that affects the overall volume of email we send.
Compliance is not a destination. It’s an ongoing function that not only safeguards SendGrid’s 74,000+ paying customers, but the billions of receivers who have subscribed to receive emails from these businesses.
On a rolling 90 day basis, SendGrid touches 1/2 of the world’s Internet users–estimated at 2 billion people by SendGrid’s Data Science Team.
SendGrid’s compliance function spans disciplines and departments. Over 160 people touch SendGrid’s compliance function as part of their job. In addition to a dedicated compliance team with agents whose task it is to review potential threat actors and new signups, the compliance team has a dedicated product manager and developers.
A healthy, automated anti-abuse program takes advantage of defenses spanning several key areas to form a holistic view of how SendGrid must be protected. At the top-level, these areas include the stages of a customer’s lifecycle with SendGrid, their behaviors while using SendGrid, and the actual content processed by SendGrid on behalf of its customers. (It’s important to note that SendGrid has automated defenses in all of these areas, including Machine Learning and Artificial Intelligence-backed systems in every area of this triad of concerns.)
A more complete representation of these areas with some examples of related concerns appears below.
The technology behind SendGrid’s compliance functions operates at the bleeding edge of email flow intervention. A neural network called Phisherman was created and trained to differentiate the characteristics of legitimate mail from those of fraudulent emails.
Neural networks are essentially machine learning systems designed to perform deep learning on large datasets. Email’s multiple signals and characteristics represent a ripe data set to be studied and modeled. Phisherman’s mandate is to prevent phish from leaving SendGrid by identifying abusive content characteristics that bad actors attempt to inject into SendGrid’s mail-send API.
Content-based pattern recognition is just one piece of the overall compliance picture. SendGrid’s Compliance Team has studied behaviors associated with spam attacks and phishing to understand how spammers onboard and abuse a platform. These learnings have resulted in a set of rules and defenses called UVS, or User Vetting Service, designed to catch bad actors before they’re able to fully open or enable an account.
…And a patent
SendGrid’s User Vetting Service is also connected to an array of industry data sources to enhance its reach and knowledge about the broader array of threats and behaviors (e.g. abusive actors will often perform abuse on multiple SaaS platforms before coming to SendGrid). The combination of border defenses and content recognition is further enhanced by an intelligent “traffic cop” that watches the mail flow from new accounts to ensure anomalous or large deployments are slowed and even stopped.
Many years ago, mailbox providers and ISPs began the development of reputation systems to understand if an IP was a source of spam and phishing or if it was “clean.” Spammers would burn through new IPs by rotating them quickly to get as much mail out before a mailbox provider or ISP blocked them outright. That behavior fundamentally changed how mailbox providers viewed a new IP with no reputation—new IPs with no history went from “good” to “suspicious” thereby limiting their ability to deliver to the inbox until there was enough data to determine the placement of the mail. This, in turn, prompted legitimate senders to ramp their email volumes slowly on new IPs as a means of building a good reputation history.
SendGrid’s traffic cop looks for anomalies outside of what it considers a normal and healthy method for building sender reputation. The system may take corrective actions that can include minor changes to the mail stream to prevent a more major, unnecessary action affecting a legitimate user.
The algorithm and process used to build this traffic cop were patented in 2017 by SendGrid’s leading data scientist, Dr. Aaron Beach and co-founder Tim Jenkins.
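To make the warm-up idea concrete, here is an added, illustrative policy that is not SendGrid's patented algorithm: it grades a new account's daily volume against an expected ramp (an allowance that grows each day the account stays within it) and prefers the smallest corrective action, deferring the overage before stopping the flow. The starting allowance, growth factor, cap, burst factor and the three constructed volume histories are all assumptions chosen for illustration.

```python
# Added example (not SendGrid's traffic cop): a warm-up policy that grades a new
# account's daily volume against an expected ramp and escalates gradually.
# Every threshold below is assumed for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class WarmupPolicy:
    base_daily: int = 500        # allowance on the account's first day (assumed)
    growth: float = 2.0          # allowance multiplier per healthy day (assumed)
    cap: int = 1_000_000         # allowance stops growing here (assumed)
    hard_factor: float = 10.0    # volume above allowance * hard_factor is stopped outright
    max_throttles: int = 3       # overages tolerated before the flow is stopped

    def allowance(self, healthy_days: int) -> int:
        """Expected ceiling for an account that has stayed in-ramp for healthy_days days."""
        return min(self.cap, int(self.base_daily * self.growth ** healthy_days))


@dataclass
class AccountState:
    healthy_days: int = 0   # days the account sent within its allowance
    throttles: int = 0      # minor corrections applied so far
    stopped: bool = False   # flow held for review


def evaluate_day(policy: WarmupPolicy, state: AccountState, volume: int) -> tuple[str, int]:
    """Grade one day's attempted volume; returns (action, messages accepted) and updates state."""
    if state.stopped:
        return ("stopped", 0)
    allowance = policy.allowance(state.healthy_days)
    if volume <= allowance:
        state.healthy_days += 1          # within the ramp: the allowance keeps growing
        return ("allow", volume)
    burst = volume > allowance * policy.hard_factor
    if burst or state.throttles >= policy.max_throttles:
        state.stopped = True             # major action: hold the flow for human review
        return ("stop", 0)
    state.throttles += 1                 # minor action: accept the allowance, defer the rest
    return ("throttle", allowance)       # the allowance does not grow on a throttled day


def simulate(policy: WarmupPolicy, volumes: list[int]) -> list[tuple[str, int]]:
    """Run a sequence of daily volumes for one fresh account."""
    state = AccountState()
    return [evaluate_day(policy, state, v) for v in volumes]


if __name__ == "__main__":
    policy = WarmupPolicy()
    # Constructed daily volumes for three hypothetical new accounts.
    print("steady ramp  :", simulate(policy, [400, 900, 1_900, 3_900]))
    print("spam burst   :", simulate(policy, [300, 50_000, 10]))
    print("chronic over :", simulate(policy, [400, 1_500, 1_500, 1_500, 1_500]))
```

The point of the graduated response is the one the text makes: a legitimate sender who overshoots slightly loses only the excess for that day, while an account that jumps from a few hundred to tens of thousands of messages is stopped before the first day's burst finishes. A real system would add signals the page mentions, such as bounce blowback and external reputation feeds, rather than volume alone.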
SendGrid processes numerous external signals generated by mailbox providers, threat data providers, and other aggregators associated with email security. Email has evolved as a highly instrumented channel for marketers to understand user behavior. Similarly, with the advent of SPF, DKIM, and DMARC, security experts focused on understanding the threat messaging landscape have evolved products and data feeds to catalog and identify bad actors around the world.
Compliance for everyone
SendGrid’s compliance infrastructure, processes, and personnel don’t operate in a pure vacuum—the only way to achieve our scale is to balance compliance outcomes with business goals. Developing tools that take automated action must be built to not only recognize bad behavior and signals but to understand good behavior and not generate an abundance of false positives.
Operating compliance at scale sometimes means temperance to ensure that legitimate users continue to have the best possible experience on our platform and not wind up as collateral damage because of the actions of a handful of nefarious bad actors.
SendGrid’s scale has been a forcing function in terms of compliance—the efforts of a diverse group of individuals focused on securing “The ‘Grid,” in turn secures the Internet from malicious emails. Scale comes with a responsibility to grow in a responsible manner, and the compliance function at SendGrid secures not only “The ‘Grid” but the inboxes of nearly every person on the planet.
For more information on email security, check out my guide: Phishing, Doxxing, Botnets, and Other Email Scams: What You Need to Know.