Managed IT

A spam filter that only blocked the wrong things

Phishing made it to the inbox. Real invoices ended up in quarantine and nobody looked.

A wholesaler came to us after they'd nearly approved a phishing email three times in two months and simultaneously paid a real invoice three weeks late because it sat in quarantine.

The situation

The spam filter ran on default settings with a quarantine that swallowed 80 mails a day. Nobody checked it daily. Meanwhile the filter was clearly too lax: clear-cut phishing slipped past the first check.

This happens in more offices than you'd think, usually because the settings were set to "default" by a vendor years ago and never touched.

What we did

Two things, in this order:

1. Tightened inbound rules for the phishing patterns that were getting through (typical SPF/DKIM/DMARC mismatches, look-alike domains, "invoice attached" with no prior relationship). Per-rule logging.
2. Quarantine digest emailed daily to one person with simple "release or leave" buttons. No more 80 mails to triage: thanks to step 1, that dropped to 5-10 per day.

After two weeks we reviewed which good mails we'd blocked and tuned the rules.
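
The three inbound checks from step 1 with a log line per rule hit, as an added example (a sketch, not the filter configuration used in this case). The domain names, rule names, sample messages and the 0.9 similarity threshold are assumptions.

```python
import logging
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

log = logging.getLogger("inbound-rules")

# Constructed values (assumptions, not from the case study).
TRUSTED_AUTHSERV = "mx.wholesaler.example"  # our own boundary MTA
PROTECTED = {"wholesaler.example", "bigsupplier.example"}  # domains worth imitating
KNOWN_SENDERS = {"bigsupplier.example"}  # domains with prior correspondence

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts, read only from the header our own MTA stamped."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:  # skip sender-supplied copies
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    return {}

def lookalike_of(domain):
    """Return the protected domain that `domain` closely resembles, else None."""
    for real in sorted(PROTECTED):
        if domain != real and SequenceMatcher(None, domain, real).ratio() >= 0.9:
            return real
    return None

def evaluate(raw):
    """Return the names of the rules that fired, logging each hit separately."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    res, hits = auth_results(msg), []
    # No trusted verdict at all counts as a mismatch, same as an explicit fail.
    if res.get("dmarc") == "fail" or "pass" not in (res.get("spf"), res.get("dkim")):
        hits.append("auth-mismatch")
    if lookalike_of(domain):
        hits.append("lookalike-domain")
    names = [msg.get("Subject", "")] + [p.get_filename() or "" for p in msg.walk()]
    if re.search(r"invoice", " ".join(names), re.I) and domain not in KNOWN_SENDERS:
        hits.append("first-contact-invoice")
    for rule in hits:
        log.warning("rule=%s from_domain=%r", rule, domain)
    return hits

# Constructed sample messages.
PHISH = ("Authentication-Results: mx.wholesaler.example; spf=fail; dkim=none; dmarc=fail\n"
         "From: Billing <billing@bigsuppl1er.example>\nSubject: Invoice attached\n\nPlease pay.\n")
LEGIT = ("Authentication-Results: mx.wholesaler.example; spf=pass; dkim=pass; dmarc=pass\n"
         "From: Accounts <accounts@bigsupplier.example>\nSubject: Invoice 1042\n\nAttached.\n")
```

Counting the per-rule log lines over the two-week review window shows which rule is quarantining good mail and needs tuning.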

What it delivered

After one month:

- Phishing in the inbox: from ~3 per month to zero.
- Real mail in quarantine: from ~10 per week to 0-1 per week.
- Quarantine triage time: from "nobody" to 5 minutes per day for one person.
- One invoice paid on time because it wasn't lost anymore.

No extra software purchased.

What this wasn't

Not a second spam filter on top. Not org-wide phishing training (that comes later, calibrated with management). What it was: using the existing tool the way it was designed to be used.