The filtering of e-mails is done on two levels.
- On the SMTP level, the validity of the sending mail server is checked. The e-mail data stream is collected until the RCPT TO command. This way, the e-mail can be logged, but the usage of resources is minimized.
If there is no reason to mark the sender as 'suspected', the e-mail is sent to the next validation step immediately.
If the sender is known as a malicious source, the e-mail is blocked immediately; the sender receives a 5xx code with explanation. This is a permanent reject.
If there is no reason to entitle the sender as malicious, but the sender is trusted neither, a greylisting algorithm will temporarily block the e-mail (temporarily rejected). A RFC-compliant mail server will retry; at the first retry after 10 minutes the e-mail will be accepted by the SpamExperts filters, and the e-mail will be forwarded to the next validation step.
- On the DATA level, the complete e-mail is loaded and verified. Advanced statistical algorithms are used to qualify the e-mail. Because multiple of those algorithms are used, the risk of an incorrect reject (false positive) is almost zero - the logs of SpamExperts show that this only happens in 0,001% of all cases.
E-mail that is blocked on the DATA level is put into the quarantine mailbox and can be released from there. E-mail that is blocked on the SMTP level cannot be recovered: the e-mail was simply not received completely.