What is anomaly detection in email traffic?

Anomaly detection identifies sending patterns that deviate significantly from established norms. It catches problems that rule-based filters might miss.

• What systems baseline:
• Normal sending volume per hour/day/week
• Typical recipient domains and distribution
• Usual sending times and patterns
• Standard bounce and complaint rates
• Expected content characteristics
• Types of anomalies detected:
• Volume anomalies: Account normally sends 5,000/day, suddenly sends 500,000
• Timing anomalies: Account always sends business hours, now sending at 3 AM
• Geographic anomalies: Account based in US, sending to entirely new countries
• Content anomalies: Dramatic change in message types or characteristics
• Metric anomalies: Sudden spike in bounces or complaints
• How it helps:
• Early compromise detection: Attackers using stolen accounts show different patterns than legitimate owners
• Accidental misconfiguration: Caught before massive impact
• List problems: Bad list imports detected before full damage
• System issues: Infrastructure problems surfaced quickly

Anomaly detection complements rule-based filtering. Rules catch known bad patterns; anomaly detection catches "unusual for this account" even if the pattern isn't universally bad.