
What is anomaly detection in email traffic?

Anomaly detection identifies sending patterns that deviate significantly from an account's established norms. It catches problems that rule-based filters miss, because it asks "is this unusual for this sender?" rather than "does this match a known bad pattern?"

What the detection system baselines, per sending account:

Normal sending volume per hour/day/week

Typical recipient domains and distribution

Usual sending times and patterns

Standard bounce and complaint rates

Expected content characteristics

Types of anomalies detected:

Volume anomalies: An account normally sends 5,000 messages a day and suddenly sends 500,000

Timing anomalies: An account that always sends during business hours starts sending at 3 AM

Geographic anomalies: An account based in the US starts sending to countries it has never sent to before

Content anomalies: A dramatic change in message types or characteristics

Metric anomalies: A sudden spike in bounces or complaints
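The following is an added example, not code from the original page: a minimal per-account detector that builds the baseline described above (daily volume, send-hour distribution, recipient countries, bounce rate) from a constructed sending history, then scores a new day against it and reports which of the anomaly types fired. The log record layout, the z-score and "share of never-seen values" thresholds, and the sample data are all assumptions chosen for illustration.

```python
"""Added example: baseline one account's sending and flag a deviating day.
The Event layout and all thresholds are assumptions, not a real product's API.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Event:
    account: str
    sent_at: datetime      # UTC send time
    country: str           # recipient's country code
    bounced: bool


@dataclass
class Baseline:
    daily_volumes: list    # messages per baseline day
    hour_share: Counter    # fraction of messages sent in each UTC hour
    country_share: Counter # fraction of messages to each recipient country
    bounce_rates: list     # bounce rate per baseline day


def build_baseline(history):
    """Summarise one account's past sending into per-day and per-hour stats."""
    by_day = {}
    for e in history:
        by_day.setdefault(e.sent_at.date(), []).append(e)
    total = len(history)
    hours = Counter(e.sent_at.hour for e in history)
    countries = Counter(e.country for e in history)
    return Baseline(
        daily_volumes=[len(v) for v in by_day.values()],
        hour_share=Counter({h: n / total for h, n in hours.items()}),
        country_share=Counter({c: n / total for c, n in countries.items()}),
        bounce_rates=[sum(e.bounced for e in v) / len(v) for v in by_day.values()],
    )


def score_day(baseline, events, z_limit=3.0, new_share_limit=0.2, min_bounce=0.05):
    """Return anomaly labels for one day of one account's traffic (assumed thresholds)."""
    findings = []
    n = len(events)
    if n == 0:
        return findings
    # Volume: z-score against baseline days; fall back to a plain ratio when
    # every baseline day was identical and the standard deviation is zero.
    mu, sd = mean(baseline.daily_volumes), pstdev(baseline.daily_volumes)
    if (sd > 0 and (n - mu) / sd > z_limit) or (sd == 0 and n > 5 * mu):
        findings.append(f"volume: {n} messages vs baseline mean {mu:.0f}")
    # Timing: share of messages sent in hours the account never used before.
    unseen_hours = sum(1 for e in events if e.sent_at.hour not in baseline.hour_share) / n
    if unseen_hours > new_share_limit:
        findings.append(f"timing: {unseen_hours:.0%} of messages in previously unused hours")
    # Geography: share of messages to countries absent from the baseline.
    unseen_cc = sum(1 for e in events if e.country not in baseline.country_share) / n
    if unseen_cc > new_share_limit:
        findings.append(f"geographic: {unseen_cc:.0%} of messages to new countries")
    # Metric: bounce rate above baseline mean + z*sd AND above an absolute floor,
    # so a single bounce on a quiet day does not trip the alarm.
    rate = sum(e.bounced for e in events) / n
    bmu, bsd = mean(baseline.bounce_rates), pstdev(baseline.bounce_rates)
    if rate > max(min_bounce, bmu + z_limit * bsd):
        findings.append(f"metric: bounce rate {rate:.1%} vs baseline {bmu:.1%}")
    return findings


def constructed_history(account="marketing", days=14):
    """Constructed sample: ~200-220 msgs/day, 09:00-16:59 UTC, US/CA, ~1% bounces."""
    start, events = datetime(2024, 3, 1), []
    for d in range(days):
        day = start + timedelta(days=d)
        for i in range(200 + (d % 3) * 10):
            sent = day.replace(hour=9 + i % 8, minute=i % 60)
            events.append(Event(account, sent, "US" if i % 4 else "CA", bounced=(i % 100 == 0)))
    return events


def constructed_compromised_day(account="marketing"):
    """Constructed sample: a stolen-credential blast at 02:00-04:59 UTC to new regions."""
    day = datetime(2024, 3, 15)
    return [Event(account, day.replace(hour=2 + i % 3, minute=i % 60),
                  ["BR", "RU", "IN"][i % 3], bounced=(i % 10 == 0)) for i in range(2000)]


def constructed_normal_day(account="marketing"):
    """Constructed sample: one more ordinary day that should raise nothing."""
    day = datetime(2024, 3, 15)
    return [Event(account, day.replace(hour=9 + i % 8, minute=i % 60),
                  "US" if i % 4 else "CA", bounced=(i % 100 == 0)) for i in range(205)]


if __name__ == "__main__":
    base = build_baseline(constructed_history())
    print("compromised day:", score_day(base, constructed_compromised_day()))
    print("normal day:", score_day(base, constructed_normal_day()))
```

Each check is independent, so a compromised account typically trips several at once (volume, timing, geography and bounces together here), while a legitimate campaign usually moves only one; scoring the count of simultaneous findings is a cheap way to rank alerts. The absolute bounce-rate floor is deliberate: with a baseline of one or two bounces per day, a purely statistical threshold would fire on noise.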

How it helps:

Early compromise detection: Attackers using stolen accounts show different patterns from the legitimate owners

Accidental misconfiguration: Caught before it does large-scale damage

List problems: Bad list imports detected before full damage

System issues: Infrastructure problems surfaced quickly

Anomaly detection complements rule-based filtering. Rules catch known bad patterns; anomaly detection catches "unusual for this account" even when the pattern isn't universally bad. Its weak point is the baseline itself: a brand-new account has none, and an account that was already compromised when the baseline was built will have the attacker's behaviour treated as normal, so baselines should be built from history that is known to be clean.