2 Years in the anti-phishing group of a large company
Computers & Security (IF 5.6) Pub Date: 2021-03-05, DOI: 10.1016/j.cose.2021.102259
Luigi Gallo, Alessandro Maiello, Alessio Botta, Giorgio Ventre

The email threat landscape is constantly evolving and hence difficult to counteract even by carrier-grade spam filters. Dangerous spam emails may thus reach the users and then result in damaging attacks spreading through the corporate network. This paper describes a collaborative approach for early detection of malicious spam emails and its application in the context of large companies. By the joint effort of the employees and the security analysts during the last two years, a large dataset of potentially malicious spam emails has been collected with each email being labeled as critical or irrelevant spam. By analyzing the main distinguishing characteristics of dangerous emails, a set of both traditional and novel features was identified and then tested and optimized by applying common supervised machine learning classifiers. The obtained massive experimental results show that Support Vector Machine and Random Forest classifiers achieve the best performance, with the optimized feature set of only 36 features achieving 91.6% Recall and 95.2% Precision. These results, confirmed by a large empirical experiment conducted on 40,000+ company employees, led to the re-engineering of the email threat management process to ensure a high level of security in the company, as well as an increased security awareness of all company employees.




Updated: 2021-03-25