Burst Detection
Overview
Burst Detection helps identify and mitigate sudden spikes or surges in email volume targeting specific recipients within a short time frame. These unexpected bursts can be used by malicious actors to overwhelm or distract users, often paired with unsolicited offers for “tech support” or other schemes. By enabling Burst Detection, INKY will:
Continuously monitor incoming email volume per recipient.
Detect when a recipient is receiving an unusually high volume of messages within a short period.
Automatically apply configurable protections, such as assigning a specific result bucket (threat category) or changing the delivery target for affected messages.
This article covers how to configure Burst Detection settings and explains best practices for minimizing false positives while retaining a high level of security.
Key Features of Burst Detection
Burst Interval (seconds)
Defines the time window in which emails are counted to determine if there is a surge. For example, if set to 300 seconds (5 minutes), the system checks the volume of incoming messages in that 5-minute span.
Message Threshold
Determines how many messages within the Burst Interval will trigger a detection. For instance, setting a threshold of 20 messages means that if 20 or more messages arrive within the specified interval, it’s considered a burst.
Burst Mode Cache Duration (seconds)
Keeps a recipient in “burst mode” for a set amount of time after the initial burst detection, even if the flow of incoming emails slows temporarily. This ensures ongoing protection for that recipient for the duration specified.
Ignore Senders / Recipients
Allows administrators to exclude certain trusted senders or recipients from Burst Detection. This helps reduce false positives, particularly for high-volume internal or third-party senders (e.g., newsletters, automated systems, or mailing lists).
Result Bucket
Classifies messages detected in a burst into a specific threat category, such as “Suspicious Mail Burst.” This makes them easier to track, filter, and review in reporting and threat dashboards.
Delivery Target
Provides the option to override the normal delivery path for detected messages (e.g., route them directly to the Junk Folder).
Exclusion Options
Exclude Internal or Trusted 3rd Party messages
Skip internal or trusted third-party messages from contributing to burst calculations.
Exclude Known External messages
Similarly, skip known, trusted external contacts.
How It Works
When a recipient receives a burst of emails that meets or exceeds your configured Message Threshold within the Burst Interval, INKY considers that recipient to be in “burst mode.” During this time (defined by the Burst Mode Cache Duration), all incoming emails to that recipient receive an automatic “Suspicious Mail Burst” threat classification. INKY can then apply your chosen Result Bucket and Delivery Target settings to handle these messages appropriately (e.g., move to spam or quarantine).
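As an added illustration that is not INKY's own code, the following Python sketch models the logic described above: a per-recipient sliding window over the Burst Interval, the Message Threshold, the Burst Mode Cache Duration, Ignore Senders / Recipients, and a simplified "Exclude Internal" check (sender and recipient share a domain). The class, method and parameter names and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict, deque


class BurstDetector:
    """Per-recipient sliding-window burst detector modelled on the settings above.

    Assumption: messages are fed in timestamp order (seconds). Ignored and excluded
    messages neither count toward the window nor receive the result bucket.
    """

    def __init__(self, interval=300, threshold=20, cache_duration=300,
                 result_bucket="Suspicious Mail Burst", ignore_senders=(),
                 ignore_recipients=(), exclude_internal=False):
        self.interval = interval                # Burst Interval (seconds)
        self.threshold = threshold              # Message Threshold
        self.cache_duration = cache_duration    # Burst Mode Cache Duration (seconds)
        self.result_bucket = result_bucket      # Result Bucket applied to burst messages
        self.ignore_senders = set(ignore_senders)
        self.ignore_recipients = set(ignore_recipients)
        self.exclude_internal = exclude_internal
        self.windows = defaultdict(deque)       # recipient -> arrival times inside the interval
        self.burst_until = {}                   # recipient -> time at which burst mode expires

    def classify(self, ts, sender, recipient):
        """Return the result bucket for one message, or None if it is not part of a burst."""
        if sender in self.ignore_senders or recipient in self.ignore_recipients:
            return None
        if self.exclude_internal and sender.rsplit("@", 1)[-1] == recipient.rsplit("@", 1)[-1]:
            return None                         # same-domain mail does not count toward a burst
        win = self.windows[recipient]
        win.append(ts)
        while ts - win[0] > self.interval:      # drop arrivals that fell out of the window
            win.popleft()
        if len(win) >= self.threshold:          # threshold met: (re)enter burst mode
            self.burst_until[recipient] = ts + self.cache_duration
            return self.result_bucket
        if ts <= self.burst_until.get(recipient, -1.0):
            return self.result_bucket           # still inside the cache duration of an earlier burst
        return None

    def in_burst_mode(self, recipient, now):
        """True while the recipient's burst mode cache has not yet expired."""
        return now <= self.burst_until.get(recipient, -1.0)


if __name__ == "__main__":
    # Constructed sample: 20 external messages to one recipient within a minute, then a straggler.
    det = BurstDetector(ignore_senders={"no-reply@yourcompany.com"}, exclude_internal=True)
    for i in range(20):
        print(i * 3, det.classify(i * 3, f"s{i}@ext.example", "alice@yourcompany.com"))
    print(307, det.classify(307, "late@ext.example", "alice@yourcompany.com"))
```

With the defaults above, the 20th message in the window is the first to be classified, and the straggler at 307 s is still flagged because the cache duration has not expired even though only 18 arrivals remain in the interval.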
Why It Matters
Prevents Overload: High volumes of emails can distract users or hide malicious messages in the flood.
Blocks Social Engineering Attacks: Attackers often rely on confusion or urgency tactics—Burst Detection helps you spot them early.
Streamlines Management: Automated classification saves time for administrators, security teams, and end-users.
Configuring Burst Detection
Access the INKY Admin Portal
Log in to your INKY administrative console.
Navigate to Analysis - INKY → Burst Detection.
Enable Burst Detection
Locate the Burst Detection checkbox and set it to On by checking the box.
Set Burst Interval (seconds)
Enter the desired time window in seconds.
Example: 300 seconds (5 minutes).
Define Message Threshold
Specify the number of messages required to be considered a burst.
Example: 20 messages in 5 minutes.
Configure Burst Mode Cache Duration (seconds)
Enter the duration during which the system will consider the recipient in “burst mode” once triggered.
Example: 300 seconds (5 minutes).
Ignore Senders / Recipients
Add email addresses or domains in the provided fields to exempt them from burst calculations.
Use this to ignore high-volume senders that you know are safe (e.g., no-reply@yourcompany.com, marketing@trustedpartner.com).
Select Result Bucket
Choose the desired threat category (e.g., Caution (Spam)) for emails detected during a burst.
Set Delivery Target
Override the normal mailbox destination (e.g., route to Junk Folder).
Exclude Internal or Trusted 3rd Party Messages
Check this option if you want to disregard internal or recognized third-party emails.
Exclude Known External Messages
Check this option if you want to exempt verified or known external senders.
Save Your Configuration
Click Save or Apply to confirm the new settings.
Verifying and Monitoring Burst Detection
After enabling and configuring Burst Detection, use the following steps to confirm it’s working as intended:
Testing a Burst
If feasible, send a high volume of test emails to a specific recipient in a short time.
Monitor if the “Suspicious Mail Burst” classification is applied.
Review the Threat Dashboard
Open your INKY security or threat dashboard.
Look for the new category “Suspicious Mail Burst.”
Verify that messages detected as part of the test appear in this category.
Adjust Settings as Needed
If you see too many false positives (legitimate high-volume emails flagged), consider raising the Message Threshold or adjusting ignored senders.
If a genuine threat slipped through, consider lowering the threshold or interval.
Best Practices
Balance Security and Usability:
Set thresholds high enough to prevent frequent false positives but low enough to detect real suspicious bursts.
Identify Critical Recipients:
Keep a closer eye on recipients more likely to be targeted (e.g., finance or HR staff). Consider adjusting threshold settings or ignoring certain addresses if needed.
Monitor Reports Frequently:
Regularly check INKY’s dashboards to ensure Burst Detection is functioning well and to catch any spikes of suspicious traffic.
Troubleshooting & FAQs
Why am I seeing too many false positives?
Ensure that any known bulk senders (e.g., marketing automation tools, ticketing systems) are on the Ignore Senders list.
Increase the Message Threshold or shorten the Burst Interval.
Why isn’t any email flagged as part of a burst?
Verify that Burst Detection is enabled.
Ensure your Message Threshold and Burst Interval are set to realistic values.
Confirm the messages originate from external domains or addresses not ignored by the detection system.
How can I see which recipients are in “burst mode”?
Look for the “Suspicious Mail Burst” threat category in message details.
Can I override the default mailbox destination for burst-detected messages?
Yes, by using the Delivery Target option to route flagged emails to the Junk Folder or Quarantine.