
Barracuda Spam Firewall 600

Cloudmark Authority

DynaComm i:mail

Gordano Messaging Server

iHateSpam for Exchange

IronMail

MailMarshal for SMTP

MailSite

Nemx Power Tools for Exchange 2000

Policy Patrol

PureMessage Small Business Edition

SurfControl Email Filter for SMTP


CipherTrust's IronMail appliance wins our Best Buy for its excellent detection rates, advanced filtering options, high performance and integration with other services within its portfolio. We have three Recommended products. FutureSoft's DynaComm i:mail offers excellent reporting and feedback with a feature set well suited to gateway roles. Gordano's GMS is a great messaging suite with lots of spam filtering capabilities and it is let down only by some unnecessary complexity. SurfControl Email Filter for SMTP demonstrated very fast mail processing and the best detection rates in the test.

Anti-spam, part I (2004)

If your company is not using an anti-spam product yet, what are you waiting for? Jon Tullett and René Millman review some of the new products on offer

Anti-virus (AV) is child's play. Something matches a signature or not; you let it through or not. Assuming the technology works it is a fairly basic binary process. Spam is a real pain. It is more varied, cunning and voluminous.

AV pundits will say spam may be more vague, but it is lower risk too. The odd junk email sneaking through is mildly annoying, while a virus can cost you millions. This is true, but spam has implications too: coordinated efforts between spammers and virus writers mean you can never be sure the site luring users is not going to download malware, attempt identity theft or display offensive material that could land you in a lawsuit.

While humans are good at detecting junk mail (phishing attacks excluded), computers struggle to distinguish junk from legitimate mail with accuracy.

First, the spammers are ahead. They can test junk mail against anti-spam solutions to see what will work and what will not (the same way a virus writer can). Second, some legitimate mail looks "spammy," such as newsletters in HTML format. Third, spoofing is now standard practice, which makes blacklisting harder but plays well to network checks like reverse DNS (RDNS). Fourth, users in a company have different requirements.

The larger the company, the more likely you are to struggle. For example, at SC Magazine, we share a network with people working on medical publications. The staff for these publications regularly receive email about drugs and cosmetic surgery. Filtering by regex on our network is therefore very difficult.

All things considered, we tested a collection of spam solutions to see how effective they would be at accommodating the needs of an enterprise. We wanted to block spam, allow legitimate mail, accommodate an environment where one user's spam may be another's business mail and integrate smoothly into a company's messaging flow.

We tested the products with a heavy load of spam (with some particularly tricky legitimate mail) to test how good the filtering was, how clean the integration and the impact on performance.

We had an overwhelming response to our request for products to test. As a result, we decided to split the test in half and review one set of products this month and another set in the July issue (which will include managed services).

Most products offer a range of techniques that can be combined in many ways. Every organization will have unique needs and it is advisable to run anti-spam in "observe only" mode for a while and check the results before going live.

In testing, we found a scoring approach tended to be much better than outright blocking. By tagging mail with the calculated probability that it is spam, you gain more flexible handling and can pass the management to a second mail gateway that is handling mail routing.

RDNS attempts to resolve the source of incoming mail. If it fails it assumes the mail is spam. It is very effective as a technique, but so many companies have misconfigured DNS that it makes for a huge number of false positives. RDNS should only be used as a scoring mechanism.

Sender Policy Framework (SPF), Microsoft's Caller ID and Yahoo's DomainKeys are the next step, but few products offer them, just as few organizations publish the requisite data for it to work.

Realtime blackhole lists (RBLs) keep track of spammers and open relays. This is great for catching relays, but, with the increase in compromised home computers sending spam via Trojans, this is less effective than it used to be. Also, RBLs have political problems of their own.

Heuristics scan the content for known spam patterns and work quite well. Legitimate mail almost never contains HTML comment fields or obfuscated URLs.

Spotting spam phrases is more tricky and can lead to false positives so look for products that allow you to fine-tune filtering and scoring. Spam signatures issued by vendors are great for real-time protection. Spam campaigns tend to be short-lived and this means you can target "live" spam by updating regularly. An advantage over AV is that spam signatures can be expired, where AV signatures must be kept in the system much longer.
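As an added illustration of the scoring approach the article recommends (this is not code from any of the reviewed products), the Python below combines the heuristics discussed: an RDNS failure, HTML comment fields, obfuscated URLs and spam phrases each add a weighted amount to a score, and the mail is tagged with headers for a downstream gateway rather than blocked outright. The RDNS lookup table, weights, threshold and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed stand-in for reverse DNS: IP -> PTR name, or None when the
# lookup fails. A real gateway would call socket.gethostbyaddr instead.
FAKE_RDNS = {"203.0.113.5": "mail.example.net", "198.51.100.9": None}

# Assumed weights. RDNS failure only adds to the score; it never blocks on
# its own, because misconfigured DNS is common and would cause false positives.
WEIGHTS = {"rdns_fail": 1.5, "html_comment": 2.0, "obfuscated_url": 2.5, "spam_phrase": 1.0}
SPAM_PHRASES = ("click here", "limited time offer", "act now")
# Obfuscated URLs: userinfo trick (real host after '@'), bare numeric host,
# or percent-encoded characters in the host part.
OBFUSCATED_URL = re.compile(r"https?://(?:[^/\s]*@|\d{1,3}(?:\.\d{1,3}){3}|%[0-9a-f]{2})", re.I)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)

# Constructed sample messages: one spam-like, one legitimate but "spammy".
SPAM_SAMPLE = """From: offers@example.org
To: user@example.net
Subject: Act now
Content-Type: text/html

<html><!-- ab3f -->Click here: http://www.example.net@192.0.2.7/login
<!-- 9x -->limited time offer</html>
"""
HAM_SAMPLE = """From: clinic@example.net
To: user@example.net
Subject: Surgery schedule

Hi, the schedule is attached. Click here to confirm: https://intranet.example.net/confirm
"""

def score_message(raw: str, sender_ip: str) -> tuple[float, list[str]]:
    """Return (score, reasons) for a raw RFC 2822 message from sender_ip."""
    msg = message_from_string(raw)
    payload = msg.get_payload(decode=True)  # None for multipart, bytes otherwise
    text = msg.get("Subject", "") + "\n" + (payload.decode("utf-8", "replace") if payload else "")
    score, reasons = 0.0, []
    if FAKE_RDNS.get(sender_ip) is None:
        score += WEIGHTS["rdns_fail"]; reasons.append("rdns_fail")
    if HTML_COMMENT.search(text):
        score += WEIGHTS["html_comment"]; reasons.append("html_comment")
    if OBFUSCATED_URL.search(text):
        score += WEIGHTS["obfuscated_url"]; reasons.append("obfuscated_url")
    hits = sum(1 for p in SPAM_PHRASES if p in text.lower())
    if hits:
        score += WEIGHTS["spam_phrase"] * hits; reasons.append(f"spam_phrase x{hits}")
    return score, reasons

def tag_message(raw: str, sender_ip: str, threshold: float = 4.0) -> str:
    """Tag instead of block: add X-Spam-Score and X-Spam-Flag headers."""
    score, reasons = score_message(raw, sender_ip)
    msg = message_from_string(raw)
    msg["X-Spam-Score"] = f"{score:.1f} ({', '.join(reasons) or 'none'})"
    msg["X-Spam-Flag"] = "YES" if score >= threshold else "NO"
    return msg.as_string()
```

Note that the legitimate sample still scores for "click here", which is exactly why a tag plus a tunable threshold is preferable to blocking on any single heuristic.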

If you retrieve mail from remote sites irregularly, relatively old spam may sneak through. In practice, that did not seem to happen – our mix of old and new spam was managed similarly by most products.

No product was perfect (or even close). Few managed a low false positive rate without letting in a lot of mail.

Accommodating a flexible environment presents management difficulties with which vendors are clearly still coming to grips. Some products are difficult to configure behind proxies and relays and integration with AV and content filtering is still limited (except for those offered as part of a suite and even then there are limited options).

Our tests were very demanding but any organization that can reduce its junk mail overhead by half is still clearly benefiting.
