IBM ISS goes fishing for phishers

MS3004 appliance's anti-phishing features complement its anti-spam and IPS tools, but accuracy is a concern

There’s just no stopping it: Spam continues to get worse, and more of it is now targeted at obtaining financial or corporate information rather than just selling herbal remedies or porn. Phishing, or trying to get users to go to Web sites that seem legitimate but are actually forgeries intended to capture users’ information, is an increasing threat, too.

Internet Security Systems, now owned by IBM, is attempting to take on both of these plagues and more. The Proventia Network Mail Security System MS3004, version 1.0 appliance I tested provides e-mail security (including anti-virus, anti-spam, and anti-phishing capabilities), a firewall, intrusion prevention, and an SMTP server. The appliance format makes it easy to set up, and it does a good job on the IPS front, but I found that the MS3004’s anti-spam abilities weren’t as solid as those of other solutions I’ve reviewed.

Focus on phishing

Click for larger view.
The MS3004’s anti-phishing capability is potentially very useful. If it detects a phishing attempt, the appliance puts a “Fraudulent Message” alert at the top of the e-mail. It also marks the message as spam so that it will be quarantined, but it ensures that even if users open the message in quarantine, they should have warning that the message is not legitimate. Most products don’t label spam and phishing separately, so this is a nice touch on ISS’s part.

Unfortunately, if the message is not caught as spam, it is usually not caught as a phishing attempt either. For example, out of 151 fraudulent PayPal messages received during testing, 148 were marked as spam and with the “Fraudulent Message” phishing warning. The three that were not caught as spam were also not marked as phishing attempts.

Similarly, out of 43 fraudulent Bank of America phishing attempts, 42 were caught as spam and flagged with the phishing warning, and one was neither labeled as spam nor with the warning. Because the phishing filter does not catch all phishing attempts, users may incorrectly assume that messages not caught are legitimate e-mails.

The anti-spam catch rate was 91 percent, which is average, but the critical false positive rate was among the worst I’ve seen in the past couple of years, at 0.16 percent. By contrast, the best products had a false positive rate of 0.01 percent. The noncritical false positive rate was moderate, at 1.4 percent. Anti-virus filters worked fairly well, missing only three out of 219 viruses received.

Almost plug-and-go
The MS3004 is easy to install and configure. Initial network setup can be done via the front-panel LCD, a serial terminal, or a browser pointed at the default IP address. The rest of the configuration is done via browser, and the layout is clean and easy to navigate. I did, however, find the Java-based tools slow — working on a 3.4GHz workstation with 2GB of RAM, I experienced delays as long as five-seconds after clicking an item through either Firefox or IE7.

If your organization uses Active Directory or an LDAP directory, you can automatically import users via LDAP. Users are also automatically given access to their e-mail quarantine so that they can release messages or add them to a whitelist or blacklist. The administrator can set up reports so that each user receives a daily e-mail listing quarantined messages; that note also links to the quarantine store so users can release e-mails.

Help features in the administrator’s console are well done, but there is no help available to end-users accessing quarantine. Admins should plan on doing extra training to head off questions early or expect lots of phone calls from end-users.

Policy management tools add good flexibility for dealing with spam: You can create new policies as needed, as well as modify default policies. For instance, foreign languages can be blocked or allowed by language. This blocking produces mixed results if one e-mail contains multiple languages, however. Messages containing both Chinese and English, for example, will not be blocked even if Chinese is set to be blocked.

Rules and policies can be made very specific, such as blocking certain types of incoming attachments or specific phrases. As an alternative, the MS3004’s default heuristics work well.

Reporting is limited to predefined reports: executive summary, traffic monitoring, policy configuration, top 10 policy responses, top 10 analysis modules, top 10 recipients, top 10 spam senders, top 10 e-mail viruses. Reports can be saved as PDFs but not as comma-delimited or Excel files.

I’d like to see the M3004 support more report types (such as percentage of spam versus real e-mail) and offer custom reports, and the ability to save reports as Excel or CSV. Most anti-spam products I’ve tested do this, including Symantec/Brightmail, Mirapoint, and IronPort.

Beyond spam
In addition to anti-spam, anti-virus, and anti-phishing, the MS3004 appliance also offers IPS and application firewall capabilities. These will protect an Exchange server providing Outlook Web Access services.

During my test period, the intrusion prevention module detected and stopped more than 1,100 attacks on the mail server, the Exchange server, and the Web server running on the Exchange server. These included SMTP-based attacks, application-layer attacks (such as buffer overflow attacks), URL spoofing attacks, and HTML-based attacks.

I was impressed by how well the IPS/firewall features worked, but these features are no longer unique or even unusual in this market. They’re an increasingly necessary bonus, unless your company has an application-level firewall as part of another product.

I found the MS3004 to be an effective tool for fighting e-mail-borne attacks, as well as for securing an Exchange or other e-mail server against direct attacks. Although its anti-spam false positive performance is not good, a lot of the false positives would disappear over time as users updated their whitelists.

If you’re looking for a spam-fighting system, I’d suggest checking out the more accurate Mirapoint or Symantec/Brightmail products. But given its combination of e-mail security, IPS, and firewall in a single appliance, the MS3004 is a good value overall.

InfoWorld Scorecard
Manageability (25.0%)
Performance (25.0%)
Ease of use (20.0%)
Value (10.0%)
Setup (20.0%)
Overall Score (100%)
IBM Proventia Network Mail Security System MS3004, version 1.0 8.0 7.0 7.0 8.0 8.0 7.6