Rival solutions smack down spam

MailFrontier, Sophos, Symantec, and Trend Micro deploy effective spam combatants

See correction at end of review

Spam is such a significant problem these days that even the federal government has gotten involved, passing legislation such as the CAN-SPAM Act. Meanwhile, a wide variety of companies has collaborated on an authentication scheme called the Sender ID Framework, aimed at making e-mail fraud even harder to perpetrate. Realistically, though, neither CAN-SPAM nor e-mail-sender authentication is likely to do much to stem the flood of mail. Fortunately, anti-spam products continue to evolve and improve.

In my ongoing tests of anti-spam products, I recently looked at four more contenders: Brightmail Anti-Spam 6.0 from Symantec; IMSS (InterScan Messaging Security Suite) Version 5.5 from Trend Micro; MailFrontier Enterprise Gateway 3.1 from MailFrontier; and PureMessage 4.6 from Sophos. They all performed admirably, filtering more than 90 percent of spam, with few false positives.

All are software gateways that can reside on the same system as your mail server or on a separate system. They all offer enterprise-caliber features, including user access to quarantined messages; automatic setup of user access to quarantined messages; different policies by user, group, or domain; optional anti-virus scanning; and useful reporting tools. Pricing for all four is within $1 per user, per year, for anti-spam, anti-virus, and policy filtering.

Beyond the basics, Brightmail offers a simple installation with almost no configuration or tuning required, and little ongoing maintenance is necessary. Trend Micro delivers extensive tuning capabilities that cater to the needs of varying groups of users. MailFrontier provides easy installation and great reporting. Sophos installs on Linux only, and it provides a great deal of flexibility as well as a relatively simple installation.

As for accuracy, Brightmail sets the standard for filtering performance, boasting zero false positives, critical or bulk, and stopping 97.69 percent of spam. With zero critical false positives, 1.26 percent bulk false positives, and 96 percent of spam stopped, Sophos will also keep end-users content. MailFrontier is also quite acceptable, with the spam-stopping score of 97.95 percent, three critical false positives out of 1,711 messages, and a bulk false positive rate of 0.94 percent. IMSS is still well within the acceptable range, with a bulk false positive rate of 0.6 percent, one critical false positive out of 834 messages, and 96.5 percent of spam blocked.

The importance of the false positives rate should not be overlooked; that statistic is arguably more significant than a solution’s spam-blocking percentage. Mining the quarantine for false positives, after all, is much more time-consuming than dealing with the few spam messages that slip through the filter.

In my tests, I divided the false positives into two categories: bulk and critical. Stopping some bulk e-mails, such as newsletters, mailing lists, and authorized marketing e-mails from getting through is not the worst thing in the world, and it’s generally easily remedied by adding a few senders to the whitelist. Critical false positives are personal e-mails addressed to specific users that get blocked. A high critical false positive rate is the biggest barrier for end-user acceptance of anti-spam filters: If it’s too high, they stop trusting the filter or have to spend a lot of time checking quarantined e-mail every day.

Symantec Brightmail Anti-Spam 6.0

Brightmail Anti-Spam 6.0 is the latest in a line of products that has been a top performer in our tests during the past couple of years. Recently acquired by Symantec, Brightmail will offer few surprises to those familiar with previous versions.

The solution installs easily on Windows 2000 and 2003 Servers. It does require IIS for SMTP services and will prompt you to install it if it’s not present. It would be nice if it also warned you that using the default installation option for IIS through Windows doesn’t install the needed SMTP component. It also installs MySQL Pro and the open source Tomcat application server, which handles quarantined messages and grants end-users access to the quarantine. A license key is also required, as is registration through the Symantec Web site.

Configuration is simple, straightforward, and well-documented. When the initial configuration is complete, there is little else to do. There are controls for the filters available, but given the very high performance of the filters in the default position, it’s hard to imagine anyone wanting to mess with them. Further, there are no updates to schedule, as they occur automatically.

Brightmail provides Web access to the quarantine on a per-user basis. Users may also access the quarantine via plug-ins for Microsoft Outlook and Exchange as well as for Lotus Domino. Users may view quarantined messages, release messages incorrectly identified as spam, report spam that got through, and control their whitelist and blacklist settings. User and group information can be imported from Active Directory or other LDAP directories to speed the setup process.

Administration is also performed via browser, and admins can manage multiple servers across the enterprise from a single console. Policies are manageable by domain, group, or users, with fine granularity for controls as well as permissions for end-user access.

Brightmail now offers non-English support. It detects what language is in use in an e-mail for the top dozen languages (including Chinese, Russian, Japanese, Korean, German, and Italian), and heuristics only run for the applicable language. It can also let through messages written in one specific language or in English and another language.

Also new is the sender authentication feature, which ensures that the apparent e-mail address of a sender is legitimate and filters out messages from fake sender addresses before they even hit the server. Brightmail has done considerable work to optimize this feature. The filter rejects messages using the fastest filters first, thus reducing the load increase. Brightmail estimates that even with sender authentication turned on, overall load increases by less than 3 percent.

The results tell all: nearly 4,000 messages and no false positives, not even newsletters or marketing materials. Brightmail is an enterprise-caliber product with superb performance that didn’t need to be tuned at all, and that had almost no ongoing maintenance requirement.

Trend Micro InterScan Messaging Security Suite

IMSS is a full-featured anti-spam, anti-virus, and e-mail policy management suite that runs on Linux, Solaris, or Windows 2000 and 2003 Servers. Installation is relatively simple and can be done remotely if desired. When the product is installed, it must be registered via the Trend Micro Web site, which then e-mails activation keys that must be entered.

Configuration is straightforward, and the Web-based interface is easy to navigate, although after you make all your changes and click the Save button in each field, you must click the easy-to-overlook Apply Now button to update all the configuration changes to the server.

I initially received the out-of-date Version 2.0 of the spam engine, which shipped in late May. Unfortunately, the product’s Auto-Update feature updated anti-spam signatures but not the software engine, a problem the company says is fixed in the current Version 2.8. The product’s accuracy improved dramatically when I installed the newest edition, stopping 96.5 percent of spam and generating only one critical false positive, resulting in a bulk false positive rate of 0.72 percent.

IMSS allows for highly specific tuning of filters, from lenient to aggressive, in a variety of categories including sexual or racial content, profanity, chain letters, hoaxes, and HTML scripts. Filters can be tweaked for individual users, groups, or domains.

Admins may customize the actions taken when a filter is triggered. In addition to the usual defaults of quarantining, forwarding with an addition to the subject heading, forwarding to a different user account, or deleting what the other programs offer, you can also create custom responses. For instance, you could have all e-mails containing objectionable racial or sexual content automatically forwarded to an HR mailbox and with a warning inserted at the top of the message.

Users may access quarantine via a browser interface or an Exchange plug-in, allowing them to release messages and whitelist or blacklist senders. User and group information can be imported from Active Directory or other LDAP directories to speed the setup of users and groups in IMSS.

Aside from the outdated original version of the software issue, IMSS performed well, and it offers extensive policy management tools and granular management of anti-spam characteristics.

MailFrontierEnterprise Gateway 3.1

MailFrontier had the easiest installation of any of the products I tested and, as does IMSS, requires no additional software. The Windows installer automatically installs Tomcat and Java Runtime Engine, which grant access to quarantine. The installer installs to any Windows 2000 Server or Windows 2003 Server system on which you have administrator rights.

Admins may deploy the product remotely to one or more servers with a single install. Be mindful, however, that if you’re setting it up as a gateway and not paying close attention, you could inadvertently install it on the mail server instead of the local system, as I did.

When Enterprise Gateway is installed, you may retrieve users and groups from a Windows NT, Active Directory, Novell NDS, or other LDAP directory. Brightmail and Trend Micro offer the same capability. Individual user access to quarantine requires enabling the LDAP function; there’s no provision for creating user tables manually nor for automatically creating log-ins based on e-mail address. After user information is imported into the LDAP server on the MailFrontier system, it is automatically updated. New users added to the directory in Windows have access to quarantine as soon as they are enabled in the e-mail directory system.

Users can access the quarantine via browser or by downloading an Outlook plug-in. They can then release quarantined e-mail or report spam that got through the filter, plus they can add addresses to the whitelist or blacklist from within Outlook or via the browser. Releasing e-mail automatically whitelists the sender, which is a nice feature.

MailFrontier provides lots of control to the admin and better-than-average reporting tools, with an easy-to-use interface for generating reports and a wide variety of predefined reports available.

Policy management is flexible and easier to configure. There are two spam categories, spam and likely spam, each of which can have a separate response. So, for instance, with an addition to the subject line, you could quarantine spam and mark messages that are likely spam. Users could then report any likely spam they received as spam, which would fine-tune the filters. Each of five categories of spam (sexual content, offensive language, get rich quick, gambling, and advertisements), can have separate settings from mild to strong filtering, and the administrator can choose whether to allow users to release each of those types of messages from quarantine.

MailFrontier provides excellent accuracy, stopping 97.95 percent of all spam --but a couple of critical false positives did slip through. Furthermore, it’s easy to install and import users from Active Directory. The remote installation feature will appeal to admins at large companies who need multiple servers.

Sophos PureMessage 4.6

PureMessage is the only one of these gateways that doesn’t support Windows, installing on AIX, HP-UX, Linux, or Solaris. A Windows version should be available later this year. A year or two ago, this would have meant a much more complex installation. Today, though, even Windows admins who have installed Red Hat Linux a time or two should be comfortable installing PureMessage in front of their Exchange or other e-mail server. Linux shops will be satisfied with a high-performance, easy-to-install package.

After I installed Red Hat 9, the PureMessage documentation clearly showed me where the two additional required libraries, libstdc++ and glibc, were located. The PureMessage installer is simple and easy to run, and includes all other packages (your choice of sendmail or postfix), and either the CDB or PostgreSQL databases for quarantine.

PureMessage can either quarantine spam or modify the subject line to highlight likely spam. The documentation has a nice, clear example of how to set up a filter in Outlook to move marked spam to a junk folder. There is no plug-in for Outlook, however, so users cannot release e-mail directly from the e-mail app. Instead, they must access the browser interface to release mail from quarantine or add to their whitelist or blacklist. If the quarantine is enabled, spam can be released and added to the whitelist simultaneously. If it’s not, users may easily access suspected spam from a folder via e-mail program but must then take two manual steps to add false positives to their whitelists or spammers to their blacklists. Controls to allow users to change filter settings are granular and easy to set up.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies