BorderWare and Proofpoint boxes are both capable spam combatants

MX-200 masters false positives while P800 nails more unwanted messages

When choosing an anti-spam solution, there is always an unfortunate trade-off between effectiveness in filtering out spam and the possibility of misidentifying important messages as spam (known as false positives).

This trade-off is perfectly illustrated by the performance of the BorderWare MXtreme MX-200 and the Proofpoint P800 Message Protection Appliance. In my tests, the MX-200 had zero false positives but stopped only 83 percent of spam. The P800, on the other hand, stopped 94 percent of spam but had 26 false positives, two of which were important messages.

Both appliances are intended to provide a drop-in, low-maintenance solution to e-mail security. The feature sets are complete in both products, including not only anti-spam features, but anti-virus (included in the MX-200 and optional in the P800), content control, and some e-mail-specific intrusion-detection and firewall capabilities. Both also offer substantial reporting capabilities, granular management delegation, and good, all-round e-mail security. The BorderWare device offers additional features aimed at ISPs or large organizations with multiple domains.

Both companies offer several models distinguished by capacity rather than feature set. Due to differing pricing models, an apples to apples comparison of these two products is difficult; and the cost per user varies with the number of users.

BorderWareMXtreme MX-200

The MXtreme MX-200 is a tiny 1U box, though brackets are available to mount it in a standard rack, if you so desire. It has a Celeron 1.2GHz processor, 256MB of RAM, and a 10/100 Ethernet connection, and it runs a hardened version of Linux.

Initial setup is straightforward, but because the box was not supplied with a default IP address, I had to use a keyboard, mouse and monitor for initial setup. After entering the basic network information, I completed the rest of the configuration through a Web browser.

The MX-200 has a wide variety of anti-spam technologies, including: whitelists and blacklists; RBLs (real-time black hole lists), which are lists maintained by volunteers or organizations that identify spammers or potential spammers; a distributed checksum clearinghouse, which looks at data collected from many e-mail servers to identify spam; statistical token analysis, which scrutinizes message content; and several filters that reject improperly formatted e-mail. It also has an optional Brightmailanti-spam engine.

Not all of the filters are enabled by default, and if the Brightmail engine is used, redundant filters are disabled. It is necessary to look through the list of filters and understand what they do in order to set them up correctly; this is not a product that you can simply enable by clicking one button and be on your way.

BorderWare recommends Brightmail as the default. Filtering performance was not exceptional in this configuration with only 83 percent of spam filtered. Tuning the filters should increase that rate. The box’s false positive rate, remarkably, was zero.

The MX-200 provides an e-mail server in addition to the filtering gateway. It offers POP, IMAP, and HTTP access to e-mail, with security through LDAP, RADIUS, or SecurID.

BorderWare’s box does not quarantine spam. By default, it appends “Brightmail spam” to the subject line. The administrator or end-user must then create a filter to move messages with that subject to a spam folder.

The MX-200 offers a set of features that are appropriate for ISPs or large organizations with multiple domains. Among those features are domain aliasing, which can map user names from one domain to another; user aliasing, which maps generic user names like to specific users; custom vacation, delay, and bounce messages; forwarding information for users that have been removed; SMTP security enforcement; rejection of malformed SMTP; and filtering of attachments or undesirable content. BorderWare also provides centralized management software that enables one-stop management of multiple MXtreme systems.

Although the initial cost of the MXtreme appliances are higher than the corresponding Proofpoint appliances, the yearly maintenance costs should be substantially less if you elect to use only the BorderWare anti-spam technologies rather than the Brightmail service.

ProofpointP800 Message Protection Appliance

The Proofpoint P800 is based on a Dell PowerEdge 1750 dual Xeon 2.4GHz rack-mount server with 2GB RAM and dual SCSI disks in a RAID 1 configuration. It provides dual Gigabit Ethernet interfaces and is intended to handle up to 40,000 messages per hour. Lower-end models are available with single processors and less RAM.

The P800 came with a default IP address, so configuration required only that we connect it to the network and starting a browser — no serial terminal or keyboard, mouse and monitor were required. This kind of simplicity carried through the entire process. The Web interface was clean and easy to use, and the default settings were generally fine, with only network configuration information necessary to get the device working. This ease of use extended to areas like content checking, where a default dictionary of objectionable words is provided.

The P800 filtered about 94 percent of spam, with a tolerable false positive rate of 1.6 percent; 24 bulk e-mails and two real messages out of 1,600 good messages were incorrectly identified as spam. According to Proofpoint, the false positive rate will improve over time as the administrator or end-users identify messages as “not spam” and add the senders to the whitelist.

Mail identified as spam is quarantined on the appliance by default, although it can be forwarded with an altered subject line if desired. Each user can access his or her own quarantine. Accounts are generated automatically, so the administrator doesn’t have to manually create log-ins or import access control lists from other directories. Each user can maintain his or her own whitelist and blacklist, in addition to the domain-wide lists the administrator maintains.

The P800 provides a hardened OS and an MTA, which are designed to prevent a variety of attacks, including buffer overrun attacks and host-based intrusions as well as phishing and directory harvest attacks. The delegation of administrative rights is nicely granular. Reports and alerts are comprehensive and can be e-mailed both to users and admins.

Overall, the P800 provides a very simple interface and easy setup, with performance that should make administrators and users happy.

Either of these boxes will reduce the deluge of spam. The MXtreme had great performance on false positives and should get more of the spam after additional tuning.

For its part, the Proofpoint was adept at catching most of the spam and will improve on the false positives as you add to the whitelist. Both will  provide excellent long-term performance, with little effort after the first month’s “training.”

InfoWorld Scorecard
Performance (25.0%)
Ease of use (20.0%)
Manageability (25.0%)
Setup (20.0%)
Value (10.0%)
Overall Score (100%)
BorderWare MX-200 9.0 8.0 8.0 8.0 8.0 8.3
Proofpoint P800 Message Protection Appliance 9.0 9.0 9.0 9.0 9.0 9.0