Mirapoint RazorGate returns spam to senders

MailHurdle technology rejects unwanted messages before they hit mail servers

After reviewing a half-dozen anti-spam products, I’m starting to take for granted that they’ll screen out about 95 percent of spam with few or no critical false positives. A number of vendors are now shifting their efforts from improving spam filtering to developing products capable of immediately rejecting unwanted e-mail messages before they’re filtered.

Case in point is Mirapoint: The company has incorporated a technology called MailHurdle into its line of RazorGate e-mail security appliances. MailHurdle is capable of stopping 60 percent or more of spam before it’s even delivered. This technology by itself will not necessarily produce better spam-filtering results, but it reduces the number of messages the filters have to handle, lightens the load of internal traffic on the network, and increases message-delivery speeds.

MailHurdle employs a variety of SMTP protocol-level techniques to verify both the recipient and sender of messages. To verify the recipient, the RazorGate uses a directory-based lookup of the recipient address and rejects messages not addressed to real users. This defends against spammers’ directory-harvest attacks as well as bulk e-mail sent to random lists of users.

To verify the sender, MailHurdle looks at the originating IP address and the From and To addresses in the message. If a particular recipient hasn’t previously received a message from the sender’s IP address, MailHurdle sends a temporary failure message back to the originating mail server using a standard SMTP failure code. If the originating mail server is a bulk e-mail system, it will generally not resend the message. Viruses using raw SMTP to send messages will also not retry.

If the message is legitimate, the originating mail server will quickly retry sending the message, at which point it’s allowed through the gateway. (According to Mirapoint, there’s one old version of GroupWise that may not properly retry unless it’s patched, but every other e-mail server the company has found supports this SMTP command.)

Delivery Denied

I witnessed the benefits of MailHurdle first-hand during my test of the RazorGate system at California Polytechnic State University, San Luis Obispo (aka Cal Poly). I opted to assess the RazorGate there rather than running my usual live test, because seeing the system statistics in a real-world, 10-month deployment would make up for the slight loss of control.

There are three versions of the RazorGate: the RazorGate 100, geared for small and midsize businesses; the 300, aimed at midsize to large organizations; and the high-end 450, targeted at the enterprise. (I reviewed the 450, formerly called the Mirapoint MD450, in 2003. The university deployed two RazorGate 450s in a clustered system last May. Since then, the system reduced the number of messages the filters had to handle from 400,000 or more per day to slightly more than 100,000 per day. The user-verification feature also reduced loads on the servers; by dropping e-mail addressed to nonexistent users, the queues of outgoing “user unknown” messages were eliminated.

Of the messages that did reach the filters, 97 percent of the spam was caught, and there were no critical false positives and 0.01 percent noncritical false positives.

Simple Yet Sophisticated

While at Cal Poly I participated in deploying a RazorGate 100, which the university will eventually use for a separate S/MIME e-mail system.

Deploying the RazorGate 100 proved simple. We used a serial console and setup wizard for the initial network configuration, and then a clean, straightforward browser with an additional wizard to complete the process.

The appliance’s management features and reporting tools are good; the solution supports LDAP for user lookups and verification. Management of anti-spam functionality is as granular as you like: The administrator can set one policy for the entire domain and allow or forbid user access to quarantine, whitelist, blacklist, and other anti-spam criteria.

The RazorGate also supports policy enforcement on incoming and outgoing messages, looking for inappropriate language, proprietary information, and attached files that meet proscribed patterns. Mail that matches a certain pattern can be blocked or a copy can be saved for inspection.

In addition to providing anti-spam and anti-virus capabilities, the RazorGate functions as a POP proxy, an intermediary between the user and the back-end e-mail server where e-mail is actually stored. The RazorGate also provides Web access to e-mail.

One component that was not yet installed at Cal Poly is Mirapoint’s Rapid Anti-Spam technology. The technology is based on CommTouch RPD (Recurrent Pattern Detection), which uses recurrent pattern detection and a data analysis center to collect e-mail from all over the world and find bursts of messages with similar or identical content.

Rapid Anti-Spam uses a hash of the message to determine how many similar messages are being found on the global network. It detects viruses and spam bursts very quickly; the more messages and the wider the distribution, the quicker the detection.

The Rapid Anti-Spam technology has remained stable in detection rates over several years, as opposed to spam-filter technologies such as heuristics, keywords, and Bayesian, which drop off in effectiveness after 12 to 18 months.

The Mirapoint RazorGate’s overall detection rate of 97 percent is a couple of points higher than the usual I’ve seen during the past year, and the zero critical false-positives rate is now standard. However, the appliance’s ability to reject a large portion of spam without having to filter it is unique in my experience. With anti-virus and policy enforcement, excellent reporting tools, and enterprise-class, multidomain management tools, there’s little left to look for in an e-mail security appliance.

InfoWorld Scorecard
Scalability (20.0%)
Manageability (30.0%)
Setup (10.0%)
Value (10.0%)
Effectiveness (30.0%)
Overall Score (100%)
Mirapoint RazorGate 10.0 9.0 9.0 9.0 9.0 9.2