Spam defenses get shot in the arm from Immunity 2.0

Cloudmark software integrates well with Exchange, but beware complex setup process

Most of the anti-spam products I've reviewed recently have been appliances. Although appliances are simple to install and set up, it's often less expensive to buy anti-spam software and install it on existing systems.

For larger organizations that already have SQL servers and either sendmail/Postfix servers on Linux or Exchange servers on Windows, products such as Cloudmark's Immunity 2.0 offer considerable financial advantage. Immunity comes in at about $1.50 per user per month for 1,000 users, compared to an average appliance's cost of $3,000 and up, depending on the number of users.

Immunity 2.0 requires both an SMTP e-mail server and a SQL server. There are specialized versions for Windows and Linux; I received the Red Hat ES (Enterprise Server) 3.0 version. Immunity performed well, stopping almost 95 percent of spam with zero critical false-positives and a noncritical false-positive rate of 1.5 percent.

Config Questions

Installation preliminaries caused me more headaches than the installation of Immunity itself. For some reason, Red Hat no longer includes the MySQL server with its ES release (despite it being included with ES 2.1 and Red Hat Linux 9), so I was stuck without one of the required elements.

Thankfully, after I got sendmail properly installed, along with an appropriate version of MySQL, everything went smoothly and quickly. Immunity's basic configuration is straightforward, with few options other than the Exchange plug-in.

Immunity uses a data collection and distribution network (SpamNet) to collect data from thousands of organizations and classifies messages according to a spectrum of parameters including originating server, domain, subject, content, and more. SpamNet is available from multiple vendors, and some other anti-spam vendors, such as Brightmail, offer similar networks.

The quarantine option holds suspected spam on the Immunity server. (It's actually stored on the SQL server, which may or may not be the same server as the Immunity server.) With the Exchange plug-in, e-mail is delivered to a spam folder in each user's e-mail directory. Users release incorrectly classified messages by dragging them to the inbox and classify missed spam by dragging it to the spam folder.

Either action adds the e-mail to the Immunity filter's classification engine, not as a simple whitelist entry, but as a more sophisticated entry that considers the originating domain and sender, subject, message contents, and more. Messages from a given domain may still be filtered out if they meet other spam criteria, even if some previous messages from that domain have been approved.

Immunity evaluates whether the scope of the user feedback should apply to only the individual or to the entire organization. By default, the software is conservative and applies the feedback only to the particular user who released the message from quarantine or added it to the spam folder. But once enough feedback has come in from multiple users, it's applied organizationwide -- an extremely useful feature I haven't seen in other anti-spam solutions.

Clearly, the directory plays a big part in all this. Immunity can use LDAP to connect to existing directories (including Active Directory), or it can create a new LDAP server to hold user information. Either option allows individuals in organizations not using Exchange to access their quarantined messages via a Web browser. It would be nice if you could save quarantine search criteria, too.

One minor quibble: The default action in quarantine review is to delete rather than release the message. I accidentally deleted a couple of quarantined messages rather than releasing them; fortunately, they were only newsgroup messages, as there is no way to recover deleted messages. This behavior should be fixed in the next patch release.

The Immunity administrator can create group policies that allow some users to submit feedback on false positives or missed spam and others to release messages but not affect other users. The administrator can also alter already-submitted feedback, changing its scope or removing it so it doesn't affect filtering.

Balancing Costs

In my testing, Immunity 2.0 stopped 94.89 percent of spam, with zero critical false positives and 1.5 percent noncritical false positives (newsletters, marketing messages from selected vendors, OS and hardware updates, and so on). These levels -- about a 95 percent catch rate, zero critical false positives -- are virtually the standard for anti-spam solutions.

Immunity's noncritical false-positive rate is a little higher than average, but dropped off to almost zero after training. According to Cloudmark, users who implement the Exchange plug-in (which provides feedback on spam missed as well as false positives) or who use the alternative, Immunity's somewhat-cumbersome missed-spam reporting tool, will also see some improvement in spam-filtering performance.

Users on systems other than Exchange get this performance benefit only by using the Immunity feedback tool, which is limited to the administrator (users cannot provide feedback on their own). This puts non-Exchange users at a disadvantage in the continuous improvement of filtering via feedback.

Immunity isn't intended to be used as a mail gateway; it's built to integrate with an existing e-mail infrastructure, whether Linux-based or Exchange-based. Within those parameters, it's reasonably easy to install and configure.

If an organization previously installed SQL and SMTP servers, Immunity will serve it well as an anti-spam engine. It's especially attractive for Exchange users, because the Exchange plug-in offers a very simple way for all users to review their own quarantined messages and provide feedback. However, Immunity's installation and setup are less than easy, and you need to invest some time in training to see an improvement in performance.

InfoWorld Scorecard
Value (10.0%)
Performance (25.0%)
Setup (20.0%)
Ease of use (20.0%)
Manageability (25.0%)
Overall Score (100%)
Cloudmark Immunity 2.0 9.0 8.0 7.0 8.0 8.0 7.9