Appliances offer more than spam defense

Proofpoint, Symantec devices protect against directory harvest, phishing attacks

While spam continues to be a problem, consuming network bandwidth and users' time, it is not the only security issue facing e-mail administrators. DHAs (directory harvest attacks) try to find valid e-mail addresses by sending random e-mails to thousands or millions of possible users at a domain and noting which ones are not rejected; phishing scams try to collect users' log-in information with phony eBay notices or account update messages; users send or receive e-mail with objectionable content -- or share information that shouldn't be released outside the company.

Recognizing these growing threats, anti-spam appliances are moving beyond spam protection. I tested two devices, Proofpoint Protection Server and Symantec Mail Security, both of which provide excellent anti-spam performance and help to secure your e-mail systems against other risks. The appliances offer drop-in simplicity of installation and excellent integration with any e-mail server already in use, and they help enforce e-mail policies, ensure regulatory compliance, and stop the transmission of proprietary data.

Pricing on these products can be difficult to figure out, but it's an important consideration. Proofpoint offers three different appliance models; Symantec, two. Additional per-user, per-year costs for subscriptions vary with the number of users and the features enabled. Symantec comes out as the price leader in all of the per-user, per-year costs, especially because their content filtering, e-mail firewall, and regulatory compliance features are included in the base price. At 5,000 users, the cost per user, per year for all features is $10.37 for Symantec, and $57.56 for Proofpoint.

Cutting false positives

Performance in anti-spam filtering is measured in two areas: the percentage of spam caught and the number of false positives. There are two types of false positives -- bulk e-mails and critical false positives, which are e-mails that end-users need to see but are erroneously tagged as spam.

Both the Proofpoint and Symantec products produced excellent statistics, with better than 95 percent of spam caught and no critical false positives out of more than 8,000 messages processed. Each had a few -- three for Proofpoint, four for Symantec -- bulk false positives, but these were relatively unimportant; bulk e-mails tend to repeat and are thus easily whitelisted, a task users can do for themselves. The zero critical false positive rate is much more important than the catch rate because too many critical false positives negate productivity gains by forcing users to sort through quarantined files for e-mails they need.

Both appliances can quarantine spam, throw the message away, or mark message headers to indicate that the messages are definitely or probably spam. This allows for differing responses based on spam-confidence levels -- you could throw away messages with high confidence and quarantine ones that are probably spam, while allowing the rest through into the user's inbox.

Featurewise, the two appliances are well-matched. Both products have flexible policy-based engines for dealing with e-mails that violate rules relating to language -- explicit, harassing, or vulgar language, or messages containing words or phrases that shouldn't be discussed with anyone outside the company -- or the sending of documents that shouldn't leave the company.

Symantec has a slight edge in its range of responses to violations, but either system will make security officers happy. Both Proofpoint and Symantec also offer granular and flexible role-based administration to allow auditing of e-mails that have been stopped due to policy violations.

To stop DHAs, the appliances can import user information from Active Directory, Exchange, Notes/Domino servers, or standard LDAP directory servers. They can also reject e-mail addressed to invalid users.

Symantec provides a very simple, easy-to-use directory synchronization function that uses auto-discovery and auto-fill-in to reduce the necessary steps for synchronizing to just one: entering an administrator log-in and password. It is the easiest directory synchronization tool I've ever used -- although Proofpoint's directory synch isn't too far behind, with only a couple of additional fields to fill in and good documentation of the necessary syntax.

Proofpoint Protection Server v.

Proofpoint Protection Server is available in three versions: a basic version (the Messaging Security Gateway X200) with limited functionality that retails for $1,995, with bundled anti-spam/anti-virus/compliance modules priced at $8,995 a year; the P600, priced at $6,750, with support for 500 users; and the P800, which supports 1,000 to 5,000 users or more, priced at $9,750.

I tested the P800 version, which comes with a content compliance module, but anti-spam, anti-virus, regulatory compliance, and digital asset security modules are each priced separately. (Depending on whether your company has a lot of intellectual property to protect, you may or may not need the regulatory compliance or digital asset security modules.) Performance was excellent, with only three bulk false positives and a catch rate of more than 95 percent.

The Proofpoint appliance is simple to configure, using either a keyboard, monitor, and mouse, a serial console, or a Web browser pointing at the default IP address to configure network settings. After initial configuration has been completed, the rest of the process is done via the clean, clear browser interface.

Importing users from Active Directory, Exchange Server, Lotus Notes/Domino, a file, or an LDAP server to set up DHA prevention and Web mail/quarantine access is straightforward, although setting up an LDAP query through Exchange/AD required some experimenting to get the query and log-in information right. You can allow users to access their own quarantine or limit access to the administrator only, depending on company policy and preference.

The system sends an e-mail digest of the quarantine either to the administrator or to each user; the user can click on links in the e-mail to release a message, whitelist the sender, or delete the message. Releasing a message from quarantine is separate from designating a safe sender -- releasing a message doesn't automatically add the sender to the whitelist, which means another step for the admin. There is also no way to view the message body from the digest, either inline or by clicking a link, so if you can't tell from the sender or header whether the message is spam, you have to open the quarantine through the browser, log in, and search for the message.

The e-mail firewall has a flexible policy engine that can limit the rate at which SMTP messages are accepted, based on the IP address of the sender or the spam score of the messages received from that address in the past. The policy engine has several different dictionaries, which allow you to set differing policies for potentially offensive language, phishing attacks, or words or phrases that might indicate leaks of proprietary data, using a custom dictionary. You can also scan for attachments -- either by type (extension) or by name -- and quarantine messages or forward them to a policy auditor, as desired.

With all these granular settings, and apart from its higher price and relatively minor management quirks, Proofpoint Protection Server is a solid e-mail security system.

Symantec Mail Security 4.1.1-3

The Symantec Mail Security appliance is available in two versions, the 8240 (which I tested) and 8260, priced at $1,995 and $4,995, respectively. Content checking and e-mail security features are included in the base price; anti-spam and anti-virus functionality are priced per user, per year. With a spam catch rate of more than 97 percent and four false positives, all bulk, this appliance's performance is outstanding.

The appliance is easy to install, with initial network configuration accomplished via either a keyboard, monitor, and mouse, a serial terminal, or a browser using the default IP address. Basic configuration is easily done via the browser interface, which is wizard-driven and includes the simplest directory synchronization I've ever used, with auto-discovery of existing Active Directory, Exchange, or LDAP servers and automatic field fill-in.

The single configuration complaint I have with Symantec Mail Security is that the only way to bypass the strong password requirement is to set the password manually via console. There's no way to uncheck an "enforce strong passwords" box in the browser interface, and the password requirements are a pain, with dictionary checking and minimum character requirements. As an added annoyance, there's no guidance other than a failure message when you try to use a password that doesn't meet the requirements.

Security policies, however, are easy to configure and are very flexible, with a wide range of responses variable by type of policy, user, filter criteria, or incoming/outgoing messages. You can filter messages based on inappropriate content, possible leakage of proprietary data, attachment type, or content, and you can select a different response for different groups of users. For example, you could quarantine messages for one group of users and save a copy for others, drop inappropriate messages, notify an auditor of possible leaked data, and so forth.

For e-mail security, the e-mail firewall can throttle traffic based on sender IPs or based on spam messages, viruses, or DHAs over a threshold of messages per hour. In addition, Symantec can integrate with Exchange via a plug-in to provide a dedicated spam folder, a feature Proofpoint doesn't offer. With this plug-in, users can move messages to and from the spam folder, automatically whitelisting messages moved out and blacklisting ones moved into the folder. This is a simpler process for most end-users, compared with logging in to the appliance through the browser interface.
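The per-sender throttling described here, and the DHA prevention described earlier (rejecting mail to invalid recipients once the user list has been imported from the directory), can be illustrated with a small gateway simulation. The following is an added example, not code from either appliance, and the thresholds, the directory snapshot, and the log format are all assumptions constructed for the demonstration. Each log line records one SMTP transaction as timestamp, source IP, recipient, and the filter's verdict; the tracker counts unknown-recipient attempts and spam verdicts per source IP in a sliding one-hour window and temporarily refuses a source that crosses either limit.

```python
"""Per-source-IP throttling for an SMTP gateway (added example, not vendor code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed directory snapshot standing in for the synchronized user list.
VALID_RECIPIENTS = {"alice@example.test", "bob@example.test", "carol@example.test"}

# Assumed thresholds per source IP within the sliding window.
WINDOW = timedelta(hours=1)
INVALID_RCPT_LIMIT = 5   # unknown-recipient attempts before the source is treated as a DHA
SPAM_LIMIT = 3           # spam verdicts before the source is throttled

# Constructed log: a harvesting source, a legitimate sender, and a spam source.
SAMPLE_LOG = """
2005-03-01T10:00:00 203.0.113.5 aaron@example.test ham
2005-03-01T10:00:01 203.0.113.5 abby@example.test ham
2005-03-01T10:00:02 203.0.113.5 abe@example.test ham
2005-03-01T10:00:03 203.0.113.5 adam@example.test ham
2005-03-01T10:00:04 203.0.113.5 adele@example.test ham
2005-03-01T10:00:05 203.0.113.5 alice@example.test ham
2005-03-01T10:05:00 198.51.100.7 alice@example.test ham
2005-03-01T10:06:00 192.0.2.9 bob@example.test spam
2005-03-01T10:07:00 192.0.2.9 bob@example.test spam
2005-03-01T10:08:00 192.0.2.9 carol@example.test spam
2005-03-01T10:09:00 192.0.2.9 alice@example.test ham
2005-03-01T11:30:00 203.0.113.5 alice@example.test ham
"""


class SenderTracker:
    """Tracks unknown-recipient attempts and spam verdicts per source IP."""

    def __init__(self, window=WINDOW, invalid_limit=INVALID_RCPT_LIMIT, spam_limit=SPAM_LIMIT):
        self.window = window
        self.invalid_limit = invalid_limit
        self.spam_limit = spam_limit
        self.invalid = defaultdict(deque)  # ip -> timestamps of unknown-recipient attempts
        self.spam = defaultdict(deque)     # ip -> timestamps of spam verdicts

    def _expire(self, queue, now):
        # Drop events that have fallen out of the sliding window.
        while queue and now - queue[0] > self.window:
            queue.popleft()

    def decide(self, now, ip, recipient, verdict):
        """Return the gateway's action for one SMTP transaction."""
        self._expire(self.invalid[ip], now)
        self._expire(self.spam[ip], now)
        # A source already over a limit is refused with a temporary failure,
        # so a legitimate sender sharing the address recovers once the window passes.
        if len(self.invalid[ip]) >= self.invalid_limit:
            return "tempfail-dha"
        if len(self.spam[ip]) >= self.spam_limit:
            return "tempfail-spam"
        if recipient not in VALID_RECIPIENTS:
            # Rejecting unknown users is what a DHA probes for; count it per source.
            self.invalid[ip].append(now)
            return "reject-unknown-recipient"
        if verdict == "spam":
            self.spam[ip].append(now)
            return "quarantine"
        return "accept"


def parse_line(line):
    ts, ip, recipient, verdict = line.split()
    return datetime.fromisoformat(ts), ip, recipient, verdict


def run(lines, tracker=None):
    """Replay log lines through the tracker; returns (ip, recipient, action) per line."""
    tracker = tracker or SenderTracker()
    return [(ip, rcpt, tracker.decide(ts, ip, rcpt, verdict))
            for ts, ip, rcpt, verdict in map(parse_line, lines)]


if __name__ == "__main__":
    for ip, rcpt, action in run(SAMPLE_LOG.strip().splitlines()):
        print(f"{ip:<14} {rcpt:<22} {action}")
```

In the replay, the harvesting source is refused on its sixth attempt even though that recipient exists, the spam source is refused after three quarantined messages, and the harvesting source is accepted again once its earlier attempts have aged out of the window.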

Beyond spam

Previous versions of Symantec Mail Security, formerly known as Brightmail Anti-Spam, have consistently rated well in my testing, and this version continues the trend. Proofpoint did slightly better in filtering performance, but Symantec has the edge in ease-of-use and flexibility of configuration.

This is not to say that Proofpoint is hard to use or insufficiently flexible -- both of these products are capable performers, and either should suit any organization looking for power and simplicity. The Symantec appliance wins out with slightly better ease-of-use, a better spam catch rate, and lower pricing, but if you find pricing for Proofpoint that's lower than what we were quoted for this review, you could choose it without fear of missing any features.

InfoWorld Scorecard

                                  Value   Scalability   Setup   Effectiveness   Manageability   Overall Score
                                  (10%)   (20%)         (10%)   (30%)           (30%)           (100%)
Proofpoint Protection Server v.   8.0     8.0           8.0     9.0             8.0             8.3
Symantec Mail Security 4.1.1-3    9.0     8.0           9.0     9.0             9.0             8.8