Appliances offer more than spam defense

While spam continues to be a problem, consuming network bandwidth and users' time, it is not the only security issue facing e-mail administrators. DHAs (directory harvest attacks) try to find valid e-mail addresses by sending random e-mails to thousands or millions of possible users at a domain; phishing scams try to collect users' log-in information with phony eBay or Amazon.com update messages; users send or receive e-mail with objectionable content -- or share information that shouldn't be released outside the company.

Recognizing these growing threats, anti-spam appliances are moving beyond spam protection. I tested two devices, Proofpoint Protection Server and Symantec Mail Security, both of which provide excellent anti-spam performance and help to secure your e-mail systems against other risks. The appliances offer drop-in simplicity of installation and excellent integration with any e-mail server already in use, and they help enforce e-mail policies, ensure regulatory compliance, and stop the transmission of proprietary data.

Pricing on these products can be difficult to figure out, but it's an important consideration. Proofpoint offers three different appliance models; Symantec, two. Additional per-user, per-year costs for subscriptions vary with the number of users and the features enabled. Symantec comes out as the price leader in all of the per-user, per-year costs, especially because their content filtering, e-mail firewall, and regulatory compliance features are included in the base price. At 5,000 users, the cost per user, per year for all features is $10.37 for Symantec, and $57.56 for Proofpoint.

Cutting false positives

Performance in anti-spam filtering is measured in two areas: the percentage of spam caught and the number of false positives. There are two types of false positives -- bulk e-mails and critical false positives, which are e-mails that end-users need to see but are erroneously tagged as spam.

Both the Proofpoint and Symantec products produced excellent statistics, with better than 95 percent of spam caught and no critical false positives out of more than 8,000 messages processed. Each had a few -- three for Proofpoint, four for Symantec -- bulk false positives, but these were relatively unimportant; bulk e-mails tend to repeat and are thus easily whitelisted, a task users can do for themselves. The zero critical false positive rate is much more important than the catch rate because too many critical false positives negate productivity gains by forcing users to sort through quarantined files for e-mails they need.

Both appliances can quarantine spam, throw the message away, or mark message headers to indicate that the messages are definitely or probably spam. This allows for differing responses based on spam-confidence levels -- you could throw away messages with high confidence and quarantine ones that are probably spam, while allowing the rest through into the user's inbox.

Featurewise, the two appliances are well-matched. Both products have flexible policy-based engines for dealing with e-mails that violate rules relating to language -- explicit, harassing, or vulgar language, or messages containing words or phrases that shouldn't be discussed with anyone outside the company -- or the sending of documents that shouldn't leave the company.

Symantec has a slight edge in its range of responses to violations, but either system will make security officers happy. Both Proofpoint and Symantec also offer granular and flexible role-based administration to allow auditing of e-mails that have been stopped due to policy violations.