IBM ISS goes fishing for phishers

There’s just no stopping it: Spam continues to get worse, and more of it is now targeted at obtaining financial or corporate information rather than just selling herbal remedies or porn. Phishing, or trying to get users to go to Web sites that seem legitimate but are actually forgeries intended to capture users’ information, is an increasing threat, too.

Internet Security Systems, now owned by IBM, is attempting to take on both of these plagues and more. The Proventia Network Mail Security System MS3004, version 1.0 appliance I tested provides e-mail security (including anti-virus, anti-spam, and anti-phishing capabilities), a firewall, intrusion prevention, and an SMTP server. The appliance format makes it easy to set up, and it does a good job on the IPS front, but I found that the MS3004’s anti-spam abilities weren’t as solid as those of other solutions I’ve reviewed.

Focus on phishing

Click for larger view.

The MS3004’s anti-phishing capability is potentially very useful. If it detects a phishing attempt, the appliance puts a “Fraudulent Message” alert at the top of the e-mail. It also marks the message as spam so that it will be quarantined, but it ensures that even if users open the message in quarantine, they should have warning that the message is not legitimate. Most products don’t label spam and phishing separately, so this is a nice touch on ISS’s part.

Unfortunately, if the message is not caught as spam, it is usually not caught as a phishing attempt either. For example, out of 151 fraudulent PayPal messages received during testing, 148 were marked as spam and with the “Fraudulent Message” phishing warning. The three that were not caught as spam were also not marked as phishing attempts.

Similarly, out of 43 fraudulent Bank of America phishing attempts, 42 were caught as spam and flagged with the phishing warning, and one was neither labeled as spam nor with the warning. Because the phishing filter does not catch all phishing attempts, users may incorrectly assume that messages not caught are legitimate e-mails.

The anti-spam catch rate was 91 percent, which is average, but the critical false positive rate was among the worst I’ve seen in the past couple of years, at 0.16 percent. By contrast, the best products had a false positive rate of 0.01 percent. The noncritical false positive rate was moderate, at 1.4 percent. Anti-virus filters worked fairly well, missing only three out of 219 viruses received.

Almost plug-and-go

The MS3004 is easy to install and configure. Initial network setup can be done via the front-panel LCD, a serial terminal, or a browser pointed at the default IP address. The rest of the configuration is done via browser, and the layout is clean and easy to navigate. I did, however, find the Java-based tools slow — working on a 3.4GHz workstation with 2GB of RAM, I experienced delays as long as five-seconds after clicking an item through either Firefox or IE7.