Test Center guide: Mail security appliances
Mail security solutions differ in anti-spam techniques, accuracy, false positive rates, and ease of setup and administration. We compare Barracuda, BorderWare, Cisco IronPort, Mirapoint, Proofpoint, Secure Computing IronMail, Sendio, Symantec, and Tumbleweed
Lots of bulk e-mail doesn't comply with the CAN-SPAM Act, which requires that the "from" address and sending domain match, among other things – so that mail from firstname.lastname@example.org comes from a server in the xxx.infoworld.com domain. Many organizations outsource their bulk e-mailing to third parties, who don't bother to set up the domains correctly. For example, a bulk e-mail (newsletter) from Secure Computing Magazine has a sender address that isn't SCmagazine.com, or even haymarketmedia.com, but email@example.com. In other cases, e-mail newsletters from legitimate senders such as infoworld.com come from a different address each time. Thus, you need to whitelist the domain rather than the individual sender, which creates the potential for spam that merely appears to come from that domain to get through.
Some administrators may attach minimal importance to whether or not users can receive bulk e-mail, but some of these messages include security updates from vendors such as Red Hat and Microsoft. Personally, I think the problem is solvable in other ways, since other products match the catch rate while blocking far fewer legitimate bulk messages. A couple of products offer two levels of filtering: They classify messages as spam, bulk mail, or legitimate, rather than simply spam or legitimate, allowing users to sort bulk e-mails into a folder for occasional perusal.
In terms of installing a system that will have a minimal impact on end-users, the rate of false positives is more important than the catch rate for spam. If users find they aren't receiving messages they're expecting, they'll spend as much or more time looking through the quarantine than they would deleting spam in the first place.
Similarly, some anti-malware products may stop programs that exhibit behaviors similar to adware, even if the user wants the service that comes with the program. In these cases, management will have to make the call as to whether users should be able to whitelist these programs themselves or whether they will have to go through the administrator. The latter gives the admin better control, but may leave them handling dozens or hundreds of requests, depending on the number of users and how stringent the filtering rules are.
One differentiator among appliances is the ease of configuration and maturity of the interface. LDAP configuration is particularly problematic. All the devices tested could import information from Active Directory or other enterprise directory servers to verify that incoming mail is addressed to valid recipients. However, depending on the product, LDAP setup could be a matter of a few clicks, or a long and involved process of trial and error to get the syntax of the LDAP queries correct.
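As an added illustration (not from the article or from any of the products reviewed), this is the shape of the recipient-verification query such an appliance runs against Active Directory. The address comes straight from the SMTP RCPT TO command, so it is untrusted input and is validated and RFC 4515-escaped before it is placed in the filter; `mail` and `proxyAddresses` are standard AD attributes, the directory entries are constructed samples, and `is_valid_recipient` is an offline stand-in for the server round-trip.

```python
import re

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# Conservative syntax check applied before escaping (defense in depth).
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def recipient_filter(address: str) -> str:
    """Build the AD filter matching a user whose primary (mail) or secondary
    (proxyAddresses, 'smtp:' prefixed) SMTP address equals `address`.
    Raises ValueError on malformed input so garbage never reaches the server."""
    if not _ADDR_RE.match(address):
        raise ValueError(f"malformed recipient address: {address!r}")
    esc = ldap_escape(address)
    return f"(&(objectClass=user)(|(mail={esc})(proxyAddresses=smtp:{esc})))"

# Constructed sample directory entries, not real accounts.
DIRECTORY = [
    {"mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    {"mail": "bob@example.com", "proxyAddresses": ["SMTP:bob@example.com"]},
]

def is_valid_recipient(address: str, directory=DIRECTORY) -> bool:
    """Offline stand-in for running recipient_filter() against AD. AD compares
    these attributes case-insensitively, so both sides are lower-cased."""
    try:
        recipient_filter(address)  # validates; the real code would send this
    except ValueError:
        return False
    want = address.lower()
    for entry in directory:
        if entry.get("mail", "").lower() == want:
            return True
        if any(p.lower() == f"smtp:{want}" for p in entry.get("proxyAddresses", [])):
            return True
    return False
```

Getting this one filter right (and keeping it safe against hostile RCPT TO values) is the "syntax of the LDAP queries" step the article describes.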