Choices in mail security
Choosing an appliance means more than selecting the highest filtering rate. The easiest way to stop all viruses and spam is to stop all mail; the trick is to stop as much of the bad mail as possible without stopping any of the good mail. This has gotten much harder over the years. Because the spoils belong to spammers who get their message through, spam evolves quickly to bypass new filtering paradigms. As with anti-virus technologies, spam is a moving target, requiring constant updates to filtering rules.
You may also find that you and some vendors disagree on what constitutes spam or malware. A number of the vendors -- Barracuda Networks, BorderWare, Mirapoint, Proofpoint, Secure Computing, and Sendio -- stopped many marketing e-mails and other types of bulk e-mails that users may have signed up for, leaving it to the individual user to add senders to the whitelist. Because all of the messages that were blocked were messages I'd signed up for -- product updates, newsletters, weekly specials from vendors I use, and so on -- they were all counted as false positives. However, I also whitelisted each bulk e-mail when it was stopped, so the bulk false-positive total represents the number of unique senders that were stopped; no duplicate bulk e-mails were counted as spam.
Lots of bulk e-mail doesn't comply with the CAN-SPAM Act, which requires that the "from" address and sending domain match, among other things -- so that mail from xxx@infoworld.com comes from a server in the xxx.infoworld.com domain. Many organizations outsource their bulk e-mailing to third parties, who don't bother to set up the domains correctly. For example, a bulk e-mail (newsletter) from Secure Computing Magazine has a sender address that isn't SCmagazine.com, or even haymarketmedia.com, but bull_05_sc_01112006@ecm.hbpl.co.uk. In other cases, e-mail newsletters from legitimate senders such as infoworld.com come from a different address each time. Thus, you need to whitelist the domain, rather than the sender, which creates the potential for spam that is apparently from that site to make it through.
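The whitelisting trade-off described above, as an added example that is not part of the original article: three allowlist policies compared over constructed messages (exact sender, From domain, and From domain honoured only when the envelope sender in Return-Path falls inside the same listed domain). It assumes the gateway itself writes a trustworthy Return-Path header; the list contents and every address other than the article's own are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

SENDER_ALLOW = {"news-0412@infoworld.com"}          # constructed: one approved address
DOMAIN_ALLOW = {"infoworld.com", "ecm.hbpl.co.uk"}  # domains named in the article

def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def _within(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def verdicts(raw):
    """Return (by_sender, by_domain, by_aligned_domain) allowlist decisions."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_dom = _domain(msg.get("From"))
    env_dom = _domain(msg.get("Return-Path"))
    listed = next((d for d in DOMAIN_ALLOW if _within(from_dom, d)), None)
    by_sender = from_addr in SENDER_ALLOW
    by_domain = listed is not None
    # Honour the domain entry only if the envelope sender is in the same listed domain.
    by_aligned = by_domain and _within(env_dom, listed)
    return by_sender, by_domain, by_aligned

# Constructed sample messages (headers plus a stub body).
ROTATING = ("From: news-0419@infoworld.com\n"
            "Return-Path: <bounce@mail.infoworld.com>\n\nnewsletter")
FORGED = ("From: deals@infoworld.com\n"
          "Return-Path: <x91@bulk.example.net>\n\nnot from infoworld")
OUTSOURCED = ("From: bull_05_sc_01112006@ecm.hbpl.co.uk\n"
              "Return-Path: <bull_05_sc_01112006@ecm.hbpl.co.uk>\n\nnewsletter")

if __name__ == "__main__":
    for name, raw in [("rotating", ROTATING), ("forged", FORGED),
                      ("outsourced", OUTSOURCED)]:
        print(name, verdicts(raw))
```

The sender-only list misses the newsletter whose address changes each issue, the plain domain list passes the message that merely claims infoworld.com, and the aligned check accepts both legitimate newsletters while sending the mismatched one back through normal filtering.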
Some administrators may attach minimal importance to whether or not users can receive bulk e-mail, but some of these messages include security updates from vendors such as Red Hat and Microsoft. Personally, since other products match the catch rate while blocking far fewer legitimate bulk messages, I think the problem is solvable in other ways. A couple of products offer two levels of filtering: They classify messages as spam, bulk mail, or legitimate, rather than either spam or legitimate, allowing users to sort bulk e-mails into a folder for occasional perusal.
In terms of installing a system that will have a minimal impact on end-users, the rate of false positives is more important than the catch rate for spam. If users find they aren't receiving messages they're expecting, they'll spend as much or more time looking through the quarantine than they would deleting spam in the first place.
Similarly, some anti-malware products may stop programs that exhibit behaviors similar to adware, even if the user wants the service that comes with the program. In these cases, management will have to make the call as to whether users should be able to whitelist these programs themselves or whether they will have to go through the administrator. The latter gives the admin better control, but may leave them handling dozens or hundreds of requests, depending on the number of users and how stringent the filtering rules are.
One differentiator among appliances is the ease of configuration and maturity of the interface. LDAP configuration is particularly problematic. All the devices tested could import information from Active Directory or other enterprise directory servers to verify that incoming mail is addressed to valid recipients. However, depending on the product, LDAP setup could be a matter of a few clicks, or a long and involved process of trial and error to get the syntax of the LDAP queries correct.