Feature checklist

Nearly all AV engines use a combination of signatures that are constantly updated by the vendor, along with heuristics that attempt to identify dangerous attachments that aren't caught by the signatures database. Anti-spam techniques include sender reputation, based on the vendor's database of IP addresses known to be sending spam; certain TCP/IP tricks such as requesting a resend of the message (legitimate mail servers will resend, while most spam engines don't); heuristics of many different varieties; and a host of other specialized techniques, including such oddities as employing optical character recognition to identify image-based spam that doesn't use conventional text in the message. Filtering and spamming techniques evolve through a constant battle between the anti-spam vendors and spammers, who are desperately trying to slip their ads past the filters. Because the spammers are commercially motivated to bypass new heuristic techniques quickly, many vendors are relying more on reputation-based filtering.

While anti-virus and anti-spam are the essence of mail security, there are a number of other features you should expect to find in all e-mail security appliances. These include:

• Policies that can be set per user, per group, or per site to control when users can send and receive mail, to whom, whether whitelists or blacklists can be modified by users or admins, which types of attachments are allowed on incoming and outgoing mail, and so on.

• Support for multiple domains or back-end mail servers.

• "Outbreak" anti-virus, which is designed to snare viruses for which signatures don't yet exist. Outbreak AV filters typically stop messages that have the characteristics of a virus, such as an executable attachment or a suspicious origin, then review them over the next 24 or 48 hours to see if a signature appears; if not, they notify the user or admin to inspect the message and release or delete it.

• Secure content management features that examine outbound messages for specific phrases, types of files, or specific file names, and log or quarantine them for review.

• LDAP/Active Directory synchronization.

• DoS protection, which blocks repeated attempts to ping, send connection request, send directory request, send user verification, or basically any type of request for a response from the server that exceeds a certain frequency threshold, such as more than 100 pings per minute from a particular IP address.

• Directory harvest protection, which is designed to thwart attempts to send messages to all possible addresses on a mail server. By discovering which addresses are not rejected, so-called directory harvest attacks attempt to build a database of valid addresses. To combat this, when the appliance sees a large number of messages going to invalid addresses, it either throttles the connection (limiting the sender to one message per minute, for example) or blocks that IP address entirely.

• Address verification, to block e-mails sent to nonexistent users, and the ability to use reverse DNS to verify that a sender's IP address matches the sender domain. The use of reverse DNS thwarts phishing attacks by preventing forged e-mail from getting through.
  Page:

  • 1
  • 2
  • 3
  • 4
  • 5
  • < previous
  • next >
  Computerworld Buyer's Guide - Vendors Matched to this Article

  Unixpac , Citrix , HAL Data Services , Dimension Data , Trend Micro , Hewlett-Packard , SafeNet , Revelation Software , GFI , SonicWALL , nCircle , Sagem , NetIQ , Secure Computing , Red Hat , MessageLabs , CA , 3Com
  More about PGP, Symantec, Secure Computing, Tumbleweed Communications, Proofpoint, IronPort, Red Hat, BorderWare, Citibank, Microsoft, Mirapoint, Evolve, Barracuda Networks, ACT, V7, PLUS, Cisco Systems, Cisco, Gateway, Linux