Stop Spam Now

These 10 anti-spam software solutions can help you stop spam in its tracks, restore lost productivity and save money and time.

Spam is a wildly growing contagion, a blight on the universe, the creation of the most disgusting denizens of the darkest depths known to man. Even with new technologies and techniques for limiting the amount of spam filling your inbox, it's tough to stay ahead.

It's no wonder then that anti-spam software is such a growth industry. Ferris Research estimates that anti-spam software will be installed on as many as 500 million seats by 2008, up from 11 million in 2003. Choosing the right spam control system is ultimately based on many of the same factors as any other IT deployment decision—primarily total cost of ownership and return on investment. What you're really trying to do is save dollars and reduce lost productivity. Here we will examine 10 solutions representative of the burgeoning anti-spam market—all built to filter spam at the server level.

Identify Your Objective
Before you evaluate any specific solution, let's take a high-level view and clarify the ideal goals and techniques of any anti-spam process or technology:

Restrict access to your e-mail addresses: This is one of the strongest and most effective techniques for reducing spam. Limiting or removing a spammer's access to your e-mail identities can stop spam at the source. This is more an issue of internal procedure and policy, so unfortunately none of the current solutions address this. It's important for organizations and individuals alike to have a strong e-mail publication policy and audit and control the addresses published on their Web sites. (For example, the e-mail address I have listed at the end of this article was hit with 200 spam e-mails the day after it first appeared on a Web site.)

Identify the spammers: Limiting who gets access to your e-mail address is difficult, especially when you're battling hordes of spammers with questionable ethics. The next best thing is to identify the senders themselves. Then you can configure an anti-spam solution to block messages coming from particular addresses.

Identify the spam itself: All of the spam-fighting solutions covered here rely on several methods, but they fight spam primarily by detection and isolation. There are a number of specific techniques, including content analysis, keyword recognition, Bayesian filtering and so on. As with identifying spammers, this approach requires a high degree of accuracy and proper configuration to be effective.

Given the general maturity of anti-spam technology and the fact that everyone is working off the same type of script, most of these products boast similar features, with certain nuances and differences in approach. All used some of the more common forms of basic content filtering, blacklists and user configuration. There were differences though; some of them quite dramatic. We'll give you a look at how each anti-spam solution fared with respect to spam signature updates, operational parameters and reporting, identifying spam and identifying the spammers.

Spam Signature Updates
Spammers are smart. They adapt to changes like the roaches they are. A truly effective anti-spam solution needs to have software updates released on a quarterly basis at the very least, preferably more often. What's really important is the vendor's long-term commitment to the quality and capability of its anti-spam filter.

Look for strong and frequent updates to filtering rules, signatures, patterns and lists. I can't stress this point strongly enough. Spam filtering products are only as smart as their last filter or signature update. The best bet is a vendor that automatically keeps your installation refreshed on a real-time basis. Hourly, daily or even scheduled updates are also ideal, as long as the time between updates is relatively short.

MailFrontier's Gateway Server and NetIQ's MailMarshal can be configured for automatic updates or to perform updates on demand. SurfControl boasts a continuously updated spam engine, as does ModusMail with real-time updates. ChoiceMail uses a different system of spam identification that does not require updates—more on that later.

[Figure: MailWasher Server lists quarantined e-mail messages, identifies the sender and lets you know why it blocked the message.]

How It Runs and How It Reports
While we are only focusing on spam control for e-mail in this review, you should also consider other factors, like what exactly can it filter and process? Can it thwart instant messenger spam (known as spim), digital fax spam, short message service spam and so on? Can it detect and eliminate viruses, worms and Trojans? Most of the major anti-virus products have added extended spam-fighting techniques to their virus-control platforms. Given the control inherent to virus regulation, it's a natural fit for those firms to offer comprehensive packages that include spam control.

Continuously applying many different techniques to a huge amount of e-mail can lead to system degradation over time, so the best solution should have low system overhead while providing many different tests to incoming mail. You should place anti-spam controls at strategic locations throughout the network. Here we're considering those that work with mail servers, but the best design is a multimode architecture that layers different types of anti-spam software at different points in the mail transmission path from the server to the user's mailbox.

A spam control system should be easy to use and fix, provide solid reporting and scale appropriately. Most importantly, it must be easy to update. You should establish a practice of continuous testing, tweaking and refinement. The ongoing system operation should account for a significant portion of your overall criteria when selecting a solution.

Scalability and reporting is one area where there were indeed significant differences between these 10 solutions. CMS' Praetor G2 uses Microsoft's MMC for configuration and maintenance. It features an excellent log and log analysis system, a good set of reports and good scalability. ChoiceMail Enterprise is easy to configure and you have a good share of control and responsibility. It scales well, but the lack of reporting capability is a drawback. Similarly, while it's easy to install and configure MailWasher Server, there's no reporting system. MailWasher, however, is very scalable.

GFI's MailEssentials has a well-developed and easy-to-use reporting system that covers the key aspects of anti-spam activity. The filter itself is easily scalable and easy to configure. MailFrontier Gateway Server has an exceptional reporting system and is also easy to scale and configure. Nemx Power Tools is more difficult than the others to configure and has no reports, but it is quite scalable.

[Figure: NetIQ's MailMarshal provides a list of mail management options, including editing whitelists and blacklists.]

NetIQ's MailMarshal is also easily scalable and provides detailed, customizable reporting on all aspects of e-mail activity. It can also drill down from summary levels to individual user activity. You can save and e-mail reports, which provide everything from individual user behavior to bandwidth usage, spam information, virus reports, policy breaches and ROI.

iHateSpam has an exceptional reporting system. Choosing between this and NetIQ's system was virtually impossible. It's also easy to operate and is very scalable. SurfControl has a limited reporting system, but is very easy to operate and scalability is very good. ModusMail is highly configurable, but offers limited reporting.

Spam: Identify Yourself
There are many filtering methodologies to identify spam, but the general rule of thumb is that a variety of techniques at a variety of points in the mail transmission path is best. The stronger the methods used to combat spam, the less spam you will receive and the happier you will be.

The techniques for identifying spam boil down to parsing the bulk of an e-mail message and analyzing the results to decide whether or not the message is spam.

These are the more common techniques:

  • Keyword: This method rejects any message containing single-word or phrase matches. It's easy to set up, but yields many false positives.
  • Pattern matching: This method mixes constant text, like keywords, and variable components, like wildcard characters.
  • Rule-based (heuristic) filtering: One notable advancement over keyword matching is the notion of how those words are used, what they mean and what relationship they have to each other. Rule-based filtering provides enhanced decision-making drawn from advanced rule construction. You can string together several rules to form a decision tree that effectively does multiple-pass filtering on any given message.
  • Signature-based filters: These operate by performing a calculation on each message and comparing it to a database of known spam messages. The actual calculation is called a hash, which is a fixed-length "signature" often computed using an MD5 algorithm. Long messages, those with attachments and even those with lots of embedded HTML code all produce valid hash signatures. However, changing each message slightly and randomly produces a different hash value. Signature filtering has its place, but it's effective only if used in conjunction with other, stronger techniques.
  • Bayesian and statistical filtering: Bayesian-based filtering applies statistical modeling to any form a spam message may take. It breaks a message into component parts (individual words) and applies a frequency analysis. Because it's an iterative process, the spam filter is also constantly updating itself and learning to separate good from bad as mail flows through the system.

The difference in accuracy of statistical filtering over rules-based content filtering is dramatic. If a message from a good sender uses the word free (a heavily-weighted spam word), a blind rules-based filter would bounce it immediately. A Bayesian filter would let it pass since the overall composition conforms to what we would normally receive. Statistical filters are not only very accurate, they're also very efficient. They can adapt to new techniques used by innovative spamming organizations. Bayesian methods are among the highest rated and deserve to be a key component in your quest for a clean mailbox.
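The keyword, signature and Bayesian techniques described above, run side by side on the same messages. This is an added example, not code from any reviewed product; the training mail, test messages and function names are constructed for illustration, and the Bayesian filter is a plain naive Bayes classifier with add-one smoothing.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed training mail (not real messages).
SPAM = [
    "free pills cheap pills order now",
    "win free money now click here",
    "cheap loans free offer click now",
    "order cheap watches free shipping click",
]
HAM = [
    "meeting agenda for the budget review on monday",
    "please review the attached project schedule",
    "lunch on friday the team is free after noon",
    "budget report attached please send comments by monday",
]

def tokens(text):
    """Break a message into lowercase word tokens."""
    return re.findall(r"[a-z']+", text.lower())

def keyword_filter(msg, keywords=frozenset({"free", "cheap"})):
    """Keyword method: flag the message on any single-word match."""
    return any(t in keywords for t in tokens(msg))

def signature(msg):
    """Fixed-length MD5 signature of the exact message text."""
    return hashlib.md5(msg.encode("utf-8")).hexdigest()

KNOWN_SPAM_SIGNATURES = {signature(m) for m in SPAM}

def signature_filter(msg):
    """Signature method: flag only exact matches against known spam."""
    return signature(msg) in KNOWN_SPAM_SIGNATURES

class BayesFilter:
    """Naive Bayes word-frequency filter that learns from labeled mail."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.msgs = {"spam": 0, "ham": 0}

    def train(self, msg, label):
        self.words[label].update(tokens(msg))
        self.msgs[label] += 1

    def spam_probability(self, msg):
        vocab = set(self.words["spam"]) | set(self.words["ham"])
        n_spam = sum(self.words["spam"].values())
        n_ham = sum(self.words["ham"].values())
        log_odds = math.log(self.msgs["spam"] / self.msgs["ham"])
        for t in tokens(msg):
            if t not in vocab:
                continue  # words never seen in training carry no evidence
            p_spam = (self.words["spam"][t] + 1) / (n_spam + len(vocab))
            p_ham = (self.words["ham"][t] + 1) / (n_ham + len(vocab))
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

def build_filter():
    bayes = BayesFilter()
    for m in SPAM:
        bayes.train(m, "spam")
    for m in HAM:
        bayes.train(m, "ham")
    return bayes

# Constructed test messages: good mail that uses "free", and known spam
# with a random token appended so its hash no longer matches.
LEGIT_WITH_FREE = "are you free to review the budget report on monday"
MUTATED_SPAM = SPAM[0] + " xk7q9"

def compare(msg):
    """Return each method's spam verdict for one message."""
    return {
        "keyword": keyword_filter(msg),
        "signature": signature_filter(msg),
        "bayes": build_filter().spam_probability(msg) > 0.5,
    }

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT_WITH_FREE), ("mutated", MUTATED_SPAM)]:
        print(name, compare(msg))
```

The keyword filter flags the legitimate message, the signature filter misses the altered spam, and the statistical filter classifies both correctly because it weighs the whole message.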

All of the solutions reviewed here use multiple filtering methods, but all have one primary method. CMS Praetor G2, MailWasher Server, GFI MailEssentials 10.1 and MailFrontier Gateway Server all use Bayesian filtering.

Nemx Power Tools does subject and header filtering, but no content assessment. NetIQ's MailMarshal uses its heuristic SpamCensor engine.

iHateSpam and SurfControl also use rules-based heuristic filtering, although iHateSpam's is fully customizable. ModusMail does standard content filtering. ChoiceMail Enterprise only provides limited filtering, but that's by design and the means with which it identifies and isolates suspect messages.

Identifying content as spam by whatever method is no longer the primary means of spam control. It has essentially been supplanted by methodologies that identify the spammers, not the message. That's to be expected because improperly constructed content filters or rules are more likely to generate false positives and false negatives.

[Figure: ChoiceMail Enterprise uses a challenge/response filtering method, which assumes every sender is a spammer until you indicate otherwise.]

Bayesian filtering is the best, mostly because it's iterative and adaptable, but that shouldn't be your sole technological criterion. In fact, for this criterion, I gave highest marks to NetIQ's heuristic anti-spam engine. It's functional right out of the box and MailMarshal lets you automatically update its spam patterns and definitions, as well as the SpamCensor engine rules, over the Internet. Generally, any anti-spam filter using Bayesian filtering as its primary method will catch as much as 98 percent of what it identifies as spam. Heuristic anti-spam filters function in the 95 percent range. Both of those results can be improved with constant spam signature updates and careful configuration as you fine-tune the systems.

ChoiceMail's lower score in this category is by design, as they have essentially abandoned the idea of identifying spam by looking at message content. Instead, it uses content filtering as a rough cut, and depends on a challenge/response method of defense. While this type of anti-spam filtering puts more of the onus on the user, it essentially catches 100 percent of all spam. It considers any message as spam until you tell it otherwise. Therefore, only messages from senders you have specifically approved are allowed through.

Ultimately, any of these anti-spam filtering tools are only going to be as effective as the amount of effort you put into configuration and maintaining updates. Being able to set your own filtering parameters will determine how aggressively your filter will examine the flow of spam coming into your inbox. If you find you're receiving a lot of false positives, then you'll need to adjust your settings.

If you're still getting too much spam, it's time to configure your filter to a more aggressive level. These filtering mechanisms—whether heuristic, signature-based or Bayesian—are user dependent, vendor dependent and even DNS blacklist dependent.

Identifying Spammers
Filtering based on the sender or relay identity is becoming more important. Almost all anti-spam solutions have some integrated blacklist (prohibited senders) and/or whitelist (allowed senders) technology. Most vendors pool their blacklist resources and share them over a network to cut down on processing, load and storage resources. These DNS blacklists are part of nearly every solution.

Unfortunately, blacklists can have serious validity problems. Important servers can accidentally find their way on a blacklist, either by mistake or because a spammer may have slipped spam through the gateway, rendering it a "known spammer." Blacklists have no real granularity of control so senders are either blocked completely or allowed without further regard. To get around this, spammers can simply change addresses. Because network-based blacklists are run by outside organizations, the quality of the filtering is only as good as the people who manage the list.

Whitelisting is the opposite of blacklisting. A whitelist identifies good senders that should still be allowed through without filtering. Whitelists are normally better implemented at the user level than at the server level. Challenge and response is another, more cumbersome method to enforce an identity check as part of the initial mail handshake. Current e-mail doctrine is established around an "always allow" philosophy. This means your system assumes any message is not spam unless you tell it otherwise. The challenge and response method assumes everything is spam until proven otherwise. Theoretically, this is a flawless strategy. The largest impediment to quick and complete adoption is that it places a heavy burden on senders, who must validate themselves as legitimate.

CMS Praetor G2 filters mostly at the message level with a DNS blacklist check also available at the SMTP protocol level. It also does other protocol level filtering via the IIS Services Manager, including IP addresses, domain names and sender addresses. You can also create a whitelist. ChoiceMail Enterprise performs challenge/response, permission-based e-mail management. It assumes all incoming mail is spam and only lets it through if the senders are approved.

Firetrust MailWasher Server does connection filtering, real-time blackhole list servers, blacklists and whitelists. GFI MailEssentials 10.1 uses a whitelist, blacklists and DNS blacklist. MailFrontier Gateway Server also uses blacklists, DNS blacklist, third-party DNS blacklisting services and dynamically created whitelists.

Nemx Power Tools does blacklisting and whitelisting, which works well but is somewhat limited compared to the others. NetIQ MailMarshal can use third-party DNS blacklisting services and dynamically created whitelists. It also has anti-relaying capability, securing e-mail servers against relaying by default. (Relaying hides the spammer's identity and effectively frames the company by using its mail servers.)

The rest also use a variety of methods. iHateSpam uses both whitelists and blacklists, as well as its own signature files. SurfControl uses protected domains, trusted IPs, blacklists, reverse DNS lookup, real-time black hole lists and whitelists. ModusMail maintains a user-level blacklist and whitelist, reverse DNS blacklist, real-time blacklisting at the server level, protocol filters, SMTP security, fingerprinting, connection limits and a block scan.

After much consideration, I gave ChoiceMail the highest marks for its unique approach. Nearly all the others use minor variations on the same theme of identifying spammers through a combination of the standard methods. The implementations aren't different enough to be distinguishable.

ChoiceMail follows a different path. Because it initially considers everything spam, it only allows mail from pre-approved senders or those who obtain approval. It populates the list with senders from your existing address book and anyone you e-mail. It also lets you write rules to accept mail from senders not on your whitelist. (For example, if you want to receive e-mail about sailing, you can configure ChoiceMail to accept any message containing the word "sailboat.")

[Figure: Praetor G2 uses a DNS blacklist to filter at the message level or SMTP protocol level.]

ChoiceMail quarantines any unrecognized mail and automatically sends a "registration request" to each unknown sender that directs them to a Web page where they enter their name, e-mail address and reason for contacting you. They must also complete a task, which is easy for a person but impossible for a computer. This process alone eliminates most junk e-mail because spammers cannot respond to the registration request. After that process is complete, you decide whether or not to accept the sender.
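The blacklist, whitelist and challenge/response handling described in this section, modeled as one decision path. This is an added example and not ChoiceMail's or any vendor's code; the class, method names, decision order and sample addresses are hypothetical, and sending one registration request per unknown sender is an assumption of the sketch.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str
    body: str

@dataclass
class PermissionGate:
    """Hypothetical permission-based gate: unknown senders are held
    until they register and the user approves them."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    accept_words: set = field(default_factory=set)    # user-written accept rules
    quarantine: dict = field(default_factory=dict)    # sender -> held messages
    registered: dict = field(default_factory=dict)    # sender -> stated reason
    requests_sent: list = field(default_factory=list)

    def seed_from_address_book(self, addresses):
        self.whitelist.update(a.lower() for a in addresses)

    def note_outgoing(self, recipient):
        # Anyone the user e-mails becomes an approved sender.
        self.whitelist.add(recipient.lower())

    def receive(self, msg):
        sender = msg.sender.lower()
        if sender in self.blacklist:
            return "reject"
        if sender in self.whitelist:
            return "deliver"
        if set(re.findall(r"[a-z]+", msg.body.lower())) & self.accept_words:
            return "deliver"            # matched an accept rule
        if sender not in self.quarantine:
            self.requests_sent.append(sender)   # one registration request
        self.quarantine.setdefault(sender, []).append(msg)
        return "quarantine"

    def complete_registration(self, sender, reason, task_passed):
        """Sender filled in the web form; the human-only task must pass."""
        sender = sender.lower()
        if sender not in self.quarantine or not task_passed:
            return False
        self.registered[sender] = reason
        return True

    def decide(self, sender, accept):
        """User's final call. Returns the messages released to the inbox."""
        sender = sender.lower()
        if accept and sender not in self.registered:
            return []                   # nothing to approve yet; mail stays held
        held = self.quarantine.pop(sender, [])
        if not accept:
            return []                   # held mail is discarded
        self.whitelist.add(sender)
        return held

if __name__ == "__main__":
    gate = PermissionGate(accept_words={"sailboat"})
    gate.seed_from_address_book(["alice@example.com"])
    print(gate.receive(Message("stranger@example.net", "hello there")))
```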

Keep Spam in the Can
There was no single "winner" in this group of 10 anti-spam software solutions, a fairly predictable result given the limited parameters within which anti-spam software has to operate and the overall maturity of the technology. Your determination should be based on a number of detailed factors, rather than major differences in the technology or the approach to spam filtering.

GFI's MailEssentials, MailFrontier's Gateway Server and NetIQ's MailMarshal all scored the highest, with Sunbelt Software's iHateSpam missing the top tier by a narrow margin. GFI has always had a solid reputation. MailFrontier has some of the best documentation in the industry and its Web site is a cornucopia of information. MailMarshal has an exceptional reporting system and its spam identification attributes were the best of the group. The aptly named iHateSpam has an excellent reporting system, is very easy to use and definitely deserves consideration.

DigiPortal's ChoiceMail Enterprise has the most intriguing approach to spam control. It received a low overall score, but only because it lacks a good reporting system. Vircom's ModusMail, CMS' Praetor G2, Firetrust's MailWasher Server and Nemx's Power Tools all have great strengths and are worthy of consideration as you make your decisions.

The war against spam is on. Choose a weapon that suits the requirements of your organization. It's a delicate balance of allowing the messages you need to receive, while keeping the pernicious spam out of your in-box. Consider carefully and choose wisely.

Reader Comments:

Mon, Apr 14, 2008 Jerry CA

I use Gafana.com and find it's the best anti-spam solution ever. No false positives at all and no spam, sure. I've used it for a year already and not going to look for something else. Btw, the price isn't really much - just 30 $ a year.

Sat, Apr 12, 2008 Dave Anonymous

Great article! I use Gafana.com now to prevent spam from coming to my mail and feel totally comfortable about it!

Wed, Dec 14, 2005 Hartley North Carolina USA

Thanks for the article. You covered a lot of products.

I don't usually gush but this is one time I will.
We completed an exhaustive test and evaluation of product last year including all of the big names on your list and settled on MailMarshal.

We designed our install to support faculty, staff, and local and distance students (50,000 users). We currently have over 38k users and growing. MailMarshal's architecture made it easy to meet our 24x7x365 availability requirement. We have a three dual processor server array of which only two are required to meet our service level requirement of 1 million messages per day. We can pull a server out of service during our busiest time of the day with no hit at all to performance. We also needed different rule-sets for each group. Marshal made this a breeze. We have one person responsible for this platform and this was added to his existing Exchange duties. This is a low overhead toolset.

One of the clear differentiators for Marshal was how fast and well the content engine performed. MailMarshal can check the binary of over 180 different file types out of the box - no matter what the extension or name or if nested in compressed files of any type. No more changing file names to get around the acceptable use policy. No other product came close to this performance. Even with this breadth, the Marshal content engine is the fastest we found.

Users create their own white and black lists. They can check attachments safely in the secure portal. These features really lower our administrative burden.

We are ecstatic at how well this product has performed. I wish all our tools worked this well!

Thu, Jul 28, 2005 George Zervo Somerset NJ USA

We use SYMANTEC's BRIGHTMAIL and I have to say I might see one spam email every 3 weeks or so and there is hardly any ADMINISTRATION required. It is simply the best we found that works well with our Exchange 2003 email server. We tried SpamMarshal and found it to be dismal and we did try Barracuda and it did seem to work well but after a while we had an RDNS problem that was never resolved by support. We did try iHateSpam and that did work well as did Cloudmark's product. We were going to try SurfControl's product and StBernard's ePrism but we really just could not try any more after installing BRIGHTMAIL. BTW IRONMAIL offers BRIGHTMAIL on a hardware appliance which is not how we went but I would highly recommend that route. -Geo

Thu, Jul 28, 2005 Andrew UK

We use MIMEsweeper for SMTP v5 from Clearswift and find it rubbish! The number of false positives is way too high.

As a result we are looking at alternatives and have so far tested a few but the best (by quite a distance) is Ironport. It is superb, in the 6 weeks we tested it there wasn't a single false positive and I didn't get one user (out of over a 1000) complain that they had received any spam.

Expensive, but well worth a look!

Thu, Jun 9, 2005 Edward UK

I understand you have just completed a review of products by NetIQ.... Are you aware of the activities of this company... they owned until very recently a business known as "Webtrendslive" a business which loaded tracking software and cookies onto unsuspecting computers and secretly monitored all the activities of the unsuspecting computer user ??? I suggest you check out the activities of this business.... oh and perhaps you could ask them to allow you to publish how to remove the software and cookies they have embedded onto people's computers.... thank you Eddie P

Wed, Mar 23, 2005 Kevin Anonymous

Good Article, about 9 months ago we tested several Anti-Spam solutions, including several in the article, to replace our current one at the time and found Barracuda Spam Firewall to be the winner. It currently filters out about 96% of the incoming email to our company. It lets users manage their own spam settings and they can unblock email sent to them that had been quarantined. With its daily virus and spam definitions I have not seen a virus reach our exchange server. In our case, since it is an appliance with 3 years of support and updates, and not licensed per mailbox it cost less than most of the other products' yearly maintenance. Also when I put it into production in front of our exchange server I watched the utilization drop from 40% - 60% to less than 10%, so much for trying to justify purchasing a new server to replace our current exchange server. It is definitely worth a look www.barracudanetworks.com

Sat, Mar 19, 2005 K.S.Han Australia

Next product you guys would want to test would be Sybari Anti-Spam Defence (ASD) that give 98% detection rate and less than 1% false positive, enterprise level policy and user level policy that unloads the burden of administration of mails in the spam/junk folder. It simply lets users control their own personal quarantine folders. MOST IMPORTANTLY, WHY MICROSOFT BOUGHT THE COMPANY AND THE PRODUCT???? THINK ABOUT IT.

Fri, Mar 18, 2005 Pavan Bangalore

Me too..Rathan..Has saved my email problems and we use Marshal in all our branches.

Fri, Mar 18, 2005 Rathan Bangalore

Guys..I use MailMarshal and eyes closed you can opt for it..It's the best, flexible and most value for money and excellent support too.

Fri, Mar 18, 2005 Barney Anonymous

Great article but my eyes water at the cost of some of those systems! I came across a filter called mxORB last year and liked its functionality, but even more its per server rather than per mailbox license - save me a lot of money which means a happy boss :)

Thu, Mar 17, 2005 Rick Anonymous

We constantly compare products as well as cost. Our current spam rate is at 68%, a huge issue. With the help of GFI Essentials we have eliminated about 60% of that number. No solution is the "one-stop-fix-all" as you pointed out and we thank you for your unbiased comparisons. This should help us do our own comparisons as well.

Tue, Mar 8, 2005 Julio De Icaza Panamá

Thank you Mr. Tschanz for the explanation about the products out of the round up and the "spam universe". I would like to see comparisons for MXLogic and Sophos solutions, too.

Fri, Mar 4, 2005 Eric Anonymous

The next time you do a round up, give Spam Bully a try. We've been using it at work for a year. It's bayesian based and has a terrific accuracy rate.

Fri, Mar 4, 2005 David Tschanz Anonymous

Apologies as always to those whose favorite product was not included. Inclusion or exclusion should not be read as meaning "good" or "bad"; worthy or unworthy. The key to any product selection is to know in advance what you want (as explained under "Identify Your Objective") and then assess the universe of possible solutions against that. It is a big universe out there.

Thu, Mar 3, 2005 Deputy Dawg MN

We have been using MailMarshal for about a year now and find it truly excellent. It's nice to see the "experts" agreeing with me for once :)

Wed, Mar 2, 2005 Sandy Jupiter, FL

I was surprised Mimesweeper from Clearswift was not among your spam solutions. We've been using it for several years and it just keeps getting better.

Wed, Mar 2, 2005 Anonymous Anonymous

MXRate.com is a system that tracks the current and recent email sending habits of millions of mail servers and other computers world wide. Statistics are maintained on millions of addresses, and probability percentages are calculated. The sender's "reputation" can then be determined by their probability percentage. Not only are spammers identified, but good senders are identified as well. You can make decisions as to whether or not to accept and deliver a message based on the sender's reputation and criteria that you define.
