Stop Spam Now -- Redmondmag.com

Stop Spam Now

These 10 anti-spam software solutions can help you stop spam in its tracks, restore lost productivity and save money and time.

By David W. Tschanz
03/01/2005

Spam is a wildly growing contagion, a blight on the universe, the creation of the most disgusting denizens of the darkest depths known to man. Even with new technologies and techniques for limiting the amount of spam filling your inbox, it's tough to stay ahead.

It's no wonder then that anti-spam software is such a growth industry. Ferris Research estimates that anti-spam software will be installed on as many as 500 million seats by 2008, up from 11 million in 2003. Choosing the right spam control system is ultimately based on many of the same factors as any other IT deployment decision—primarily total cost of ownership and return on investment. What you're really trying to do is save dollars and reduce lost productivity. Here we will examine 10 solutions representative of the burgeoning anti-spam market—all built to filter spam at the server level.

Identify Your Objective
Before you evaluate any specific solution, let's take a high-level view and clarify the ideal goals and techniques of any anti-spam process or technology:

Restrict access to your e-mail addresses: This is one of the strongest and most effective techniques for reducing spam. Limiting or removing a spammer's access to your e-mail identities can stop spam at the source. This is more an issue of internal procedure and policy, so unfortunately none of the current solutions address this. It's important for organizations and individuals alike to have a strong e-mail publication policy and audit and control the addresses published on their Web sites. (For example, the e-mail address I have listed at the end of this article was hit with 200 spam e-mails the day after it first appeared on a Web site.)

(Click image to view larger version. )

Identify the spammers: Limiting who gets access to your e-mail address is difficult, especially when you're battling hordes of spammers with questionable ethics. The next best thing is to identify the senders themselves. Then you can configure an anti-spam solution to block messages coming from particular addresses.

Identify the spam itself: All of the spam-fighting solutions covered here rely on several methods, but they fight spam primarily by detection and isolation. There are a number of specific techniques, including content analysis, keyword recognition, Bayesian filtering and so on. As with identifying spammers, this approach requires a high degree of accuracy and proper configuration to be effective.

Given the general maturity of anti-spam technology and the fact that everyone is working off the same type of script, most of these products boast similar features, with certain nuances and differences in approach. All used some of the more common forms of basic content filtering, blacklists and user configuration. There were differences though; some of them quite dramatic. We'll give you a look at how each anti-spam solution fared with respect to spam signature updates, operational parameters and reporting, identifying spam and identifying the spammers.

Spam Signature Updates
Spammers are smart. They adapt to changes like the roaches they are. A truly effective anti-spam solution needs to have software updates released on a quarterly basis at the very least, preferably more often. What's really important is the vendor's long-term commitment to the quality and capability of its anti-spam filter.

Look for strong and frequent updates to filtering rules, signatures, patterns and lists. I can't stress this point strongly enough. Spam filtering products are only as smart as their last filter or signature update. The best bet is a vendor that automatically keeps your installation refreshed on a real-time basis. Hourly, daily or even scheduled updates are also ideal, as long as the time between updates is relatively short.

MailFrontier's Gateway Server and NetIQ's MailMarshal can be configured for automatic updates or to perform updates on demand. SurfControl boasts a continuously updated spam engine, as does ModusMail with real-time updates. ChoiceMail uses a different system of spam identification that does not require updates—more on that later.

MailWasher Server's list of quarantined messages

MailWasher Server lists quarantined e-mail messages, identifies the sender and lets you know why it blocked the message. (Click image to view larger version.)

How It Runs and How It Reports
While we are only focusing on spam control for e-mail in this review, you should also consider other factors, like what exactly can it filter and process? Can it thwart instant messenger spam (known as spim), digital fax spam, short message service spam and so on? Can it detect and eliminate viruses, worms and Trojans? Most of the major anti-virus products have added extended spam-fighting techniques to their virus-control platforms. Given the control inherent to virus regulation, it's a natural fit for those firms to offer comprehensive packages that include spam control.

Continuously applying many different techniques to a huge amount of e-mail can lead to system degradation over time, so the best solution should have low system overhead while providing many different tests to incoming mail. You should place anti-spam controls at strategic locations throughout the network. Here we're considering those that work with mail servers, but the best design is a multimode architecture that layers different types of anti-spam software at different points in the mail transmission path from the server to the user's mailbox.

A spam control system should be easy to use and fix, provide solid reporting and scale appropriately. Most importantly, it must be easy to update. You should establish a practice of continuous testing, tweaking and refinement. The ongoing system operation should account for a significant portion of your overall criteria when selecting a solution.

Scalability and reporting is one area where there were indeed significant differences between these 10 solutions. CMS' Praetor G2 uses Microsoft's MMC for configuration and maintenance. It features an excellent log and log analysis system, a good set of reports and good scalability. ChoiceMail Enterprise is easy to configure and you have a good share of control and responsibility. It scales well, but the lack of reporting capability is a drawback. Similarly, while it's easy to install and configure MailWasher Server, there's no reporting system. MailWasher, however, is very scalable.

GFI's MailEssentials has a well-developed and easy-to-use reporting system that covers the key aspects of anti-spam activity. The filter itself is easily scalable and easy to configure. MailFrontier Gateway Server has an exceptional reporting system and is also easy to scale and configure. Nemx Power Tools is more difficult than the others to configure and has no reports, but it is quite scalable.

NetIQ's MailMarshal provides a list of mail management options, including editing whitelists and blacklists. (Click image to view larger version.)

NetIQ's MailMarshal is also easily scalable and provides detailed, customizable reporting on all aspects of e-mail activity. It can also drill down from summary levels to individual user activity. You can save and e-mail reports, which provide everything from individual user behavior to bandwidth usage, spam information, virus reports, policy breaches and ROI.

iHateSpam has an exceptional reporting system. Choosing between this and NetIQ's system was virtually impossible. It's also easy to operate and is very scalable. SurfControl has a limited reporting system, but is very easy to operate and scalability is very good. ModusMail is highly configurable, but offers limited reporting.

Spam: Identify Yourself
There are many filtering methodologies to identify spam, but the general rule of thumb is that a variety of techniques at a variety of points in the mail transmission path is best. The stronger the methods used to combat spam, the less spam you will receive and the happier you will be.

The techniques for identifying spam boil down to parsing the bulk of an e-mail message and analyzing the results to decide whether or not the message is spam.

These are the more common techniques:

Keyword: This method rejects any message containing single-word or phrase matches. It's easy to set up, but yields many false positives.
Pattern matching: This method mixes constant text, like keywords, and variable components, like wildcard characters.
Rule-based (heuristic) filtering: One notable advancement over keyword matching is the notion of how those words are used, what they mean and what relationship they have to each other. Rule-based filtering provides enhanced decision-making drawn from advanced rule construction. You can string together several rules to form a decision tree that effectively does multiple-pass filtering on any given message.
Signature-based filters: These operate by performing a calculation on each message and comparing it to a database of known spam messages. The actual calculation is called a hash, which is a fixed-length "signature" often computed using an MD5 algorithm. Long messages, those with attachments and even those with lots of embedded HTML code all produce valid hash signatures. However, changing each message slightly and randomly produces a different hash value. Signature filtering has its place, but it's effective only if used in conjunction with other, stronger techniques.
Bayesian and statistical filtering: Bayesian-based filtering applies statistical modeling to any form a spam message may take. It breaks a message into component parts (individual words) and applies a frequency analysis. Because it's an iterative process, the spam filter is also constantly updating itself and learning to separate good from bad as mail flows through the system.

The difference in accuracy of statistical filtering over rules-based content filtering is dramatic. If a message from a good sender uses the word free (a heavily-weighted spam word), a blind rules-based filter would bounce it immediately. A Bayesian filter would let it pass since the overall composition conforms to what we would normally receive. Statistical filters are not only very accurate, they're also very efficient. They can adapt to new techniques used by innovative spamming organizations. Bayesian methods are among the highest rated and deserve to be a key component in your quest for a clean mailbox.

All of the solutions reviewed here use multiple filtering methods, but all have one primary method. CMS Praetor G2, MailWasher Server, GFI MailEssentials 10.1 and MailFrontier Gateway Server all use Bayesian filtering.

Nemx Power Tools does subject and header filtering, but no content assessment. NetIQ's MailMarshal uses its heuristic SpamCensor engine.

iHateSpam and SurfControl also use rules-based heuristic filtering, although iHateSpam's is fully customizable. ModusMail does standard content filtering. ChoiceMail Enterprise only provides limited filtering, but that's by design and the means with which it identifies and isolates suspect messages.

Identifying content as spam by whatever method is no longer the primary means of spam control. It has essentially been supplanted by methodologies that identify the spammers, not the message. That's to be expected because improperly constructed content filters or rules are more likely to generate false positives and false negatives.

ChoiceMail Enterprise uses a challenge/response filtering method, which assumes every sender is a spammer until you indicate otherwise. (Click image to view larger version.)

Bayesian filtering is the best, mostly because it's iterative and adaptable, but that shouldn't be your sole technological criteria. In fact, for this criteria, I gave highest marks to NetIQ's heuristic anti-spam engine. It's functional right out of the box and MailMarshal lets you automatically update its spam patterns and definitions, as well as the SpamCensor engine rules, over the Internet. Generally, any anti-spam filter using Bayesian filtering as its primary method will catch as much as 98 percent of what it identifies as spam. Heuristic anti-spam filters function in the 95 percent range. Both of those results can be improved with constant spam signature updates and careful configuration as you fine-tune the systems.

ChoiceMail's lower score in this category is by design, as they have essentially abandoned the idea of identifying spam by looking at message content. Instead, it uses content filtering as a rough cut, and depends on a challenge/response method of defense. While this type of anti-spam filtering puts more of the onus on the user, it essentially catches 100 percent of all spam. It considers any message as spam until you tell it otherwise. Therefore, only messages from senders you have specifically approved are allowed through.

Ultimately, any of these anti-spam filtering tools are only going to be as effective as the amount of effort you put into configuration and maintaining updates. Being able to set your own filtering parameters will determine how aggressively your filter will examine the flow of spam coming into your inbox. If you find you're receiving a lot of false positives, then you'll need to adjust your settings.

If you're still getting too much spam, time to configure your filter to a more aggressive level. These filtering mechanisms—whether heuristic, signature-based or Bayesian—are user dependent, vendor dependent and even DNS blacklist dependent.

Identifying Spammers
Filtering based on the sender or relay identity is becoming more important. Almost all anti-spam solutions have some integrated blacklist (prohibited senders) and/or whitelist (allowed senders) technology. Most vendors pool their blacklist resources and share them over a network to cut down on processing, load and storage resources. These DNS blacklists are part of nearly every solution.

Unfortunately, blacklists can have serious validity problems. Important servers can accidentally find their way on a blacklist, either by mistake or because a spammer may have slipped spam through the gateway, rendering it a "known spammer." Blacklists have no real granularity of control so senders are either blocked completely or allowed without further regard. To get around this, spammers can simply change addresses. Because network-based blacklists are run by outside organizations, the quality of the filtering is only as good as the people who manage the list.

Whitelisting is the opposite of blacklisting. A whitelist identifies good senders that should still be allowed through without filtering. Whitelists are normally better implemented at the user level than at the server level. Challenge and response is another, more cumbersome method to enforce an identity check as part of the initial mail handshake. Current e-mail doctrine is established around an "always allow" philosophy. This means your system assumes any message is not spam unless you tell it otherwise. The challenge and response method assumes everything is spam until proven otherwise. Theoretically, this is a flawless strategy. The largest impediment to quick and complete adoption is that it places a heavy burden on the sender to validate legitimate senders.

CMS Praetor G2 filters mostly at the message level with a DNS blacklist check also available at the SMTP protocol level. It also does other protocol level filtering via the IIS Services Manager, including IP addresses, domain names and sender addresses. You can also create a whitelist. ChoiceMail Enterprise performs challenge/response, permission-based e-mail management. It assumes all incoming mail is spam and only lets it through if the senders are approved.

Firetrust MailWasher Server does connection filtering, real-time blackhole list servers, blacklists and whitelists. GFI MailEssentials 10.1 uses a whitelist, blacklists and DNS blacklist. MailFrontier Gateway Server also uses blacklists, DNS blacklist, third-party DNS blacklisting services and dynamically created whitelists.

Nemx Power Tools does blacklisting and whitelisting, which works well but is somewhat limited compared to the others. NetIQ MailMarshal can use third-party DNS blacklisting services and dynamically created whitelists. It also has anti-relaying capability, securing e-mail servers against relaying by default. (Relaying hides the spammer's identity and effectively frames the company by using its mail servers.)

The rest also use a variety of methods. iHateSpam uses both whitelists and blacklists, as well as its own signature files. SurfControl uses protected domains, trusted IPs, blacklists, reverse DNS lookup, real-time black hole lists and whitelists. ModusMail maintains a user-level blacklist and whitelist, reverse DNS blacklist, real-time blacklisting at the server level, protocol filters, SMTP security, fingerprinting, connection limits and a block scan.

After much consideration, I gave ChoiceMail the highest marks for its unique approach. Nearly all the others use minor variations on the same theme of identifying spammers through a combination of the standard methods. The implementations aren't different enough to be distinguishable.

ChoiceMail follows a different path. Because it initially considers everything spam, it only allows mail from pre-approved senders or those who obtain approval. It populates the list with senders from your existing address book and anyone you e-mail. It also lets you write rules to accept mail from senders not on your whitelist. (For example, if you want to receive e-mail about sailing, you can configure ChoiceMail to accept any message containing the word "sailboat.")

Praetor G2 uses a DNS blacklist to filter at the message level or SMTP protocol level. (Click image to view larger version.)

ChoiceMail quarantines any unrecognized mail and automatically sends a "registration request" to each unknown sender that directs them to a Web page where they enter their name, e-mail address and reason for contacting you. They must also complete a task, which is easy for a person but impossible for a computer. This process alone eliminates most junk e-mail because spammers cannot respond to the registration request. After that process is complete, you decide whether or not to accept the sender.

Keep Spam in the Can
There was no single "winner" in this group of 10 anti-spam software solutions, a fairly predictable result given the limited parameters within which anti-spam software has to operate and the overall maturity of the technology. Your determination should be based on a number of detailed factors, rather than major differences in the technology or the approach to spam filtering.

GFI's MailEssentials, MailFrontier's Gateway Server and NetIQ's MailMarshal all scored the highest, with Sunbelt Software's iHateSpam missing the top tier by a narrow margin. GFI has always had a solid reputation. MailFrontier has some of the best documentation in the industry and its Web site is a cornucopia of information. MailMarshal has an exceptional reporting system and its spam identification attributes were the best of the group. The aptly named iHateSpam has an excellent reporting system, is very easy to use and definitely deserves consideration.

DigiPortal's ChoiceMail Enterprise has the most intriguing approach to spam control. It received a low overall score, but only because it lacks a good reporting system. Vircom's ModusMail, CMS' Praetor G2, Firetrust's MailWasher Server and Nemx's Power Tools all have great strengths and are worthy of consideration as you make your decisions.

The war against spam is on. Choose a weapon that suits your the requirements of your organization. It's a delicate balance of allowing the messages you need to receive, while keeping the pernicious spam out of your in-box. Consider carefully and choose wisely.

Featured

Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.