In-Depth

Outrun the Avalanche

These eight spam-fighting tools for Exchange want to play a major role in fighting unsolicited e-mail for your organization.

In the last month, my own personal in-box received 4,846 pieces of unsolicited commercial e-mail or spam. That’s roughly 60 percent of my incoming e-mail to that account. Multiply that by the 20 users on my domain, and I’m paying to download somewhere around 100,000 dubious advertisements and come-ons every month. When you think about the bandwidth and storage costs of these messages as well as the user time wasted in deleting them, paying for a product to reduce the magnitude of the problem becomes a very attractive proposition.

Alternatives for Trapping Spam
Though everyone agrees that spam is a problem, there’s little agreement about what the solution might be. A survey of the universe of anti-spam products reveals a number of alternative approaches, including:

 Changing basic Internet protocols (most notably SMTP, the Simple Mail Transfer Protocol) to make unsolicited mail expensive or impossible to send. While attractive as the ultimate way to end the problem, political and technical hurdles make it unlikely that this will happen any time soon.

 Blocking spammers from sending e-mail to the public networks. This is the approach taken by organizations such as The Spamhaus Project (www.spamhaus.org) and the Open Relay Database Project (www.ordb.org), which maintain lists of servers that you might want to refuse mail from (commonly called “Black Hole lists”). Such organizations don’t actually block any mail themselves, but they make their lists available for other software to use.

 Requiring senders to prove that they’re not spammers. Sender verification or challenge-response systems intercept mail from senders that they don’t recognize and send back a response asking for human action (for example, deciphering numbers from a graphic image, or visiting a URL). If the sender doesn’t respond, the system blocks their mail. SpamLion (www.spamlion.com), for example, offers this service by routing your e-mail through their network or another SpamLion server. Unfortunately, some senders may decide it’s not worth the bother of contacting you when faced with a verification step.

 Filtering mail before it gets to your network. Hosted solutions such as Tumbleweed’s Message Managing System (www.tumbleweed.com) or IntelliReach’s MailScreen (www.intellireach.com) will accept e-mail for you, drop or quarantine the spam, and send the rest of the mail to your actual e-mail server.

 Collaborative filtering. Some solutions depend on a network of users to recognize spam while it’s happening and automatically delete a message if enough users identify it as spam. Cloudmark SpamNet (www.cloudmark.com/products/spamnet/) is one such product that integrates directly with Microsoft Outlook.

 Filtering mail at the edge of the network. Some products offer an SMTP gateway that can accept incoming mail, decide which to drop, and forward the rest to your real mail server. These products include both software and appliance solutions. Several of the products in this review take the SMTP gateway approach, and James Carrion’s review of Tumbleweed on page 14 looks at one of the hardware products.

 Filtering mail on the mail server. There are anti-spam products to integrate with nearly any mail server you can name. These products let your existing mail server handle such duties as responding to SMTP messages and distributing mail to users, but insert themselves into the process to find and stop spam. Most of the products in this roundup integrate with Microsoft Exchange server.

 Filtering mail between client and server. Some products, such as POPFile (popfile.sourceforge.net) work as proxies on the POP3 protocol. They retrieve your mail from your e-mail server, sort it somehow, and then deliver the legitimate e-mail on to your client.

 Filtering mail at the client. There are integrated products for almost any e-mail client you can name to help you sort out spam from legitimate mail after it arrives. For example, Spam Bully (www.spambully.com) offers add-in versions for both Outlook and Outlook Express.

For this roundup, I looked at eight products that work on the Exchange server itself, either integrated to Exchange or as SMTP gateways. These products are likely to be appropriate for the majority of departmental and corporate networks. If you’re an individual user with no control over the mail server, you’ll want to look at one of the client-side alternatives instead. If you’re trying to block spam for an entire enterprise, you may want to consider a separate SMTP gateway or appliance filtering solution.

How I Tested
I tested these products on my actual live network. During the course of the review, I upgraded my domain from Exchange 2000 on Windows 2000 to Exchange 2003 on Windows 2003 Server. All but one of the products (Pro Exchange Spam Smacker) run on Exchange 2003, though none of them were making use of the new Exchange 2003 anti-spam features in the versions I looked at (see “What’s New in Exchange 2003”). Pro Exchange expects to release an Exchange 2003 compatible version about the time this roundup prints.

My mail servers accept mail for users on a dozen different domains of widely varying traffic. Some get practically no e-mail; others get hundreds of messages a day. My own main e-mail address has been available on my home page on the Web for years now, so it’s been picked up by every spam mailing list on the planet.

Testing on a real network had both pros and cons. From the standpoint of seeing what the products can do, there’s no substitute for using the actual stream of incoming mail. But during the course of the review process, I discovered various incompatibilities and configuration issues. Three times, my Exchange servers were down badly enough to require rebuilding and once, I lost several hours of incoming mail. All of the problems were eventually solved by the respective tech support people, but were I responsible for a busier network, any one of these could have been a disaster. In addition, there were times when the anti-spam filtering was far too aggressive, and user mail got quarantined for hours until I noticed it wasn’t getting through.

Some of the products focus just on spam fighting, while others offer additional services, from adding disclaimers to outbound mail to virus screening to archiving e-mail to a database. I’ve noted which products have these additional capabilities, but I didn’t test them for this roundup. If your organization requires these extra e-mail handling features, you’ll want to give them a workout in your own lab.

When you’re ready to test anti-spam solutions for your own network, I heartily recommend installing, configuring and uninstalling on a test server before you even dream of putting the CD into your live e-mail server. Of course, your test server should duplicate the configuration of the live server as closely as possible. Once you’re confident that you understand a particular product, and it seems to be working well with test mail, you can consider moving it to your production environment. You might even consider investing in a domain that you don’t actually intend to use, and then posting e-mail addresses from that domain on a prominent Web page, just to get a stream of test spam to use without needing to test on your production servers.

One more caution: You’ll see in the various reviews that I report rough percentages of the spam that each package caught in my tests. You should treat these figures with caution. They represent the performance of the products on my own incoming mail stream, but don’t necessarily tell you anything about the relative ability of these products to catch spam in your own environment. Every network has a different pattern of internal and external e-mail, and you might well see different results in your own testing.


Product Information

OrangeBox Mail Enterprise 2.0
Starts at $48 per user per year at 25 users
Cobion
www.cobion.com

GFI MailEssentials 9.0
Starts at $250 for 10 mailboxes
GFI Software
www.gfisoftware.com

Nemx Power Tools for Exchange 2000
Starts at $795 per SMTP gateway
Nemx Software Corp.
www.nemx.com

MailMarshal 5.5 SMTP
Starts at $1,295 for 75 users
NetIQ Corp.
www.netiq.com

ProExchange Spam Smacker 1.0
$250/100 users (2-year license)
ProExchange
www.hunterstone.com/comm_prods_smck.aspx

Red Earth Policy Patrol Enterprise 2.5
Starts at $375 for 10 users
Red Earth Software
www.redearthsoftware.com

iHateSpam Server Edition 1.0
$493.75/25 mailboxes with 1 year maintenance
Sunbelt Software
www.sunbelt-software.com

Antigen 7.5 for Exchange with Sybari Spam Manager 1.0
$5,750/250 users (2-year license)
Sybari Software, Inc.
www.sybari.com


GFI MailEssentials 9.0
GFI MailEssentials offers flexible anti-spam protection along with a number of other useful extensions for Exchange: database-backed mail archiving, reporting, POP3 import to Exchange mailboxes, and corporate disclaimers. For this review I concentrated on the anti-spam features of version 9.0, working from a late beta copy.

MailEssentials’ anti-spam capabilities fall into four categories: blacklist/ whitelist, Bayesian analysis, header checking and keyword checking. Each has its own strengths, and by combining several approaches you can tune the level of spam blocking to fit in with your own enterprise’s mail.

Blacklisting can be based on a DNS blacklist (DNSBL) server (there are eight of them preconfigured) or on wildcard e-mail addresses. You can configure MailEssentials to use two DNSBL servers as a way to confirm blacklists. Whitelisting lets the mail through based on the sender’s address. One nice feature (that most admins will want to enable) is the Auto-Whitelist. This feature watches your outbound mail and adds every recipient address it sees to the whitelist. Thus, anyone to whom your employees send mail is sure to get through your filters with their replies.

The Bayesian feature blocks or lets through mail based on statistical analysis of the words in the message. You can run the included wizard to specify a source of “ham” (good mail) from an Outlook PST file or Exchange mailbox, and similarly you can pick a source of messages that are known spam. Alternatively, you can download a several megabyte spam profile from GFI’s own servers.

Figure 1. GFI’s Bayesian Analysis Wizard lets you update your organization’s anti-spam profile.

Header checking looks at a variety of characteristics of the message, from empty MIME FROM fields to multiple recipients to the number of numerals in the sender’s address. And, of course, keyword checking looks for specific words and phrases in the message text or subject.

When spam is detected, MailEssentials can take one of several actions. Mail can be blocked and deleted, forwarded to the user’s spam folder or a special account, or moved to a special folder. Alternatively, you can tag the message by prepending text to the subject; this automatically adds a brief explanation to the end of the subject as well. You also have the ability to log blocked messages (you’ll want to do this to enable some of the useful reports) and to send non-delivery receipts to spam senders.

GFI recommends letting the Bayesian filter learn from your outgoing mail for three days before turning it on, so I started by just experimenting with the header and keyword filtering. I was impressed with how well-tuned these filters are; with mildly conservative choices, they blocked 80 percent of my spam. I did, however, have some problems with false positives. Most of these were fixed by whitelisting senders, but mail from Yahoo! groups was persistently marked as spam. Unfortunately these groups use the actual sender as the message sender, and the Yahoo group name as the recipient—a situation which MailEssentials seems to be incapable of recognizing as a special case.

After the Bayesian filter was primed, I turned it on and looked at its performance. This, too, caught a good deal of spam (around 90 percent after some additional training), though it threw up too many false positives in my own mail stream (among other things it wasn’t fond of press releases). I like the idea of a server-side filter, but MailEssentials doesn’t offer any way to tune the Bayesian filter for an individual user’s mail, which limits its effectiveness unless all of your users have similar mail streams.

Still, with some selective whitelisting, the overall performance of MailEssentials in catching spam was among the best of any of the products reviewed here. MailEssentials lacks the flexibility of some of the other products in reacting to spam, but it has strong reporting and monitoring components. Overall, I think this is a solution that most Exchange administrators can be quite happy with.

iHateSpam Server Edition
Sunbelt Software’s iHateSpam is a spam-filtering product for Exchange 2000 or 2003 (with Exchange 5.5 and gateway versions promised soon) that integrates well with Exchange. It does a good job of catching spam, but has a number of rough edges that I’d like to see smoothed out.

Installation was simple, but it took several rounds of work with tech support to discover why the product wasn’t working for me at all. It turns out that iHateSpam must be installed on the Exchange server that actually hosts the mailboxes you’re using. If you have a front-end/back-end Exchange topology, this means putting the software on your core servers rather than your edge servers. Some sys admins may balk at the extra load on the core servers, and this also means letting the spam into your network rather than potentially rejecting it at the edge.

Once I moved the software to the other server, things proceeded much more smoothly. iHateSpam uses a combination of whitelists, blacklists, custom rules (which let you do keyword matching on subject, body or header fields) and its own proprietary anti-spam filters to catch spam. Its filters do a good job (about 85 percent of my spam), which is good—because you can’t see inside those filters. You can add your own rules, but if a Sunbelt-supplied rule is too strict for your mail patterns, that’s too bad.

Whitelist and blacklist management is the best of any product I tried, with one small caveat. iHateSpam adds custom Exchange folders to each user’s mailbox to hold whitelist, blacklist and quarantined messages. This lets the users review their own quarantined mail. If a piece of mail got caught that should have been let through, drag it to the whitelist folder. Back on the server, iHateSpam will see this, and whitelist that sender for future messages. The caveat? You must be using server-side Exchange storage for this to work. If your users are equipped with client-side PST files, or using POP3 to retrieve their mail, they won’t be able to work effectively with the whitelist and blacklist features. But if users have server-side mailboxes, this interface effectively relieves the e-mail administrator of the necessity to monitor the quarantine area.

The iHateSpam management interface makes good use of Microsoft Management Console (MMC) to organize all the parts of the product. Unfortunately, it also uses a lot of HTML pages within the interface to perform tasks, and many of these pages are incompatible with the enhanced Internet Explorer security introduced in Windows Server 2003. If you’re running iHateSpam on Windows Server 2003, you’ll need to disable the enhanced security features in IE, a security risk that you might not like to take.

Figure 2. Sunbelt iHateSpam uses its own filtering logic, which you can update manually or on a schedule.

iHateSpam uses a “point” system to detect spam; the built-in rules assign various weights to individual spam-like features, and you assign points when you build your own rules as well. You can then set individual thresholds to indicate messages that should be quarantined or even outright deleted. Messages recognized as spam can also be flagged with subject-line text or an X-header. Spam messages from blacklist senders can be deleted automatically.

Overall, iHateSpam was easy to manage, and for users with Exchange mailboxes the management features are excellent. But if you have POP3 users, client-side mailboxes, or a distributed Exchange topology, you might want to look elsewhere.

MailMarshal 5.5 SMTP
MailMarshal SMTP is one of two MailMarshal products marketed by NetIQ. The other, MailMarshal Exchange, is intended to work with mail between Exchange servers; I opted to look at the SMTP version instead, which deals with external mail, because that’s where spam comes from. MailMarshal installs as an SMTP proxy. The installation was straightforward (though a bit tedious when entering the multiple domains for which I accept e-mail). You can install the proxy on the same server as Exchange, though there are no explicit instructions for how to modify Exchange in this situation. (You’ll need to move its SMTP service to a non-default port and forward the messages to that port). If you like, you can also set MailMarshal up to maintain its own POP3 mailboxes for users, rather than forwarding mail into your Exchange organization.

MailMarshal is a policy-based product that runs each incoming e-mail through any number of rules. Rules can do a good deal more than catch spam: You can set up autoresponders, globally deny large attachments, scan for viruses and so on. As with the other products in this roundup, I concentrated on the anti-spam functionality. The MMC-based interface (divided into a Configurator for setting up rules and a Console for working with the server after it’s been set up) was easy to use.

Figure 3. The NetIQ MailMarshal Console lets a system administrator quickly review mail that has been quarantined for a variety of reasons.

MailMarshal ships with a number of built-in rules for catching spam, though you’ll need to decide which ones to enable. You can catch mail from known junk mailers, use a DNSBL to block hosts or block a specific IP range. Other rules catch common virus hoax messages or chain letters. If a specific spam message is giving you fits, you can set up a script to catch that message. The main tool here for fighting spam, though, is the Spam category script, a set of rules that are periodically updated by download from NetIQ. You can’t edit this script, so the key question is how well it performs.

The answer is, “pretty well.” I found that MailMarshal caught roughly 85 percent of my spam and quarantined it for review, using only the Spam category script. The review interface is fairly well-done; you can quickly skim messages for false positives, and a few mouse clicks will deliver a message, quarantine it, or show you its contents. One unfortunate lack is any connection between the review interface and the rules. You can’t, for example, deliver a message and immediately whitelist the sender in a single operation. I did have to set up some custom rules (notably to pass mailing list mail) because the Spam category script had quite a few false positives on its own.

The interface for adding new rules is straightforward, and reminiscent of the Rules Wizard in Outlook; you tell it how to recognize a message and what action to take and click hyperlinks to fill in choices. The range of available actions is quite wide, including:

 Run an external command

 Quarantine the message in a custom folder

 Send a bcc of the message to someone

 Strip the attachment

 Stamp the message with a disclaimer or other message

 Write a log record

 Add or modify message headers

 Delete the message

 Pass the message directly to another rule for further processing

Overall, MailMarshal was an extremely easy product to work with, and its rules offer more flexibility in handling e-mail than any other product I reviewed. While its spam capture rate wasn’t the best, a large organization that needs a multi-purpose workhorse will definitely want to check this one out.

Nemx Power Tools for Exchange 2000
The developers at Nemx understand both Exchange and spam. That’s obvious from the tight integration of their product with Exchange 2000, and its excellent spam-catching capabilities. Unfortunately, there doesn’t seem to have been quite as much thought put into handling the spam once it’s caught, which hobbles the product.

Power Tools for Exchange 2000 (which also runs fine on Exchange 2003) has the tightest integration with Exchange’s own tools of any product that I looked at for this roundup. It installs its own node into the Exchange System Manager, and you configure Power Tools for Exchange by setting properties on this node. Oddly, it doesn’t make any use of the main window of System Manager, which would have been a perfect place for statistics or reporting.

Power Tools for Exchange offers a number of ways to catch spam. You can hook into a DNSBL server or use rules-based filtering on message subjects, addresses, headers, keywords and attachments. There are preconfigured rules that you can import into these areas that do an excellent job; just this level of spam protection got about 75 percent of my incoming spam, with very few false positives.

The most innovative part of the product, though, is the Concept Manager. Concept Manager offers a set of spam-finding heuristics, which caught about 90 percent of my spam, with few false positives. Concept Manager looks at a slew of e-mail characteristics: words in the same sentence, Web beacons, obfuscated URLs, hyperlinked images, nonsense HTML tags inserted to break up words and so on. All of this is put together by a natural language engine to classify messages. You can choose to have it look for up to six different types of message: blatant pornography, definite pornography, probable pornography, moderate selling, aggressive selling and unsolicited advertising. You can’t tweak the rules used by Concept Manager; they’re maintained by Nemx based on customer reports and its own spam traps, with downloadable updates posted monthly.

Figure 4. You can manage Nemx Power Tools for Exchange directly from the Exchange System Manager.

Power Tools for Exchange is less flexible in dealing with spam messages than most other products in the category. You can define an action for each way to catch spam. The action can be deleting, quarantining or routing the message to a specified mailbox; deleting any attachment; adding text to the message itself; or setting the message category. You can also send a response, forward a copy or log the message. But you can’t flag a message with text on the subject line or with a special header, which makes writing client-side rules to deal with spam much harder than it should be.

Quarantined messages are held in a queue and processed with an Outlook form that’s sent to a specific mailbox. While this is an intriguing piece of integration, in practice I found it so unwieldy as to be unworkable. Having to open a form to inspect each piece of spam, rather than skimming a list, is a poor use of the administrator’s time.

Power Tools for Exchange also gave me some trouble when I stopped using it. Uninstalling the software destroyed Exchange’s ability to deal with SMTP mail. I had to reinstall both SMTP and Exchange to get it working again. Tech support provided an answer (you must stop the services before uninstalling the software to avoid leaving an invalid SMTP protocol sink behind), but it would have been nice to have that documented rather than discovering it by accident.

There are a number of other modules you can purchase as part of Power Tools for Exchange, including a signature maker, anti-virus scanning, and an address manager. Rather than charge per-user, the base price of the product includes the spam blocker and content manager components for an entire server, with extra components being $199 (except for anti-virus, which will cost you $795 per year).

Overall, I was happy with Power Tools for Exchange’s ability to detect spam; but until it offers more flexible and manageable options for handling the detected spam, it’s not my product of choice.

OrangeBox Mail Enterprise 2.0
Unlike the majority of the products in this roundup, Cobion’s OrangeBox Mail is implemented as an SMTP proxy. That is, instead of integrating directly with Exchange, it sits between your Exchange installation and the Internet, receiving e-mails on your behalf, processing them, and then sending them on to the Exchange server. This approach has pros and cons. On the one hand, a single OrangeBox install can process mail for multiple Exchange servers in a large organization. On the other, this approach makes setup more complex; it took me 90 minutes to get up and running with the help of one of Cobion’s technicians (a service it routinely provides to customers). As always, there are tradeoffs for power. Installation includes a separate Management Console, which can run from anywhere on your network; administrators don’t need to be sitting at the OrangeBox server. You can install the proxy on its own computer or on the same computer with your Exchange server (though in the latter case you need to modify the Exchange SMTP configuration so that the two programs don’t contend for the standard port 25).

OrangeBox Mail is designed to provide content security, defined broadly. In addition to spam, it can also detect viruses (using an external virus scanner), pornography, confidential content, multimedia, files and so on. You can specify which mail to scan and when to perform scanning; when a rule detects a message that falls into one of the suspect categories, you have a wide variety of ways to deal with it. These include modifying the message or the subject, modifying or adding a mail header, adding a disclaimer, delaying the mail until after business hours, quarantining it, or simply deleting it entirely, among other possibilities. For this review, I concentrated on the anti-spam capabilities of the product.

Cobion ships three different anti-spam rules here. The base spam rule uses Cobion’s own database of URLs that appear in spam messages or as the source of spam to make its determination. The more restrictive spam rule looks for similarities to messages in the spam database. Finally, you can turn on the spam heuristics option, which Cobion describes as one that “makes a comprehensive analysis that utilizes weights and scoring for different parts of the message.” The higher levels of checking also include blackhole lists.

Even on the least restrictive setting, I had trouble with OrangeBox’s decisions. This setting picked up roughly 20 percent of my spam—but it also had false positives on some real messages, notably those from Yahoo groups with advertising tacked on by Yahoo. At the most restrictive setting, OrangeBox caught 80 percent or so of the spam, but I constantly had to hunt through the caught messages for false positives, some of which seemed triggered by nothing more than a couple of URLs and a cc: list in HTML e-mails. If you use OrangeBox Mail this way, you’ll want to quarantine and review messages rather than deleting them. You should also expect to spend some time crafting rules to let through the mail that you actually want. OrangeBox uses the Internet to update its database of spam signatures on a schedule you dictate.

Figure 5. Cobion OrangeBox Mail features a drag-and-drop environment for defining rules.

Configuring rules and actions for OrangeBox Mail was extremely simple. Much of the work can be done with drag and drop or by clicking around to see the properties of various objects. The online help is good and the user interface is snappy and intuitive. One thing to watch out for is that changes made through the Management Console aren’t active until you specifically send them to the OrangeBox—a consequence of the program’s distributed design.

OrangeBox is integrated with some system facilities that aren’t found in many competing products. These include the ability to use SNMP traps for managing your spam and to use LDAP or Active Directory to list and authenticate your local users.

Overall, I found OrangeBox Mail easy to use and flexible in its response choices. However, its spam detection algorithms were a bit too trigger-happy for effective use on my own message stream.

Policy Patrol 2.5
Red Earth’s Policy Patrol is a comprehensive solution for dealing with e-mail in an Exchange-based organization. In addition to the anti-spam features that I focused on, they also offer antivirus protection (the product includes a licensed copy of the Kaspersky antivirus engine), disclaimers, archiving and other e-mail management functionality.

Setup was easy, thanks to superb documentation that lays out all the choices—what to do if you have Exchange 5.5 servers mixed into your organization, how to handle multi-server sites, and so on. This was just the start of the pleasant documentation for Policy Patrol, which is well-written and comprehensive.

Figure 6. Handling quarantined spam is easy with Red Earth Policy Patrol.

For spam filtering, Policy Patrol offers several alternatives. First, there’s a “Spam blocker” feature that makes use of DNSBL lists. However, unlike some products, Red Earth gives examples of how to set this up and even points to an online list of DNSBLs, including some (like the Spamhaus service) that are not prone to false positives. When a message is detected as spam by a DNSBL, you can either reject the message or add a header to the message. Adding headers is one of the nice features you’ll find throughout this product; it lets Policy Patrol mark messages without making the marking obvious to end users (as it is with products that use subject line or message modifications for this purpose).

You can also check for spam with keyword filtering. The product comes with several keyword lists already implemented and uses a weighted approach to handling keywords. Each keyword is assigned a score, and you pick a threshold value for the total keyword score that indicates spam. This isn’t quite as foolproof as full Bayesian filtering, but it’s much better than assuming that a single keyword always indicates spam.

There’s also a list of spam characteristics that Policy Patrol can detect. These include:

 Missing or invalid To: fields

 To: and From: the same

 Invalid message IDs

 Invalid HTML

 Unusual character sets

 Lots of spaces on the subject line, followed by a code

When Policy Patrol detects spam (or something else you’re filtering on, such as a virus or spoofed attachments), it can trigger a rule. Rules let you decide what to do with messages, and they’re flexible almost beyond belief. Rules can quarantine messages for administrative action, delay them for delivery at a later time or delete them entirely. They can send blind copies or notifications to another account. They can add tags to the subject or disclaimers to the message text or headers to the message itself (adding headers is ideal for use with custom rules in most mail clients). They can add the address to a filter (for example, building a list of known spammers), make an entry to the event log or even run an external application.

Out of the box, Policy Patrol comes with quite a few sample rules and filters already configured. Even so, you’ll want to set aside considerable time to explore all of the options here and to decide which rules to enable (a “spoofed attachment” rule proved a bit too aggressive for my use, catching a bunch of mail from fellow MCP Magazine editors). But that’s an indication of the product’s scope, not a failure.

Using just the Spamhaus DNSBL and keyword filtering picked up about 50 percent of the incoming spam here, with no false positives. Adding some spam characteristics bumped that up to about 65 percent. That lags behind many of the other anti-spam engines that I looked at in this roundup. Overall, I’m happy with Policy Patrol as a general-purpose e-mail handler, but if you’re strictly interested in catching spam, there are better choices.

Spam Smacker 1.0
ProExchange Spam Smacker is a relatively new and inexpensive entrant to the ranks of Exchange anti-spam products. You can download a trial version (it comes in at just over 4MB), and setup and configuration are both easy; a simple step-by-step interface guides you through the essential configuration tasks. When you’re done, you’ll have a product that watches every SMTP message coming into your Exchange server, that stores its data in an Access or SQL Server database, and that you can manage through an IIS-hosted Web interface. As far as integrating with Microsoft’s software, Spam Smacker scores quite high.

Some of Spam Smacker’s methods of catching spam are based on keyword matching. You can search for keywords in the subject, body, recipients or hosts. Searching on recipients and hosts gives you a way to identify messages based on common senders or on carbon-copy lists. The Spam Smacker database is prepopulated with a few thousand terms to block. You can treat phrases and combinations of words as a single keyword for these searches. For example, a keyword of “free, today only” would match mail that contained both the word “free” and the phrase “today only” in any order.

There are some other methods here as well. The program comes prepopulated with a list of known spammers’ addresses. Although looking for known-bad senders this way seems reasonable, it may not do much in practice because spammers move around a lot. You can also configure blacklist and whitelist overrides to the program’s other checks.

More useful is the automatic blocking for commonly spoofed domains. If a message claims to come from a server such as AOL, Hotmail or Yahoo, but the sending IP doesn’t map back to those domains, it will be treated as spam. You can edit the list of commonly spoofed domains (just as you can edit all of the other lists that the program depends on). The program also checks for messages trying to spoof the local mail host, and automatically blocks the sender of such messages. The spoofing protection didn’t catch many messages in practice. Perhaps the spammers have moved on to other techniques.
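The DNSBL lookup with its reject-or-add-header outcome (from the Policy Patrol section) and the reverse-DNS test for commonly spoofed domains described above, as one added example that is code from neither product. The DNSBL zone, the spoofed-domain list and the DNS answers are constructed so it runs offline, and "PTR name under the claimed domain" is a simplification of how a real check maps a sending IP back to a provider.

```python
# Added example (not code from Policy Patrol or Spam Smacker): a DNSBL lookup
# with the reject-or-mark outcome, and a reverse-DNS test for commonly spoofed
# domains. DNS answers are constructed so the block runs offline.
import ipaddress

DNSBL_ZONE = "dnsbl.example.invalid"                        # constructed zone
COMMONLY_SPOOFED = {"aol.com", "hotmail.com", "yahoo.com"}  # editable list

# Constructed answers standing in for real A and PTR records.
FAKE_DNS = {
    "4.3.2.1." + DNSBL_ZONE: "127.0.0.2",        # 1.2.3.4 is on the list
    "4.3.2.1.in-addr.arpa": "relay.example.net",
    "9.8.7.6.in-addr.arpa": "mta-out.mail.yahoo.com",
}

def resolve(name):
    """Stand-in resolver; a real deployment queries DNS here."""
    return FAKE_DNS.get(name)

def reversed_octets(ip):
    """'1.2.3.4' -> '4.3.2.1', the order both DNSBL and PTR names use."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def dnsbl_check(ip, zone=DNSBL_ZONE):
    """Return the list's answer code (e.g. '127.0.0.2') or None if unlisted."""
    return resolve(reversed_octets(ip) + "." + zone)

def claimed_domain_spoofed(from_addr, ip):
    """True when a commonly spoofed domain is claimed but the sending IP's
    PTR name does not fall under that domain (a simplification)."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain not in COMMONLY_SPOOFED:
        return False
    ptr = resolve(reversed_octets(ip) + ".in-addr.arpa")
    return ptr is None or not ptr.lower().endswith("." + domain)

def evaluate(from_addr, ip, dnsbl_action="header"):
    """'reject', or 'accept' plus headers to add; the header path marks
    listed mail without changing what the user sees."""
    headers = {}
    code = dnsbl_check(ip)
    if code:
        if dnsbl_action == "reject":
            return "reject", headers
        headers["X-DNSBL"] = f"{ip} listed in {DNSBL_ZONE} ({code})"
    if claimed_domain_spoofed(from_addr, ip):
        return "reject", headers
    return "accept", headers
```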

Figure 7. You can manage all of ProExchange Spam Smacker’s settings from a handy Web interface.

There are some other checks here that are less easy to configure. The program automatically does DNSBL checking, and you’ll need to edit the Registry to turn this off. Messages detected as spam can be blocked or flagged on the subject line; the default is to block them. Administrators can use the Web-based interface to delete or release blocked mail.

I tested Spam Smacker with the DNSBL checking turned off so that I could compare its core engine performance with other products. Without the DNSBL, it caught about 65 percent of my incoming spam, though it didn’t have a problem with false positives. As a first line of defense, this is about what I’d expect of a largely keyword-based product. Unless you want to spend a lot of time configuring filters, you’ll need to look elsewhere to do a more thorough job of catching spam.

Sybari Spam Manager 1.0
Sybari has been in the antivirus business for a long time, and with its latest release (Sybari Antigen 7.5 for Exchange), it’s moving into the anti-spam market as well. Antigen includes the bundled Sybari Spam Manager 1.0, which piggybacks on the existing scanning technology to give administrators a tool for blocking unwanted messages whether they contain viruses or not.

Spam Manager offers four options for filtering:

Mailhost filtering allows you to whitelist or blacklist particular hosts. You can also set up DNSBL servers here. Sybari doesn’t actually provide much in the way of detail on the DNSBL feature. It doesn’t even show one actual DNSBL setup, nor does it recommend or even list DNSBL servers in the documentation.

Content filtering lets you specify senders or subject lines that should be caught.

Keyword filtering scans message bodies for particular keywords. The product comes prepopulated with lists for profanity, racial discrimination, sexual discrimination and spam.

File filtering lets you specify particular file names to recognize as spam.

When a message trips one of these filters, Sybari offers the administrator the same options that it does with virus-laden messages. You can block the message from being delivered or simply add a tag (by default, “SUSPECT”) to the subject line. You can send notification e-mails to an administrator or drop the message into quarantine, where it can be managed in bulk with Sybari’s Quarantine Manager.

On the plus side, this whole drill will be familiar to anyone who’s used Sybari Antigen to protect the network from viruses and worms. There’s certainly a benefit to the administrator in not having to learn a new tool.

Figure 8. Sybari Spam Manager offers a variety of options for catching spam.

But on the minus side, I didn’t find the spam protection here to be particularly effective. Or rather, it offered me a choice between ineffective and overly effective. When I first installed Sybari Spam Manager, I turned on the default spam keyword list and told it to scan all of the incoming mail to the network. In this mode, it caught less than 10 percent of the spam hitting my test network, though there were very few false positives. Still, this performance was insignificant in terms of stopping the flood of spam.

After monitoring the keyword list performance for a while, I tried a couple of the major DNSBL servers (MAPS and ORBS). The problem here is that the major DNSBLs are simply too aggressive in identifying domains as spam-friendly. Although in this mode, around 70 percent of the incoming spam was being caught, there were a tremendous number of false positives, including some mail from co-workers. This isn’t something under Sybari’s control, of course, but it does illustrate how hard it is to make effective use of DNSBL filtering.

Sybari does let you configure your own keyword lists simply by editing a text file. You can use a variety of Boolean and other operators (such as “free _WITHIN[10]OF_ pictures” to match “free” within 10 words of “pictures”) in constructing these files. While in theory an administrator could continually tune the spam keyword file to pick up only spam (and pass the organization’s legitimate mail), in practice that would be a full-time job.

As for DNSBL servers, Sybari has an interesting feature in its antivirus scanning that would be handy here. If you set up multiple antivirus engines, you can tell Antigen how to bias performance against certainty by choosing how many engines to apply to any given message. Adding such a feature to the DNSBL scanning for spam might go a long way towards making that feature more useful.

If you’re already using Antigen for anti-virus checking, you might as well turn on the spam keyword list and use it to skim off some of the spam before it hits user mailboxes. But you’ll need to supplement this with some other product to have an effective anti-spam solution.

Additional Information on Spam

What's New in Exchange 2003
http://mcpmag.com/features/article.asp?editorialsid=363

Understanding Bayesian Analysis
http://mcpmag.com/features/article.asp?editorialsid=364

Two Services for the Enterprise
http://mcpmag.com/features/article.asp?editorialsid=365

Using DNSBLs
http://mcpmag.com/features/article.asp?editorialsid=366

A Thanks to Hormel
http://mcpmag.com/features/article.asp?editorialsid=367

Spam-Fighting Terminology
http://mcpmag.com/features/article.asp?editorialsid=368

Developing an Anti-Spam Strategy
The anti-spam market is still evolving rapidly (and with the number of vendors in the market, we’re probably due for a shakeout soon). Each product in this roundup has its own strengths and weaknesses, but you can expect them to improve rapidly as they discover which features work (and don’t work) in the fight against spam. To choose a product, you need to decide what’s important to you. If recognizing and stopping spam is your priority, choose a product that can catch almost all of it, such as GFI MailEssentials or Nemx Power Tools for Exchange. To push management duties down to your users so that you don’t spend your own time going through quarantined mail, look to Sunbelt Software’s iHateSpam. For flexible alternatives in dealing with detected messages, NetIQ MailMarshal and Red Earth’s Policy Patrol offered the best selections in this roundup. Cobion’s OrangeBox Mail is a good choice if you’re trying to check mail for multiple domains or need a distributed solution. Sybari’s Spam Manager integrates spam checking with an industry-leading antivirus solution, making for one less product to manage, while ProExchange Spam Smacker offers a Web interface so you can manage it from anywhere.

No matter which product you pick, you’ll need to consider this only part of an overall spam-fighting strategy for your organization. In many cases, you’ll find that a multi-tiered approach will work best. As a sys admin, you probably don’t have a lot of time to wade through quarantined mail, looking for messages that should have been delivered. Nor do you want to deal with e-mail from your users asking what happened to a particular piece of e-mail that they were expecting. If that’s the case, consider setting up a server-side package with very conservative settings as a first line of defense. When you’re satisfied that your product of choice is tuned to a false positive rate of zero, you can set it to simply discard the most obnoxious spam before it even enters your network.

But because conservative settings will still let sneakier or less obvious spam make it to users’ inboxes, you’ll want a second line of defense. A good client-side package (such as one of the several products that offers Bayesian filtering) will let your users run their own second line of defense to sort out most of the rest of the spam. The combination is probably the best that we can do until that faraway day when spam has been somehow stamped out of existence.
