Picking Your Anti-Spam Poison: The Spam Series, Part 2 - Page 2
Question 1. What will work better for this organization - in-house products or hosted services?
"Host-based services can be a good choice for small businesses or other organizations without in-house expertise with anti-spam technology," notes Keldsen.
Knowledge of transport-level issues is particularly important in fighting spam, according to Gartner's Grey. "In particular, one should never use Microsoft Exchange, Windows SMTP Server, or Lotus Domino Server directly on the Internet. Those products should be protected from attack by Sendmail, Sun ONE, or one of the [anti-spam gateway] products. If that seems too much effort, you may want to consider engaging a service."
Yet some organizations, such as Illinois Tool Works, have found that certain hosting services lack the customization they want. "Many organizations don't want to lose control over their e-mail," points out Keldsen.
Pricing can be another big factor. One administrator said he was flabbergasted to find that a two-year subscription to a major hosting service would cost his university over $40,000.
Question 2. Which is better for your environment, a gateway- or client-based approach?
Product permutations abound. Generally speaking, though, anti-spam products -- gateway and client software alike -- let users or administrators set up filters for screening e-mail. Many e-mail clients come with their own basic filters. Examples include Microsoft Exchange, Lotus Notes, Eudora, Netscape, and, for Macintosh clients, Mail for MacOS X.
In addition, third-party vendors provide add-in filtering products for many of these clients, as well as for Microsoft Outlook Express and Webmail --q two clients that don't have any built-in filtering capabilities of their own. For Unix boxes, PINE and Procmail (except for E4E) also provide built-in filtering.
"Client filtering can be an inexpensive way to go," observes Keldsen. End users also get autonomy. On the other hand, centralized administration is impossible, a situation particularly problematic in large organizations. Moreover, some open source and commercial SMTP gateways have started to offer levels of filtering not possible on the client side.
Some gateway makers claim to include heuristic and lexical analysis, as well as support for white and black lists, which automatically let in or screen out mail. Typically, these products assign probability scores to e-mail messages based on their spamlike characteristics.
White and black lists can be based on IP address range, "from" address, or content analysis, for example. At this point, many black listing capabilities still rely largely on databases of known spammers, such as RBL, DUL and RBL+ MAPS. It's typically possible to make manual modifications to the black and white lists as well.
For example, you might want to place the company president on the white list, so that all communications from his office are guaranteed to get through. Conversely, e-mails containing certain curse words might be consigned to the black list, suggests Brainard. As with some hosted services, many gateways are not customizable to the filtering requirements of individual domains and end users, points out Michael Osterman, principal of Osterman Research.
Scalability and resource consumption are other considerations. Rightly or wrongly, some administrators believe that SpamAssassin, for example, consumes too much processing power for large-scale implementations.
Also, the quality of rules-based engines can vary considerably. Generally speaking, you get what you pay for, insists Gartner's Grey. "In general, the lower-cost tools have less-rich logic and rely instead on action from the implementing customer. You can craft your own rules, but it takes a lot of time and attention, and the success of your handcrafted rules will be mixed."
Many products are still too young to be tried-and-true, contends Grey. "Some rely almost entirely on 'black lists' and 'white lists' -- blacklist everyone, then load your contact list into the system and white-list your contacts, and then block individuals, domains, or IP addresses as you go forward. Such systems require mountains of people time to build and maintain the lists, are not very effective over time, and are almost impossible to debug when your blocking lists begin to overlap."