Picking Your Anti-Spam Poison: The Spam Series, Part 2

By Jacqueline Emigh | Mar 17, 2003

Everybody suffers from spam, but which approach to fighting spam is best for your organization? Experts emphasize that choosing the right product or service can make a big difference in spam protection. "Anti-spam technology isn't exactly rocket science -- but in a way, it kind of comes close," quips Jeff Brainard of Mirapoint.

"Anti-spam products are very complex. Products have their own unique characteristics," concurs Maureen Grey, research director at GartnerGroup. "Fighting spam is not an easy undertaking."

The anti-spam cauldron is bubbling over with more and more products and services. Some organizations are claiming positive experiences with outside host-based services, while other alternatives include software gateways and client-based filtering. For universities, SMBs, and others on lean budgets, open source software gateways like SpamAssassin and SpamCop are available free of charge. Another strategy adopted in some places is PerlMx -- a program that uses sendmail's MILTER interface -- for both virus scanning and spam filtering.

Administrators with more money to spend can also consider commercial products and services. Illinois Tool Works, for example, is a highly distributed and autonomous environment with over 500 different domains. The multinational corporation initially deployed an anti-spam hosting service among certain departments that requested such a service. Ultimately, though, users became annoyed when they weren't receiving all of their legitimate e-mails, according to Marc Pilano, IT director for the manufacturing corporation. In anti-spam speak, the service was turning in a high rate of "false positives."

Pilano claims that switching to Mirapoint's MessageDirector, a self-contained anti-spam gateway hardware appliance, fixed the problem. The rules in MessageDirector are customizable to either the domain or individual end user level. Ease of use is another big plus, according to Pilano. "You just put it in, and it works."

Meanwhile, commercial software gateways are being sold by more and more vendors, including Clearswift, Elron Software, BorderWare Technologies, and ActiveState. Some commercial gateway products are incorporating antivirus capabilities or Web page filtering or both, too.

Brightmail, Postini, and MessageLabs are a few of the popular standouts in anti-spam hosted services.

With so many choices, how does an administrator decide what, if anything, to buy? "You should look first at the organization's filtering requirements and then at the amount of money available. Next, you should try to find products or services that meet both of these requirements," advises Dan Keldsen, an analyst at SummitStrategies.

Before shopping around, here's a list of four questions you might want to ask yourself.


Question 1. What will work better for this organization - in-house products or hosted services?

"Host-based services can be a good choice for small businesses or other organizations without in-house expertise with anti-spam technology," notes Keldsen.

Knowledge of transport-level issues is particularly important in fighting spam, according to Gartner's Grey. "In particular, one should never use Microsoft Exchange, Windows SMTP Server, or Lotus Domino Server directly on the Internet. Those products should be protected from attack by Sendmail, Sun ONE, or one of the [anti-spam gateway] products. If that seems too much effort, you may want to consider engaging a service."

Yet some organizations, such as Illinois Tool Works, have found that certain hosting services lack the customization they want. "Many organizations don't want to lose control over their e-mail," points out Keldsen.

Pricing can be another big factor. One administrator said he was flabbergasted to find that a two-year subscription to a major hosting service would cost his university over $40,000.

Question 2. Which is better for your environment, a gateway- or client-based approach?

Product permutations abound. Generally speaking, though, anti-spam products -- gateway and client software alike -- let users or administrators set up filters for screening e-mail. Many e-mail clients come with their own basic filters. Examples include Microsoft Exchange, Lotus Notes, Eudora, Netscape, and, for Macintosh clients, Mail for MacOS X.

In addition, third-party vendors provide add-in filtering products for many of these clients, as well as for Microsoft Outlook Express and Webmail -- two clients that don't have any built-in filtering capabilities of their own. For Unix boxes, PINE and Procmail (except for E4E) also provide built-in filtering.

"Client filtering can be an inexpensive way to go," observes Keldsen. End users also get autonomy. On the other hand, centralized administration is impossible, a situation particularly problematic in large organizations. Moreover, some open source and commercial SMTP gateways have started to offer levels of filtering not possible on the client side.

Some gateway makers claim to include heuristic and lexical analysis, as well as support for white and black lists, which automatically let in or screen out mail. Typically, these products assign probability scores to e-mail messages based on their spamlike characteristics.

White and black lists can be based on IP address range, "from" address, or content analysis, for example. At this point, many black listing capabilities still rely largely on databases of known spammers, such as RBL, DUL and RBL+ MAPS. It's typically possible to make manual modifications to the black and white lists as well.

For example, you might want to place the company president on the white list, so that all communications from his office are guaranteed to get through. Conversely, e-mails containing certain curse words might be consigned to the black list, suggests Brainard. As with some hosted services, many gateways are not customizable to the filtering requirements of individual domains and end users, points out Michael Osterman, principal of Osterman Research.

Scalability and resource consumption are other considerations. Rightly or wrongly, some administrators believe that SpamAssassin, for example, consumes too much processing power for large-scale implementations.

Also, the quality of rules-based engines can vary considerably. Generally speaking, you get what you pay for, insists Gartner's Grey. "In general, the lower-cost tools have less-rich logic and rely instead on action from the implementing customer. You can craft your own rules, but it takes a lot of time and attention, and the success of your handcrafted rules will be mixed."

Many products are still too young to be tried-and-true, contends Grey. "Some rely almost entirely on 'black lists' and 'white lists' -- blacklist everyone, then load your contact list into the system and white-list your contacts, and then block individuals, domains, or IP addresses as you go forward. Such systems require mountains of people time to build and maintain the lists, are not very effective over time, and are almost impossible to debug when your blocking lists begin to overlap."
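The combination of white and black lists with a probability score, and the overlap problem Grey describes, can be seen in a short sketch. This is an added example, not code from any product named in the article; the list entries, weights, threshold and the rule that the white list wins are all constructed assumptions.

```python
import ipaddress

# Constructed sample lists and weights (assumptions, not from any product).
WHITE = [("from", "president@example.com"), ("ip", "192.0.2.0/24")]
BLACK = [("ip", "192.0.2.128/25"), ("from", "@bulk.example"), ("word", "free money")]
WEIGHTS = {"caps_subject": 2.0, "exclamations": 1.5, "no_body_text": 1.0}
THRESHOLD = 3.0  # hypothetical cut-off for the heuristic score

def matches(rule, msg):
    """True if one (kind, value) list entry applies to the message."""
    kind, value = rule
    if kind == "ip":
        return ipaddress.ip_address(msg["ip"]) in ipaddress.ip_network(value)
    if kind == "from":  # "@domain" is a suffix match, anything else an exact address
        sender = msg["from"].lower()
        return sender.endswith(value) if value.startswith("@") else sender == value
    return value in (msg["subject"] + " " + msg["body"]).lower()

def score(msg):
    """Sum the weights of the spamlike traits the message shows."""
    total = 0.0
    if msg["subject"].isupper():
        total += WEIGHTS["caps_subject"]
    if (msg["subject"] + msg["body"]).count("!") >= 3:
        total += WEIGHTS["exclamations"]
    if not msg["body"].strip():
        total += WEIGHTS["no_body_text"]
    return total

def classify(msg):
    """Return (verdict, conflicts); conflicts pairs each white and black rule that both hit."""
    white = [r for r in WHITE if matches(r, msg)]
    black = [r for r in BLACK if matches(r, msg)]
    conflicts = [(w, b) for w in white for b in black]
    if white:  # the white list takes precedence in this sketch
        return "deliver", conflicts
    if black:
        return "block", conflicts
    return ("spam" if score(msg) >= THRESHOLD else "deliver"), conflicts

def overlapping_ranges():
    """Static check: IP ranges that appear, in whole or in part, on both lists."""
    nets = lambda rules: [ipaddress.ip_network(v) for k, v in rules if k == "ip"]
    return [(str(w), str(b)) for w in nets(WHITE) for b in nets(BLACK) if w.overlaps(b)]

if __name__ == "__main__":
    sample = {"ip": "192.0.2.200", "from": "sales@bulk.example",
              "subject": "FREE MONEY!!!", "body": "Act now!"}
    print(classify(sample))       # delivered, with three conflicting rule pairs
    print(overlapping_ranges())
```

The sample message is delivered because its sending address falls in a white-listed range, even though three black-list entries also match it; returning the conflicting pairs is what makes that outcome traceable.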
