Picking Your Anti-Spam Poison: The Spam Series, Part 2

By Jacqueline Emigh | Mar 17, 2003
http://www.enterprisenetworkingplanet.com/netsysm/article.php/10954_2110571_3/Picking-Your-AntiSpam-Poison--The-Spam-Series-Part-2.htm

Everybody suffers from spam, but which approach to fighting spam is best for your organization? Experts emphasize that choosing the right product or service can make a big difference in spam protection. "Anti-spam technology isn't exactly rocket science -- but in a way, it kind of comes close," quips Jeff Brainard of Mirapoint.

"Anti-spam products are very complex. Products have their own unique characteristics," concurs Maureen Grey, research director at GartnerGroup. "Fighting spam is not an easy undertaking."

The anti-spam cauldron is bubbling over with more and more products and services. Some organizations are claiming positive experiences with outside host-based services, while other alternatives include software gateways and client-based filtering. For universities, SMBs, and others on lean budgets, open source software gateways like SpamAssassin and SpamCop are available free of charge. Another strategy adopted in some places is PerlMx -- a program that uses sendmail's MILTER interface -- for both virus scanning and spam filtering.

Administrators with more money to spend can also consider commercial products and services. Illinois Tool Works, for example, is a highly distributed and autonomous environment with over 500 different domains. The multinational corporation initially deployed an anti-spam hosting service among certain departments that requested such a service. Ultimately, though, users became annoyed when they weren't receiving all of their legitimate e-mails, according to Marc Pilano, IT director for the manufacturing corporation. In anti-spam speak, the service was turning in a high rate of "false positives."

Pilano claims that switching to Mirapoint's MessageDirector, a self-contained anti-spam gateway hardware appliance, fixed the problem. The rules in MessageDirector are customizable to either the domain or individual end user level. Ease of use is another big plus, according to Pilano. "You just put it in, and it works."

Meanwhile, commercial software gateways are being sold by more and more vendors, including Clearswift, Elron Software, BorderWare Technologies, and ActiveState. Some commercial gateway products are incorporating antivirus capabilities or Web page filtering or both, too.

Brightmail, Postini, and MessageLabs are a few of the popular standouts in anti-spam hosted services.

With so many choices, how does an administrator decide what, if anything, to buy? "You should look first at the organization's filtering requirements and then at the amount of money available. Next, you should try to find products or services that meet both of these requirements," advises Dan Keldsen, an analyst at SummitStrategies.

Before shopping around, here's a list of four questions you might want to ask yourself.

Question 1. What will work better for this organization - in-house products or hosted services?

"Host-based services can be a good choice for small businesses or other organizations without in-house expertise with anti-spam technology," notes Keldsen.

Knowledge of transport-level issues is particularly important in fighting spam, according to Gartner's Grey. "In particular, one should never use Microsoft Exchange, Windows SMTP Server, or Lotus Domino Server directly on the Internet. Those products should be protected from attack by Sendmail, Sun ONE, or one of the [anti-spam gateway] products. If that seems too much effort, you may want to consider engaging a service."

Yet some organizations, such as Illinois Tool Works, have found that certain hosting services lack the customization they want. "Many organizations don't want to lose control over their e-mail," points out Keldsen.

Pricing can be another big factor. One administrator said he was flabbergasted to find that a two-year subscription to a major hosting service would cost his university over $40,000.

Question 2. Which is better for your environment, a gateway- or client-based approach?

Product permutations abound. Generally speaking, though, anti-spam products -- gateway and client software alike -- let users or administrators set up filters for screening e-mail. Many e-mail clients come with their own basic filters. Examples include Microsoft Exchange, Lotus Notes, Eudora, Netscape, and, for Macintosh clients, Mail for MacOS X.

In addition, third-party vendors provide add-in filtering products for many of these clients, as well as for Microsoft Outlook Express and Webmail -- two clients that don't have any built-in filtering capabilities of their own. For Unix boxes, PINE and Procmail (except for E4E) also provide built-in filtering.

"Client filtering can be an inexpensive way to go," observes Keldsen. End users also get autonomy. On the other hand, centralized administration is impossible, a situation particularly problematic in large organizations. Moreover, some open source and commercial SMTP gateways have started to offer levels of filtering not possible on the client side.

Some gateway makers claim to include heuristic and lexical analysis, as well as support for white and black lists, which automatically let in or screen out mail. Typically, these products assign probability scores to e-mail messages based on their spamlike characteristics.

White and black lists can be based on IP address range, "from" address, or content analysis, for example. At this point, many black listing capabilities still rely largely on databases of known spammers, such as RBL, DUL and RBL+ MAPS. It's typically possible to make manual modifications to the black and white lists as well.

For example, you might want to place the company president on the white list, so that all communications from his office are guaranteed to get through. Conversely, e-mails containing certain curse words might be consigned to the black list, suggests Brainard. As with some hosted services, many gateways are not customizable to the filtering requirements of individual domains and end users, points out Michael Osterman, principal of Osterman Research.

Scalability and resource consumption are other considerations. Rightly or wrongly, some administrators believe that SpamAssassin, for example, consumes too much processing power for large-scale implementations.

Also, the quality of rules-based engines can vary considerably. Generally speaking, you get what you pay for, insists Gartner's Grey. "In general, the lower-cost tools have less-rich logic and rely instead on action from the implementing customer. You can craft your own rules, but it takes a lot of time and attention, and the success of your handcrafted rules will be mixed."

Many products are still too young to be tried-and-true, contends Grey. "Some rely almost entirely on 'black lists' and 'white lists' -- blacklist everyone, then load your contact list into the system and white-list your contacts, and then block individuals, domains, or IP addresses as you go forward. Such systems require mountains of people time to build and maintain the lists, are not very effective over time, and are almost impossible to debug when your blocking lists begin to overlap."
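The list-then-score flow described above, and the overlapping-list problem Grey raises, as an added example that is not taken from the article or from any product it names. The list entries, rule weights, threshold and white-list-first precedence are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample lists (documentation IP ranges and example domains).
WHITELIST = {"nets": ["192.0.2.0/24"], "senders": ["president@example.com"]}
BLACKLIST = {"nets": ["192.0.2.128/25", "198.51.100.0/24"],
             "senders": ["@bulk.example.net"]}

# Constructed lexical rules: (phrase, weight). Real engines use richer logic.
RULES = [("free money", 2.5), ("act now", 1.5), ("unsubscribe", 0.5)]
SPAM_THRESHOLD = 3.0  # assumed cut-off for this example


def on_list(lst, ip, sender):
    """True if the client IP or the From address matches an entry in the list."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in lst["nets"]):
        return True
    sender = sender.lower()
    # An entry starting with "@" matches a whole domain; otherwise exact match.
    return any(sender.endswith(s) if s.startswith("@") else sender == s
               for s in lst["senders"])


def score(body):
    """Sum the weights of every rule phrase found in the message body."""
    text = body.lower()
    return sum(w for phrase, w in RULES if phrase in text)


def classify(ip, sender, body):
    """White list wins over black list (assumed precedence), then scoring."""
    if on_list(WHITELIST, ip, sender):
        return "allow"
    if on_list(BLACKLIST, ip, sender):
        return "block"
    return "spam" if score(body) >= SPAM_THRESHOLD else "ham"


def find_overlaps(white, black):
    """Report network pairs that appear, wholly or partly, on both lists."""
    return [(w, b) for w in white["nets"] for b in black["nets"]
            if ipaddress.ip_network(w).overlaps(ipaddress.ip_network(b))]
```

Running `find_overlaps` before deploying a list change surfaces entries such as the white-listed /24 that silently overrides a black-listed /25 inside it.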

Question 3. Is it better to block or to quarantine?

Some anti-spam products block rejected e-mails entirely, bouncing them back to the sender. An alternative strategy is known by a number of names, including "quarantining" and "grey listing." In essence, rejected e-mails are isolated in a special area, such as a "grey folder."

This approach helps offset the problem of false negatives by ensuring all mail remains accessible to either end users or administrators (or both). Blocking, though, also has its adherents.

Some administrators think it isn't fair to senders to quarantine e-mails, particularly in the case where legitimate senders think their mail has gotten to its destination -- when, in fact, it may never even be seen by anyone unless a user or administrator bothers to cull through the undelivered mail.

Question 4. Do you want to combine antivirus or Web filtering or both with anti-spam measures?

Vendors are converging on the anti-spam market from a number of directions. Antivirus and Web filtering vendors are among those joining the crowd. Anti-spam filtering, though, is a highly specific discipline, and products that attempt to offer many capabilities are not necessarily best-of-breed across all functions, asserts Grey.

On the other hand, multifunctional products can carry some big advantages, states Keldsen. Systems integration is less of a problem, and the reporting process is a lot smoother. "You don't have to deal with five different kinds of reports from five different vendors," he illustrated.

Illinois Tool Works is using MessageDirector for anti-virus as well as anti-spam filtering. Pilano said he's pleased with the results on both counts. "Administrative time has been greatly reduced."

So far, the product has been deployed among about 6,000 of the company's 50,000 end users. Pilano, though, expects other departments will chime in soon. "Word is starting to get around throughout the company."

MessageDirector will work with any standards-based mail system, so departments wishing to keep using Exchange or Notes for e-mail can still do so while also starting to get anti-spam and anti-virus protection through MessageDirector.

Stay Tuned

If you do decide to invest in a gateway product, your work won't end with selecting a vendor, according to Grey. The Gartner analyst suggests a multi-phase deployment. "Turn the software on in audit mode. Then, assess the kind of spam that's coming into the organization. Based on that assessment, start to develop policies."

Choosing products and hosted services for spam protection is no simple matter, and with the continual addition of new features, the process could get even tougher in the future. In the next edition of this series we'll take a closer look at where some of these products and services appear to be headed.

