Security

Digg This!

There are many anti-spam solutions available to the e-mail administrator, resulting in a daunting task when attempting to pick an anti-spam solution. Some general classifications of anti-spam solutions include (examples in parentheses):
> Open source (SpamAssassin)
> Standalone commercial applications (Sophos PureMessage for Unix)
> Closely integrated with an existing e-mail solution (McAfee Spamkiller for Exchange)
> Anti-spam gateway appliance (Ironport X1000)
> Anti-spam service

The line between various anti-spam solutions is very blurry. For example, many anti-spam gateway appliances contain a "service" portion where the appliance queries a real-time facility to help determine whether or not a message is spam. Also, many anti-spam gateway appliances and/or software also have integrated anti-virus or traditional firewall functionality. This article focuses on the distinct anti-spam service, such as Postini, Cloudmark, Trend Micro, or MXlogic.

Benefits of using an anti-spam service as opposed to the other available solutions is primarily ease-of-use for your end e-mail users and less time for your support staff. This solution often doesn't require any action for installation/management on the part of the administrator other than changing where DNS records point to. Using an anti-spam service can reduce the amount of time the mail administrator and other staff (helpdesk and other support staff) spend on the headache of spam.

The downside to implementing an anti-spam service is a loss of control of your inbound e-mail. Your vendor now controls your inbound e-mail, so they better not go down. Of course, there is always the cost for the ongoing service itself, something you don't have with an open source solution.

Reputation Systems
What about sender reputation systems like Yahoo DomainKeys and Sender Policy Framework (SPF)? There seems to be a lot of misinformation regarding what these systems can and cannot do. MXlogic CTO Scott Chasin says, "The media has done a bad job of characterizing what these technologies are." The fact that spammers are incorporating these protocols in greater numbers than non-spammers does not bode well for reputation systems. Scott adds that "sender reputation systems are good for whitelisting, but not much else."

One way sender authentication systems can be more viable is when they are paired with IP reputation systems like Trend Micro's RBL+ Service. IP reputation systems assign a score to an IP address (or block of IP addresses). This can be a simple "on/off" the list (such as the old MAPS project) or more involved like a credit bureau score. However, no centralized system for IP scores currently exists, unlike the credit reporting business.

The lack of a central clearing house for IP reputation data is a problem. Dave Rand of Trend Micro says, "There are no centralized reputation databases, which leaves us with a bunch of ad hoc solutions." This lack of a reputation data broker will make sharing data between reputation data providers almost impossible, due to differences in how vendors generate the reputation data itself.

Choosing an Anti-Spam Service
How does an e-mail administrator decide which service to use? There are a number of solutions out there, but how do you find the one that is right for you? First off, you need to understand what your users need and what type of environment this solution is going into. Then you should narrow down the set of service offerings and vendors to evaluate. Finally, evaluate the product, make your decision, and implement your solution. After implementation, it is always a good idea to evaluate what you have done and how well the solution is meeting your needs. This process can identify areas that can be "tweaked."

Needs Analysis
Understanding your organization's needs is usually a good place to start. For example, are there any government reporting requirements that might impact the ability to block spam? How sophisticated are the end users? Are end users willing to go to a separate Web site to view the potential spam messages that end up in quarantine (sidelined)? How can the proposed anti-spam services fit into the existing e-mail infrastructure? How many end-user mail boxes and/or messages/day is the solution going to need to support?

Choosing a Short List of Vendors
After getting some idea of what your needs are, the next step is to think about what vendors to consider. To start that discussion off, you might wonder what defines a good anti-spam service? According to Cloudmark's Vipul Ved Prakash, four attributes to look for include:

1. Correctness: Be as accurate as possible
2. Granularity: Be able to differentiate spam and legitimate e-mail
3. Feedback driven: End user determines what is/is not spam
4. Automated systems: No manual action required on the part of end users

Andrew Lochart of Postini adds headers analysis and quarantine areas to the above list. "Don't look at just content; look at headers too," says Andrew. The ability to let end users manage their own quarantine will ease headaches on the administrator's part, and allow for faster false positive identification and happier users in the long run. Also, what kind of track record does each vendor have? Do they have a redundancy of systems and networks, so that network outages don't cause you e-mail outages/losses?

Trying to find data that compares various anti-spam services is very difficult. Of course, vendors can provide performance data to you, but is that really going to reflect what you will see if you buy the service? Perhaps, but more likely the numbers vendors give you will be "ideal" cases and not reflective of the "real world."

One source of comparison data for products is side-by-side reviews of products. This can be good source of (hopefully objective) information. However, most product comparisons are for end-user versions of the anti-spam solution, if at all. It certainly helps to talk to fellow e-mail administrators, search the Internet, and ask user groups for other people's experiences with the anti-spam services/vendors you are considering.

Evaluate Vendors
Once you have narrowed down the candidates, how do you effectively evaluate each vendor's products? One good way is to make use of the free trial periods most anti-spam service vendors offer. Draw up comparison metrics and give the most promising ones a try right on your own network. What are some criteria you might use to compare solutions? Here are a few ideas to get you started:

• False positive rate
• False negative rate
• Ease of setup/installation
• Ease of use of management UI
• End-user rating of solution
• Vendor support/reliability of service
• Cost

Perhaps the most important is the false positive rate. It reflects how accurate the solution is by indicating the number of non-junk messages that end up incorrectly in your spam box. If the rate is too high, you're probably better off not implementing an anti-spam solution, because it'll be more hassle than it is worth. Regarding the false negative rate, this is spam that ends up in your real inbox. This is more of a nuisance than a real problem, unless the rate gets so high that it isn't worth using the solution.

The "ease of use/setup," and "end-user satisfaction" areas are more subjective and harder to classify. They are mostly personal/company preference. Vendor support/reliability is another area that is difficult to quantify, though the evaluation process should give you some sense of how well the vendor supports their product. Cost is arguably the easiest to quantify, and it should be easy to compare solutions on a perceived cost/benefit basis.

Implementation
Once the solution has been chosen, you might be able to easily move it from your test installation into full production. Depending on the number of users and how your infrastructure is set up, this can be done as a one time move, or done in steps.

Conclusion
There are a number of anti-spam solutions available on the market today. Using an anti-spam service can be a benefit to the organization, though it does cost real money. There are a number of anti-spam vendors out there on the market today. Choose a couple of services and run trials of their service right on your own network.

In the end, choosing an anti-spam solution can be a frustrating process. However, with the right information, the buyer can make an informed decision.

References

• Product guide and reviews for anti-spam software: www.pcmag.com/category2/0,1874,4795,00.asp
• SpamAssassin: http://spamassassin.apache.org/
• Sophos PureMessage for Unix: www.sophos.com/products/es/gateway/pm-unix.html
• McAfee Spamkiller for Exchange: www.mcafee.com/us/products/mcafee/antispam/spk_mailserver.htm
• Ironport X1000: www.ironport.com/products/ironport_x1000.html
• Cloudmark: www.cloudmark.com/
• Postini: www.postini.com/
• MXlogic: www.mxlogic.com/
• Trend Micro's RBL+ Service: www.trendmicro.com/en/products/nrs/rbl/evaluate/overview.htm
• DomainKeys: http://antispam.yahoo.com/domainkeys
• SPF: www.openspf.org/