Are multiple spam filters practical?

Some industry observers advise against business use of more than one spam filter, but another says antispam tools can still be implemented concurrently.
Written by Vivian Yeo, Contributor

Some industry observers advise against using multiple antispam products, contrary to a recent call for businesses to consider doing so.

Last month, the Virus Bulletin (VB) recommended that organizations that regard spam filtering as critical to their business consider using more than one such tool. The security product testing company also urged antispam vendors to collaborate and share information so that inboxes can be better protected.

However, Graham Titterington, principal analyst at analyst firm Ovum, noted that having multiple spam filters "is a waste of precious resources". Such an approach is "simply not the best use of resources", he said in an e-mail, given that organizations typically have "finite" security and IT budgets.

Noting that he would not agree with the advice, Titterington added that the presence of multiple filters could impose extra latency on communications networks.

On top of that, there is also the issue of false positives, or labeling legitimate e-mail as junk. "The more filters you have, the greater the risk of false positives. One false positive does more harm than several spam messages getting through," the analyst said.

Concurring, Andy Norton, Cisco Systems' director of product management and product marketing for IronPort in the Asia-Pacific region, told ZDNet Asia that having more than one spam filter was "not practical at all". He added that it is unlikely any company would engage in such practices.

Norton said in an e-mail interview: "Multiple antispam engines are just as likely to amplify the problem as they are to reduce the problem. Imagine problems resulting from sorting through two quarantine folders or [inconsistent] dealing [of] two copies of [the same] message."

He added that VB's recommendation is viable if a central intelligence tool exists that manages the results from multiple antispam engines and does not add to the current workload on the e-mail infrastructure.

Layering and specialized roles
According to Andrew Klein, product manager at SonicWall, adopting a layering approach was "not unusual" to protect against spam. This, he said, would be similar to deploying antivirus products at various points such as the corporate firewall, or on the client itself.

For instance, an organization may have a filter to manage SMTP (Simple Mail Transfer Protocol) e-mail, and a second antispam tool on the firewall for Web e-mail traffic. Similarly, client-based antispam may also be needed to filter POP traffic, Klein said, particularly for organizations that need to protect users--accessing corporate resources--from receiving improper e-mail messages.

"Some companies may have a network configuration that [requires] some or even all of their e-mail [traffic] flowing through two spam filters, maybe as a consequence of a recent merger or acquisition, or possibly as a by product of their MX (mail exchanger) record routing and configuration," he explained.

"Some companies just feel better with two systems, possibly, they divide the work between them such as having one system [perform] IP reputation while the second [manage] content filtering. Or, they could have one system manage inbound and another do outbound filtering," he added. "So it is not unusual at all to have two spam or more filters."

According to Cisco's Norton, global spam volume in 2010 will register a year-on-year growth of 30 percent to 40 percent. The company's 2009 Annual Security Report noted that developing economies in Asia, such as India and Vietnam, have experienced rising spam levels over the last year.
