Spam drives users crazy, makes life difficult for mail administrators, and drives up costs. We evaluate five packages that aim to ease the burden on your mail servers.
In this review we take a look at the software that attempts to take unwanted e-mail and put it into a can--and not the type with the easy-to-open key, either. For some reason these annoying e-mails have been making more and more headlines over the past few months (while the actual level of spam has not really increased that much, or at least that's what some researchers say).
There are many different categories of spam, from the "go all night like a stallion" offers from companies who obviously fail to realise that I personally don't need any help in that department, to the "This is not a get rich quick scheme but you can make US$50,000 in 10 easy steps" messages that immediately make me think "if it's that simple, what am I doing here?" These then escalate to the more directly fraudulent and malicious scams going around, such as the notorious 419, advance-fee, or Nigerian scam, which has apparently netted some shifty characters some relatively easy money. (For more information see one example here or another example here.) Other e-mail that also falls into this unwanted/undesirable category, and is virtually impossible to stop, is hoax mail. Hoaxes are e-mails purporting to warn and inform recipients of a virus, worm, or security issue with their PC and urging them to immediately forward the e-mail to everyone in their address book, local community, and then greater metropolitan area. These can also have damaging effects, particularly for less experienced users, because some hoaxes encourage the user to delete files in the belief that they are infected with a virus. (For more information see Symantec's hoax centre or HoaxKill.)
The vendors who submitted products for this review are in the business of providing applications that integrate with existing mail server software such as Sendmail or Microsoft Exchange, or sit as an intermediary between the mail server and the client. Once installed and configured, these applications then filter each and every e-mail message to that server looking for identifiers and clues that can signify that a particular e-mail that is being received is unsolicited. The software either removes it totally without any question or flags it and quarantines it for the administrator to check at a later date. The administrator can either allow the delivery to go through, manually delete the file, or add a new rule to stop that particular domain or mail server in the future.
How do they work?
Now you may be wondering how the application knows whether an e-mail message is genuine or unsolicited. There are several ways, including reverse lookup, IP blocking (sometimes using blacklists), and heuristic scanning.
Reverse lookups take the return e-mail address of the sender, strip off the name and the @ symbol, and check firstly whether the domain name is valid and secondly whether there is a mail server listening for that domain name. Spammers often use fake e-mail addresses to cover their tracks, so a reverse lookup eliminates those return addresses that are obviously fake.
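As an added illustration (not code from any of the reviewed products), the following Python implements the reverse-lookup check just described: the domain is cut out of the return address, checked for syntactic validity, and then checked for a mail server. The DNS resolver is injected as a callable so the logic can be exercised offline against a constructed zone table; in production you would pass a function backed by a real resolver library. The domain names and addresses in the table are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical resolver interface: (name, record type) -> list of answers, [] if none.
Resolver = Callable[[str, str], List[str]]

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def sender_domain(return_path: str) -> Optional[str]:
    """Strip the display name and the local part from a return address such as
    'Sales <sales@example.com>' and return the domain, or None if it is malformed."""
    m = re.search(r"<([^<>]+)>", return_path)
    addr = m.group(1) if m else return_path.strip()
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return domain


def reverse_lookup(return_path: str, resolve: Resolver) -> str:
    """Return 'ok', 'invalid-domain' or 'no-mail-server' for a return address."""
    domain = sender_domain(return_path)
    if domain is None:
        return "invalid-domain"
    mx = resolve(domain, "MX")
    if mx == ["."]:
        # "Null MX" (RFC 7505): the domain explicitly declares it accepts no mail.
        return "no-mail-server"
    if mx or resolve(domain, "A"):
        # An MX record, or the RFC 5321 fallback of delivering to the A record.
        return "ok"
    return "no-mail-server"


# Constructed zone data standing in for real DNS answers.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["mail.example.com"],
    ("nomx.example", "A"): ["192.0.2.10"],
    ("nullmx.example", "MX"): ["."],
}


def table_resolver(name: str, rtype: str) -> List[str]:
    return FAKE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    for addr in ("Sales <sales@example.com>", "bob@nomx.example",
                 "x@nullmx.example", "x@bogus-domain.invalid", "not an address"):
        print(f"{addr!r}: {reverse_lookup(addr, table_resolver)}")
```

One caveat a real deployment needs: a resolver that times out looks identical to a domain with no records, so a production check should distinguish a lookup error (and defer the message with a temporary failure) from a definite "no such mail server" (and reject it).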
IP blocking rules
IP blocking rules are relatively simple and can be set up in one of two ways. The first is in hindsight--once either an IP address or domain or even a specific e-mail address has been found to be generating unsolicited e-mail, that IP address, domain, or e-mail address can be added to the list and blocked for all future messages. This is very similar to the rules that can be set up in most popular e-mail client software applications.
Rules can be tricky and time consuming to set up and administer, and, as mentioned, they are generally applied only after an unwanted message has already gotten through or been quarantined.
The second way of applying rules is semi-automatic: there are companies who provide blacklists of domains and IP addresses that are known havens for spammers to send their bulk e-mails out from. These blacklists can be used as a plug-in to spam filtering software, to provide up-to-date blocking and trashing of unsolicited e-mails.
These blacklists can prove to be a bit of a double-edged sword. Even though they can easily provide a readily updated and quite thorough list of domains and IP addresses to block, they may also automatically block some quite legitimate services that are trying to get through.
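To make the two points above concrete, here is an added Python example (not taken from any of the reviewed products) of a rule engine that matches a message's sender address, sender domain, or sending host against administrator-defined rules, and consults an allow list before the block list so that a subscribed blacklist covering a legitimate partner's range cannot silently drop that partner's mail. It also builds the query name used by DNS-based blacklists (the address reversed under the list's zone), which is the standard lookup form the article does not spell out. All addresses, domains and the zone name are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class RuleSet:
    """One list of rules; the same shape is used for blocking and for allowing."""
    addresses: Set[str] = field(default_factory=set)   # exact sender addresses
    domains: Set[str] = field(default_factory=set)     # sender domains, subdomains included
    networks: List = field(default_factory=list)       # ipaddress networks of the sending host


@dataclass
class Verdict:
    action: str    # "accept" or "quarantine"
    reason: str


def domain_matches(domain: str, rule: str) -> bool:
    domain, rule = domain.lower(), rule.lower()
    return domain == rule or domain.endswith("." + rule)


def sender_domain(sender: str) -> str:
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else ""


def evaluate(sender: str, client_ip: str, block: RuleSet, allow: RuleSet) -> Verdict:
    """Decide what to do with a message from `sender` handed over by the host at `client_ip`.
    The allow list is consulted first: an over-broad blacklist must not override
    an explicit decision that this sender is wanted."""
    ip = ipaddress.ip_address(client_ip)
    dom = sender_domain(sender)
    for rules, action in ((allow, "accept"), (block, "quarantine")):
        if sender.lower() in rules.addresses:
            return Verdict(action, "address rule")
        if any(domain_matches(dom, d) for d in rules.domains):
            return Verdict(action, "domain rule")
        if any(ip in net for net in rules.networks):
            return Verdict(action, "network rule")
    return Verdict("accept", "no rule matched")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Name to resolve when consulting a DNS-based blacklist: the address written
    backwards under the list's zone, e.g. 192.0.2.10 -> 10.2.0.192.dnsbl.example.
    A positive answer would normally be fed into the block rules above."""
    rp = ipaddress.ip_address(client_ip).reverse_pointer   # "10.2.0.192.in-addr.arpa"
    return rp.rsplit(".", 2)[0] + "." + zone


# Constructed rules: a hand-maintained block list plus a subscribed-style network range...
BLOCK = RuleSet(addresses={"bulk@spammer.example"},
                domains={"spammer.example"},
                networks=[ipaddress.ip_network("198.51.100.0/24")])
# ...and the senders we must always hear from, even if a list covers their range.
ALLOW = RuleSet(domains={"partner.example"},
                networks=[ipaddress.ip_network("198.51.100.7/32")])

if __name__ == "__main__":
    for sender, ip in (("news@partner.example", "203.0.113.5"),
                       ("offer@mail.spammer.example", "203.0.113.5"),
                       ("bob@example.org", "198.51.100.20"),
                       ("bob@example.org", "198.51.100.7")):
        print(sender, ip, evaluate(sender, ip, BLOCK, ALLOW))
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example"))
```

The order of evaluation is the whole point: the allow list is the administrator's answer to the "legitimate services blocked" problem, and it has to win over any list that arrives from a third party.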
What's an open relay?
Spammers are generally considered a nefarious lot who will resort to any tactics to get as many millions of e-mails as possible out to the addresses in their databases. And the majority of spammers do not want to have to utilise their own equipment and/or bandwidth--they prefer to leech off other legitimate e-mail servers that are running less than secure mail services. There are quite up-to-date, detailed lists available on many cracker/hacker sites detailing the IP addresses of spammer "friendly" mail servers. Many of these open mail servers are unwittingly donating their services and resources to these spammers.
Most recent releases of mail server software have a separate section for configuring specific "relay" domains; these are single or multiple domain names and/or IP address ranges that the particular mail server is allowed to send mail for. You may have noted the "message could not be sent--relaying denied" error if trying to send e-mail from your notebook on an unfamiliar Internet connection such as in a hotel or at a conference.
However, not all mail administrators do this correctly, and if poorly set up, the server will relay mail from external IP addresses, an open invitation to spammers.
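The following Python is an added example, not the configuration of any product in the review, of the relay decision a correctly configured server makes for each RCPT TO command: accept mail addressed to its own domains, accept outbound mail from trusted internal networks, and refuse everything else with the "relaying denied" reply mentioned above. Authenticated SMTP is included as the usual way to serve the roaming-notebook case without opening the relay. The `is_open_relay` probe is the check a blacklist provider effectively performs. Domains and address ranges are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class RelayPolicy:
    local_domains: Set[str]   # domains this server delivers for
    trusted_networks: List    # ipaddress networks allowed to send outbound mail through us

    def decide(self, client_ip: str, rcpt_to: str, authenticated: bool = False) -> Tuple[str, str]:
        """SMTP reply (code, text) for a RCPT TO from the host at client_ip."""
        domain = rcpt_to.strip("<>").rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return ("250", "OK")              # inbound mail for our own domains: always accepted
        if authenticated:
            return ("250", "OK")              # SMTP AUTH: the user in the hotel, without an open relay
        if any(ipaddress.ip_address(client_ip) in net for net in self.trusted_networks):
            return ("250", "OK")              # internal ranges we trust to relay outbound mail
        return ("550", "Relaying denied")     # everyone else: this is what keeps us off the blacklists


def is_open_relay(policy: RelayPolicy) -> bool:
    """The probe a blacklist provider runs against a server: an unknown outside host
    asks for delivery to a foreign domain. Any acceptance means the relay is open."""
    code, _ = policy.decide("203.0.113.9", "someone@elsewhere.example")
    return code == "250"


# Constructed configurations: a correct one, and the common misconfiguration of
# trusting every address range (the "open invitation to spammers").
GOOD = RelayPolicy({"example.com", "example.net"}, [ipaddress.ip_network("10.0.0.0/8")])
OPEN = RelayPolicy({"example.com", "example.net"}, [ipaddress.ip_network("0.0.0.0/0")])

if __name__ == "__main__":
    print("inbound:", GOOD.decide("203.0.113.9", "bob@example.com"))
    print("outside to outside:", GOOD.decide("203.0.113.9", "bob@elsewhere.example"))
    print("internal outbound:", GOOD.decide("10.1.2.3", "bob@elsewhere.example"))
    print("GOOD open relay?", is_open_relay(GOOD), "OPEN open relay?", is_open_relay(OPEN))
```

Running the probe against your own server from an outside address, before someone else does, is the cheapest way to find out whether you are about to spend days getting off a blacklist.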
Blacklist providers--at least in theory--monitor for open relay servers and, if they find one, add it to the blacklist. Once an IP address or mail server is blacklisted, the administrator is usually notified, as naturally they may want to rectify the open relaying issue and have themselves removed from the blacklist.
This can be a big issue for mail administrators. If your mail server is put on a blacklist, then companies using that blacklist service to filter spam will not receive any mail from your server, no matter how legitimate it is. And this problem can take days to fix: firstly you need to fix your relaying problem, submit your request for testing and removal from the blacklist, and then wait for the test to pass and the IP address to be removed from the blacklist, and then wait again until the blacklist end-user updates its blacklist file on the anti-spam application. So you can see that blacklists, while providing a handy tool to anti-spam applications, can also cause problems.
Another factor to take into consideration is that these blacklists are not regulated or held to any standards, so it is worth checking the background of the company that is providing the blacklists you subscribe to. Find out how regularly servers are checked and updated, and what testing they perform to ensure that a mail server that is reported to them is actually allowing spam relaying, and not just the victim of a rogue user who decided on a whim to get into the business of spamming.
An emerging technique for dealing with spam messages is heuristic scanning of each message's content. Heuristic scanners operate on a list of rules that indicate a particular e-mail may or may not be spam. For example, they analyse the mail headers for tell-tale signs such as mail client software that is used for sending spam, or if the mail client has modified its headers to look like they came from a regular e-mail client such as Outlook. They analyse the content of the e-mail for giveaway signs such as being all in capitals, containing suspect phrases such as "no-risk investment", and many others. Depending on the complexity and accuracy of the rules, and how up-to-date they are, heuristic scanners can be a lot less hit-and-miss than the other techniques we discussed.
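As an added example (an illustration written for this review, not the rule set of any product in it), the Python below scores a message against a small list of weighted heuristic rules of the kinds mentioned above: a header that claims Outlook while lacking the Message-ID a real Outlook always adds, a constructed bulk-mailer name in X-Mailer, an all-capitals subject, and suspect phrases in the subject or body. Weighting and adding up several rules, rather than rejecting on any single match, is what keeps a heuristic scanner from being hit-and-miss. The rule weights, threshold, phrases and both sample messages are constructed.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from typing import Callable, List, Tuple


@dataclass
class Rule:
    name: str
    score: float
    test: Callable[[Message, str], bool]   # (parsed message, body text) -> fired?


def body_text(msg: Message) -> str:
    """Collect the text/plain content of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


SUSPECT_PHRASES = re.compile(r"no-risk investment|get rich quick|\d+ easy steps", re.IGNORECASE)


def forged_mua(msg: Message, body: str) -> bool:
    # Claims to be Outlook, yet lacks the Message-ID header a genuine client always adds.
    return "outlook" in (msg.get("X-Mailer") or "").lower() and msg.get("Message-ID") is None


def shouting_subject(msg: Message, body: str) -> bool:
    letters = [c for c in (msg.get("Subject") or "") if c.isalpha()]
    return len(letters) >= 8 and all(c.isupper() for c in letters)


RULES: List[Rule] = [
    Rule("forged-mua", 3.0, forged_mua),
    Rule("bulk-mailer", 3.0, lambda m, b: "bulkblast" in (m.get("X-Mailer") or "").lower()),  # constructed tool name
    Rule("shouting-subject", 2.0, shouting_subject),
    Rule("suspect-phrase", 2.5,
         lambda m, b: SUSPECT_PHRASES.search((m.get("Subject") or "") + "\n" + b) is not None),
]
THRESHOLD = 5.0   # constructed; in practice tuned against your own mail to limit false positives


def classify(raw: str) -> Tuple[bool, float, List[str]]:
    """Return (is_spam, total score, names of the rules that fired)."""
    msg = message_from_string(raw)
    body = body_text(msg)
    hits = [r for r in RULES if r.test(msg, body)]
    score = sum((r.score for r in hits), 0.0)
    return score >= THRESHOLD, score, [r.name for r in hits]


# Constructed sample messages.
SPAM_SAMPLE = """\
From: "Investor" <win@mail.spammer.example>
To: you@example.com
Subject: NO-RISK INVESTMENT!!!
X-Mailer: Microsoft Outlook Express 6.00
Content-Type: text/plain; charset=us-ascii

This is not a get rich quick scheme but you can make US$50,000 in 10 easy steps.
"""

HAM_SAMPLE = """\
From: Alice <alice@example.com>
To: you@example.com
Subject: Lunch on Thursday
Message-ID: <constructed-id-1@example.com>
X-Mailer: Microsoft Outlook 10.0
Content-Type: text/plain; charset=us-ascii

Are you free for lunch on Thursday? I can do 12:30.
"""

if __name__ == "__main__":
    print("spam sample:", classify(SPAM_SAMPLE))
    print("ham sample:", classify(HAM_SAMPLE))
```

Each rule on its own is weak evidence (plenty of legitimate mail has a shouted subject), which is why the decision rests on the sum and why the threshold and weights need tuning against a sample of your own legitimate mail before going live.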
Anyway, enough of the background, let's have a look at the products. We received spam filters from the following vendors: SurfControl, McAfee, NetIQ, GFI, and Clearswift.
We installed all these applications onto a generic Intel Pentium 4-based server running Windows 2000 Advanced Server. This ran in conjunction with a Digital server running Microsoft Exchange 2000, via a live test e-mail system running records from external name servers across the internet.
Clearswift MailSweeper v4 for Exchange and MailSweeper v4.3 SMTP with Spamactive
Clearswift has two products that we looked at, both of which may be of some use in filtering e-mail messages and removing or flagging spam.
The first that we looked at is MailSweeper v4 for Exchange. Once we had downloaded the MailSweeper software and unzipped it, we first needed to install the Mimesweeper Technology software before proceeding to the MailSweeper installation. Part of the Mimesweeper installation requires a server restart.
Once the server has restarted, you can open the actual MailSweeper installation program, which gives you a choice of four installation modes: one-to-one, standalone, distributed, and remote management. We chose standalone, although the recommended installation in this case would be one-to-one, with separate mail and anti-spam servers.
An interesting note: our installation wouldn't proceed until we installed Microsoft Outlook XP on the server, which seems a bit odd.
Configuration and administration is via the Mailsweeper for Exchange 2000 console. This console gives you Windows Explorer-like control of the application via similar windows and tasks. You can also start and stop the receive services and check their status via command prompt instructions.
Mailsweeper operates its initial rule set from a policy-based application, including several default policies designed to get you up and running and teach you the basics of policy creation.
The second application that we had a look at from Clearswift was the Mailsweeper v4.3 for SMTP with the Spamactive option. Spamactive, as its name suggests, is targeted directly at the prevention of spam, whereas the MailSweeper v4.0 for Exchange had a spam definitions policy file but was not as targeted as Spamactive itself.
Installation of Mailsweeper v4.3 for SMTP was similar to that of v4.0 for Exchange, differing mainly in a part of the install/config routine that allows you to specify which type of scanning you would like to implement on mail messages being processed by the application.
Spamactive (being a separate application) then needed to be installed. This was a straightforward exercise. Once that is installed you can then create a new policy classification for spam under MailSweeper and also add a new incoming mail scenario and add the Spamactive Anti-spam filter configured to your needs.
Overall the Mailsweeper application's installation and configuration routines, while workable, were somewhat clunky and not very smooth, particularly in requiring the installation of multiple applications and associated server reboots. Something to note, however, is the availability on the Clearswift Web site of downloads such as power tools, which provide utilities for administrators to create blacklists and filter Web and mail content, and also a utility to allow remote Web monitoring of the application.
While most of these features are built into some of the other applications in the review, they are not as individualised as the power tools download. This application seemed to us to be a programmers' application and not as refined as most. This is not to say it was not functional, just more complex to set up and configure than it really needed to be. Clearswift's support was very good and responsive to our requests.
Fully configurable with full support for future updates.
Provides comparatively good return on investment.
Additional contract available.
GFI MailEssentials for Exchange/SMTP 8
MailEssentials can either be installed on the mail server itself or on a separate server, and it can run either in conjunction with Exchange itself or with a separate SMTP server. We installed it on the Exchange server itself, and installation was quite straightforward, with a single restart of the SMTP services required before the installation was completed.
MailEssentials configuration and monitoring are two separate applications.
The overall configuration and the included databases of criteria for allowing/denying mail are very detailed and quite extensive. There is also the ability to import and implement black and white lists, and also text files of keywords to use in scanning the body and/or the subject headers of e-mail messages. GFI has even included the ability to block e-mails that use different language character sets.
Administrators can keep the separate monitoring window open in the background to quickly monitor the status of the application and the number of e-mails processed. The blocking control of messages is relatively straightforward: either sending the files to a directory specified by the administrator, redirecting them to another e-mail account, or deleting them totally.
Overall this is a very neat and tidy package that is relatively simple and straightforward to install and configure. The well-designed administration console makes what could be quite a difficult task more logical and easier to complete, while the separate monitoring window enables the administrator to see the exact status of the filtering application while it is running.
Windows 2000 or XP Pro with any SMTP mail server.
Fully configurable with full support for future updates.
A freeware version is available if you don't need support. Pricing options are very good.
No service available for freeware version, but 12-month warranty included in paid version.
McAfee SpamKiller for Microsoft Exchange Small Business v2.0
Installation was a walk in the park. Put it this way: the licence manual accompanying the package is 130 pages or so, the installation guide is 16 pages, with only two pages dedicated to the actual installation. The application must be installed on the Exchange 2000 server itself, which must have at least SP2, the .NET framework, and Microsoft Data Access Components 2.7 installed. (The application installation will install .NET and MDAC for you if necessary.)
Configuration was equally easy, with a simple step (once the application is installed) of adding the existing users and/or groups into the SpamKiller user group section of the Active Directory service. Note that SpamKiller has a limitation of 500 users per server. A simple test e-mail from an external source is then sent to the server and, provided that checks out, the installation and configuration have been successful.
The administration console for SpamKiller is very simple to operate and understand. However, the specific individual rule commands may seem a little daunting at first. A quick read of the 38-page product guide PDF (that is installed with the application) gives you an understanding of how to progress and create custom rules. The application comes with a vast array of pre-defined rules, as well as allowing the administrator to specify additional downloaded blacklists and whitelists.
While far simpler to install and administer than some of the other packages in this roundup, there are certain features that could be further refined, such as the creation and administration of rules. This, however, is more of a design/operability issue than a functionality issue, and some administrators may be more than happy with the current design.
Fully configurable with full support for future updates.
An inexpensive solution for SMEs with up to 100 mailboxes.
12-month warranty included in purchase price.
NetIQ MailMarshal v5.5
The MailMarshal documentation is very thorough and quite technically orientated giving a deep and insightful background into the workings and operation of this application and the related e-mail and DNS technologies. You will need to modify your existing Exchange configuration and even possibly your firewall and DNS settings to allow the required ports and access for this application. It is recommended you run SQL Server v7 for the logging and reporting features of this application. Like Surfcontrol's spam filtering application, the MailMarshal software is also orientated to the larger organisations requiring the more powerful feature sets and specific control points.
Installation is certainly more involved and difficult than the likes of McAfee's and GFI's products; however, NetIQ has managed to keep it as simple as possible while still maintaining the installation and configuration features that a system administrator requiring a package of this level would need to control.
After some of the initial configuration is completed as part of the installation, such as defining Internet domain(s) and relaying/forwarding hosts/ports, the main MailMarshal configurator is launched.
Overall the main configuration of this application is fairly straightforward with excellent assistance given in the manual and also via the application's help system. You can define wildcards within the rules as well as blocking individual categorised domains, users, junk mailers, etc.
The application status is monitored via a separate application, the MailMarshal Console. This console provides a wealth of resource information to the operator.
For such a fully featured and powerful application, the design and implementation are quite amazing. The documentation left nothing to be desired, and the overall look and feel of the whole process was quite impressive.
Fully configurable with full support for future updates.
Excellent solution and investment for larger or growing enterprises.
Additional contract available.
SurfControl E-Mail Filter v4.5
Surfcontrol E-Mail Filter gives you the option of working either with a generic SMTP server or Exchange v5.5. The installation then adds Microsoft Data Access Components (MDAC) 2.5 Service Pack 1 to your system. Then you proceed to enter the e-mail address of the security administrator (where the alerts will be sent) and also your primary Internet domain name. Next you select what type of database engine you want to save the logs to. You must then select whether the system that you are installing the application on is actually your mail server or a separate server. As we were running separately with the SMTP version, we were then asked to configure the application with the mail server's IP address and port, and also whether we were relaying outgoing mail via another external server or using the SMTP/outgoing service of the current server.
This is where, if anywhere in the installation, you can go wrong. It's possible to set up a continuous loop of mail back to itself, which is something that I managed to do inadvertently in my fervour to get the package running. Thank goodness SurfControl has easily viewed status windows and also an individual control panel that allows you to start and stop each of the three services individually (receive, rules, and send), so it was a simple matter of stopping the send service temporarily while we rerouted the ports correctly.
Once the installation and configuration have been completed you can begin to set up the individual rules that will administer your filter system.
There are no rules set up by the application by default. The rules are extremely powerful, giving control options above and beyond that of traditional offensive spam. The administrator can implement such rules as file size, tracing competitor e-mails both to and from your company, and job search rules. This could be seen by some employees as an invasion of their privacy and rights; however, provided they were notified as part of their work policy that their e-mail messages may be tracked based on these types of information, then why shouldn't the user beware? Particularly in this day and age of productivity gains through marginal time and resource cropping.
Overall the package was very well documented, easy to set up and administer, and quite a flexible solution. Again of particular note was the well-designed main interface window that shows the administrator the real-time flow of traffic through the application. Another feature of interest was the Web interface for monitoring and viewing the application status, allowing system administrators to view the application from wherever they had access to a live Internet browser.
Microsoft SQL Server 7.0/2000 or Microsoft Database Engine (MSDE)
Microsoft Data Access Components (MDAC) 2.5 SP1
Maximum mail clients supported: depends on license.
An interesting point to consider that was raised during the testing of these filters and something that would need to be addressed by the larger organisations implementing spam-filtering is that of newsletters and/or circular messages that users may have subscribed to and legitimately need to receive via their e-mail. For smaller companies, this is simply a matter of the administrator changing some rules to allow messages from that sender through to the recipient. However in larger enterprises, it may not be so simple to implement a strategy to allow this e-mail through and may add quite a large resource overhead to the IT department's workload.
Another distinguishing feature of these applications is that the companies involved in manufacturing and distributing them are very proactive and hands-on, in several cases even offering to send pre-sales engineers on site to demonstrate and run through the features and benefits of their particular application. Believe it or not, this is quite exceptional for us during a review, particularly when it comes to server software such as this.
Of particular note was a Clearswift technician who contacted us immediately when we e-mailed a request for help. We also received a follow-up call from the local MailMarshal distributor, following our download of their evaluation key from the Web site. These types of examples and experiences go to show that there are still some industry sectors that are devoted to customer service and support.
Clearly there are two distinct types of spam filtering available. Firstly, there are the small to medium enterprise (SME) level packages; then there are the larger scale applications more suited to a multinational, large educational institution, or SME that is planning to grow and wants to implement a strong foundation from the beginning so as to avoid the interruptions and possible hassles that changing in midstream can cause. The lighter packages more suited for SMEs would be the likes of MailEssentials and SpamKiller, whereas MailMarshal and Surfcontrol cater for the larger scale applications.
Whether you like it, hate it, or are indifferent to it, spam (unsolicited e-mail, junk e-mail, e-mail advertising, broadcast e-mail marketing, call it what you will) is a fact of our Internet experience. The packages that we tested here all go some way to reducing the pain for those of us who find it annoying or detrimental to the business's resources. However, none can effectively claim to remove 100 percent of the spam flowing through the mail server. Certainly the packages that involve updateable black and white lists go some way to help, but, as with anti-virus packages, they would need to be regularly updated, as the opposition is always finding new ways around the defences.
Sample scenario
Company: Naqoyqatsi Import/Export - This company wants a spam filtering plug-in to use on its mail server.
Approximate budget: Open.
Requires: A spam filtering package that will run with Microsoft Exchange 2000 serving 50 users.
Concerns: Company management wants the package to remove as much spam as possible, but is also aware of the need to minimise false positives. The technical staff wants to make sure the package is easy to configure and tweak, and that it doesn't adversely affect mail server response times.
Best solutions: The winner for this scenario would have to be McAfee SpamKiller--its overall simplicity is a refreshing change from the usual complexity that some of these spam filtering applications and similar security/filtering software packages can sometimes involve.
We'll also award an Editor's Choice to the clear winner in the enterprise-level packages: NetIQ MailMarshal. Its thorough documentation and powerful feature set combined with its relative ease of installation, configuration, and administration make it a hard application to beat.
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own--only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.