Spam blockers

Antispam appliances use layered filtering to stop spam and viruses.

Spam. You can pay for it now, or you can pay for it later. Spam is more than an irritation; it is a costly affliction. The important questions are when you pay to rid yourself of it and how much.

The worst way to pay for spam is after it has found its way into your agency's network and onto end users' computers. Productivity suffers seriously when 80 percent or more of the messages in users' inboxes are spam. Simply deleting them is time consuming, and important messages may be erased along the way.

Also, equipment costs and information technology staff time spent trying to respond to spam-clogged e-mail servers are considerable.

In 2003, spam cost U.S. businesses more than $10 billion in productivity loss, according to some studies. Other research shows that U.S. enterprises spend an average of $49 per e-mail user per year to handle the extra load imposed by spam.

The cost of spam must be measured by more than the disposal effort. Some spamming techniques, such as phishing and spoofing, pose significant risks to individuals and organizations. With these methods, messages are disguised as coming from reputable sources in order to solicit sensitive information from users, such as credit card numbers and bank account details.

A variety of approaches to snagging spam

Techniques used to identify spam are varied and complex, and many solutions employ more than one. One of the simplest is a guilty-until-proven-innocent approach known as challenge-response. With this technique, a challenge is sent in reply to each received e-mail, asking the sender to confirm that they sent the message. If no response is received, the antispam software treats the original message as spam and the sender is placed on a blacklist.

E-mail administrators and individual users can upload their address books to the white list, which lists e-mail addresses, IP addresses and domains that are permitted to send e-mail messages and can therefore bypass the authentication process.

Vendors who employ this technique claim 100 percent accuracy in detecting spam and other e-mail-related threats. With this method, however, legitimate e-mail can be discarded along with spam, waiting for senders to respond delays delivery, and automated senders such as mailing lists and order-confirmation systems never answer a challenge at all.

Word filtering is another relatively simple method for snagging spam. This method targets terms in the e-mail subject line or text such as "Viagra" or "hair growth" and then deletes the message at the mail server. The basic problem with this approach is that spammers can easily avoid the filter by inserting spaces, asterisks or other symbols between the letters.

Rule-based filters are more sophisticated than word filters. They also check for words in e-mails, but unlike word filters, this technique assigns a point value to words. For example, an e-mail containing the word "discount" might receive a +1 rating for that word. That same message may contain another word such as "pills," which would be assigned +3 points. The higher the score, the greater the probability that an e-mail message is spam. Once a message reaches a certain threshold, it is flagged as spam.
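To make the two approaches concrete, here is an added example, written for this page and not taken from any of the reviewed products, of a word filter that normalizes the spacing and symbol tricks spammers use before matching, combined with rule-based point scoring and tag/quarantine/delete thresholds. The rule weights, thresholds and sample messages are constructed for illustration.

```python
import re

# Constructed rule set: term -> points. Weights are illustrative, not any vendor's.
RULES = {
    "viagra": 5,
    "pills": 3,
    "hair growth": 3,
    "discount": 1,
    "free": 1,
}

# Illustrative score thresholds; an appliance lets the administrator tune these.
TAG_THRESHOLD = 3         # deliver, but mark the subject line
QUARANTINE_THRESHOLD = 6  # hold for user review
DELETE_THRESHOLD = 9      # discard


def normalize(text):
    """Undo the obfuscations that defeat a plain word filter.

    Lower-cases the text, removes symbols wedged directly between letters
    ("v*i*a*g*r*a" -> "viagra") and joins runs of three or more single
    spaced letters ("v i a g r a" -> "viagra"). The first step also turns
    "e-mail" into "email", which is harmless for matching purposes.
    """
    text = text.lower()
    text = re.sub(r"(?<=[a-z])[^a-z0-9\s]+(?=[a-z])", "", text)
    text = re.sub(
        r"\b(?:[a-z]\s+){2,}[a-z]\b",
        lambda m: re.sub(r"\s+", "", m.group(0)),
        text,
    )
    return re.sub(r"\s+", " ", text).strip()


def score(message):
    """Return (total points, matched terms) for a message.

    Each rule fires at most once per message, so repeating a word does not
    inflate the score.
    """
    text = normalize(message)
    total = 0
    hits = []
    for term, points in RULES.items():
        if re.search(r"\b" + re.escape(term) + r"\b", text):
            total += points
            hits.append(term)
    return total, hits


def classify(message):
    """Map the score onto the three actions an appliance typically offers."""
    total, hits = score(message)
    if total >= DELETE_THRESHOLD:
        action = "delete"
    elif total >= QUARANTINE_THRESHOLD:
        action = "quarantine"
    elif total >= TAG_THRESHOLD:
        action = "tag"
    else:
        action = "deliver"
    return action, total, hits


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in [
        "Cheap V*I*A*G*R*A pills, discount for you",
        "Our spring discount on hair growth products",
        "Meeting moved to 3pm, agenda attached",
    ]:
        print(classify(msg), "<-", msg)
```

The normalization step is what separates this from the word filter the article describes: the "V*I*A*G*R*A" message still scores 9 and is deleted, while the legitimate discount announcement only reaches the tag threshold, which is why administrators are expected to tune the thresholds rather than accept a fixed cut-off.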

Blacklists are a common spam-blocking technique employed by software and appliance solutions. With this approach, once a spammer is identified, its IP address is added to a list. Solutions that rely in part on maintaining blacklists create honeypots — systems that collect spam for identification and blacklisting.
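An added example, not code from any product on this page, of how an appliance consults a shared blacklist over DNS (the real-time black-hole lists mentioned later in the review): the connecting IP address is reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means the address is listed. The zone name bl.example, the resolver stub and the listed addresses are constructed for illustration; a real deployment sends the query to a DNS resolver.

```python
import ipaddress

# Constructed stand-in for a live DNS blocklist zone. Public lists work the
# same way: a query for the reversed IP under the list's zone returns an A
# record in 127.0.0.0/8 when the address is listed and no answer (NXDOMAIN)
# when it is not. The last octet usually encodes the reason for the listing.
FAKE_ZONE = {
    "1.2.0.192.bl.example": ["127.0.0.2"],     # listed as a spam source
    "2.2.0.192.bl.example": ["127.0.0.4"],     # listed as an open relay/proxy
    "3.2.0.192.bl.example": ["198.51.100.7"],  # not a 127/8 answer: see lookup()
}
REASON_CODES = {"127.0.0.2": "spam source", "127.0.0.4": "open relay"}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Build the DNSBL query name for an address.

    IPv4: reverse the octets (192.0.2.1 -> 1.2.0.192.<zone>).
    IPv6: reverse the 32 hex nibbles of the expanded address, one label each.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def fake_resolve(name):
    """Offline resolver: returns the A records for a name, [] for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


def lookup(ip, zone, resolve=fake_resolve):
    """Return (listed, reason) for an address.

    Only answers inside 127.0.0.0/8 count as a listing. A list whose domain
    has lapsed can end up answering every query with an unrelated address,
    which would block all incoming mail if the answer were taken at face value.
    """
    for answer in resolve(dnsbl_name(ip, zone)):
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            return True, REASON_CODES.get(answer, "listed (" + answer + ")")
    return False, "not listed"


if __name__ == "__main__":
    for ip in ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.9"]:
        print(ip, lookup(ip, "bl.example"))
```

The 127/8 range check is the caveat worth keeping: a list that has gone dark and started answering every name is indistinguishable from one that lists the whole Internet unless the answer itself is validated.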

For the most part, all e-mail firewalls use a cocktail approach of employing some combination of these techniques to identify and block spam. Most antispam solutions — whether software or an appliance — at least rely on updates of blacklists and virus signatures, so expect an annual subscription fee to be part of the overall cost.

For our review, we chose to test antispam appliances from three vendors: Barracuda Networks, CipherTrust Inc. and BorderWare Technologies. These products are used more widely among our Federal Computer Week readers, according to a recent survey.

In general, we found that such e-mail firewalls do a good job of addressing important concerns, such as security, manageability, availability and scalability, in relatively cost-effective ways.

Each appliance we tested had a different look and feel, but they were all easy to use. Each box was already configured to protect against denial-of-service attacks or could be configured within minutes, and they all suggested rules and scoring thresholds for spam filtering. We easily added multiple domains to filter and define company-specific rules such as blacklists and white lists.

Each product scanned every e-mail for viruses and could search attachments for hidden dangers within compressed files. All of the devices were easy to install, configure and maintain, and each used many layers of filters, open-source and customized, to defend against spam and viruses.

However, there were some differences among the products. For example, BorderWare and CipherTrust excelled in providing a feature-rich administration interface, customizable features, and extensive monitoring and reporting capabilities. All of the products offered a number of different models and configurations.

The biggest distinction among the three appliances is price. CipherTrust's product is the most expensive, but we found BorderWare's product just as capable at a fraction of the cost. Barracuda's product is the least expensive but it can still adequately serve a budget-sensitive agency.

New kid on the block

Barracuda's appliance is a newcomer to the antispam market.

The Firewall 300 is a 1U rackmountable box built from off-the-shelf hardware that runs a hardened version of Linux. Its architecture uses open-source virus and spam solutions in conjunction with 10 layers of protection: denial-of-service protection, IP block lists, rate control, virus scanning with archive decompression, a proprietary virus check, Bayesian analysis (a statistical approach that takes prior information into account in the determination of probabilities), user-specified rules, spam fingerprint checks, intention analysis and rule-based scoring. Barracuda provides upgrades for the system and application software with a simple one-click download. The company's operations center continuously monitors the Internet for trends in spam and virus attacks, then builds and supplies updates to all Barracuda customers. The product is simple to administer and is inexpensive compared to the competition.

The main screen shows real-time statistics such as e-mails that have been blocked, quarantined, tagged and permitted. This information is displayed in terms of hours, days and totals. Basic hardware health is monitored from the same interface. I appreciated having this information visually but was disappointed that I couldn't find a way to generate statistical reports.

The Firewall 300 was one of the easiest products I tested to set up and administer. I logged on to the console to enter initial IP information and then connected to the device through the Web interface to adjust the rest of the settings. I set spam and virus definitions to update on a regular basis throughout the day and set the spam-scoring thresholds to tag possible spam, quarantine likely spam and delete definite spam. This didn't take long, and although documentation did provide some guidance, it was somewhat of a mystery trying to figure out the best threshold settings. I also easily set my own blacklists and white lists for accepted and denied domains and individual e-mails.

I added a list of file extensions that would be blocked by the Firewall 300, and defined words that would be filtered when the appliance looked at header, subject and body fields of messages. This was easy to do, but it would have been beneficial for Barracuda to provide a default list.

One of the more interesting features of the Firewall 300 is its Exchange Accelerator, which is a Lightweight Directory Access Protocol (LDAP) interface that works with any LDAP server. Accelerator protects your mail server from dictionary attacks by using an LDAP query to ensure that the recipient of a new message has a mailbox on the mail server. If the query doesn't return a result, the appliance generates a nondelivery e-mail, which is returned to the sender.
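The recipient-verification idea behind Exchange Accelerator, as an added example that is not Barracuda's code. The directory lookup is a constructed set standing in for the LDAP query, and the gate rejects unknown recipients during the SMTP transaction with a 550 rather than accepting the message and generating a bounce afterwards, which keeps forged sender addresses from receiving backscatter. It also counts invalid recipients per client address so that a dictionary attack is cut off after a few probes; the limit, the addresses and the mailbox list are assumptions.

```python
import re

# Constructed directory standing in for the LDAP-backed list of real mailboxes.
# In production this set is replaced by a directory query, for example an LDAP
# search with the filter (mail=<address>) against the agency's directory server.
KNOWN_MAILBOXES = {"alice@agency.example", "bob@agency.example"}

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)


class SmtpGate:
    """Recipient verification at the SMTP edge, with harvest rate limiting.

    mailbox_exists: callable returning True if the address has a mailbox.
    max_unknown:    invalid recipients tolerated per client address before
                    the session is dropped (an assumed value).
    """

    def __init__(self, mailbox_exists, max_unknown=3):
        self.mailbox_exists = mailbox_exists
        self.max_unknown = max_unknown
        self.unknown_by_client = {}

    def handle_rcpt(self, client_ip, line):
        """Return the SMTP reply for one RCPT TO command.

        Rejecting during the transaction (before DATA) means the message is
        never accepted, so no bounce has to be sent to a sender address that
        a spammer most likely forged.
        """
        m = RCPT_RE.match(line)
        if not m:
            return "501 5.5.4 Syntax error in parameters"
        address = m.group(1).strip().lower()
        if self.mailbox_exists(address):
            return "250 2.1.5 Recipient OK"
        count = self.unknown_by_client.get(client_ip, 0) + 1
        self.unknown_by_client[client_ip] = count
        if count > self.max_unknown:
            # Dictionary attack in progress: drop the session rather than keep
            # confirming which addresses are valid one probe at a time.
            return "421 4.7.0 Too many invalid recipients, closing connection"
        return "550 5.1.1 User unknown"


def run_probe(gate, client_ip, addresses):
    """Feed a sequence of RCPT TO commands from one client; return the replies."""
    return [gate.handle_rcpt(client_ip, "RCPT TO:<%s>" % a) for a in addresses]


if __name__ == "__main__":
    gate = SmtpGate(lambda a: a in KNOWN_MAILBOXES, max_unknown=2)
    # Constructed harvest attempt: alphabetical guesses from a single source.
    probe = ["alice@agency.example", "aaron@agency.example",
             "abby@agency.example", "abel@agency.example"]
    for addr, reply in zip(probe, run_probe(gate, "203.0.113.5", probe)):
        print(addr, "->", reply)
```

The per-client counter never decays in this example; a real gate ages the counts out so that a legitimate list server with a few stale addresses is not cut off permanently.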

If a company already has load-balancing hardware in place, multiple Firewall 300s can be installed. However, the appliance doesn't have built-in failover capabilities. So if the box fails, mail in the queue waiting to be processed would be lost. As a result, regular backups should be routine with this appliance.

The bottom line: Barracuda's Firewall 300 is the most affordable solution in the roundup.

Advanced detection sets IronMail apart

IronMail is a 1U rack-ready appliance powered by IBM Corp. Serve 305. It is a result of CipherTrust's work in providing firewall and intrusion detection for e-mail systems, which gives it a strong background in security and a leg up on Barracuda.

I connected the unit to my test network through a console to set up IP information, then I turned to the Web-based interface to perform all other administrative tasks.

IronMail's confidence-based detection, which uses a proprietary algorithm to change the threshold that determines if a message is spam, sets it apart from the competition. Unlike other products, IronMail takes the scores from each of the spam-detection techniques and combines them into a cumulative result. CipherTrust officials call this spam profiling. Their antispam technologies are grouped into six categories: connection analysis, lexical analysis, protocol analysis, authentication protocols, traffic pattern analysis and auto learning. In addition, CipherTrust's research department constantly scans messages on the Internet and automatically adjusts threshold settings on servers to optimize spam blocking.

Additional filtering options supported by IronMail include reverse Domain Name System (DNS) lookups, real-time black-hole lists, header analysis and dictionary-based filtering. Similar to BorderWare's MXtreme appliance, IronMail's dictionaries for spam and pornography let you check for words from each category and assign point values.

I was impressed with IronMail's Dashboard, which is a Web-based interface that gives administrators real-time statistics on many of the server's functions, such as hardware health, bandwidth, e-mail traffic and more. Using Dashboard, an administrator has a bird's-eye view of the server's health and e-mail traffic patterns. I liked IronMail's ability to automatically export log files via FTP to other servers for a detailed picture of e-mail and spam activity.

The bottom line is that IronMail comes with a hefty price tag, but the device's track record, innovative tools and ease of use make it an excellent choice for quickly deploying an antispam and antivirus solution.

Everything but the kitchen sink

BorderWare's MXtreme MX400 is a 1U device that employs an Intel Corp. Xeon processor with a highly modified and hardened version of FreeBSD.

MXtreme also has a host of e-mail perimeter security features, including antivirus protection, mail-encryption features and everything but the kitchen sink to combat spam. Spam-fighting tools include pattern matching, statistical token analysis, real-time black-hole lists and distributed checksum clearinghouses. The last two techniques rely on outside services to identify spam by matching known mail server offenders or by identifying bulk messages based on how often the messages have been seen by mail servers.
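Statistical token analysis, the Bayesian approach also named in the Barracuda description above, as an added example written for this page (not BorderWare's or Barracuda's implementation). The training messages are constructed; a deployed filter learns from the agency's own spam and legitimate mail.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokens(text):
    """Token presence set: a word counts once however often it appears."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayes spam scoring over message tokens."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_probability(self, tok):
        """P(spam | token), with add-one smoothing so unseen words stay neutral."""
        p_in_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
        p_in_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
        return p_in_spam / (p_in_spam + p_in_ham)

    def spam_probability(self, text):
        """Combine per-token probabilities in log-odds space.

        Multiplying many small probabilities directly underflows; summing
        log(p / (1 - p)) does not, and the logistic function maps the sum
        back to a probability between 0 and 1.
        """
        logit = 0.0
        for tok in tokens(text):
            p = self.token_probability(tok)
            logit += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-logit))


# Constructed training corpus; a deployed filter learns from the site's own mail.
SPAM_SAMPLES = [
    "cheap pills discount order now",
    "buy cheap viagra pills online",
    "discount pills free shipping order today",
    "free money click now",
]
HAM_SAMPLES = [
    "meeting agenda attached for monday",
    "please review the budget report before monday",
    "lunch order for the team meeting",
    "attached is the draft report for review",
]


def trained_filter():
    f = BayesFilter()
    for s in SPAM_SAMPLES:
        f.train(s, True)
    for h in HAM_SAMPLES:
        f.train(h, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ["cheap pills discount now", "draft budget report attached", "order"]:
        print("%.3f" % f.spam_probability(msg), "<-", msg)
```

Unlike the hand-assigned weights of a rule-based filter, the weights here come from the mail the site actually receives: "order" appears in both corpora and lands near 0.6, while words seen only in legitimate traffic pull a message toward zero. That is also why a purchasing department that legitimately trades in "sale" and "order" ends up with a filter tuned to its own traffic without an administrator editing word lists.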

MXtreme was the only product in this group that offers BrightMail as a built-in option. BrightMail, called a reputation service, monitors hundreds of thousands of e-mail sources to determine how much mail sent from these addresses is legitimate and how much is spam. The company gathers information from user reports and from its Probe Network, a collection of decoy e-mail inboxes designed to catch spam, to determine whether a given IP address sends valid or junk messages. And unlike the CipherTrust and Barracuda appliances, MXtreme uses Kaspersky Lab's antivirus engine and attachment filtering. BorderWare officials prefer this virus-detection engine because virus profiles are distributed on a more frequent schedule. Kaspersky's response time to major virus threats is usually under eight hours, compared to the typical 24 hours.

One of the major benefits of MXtreme is its reporting and auditing capabilities. The product offers dozens of predefined reports that can be generated in HTML, PDF and other formats, and they can be automatically e-mailed to predefined addresses.

MXtreme also offers granular administration, allowing multiple administrators to control specific portions of the appliance. For example, a department within an agency could control blacklists and filtering options specific to them. If a department deals with purchasing, officials may wish to be more lenient with e-mails containing words such as "sale," "order" and "buy." MXtreme also was the only appliance that actually had Common Criteria certification for Evaluation Assurance Level 4+. Another plus for MXtreme is its failover capabilities. When two MXtreme mail firewalls are running on the same network and one becomes unavailable for some reason, the second unit takes over seamlessly. This is a tremendous advantage for agencies where e-mail communication is of paramount importance.

The bottom line is that MXtreme is reasonably priced considering the number of features and technology that are packed in this appliance. Also, its Common Criteria certification could be appealing for agencies requiring a high level of security.

Kvitka is a principal of an information technology and Web development company. He can be reached at andre@digitalrig.com.
