Spam is epidemic. An enterprise may typically receive 20,000 external e-mails per hour, 24 hours per day, and three-quarters of it is either junk or virus-infected. Winnowing this glut of bogus and often malicious messages while allowing legitimate business communication to flow is a huge challenge.
Think of an investment firm trying to filter spam offering "the latest stock tip" without blocking advice to customers; or a hospital stemming the flow of "physique-enhancing pill" e-mails, but not risking missing a genuine patient inquiry.
Fortunately, e-mail security technology has advanced against increasingly sophisticated spamming techniques. Organizations have a wide choice of strong products and managed services to protect vital messaging.
More and more, the products are available in enterprise-class appliances to accommodate the staggering volume of e-mail flooding large organizations. We tested and evaluated four of the leading appliances: BorderWare Technologies' BorderWare MXtreme Mail Firewall, CipherTrust's CipherTrust IronMail Secure Platform, IronPort Systems' IronPort C-Series Email Security Appliance and Symantec's Symantec Mail Security (SMS) 8200 Series.
We discovered that any one of these appliances will do a highly capable job of protecting your organization against spam in addition to providing gateway AV protection--to the extent that this was not a differentiating factor based on our test results.
Accordingly, we evaluated
|About this BakeOff|
Information Security tested four leading e-mail security appliances, focusing heavily on their antispam capabilities and overall suitability for a large enterprise environment.
Since our focus was not on processing power, the exact model was of little import, but, specifically, we tested BorderWare Technologies' MX 400 BorderWare MXtreme Mail Firewall, CipherTrust's CipherTrust IronMail Secure Platform on a standard IBM server, IronPort Systems' IronPort C-60 Email Security Appliance and Symantec's Symantec Mail Security 8200.
Our test lab contained one server running Windows 2003, our SMTP and DNS servers, and Active Directory. Additionally, we had three workstations (Linux and Windows XP SP2) running on a Cisco network backbone. We used a mail generator/mail drain running on a BSD server.
For spam testing, we used the mail generator server to supply us with varying rates of live mail, and received the mail via the mail drain.
All of our testing was done inside a firewall on an isolated network (no outside-facing mail server, which limited our ability to test some third-generation features, such as reputation filtering).
Spam-Squashing
The four vendors have some similarities and also some profound differences in how they filter spam. That being said, they all caught close to 100 percent of the spam we ran through them and registered no false positives. Our e-mail generating tool was a BSD server that simulated generating 1,000,000 messages to 10,000 recipients, allowing us to test the stability and scalability of the appliances. It also allowed us to see how the first- and second-generation spam filters would work under load. We were capable of creating both hard and soft bounces on the mail drain (receiver) as well, which meant that we didn't require an SMTP server for our testing and could conduct everything on an isolated network segment.
The differences in the products' antispam capabilities lie in third-generation technologies, which would be more likely to detect the more sophisticated techniques spammers use to evade detection. Since we used a closed lab environment, we didn't fully test these technologies.
Notably, IronPort and CipherTrust are on the leading edge of integrated antispam technology, primarily through their reputation filters. A reputation filter/service (identity-based filter) is used to analyze who is sending you mail and will block or delay messages based on the reputation of the e-mail source.
Though IronPort is credited with creating the technology, CipherTrust is attempting to push the envelope with its correlation engines. The IronPort reputation service, SenderBase, encompasses 75,000 networks and monitors 25 percent of all e-mail on the Internet. CipherTrust, whose TrustedSource network includes a somewhat smaller sampling of 3,000 enterprises, relies on a series of correlation engines to make inferences among different sources of e-mail.
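The connection-time decision a reputation filter makes, as an added illustration written for this article and not code from IronPort, CipherTrust or any other vendor: an external score for the sending IP is combined with behaviour the gateway itself has observed (how many RCPT TO commands the source had rejected, a sign of a directory-harvest or bulk run) and mapped to accept, delay (temporary failure) or block. The score scale of -10 to +10, the 70/30 weighting, the thresholds, the log format and the IP addresses are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical external reputation feed: source IP -> score in [-10, +10] (assumed scale).
EXTERNAL_SCORES = {"198.51.100.7": 8.0, "203.0.113.5": -3.0}
# Constructed per-connection gateway log lines, not real traffic.
CONNECTION_LOG = ["ip=198.51.100.7 rcpt_ok=20 rcpt_bad=0",
                  "ip=203.0.113.5 rcpt_ok=0 rcpt_bad=50"]
LOG_RE = re.compile(r"ip=(\S+) rcpt_ok=(\d+) rcpt_bad=(\d+)")

class ReputationPolicy:
    # Combines an external reputation score with locally observed sender
    # behaviour and maps the result to an SMTP connection-time verdict.
    def __init__(self, external):
        self.external = external
        self.local = defaultdict(lambda: {"ok": 0, "bad": 0})

    def observe(self, line):
        m = LOG_RE.match(line)
        if m:
            ip, ok, bad = m.group(1), int(m.group(2)), int(m.group(3))
            self.local[ip]["ok"] += ok
            self.local[ip]["bad"] += bad

    def local_score(self, ip):
        # Mostly-rejected RCPT TOs (unknown users) look like a directory-harvest
        # or bulk run; scale the rejected share onto [-10, +10].
        s = self.local[ip]
        total = s["ok"] + s["bad"]
        return 0.0 if total == 0 else 10.0 - 20.0 * s["bad"] / total

    def score(self, ip):
        ext = self.external.get(ip)
        loc = self.local_score(ip)
        return loc if ext is None else 0.7 * ext + 0.3 * loc  # weights are assumed

    def decide(self, ip):
        sc = self.score(ip)
        if sc <= -5.0:  # block outright at connection time
            return "reject", "554 5.7.1 Connection refused: poor sender reputation"
        if sc < 2.0:    # unknown or middling sender: delay with a temporary failure
            return "throttle", "421 4.7.0 Try again later"
        return "accept", "220 mail.example.com ESMTP"

def build_policy(log_lines=CONNECTION_LOG, external=EXTERNAL_SCORES):
    policy = ReputationPolicy(external)
    for line in log_lines:
        policy.observe(line)
    return policy
```

A source with no external score and no history lands in the throttle band, so a brand-new sender is slowed rather than blocked, which is the delay behaviour described above.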
Symantec's Brightmail BLOC (Brightmail Logistics Operations Center) service uses its patented Probe Network, which leverages millions of decoy e-mail accounts to capture spam. This information is then sent to BLOC, where a combination of automated tools and technicians determine if a message is spam. BLOC protects 15 percent of the world's e-mail--about 100 billion e-mail messages per month.
BorderWare's antispam technology comprises first- and second-generation tools, such as whitelists/blacklists, pattern matching and Bayesian filtering. The appliance we tested included the optional Brightmail engine. IronPort offers Brightmail as an add-on module, but the appliance we tested performed very well without it.
Antivirus A La Carte
Enterprises can typically see a 60 to 80 percent reduction in inbound e-mail-borne viral traffic when they use an AV gateway on their SMTP servers.
All the vendors--with the obvious exception of Symantec--use third-party AV technology: CipherTrust uses McAfee/Authentium; IronPort has Sophos; and BorderWare uses Kaspersky Lab and McAfee. IronPort also uses its proprietary Virus Outbreak Filters technology, which scans incoming mail for suspicious patterns that indicate possible zero-day malware attacks.
The AV engines detected everything we threw at them, including an EICAR file and "old" viruses--malware payloads currently living on the Internet. They also detected custom code with viral characteristics that we wrote in our isolated lab.
This was first published in August 2005