In the ever-changing fight to block spam, here are some of the major detection
Whitelist/blacklist contains networks or domain names that are either trusted or untrusted to send legitimate e-mail.
Real-time blacklist (RBL) identifies servers that send out spam or are known to be open relays. (This definition is seen differently across various vendors.)
Message header tests examine the contents of the header or message body, checking for valid IP addresses, sender addresses and destination addresses.
Bayesian filtering is a statistical approach to spam detection based on the probability of an individual word being used in a spam message. These filters must be constantly "trained" to understand variations of a word that a spammer may use. They can be circumvented by the use of HTML in the body of an e-mail message, though newer Bayesian filters are learning to combat this problem.
Machine learning typically consists of advanced statistical techniques run by an artificial intelligence engine to not only provide advanced e-mail text-based filtering (statistics), but to adjust or adapt itself based on the e-mail it's seeing (artificial intelligence).
Reputation filtering, based on very large samples of traffic, develops spam origination locations and blocks those locations.
Traffic shaping operates at the packet level. It not only looks at locations of spam senders, but actively controls the bandwidth allowed from those IP addresses to reduce the amount of mail it will even allow to be seen by the antispam appliance.
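Bayesian filtering as described above, shown as an added illustration rather than code from the article or from any of the reviewed appliances: a minimal naive Bayes word filter trained on a small constructed corpus, scoring a plain spam message, a plain ham message, and a message using the HTML tag-splitting trick the paragraph mentions, with and without stripping tags before tokenizing. The corpus, class and function names are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not from the article): three ham and three spam messages.
HAM = [
    "meeting agenda for thursday project review attached",
    "can you review the quarterly budget spreadsheet before friday",
    "lunch at noon then back to the project meeting",
]
SPAM = [
    "free viagra cheap pills order now limited offer",
    "click here free offer cheap prescription pills",
    "order cheap pills now free shipping click",
]
TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[a-z]+")

def tokenize(text, strip_html=True):
    """Lower-case word tokens as a set (presence, not count). Removing tags first
    defeats the tag-splitting evasion ('ch<b></b>eap' becomes 'cheap' again)."""
    if strip_html:
        text = TAG_RE.sub("", text)
    return set(WORD_RE.findall(text.lower()))

class BayesianFilter:
    """Per-word spam probabilities with add-one smoothing, combined in log space."""
    def __init__(self):
        self.words = {True: Counter(), False: Counter()}  # keyed by is_spam
        self.n = {True: 0, False: 0}                      # messages seen per class
    def train(self, text, is_spam):
        self.words[is_spam].update(tokenize(text))
        self.n[is_spam] += 1
    def word_prob(self, word):
        # P(spam | word) from smoothed P(word | spam) and P(word | ham); unseen words score ~0.5
        p_s = (self.words[True][word] + 1) / (self.n[True] + 2)
        p_h = (self.words[False][word] + 1) / (self.n[False] + 2)
        return p_s / (p_s + p_h)
    def spam_probability(self, text, strip_html=True):
        probs = [self.word_prob(w) for w in tokenize(text, strip_html)]
        if not probs:
            return 0.5
        log_s = sum(math.log(p) for p in probs)       # evidence for spam
        log_h = sum(math.log(1 - p) for p in probs)   # evidence for ham
        return 1.0 / (1.0 + math.exp(log_h - log_s))

def build_filter():
    """Train one filter on the constructed corpus above."""
    f = BayesianFilter()
    for text, is_spam in [(m, False) for m in HAM] + [(m, True) for m in SPAM]:
        f.train(text, is_spam)
    return f
```

With `strip_html=False` the obfuscated message tokenizes into fragments the filter has never seen, so every word scores 0.5 and the message is undecidable; stripping the tags first restores the known spam words.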
Installation/Configuration
Enterprise products may not be plug-and-play, but one of the key benefits of an appliance is that it shouldn't require a lot of professional services or hours on the phone with tech support to get up and running. Our evaluation considered the documentation supplied and whether we could complete an installation without vendor professional services. If technical support was required, we evaluated their professionalism, courtesy and knowledge.
IronPort was clearly the smoothest installation, followed by CipherTrust. Symantec and BorderWare were somewhat problematic.
Once the appliances were installed, CipherTrust and IronPort presented the smoothest configuration experiences; the former because of its engineering support, the latter because of its documentation. On the other hand, they offer far wider sets of configuration options than either Symantec or BorderWare, so the experience may be more complex and time-consuming depending on how finely the appliance is tuned.
The IronPort installation starts with a command-line wizard and moves smoothly into a Web-based interface. A clear one-page installation check-off list and succinct Quick Start Guide helped us zip right through. The wizard was truly a fill-in-the-blanks installation. The only hiccup was at the end of the Web-based component, which failed due to cookies being disabled in Internet Explorer--an undocumented issue. We completed the install using Firefox (alternatively, we could have enabled cookies in IE). CipherTrust was the only vendor to insist on a telephone-supported installation, which went smoothly; our feeling was that we could have done well on our own. The manuals are nicely laid out, with plenty of screen shots and pictures of the appliance. Wizards--though not quite as polished as IronPort's--for both the command line and browser interfaces guide you through the installation. However, the software update process is somewhat kludgy (you must query the update service for each update). CipherTrust's installation team was highly knowledgeable and very professional.
CipherTrust provides the most robust set of predefined filters, including antispam and antivirus settings based on industry best practices. Very few changes or modifications would be needed to configure your appliance for state-of-the-art e-mail protection. The only real challenge for CipherTrust is adding new rules, which requires a command-line style of coding. Wizards would make this a more complete package.
The BorderWare installation was more problematic. The appliance was sent without manuals; when we did receive the documentation, it was for a different model, but was close enough to get us through.
There were no pictures of the device to identify the network cards, and the network adapters don't follow a standard right-to-left or left-to-right convention (0, 1, 2 or 2, 1, 0). Only after three hours of trial-and-error testing to see whether the box was live or dead did we figure out that the internal firewall drops ping packets. When the device responded to HTTPS, we finally determined which network adapter we had actually configured.
Once the command-line wizard is complete, you are left with a DOS-like menu that lacks a top menu bar to show possible menu selections (we accidentally pressed an arrow key and another menu box showed up). Neither the documentation nor online installation help gives any guidance on whether to choose an automatic or manual installation.
But, the license, software update and security processes are well thought out and straightforward. Setting up the box for mail was completed via a slick wizard. BorderWare provides a basic set of default rules, but changing settings is simply a matter of selecting check boxes.
The Symantec installation began with a three-day ordeal troubleshooting what turned out to be a bad box. The good news was Symantec's response: The company brought in any and all resources needed to remedy the situation, and it listened to its customer. Technicians dialed remotely into the appliance, and together we spent nearly six hours total over the three days trying to correct the problem. In the end, they sent a new box, which installed flawlessly.
This experience revealed two issues. First, Symantec's registration process needs to be more flexible and allow direct IP addressing: the installation problem stemmed from the appliance's inability to use DNS to find Symantec's registration site, so we could not move into the browser-based interface to control the box. Second, we had to use the command line, but Symantec admittedly "hides" the available command-line commands in the dark recesses of its documentation. The technical support folks stated flatly that they don't want customers using the command line.
Two other problems plagued this installation: The physical connectors are so poorly placed that we resorted to using old Cat 3 Ethernet cables (without rubber "hoods") to plug in; the same was true of the video cable. We had to "work" the video connector into the physical boundaries of the appliance.
On the plus side, the beauty of the Symantec configuration process is that, once you complete the command-line wizard, the basic mail settings are complete. This was a clear advantage over the other appliances. The default policies are very basic, but the intuitive wizard makes creating new policies easy.
This was first published in August 2005