This article can also be found in the Premium Editorial Download "Information Security magazine: What's the best IT security advice you've ever received?"
Spam is epidemic. An enterprise may typically receive 20,000 external e-mails per hour, 24 hours per day, and three-quarters of it is either junk or virus-infected. Winnowing this glut of bogus and often malicious messages while
Think of an investment firm trying to filter spam offering "the latest stock tip" without blocking advice to customers; or a hospital stemming the flow of "physique-enhancing pill" e-mails, but not risking missing a genuine patient inquiry.
Fortunately, e-mail security technology has advanced against increasingly sophisticated spamming techniques. Organizations have a wide choice of strong products and managed services to protect vital messaging.
More and more, the products are available in enterprise-class appliances to accommodate the staggering volume of e-mail flooding large organizations. We tested and evaluated four of the leading appliances: BorderWare Technologies' BorderWare MXtreme Mail Firewall, CipherTrust's CipherTrust IronMail Secure Platform, IronPort Systems' IronPort C-Series Email Security Appliance and Symantec's Symantec Mail Security (SMS) 8200 Series.
We discovered that any one of these appliances will do a highly capable job of protecting your organization against spam in addition to providing gateway SMTP server for our testing and could conduct everything on an isolated network segment.
The differences in the products' antispam capabilities lie in third-generation technologies, which would be more likely to detect the more sophisticated techniques spammers use to evade detection. Since we used a closed lab environment, we didn't fully test these technologies. Notably, IronPort and CipherTrust are on the leading edge of integrated antispam technology, primarily through their reputation filters. A reputation filter/service (identity-based filter) is used to analyze who is sending you mail and will block or delay messages based on the reputation of the e-mail source.
Though IronPort is credited with creating the technology, CipherTrust is attempting to push the envelope with its correlation engines. The IronPort reputation service, SenderBase, encompasses 75,000 networks and monitors 25% of all e-mail on the Internet. CipherTrust, whose TrustedSource network includes a somewhat smaller sampling of 3,000 enterprises, relies on a series of correlation engines to make inferences among different sources of e-mail.
Symantec's Brightmail BLOC (Brightmail Logistics Operations Center) service uses its patented Probe Network, which leverages millions of decoy e-mail accounts to capture spam. This information is then sent to BLOC, where a combination of automated tools and technicians determine if a message is spam. BLOC protects 15% of the world's e-mail--about 100 billion e-mail messages per month.
BorderWare's antispam technology comprises first- and second-generation tools, such as whitelists/blacklists, pattern matching and Bayesian filtering. The appliance we tested included the optional Brightmail engine. IronPort offers Brightmail as an add-on module, but the appliance we tested performed very well without it.
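The reputation-based gateway decision described above (block or delay mail by sender reputation, with local whitelists/blacklists taking precedence) is sketched here as an added illustration; it is not code from any of the reviewed vendors. The reputation table, address ranges, score thresholds and retry window are constructed assumptions standing in for a service such as SenderBase or TrustedSource.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample reputation table standing in for a service such as
# SenderBase or TrustedSource. Scores run from -10 (known spam source) to
# +10 (trusted); networks with no entry are unknown senders. All values
# here are assumptions for the example (documentation address ranges).
REPUTATION = {
    ip_network("203.0.113.0/24"): -8.0,   # persistent spam source
    ip_network("192.0.2.0/24"): -2.0,     # mixed history, slightly negative
    ip_network("198.51.100.0/24"): 7.5,   # well-behaved mail provider
}
# Local first-generation controls override the reputation service.
ALLOWLIST = {ip_network("192.0.2.10/32")}
BLOCKLIST = {ip_network("198.51.100.99/32")}

REJECT_BELOW = -5.0   # answer 5xx: clearly bad sender
DELAY_BELOW = 0.0     # answer 4xx: questionable sender must retry
RETRY_WINDOW = 300    # seconds a delayed sender must wait before retrying

@dataclass(frozen=True)
class Verdict:
    action: str       # "accept", "delay" or "reject"
    smtp_code: int    # SMTP reply code the gateway would return
    reason: str

class ReputationFilter:
    def __init__(self):
        self.first_seen = {}   # ip -> time of first delayed attempt

    @staticmethod
    def score_for(addr):
        return next((s for net, s in REPUTATION.items() if addr in net), None)

    def decide(self, ip: str, now: float) -> Verdict:
        addr = ip_address(ip)
        if any(addr in net for net in BLOCKLIST):
            return Verdict("reject", 550, "local blocklist")
        if any(addr in net for net in ALLOWLIST):
            return Verdict("accept", 250, "local allowlist")
        score = self.score_for(addr)
        if score is None:
            # No history: leave the call to content filters (pattern, Bayesian).
            return Verdict("accept", 250, "unknown sender; content filters decide")
        if score < REJECT_BELOW:
            return Verdict("reject", 550, f"reputation {score} < {REJECT_BELOW}")
        if score < DELAY_BELOW:
            # Greylisting: real MTAs queue and retry after a 4xx, most spamware does not.
            first = self.first_seen.setdefault(ip, now)
            if now - first < RETRY_WINDOW:
                return Verdict("delay", 451, f"reputation {score}; retry later")
            return Verdict("accept", 250, f"reputation {score}; retried after delay")
        return Verdict("accept", 250, f"reputation {score}")
```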
Antivirus A La Carte
Enterprises can typically see a 60 to 80% reduction in inbound e-mail-borne viral traffic when they use an AV gateway on their SMTP servers.
All the vendors--with the obvious exception of Symantec--use third-party AV technology: CipherTrust uses McAfee/Authentium; IronPort has Sophos; and BorderWare uses Kaspersky Lab and McAfee. IronPort also uses its proprietary Virus Outbreak Filters technology, which scans incoming mail for suspicious patterns that indicate possible zero-day malware attacks.
The AV engines detected everything we threw at them, including an EICAR file and "old" viruses--malware payloads currently living on the Internet. They also detected custom code with viral characteristics that we wrote in our isolated lab.
This was first published in October 2005