Rules for tools: Buying the right e-mail security product

E-mail Security School guest instructor Joel Snyder offers practical advice for purchasing antivirus, antispam and e-mail policy control solutions.

by Joel Snyder

Buying e-mail security products is just like buying any security product -- sort of. While the same principles apply, the problem is that you have too many e-mail security choices. If you want to buy a database or an operating system, you basically have three or four options. Even for messaging systems, the field is pretty narrow. But start talking about antispam and antivirus technologies and you'll find dozens of products, each promising to be better than the next. That makes things more complicated and the decision-making process particularly difficult. Here's my advice.

Establish your requirements

I get a lot of e-mail from folks asking which of two antivirus or antispam products is better. These folks haven't done the first, and most critical, step in their search: defining requirements. When you know what you want a product to do, it makes the buying process simpler.

Most enterprises choose to "pre-treat" their e-mail before it hits their main messaging system (such as Exchange or Notes). So I'll use that as an example for how to pick products. Take a "divide and conquer" approach. Divide your search for e-mail security products into at least three components: antispam, antivirus and policy controls. Products that sit in front of the corporate messaging system usually have one or more of these components. Start by deciding what you require. If you're not sure, then stop right here – because you need to be sure. Whoever sent you on this wild goose chase must carefully define your company's needs.

Evaluate deployment options and performance

Let's continue by assuming that you want all three components. Next, see if your organization has any other global requirements, for example a preferred deployment model. E-mail security products are available as services, appliances or software you install on your own server. Is one strategy better for you than another? It's OK to say "no." You shouldn't make the deployment model a requirement just because it seems like a good idea.

If you haven't thought about outsourcing your e-mail security, now is the time to do so. You need to be sure whether a service-based approach benefits you before discounting it. In the antispam and antivirus world, you'll always find a service component, either in the form of frequently automated updates or as a completely outsourced filtering system. Because antispam and antivirus are far from the core concerns of every enterprise, they are ideal technologies to outsource. Being "better" at antispam is not going to help your company manufacture safer widgets, I promise. So, it's not an area where you want to spend a lot of time getting good.

Computing message peaks

To determine your peak per-second message load, take the number of messages you receive in a day and divide it by 10,000. Divide your total daily messages by 100,000 for the average load. For example, if you get one million messages a day, you are going to have an average load of about 10 messages per second, and you'll see peaks of up to 100 messages per second.
While you're considering these alternatives, think about performance requirements. You should buy a product or server that can accommodate your peaks (See sidebar on how to compute peaks). This is harder than it seems because many of the antispam vendors have taken an imaginative approach to describing their products' performance. For example, one up-and-coming appliance supplier quotes its performance as 10 times what it actually is, on the theory that 90% of your e-mail is spam and will get blocked. Don't fall for that kind of marketing sophistry. Test the products yourself or work with an independent lab to get true performance numbers for the products you're considering.

Determine if antivirus is a differentiator

You will need to refine your core requirements to narrow the field of contenders. Antivirus is a fairly stable market, so you're going to find it difficult to differentiate products based on their capabilities. One of the few factors that some vendors tout is "statistical antivirus," meaning they run each message through multiple scanners, any one of which can reject the message. Decide whether this matters and put it in your requirements if it does. Other antivirus techniques are available, such as heuristic antivirus and near-zero-day protection. If you consider antivirus a serious and primary threat, you may want to include these kinds of newer technologies in your requirement list.

Focus on users when choosing antispam

You'll find much greater variation in the antispam and policy-based controls of products, which makes it easier to disqualify products that don't meet your needs. For antispam, start with per-user capabilities. More than anything, this distinguishes products. Consider the following:

  • Do you need a per-user quarantine?
  • If so, how will users get to this quarantine?
  • Do you want a Web-based system, an e-mail notification or both?
  • How much control do you want to put in the hands of users?

You'll have several options for granting user control. Some products let end users create their own white and black lists. Others allow users to control spam sensitivity settings. Some take the tag-and-deliver approach, where e-mail is tagged with its "spam score" (typically in a header or the subject line), and filtering rules in the end-user e-mail client either file or delete the spam based on the tags. This gives the user instantaneous access to their quarantine, at the cost of having to receive and store a great deal of unwanted e-mail.
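The tag-and-deliver approach just described, as an added client-side illustration that is not part of the original article: a small Python filter reads the gateway's spam tag and files or deletes the message, using two thresholds so a false positive lands in a Junk folder rather than being destroyed. The X-Spam-Score header name and the "[SPAM]" subject prefix are assumptions, not any product's documented behaviour.

```python
"""Client-side tag-and-deliver filter: route mail on the gateway's spam tag.
Assumed (not any product's documented behaviour): the gateway writes an
X-Spam-Score header (SpamAssassin-style number) and/or a "[SPAM]" Subject prefix.
"""
from email import message_from_string
from email.message import Message
from typing import Optional

# Two thresholds so borderline mail is filed, not destroyed: a false
# positive in the "probable spam" band stays recoverable by the user.
FILE_THRESHOLD = 5.0     # score at or above this -> Junk folder
DELETE_THRESHOLD = 15.0  # score at or above this -> discard
SUBJECT_TAG = "[SPAM]"


def spam_score(msg: Message) -> Optional[float]:
    """Return the gateway's numeric score, or None if absent or malformed."""
    raw = msg.get("X-Spam-Score")
    if raw is None:
        return None
    try:
        return float(raw.strip())
    except ValueError:
        return None


def route(raw_message: str) -> str:
    """Decide 'inbox', 'junk' or 'delete' for one RFC 822 message."""
    msg = message_from_string(raw_message)
    score = spam_score(msg)
    tagged = msg.get("Subject", "").startswith(SUBJECT_TAG)
    if score is None:
        # No usable score: a subject tag alone files the message, never deletes it.
        return "junk" if tagged else "inbox"
    if score >= DELETE_THRESHOLD:
        return "delete"
    if score >= FILE_THRESHOLD or tagged:
        return "junk"
    return "inbox"


# Constructed sample messages (not real mail).
SAMPLES = {
    "clean": "Subject: Q2 report\r\nX-Spam-Score: 0.3\r\n\r\nbody\r\n",
    "borderline": "Subject: [SPAM] newsletter\r\nX-Spam-Score: 6.1\r\n\r\nbody\r\n",
    "blatant": "Subject: [SPAM] you won\r\nX-Spam-Score: 22.8\r\n\r\nbody\r\n",
    "untagged": "Subject: hello\r\n\r\nbody\r\n",
    "bad_header": "Subject: [SPAM] x\r\nX-Spam-Score: n/a\r\n\r\nbody\r\n",
}
```

Running `route()` over `SAMPLES` files the borderline and malformed-score messages, discards only the blatant one, and leaves untagged mail in the inbox.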


If you're trying to minimize end-user interaction, make that a requirement. In that case, you don't want quarantine or per-user settings, and you certainly don't want tag-and-deliver. But you will need to be extraordinarily sensitive to false positives, so be sure you get greater control over various antispam settings. You might require the ability to tune pieces of the whole antispam engine or even to disable individual signatures. You definitely do not want to touch these things unless you absolutely have to, so don't require them unless you are serious about the need.

In any case, you need to decide on a strategy. I've looked at a lot of antispam products, and no single product excels at all strategies, no matter what the vendor claims. Choose your path ahead of time, and you'll be able to focus on the parts of the product that truly matter to you -- and avoid compromising on a product that does everything, but nothing very well. While many factors differentiate antispam products, user focus and control will do more to establish your baseline requirements than any other.

Next page: Policy control and completing the buying process

This was last published in April 2005
