anti-spam software: Fighting a tricky enemy

With inboxes increasingly clogged with junk mail, administrators need good weapons to defeat spam. We tested five of the best

Mention the word spam to any e-mail administrator and expect a growl in response.

There are many ways to combat this plague, none of which is 100 per cent effective. Spam purveyors are devious; they continually tweak their distribution mechanisms to defeat detection.

The latest trick is using networks of compromised machines, known as botnets, to do their dirty work, sending thousands of e-mail messages unbeknownst to the machines’ owners, and without revealing who the real villain is. The hapless owner of the culprit PC is the one whose ISP will cut off his or her Internet access (spamming is a major violation of most ISPs’ Terms of Service). The spammer just moves on to another victim.

In corporate networks, a compromised PC can bring a network to its knees by spewing vast amounts of junk e-mail (it will also be virtually useless to its legitimate user). It may also be infected with spyware (spam isn’t all offers for cheap wristwatches and dubious pharmaceuticals) that transmits sensitive information to the spammer, who can sell it to the highest bidder.

Growing industry
IDC says that the worldwide market for anti-spam products will hit $US1.7 billion by 2008, up from $300 million in 2003, achieving a 42 percent compound annual growth rate. According to Ferris Research, up to 500 million seats of anti-spam software will be installed in 2008.

Dozens of companies are targeting this burgeoning market, with technologies for desktop, server, and network. However, IDC predicts a convergence with overall e-mail content security, stating that two out of three executives it interviewed view spam-fighting as part of a larger network security solution.

Probably the best way to defeat spam today is with a multi-layered approach.

No one product is perfect, but if, for example, a company filters mail at the gateway level to skim off the bulk of the spam, then at the server level, to peel off more, and finally at the client level (Microsoft Outlook 2003’s Junk Mail Filter is one option), the amount of junk mail that actually hits an inbox is minimal.

However, since one person’s junk is another person’s sales lead, it is important to ensure that the recipient can examine the mail that’s been filtered out and salvage false positives.

How we tested
We collected information on a number of products that stop spam at or before it hits the mail server. Each uses a combination of techniques to eliminate or at least minimize the number of organ enhancement appeals that land in users’ inboxes. Most offer downloadable evaluation versions so you can determine which works best in your situation.

Prices are in Canadian dollars; U.S. dollar prices have been converted at the current Bank of Canada exchange rate of 1.1582. Vendors usually offer a sliding scale based on number of seats; the base price is quoted.

McAfee SpamKiller
Price: $342.80 for 10 users
Eval available: Yes

McAfee SpamKiller runs on either Microsoft Exchange or Lotus Domino mail servers. It uses technologies from Apache SpamAssassin, an open source spam filtering project, to trap spam. Integration with McAfee ePolicy Orchestrator (ePO), which also manages McAfee’s anti-virus products, means that security administrators have one fewer interface to learn; they can set SpamKiller policies and view reports through ePO.

Technologies used include header analysis, heuristics, Bayesian filtering (explained under Filtering Basics below), black and white lists and content filtering. Exchange users benefit from additional filtering; the program can even prevent sensitive company information from being sent out and automatically replace any e-mail or attachment containing specified words.

Each message is scored, and the program can be configured to let low-scored messages into the user’s inbox for checking, to help avoid false positives.

SpamKiller is available as software, or on a ready-to-go appliance.

Sybari Advanced Spam Manager
Price: $303.40 for 10 users for two years
Eval available: Yes

ASM can run on a gateway server or directly on an Exchange server. Domino support was recently introduced. It can also be integrated into Sybari’s Antigen anti-virus.

Its detection engine is based on SpamCure from Mail-Filters, which uses the combination of an automated engine and a database of signatures created by human editors. In addition, it offers the usual blacklisting, manual whitelisting, and keyword filtering, and can be configured to deal with file attachments. It will even scan within Zip files. It does not use Bayesian filtering.

Suspect messages can be rejected, quarantined, or placed in a user Junk Mail folder for examination, where users can then create rules to deal with future similar e-mail.

Roaring Penguin CanIT Pro
Price: $5.79 per user for the first 300 (minimum $1,738)
Eval available: Yes, 20 days.

Ottawa-based Roaring Penguin’s server product can either be put on a Linux box or a self-contained appliance. It receives and filters mail before it gets to the mail server, and also looks at outgoing mail.

An administrator defines what users can or can’t look at (right down to how the filter decided an offending message was spam). Users then manage their own spam settings within those parameters through a browser interface. Per-user Bayesian filters allow users to teach the software what they define as spam. They can even decide to opt out of spam filtering entirely. CanIT Pro integrates with existing directories so users don’t need yet another password to remember.

CanIT Pro’s filtering techniques run the gamut: keyword search, header analysis, message format analysis, Bayesian statistical analysis, black lists, white lists, grey lists, open proxy lists, DNS verification, Apache SpamAssassin content-filtering rules, sender policy framework (SPF) and more. Customers can enroll in the Roaring Penguin Training Network, which collects tokens (indicators of spam) from consenting customers and distributes them to others to speed the detection of new spam. The program can also be configured to strip or quarantine certain attachments, providing some virus protection as well.

For organizations with 50 or fewer mailboxes, Roaring Penguin offers a basic version of the program (without technical support) at no charge.

Sunbelt Software iHateSpam for Exchange
Price: $571.86 for 25 users
Eval available: Yes, 30 days

iHateSpam for Exchange comes in two editions: a Server edition that integrates with Exchange 2000 and 2003, and a Gateway edition that runs on a separate Windows server and works with Exchange 5.5. It offers two spam detection engines: Cloudmark’s Anti-Spam engine, and Sunbelt’s own, which can be used separately or together (Sunbelt recommends using both, since they complement each other). Cloudmark analyzes input from its users worldwide to generate updates and block attacks in, it claims, 20 seconds to three minutes.

Sunbelt uses the familiar Microsoft Management Console (MMC) interface for management and reporting. It lets the administrator set policies for individual users or groups of users as well as establishing global policies. Users can create their own rules, black lists and white lists (iHateSpam automatically white lists everyone in users’ Outlook contacts), and can examine the mail designated as spam.

Reporting is extensive, and lets the administrator see the top 50 spam recipients, number of spam compared to legitimate messages, stats by detection method, and more.

Symantec Brightmail
Price: $299.97 for 10 users
Eval available: Yes

Brightmail uses 17 filtering technologies, including spam signatures, heuristics, reputation filters, language identification and other proprietary methods in its spam-hunting. A gateway product, it also isolates fraud and phishing messages, and has an optional anti-virus component. It continually receives feeds of signature updates from the vendor (generated from millions of decoy e-mail addresses worldwide), requiring, Symantec says, no tuning or signature administration. User information can be imported from Active Directory or another LDAP directory.

Users can view quarantined mail through a Web interface, or through plug-ins for Outlook and Exchange or Domino, as well as manage their own white lists and black lists and release false positives.

Administrators work through a Web console, setting policies based on domain, group, or even user level. Brightmail provides statistics on its activities across all servers, letting administrators view things like users receiving most spam, sources of spam, message counts, and so forth. Top-line statistics are presented in a dashboard.

Filtering Basics
The filtering technologies in use today fall into five main categories, each with its own pros and cons.

Keyword filtering looks for single words or phrases commonly used by spammers. Unfortunately, some of those words and phrases are also in legitimate e-mails, so expect a lot of false positives.

Pattern matching looks for constant text (keywords), plus variable items like wildcard characters.

Rule-based (heuristic) filtering not only looks at words and phrases, but their context. You can use several rules to drill down and make checking more granular, just as you do if you use your e-mail client’s rules to sort and filter mail. Some programs also filter by character set.

Signature-based filters perform a calculation on each message and compare the result (the hash) to known spam. They can be defeated by randomly altering the message, so they are most effective when used with other techniques.

Bayesian and statistical filtering applies a frequency analysis to each message and determines statistically how likely it is that the message is spam. And it can learn to separate good from bad. For example, the words “free” or “sex” in an otherwise harmless message would automatically get it labeled spam by a rule-based filter, but a Bayesian filter might let it through, based on other factors.
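The contrast between keyword filtering and Bayesian filtering drawn above is easy to see in code. The following is an added example, not code from the article or from any of the products reviewed: a keyword filter that flags any message containing a trigger word, beside a simplified naive Bayes filter trained on a small constructed corpus of spam and legitimate messages. The training messages, keyword list and test messages are all made up for illustration; a real filter trains on thousands of messages and weighs far more features than word presence.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not from the article): short messages
# labelled "spam" or "ham" (legitimate). A real deployment trains on
# thousands of user-classified messages, not eight.
TRAINING = [
    ("spam", "free pills cheap watches buy now limited offer"),
    ("spam", "free money claim your prize now click here"),
    ("spam", "cheap pharmacy pills discount offer buy"),
    ("spam", "win free prize lottery claim now"),
    ("ham",  "the quarterly budget meeting is moved to thursday"),
    ("ham",  "please review the attached contract before the meeting"),
    ("ham",  "free parking is available for the thursday workshop"),
    ("ham",  "the server budget review is attached for thursday"),
]

# Constructed trigger list for the keyword filter.
KEYWORDS = {"free", "pills", "prize", "cheap"}


def tokenize(text):
    """Lower-case the message and split it into alphabetic words."""
    return re.findall(r"[a-z]+", text.lower())


def keyword_filter(text):
    """Keyword filtering: a single trigger word marks the message as spam."""
    return any(tok in KEYWORDS for tok in tokenize(text))


class NaiveBayesFilter:
    """Simplified naive Bayes over word presence with Laplace smoothing.

    Each word contributes how often it appeared in spam versus ham
    messages; the combined evidence gives a spam probability, so one
    suspicious word in an otherwise ordinary message is outweighed.
    """

    def __init__(self, training=()):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        for label, text in training:
            self.learn(label, text)

    def learn(self, label, text):
        """Update the model with one user-classified message (the filter
        'learns' as users mark mail as spam or not spam)."""
        self.docs[label] += 1
        # Count each word once per message (presence, not frequency).
        self.counts[label].update(set(tokenize(text)))

    def _log_likelihood(self, label, tokens):
        n = self.docs[label]
        total = sum(self.docs.values())
        if n == 0 or total == 0:
            return float("-inf")
        logp = math.log(n / total)  # prior: share of messages with this label
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        for tok in set(tokens):
            if tok not in vocab:
                continue  # never-seen words carry no evidence either way
            # Laplace smoothing: (messages of this label containing tok + 1) / (n + 2)
            logp += math.log((self.counts[label][tok] + 1) / (n + 2))
        return logp

    def spam_probability(self, text):
        tokens = tokenize(text)
        log_spam = self._log_likelihood("spam", tokens)
        log_ham = self._log_likelihood("ham", tokens)
        # P(spam) = 1 / (1 + P(ham)/P(spam)), computed in log space.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


if __name__ == "__main__":
    nb = NaiveBayesFilter(TRAINING)
    for msg in ("free coffee at the thursday budget meeting",
                "claim your free prize now"):
        print(f"{msg!r}: keyword={keyword_filter(msg)} "
              f"bayes={nb.spam_probability(msg):.3f}")
```

On the first test message, which contains "free" but is otherwise an ordinary office note, the keyword filter returns True while the Bayesian filter gives a spam probability near 0.01; on the second, both agree it is spam. That is the false-positive difference the paragraph above describes.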

Whitelists and blacklists are also important parts of many spam fighters’ arsenals. A blacklist identifies and blocks traffic from known spamming servers by IP address; a whitelist identifies known safe senders. Unfortunately, it’s all too easy to be incorrectly placed on a blacklist, and difficult to get off it.

Some software can also check to see that a message actually came from the domain it claimed to, a useful way to detect spam that spoofs its source.
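One widely used form of that check is the sender policy framework (SPF) mentioned in the CanIT Pro description: the domain owner publishes, in DNS, which IP addresses may send mail for the domain, and the receiving server compares the connecting IP against that list. Below is an added example of a deliberately simplified SPF evaluator, not the article's or any vendor's code. It handles only `ip4:`, `ip6:` and `all` terms with the standard `+`, `-`, `~` and `?` qualifiers (the `include:`, `a:`, `mx:` and `redirect=` mechanisms of a full implementation are left out), and the DNS records are a constructed dictionary so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records). A real
# evaluator queries DNS for the sender domain's TXT record instead.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "example.org": "v=spf1 -all",  # domain that sends no mail at all
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain, client_ip, txt_lookup=FAKE_DNS_TXT.get):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for a message
    claiming to be from sender_domain that arrived from client_ip.

    Simplified: only ip4/ip6/all mechanisms are evaluated; any other
    mechanism is skipped rather than resolved.
    """
    record = txt_lookup(sender_domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue  # unsupported mechanism in this simplified evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and no 'all' present


def spf_verdict(mail_from, client_ip):
    """Extract the domain from the envelope sender and evaluate its policy."""
    domain = mail_from.rsplit("@", 1)[-1]
    return evaluate_spf(domain, client_ip)


if __name__ == "__main__":
    # Constructed sample: a message claiming to come from example.com,
    # delivered from an address outside its published range.
    print(spf_verdict("sales@example.com", "192.0.2.44"))    # pass
    print(spf_verdict("sales@example.com", "203.0.113.5"))   # fail
```

A "fail" result means the connecting server is not one the domain owner authorized, which is the spoofed-source case the paragraph above describes; "softfail" and "neutral" are weaker signals that filters typically feed into the overall score rather than treat as a rejection on their own.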

Finally, there’s the challenge/response technique. It requires unrecognized senders to visit a Web site the first time they send e-mail to a user, and perform a task such as typing in a random word that’s displayed as a graphic. A human has no problem with this, but for an automated system it’s impossible. Once the task is successfully completed, the sender is whitelisted.