Server-Based Spam Control

5 antispam software products for Microsoft Exchange Server

John Green

December 27, 2004


I don't need to bore you with a lengthy discussion about how much spam costs your organization. You're in the trenches; you grapple with the problem every day. Although home users often have no choice but to install antispam software on their home computer, you know that a server-based approach brings the enterprise significant advantages, such as requiring less time for you to implement and administer the system, and a lower per-user purchase price for the software.

I tested five server-based antispam software solutions designed specifically to integrate with Microsoft Exchange Server and take advantage of the Exchange features that Microsoft exposes to software developers: Sunbelt Software's iHateSpam for Exchange, Server Edition; GFI Software's GFI MailEssentials for Exchange/SMTP; Red Earth Software's Policy Patrol Enterprise; DataEnter's XWall for Microsoft Exchange with XWALLFilter; and Nemx Software's Power Tools for Exchange-Internet Edition. I installed each product on a Windows Server 2003/Exchange Server 2003 system and ran it through its paces.

Filtering Methods and Testing Criteria
Each of these software packages offers several filtering technologies that let you customize how email is analyzed to determine the probability that a message is spam (unsolicited email) or ham (legitimate email). Some of these technologies use server-based information to analyze the content of a message, while others compare attributes of a message to whitelists (i.e., lists of known valid email addresses) and to blacklists (i.e., lists of known spammers) that are maintained by third-party organizations and located on their remote servers. Although the method of comparing message attributes against blacklists can improve spam recognition rates when compared with some server-based algorithms, it can also incur processing delays because it requires remote network queries. Messaging administrators will need to evaluate the necessity and value of these remote query-based algorithms in their particular environment.

Semantic filtering, in which the presence of specific words or phrases is an indicator that a message is spam, is a common technique that each of the products in this review supports. Bayesian filtering uses mathematical algorithms to analyze the content of spam and ham email, then uses the analysis results to predict the likelihood that an incoming email message is spam. Bayesian filtering has proven to be among the most effective of filtering techniques but, like voice-recognition software, relies upon what it learns from an organization's spam and ham email. In a typical corporate environment, this learning process can take a week or longer.
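The learning dependence described above, shown with a small token-based naive Bayes scorer. This is an added example, not code from any of the reviewed products; the training messages are constructed, and the tokenizer and smoothing are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$'-]+")

def tokens(text):
    """Lowercase word tokens; each token counts once per message."""
    return set(TOKEN.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.msgs = {"spam": 0, "ham": 0}                    # messages seen per class
        self.counts = {"spam": Counter(), "ham": Counter()}  # messages containing each token

    def train(self, text, label):
        self.msgs[label] += 1
        self.counts[label].update(tokens(text))

    def spam_probability(self, text):
        if not self.msgs["spam"] or not self.msgs["ham"]:
            raise ValueError("train on both spam and ham before scoring")
        # Start from the prior odds, then add each present token's evidence.
        log_odds = math.log(self.msgs["spam"] / self.msgs["ham"])
        for tok in tokens(text):
            # Add-one smoothing keeps unseen tokens from forcing 0 or 1.
            p_spam = (self.counts["spam"][tok] + 1) / (self.msgs["spam"] + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (self.msgs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        # Numerically stable logistic function.
        if log_odds >= 0:
            return 1 / (1 + math.exp(-log_odds))
        e = math.exp(log_odds)
        return e / (1 + e)

# Constructed training mail (not taken from any real mailbox).
SPAM = [
    "Cheap meds online, no prescription needed",
    "You are a winner! Claim your free prize now",
    "Free prize: cheap loans approved now",
]
HAM = [
    "Minutes from the budget meeting are attached",
    "Can we move the Exchange migration meeting to Friday?",
    "Quarterly budget report attached for review",
]

def build_demo_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, "spam")
    for m in HAM:
        f.train(m, "ham")
    return f

if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("Claim your cheap prize now",
                "Budget meeting moved to Friday",
                "Zebra umbrella"):  # no trained vocabulary: score stays at the prior
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

A message made only of words the filter has never seen scores exactly at the prior, which is why the filter is of little use until it has been trained on the organization's own mail.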

To evaluate these products, I examined the variety of filtering technologies each supports, as well as the flexibility the product gives you to customize it. I looked at reporting capabilities, ease of implementation, and usability and effectiveness of any available administrative tools. Evaluating the effectiveness of each product's filtering capability was beyond the scope of my testing.

iHateSpam for Exchange, Server Edition
Sunbelt Software's iHateSpam for Exchange, Server Edition installs on Exchange 2000 and Exchange 2003 servers. The software employs semantic, rules-based, and blacklist filtering to quarantine or delete unsolicited email.

According to the product documentation, iHateSpam as installed out of the box will identify 90 percent of spam email. You can increase the product's spam identification rate by customizing its features. For example, iHateSpam lets you define global filters that apply to all users. Using global filters, you can create lists of email addresses, domains, and names that are always allowed or always filtered. Custom rules let you create your own criteria for identifying a message as spam. When a message fits the criteria, the message's spam weight is incremented by the weight factor you associated with the rule. The message's final weight, after all filters are applied, determines whether the message is deleted, quarantined, or delivered. Finally, you can define a custom policy: a set of filtering criteria that applies to any mailbox you assign to that policy. Out of the box, all mailboxes are assigned to iHateSpam's default policy.

iHateSpam also provides a number of statistical reports if you install the optional reporting component. The reports are available in either graphical or text format. A few of the available reports are: spam messages identified by user, the 50 users who are receiving the most spam, number of spam messages identified within a time range you specify, number of spam and ham messages received, messages captured by each filter, and messages handled by the filtering engine.

iHateSpam's administrative interface is a Microsoft Management Console (MMC) snap-in that runs from the Exchange Server. The hierarchical Windows Explorer-like interface yields quick access to all functions, including policies, global filters, and user policy assignment.

To improve system performance, iHateSpam uses "smart caching" for configuration information. Cached spam definition rules, user policy assignments, whitelists, and blacklists are automatically refreshed every 6 hours. To force changes to take effect immediately, you can use the administrative console to manually reload the cache. Sites with more than one Exchange Server machine hosting mailboxes will appreciate iHateSpam's ability to replicate configuration information from one server to another.

The software installed easily to my test server, binding to the SMTP OnPostCategorize event sink. I installed iHateSpam's optional reporting component at the same time.

For my testing, I created a custom policy, which Figure 1 shows, with a custom filter rule that increments the message weight by 200 when the filter identifies a message with a specific unusual character string. After I reloaded the cache, iHateSpam quarantined messages containing that string for the user I configured to use that profile.

Although the software lacks support for some of the more sophisticated filtering algorithms, iHateSpam provides basic server-based spam filtering at a reasonable price.

iHateSpam for Exchange, Server Edition

Contact: Sunbelt Software * 727-562-0101 or 888-688-8457
Web: http://www.sunbeltsoftware.com
Price: Starts at $395 for 25 mailboxes
Summary
Pros: A good value for server-based spam filtering; easy to use administrative interface
Cons: May take relatively more administrative effort to customize spam detection for peak efficiency; no direct remote administration
Rating: 3 out of 5
Recommendation: iHateSpam for Exchange, Server Edition provides basic server-based spam filtering at a reasonable price.



GFI MailEssentials for Exchange/SMTP
GFI Software's GFI MailEssentials for Exchange/SMTP adds server-based spam control, mail monitoring and archiving, and POP3 downloading to Exchange Server, and has an optional list server component. You can implement MailEssentials as a mail gateway on a system that doesn't run Exchange Server, but certain features (such as directing mail to a user's junk mail folder) aren't available in the gateway configuration.

In addition to Bayesian filtering, MailEssentials supports Sender Policy Framework (SPF) and the DNS Blacklist feature. SPF identifies spam by comparing the IP address of the email server that sent the message to a list of email server addresses that are registered for the sender's domain. If a message is purported to be from a user at xyz.com but doesn't come from a mail server that the xyz.com mail administrator registered for SPF, the message is considered spam.

MailEssentials' filters and rules give you a lot of options for the disposition of email. You can specify spam to be sent directly to a folder in a user's mailbox when you install the software on Exchange Server 2000 and Exchange 2003. Optionally, MailEssentials can tag spam with a string, to let an Outlook rule determine the message's final disposition. The latter method is useful to Exchange Server 5.5 users and those who install MailEssentials on a mail gateway.

MailEssentials includes standard reports that you can customize by date range and other options relevant to the specific report. You can display information by user or by the email domain received from or sent to, receive a summary of messages by date, and receive a daily summary of spam. Figure 2 shows a sample Daily Spam Report.

I installed MailEssentials in just a few minutes with no surprises. During installation, I was given the option to install MailEssentials either in Active Directory (AD) mode or SMTP mode. AD mode lets you base custom rules on AD users. In SMTP mode you base rules on email addresses instead.

After installation was complete, I reviewed the MailEssentials configuration utility. By default, Bayesian filtering isn't enabled; other filtering options are configured to tag filtered messages with "SPAM," a default that Exchange 2003 users will want to change. MailEssentials detects Directory Harvesting attacks, where a spammer will "guess" at email addresses, resulting in messages sent to a combination of valid and invalid email addresses. A review of the MailEssentials log files showed that the Directory Harvesting feature was working, filtering email messages addressed to both non-existent and legitimate mailboxes.

GFI MailEssentials is a good value, even if you implement only spam filtering. The additional mail monitoring and archiving, POP3 downloading, and list server features will make the package a compelling choice for many enterprises.

GFI MailEssentials for Exchange/SMTP

Contact: GFI Software * 919-379-3397 or 888-243-4329
Web: http://www.gfi.com
Price: Starts at $295 for 10 mailboxes, $315 for 25 mailboxes. Includes support for 3 months and updates for 1 year
Summary
Pros: Supports Bayesian filtering, directory harvesting, and Sender Policy Framework (SPF) filters
Cons: Uses an email-based command set for remote administration
Rating: 4.5 out of 5
Recommendation: A good value, even if you implement only the spam filtering capability. The product's additional features make the package a compelling choice.



Policy Patrol Enterprise
Policy Patrol Enterprise from Red Earth Software combines server-based spam filtering with automatic compression and decompression of email attachments and other email-related features.

Policy Patrol supports Bayesian filtering, Spam URL Realtime Block Lists (SURBL), and other standard filtering techniques, including semantic filtering, blacklists, and whitelists. Policy Patrol's extremely flexible rule definition facility makes it easy to create custom rules for specific users, subject to a variety of conditions and exceptions. The ability to use UNIX-like regular expressions when matching character strings adds to Policy Patrol's power and flexibility. Policy Patrol can remove embedded HTML tags that many spammers use to disguise words and phrases that can identify a message as spam.

Policy Patrol's default rule for handling spam places filtered messages in a special spam folder for review and delivery or deletion by an administrator. However, you can configure Policy Patrol to add an x-header to a message, which will allow Outlook to move the message to a spam folder.

Policy Patrol lets users add new email addresses to the global whitelist by coding "[New Customer]" in the subject line of a message they send to the address. Policy Patrol removes the coded phrase before delivering the message. When users employ a realtime blacklist and Policy Patrol identifies the source of the message as a spammer, admins have the option to reject the message before downloading it, saving both the network bandwidth and the server resources that would have been used to deliver the message. The software supports rules that set the Spam Confidence Level (SCL) that Exchange 2003 uses to direct spam to a user's Junk Mail folder.

Policy Patrol can archive messages in XML, comma-separated value (CSV), or SQL database format. You enable archiving by creating a rule that allows archiving of all or selected messages. The software also includes 21 report definitions that can be generated only from SQL-based archives, necessitating the implementation of a SQL database to make use of Policy Patrol's reporting capabilities.

Although installing Policy Patrol wasn't difficult, doing so took a bit longer than for the other products. The software's online Quick Start guide walked me through the process. The installation routine lets you install the product's administrative interface to multiple workstations for remote administration. Out of the box, none of Policy Patrol's features are enabled. Another downloadable guide, How to Filter Spam with Policy Patrol, helped me configure the product. I reviewed the available sample rules, which Figure 3 shows, and enabled the rule to allow semantic filtering.

Overall, Policy Patrol is significantly more configurable than most of the other products. However, the flip side of this flexibility is a steeper learning curve during the software implementation phase, and additional administrative effort while the software is in use.

Policy Patrol Enterprise

Contact: Red Earth Software * 603-436-1319
Web: http://www.redearthsoftware.com
Price: Starts at $395 for 10 users, plus $79 for annual maintenance following the 30-day warranty period. Policy Patrol Spam Filter starts at $325 for 10 users, plus $65 for annual maintenance.
Summary
Pros: Flexible rule-definition capabilities; administrative interface also runs from workstations
Cons: The product's flexibility creates complexity and a steeper learning curve; all reports are generated from SQL message archives, requiring the enabling of SQL message archiving
Rating: 3.5 out of 5
Recommendation: Overall, Policy Patrol is significantly more configurable than the other products. However, the flip side of this flexibility is a steeper learning curve during the product's implementation phase, and additional administrative support during use.



XWall for Microsoft Exchange with XWALLFilter
DataEnter's XWall for Microsoft Exchange is an SMTP email firewall that you can install either on an Exchange server or on a different server in a gateway configuration. An optional component, XWALLFilter, plugs into Exchange 2003 and can route spam directly to a user's Junk Mail folder. XWall includes features not related to spam control, including message compression and encryption and virus scanning in association with a supported third-party virus-scanning program.

XWall will run either as a service or in console mode. Either way, the administrative interface, which Figure 4 shows, logs XWall activity in a console window and provides menu access to its host of configurable features.

XWall includes a full set of filtering features and supports Spam Lookup Service (SLS), SPF, SURBL, and other block lists. The software also supports greylisting, a method that temporarily rejects messages with a previously unseen combination of email address and sending mail server IP address. Greylisting relies on the automatic retry feature in standard SMTP servers to resend legitimate greylisted messages; most spammers don't use the automatic retry feature.
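The greylisting decision described above, as an added example that is not XWall's code: it keys on the (sender address, sending server IP) pair and accepts only once the pair comes back after a delay. The three timing constants and the reply strings are assumptions chosen for illustration, and the addresses are constructed.

```python
from dataclasses import dataclass, field

MIN_RETRY_DELAY = 300          # assumed: a retry sooner than 5 minutes is still deferred
PENDING_LIFETIME = 4 * 3600    # assumed: an unretried first attempt is forgotten after 4 hours
PASSED_LIFETIME = 30 * 86400   # assumed: a pair that passed stays known for 30 days

DEFER = (False, "451 4.7.1 Greylisted, please retry later")
ACCEPT = (True, "250 OK")

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # pair -> time of first attempt
    passed: dict = field(default_factory=dict)   # pair -> time last accepted

    def check(self, sender, client_ip, now):
        """Return (accept, smtp_reply) for one delivery attempt at time `now` (seconds)."""
        key = (sender.strip().lower(), client_ip)

        # Known pair: accept and refresh, unless it has been idle too long.
        last = self.passed.get(key)
        if last is not None and now - last <= PASSED_LIFETIME:
            self.passed[key] = now
            return ACCEPT
        self.passed.pop(key, None)

        # Unseen pair, or a first attempt so old it no longer counts: start over.
        first = self.pending.get(key)
        if first is None or now - first > PENDING_LIFETIME:
            self.pending[key] = now
            return DEFER

        # Retry arrived too quickly to be a normal queue retry: keep deferring.
        if now - first < MIN_RETRY_DELAY:
            return DEFER

        # A proper retry from the same pair: promote it and accept.
        del self.pending[key]
        self.passed[key] = now
        return ACCEPT

def demo():
    """Replay constructed attempts: (sender, sending IP, seconds since start)."""
    g = Greylist()
    attempts = [
        ("alice@example.org", "192.0.2.10", 0),      # first sight: deferred
        ("alice@example.org", "192.0.2.10", 60),     # retried too soon: deferred
        ("alice@example.org", "192.0.2.10", 900),    # normal retry: accepted
        ("alice@example.org", "198.51.100.7", 1000), # same sender, new IP: deferred
        ("bulk@example.net", "203.0.113.5", 1200),   # never retries: stays deferred
    ]
    return [g.check(*a)[0] for a in attempts]

if __name__ == "__main__":
    print(demo())
```

The fourth attempt shows the cost side of the technique: a legitimate sender whose retries leave from a different server IP counts as a new pair and is delayed again.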

XWall takes a heuristic approach to semantic filtering, applying a variety of checks against both the email header and message text. This method calculates a spam value for each message. On a scale of 100, XWall's default value is 50: A value of 30 classifies more messages as spam; a value of 70 classifies fewer messages as spam.

XWall supports a variety of actions after determining that an email message is spam, including forwarding the message to the postmaster and using several methods to mark the message before delivering it to the recipient. Outlook users can choose a method that will deliver designated spam to their Junk Email folder.

XWall can save a copy of all messages it processes in a history folder, and can scan and block both inbound and outbound email attachments with suspicious content, including known exploits and files with double extensions (e.g., .exe.jpg). When you enable this feature, the software logs activity in CSV-format files for analysis and summarizes statistics in the console window. XWall doesn't include a reporting module.

I installed and configured XWall on my Exchange 2003 test server in a few minutes, using instructions available from XWall's Web site. As instructed, I configured XWall to forward mail to Exchange Server on port 24 and used Exchange System Manager to configure Exchange Server to receive email on port 24, to be consistent with XWall's gateway architecture.

Overall, XWall is easy to install and flexible, with a variety of useful non-spam-related features.

XWall for Microsoft Exchange with XWALLFilter

Contact: DataEnter (Austria) * (43) (1) 202-0700
Web: http://www.dataenter.com
Contact: Lakewood Communications (in the U.S.) * 386-672-7986 or 386-672-7246
Web: http://www.lakecomm.com
Price: $679 for XWall/XWALLFilter bundle; $398 for XWall; $299 for XWALLFilter
Summary
Pros: Flexible configuration, support for a variety of spam filtering
Cons: No reporting component
Rating: 4 out of 5
Recommendation: Overall, XWall is easy to install and flexible, with a variety of non-spam-related features.



Power Tools for Exchange-Internet Edition
Nemx Software's Power Tools for Exchange is a multifunctional product that includes some anti-spam features not found in other products. In addition to the antispam features I discuss, Power Tools performs virus detection and employs Norman SandBox Technology malware detection. Power Tools is available in two editions. The Internet Edition, which I tested, scans email as it passes through the SMTP internet connector. The Advanced Edition adds mailbox and public folder monitoring and content scanning functionality.

In addition to address list and rules-based spam detection, Power Tools includes a proprietary approach that Nemx Software terms the Concept Manager. Concept Manager uses fuzzy logic to locate words and phrases commonly found in spam, and natural language recognition techniques to identify the overall context of a message. Nemx Software describes the approach as superior to Bayesian; among other things, it isn't misled by the presence of generic words. Nemx Software updates the Concept Manager Policy definitions monthly. The version I tested included 64 spam levels, 14 of them related to pornography. You can selectively enable the levels.

Power Tools includes extensions to Microsoft Intelligent Message Filter (IMF), a spam filter available for Exchange 2003. (For more information about IMF, see the sidebar, "Microsoft's Intelligent Message Filter.") IMF lets you customize actions according to server, group, or mailbox. Nemx Software's IMF Manager is available as a standalone component.

Power Tools lets you configure custom sets of actions, in addition to standard Delete and Quarantine actions. You can configure custom rules that trigger custom actions and apply the custom rules to inbound or outbound messages. You can log system or custom actions to CSV files for subsequent analysis.

As with the other products, Power Tools was easy to install. It's delivered as a single executable file that you place into and run from the Exchange server's BIN directory. Power Tools' administrative interface plugs into the Exchange Administrator or System Manager, displaying as an item under the entry. In Exchange Server 2003, all Power Tools configuration options are available from the Power Tools Properties page, which Figure 5 shows.

Power Tools is a little more expensive than the other products but offers some unique features, can include a broad range of functions, and is tied together by a flexible, easy-to-use administrative interface.

Power Tools for Exchange-Internet Edition

Contact: Nemx Software * 613-831-2010
Web: http://www.nemx.com
Price: $795 for Spam and Content modules and connector; $795 for antivirus subscription for 1 year, $1095 for 2 years
Summary
Pros: Unique features; modular design lets you purchase only the features you need; a lot of configuration flexibility, yet not difficult to use
Cons: No built-in reporting
Rating: 4.5 out of 5
Recommendation: Power Tools is a little more expensive than the other products but offers some unique features.



Recommendation
I've selected both GFI MailEssentials for Microsoft Exchange and Nemx Power Tools for Exchange as Editor's Choices. Both MailEssentials and Power Tools offer a broad range of filter technologies. Both products have powerful options that let you customize the product according to your business needs, and both make it easy to configure these options. Each product has its own spam-filtering strengths. MailEssentials supports Bayesian filtering and includes a reporting component. Power Tools includes Nemx's proprietary Concept Filtering spam detection technology and a management interface exposed through the Exchange System Manager. Both products also offer additional features not related to spam filtering, for additional value under the same administrative umbrella.

See associated table
