Toolbox: How to Choose Your Antispam Strategy

Antispam appliance or hosted service? That's one of many choices you face in the battle against spam. Here's advice from the trenches.

At the most basic level, enterprise antispam systems protect organizations against e-mail-related threats by identifying and removing junk mail and malicious messages. Some of the major threats, according to Radicati Group, include viruses, directory harvest attacks and denial of service attacks.

These systems have also broadened their approach to keep up with increased compliance needs and the evolution of e-mail threats toward phishing and malware-distribution URLs, according to Chenxi Wang, an analyst at Forrester Research. For instance, many systems now support antivirus, content filtering for inbound and outbound e-mail as well as Web and instant messaging traffic, encryption, archiving and e-discovery, or they integrate with systems that offer these functions, she says. Forrester calls this type of system "e-mail filtering"; Radicati, "e-mail security"; and Gartner, "e-mail gateway."


Antispam systems come in three forms: software, appliance and hosted service. While software is currently the largest segment, according to Radicati, appliances make up the fastest-growing category, with a 50 percent annual growth rate over the next four years. The second fastest-growing category is hosted solutions, Radicati says.

Buyers increasingly want a turnkey solution for e-mail filtering, Wang says, which explains the popularity of appliances and, increasingly, hosted services, as they both decrease costs and simplify management. Leading appliance vendors, according to Forrester, are Cisco Systems, Symantec and McAfee/Secure Computing. Leading service vendors are Google/Postini, Microsoft, Symantec/Message Labs and Websense. Gartner expects to see more hybrid solutions emerging, which include an on-premises appliance and a hosted service with a single management interface and the ability to seamlessly migrate functions from one to the other.

Antispam Market Overview

According to Radicati, revenue for all three segments of antispam is forecast to grow from slightly over $3.9 billion in 2008 to over $6.2 billion in 2012.

Organizations are spurred to protect themselves against e-mail threats because of the costs associated with managing spam, loss of user productivity, network downtime, bandwidth costs, compliance and privacy concerns. Since many companies already have antispam systems installed, a significant portion of this market's growth can be attributed to upgrade and replacement, Radicati says.

Core Functionality

When Forrester evaluated e-mail filtering vendors in a recent study, it included vendors that offered the following capabilities:

  • Antispam, antivirus and content filtering for both inbound and outbound e-mail traffic.
  • Support for common compliance policies, such as HIPAA, PCI DSS, SOX and the Gramm-Leach-Bliley Act.
  • Filtering capabilities beyond e-mail, either in Web or instant messaging.


Nine tips for choosing an antispam solution

DO go beyond antispam functionality. With spam accounting for 80 percent to 90 percent of all e-mail today, it's become essential to have an antispam system, Gartner analyst Peter Firstbrook says, and all current systems can be counted on to block almost 100 percent of spam. But if you're buying an antispam system today, make sure it goes beyond that to include more holistic functionality for e-mail protection, such as data loss prevention (DLP) and encryption. "Even if you're not going to use it right now, you will in the next three or four years," he says. "You want to buy a platform that allows you to expand to that without reinvesting in another down the road."

Such advanced features are what really differentiate solutions today, Firstbrook says. DLP programs can search the bodies or headers of e-mails for any information that requires special protection—Social Security numbers, credit card numbers, patient healthcare data and so on—and then apply corporate policy to determine what action to take, including blocking or encrypting. Now that some states are passing laws requiring that personally identifiable information be encrypted, "you pretty much need DLP to comply," Firstbrook says.
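As an added illustration of the DLP checks Firstbrook describes (example code written for this discussion, not any vendor's product), the Python below scans a constructed outbound message's headers and body for Social Security and credit card numbers and picks the policy action; the policy table, patterns and sample message are assumptions, and only single-part text messages are handled.

```python
import email
import re

# Constructed policy table (data class -> action); the classes and actions are assumptions.
POLICY = {"ssn": "block", "credit_card": "encrypt"}
ACTION_RANK = {"allow": 0, "encrypt": 1, "block": 2}

# SSN: rejects area 000/666/9xx and an all-zero group or serial, as the SSA does.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out ticket and order numbers that merely look like cards."""
    doubled = [(2 * d - 9 if d > 4 else 2 * d) if i % 2 else d
               for i, d in enumerate(map(int, reversed(digits)))]
    return sum(doubled) % 10 == 0

def find_sensitive(text: str) -> dict:
    """Return {data_class: [matches]} for the regulated data found in text."""
    found = {}
    for m in SSN_RE.findall(text):
        found.setdefault("ssn", []).append(m)
    for m in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.setdefault("credit_card", []).append(digits)
    return found

def dlp_decision(raw_message: str) -> dict:
    """Scan headers and body of a single-part text message and pick the action.
    The strictest action among the matched classes wins, so a message with both
    an SSN and a card number is blocked rather than merely encrypted."""
    msg = email.message_from_string(raw_message)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = find_sensitive(headers + "\n" + body)
    action = max((POLICY.get(c, "allow") for c in findings),
                 key=ACTION_RANK.get, default="allow")
    return {"action": action, "findings": findings}

# Constructed outbound message: a well-known test card number plus a
# 16-digit ticket reference that fails the Luhn check and is left alone.
SAMPLE = """From: clerk@example.com
Subject: Customer record 2024-000187

Card on file: 4111 1111 1111 1111 (exp 12/27).
Reference 1234 5678 9012 3456 is an internal ticket, not a card.
"""
```

Running `dlp_decision(SAMPLE)` yields the `encrypt` action with only the card number reported; adding an SSN to the body escalates the result to `block`.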

Jeff Strang, director of IT at Dakota Growers Pasta Company, the third-largest pasta manufacturing company in the United States, says he is looking into the encryption capability of Proofpoint's service-based antispam system. The company began using the service less than a year ago, he says. "It provides a smart analysis of what is in the attachments and whether they should be encrypted," he says.

Bob Clarke, network administrator at United Bank and Trust, is similarly looking into the Web filtering module of Google/Postini's offering. "Even if you allow a site to be browsed, you can block malicious content from coming through," he says. "We haven't gotten the OK, but it's something we've talked about."

At Franklin Synergy Bank in Franklin, Tenn., CIO Kevin Herrington is using five appliances from Barracuda, including its e-mail archiver, backup, Web filter, link balancer and antispam.

DO consider the cloud. Forrester predicts an increasing industry uptake on hosted, or cloud-based, e-mail filtering in the future, particularly as buyers want a turnkey solution that doesn't require spending a lot of time managing the technology. The research firm also says that the hosted approach provides a lower total cost of operations, rapid user provisioning and less hassle for internal IT operations.

Firstbrook agrees that many companies prefer the hosted approach. "From a price perspective, it's coming down to the point where it's $12 per user per year, and for larger companies, it's $6 per user per year."


Strang chose a hosted approach because he wanted a solution that resided outside of Dakota Growers' own network. "We've had issues in the past with e-mail security software impacting our hardware assets," he explains. He likes the fact that Proofpoint offered both hosted and appliance-based systems. "We had never done anything hosted for any of our services, so it was important to have that flexibility," he says. "If it didn't go well, we could use the same solution by pulling the appliance on-site."

As it turns out, Strang says, "given the positive results we've achieved, we're actually moving to hosted solutions in other areas of our business." For instance, help desk calls related to spam have decreased dramatically, and the company went six months without needing to call Proofpoint to resolve a support issue.

At United Bank & Trust, Clarke chose Google/Postini's hosted system because it was easier to manage. "We just set up the users, show them how to use it, and the spam never hits our network at all," he says. With 45 people to support and two IT employees, "it's one less thing to manage in-house," he says.

DO count on tweaking if you buy an appliance. At Franklin Synergy Bank, Herrington chose a Barracuda appliance because he had used it when he was IT manager at another bank. Before leaving his previous employer, he copied down the configurations he'd worked hard to perfect so he could apply them at Franklin. "I'd spent a lot of time tweaking the configurations to stop legitimate spam and let the real e-mail come through," he says. The configurations include spam scoring limits that determine what gets flagged or blocked, as well as whitelisting capabilities for domains considered safe. "I had played with those numbers quite a bit and finally found some that worked well," he says.

DO evaluate performance. Something that can make or break a product is its performance and throughput while processing large volumes of e-mail, Wang says. At some organizations, as many as 14 of 15 incoming e-mails are spam, she says, so "the performance of the filtering solution determines whether the company's employees will have timely e-mail access or whether everyone's e-mails will be delayed and even dropped by the filtering process."

DO look into how the vendor stays updated on new techniques. Dan Blum, an analyst at Burton Group, compares fighting spam with an arms race, requiring multiple levels of ever-growing protection. The main weapons include reputation-based filtering of both the sender and the sending domain; domain key authentication; active inspection of content, including images; and heuristics-based message analysis.

Spam techniques are constantly changing, so it's important that the vendor can rapidly detect and react to new spam campaigns that may evade filters, Firstbrook says. Clarke says Google/Postini updates its spam filters every day, and effectively captures 95-plus percent of spam. There are occasions where it doesn't catch some new technique, "and we get a call from a user saying, 'Why did we get this?'" he says.

DO consider compliance needs. Compliance requirements are continuing to drive and shape the antispam market, Wang says, and systems are now incorporating sophisticated content-filtering technologies to protect against unauthorized leaks of private and confidential data, as well as integration with archiving and e-discovery technologies.

Clarke says he looked at Google/Postini's e-mail archiving system's ability to comply with regulations. However, he ended up choosing something he says was a little easier to use and priced more effectively for his purposes, as it was based on the number of users, not the amount of data being archived. "Our user base isn't going to fluctuate much, but the data size will," he says. It's not inconvenient to have separate systems, he says.

DO determine how much power to give the end user. Some systems enable end users to review a list of quarantined e-mails, or a "gray list" of e-mails that were flagged as spam, and it's up to the individual administrator to determine how much power to give users to review this list. "Some don't want the user to go into the gray list because of usability issues, or the possibility the user might make a bad decision," Blum says. "They might open a message that's a phishing message and act on it." Others would like to have the quarantine available so they don't risk losing an authentic e-mail as a false positive.

At United Trust, Clarke says most users didn't like receiving daily notification that e-mails had been quarantined. He set up the service so that users were free to check the quarantine digest. They have the choice to approve e-mails and tell the service to never block from that sender again, or they can add addresses or domains to a list that should always be marked as spam. "We noticed that if you manage it for a month, checking two or three times a week, the chance of falsely quarantined e-mail is rare," he says. He checks his own quarantined e-mails twice a week and, "other than a newsletter once in a while, there is rarely the need to un-quarantine."
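The scoring limits and domain whitelists Herrington tunes, together with the per-user approve and always-block lists Clarke's users manage from the quarantine digest, amount to a small policy layer on top of the engine's spam score. The Python below is an added example (not Barracuda's or Google/Postini's code) that models that layer; the thresholds, domains and list contents are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class FilterPolicy:
    """Admin-tuned settings of the kind Herrington describes (values assumed)."""
    tag_threshold: float = 3.5          # score at or above: deliver, but tag it
    quarantine_threshold: float = 6.0   # score at or above: hold in quarantine
    safe_domains: set = field(default_factory=set)  # global domain whitelist

@dataclass
class UserPrefs:
    """Per-user lists a user maintains from the quarantine digest."""
    approved: set = field(default_factory=set)  # "never block from that sender"
    blocked: set = field(default_factory=set)   # always mark as spam

def decide(sender: str, score: float, policy: FilterPolicy, prefs: UserPrefs) -> str:
    """Return 'deliver', 'tag' or 'quarantine'. Explicit user lists (an address
    or a whole domain) beat the global whitelist, which beats the engine score."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in prefs.blocked or domain in prefs.blocked:
        return "quarantine"
    if sender in prefs.approved or domain in prefs.approved:
        return "deliver"
    if domain in policy.safe_domains:
        return "deliver"
    if score >= policy.quarantine_threshold:
        return "quarantine"
    return "tag" if score >= policy.tag_threshold else "deliver"

def approve_from_digest(prefs: UserPrefs, sender: str, held: list) -> list:
    """User approves a held sender: whitelist it, release and return its mail."""
    sender = sender.lower()
    prefs.approved.add(sender)
    released = [m for m in held if m["from"].lower() == sender]
    held[:] = [m for m in held if m["from"].lower() != sender]
    return released

# Constructed sample: admin policy, one user's lists, and scored senders.
POLICY = FilterPolicy(safe_domains={"partnerbank.example"})
PREFS = UserPrefs(blocked={"deals.example"})
INBOX = [
    ("news@partnerbank.example", 7.2),   # whitelisted domain: delivered anyway
    ("promo@deals.example", 1.0),        # user-blocked domain: held anyway
    ("editor@newsletter.example", 6.4),  # high score: quarantined
    ("alice@customer.example", 4.0),     # borderline: tagged, not held
]
if __name__ == "__main__":
    for sender, score in INBOX:
        print(f"{sender:28} {score:4} -> {decide(sender, score, POLICY, PREFS)}")
```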

Strang says he appreciates the flexibility of Proofpoint's message digest because he can manage everything right from the report he reviews every day. "I can go in and manage the account versus just getting a list telling me what was blocked. I can go out to the site and approve, reject and unblock from there."

DO determine detection and false positive rates. Unfortunately, it's not easy to get good third-party, independent antispam testing data, on par with what's available for antivirus, Blum says. "It's extremely difficult to do testing that would compare vendors," he says. What customers can do is try to compare core detection and false positive rates by talking to similar customers who might have similar mail flows, or do a proof of concept.

DO look for Web filtering integration. Many times, e-mail threats are blended threats that encourage users to click on a URL. For that reason, Blum says, it's good for the antispam system to include a Web filtering capability or integrate with such a system so it can check the reputation of that URL. "That kind of integration is fantastic," he says.
