Download technology report (pdf, 525k) - West Coast Labs

TECHNOLOGY REPORT - FEBRUARY 2006 

VOLUME 1, ISSUE 5 

Anti-Spam Solutions 

An Independent Technology Report produced by 

www.westcoastlabs.org

2 TECHNOLOGY REPORT SUPPLEMENT FROM 

Comment 

The spam war 

demands cuttingedge 

products 

Introduction 

Controlling uninvited, inappropriate 

content from entering corporate 

inboxes is vital to business productivity 

Welcome to the West 

Coast Labs’ Anti-Spam 

Technology Report. 

Every Technology Report 

published provides a brief overview 

of a number of the leading products 

within the relevant sector. More 

comment and data on each solution 

can then be found in the full and 

individual white papers at 

www.westcoastlabs.org. 

This enables security buyers and 

decision-makers to gain a brief 

overview of each product in the 

summary and then further 

investigate those solutions which 

are relevant to their individual 

business needs and environments. 

The Technology Reports feature 

independent technical analysis of 

the functionality and performance of 

each solution, tested to prepublished 

methods and reviewed 

against the functionality criteria of 

the Checkmark certification 

program. This ensures that all the 

products are tested against realworld 

standards and establishes 

how each performs in a simulated 

business environment. 

Further reports planned for 2006 

will include coverage of antispyware 

solutions, content filtering, 

UTM products and managed 

services, antivirus for both the 

desktop and server, and 

vulnerability assessment. 

This report is part of West Coast 

Labs’ goal to provide IT 

professionals and managers with 

data and comment upon which 

informed choices may be made for 

their individual business and 

network structures. 

Matt Garrad 

Senior Test Engineer,West Coast Labs 

FEBRUARY 2006 

The war for control of 

corporate inboxes has been 

raging for some years now 

as anti-spam solution providers 

seek to protect us from unsolicited, 

inappropriate and often offensive 

intrusions into our time. 

The originators of these emails 

are becoming ever more inventive 

and so more and more companies 

are coming to rely on automatic 

solutions with learning engines to 

protect their users and machines. 

The emails themselves are getting 

more sophisticated. Spam is now 

no longer just advertising material, 

but is evolving, and often acting as 

the precursor to identity theft. 

For testing in this report and for the 

certification of each of the 

participating solutions, we used live 

mail feeds coming in to various extra 

domains wholly owned and 

controlled by West Coast Labs. 

Each domain used contains a 

number of individual user accounts 

with established email addresses, 

along with distribution lists. 

To maintain the flow of genuine 

mail, test engineers used several 

internal and external accounts to 

send emails that simulated real life 

email transactions common in 

business: for example, requesting 

meetings, sending notifications to 

groups and non-business related 

social emails. 

West Coast Labs Testing Team 

Emails were also sent from webbased 

accounts to simulate external 

users sending non-business-related 

emails and home workers. Individual 

user accounts were subscribed to 

several mailing lists and daily 

newsletters for gray mail purposes. 

For each solution we configured 

the device or software to fit in with 

the test network and placed it into a 

stream of live mail to see how it 

would cope in an “out-of-the-box” 

configuration with real-world traffic. 

However, we do recognize that a 

large part of spam detection relies 

on an initially intensive learning 

process. Hence, as a continuing 

service, we will be placing these 

devices in the mail feed in coming 

months for longer periods of time, 

interactively training them, and 

updating the performance data 

included in the online white papers. 

At this stage of testing, 

Checkmark Anti-Spam Certification 

criteria have been set at two catchrate 

levels: Checkmark Anti-Spam 

Certification; Premium – at 97% and 

over Catch Rate; Standard – at 

90% and over Catch Rate. 

The certifications achieved by 

individual products based on the 

initial testing are shown in the 

following reports with product 

performance data in the individual 

white papers which can be found 

online at www.westcoastlabs.org. 

All West Coast Labs tests are carried out by fully trained content 

and perimeter security test engineers under the direction of the 

CTO Jon Stearn, an acknowledged technical authority among his 

peers, who has over 25 years experience in the IT and security 

industries. Particular thanks go to Michael Parsons, Matt Garrad, 

Rob Tanner, Richard Thomas, Mike McMenamin and Chris Elias. 

West Coast Labs Photographs Copyright 

Girts Gailans www.gailans.com. Art editor: 

Sarah Lloyd, Sub-editor: Alison Walley 


TECHNOLOGY REPORT SUPPLEMENT FROM 3 

Email Systems 

DEVELOPER’S STATEMENT: Email Systems offers protection, 

management and compliance through robust messaging technology in 

an effective email service that operates outside the corporate network 

and ISP's mailservers, without extra investment in software or hardware. 

Manufacturer 

Contact details 

Email Systems Ltd. 

www.emailsystems.com 

Email Systems 

has achieved the 

Checkmark 

Premium 

Certification for 

Anti-Spam 

solutions. 

www.check-mark.com 

Email Systems is a U.K.-based company offering a 

managed service that companies can route mail 

through before it gets to their servers. 

The setup and configuration is very simple and this is 

helped by a comprehensive and easy to understand 

Service Deployment Plan that sets out an eight-stage 

process. The plan acts not only as a guide to switching 

the flow of a mail feed, but also as a series of reminders 

for more experienced mail administrators. The 

document and the process have been well thought out 

to ensure that all bases are covered, and provides 

checklists throughout. 

Email Systems’ support also perform a scan of a 

company’s current MX records to establish the current 

mail route and then provide a draft email pre-filled with 

the changes that need to be made and the contact 

email address for the hosting company. Once the 

changes have been made to the relevant MX records, 

mail will start flowing through the Email Systems 

service. Their support team is also very on the ball – on 

the one occasion we had to contact them the response 

and resolution of our query was very speedy. 

The web-based customer management portal is 

decked out in very tasteful subdued blues and grays 

that are easy on the eye. A good proportion of the 

interface is Flash-based and the animations on some of 

the pages add a bit of sparkle to the user experience. 

The initial page after logging in shows a pie chart that 

breaks down the traffic for a 28-day period into colorcoded 

slices, and displays the data on a per day basis 

below in histogram format. Also included here is an 

overview of the status of the accounts, a list of 

notifications of upgrades and improvements from 

support, the network status of each domain and a list of 

top viruses received, top recipients within the domains, 

and top inbound sender domains. Having all of this data 

easily within reach makes getting a snapshot view of 

how the domains are performing very easy. 

The main menu is listed across the top of the screen. 

The Users section allows a current administrator to add 

further administrators with varying scopes – they can be 

set up to make changes to individual domains or to the 

entire account. This is a useful feature that allows for 

the dissemination of responsibility if a company has 

several domains. 

The Accounts section allows the user to change the 

email address for administrative notifications for the 

entire Email Systems account covering all domains, 

and also to set rules that will apply across all domains, 

registered on a simple condition-action basis. 

The Domains section allows control over individual 

domains at a more granular level. Recipients of 

administrative notifications may also be specified here 

on a per domain basis, rules can be added for certain 

domains and not others, different mail signatures can 

be specified for each domain, and there are various 

alert and filter settings. 

In the Logs section an administrator can quickly look 

at a message subject, recipients, sender and status to 

see which rules have been triggered for certain groups 

of emails. There are also good filtering options. 

Messages in Quarantine can be viewed in their own 

separate window which displays the headers and then 

has a separate section for the message content. 

As well as a set of overall reports, the Reporting 

section allows searches to be performed and 

then saved to be run again at a later date. These 

are presented as Flash animations and are in 

keeping with the look and feel of the rest of the 

interface. 

THE VERDICT 

A well presented and carefully planned 

managed service.Any company outsourcing the 

responsibility for spam filtering their corporate 

email could consider adding this service to their 

shortlist. The support team is both quick and 

efficient. Overall, it earned our 

highest rating: CheckMark 

Anti-Spam PREMIUM. 

www.westcoastlabs.org 

FEBRUARY 2006


Equiinet NetPilot Plus 

DEVELOPER’S STATEMENT: The protection provided by the NetPilot’s 

SmartUTM is the most comprehensive available and includes anti-spam, 

antivirus, anti-spyware, intruder detection and prevention, advanced 

firewall, URL filtering, email policy controls and secure VPN support. 

Manufacturer 


Equiinet 

www.netpilot.com 

Equiinet NetPilot 

Plus has achieved 

the Checkmark 

Standard 


Anti-Spam 

solutions. 


FEBRUARY 2006 

The NetPilot Plus device is a compact unified 

threat management (UTM) unit, which Equiinet 

claims has an anti-spam capability with Spam 

Assessment, SpamCop Plus and Bayesian filtering 

coupled to the product’s Email Policy Controls to add 

power and flexibility to effectively deal with spam. 

This acts as a two-layered approach, with each one 

having been integrated to provide common controls and 

reporting, Spam Assessment and SpamCop together 

with the Bayesian learning provide a powerful 

combination of standard spam countermeasures, while 

the Policy Controls can additionally provide quarantine, 

black and white listing and much greater management 

flexibility. 

NetPilot Plus is a compact appliance, with a sealed 

front that is ideal for sitting on a desktop or on a rack 

shelf in a server room. Indeed, the only components on 

the fascia are power and disk lights. The rear of the unit 

contains a PS/2 keyboard connector, parallel port, 

serial connection and VGA connection, and a rockerstyle 

power switch. The collection of two onboard NICs 

plus one further on an expansion card allows for a 

variety of network setups to be implemented. 

During the course of the testing program, Equiinet 

released a new version of the operating system, so the 

device was upgraded from version 3 to version 4. 

Thankfully, the interface look and feel did not really 

change and the knock-on effect in terms of the way that 

spam is handled did not affect the overall test outcome. 

Initial configuration can be performed either via a 

keyboard and monitor plugged into the unit itself; 

alternately a private network range is already setup on 

one of the NICs and a client machine may undergo an 

IP address alteration. All interactions are handled via a 

secure web interface – the client may use a standard 

web browser, and the device itself uses LYNX. 

The opening wizard asks for some basic details to 

perform the setup. Version 4 of the system is capable of 

performing lookups on both the internal network and an 

external ADSL line. This means that if DHCP is enabled 

the device can be plugged straight into a network and it 

can take a guess at how it should be setup. In practice 

this works fairly well, although if the administrator has a 

specific IP address set aside for the device, the network 

settings may need some alterations after first boot – 

these, however, are simple to find and quick to perform. 

Following the preliminary configuration of the device, 

the SSL encrypted interface is available to devices on 

the internal network. The spam functionality is easy to 

find, with the more generic settings being found under 

the section heading of email. Policy actions can be 

found under the Email Filter Policy section, and there 

are options here that allow for the creation or editing of 

policies in some detail. 

Spam functionality is enabled as part of the wider 

UTM functionality on version 4 or as a separate 

component on version 3 via a license key system, with 

keys obtainable from Equiinet resellers. The keys need 

to be entered into the interface along with the hardware 

serial number (found on the rear of the device) in order 

to benefit from the maximum protection that this device 

can offer. 

The NetPilot Plus has several options for dealing with 

suspected spam – it is possible to deliver it as normal 

with extra headers or to quarantine it on the device 

itself. Alternately the administrator can choose to have 

the message delivered to the administrative mailbox, 

either as a copy of the original or as an attachment. The 

training options available on received emails permit the 

reclassification of individual messages from the Email 

section or allow an en masse learning session under 

the Review and Learn banner within Email Filter 

Policies. 

Although the device adds in extra headers to emails, 

it does not currently allow for the alteration of the 

message subject line to reflect the nature of the email. 

The device leaves it up to the client email program to 

interpret these and mark them up as appropriate. 

THE VERDICT 

Equiinet's Unified Threat Management solution 

is well rounded. It boasts a friendly and simple 

interface with plenty of well written 

documentation. The NetPilot Plus takes the 

hard work out of configuration and has been a 

consistent performer during 

testing. 



McAfee Secure Messaging Gateway 

DEVELOPER’S STATEMENT: McAfee Secure Messaging Gateway 

protects against spam, inappropriate content, phishing, worms, and 

viruses – all on a single appliance. It provides enterprise-class 

performance to meet the most demanding requirements. 

Manufacturer 


McAfee 

www.mcafee.com 

McAfee Secure 

Messaging 

Gateway has 

achieved the 

Checkmark 

Premium 


Anti-Spam 

solutions. 


McAfee has a broad product portfolio that 

secures systems and networks from known 

and unknown threats. We tested McAfee’s 

new e-mail security appliance called Secure Messaging 

Gateway. 

The product is a 1U rack mountable Dell unit that 

comes pre-loaded with a hardened Linux-based 

operating system plus McAfee security software and 

other prerequisites such as Java JRE 1.4.2. 

Setup was rapid and uncomplicated. The device was 

configured and ready to accept email within a few 

minutes. The well-written manuals have detailed 

instructions, documentation came in printed form for 

the hardware and in PDF form for the McAfee software. 

The device includes its own browser-like 

administration tools. Organizations that have deployed 

other McAfee security products will appreciate the fact 

that Secure Messaging Gateway can also be managed 

by McAfee ePolicy Orchestrator, the Java-based 

central management console that can direct the efforts 

of multiple McAfee security devices. The resulting span 

of control makes administrators more productive 

because they don’t have to visit individual clients or 

servers to setup company-wide security policies. 

It is easy to navigate around the various options and 

menus. The initial status screen shows a large amount 

of detail about the current state of the device. This 

includes not only traffic and detection statistics but also 

data such as the time and date of the most recent 

antivirus engine update, allowing the administrator to 

see at a glance the current state of play. 

The appliance utilizes multiple techniques to detect 

and block spam and phishing attacks. Some of the 

techniques, such as heuristic rules, are designed to be 

proactive in blocking “first time” spam. Other 

techniques, such as content filtering rules, have been 

developed to be reactive to new spam outbreaks and 

are automatically updated by McAfee every 10 minutes. 

McAfee’s spam management capabilities are 

particularly robust. The spam quarantine can either be 

on the appliance itself – a good choice for small 

organizations – or on a scalable Windows-based server 

that can store spam and whitelist settings for multiple 

appliances. Both administrators and end-users can 

configure blacklists and whitelists and can access the 

centralized spam quarantine via a web browser. 

In testing, the McAfee Secure Messaging Gateway 

did not block a single good message by mistake. 

However, if this were to occur, end users could search 

the spam quarantine for messages and release any 

that are found to have been inappropriately blocked. 

The appliance can also send each user a daily digest of 

the messages that have been placed into quarantine, 

and end users can release individual messages by 

clicking on the appropriate buttons in this digest. 

McAfee also provides an Outlook plug-in tool that 

allows end-users to submit samples of undetected 

spam, thus helping to “teach” the McAfee appliances 

about the user’s unique email characteristics. Once 

messages are submitted, the appliance can be 

configured to learn automatically or with administrative 

help. 

The McAfee appliance can be configured with 

different security policies to meet the needs of different 

groups within your organization. Also, messages can 

be scanned both inbound and outbound. McAfee 

claims that the latter option ensures that your 

organization is not unwittingly sending viruses or spam. 

Whilst not part of the current tests, this appliance also 

provides Content filtering policies which can guard 

against sensitive information leaving your network. 

McAfee’s appliance scans e-mail headers, bodies, and 

more than 300 types of attachments. Content filtering 

policies can block or modify messages that contain 

specific words or phrases that violate a content rule. 

Mcafee also claims that in addition to stopping 

viruses, spam and other unwanted messages, the 

McAfee Secure Internet Gateway blocks directory 

harvest attacks and other types of denial of service 

attacks against your messaging system to ensures that 

your mail servers stay up and running. 

THE VERDICT 

As another valuable tool from McAfee to 

protect corporate networks, the Secure 

Messaging Gateway solution is highly effective. 

It boasts an intuitive and well-thought-out 

interface which allows the administrator lots of 

control. Overall, it earned our 

highest rating: CheckMark 



FEBRUARY 2006


MailMarshal for Exchange 

DEVELOPER’S STATEMENT: MailMarshal for Exchange offers a 

fast, easy-to-use e-mail security solution that ensures a safe and 

productive working environment by enforcing organizational Acceptable 

Use Policy (AUP) and protecting against spam and viruses. 

Manufacturer 


Marshal 

www.marshal.com 

MailMarshal for 

Exchange has 

achieved the 

Checkmark 

Standard 


Anti-Spam 

solutions. 


MailMarshal for Exchange is a software 

solution, and arrived on a single CD with an 

accompanying printed manual, license 

agreement and welcome letter. 

This particular version of MailMarshal, as the name 

suggests, is a plug-in for Microsoft Exchange, but the 

company also offers a more generalized version that 

works with any SMTP mail system. 

The accompanying printed documentation only 

covers the installation and configuration of MailMarshal 

itself, and assumes a preinstalled and pre-configured 

Exchange server. Installation was a simple enough 

affair, with the CD version providing a copy of MSDE 

and patches as well as some of the other prerequisites 

if they are not already present. 

The interface itself is split into a MailMarshal 

Configurator and MailMarshal Console, but there are 

also some tools available from the start menu for 

migration and quarantine synchronization. By default 

MailMarshal quarantines messages that it classifies as 

spam but it provides a selection of tools that allow for 

further processing if required. 

The Configurator allows access to the nuts and bolts 

of the software, allowing the user to specify everything 

from additional local domains and spam updates 

through to attack prevention, by limiting the number of 

recipients per message. It is also possible to specify 

user groups and accounts from within this interface, set 

the location of various system folders, and set policies 

based upon connections, virus threats, spam, 

automated responses and so on. The Configurator is 

loaded through the Microsoft Management Console 

(MMC), so will be instantly familiar to anyone who has 

used this for other applications. 

The other section of the interface is the MailMarshal 

Console. Also loaded through the MMC, this 

multicolored affair is less somber than the Configurator, 

and allows the user to review all the messages that 

have been intercepted and make decisions about them. 

This allows a quick oversight of current trends in 

incoming mail and the colors have been well chosen to 

represent varying types of mail. 

The folder structure for problem messages is colorcoded, 

and all the messages are easy to locate, as 

each separate folder has subfolders that are named 

according to date of receipt of the offending message. 

It is from here that messages can be forwarded or 

released. The latter is either a straightforward release, 

or the messages can continue through the processing, 

or be reprocessed from scratch. The folders are 

grouped by Archive, Attachment, Awaiting Challenge 

Response, Junk, Language, Oversize, Policy Breach, 

Spam, Spoofed, Suspect and Virus, with various sub 

folders. 

The spam folders are split by default into Spam, Spam 

Type: Day Zero, Spam Type: Phish and Spam Type: 

Pornographic, and it is possible to set the rules so that 

each type is delivered to the correct folder. This 

potentially makes it easier for an administrator to decide 

which messages to discard outright and which to spend 

some time going through for false positives, based 

upon a company’s acceptable usage policy. 

Each message can be brought up for review in a new 

window and MailMarshal removes any links that it finds 

within the messages so that they cannot be clicked on 

accidentally. This is a good feature, as it can 

conceivably stop an administrator clicking on a 

seemingly innocent link and downloading malware to a 

corporate mail server. 

The use of MailMarshal for Exchange will come 

naturally to anyone familiar with Windows software. The 

combination of online help plus the printed manuals 

make the installation and administration of this plug-in a 

breeze. 

THE VERDICT 

An integrated plug in for Microsoft Exchange 

that is easy to install and configure, 

MailMarshal has a convincing engine and wellstructured 

interface. This solution should 

definitely be checked out by any company that 

uses Exchange for its mail 

services. 

FEBRUARY 2006 



PineApp Mail-SeCure 

DEVELOPER’S STATEMENT: PineApp Mail-SeCure appliances offer 

a complete mail security solution for different sized organizations: ten 

different anti-spam engines, three antivirus engines, backscatter 

prevention, denial-of-service protection and mail-bombing resilience. 

Manufacturer 


PineApp Mail 

SeCure has 

achieved the 

Checkmark 

Standard 


Anti-Spam 

solutions. 


PineApp Ltd 

www.pineapp.com 

Mail-SeCure is a 1U short-length lightweight 

appliance with ten different spam engines 

operating together with an advanced policy 

management module to provide users with the ability to 

manage their own quarantine processes and black and 

white lists to maintain and improve productivity and 

reduce overheads. 

The anti-spam engine combination also includes 

Sommtouche’s RPD engine for increased effectiveness. 

Three NICs provide a variety of options for setup, 

allowing for a demilitarized zone (DMZ) to be enabled. 

Initial default settings on the Mail-SeCure device 

require a change of IP address on the client machine to 

a private network in order for it to function correctly. The 

interface is then accessed over an SSL-encrypted nonstandard 

port using a web browser. A default name and 

password is supplied, and the manual suggests that 

this is changed immediately upon login. 

In order to enable all the functionality and perform the 

appropriate updates, access to the internet through any 

corporate firewall in place needs to be provided for 

DNS, HTTP, SMTP and POP3. 

The remainder of the initial setup proved to be 

straightforward, as the manual is comprehensive and 

easy to follow. The only data that needed to be at hand 

was network settings, mail server settings, and a 

notification email address for alerts for licensing. 

Overall the setup was simple and quick; the device can 

be configured and functioning on a network within ten 

minutes. The addition of users and groups for policy 

management is simple, especially as the device was 

provided with a group already in place for everyone. 

This means that if the administrator is after a simple set 

of rules for all recipients with no exceptions, the 

configuration time becomes even shorter. 

The interface uses a strong sense of corporate 

branding with various shades of yellow and orange as 

the background with a flash of green here and there, 

and mostly black text. This makes a pleasant change 

from the more traditional presentations and is not as 

disconcerting as it might sound. The main login page 

shows a swathe of important data, from version 

numbers and license status, through disk usage and 

network usage, to queue size, and even some 

hardware statistics, such as CPU temperature. 

The main options for the interface are laid out down 

the side, with groupings split into System, Networking, 

Mail System, Mail Policy, Anti-Virus, Anti-Spam, 

Statistics, Wizards and Help. The subsections within 

these are all clearly labeled and easy to find. 

Supplementary information about each of the fields is 

provided in the manual, which is couched in plain and 

easy to understand language. Images are provided 

where necessary to smooth the learning curve. 

By default, the PineApp device quarantines all 

messages it regards as spam, thus stopping the user 

from ever seeing them in their inbox. It is possible, 

however, to deliver such messages directly through to 

the users, and if this option is selected, the device inserts 

a non-editable tag “*****SPAM*****” into the subject 

header, so that the recipient can be assured that they 

know exactly how the device has classified the message. 

It is possible to create an exclusion list containing a list 

of users whose mail bypasses the spam scanning 

engines by default. The Mail Policy section also allows 

for the configuration of rules that are to be triggered on 

specific extensions for users or groups of users. Rule 

inheritance makes potentially tricky work simpler. 

The spam identification methods cover a variety of 

techniques that can be enabled or disabled by the 

administrator: a heuristic engine, RBL, lookups against 

the Commtouch RPD database, and PineApp’s own 

database of zombie IP addresses. 

An interesting and unusual feature of the PineApp 

solution is that the company has the ability to send 

urgent updates outside of scheduled update times to its 

devices via the SMTP port. 

The reporting section within the interface gives the 

ability to look at a variety of logs for timeframes of up to 

a year. Logs are also exportable as CSV lists, which is 

useful for archive purposes. 

THE VERDICT 

An individually styled interface and a powerful 

spam engine make this recommended for 

consideration when shortlisting corporate mail 

system protection. Easy to use and configure 

and a useful method of emergency 

update delivery mean this 

device has much to offer any 

company. 


FEBRUARY 2006


SoftScan Tower 

DEVELOPER’S STATEMENT: SoftScan provides a hosted spam and 

virus email filtering service that relieves corporate organizations and 

SMEs from the burden of using internal resources, while enabling full 

configurability to comply with company policy. 

Manufacturer 


SoftScan 

www.softscan.co.uk 

Softscan Tower 


Checkmark 

Standard 


Anti-Spam 

solutions. 


FEBRUARY 2006 

Danish company SoftScan provides a managed 

service with a web-based interface. The setup 

and configuration is managed for the most part 

by SoftScan support, which takes the burden off the 

administrator and also eliminates the need to manually 

update scanning engines as these are implemented 

automatically. SoftScan claims its Spam Filter process 

scans more than ten million emails daily, thus learning 

and improving with every one it stops. 

For setup purposes, the only information needed is 

the domain name or names to be scanned, and a 

forwarding name or IP address for each domain. Once 

support has confirmed that these have been set up, 

then the MX records for each domain need to be 

changed to point to SoftScan’s servers. 

The web interface itself is both functional and 

attractive, and the first page seen after the initial login 

displays data which has been carefully chosen to 

include the operating status of the SoftScan servers, 

last login time of the user, general messages from 

SoftScan support, a numerical count of queues in and 

out, a numerical count of outgoing messages that are 

virus infected, and numbers of potential false positives 

received both in the last 24 hours and since the last 

login. Each of these sets of numbers also provides a link 

to seeing more data, and in the case of those related to 

messages allows further drilling down through the data. 

From the front page, the menu system contains links 

to Email Statistics, Email Settings, Quarantine, User 

Admin, Change Password, and a link to various help 

data such as a downloadable Usage Guide. This PDF 

document is well-structured and laid out, and written in 

a clear and intelligible style. 

The Email Statistics section of the web interface offers 

several types of reports with user variable date ranges 

and provides a good range of well-presented and wellchosen 

results. These can be arranged either as data 

or graphically as pie charts or histograms, allowing for 

quick overviews of key parameters. 

The Quarantine section allows an administrator to 

search for messages using a variety of criteria, and 

then perform various actions upon the results including 

releasing the messages, deleting them, downloading 

them, analyzing them, or previewing them within a 

browser – usefully, this displays the HTML messages 

as HTML code rather than loading the full email and 

hence any potentially harmful links into a web browser 

where they may be executed. It is worth noting that if 

messages are released then a new recipient or list of 

recipients can be specified if necessary. Messages can 

be sent as they originally arrived or sent as an 

encrypted attachment in zip format. 

Extra users can be added to gain access to the web 

interface either as administrator or regular user, and 

each of these can have various roles assigned. This is 

a useful tool, allowing the dispersion of selected 

administrative tasks to other users on a per need basis. 

Administrators can build the spam rules for recipients 

or senders via a system of scoring. Using this method, 

negative scores give a more relaxed and tolerant 

approach to spam while positive scores make the 

approach much stricter. A variety of rules may be built 

up on clean messages as well as suspected spam and 

virus-infected ones. 

There is also a group of rule settings under the label 

“paranoid” which allows the administrator to fine tune 

some of the mail blocking settings. Further useful 

functionality is provided by optional daily reports via 

email to individual users notifying them of mail 

classified as “most likely false positives”. Users then 

have the option of releasing these messages, not only 

allowing them to contribute to a corporate spam policy 

but also relieving some of the administrative burden. 

THE VERDICT 

An accomplished, robust and flexible product 

that is not only easy to set up and use, but also 

alleviates some of the burden of the 

administrator. This online solution would fit well 

for any company who wants to outsource their 

spam solution to an effective 

managed service. 



SurfControl E-Mail Filter SMTP 

DEVELOPER’S STATEMENT: SurfControl E-mail Filter for SMTP is 

compatible with all SMTP-based email systems and offers a scalable, 

secure messaging solution for organizations of all sizes and vertical 

markets. 

Manufacturer 


SurfControl plc 

www.surfcontrol.com/products/email/ 

SurfControl E-Mail 

Filter SMTP has 

achieved the 

Checkmark 

Standard 


Anti-Spam 

solutions. 


Powered by SurfControl’s Adaptive Threat 

Intelligence, E-mail filter offers continuous 

protection against not only spam, but also 

phishing attacks, spyware, viruses and malicious code 

with customizable protection from corporate data 

leakage, compliance and email management 

SurfControl’s E-mail Filter is a software solution that 

sits upon a Windows 2000 or 2003 Server installation. 

The version of E-mail Filter provided for test works for 

any SMTP host, although SurfControl also provide a 

solution geared specifically toward Exchange. It can be 

deployed across multiple servers to provide loadbalancing 

and fallover protection. 

The installation itself was very straightforward, and 

provides the necessary prerequisites such as the 

Microsoft Database Engine (MSDE) if they are not 

already present on the system. We had the system 

ready to receive email very quickly. 

The E-mail Filter software itself has several distinct 

components, each of which can be loaded separately. 

They include Dictionary Management, the message 

administrator, a monitor application, QueueView, the 

Rules Administrator, various scheduler tools, and a web 

administrator interface. Even though these are all 

separate applications, each can open the others from 

the tools menu in each interface. 

The Dictionary Management tool shows the user what 

is in the contents of the spam filtering dictionaries 

supplied by SurfControl, and allows the user to add, edit 

or remove words and phrases as necessary as well as 

create custom dictionaries. This is straightforward and 

the methods for adding data are clear 

The Message Administrator shows the user the 

quarantine folders. Each of these that contains mail has 

a number next to the title indicating the number of 

messages, giving a rapid overview of the types of traffic 

coming through the mail stream. The window itself is 

split into four panes. These display the list of quarantine 

folders, some overview data regarding the individual 

messages (such as subject, recipient and sender), the 

component parts of the message that is currently 

highlighted, and finally a copy of the currently 

highlighted message. 

There are several options for mail within this highly 

intuitive interface – the messages can be released, 

moved to a different queue, deleted, and a search can 

be done based upon the recipients of mails. A notable 

feature is that while this application is open, new 

messages received are heralded by a pop-up dialog 

box to inform the user so that they can amend any 

searches or further examine the relevant data. 

The Monitor interface shows statistics for E-mail 

Filter’s Receive, Rules and Send services, and has 

logging panes for each of these. Within this application 

it is possible to track the progress of an email from entry 

into the system through to either quarantine or release. 

The rules which are being triggered can be traced so 

that an administrator can immediately see where 

decisions are made within the software. 

The Rules Administrator is where a user can really get 

to grips with how mail is processed by E-mail Filter. 

Complex rules can be built very quickly using a dragand-drop 

interface. 

The Web Administrator brings together several of 

these applications, allowing viewing of the traffic logs, 

rules and system logs, as well as an online version of 

both the Dictionary Management application and the 

Message Administrator. 

THE VERDICT 

A highly capable software solution with an 

impressive spam engine and well-thought-out 

mechanisms for dealing with corporate 

messages, this solution offers a wealth of 

interactive options and a pleasant interface. 

E-Mail Filter offers an intuitive 

way of building rules and lots 

of documentation. 


FEBRUARY 2006


SurfControl RiskFilter – Email 

DEVELOPER’S STATEMENT: SurfControl RiskFilter–E-mail is 

compatible with all SMTP-based email systems and offers a scalable, 

secure messaging solution for organizations of all sizes and vertical 

markets. 

Manufacturer 


SurfControl plc 

www.surfcontrol.com/products/email/riskfilter 

SurfControl 

RiskFilter – Email 


Checkmark 

Standard 


Anti-Spam 

solutions. 


FEBRUARY 2006 

SurfControl’s RiskFilter combines content 

recognition abilities with multi-layered blended 

threat recognition and extensive reporting and 

analysis to provide the tools and flexibility to protect 

against harmful and inappropriate content – both 

inbound and outbound. 

RiskFilter is a 1U rackmountable device with a front 

fascia on a hinge and swivel mechanism, so that it can 

be pulled out, twisted down, and tucked underneath the 

main body of the unit without ever having to remove it 

fully. This gives access to the main power and reset 

switches, the CD, floppy and the removable drives. 

The arrival of the RiskFilter product in the lab was 

preceded by a pre-configuration questionnaire which 

contained a checklist of necessary prerequisites along 

with sections for the administrator to fill in with DNS and 

IP details relevant to the company. After mailing this 

back, SurfControl partially preconfigured the device – a 

great help to an administrator under a heavy workload. 

The initial setup of the RiskFilter was very easy – the 

provided starter guide gives clear and concise advice. 

Each separate step in the procedure is accomplished 

by logging in at a console or terminal for initial 

configuration of the networking and then updating and 

configuring the application itself, using the two secure 

web interfaces available, to setup relays and build mail 

routing. 

Both web interfaces are SSL encrypted and are split 

to allow administration of the device itself through one 

port and of the software on the other port. This is a neat 

implementation that allows devolution of responsibility 

for the central spam management without giving access 

to the configuration of the device itself. Further control 

may be given to individual end-users via a further web 

interface that deals with End-User Spam Management 

(EUSM), although that functionality was not tested in 

this case. Although there are two interfaces, overall the 

setup and configuration of this device was speedy and 

the starter guide is written in such a way that ensures 

that it was trouble free. 

As an overlay service that covers the essential system 

administration tasks, the Webmin or System 

Management Console provides an intuitive method of 

setting the parameters for logging, network interfaces 

and clustering on the underlying Linux installation 

without ever getting near the OS itself – the subdued 

grays and blues make this easy on the eye and easy to 

navigate. All the options are well-labeled and easy to 

find and tasks can be performed intuitively. 

The RiskFilter email console interface acts to allow 

alterations to be made to the SurfControl software 

installed on the device, with alterations to the spam 

management system being performed via this route. 

This interface is stylistically similar to SurfControl’s 

website and has the same color scheme with shades of 

blue and touches of red, black and gray on a mostly 

white background. This gives a clean uncluttered look 

to the presentation and this serves the RiskFilter well. 

The interface is split into three major groups: System 

Settings, Policy Manager, and Reports and Logs, with 

each section having subsections that are appropriately 

grouped so that all options are exactly where the user 

expects them to be. The accompanying administrator’s 

guide provides simple advice for navigating and making 

changes within the interface, and is enhanced by 

screen grabs, ensuring that the user is not left with any 

doubts when making alterations. 

The Policy Manager section is where an administrator 

is likely to spend most of his or her time, as here it is 

possible to create new policies or alter existing ones. 

These can be set to read only, or to be altered by 

individual users using the EUSM facility. The RiskFilter 

quarantines all spam messages by default, stopping 

users from seeing the messages in their inboxes, but it 

is possible to apply other actions to incoming 

messages, such as adding a user-defined subject 

alteration or X-header and then delivering the message 

anyway. 

THE VERDICT 

Riskfilter's dynamic and effective spam engine 

make this solution a convincing contender for 

inclusion in any administrator's shortlist. The 

documentation is plentiful and the system is 

easy to set up and configure. 

An intuitive interface and good 

support from SurfControl 

complete the package. 



MailGate Edge and MailGate Email Firewall 

DEVELOPER’S STATEMENT: MailGate products provide companies 

with comprehensive email security including protection from network 

edge defense, anti-spam, antivirus, content filtering, and policy-based 

routing of secure email via multiple encryption methods. 

Manufacturer 


Tumbleweed Communications Corp. 

www.tumbleweed.com 

MailGate Edge and 

MailGate Email 

Firewall from 

Tumbleweed has 

achieved the 

Checkmark 

Premium 


Anti-Spam 

solutions. 


The Tumbleweed solution under test comprises 

two parts of its multiple device MailGate solution: 

the MailGate Edge and the MailGate Email 

Firewall. Both of these components are available 

separately and both perform distinct services. 

MailGate takes an integrated approach to email 

security, providing intelligent defense against network 

attacks, zero-hour protection from spam outbreaks with 

additional services in the form of anti-virus, deep 

content inspection of inbound and outbound messages 

and attachments with automatic routing and encryption 

of sensitive or protected messages. 

The MailGate Edge is a relay appliance that removes 

directory harvest attacks and email denial-of-service 

(DoS) attacks. It checks for malformed packets and for 

invalid recipient addresses, thus removing a large 

proportion of what Tumbleweed terms “dark traffic”. The 

MailGate Email Firewall provides the usual forms of 

spam protection using a policy-based system that 

allows an administrator to alter existing policies or 

create new ones. 

Each box is a 1U rackmounted device and the focus 

is on simplicity of use from the outset. The configuration 

was straightforward for both boxes with lots of clear 

diagrams and advice in the provided manuals. After the 

configuration the method of installing the two devices 

becomes more distinct. 

The SSL encrypted web interface for the MailGate 

Edge takes the user through a series of steps asking for 

basic information such as mail server address and 

proxy settings. The manual reminds the administrator to 

check that the corporate firewall settings are 

appropriately in place for correct operation. The entire 

process is speedy, allowing the administrator to get the 

device in place and functioning quickly. 

The MailGate Edge has a fairly simple web interface 

with menus and submenus arranged across the top of 

the screen and the main body of the page devoted to 

data. All of the menus are easy to navigate and options 

are simple to find. At the initial login the interface loads 

in a statistics reporting page that displays a graphical 

representation of the messages received, messages 

passed through and messages blocked by category. 

By not overcomplicating the web interface for the 

administrator this device will win a lot of converts. The 

running tickertape style display on the LCD panel 

enables users to see at a glance what level of 

protection the MailGate Edge is offering. 

The MailGate Email Firewall uses a remote desktop 

connection to install the software before any web-based 

configuration can take place. The well-written and 

comprehensive setup documentation details how to 

build and deploy the software. 

The device uses a licensable option called DAS 

(dynamic anti-spam) to do all the filtering. This allows 

the administrator to build policies using a Catch – Action 

– Exclude setup method whereby any messages with 

certain characteristics have specific actions applied to 

them unless they fall under a subset. These are easy to 

construct, and from the administrator’s point of view 

easily extendable. 

Further configuration is performed via an SSL 

encrypted web interface. The availability of a lot of data 

does not preclude the menus from being easy to 

navigate and well laid out, with options in four groups. 

The first group gives plenty of data regarding the 

operations that are being performed within a given 

timeframe including reports and status screen. The setup 

of the rules is part of the second group. Next up is the 

group that allows for the system settings to be altered. 

Finally the last group consists of a Log Out, with contextsensitive 

help that is clearly written and appropriate. 

The Email Firewall is set to quarantine by default, but 

can also be set to drop, return, detain, redirect, defer 

delivery or deliver normally for any message that is 

marked by the internal engines as spam. Add to this the 

ability to add recipients, change the subject line, add 

headers and add notifications or annotations and 

overall this system offers a lot of choice. 

THE VERDICT 

A powerful grouping of these spam engine and 

attack prevention devices make this a 

powerhouse of mail protection, well-presented, 

well-documented, and simple to use. Any 

company would be well advised to include it on 

a shortlist. Overall, it earned 

our highest rating: CheckMark 



FEBRUARY 2006

Tel: +44 (0) 1792 324000 

For more information, contact Mark Thomas by email mthomas@westcoast.com • www.westcoastlabs.org

Download technology report (pdf, 525k) - West Coast Labs

Create successful ePaper yourself

Delete template?

Save as template?