Download technology report (pdf, 525k) - West Coast Labs
TECHNOLOGY REPORT - FEBRUARY 2006<br />
VOLUME 1, ISSUE 5<br />
Anti-Spam Solutions<br />
An Independent Technology Report produced by<br />
www.westcoastlabs.org
2 TECHNOLOGY REPORT SUPPLEMENT FROM<br />
Comment<br />
The spam war demands cutting-edge products<br />
Introduction<br />
Controlling uninvited, inappropriate<br />
content from entering corporate<br />
inboxes is vital to business productivity<br />
Welcome to the West<br />
Coast Labs’ Anti-Spam<br />
Technology Report.<br />
Every Technology Report<br />
published provides a brief overview<br />
of a number of the leading products<br />
within the relevant sector. More<br />
comment and data on each solution<br />
can then be found in the full and<br />
individual white papers at<br />
www.westcoastlabs.org.<br />
This enables security buyers and<br />
decision-makers to gain a brief<br />
overview of each product in the<br />
summary and then further<br />
investigate those solutions which<br />
are relevant to their individual<br />
business needs and environments.<br />
The Technology Reports feature<br />
independent technical analysis of<br />
the functionality and performance of<br />
each solution, tested to pre-published<br />
methods and reviewed<br />
against the functionality criteria of<br />
the Checkmark certification<br />
program. This ensures that all the<br />
products are tested against real-world<br />
standards and establishes<br />
how each performs in a simulated<br />
business environment.<br />
Further reports planned for 2006<br />
will include coverage of anti-spyware<br />
solutions, content filtering,<br />
UTM products and managed<br />
services, antivirus for both the<br />
desktop and server, and<br />
vulnerability assessment.<br />
This report is part of West Coast<br />
Labs’ goal to provide IT<br />
professionals and managers with<br />
data and comment upon which<br />
informed choices may be made for<br />
their individual business and<br />
network structures.<br />
Matt Garrad<br />
Senior Test Engineer, West Coast Labs<br />
FEBRUARY 2006<br />
The war for control of<br />
corporate inboxes has been<br />
raging for some years now<br />
as anti-spam solution providers<br />
seek to protect us from unsolicited,<br />
inappropriate and often offensive<br />
intrusions into our time.<br />
The originators of these emails<br />
are becoming ever more inventive<br />
and so more and more companies<br />
are coming to rely on automatic<br />
solutions with learning engines to<br />
protect their users and machines.<br />
The emails themselves are getting<br />
more sophisticated. Spam is now<br />
no longer just advertising material,<br />
but is evolving, and often acting as<br />
the precursor to identity theft.<br />
For testing in this report and for the<br />
certification of each of the<br />
participating solutions, we used live<br />
mail feeds coming in to various extra<br />
domains wholly owned and<br />
controlled by West Coast Labs.<br />
Each domain used contains a<br />
number of individual user accounts<br />
with established email addresses,<br />
along with distribution lists.<br />
To maintain the flow of genuine<br />
mail, test engineers used several<br />
internal and external accounts to<br />
send emails that simulated real life<br />
email transactions common in<br />
business: for example, requesting<br />
meetings, sending notifications to<br />
groups and non-business related<br />
social emails.<br />
West Coast Labs Testing Team<br />
Emails were also sent from web-based<br />
accounts to simulate external<br />
users sending non-business-related<br />
emails and home workers. Individual<br />
user accounts were subscribed to<br />
several mailing lists and daily<br />
newsletters for gray mail purposes.<br />
For each solution we configured<br />
the device or software to fit in with<br />
the test network and placed it into a<br />
stream of live mail to see how it<br />
would cope in an “out-of-the-box”<br />
configuration with real-world traffic.<br />
However, we do recognize that a<br />
large part of spam detection relies<br />
on an initially intensive learning<br />
process. Hence, as a continuing<br />
service, we will be placing these<br />
devices in the mail feed in coming<br />
months for longer periods of time,<br />
interactively training them, and<br />
updating the performance data<br />
included in the online white papers.<br />
At this stage of testing,<br />
Checkmark Anti-Spam Certification<br />
criteria have been set at two catch-rate<br />
levels. Checkmark Anti-Spam<br />
Certification: Premium – at 97% and<br />
over Catch Rate; Standard – at<br />
90% and over Catch Rate.<br />
The certifications achieved by<br />
individual products based on the<br />
initial testing are shown in the<br />
following reports with product<br />
performance data in the individual<br />
white papers which can be found<br />
online at www.westcoastlabs.org.<br />
All West Coast Labs tests are carried out by fully trained content<br />
and perimeter security test engineers under the direction of the<br />
CTO Jon Stearn, an acknowledged technical authority among his<br />
peers, who has over 25 years’ experience in the IT and security<br />
industries. Particular thanks go to Michael Parsons, Matt Garrad,<br />
Rob Tanner, Richard Thomas, Mike McMenamin and Chris Elias.<br />
West Coast Labs Photographs Copyright<br />
Girts Gailans www.gailans.com. Art editor:<br />
Sarah Lloyd, Sub-editor: Alison Walley<br />
Email Systems<br />
DEVELOPER’S STATEMENT: Email Systems offers protection,<br />
management and compliance through robust messaging technology in<br />
an effective email service that operates outside the corporate network<br />
and ISP's mailservers, without extra investment in software or hardware.<br />
Manufacturer<br />
Contact details<br />
Email Systems Ltd.<br />
www.emailsystems.com<br />
Email Systems<br />
has achieved the<br />
Checkmark<br />
Premium<br />
Certification for<br />
Anti-Spam<br />
solutions.<br />
www.check-mark.com<br />
Email Systems is a U.K.-based company offering a<br />
managed service that companies can route mail<br />
through before it gets to their servers.<br />
The setup and configuration are very simple, helped<br />
by a comprehensive and easy-to-understand<br />
Service Deployment Plan that sets out an eight-stage<br />
process. The plan acts not only as a guide to switching<br />
the flow of a mail feed, but also as a series of reminders<br />
for more experienced mail administrators. The<br />
document and the process have been well thought out<br />
to ensure that all bases are covered, and checklists are<br />
provided throughout.<br />
Email Systems’ support team also performs a scan of a<br />
company’s current MX records to establish the current<br />
mail route and then provides a draft email pre-filled with<br />
the changes that need to be made and the contact<br />
email address for the hosting company. Once the<br />
changes have been made to the relevant MX records,<br />
mail will start flowing through the Email Systems<br />
service. Their support team is also very on the ball – on<br />
the one occasion we had to contact them the response<br />
and resolution of our query was very speedy.<br />
The web-based customer management portal is<br />
decked out in very tasteful subdued blues and grays<br />
that are easy on the eye. A good proportion of the<br />
interface is Flash-based and the animations on some of<br />
the pages add a bit of sparkle to the user experience.<br />
The initial page after logging in shows a pie chart that<br />
breaks down the traffic for a 28-day period into color-coded<br />
slices, and displays the data on a per day basis<br />
below in histogram format. Also included here is an<br />
overview of the status of the accounts, a list of<br />
notifications of upgrades and improvements from<br />
support, the network status of each domain and a list of<br />
top viruses received, top recipients within the domains,<br />
and top inbound sender domains. Having all of this data<br />
easily within reach makes getting a snapshot view of<br />
how the domains are performing very easy.<br />
The main menu is listed across the top of the screen.<br />
The Users section allows a current administrator to add<br />
further administrators with varying scopes – they can be<br />
set up to make changes to individual domains or to the<br />
entire account. This is a useful feature that allows for<br />
the dissemination of responsibility if a company has<br />
several domains.<br />
The Accounts section allows the user to change the<br />
email address for administrative notifications for the<br />
entire Email Systems account covering all domains,<br />
and also to set rules that will apply across all domains,<br />
registered on a simple condition-action basis.<br />
The Domains section allows control over individual<br />
domains at a more granular level. Recipients of<br />
administrative notifications may also be specified here<br />
on a per domain basis, rules can be added for certain<br />
domains and not others, different mail signatures can<br />
be specified for each domain, and there are various<br />
alert and filter settings.<br />
In the Logs section an administrator can quickly look<br />
at a message subject, recipients, sender and status to<br />
see which rules have been triggered for certain groups<br />
of emails. There are also good filtering options.<br />
Messages in Quarantine can be viewed in their own<br />
separate window which displays the headers and then<br />
has a separate section for the message content.<br />
As well as a set of overall reports, the Reporting<br />
section allows searches to be performed and<br />
then saved to be run again at a later date. These<br />
are presented as Flash animations and are in<br />
keeping with the look and feel of the rest of the<br />
interface.<br />
THE VERDICT<br />
A well presented and carefully planned<br />
managed service. Any company outsourcing the<br />
responsibility for spam filtering their corporate<br />
email could consider adding this service to their<br />
shortlist. The support team is both quick and<br />
efficient. Overall, it earned our<br />
highest rating: CheckMark<br />
Anti-Spam PREMIUM.<br />
Equiinet NetPilot Plus<br />
DEVELOPER’S STATEMENT: The protection provided by the NetPilot’s<br />
SmartUTM is the most comprehensive available and includes anti-spam,<br />
antivirus, anti-spyware, intruder detection and prevention, advanced<br />
firewall, URL filtering, email policy controls and secure VPN support.<br />
Manufacturer<br />
Contact details<br />
Equiinet<br />
www.netpilot.com<br />
Equiinet NetPilot<br />
Plus has achieved<br />
the Checkmark<br />
Standard<br />
Certification for<br />
Anti-Spam<br />
solutions.<br />
www.check-mark.com<br />
The NetPilot Plus device is a compact unified<br />
threat management (UTM) unit, which Equiinet<br />
claims has an anti-spam capability with Spam<br />
Assessment, SpamCop Plus and Bayesian filtering<br />
coupled to the product’s Email Policy Controls to add<br />
power and flexibility to effectively deal with spam.<br />
This acts as a two-layered approach, with each layer<br />
having been integrated to provide common controls and<br />
reporting. Spam Assessment and SpamCop together<br />
with the Bayesian learning provide a powerful<br />
combination of standard spam countermeasures, while<br />
the Policy Controls can additionally provide quarantine,<br />
black and white listing and much greater management<br />
flexibility.<br />
NetPilot Plus is a compact appliance, with a sealed<br />
front that is ideal for sitting on a desktop or on a rack<br />
shelf in a server room. Indeed, the only components on<br />
the fascia are power and disk lights. The rear of the unit<br />
contains a PS/2 keyboard connector, parallel port,<br />
serial connection and VGA connection, and a rocker-style<br />
power switch. The collection of two onboard NICs<br />
plus one further on an expansion card allows for a<br />
variety of network setups to be implemented.<br />
During the course of the testing program, Equiinet<br />
released a new version of the operating system, so the<br />
device was upgraded from version 3 to version 4.<br />
Thankfully, the interface look and feel did not really<br />
change and the knock-on effect in terms of the way that<br />
spam is handled did not affect the overall test outcome.<br />
Initial configuration can be performed either via a<br />
keyboard and monitor plugged into the unit itself or,<br />
alternatively, over the private network range that is already<br />
set up on one of the NICs, in which case a client machine<br />
may have its IP address altered. All interactions are handled via a<br />
secure web interface – the client may use a standard<br />
web browser, and the device itself uses LYNX.<br />
The opening wizard asks for some basic details to<br />
perform the setup. Version 4 of the system is capable of<br />
performing lookups on both the internal network and an<br />
external ADSL line. This means that if DHCP is enabled<br />
the device can be plugged straight into a network and it<br />
can take a guess at how it should be set up. In practice<br />
this works fairly well, although if the administrator has a<br />
specific IP address set aside for the device, the network<br />
settings may need some alterations after first boot –<br />
these, however, are simple to find and quick to perform.<br />
Following the preliminary configuration of the device,<br />
the SSL encrypted interface is available to devices on<br />
the internal network. The spam functionality is easy to<br />
find, with the more generic settings being found under<br />
the section heading of email. Policy actions can be<br />
found under the Email Filter Policy section, and there<br />
are options here that allow for the creation or editing of<br />
policies in some detail.<br />
Spam functionality is enabled as part of the wider<br />
UTM functionality on version 4 or as a separate<br />
component on version 3 via a license key system, with<br />
keys obtainable from Equiinet resellers. The keys need<br />
to be entered into the interface along with the hardware<br />
serial number (found on the rear of the device) in order<br />
to benefit from the maximum protection that this device<br />
can offer.<br />
The NetPilot Plus has several options for dealing with<br />
suspected spam – it is possible to deliver it as normal<br />
with extra headers or to quarantine it on the device<br />
itself. Alternatively, the administrator can choose to have<br />
the message delivered to the administrative mailbox,<br />
either as a copy of the original or as an attachment. The<br />
training options available on received emails permit the<br />
reclassification of individual messages from the Email<br />
section or allow an en masse learning session under<br />
the Review and Learn banner within Email Filter<br />
Policies.<br />
Although the device adds in extra headers to emails,<br />
it does not currently allow for the alteration of the<br />
message subject line to reflect the nature of the email.<br />
The device leaves it up to the client email program to<br />
interpret these and mark them up as appropriate.<br />
THE VERDICT<br />
Equiinet's Unified Threat Management solution<br />
is well rounded. It boasts a friendly and simple<br />
interface with plenty of well written<br />
documentation. The NetPilot Plus takes the<br />
hard work out of configuration and has been a<br />
consistent performer during<br />
testing.<br />
McAfee Secure Messaging Gateway<br />
DEVELOPER’S STATEMENT: McAfee Secure Messaging Gateway<br />
protects against spam, inappropriate content, phishing, worms, and<br />
viruses – all on a single appliance. It provides enterprise-class<br />
performance to meet the most demanding requirements.<br />
Manufacturer<br />
Contact details<br />
McAfee<br />
www.mcafee.com<br />
McAfee Secure<br />
Messaging<br />
Gateway has<br />
achieved the<br />
Checkmark<br />
Premium<br />
Certification for<br />
Anti-Spam<br />
solutions.<br />
www.check-mark.com<br />
McAfee has a broad product portfolio that<br />
secures systems and networks from known<br />
and unknown threats. We tested McAfee’s<br />
new e-mail security appliance called Secure Messaging<br />
Gateway.<br />
The product is a 1U rack mountable Dell unit that<br />
comes pre-loaded with a hardened Linux-based<br />
operating system plus McAfee security software and<br />
other prerequisites such as Java JRE 1.4.2.<br />
Setup was rapid and uncomplicated. The device was<br />
configured and ready to accept email within a few<br />
minutes. The well-written manuals have detailed<br />
instructions; documentation came in printed form for<br />
the hardware and in PDF form for the McAfee software.<br />
The device includes its own browser-like<br />
administration tools. Organizations that have deployed<br />
other McAfee security products will appreciate the fact<br />
that Secure Messaging Gateway can also be managed<br />
by McAfee ePolicy Orchestrator, the Java-based<br />
central management console that can direct the efforts<br />
of multiple McAfee security devices. The resulting span<br />
of control makes administrators more productive<br />
because they don’t have to visit individual clients or<br />
servers to set up company-wide security policies.<br />
It is easy to navigate around the various options and<br />
menus. The initial status screen shows a large amount<br />
of detail about the current state of the device. This<br />
includes not only traffic and detection statistics but also<br />
data such as the time and date of the most recent<br />
antivirus engine update, allowing the administrator to<br />
see at a glance the current state of play.<br />
The appliance utilizes multiple techniques to detect<br />
and block spam and phishing attacks. Some of the<br />
techniques, such as heuristic rules, are designed to be<br />
proactive in blocking “first time” spam. Other<br />
techniques, such as content filtering rules, have been<br />
developed to be reactive to new spam outbreaks and<br />
are automatically updated by McAfee every 10 minutes.<br />
McAfee’s spam management capabilities are<br />
particularly robust. The spam quarantine can either be<br />
on the appliance itself – a good choice for small<br />
organizations – or on a scalable Windows-based server<br />
that can store spam and whitelist settings for multiple<br />
appliances. Both administrators and end-users can<br />
configure blacklists and whitelists and can access the<br />
centralized spam quarantine via a web browser.<br />
In testing, the McAfee Secure Messaging Gateway<br />
did not block a single good message by mistake.<br />
However, if this were to occur, end users could search<br />
the spam quarantine for messages and release any<br />
that are found to have been inappropriately blocked.<br />
The appliance can also send each user a daily digest of<br />
the messages that have been placed into quarantine,<br />
and end users can release individual messages by<br />
clicking on the appropriate buttons in this digest.<br />
McAfee also provides an Outlook plug-in tool that<br />
allows end-users to submit samples of undetected<br />
spam, thus helping to “teach” the McAfee appliances<br />
about the user’s unique email characteristics. Once<br />
messages are submitted, the appliance can be<br />
configured to learn automatically or with administrative<br />
help.<br />
The McAfee appliance can be configured with<br />
different security policies to meet the needs of different<br />
groups within your organization. Also, messages can<br />
be scanned both inbound and outbound. McAfee<br />
claims that the latter option ensures that your<br />
organization is not unwittingly sending viruses or spam.<br />
Whilst not part of the current tests, this appliance also<br />
provides content filtering policies which can guard<br />
against sensitive information leaving your network.<br />
McAfee’s appliance scans e-mail headers, bodies, and<br />
more than 300 types of attachments. Content filtering<br />
policies can block or modify messages that contain<br />
specific words or phrases that violate a content rule.<br />
McAfee also claims that in addition to stopping<br />
viruses, spam and other unwanted messages, the<br />
McAfee Secure Internet Gateway blocks directory<br />
harvest attacks and other types of denial of service<br />
attacks against your messaging system to ensure that<br />
your mail servers stay up and running.<br />
THE VERDICT<br />
As another valuable tool from McAfee to<br />
protect corporate networks, the Secure<br />
Messaging Gateway solution is highly effective.<br />
It boasts an intuitive and well-thought-out<br />
interface which allows the administrator lots of<br />
control. Overall, it earned our<br />
highest rating: CheckMark<br />
Anti-Spam PREMIUM.<br />
MailMarshal for Exchange<br />
DEVELOPER’S STATEMENT: MailMarshal for Exchange offers a<br />
fast, easy-to-use e-mail security solution that ensures a safe and<br />
productive working environment by enforcing organizational Acceptable<br />
Use Policy (AUP) and protecting against spam and viruses.<br />
Manufacturer<br />
Contact details<br />
Marshal<br />
www.marshal.com<br />
MailMarshal for<br />
Exchange has<br />
achieved the<br />
Checkmark<br />
Standard<br />
Certification for<br />
Anti-Spam<br />
solutions.<br />
www.check-mark.com<br />
MailMarshal for Exchange is a software<br />
solution, and arrived on a single CD with an<br />
accompanying printed manual, license<br />
agreement and welcome letter.<br />
This particular version of MailMarshal, as the name<br />
suggests, is a plug-in for Microsoft Exchange, but the<br />
company also offers a more generalized version that<br />
works with any SMTP mail system.<br />
The accompanying printed documentation only<br />
covers the installation and configuration of MailMarshal<br />
itself, and assumes a preinstalled and pre-configured<br />
Exchange server. Installation was a simple enough<br />
affair, with the CD version providing a copy of MSDE<br />
and patches as well as some of the other prerequisites<br />
if they are not already present.<br />
The interface itself is split into a MailMarshal<br />
Configurator and MailMarshal Console, but there are<br />
also some tools available from the start menu for<br />
migration and quarantine synchronization. By default<br />
MailMarshal quarantines messages that it classifies as<br />
spam but it provides a selection of tools that allow for<br />
further processing if required.<br />
The Configurator allows access to the nuts and bolts<br />
of the software, allowing the user to specify everything<br />
from additional local domains and spam updates<br />
through to attack prevention, by limiting the number of<br />
recipients per message. It is also possible to specify<br />
user groups and accounts from within this interface, set<br />
the location of various system folders, and set policies<br />
based upon connections, virus threats, spam,<br />
automated responses and so on. The Configurator is<br />
loaded through the Microsoft Management Console<br />
(MMC), so will be instantly familiar to anyone who has<br />
used this for other applications.<br />
The other section of the interface is the MailMarshal<br />
Console. Also loaded through the MMC, this<br />
multicolored affair is less somber than the Configurator,<br />
and allows the user to review all the messages that<br />
have been intercepted and make decisions about them.<br />
This allows a quick oversight of current trends in<br />
incoming mail and the colors have been well chosen to<br />
represent varying types of mail.<br />
The folder structure for problem messages is color-coded,<br />
and all the messages are easy to locate, as<br />
each separate folder has subfolders that are named<br />
according to date of receipt of the offending message.<br />
It is from here that messages can be forwarded or<br />
released. The latter is either a straightforward release,<br />
or the messages can continue through the processing,<br />
or be reprocessed from scratch. The folders are<br />
grouped by Archive, Attachment, Awaiting Challenge<br />
Response, Junk, Language, Oversize, Policy Breach,<br />
Spam, Spoofed, Suspect and Virus, with various sub<br />
folders.<br />
The spam folders are split by default into Spam, Spam<br />
Type: Day Zero, Spam Type: Phish and Spam Type:<br />
Pornographic, and it is possible to set the rules so that<br />
each type is delivered to the correct folder. This<br />
potentially makes it easier for an administrator to decide<br />
which messages to discard outright and which to spend<br />
some time going through for false positives, based<br />
upon a company’s acceptable usage policy.<br />
Each message can be brought up for review in a new<br />
window and MailMarshal removes any links that it finds<br />
within the messages so that they cannot be clicked on<br />
accidentally. This is a good feature, as it can<br />
conceivably stop an administrator clicking on a<br />
seemingly innocent link and downloading malware to a<br />
corporate mail server.<br />
The use of MailMarshal for Exchange will come<br />
naturally to anyone familiar with Windows software. The<br />
combination of online help plus the printed manuals<br />
makes the installation and administration of this plug-in a<br />
breeze.<br />
THE VERDICT<br />
An integrated plug-in for Microsoft Exchange<br />
that is easy to install and configure,<br />
MailMarshal has a convincing engine and well-structured<br />
interface. This solution should<br />
definitely be checked out by any company that<br />
uses Exchange for its mail<br />
services.<br />
PineApp Mail-SeCure<br />
DEVELOPER’S STATEMENT: PineApp Mail-SeCure appliances offer<br />
a complete mail security solution for different sized organizations: ten<br />
different anti-spam engines, three antivirus engines, backscatter<br />
prevention, denial-of-service protection and mail-bombing resilience.<br />
Manufacturer<br />
Contact details<br />
PineApp Ltd<br />
www.pineapp.com<br />
PineApp Mail-SeCure<br />
has<br />
achieved the<br />
Checkmark<br />
Standard<br />
Certification for<br />
Anti-Spam<br />
solutions.<br />
www.check-mark.com<br />
Mail-SeCure is a 1U short-length lightweight<br />
appliance with ten different spam engines<br />
operating together with an advanced policy<br />
management module to provide users with the ability to<br />
manage their own quarantine processes and black and<br />
white lists to maintain and improve productivity and<br />
reduce overheads.<br />
The anti-spam engine combination also includes<br />
Commtouch’s RPD engine for increased effectiveness.<br />
Three NICs provide a variety of options for setup,<br />
allowing for a demilitarized zone (DMZ) to be enabled.<br />
Initial default settings on the Mail-SeCure device<br />
require a change of IP address on the client machine to<br />
a private network in order for it to function correctly. The<br />
interface is then accessed over an SSL-encrypted non-standard<br />
port using a web browser. A default name and<br />
password is supplied, and the manual suggests that<br />
this is changed immediately upon login.<br />
In order to enable all the functionality and perform the<br />
appropriate updates, access to the internet through any<br />
corporate firewall in place needs to be provided for<br />
DNS, HTTP, SMTP and POP3.<br />
The remainder of the initial setup proved to be<br />
straightforward, as the manual is comprehensive and<br />
easy to follow. The only data that needed to be at hand<br />
was network settings, mail server settings, and a<br />
notification email address for alerts for licensing.<br />
Overall the setup was simple and quick; the device can<br />
be configured and functioning on a network within ten<br />
minutes. The addition of users and groups for policy<br />
management is simple, especially as the device was<br />
provided with a group already in place for everyone.<br />
This means that if the administrator is after a simple set<br />
of rules for all recipients with no exceptions, the<br />
configuration time becomes even shorter.<br />
The interface uses a strong sense of corporate<br />
branding with various shades of yellow and orange as<br />
the background with a flash of green here and there,<br />
and mostly black text. This makes a pleasant change<br />
from the more traditional presentations and is not as<br />
disconcerting as it might sound. The main login page<br />
shows a swathe of important data, from version<br />
numbers and license status, through disk usage and<br />
network usage, to queue size, and even some<br />
hardware statistics, such as CPU temperature.<br />
The main options for the interface are laid out down<br />
the side, with groupings split into System, Networking,<br />
Mail System, Mail Policy, Anti-Virus, Anti-Spam,<br />
Statistics, Wizards and Help. The subsections within<br />
these are all clearly labeled and easy to find.<br />
Supplementary information about each of the fields is<br />
provided in the manual, which is couched in plain and<br />
easy to understand language. Images are provided<br />
where necessary to smooth the learning curve.<br />
By default, the PineApp device quarantines all<br />
messages it regards as spam, thus stopping the user<br />
from ever seeing them in their inbox. It is possible,<br />
however, to deliver such messages directly through to<br />
the users, and if this option is selected, the device inserts<br />
a non-editable tag “*****SPAM*****” into the subject<br />
header, so that the recipient can be assured that they<br />
know exactly how the device has classified the message.<br />
It is possible to create an exclusion list containing a list<br />
of users whose mail bypasses the spam scanning<br />
engines by default. The Mail Policy section also allows<br />
for the configuration of rules that are to be triggered on<br />
specific extensions for users or groups of users. Rule<br />
inheritance makes potentially tricky work simpler.<br />
The spam identification methods cover a variety of<br />
techniques that can be enabled or disabled by the<br />
administrator: a heuristic engine, RBL, lookups against<br />
the Commtouch RPD database, and PineApp’s own<br />
database of zombie IP addresses.<br />
An interesting and unusual feature of the PineApp<br />
solution is that the company has the ability to send<br />
urgent updates outside of scheduled update times to its<br />
devices via the SMTP port.<br />
The reporting section within the interface gives the<br />
ability to look at a variety of logs for timeframes of up to<br />
a year. Logs are also exportable as CSV lists, which is<br />
useful for archive purposes.<br />
THE VERDICT<br />
An individually styled interface and a powerful<br />
spam engine make this recommended for<br />
consideration when shortlisting corporate mail<br />
system protection. Easy to use and configure<br />
and a useful method of emergency<br />
update delivery mean this<br />
device has much to offer any<br />
company.<br />
SoftScan Tower<br />
DEVELOPER’S STATEMENT: SoftScan provides a hosted spam and<br />
virus email filtering service that relieves corporate organizations and<br />
SMEs from the burden of using internal resources, while enabling full<br />
configurability to comply with company policy.<br />
Manufacturer: SoftScan<br />
Contact details: www.softscan.co.uk<br />
SoftScan Tower has achieved the Checkmark Standard Certification for Anti-Spam solutions.<br />
www.check-mark.com<br />
Danish company SoftScan provides a managed<br />
service with a web-based interface. The setup<br />
and configuration is managed for the most part<br />
by SoftScan support, which takes the burden off the<br />
administrator and also eliminates the need to manually<br />
update scanning engines as these are implemented<br />
automatically. SoftScan claims its Spam Filter process<br />
scans more than ten million emails daily, thus learning<br />
and improving with every one it stops.<br />
For setup purposes, the only information needed is<br />
the domain name or names to be scanned, and a<br />
forwarding name or IP address for each domain. Once<br />
support has confirmed that these have been set up,<br />
then the MX records for each domain need to be<br />
changed to point to SoftScan’s servers.<br />
The web interface itself is both functional and<br />
attractive, and the first page seen after the initial login<br />
displays data which has been carefully chosen to<br />
include the operating status of the SoftScan servers,<br />
last login time of the user, general messages from<br />
SoftScan support, a numerical count of queues in and<br />
out, a numerical count of outgoing messages that are<br />
virus infected, and numbers of potential false positives<br />
received both in the last 24 hours and since the last<br />
login. Each of these sets of numbers also provides a link<br />
to seeing more data, and in the case of those related to<br />
messages allows further drilling down through the data.<br />
From the front page, the menu system contains links<br />
to Email Statistics, Email Settings, Quarantine, User<br />
Admin, Change Password, and a link to various help<br />
data such as a downloadable Usage Guide. This PDF<br />
document is well-structured and laid out, and written in<br />
a clear and intelligible style.<br />
The Email Statistics section of the web interface offers<br />
several types of reports with user-variable date ranges<br />
and provides a good range of well-presented and well-chosen<br />
results. These can be arranged either as data<br />
or graphically as pie charts or histograms, allowing for<br />
quick overviews of key parameters.<br />
The Quarantine section allows an administrator to<br />
search for messages using a variety of criteria, and<br />
then perform various actions upon the results including<br />
releasing the messages, deleting them, downloading<br />
them, analyzing them, or previewing them within a<br />
browser – usefully, this displays the HTML messages<br />
as HTML code rather than loading the full email and<br />
hence any potentially harmful links into a web browser<br />
where they may be executed. It is worth noting that if<br />
messages are released then a new recipient or list of<br />
recipients can be specified if necessary. Messages can<br />
be sent as they originally arrived or sent as an<br />
encrypted attachment in zip format.<br />
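The preview behaviour described above, showing an HTML message as source instead of rendering it, can be sketched as follows. This is an added example, not SoftScan's code; the sample message, its addresses and the `safe_preview` and `LinkCollector` names are constructed for illustration.

```python
import html
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message (not from the report): an HTML-only mail whose
# visible link text differs from the real target, with a remote image and a script.
SAMPLE = """\
From: "Accounts" <billing@example.test>
To: user@example.test
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your invoice at
<a href="http://203.0.113.7/login">https://bank.example.test/</a></p>
<img src="http://203.0.113.7/open.gif?id=42" width="1" height="1">
<script>document.location='http://203.0.113.7/x'</script>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects URL-bearing attributes without fetching or rendering anything."""

    URL_ATTRS = {"href", "src", "action"}
    ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []    # (tag, attribute, value) in document order
        self.active = []  # elements that would run or load content if rendered

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append((tag, name, value))
            elif name.startswith("on"):  # inline event handlers such as onload
                self.active.append(f"{tag}[{name}]")


def safe_preview(raw_message: str) -> dict:
    """Return an inert view of a quarantined message for display to an admin."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    source = part.get_content() if part is not None else ""
    collector = LinkCollector()
    collector.feed(source)
    return {
        # Everything shown to the administrator is escaped, so the browser
        # displays markup as text and never follows a link or runs a script.
        "subject": html.escape(str(msg["Subject"] or "")),
        "escaped_source": html.escape(source),
        "urls": collector.urls,
        "active": collector.active,
    }


if __name__ == "__main__":
    view = safe_preview(SAMPLE)
    print(view["escaped_source"])
    for tag, attr, url in view["urls"]:
        print(f"{tag}.{attr} -> {url}")
    print("active content:", view["active"])
```

Listing the link targets next to the escaped source lets the reviewer see where a link really points before deciding whether to release the message.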
Extra users can be added to gain access to the web<br />
interface either as administrator or regular user, and<br />
each of these can have various roles assigned. This is<br />
a useful tool, allowing the dispersion of selected<br />
administrative tasks to other users on a per need basis.<br />
Administrators can build the spam rules for recipients<br />
or senders via a system of scoring. Using this method,<br />
negative scores give a more relaxed and tolerant<br />
approach to spam while positive scores make the<br />
approach much stricter. A variety of rules may be built<br />
up on clean messages as well as suspected spam and<br />
virus-infected ones.<br />
There is also a group of rule settings under the label<br />
“paranoid” which allows the administrator to fine tune<br />
some of the mail blocking settings. Further useful<br />
functionality is provided by optional daily reports via<br />
email to individual users notifying them of mail<br />
classified as “most likely false positives”. Users then<br />
have the option of releasing these messages, not only<br />
allowing them to contribute to a corporate spam policy<br />
but also relieving some of the administrative burden.<br />
THE VERDICT<br />
An accomplished, robust and flexible product<br />
that is not only easy to set up and use, but also<br />
alleviates some of the burden of the<br />
administrator. This online solution would fit well<br />
for any company who wants to outsource their<br />
spam solution to an effective<br />
managed service.<br />
SurfControl E-Mail Filter SMTP<br />
DEVELOPER’S STATEMENT: SurfControl E-mail Filter for SMTP is<br />
compatible with all SMTP-based email systems and offers a scalable,<br />
secure messaging solution for organizations of all sizes and vertical<br />
markets.<br />
Manufacturer: SurfControl plc<br />
Contact details: www.surfcontrol.com/products/email/<br />
SurfControl E-Mail Filter SMTP has achieved the Checkmark Standard Certification for Anti-Spam solutions.<br />
www.check-mark.com<br />
Powered by SurfControl’s Adaptive Threat<br />
Intelligence, E-mail Filter offers continuous<br />
protection against not only spam, but also<br />
phishing attacks, spyware, viruses and malicious code<br />
with customizable protection from corporate data<br />
leakage, compliance and email management.<br />
SurfControl’s E-mail Filter is a software solution that<br />
sits upon a Windows 2000 or 2003 Server installation.<br />
The version of E-mail Filter provided for test works for<br />
any SMTP host, although SurfControl also provide a<br />
solution geared specifically toward Exchange. It can be<br />
deployed across multiple servers to provide load-balancing<br />
and failover protection.<br />
The installation itself was very straightforward, and<br />
provides the necessary prerequisites such as the<br />
Microsoft Database Engine (MSDE) if they are not<br />
already present on the system. We had the system<br />
ready to receive email very quickly.<br />
The E-mail Filter software itself has several distinct<br />
components, each of which can be loaded separately.<br />
They include Dictionary Management, the message<br />
administrator, a monitor application, QueueView, the<br />
Rules Administrator, various scheduler tools, and a web<br />
administrator interface. Even though these are all<br />
separate applications, each can open the others from<br />
the tools menu in each interface.<br />
The Dictionary Management tool shows the user what<br />
is in the contents of the spam filtering dictionaries<br />
supplied by SurfControl, and allows the user to add, edit<br />
or remove words and phrases as necessary as well as<br />
create custom dictionaries. This is straightforward and<br />
the methods for adding data are clear.<br />
The Message Administrator shows the user the<br />
quarantine folders. Each of these that contains mail has<br />
a number next to the title indicating the number of<br />
messages, giving a rapid overview of the types of traffic<br />
coming through the mail stream. The window itself is<br />
split into four panes. These display the list of quarantine<br />
folders, some overview data regarding the individual<br />
messages (such as subject, recipient and sender), the<br />
component parts of the message that is currently<br />
highlighted, and finally a copy of the currently<br />
highlighted message.<br />
There are several options for mail within this highly<br />
intuitive interface – the messages can be released,<br />
moved to a different queue, deleted, and a search can<br />
be done based upon the recipients of mails. A notable<br />
feature is that while this application is open, new<br />
messages received are heralded by a pop-up dialog<br />
box to inform the user so that they can amend any<br />
searches or further examine the relevant data.<br />
The Monitor interface shows statistics for E-mail<br />
Filter’s Receive, Rules and Send services, and has<br />
logging panes for each of these. Within this application<br />
it is possible to track the progress of an email from entry<br />
into the system through to either quarantine or release.<br />
The rules which are being triggered can be traced so<br />
that an administrator can immediately see where<br />
decisions are made within the software.<br />
The Rules Administrator is where a user can really get<br />
to grips with how mail is processed by E-mail Filter.<br />
Complex rules can be built very quickly using a drag-and-drop<br />
interface.<br />
The Web Administrator brings together several of<br />
these applications, allowing viewing of the traffic logs,<br />
rules and system logs, as well as an online version of<br />
both the Dictionary Management application and the<br />
Message Administrator.<br />
THE VERDICT<br />
A highly capable software solution with an<br />
impressive spam engine and well-thought-out<br />
mechanisms for dealing with corporate<br />
messages, this solution offers a wealth of<br />
interactive options and a pleasant interface.<br />
E-Mail Filter offers an intuitive<br />
way of building rules and lots<br />
of documentation.<br />
SurfControl RiskFilter – Email<br />
DEVELOPER’S STATEMENT: SurfControl RiskFilter–E-mail is<br />
compatible with all SMTP-based email systems and offers a scalable,<br />
secure messaging solution for organizations of all sizes and vertical<br />
markets.<br />
Manufacturer: SurfControl plc<br />
Contact details: www.surfcontrol.com/products/email/riskfilter<br />
SurfControl RiskFilter – Email has achieved the Checkmark Standard Certification for Anti-Spam solutions.<br />
www.check-mark.com<br />
SurfControl’s RiskFilter combines content<br />
recognition abilities with multi-layered blended<br />
threat recognition and extensive reporting and<br />
analysis to provide the tools and flexibility to protect<br />
against harmful and inappropriate content – both<br />
inbound and outbound.<br />
RiskFilter is a 1U rackmountable device with a front<br />
fascia on a hinge and swivel mechanism, so that it can<br />
be pulled out, twisted down, and tucked underneath the<br />
main body of the unit without ever having to remove it<br />
fully. This gives access to the main power and reset<br />
switches, the CD, floppy and the removable drives.<br />
The arrival of the RiskFilter product in the lab was<br />
preceded by a pre-configuration questionnaire which<br />
contained a checklist of necessary prerequisites along<br />
with sections for the administrator to fill in with DNS and<br />
IP details relevant to the company. After mailing this<br />
back, SurfControl partially preconfigured the device – a<br />
great help to an administrator under a heavy workload.<br />
The initial setup of the RiskFilter was very easy – the<br />
provided starter guide gives clear and concise advice.<br />
Each separate step in the procedure is accomplished<br />
by logging in at a console or terminal for initial<br />
configuration of the networking and then updating and<br />
configuring the application itself, using the two secure<br />
web interfaces available, to setup relays and build mail<br />
routing.<br />
Both web interfaces are SSL encrypted and are split<br />
to allow administration of the device itself through one<br />
port and of the software on the other port. This is a neat<br />
implementation that allows devolution of responsibility<br />
for the central spam management without giving access<br />
to the configuration of the device itself. Further control<br />
may be given to individual end-users via a further web<br />
interface that deals with End-User Spam Management<br />
(EUSM), although that functionality was not tested in<br />
this case. Although there are two interfaces, overall the<br />
setup and configuration of this device was speedy and<br />
the starter guide is written in a way that ensured<br />
it was trouble free.<br />
As an overlay service that covers the essential system<br />
administration tasks, the Webmin or System<br />
Management Console provides an intuitive method of<br />
setting the parameters for logging, network interfaces<br />
and clustering on the underlying Linux installation<br />
without ever getting near the OS itself – the subdued<br />
grays and blues make this easy on the eye and easy to<br />
navigate. All the options are well-labeled and easy to<br />
find and tasks can be performed intuitively.<br />
The RiskFilter email console interface acts to allow<br />
alterations to be made to the SurfControl software<br />
installed on the device, with alterations to the spam<br />
management system being performed via this route.<br />
This interface is stylistically similar to SurfControl’s<br />
website and has the same color scheme with shades of<br />
blue and touches of red, black and gray on a mostly<br />
white background. This gives a clean uncluttered look<br />
to the presentation and this serves the RiskFilter well.<br />
The interface is split into three major groups: System<br />
Settings, Policy Manager, and Reports and Logs, with<br />
each section having subsections that are appropriately<br />
grouped so that all options are exactly where the user<br />
expects them to be. The accompanying administrator’s<br />
guide provides simple advice for navigating and making<br />
changes within the interface, and is enhanced by<br />
screen grabs, ensuring that the user is not left with any<br />
doubts when making alterations.<br />
The Policy Manager section is where an administrator<br />
is likely to spend most of his or her time, as here it is<br />
possible to create new policies or alter existing ones.<br />
These can be set to read only, or to be altered by<br />
individual users using the EUSM facility. The RiskFilter<br />
quarantines all spam messages by default, stopping<br />
users from seeing the messages in their inboxes, but it<br />
is possible to apply other actions to incoming<br />
messages, such as adding a user-defined subject<br />
alteration or X-header and then delivering the message<br />
anyway.<br />
THE VERDICT<br />
RiskFilter's dynamic and effective spam engine<br />
makes this solution a convincing contender for<br />
inclusion in any administrator's shortlist. The<br />
documentation is plentiful and the system is<br />
easy to set up and configure.<br />
An intuitive interface and good<br />
support from SurfControl<br />
complete the package.<br />
MailGate Edge and MailGate Email Firewall<br />
DEVELOPER’S STATEMENT: MailGate products provide companies<br />
with comprehensive email security including protection from network<br />
edge defense, anti-spam, antivirus, content filtering, and policy-based<br />
routing of secure email via multiple encryption methods.<br />
Manufacturer: Tumbleweed Communications Corp.<br />
Contact details: www.tumbleweed.com<br />
MailGate Edge and MailGate Email Firewall from Tumbleweed have achieved the Checkmark Premium Certification for Anti-Spam solutions.<br />
www.check-mark.com<br />
The Tumbleweed solution under test comprises<br />
two parts of its multiple device MailGate solution:<br />
the MailGate Edge and the MailGate Email<br />
Firewall. Both of these components are available<br />
separately and both perform distinct services.<br />
MailGate takes an integrated approach to email<br />
security, providing intelligent defense against network<br />
attacks, zero-hour protection from spam outbreaks with<br />
additional services in the form of anti-virus, deep<br />
content inspection of inbound and outbound messages<br />
and attachments with automatic routing and encryption<br />
of sensitive or protected messages.<br />
The MailGate Edge is a relay appliance that removes<br />
directory harvest attacks and email denial-of-service<br />
(DoS) attacks. It checks for malformed packets and for<br />
invalid recipient addresses, thus removing a large<br />
proportion of what Tumbleweed terms “dark traffic”. The<br />
MailGate Email Firewall provides the usual forms of<br />
spam protection using a policy-based system that<br />
allows an administrator to alter existing policies or<br />
create new ones.<br />
Each box is a 1U rackmounted device and the focus<br />
is on simplicity of use from the outset. The configuration<br />
was straightforward for both boxes with lots of clear<br />
diagrams and advice in the provided manuals. After the<br />
configuration the method of installing the two devices<br />
becomes more distinct.<br />
The SSL encrypted web interface for the MailGate<br />
Edge takes the user through a series of steps asking for<br />
basic information such as mail server address and<br />
proxy settings. The manual reminds the administrator to<br />
check that the corporate firewall settings are<br />
appropriately in place for correct operation. The entire<br />
process is speedy, allowing the administrator to get the<br />
device in place and functioning quickly.<br />
The MailGate Edge has a fairly simple web interface<br />
with menus and submenus arranged across the top of<br />
the screen and the main body of the page devoted to<br />
data. All of the menus are easy to navigate and options<br />
are simple to find. At the initial login the interface loads<br />
a statistics reporting page that displays a graphical<br />
representation of the messages received, messages<br />
passed through and messages blocked by category.<br />
By not overcomplicating the web interface for the<br />
administrator this device will win a lot of converts. The<br />
running tickertape style display on the LCD panel<br />
enables users to see at a glance what level of<br />
protection the MailGate Edge is offering.<br />
The MailGate Email Firewall uses a remote desktop<br />
connection to install the software before any web-based<br />
configuration can take place. The well-written and<br />
comprehensive setup documentation details how to<br />
build and deploy the software.<br />
The device uses a licensable option called DAS<br />
(dynamic anti-spam) to do all the filtering. This allows<br />
the administrator to build policies using a Catch – Action<br />
– Exclude setup method whereby any messages with<br />
certain characteristics have specific actions applied to<br />
them unless they fall under a subset. These are easy to<br />
construct, and from the administrator’s point of view<br />
easily extendable.<br />
Further configuration is performed via an SSL<br />
encrypted web interface. The availability of a lot of data<br />
does not preclude the menus from being easy to<br />
navigate and well laid out, with options in four groups.<br />
The first group gives plenty of data regarding the<br />
operations that are being performed within a given<br />
timeframe including reports and a status screen. The setup<br />
of the rules is part of the second group. Next up is the<br />
group that allows for the system settings to be altered.<br />
Finally the last group consists of a Log Out, with context-sensitive<br />
help that is clearly written and appropriate.<br />
The Email Firewall is set to quarantine by default, but<br />
can also be set to drop, return, detain, redirect, defer<br />
delivery or deliver normally for any message that is<br />
marked by the internal engines as spam. Add to this the<br />
ability to add recipients, change the subject line, add<br />
headers and add notifications or annotations and<br />
overall this system offers a lot of choice.<br />
THE VERDICT<br />
A powerful grouping of spam engine and<br />
attack prevention devices makes this a<br />
powerhouse of mail protection, well-presented,<br />
well-documented, and simple to use. Any<br />
company would be well advised to include it on<br />
a shortlist. Overall, it earned<br />
our highest rating: CheckMark<br />
Anti-Spam PREMIUM.<br />
Tel: +44 (0) 1792 324000<br />
For more information, contact Mark Thomas by email mthomas@westcoast.com • www.westcoastlabs.org