E-mail please, hold the spam
February 15, 2000
by Travis Berkley
(IDG) -- Whether it's a seldom-seen nuisance or an in-box clogger, e-mail spam is annoying. There are plenty of programs that filter spam at the client, but for most organizations the better solution is to stop it at the mail server, before it reaches anyone's in-box.
We tested three products that seemed to be strong in different categories. Our winner, Lyris Technologies' MailShield, wasn't the flashiest program or the easiest to use, but it was best at the main task - stopping spam. Computer Software Manufaktur's Internet Mail Scanner was a close second. It doesn't have quite the power and flexibility of MailShield when it comes to catching spam, but it's still a very effective tool, with a nice administrative interface and good statistical and reporting tools. GFI Fax & Voice's Mail Essentials has less flexibility in fighting spam than the others, but it has many other nice features and was the only package with extra capabilities when used as a front end to an Exchange server.
The real meat of these products is their ability to stop unwanted e-mail from wasting your users' time. The products intercept messages with questionable content and delete them or let an administrator decide what to do with them.
Holding message headers up to scrutiny is an easy and effective way to screen mail. There are two ways to use this technique - verification and authorization. Verification checks that the addresses in the various header fields are valid. A message claiming to come from the bogus domain Make.Money.Fast would be nixed because that domain doesn't exist in the Domain Name System (DNS). Keep in mind what verification does and doesn't prove: the domain is real, but nothing says the message actually came from it, because headers are trivially forged. It catches only the spammer who didn't bother to borrow a real domain name.
Authorization, on the other hand, lets you decide whether you want mail from a particular user or domain at all. Let's say SpamCorp.com is a valid firm but frequently sends mail you'd rather didn't reach your users. You can add SpamCorp.com to your list of domains from which you do not accept mail, even though a DNS query for it comes back fine.
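As an added illustration of the two checks (example code written for this page, not code from any of the products reviewed): a small Python screener that verifies the domain in the From, Sender and Return-Path headers against DNS and then applies a deny list of users, domains and address ranges. The deny list, the sample messages and the DNS table are constructed; the `resolver` argument lets you swap the stdlib lookup for that table so the example runs offline.

```python
import ipaddress
import socket
from email import message_from_string
from email.utils import parseaddr

# Constructed deny list for the authorization check: senders that are refused
# even though DNS says their domain is real. TEST-NET-1 stands in for a
# network you have chosen to refuse.
DENY_USERS = {"offers@spamcorp.com"}
DENY_DOMAINS = {"spamcorp.com"}
DENY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Headers whose address is checked against DNS.
VERIFIED_HEADERS = ("From", "Sender", "Return-Path")

def address_domain(header_value):
    """Domain part of an address header ("Name <user@host>" or bare), lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def stdlib_resolver(name):
    """Does the name resolve at all? The stdlib has no MX lookup, so this is the
    weaker check: a real gateway would ask for MX records as well."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def verify_headers(msg, resolver=stdlib_resolver):
    """Verification: every address-bearing header that is present must name a
    domain that exists. Returns a list of (header, reason); empty means verified."""
    failures = []
    for name in VERIFIED_HEADERS:
        value = msg.get(name)
        if value is None:
            continue                      # absent headers are a separate check
        domain = address_domain(value)
        if domain is None:
            failures.append((name, "has no domain"))
        elif not resolver(domain):
            failures.append((name, "domain does not resolve"))
    return failures

def authorized(msg, client_ip):
    """Authorization: refuse senders you have decided not to hear from."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in DENY_NETWORKS):
        return False, "client address %s is in a denied network" % client_ip
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr in DENY_USERS:
        return False, "sender %s is denied" % addr
    if address_domain(addr) in DENY_DOMAINS:
        return False, "domain %s is denied" % address_domain(addr)
    return True, "ok"

def screen(raw_message, client_ip, resolver=stdlib_resolver):
    """Run verification, then authorization; returns 'accept' or 'reject: <why>'."""
    msg = message_from_string(raw_message)
    failures = verify_headers(msg, resolver)
    if failures:
        return "reject: %s header %s" % failures[0]
    ok, reason = authorized(msg, client_ip)
    return "accept" if ok else "reject: " + reason

# Constructed DNS table so the example runs offline; the default
# stdlib_resolver queries real DNS instead.
FAKE_DNS = {"example.com": True, "spamcorp.com": True}
def fake_resolver(name):
    return FAKE_DNS.get(name, False)

# Constructed sample messages.
BOGUS = "From: Get Rich <money@Make.Money.Fast>\nTo: you@example.com\nSubject: hi\n\nbody\n"
SPAMCORP = ("From: offers@spamcorp.com\nReturn-Path: <bounce@spamcorp.com>\n"
            "To: you@example.com\nSubject: deal\n\nbody\n")
CLEAN = "From: alice@example.com\nTo: you@example.com\nSubject: lunch\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("bogus", BOGUS), ("spamcorp", SPAMCORP), ("clean", CLEAN)):
        print(label, "->", screen(raw, "203.0.113.5", fake_resolver))
```

Note the order: verification runs first because it is cheap and needs no local policy, and a sender that fails it never reaches the deny list. The SpamCorp message passes DNS and is stopped only by authorization, which is exactly the case the two-step design exists for.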
Lyris' MailShield is the most flexible at scanning for spam. It has more options than most e-mail administrators will know what to do with. Its only drawback, compared with the other two products, is its inability to provide antivirus scanning.
MailShield can verify and authorize most of the header fields defined in RFC 822, the standard that specifies the format of Internet mail messages and their headers. In addition, MailShield can limit the number of recipients on a single piece of e-mail, or simply slow delivery down above certain thresholds.
MailShield also includes an interesting feature known as tarpitting. Used to discourage spamming, tarpitting is triggered when mail arrives from a domain or TCP/IP address you have blacklisted ahead of time. MailShield accepts mail from such a host, but it waits a specified amount of time before answering each command the originating host sends. Effectively, it slows delivery from that host to a crawl while costing the receiving server little more than an idle connection. As the number of messages grows, the delays add up, and the originating host must stay connected the entire time for delivery to complete.
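To make the mechanism concrete, here is a tarpitting SMTP front end as an added example (written for this page in Python, not MailShield's own code). The blacklisted network, the host name and the per-command delay are constructed, and the delay is kept tiny so the example runs quickly; a real tarpit would hold each reply for many seconds. The `simulate` helper drives a session with a fake sleep so the stall can be measured without waiting or opening a socket.

```python
import asyncio
import ipaddress

# Constructed blacklist (TEST-NET-1) and a deliberately small per-command delay.
TARPIT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
TARPIT_DELAY = 0.05

def tarpit_delay(peer_ip, networks=TARPIT_NETWORKS, delay=TARPIT_DELAY):
    """Seconds to hold every reply for this peer: zero unless it is listed."""
    ip = ipaddress.ip_address(peer_ip)
    return delay if any(ip in net for net in networks) else 0.0

class SmtpSession:
    """Just enough SMTP to show where the delay goes. A tarpitted peer is
    answered like anyone else, only late; the cost to us is one idle socket,
    the cost to the sender is a connection it must keep open for the whole
    drawn-out conversation."""

    def __init__(self, peer_ip, sleep=asyncio.sleep):
        self.delay = tarpit_delay(peer_ip)
        self.sleep = sleep          # injectable so a test need not really wait
        self.in_data = False
        self.held = 0.0             # total seconds this peer has been stalled

    async def respond(self, line):
        """Reply for one line from the client, or None for a message body line."""
        if self.in_data and line != ".":
            return None                      # body line: no reply, no delay
        if self.delay:                       # the tarpit: every command waits
            await self.sleep(self.delay)
            self.held += self.delay
        if self.in_data:                     # "." ends the DATA phase
            self.in_data = False
            return "250 OK: queued"
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb in ("MAIL", "RCPT"):
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

async def handle(reader, writer):
    """asyncio connection handler: one SmtpSession per TCP connection."""
    peer_ip = writer.get_extra_info("peername")[0]
    session = SmtpSession(peer_ip)
    writer.write(b"220 mail.example.com ESMTP\r\n")
    await writer.drain()
    while True:
        raw = await reader.readline()
        if not raw:
            break
        reply = await session.respond(raw.decode("latin-1").rstrip("\r\n"))
        if reply is not None:
            writer.write((reply + "\r\n").encode("latin-1"))
            await writer.drain()
        if reply == "221 Bye":
            break
    writer.close()

async def serve(host="127.0.0.1", port=2525):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

def simulate(peer_ip, commands):
    """Drive a session without the network or real sleeping; returns the
    replies and the total time the peer would have been held."""
    async def run():
        waits = []
        async def fake_sleep(seconds):
            waits.append(seconds)
        session = SmtpSession(peer_ip, sleep=fake_sleep)
        replies = [await session.respond(c) for c in commands]
        return replies, sum(waits)
    return asyncio.run(run())

if __name__ == "__main__":
    asyncio.run(serve())
```

Because the delay is applied per command rather than per body line, a seven-line exchange from a listed host is stalled six times (HELO, MAIL, RCPT, DATA, the end-of-data marker and QUIT) while the body lines stream through. One practical limit to keep in mind when tuning this: every stalled sender still occupies a connection on your side, so cap concurrent connections from any one address.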
MailShield can also scan messages for strings that indicate spam. These strings can be single words, such as "XXX," or entire phrases, such as "make money fast." MailShield can also check the size of a message and check file attachment names. For example, you could have MailShield check for attachments called happy99.exe, or other well-known carriers of doom and gloom, and drop them.
MailShield handles offending messages in different ways. It can simply delete them, forward them to an administrator or let the message be delivered but prefix the subject with a tag, such as Suspected Spam.
In addition to its native capabilities, MailShield works with Internet-based services that help people eliminate spam. For example, the nonprofit Mail Abuse Prevention System maintains a Realtime Blackhole List (RBL) of known spam sites. Though disabled by default, MailShield can check with this service. However, using the RBL can eliminate legitimate mail in some instances. If one person on America Online sends a spam message, the RBL could mark AOL as a spam site, punishing many for the act of one. Lyris recommends using the RBL only if the possibility of rejecting valid mail isn't critical. MailShield also works with the group's Dial-up User List (DUL), which catalogs the dial-up address ranges of ISPs. Legitimate mail from a dial-up user arrives through the ISP's mail server; mail that comes straight from a dial-up address is usually a spammer's own sending software, so the DUL lets you refuse it.
Computer Software's Internet Mail Scanner has an interface that is much easier to use than MailShield's. Internet Mail Scanner employs most of the same verification and authorization techniques as MailShield. Verification of addresses can be set for the From, Sender, Return Path and Message ID fields.
Additionally, there are five more options, enabled by default, that automatically flag a message as spam: a missing To header; an empty To header; a missing Subject header; and the presence of an X-Warning or an X-Authentication-Warning header. The omission of a To header can indicate that a message wasn't intended for a particular user; spam is often sent to users as carbon copy or even blind carbon copy recipients. Missing subject headers are a way of enticing users to open a message to see what's inside. Finally, various mail handlers add the X-Warning and X-Authentication-Warning headers when they are suspicious of the origins of a message.
For authorization, Internet Mail Scanner uses a text file that lists users, domains and TCP/IP address ranges from which you do not want to receive mail.
As for content scanning, Internet Mail Scanner checks only the Subject header for words or phrases. The same configuration file that holds the offending users and addresses also holds the words and phrases Internet Mail Scanner should treat as spam.
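The five header heuristics, the subject-phrase check and the three dispositions described above (delete, forward to an administrator, or tag and deliver) are worth seeing together, so here they are as an added Python example. This is code written for this page, not Internet Mail Scanner's; the administrator address, the phrase list, the tag text and the sample messages are all constructed.

```python
import re
from email import message_from_string

# Constructed configuration standing in for the scanner's text file: which
# header heuristics are on, which subject phrases count as spam, and where
# flagged mail goes.
ADMIN = "postmaster@example.com"
SPAM_PHRASES = ["make money fast", "xxx", "free offer"]
HEURISTICS = {
    "missing_to": True,
    "empty_to": True,
    "missing_subject": True,
    "x_warning": True,
    "x_authentication_warning": True,
}

def header_flags(msg, enabled=HEURISTICS):
    """The five header heuristics; returns the reasons that fired."""
    reasons = []
    to = msg.get("To")
    if enabled["missing_to"] and to is None:
        reasons.append("missing To")          # Cc- or Bcc-only delivery
    elif enabled["empty_to"] and to is not None and not to.strip():
        reasons.append("empty To")
    if enabled["missing_subject"] and msg.get("Subject") is None:
        reasons.append("missing Subject")
    # Upstream mail handlers add these when they distrust the message's origin.
    for name in ("X-Warning", "X-Authentication-Warning"):
        if enabled[name.lower().replace("-", "_")] and name in msg:
            reasons.append(name + " header present")
    return reasons

def subject_hits(msg, phrases=SPAM_PHRASES):
    """Phrase match on the Subject only, as the reviewed scanner does. Matching
    on word boundaries keeps 'xxx' from firing on a product code like AXXX-1."""
    subject = (msg.get("Subject") or "").lower()
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", subject)]

def scan(raw):
    """Return (reasons, message) for one raw message; no reasons means clean."""
    msg = message_from_string(raw)
    reasons = header_flags(msg) + ["subject matches '%s'" % p for p in subject_hits(msg)]
    return reasons, msg

def dispose(raw, action="tag"):
    """Apply the configured action to a hit: 'delete', 'forward' to the
    administrator, or 'tag' the subject and deliver. Returns (outcome, message)."""
    reasons, msg = scan(raw)
    if not reasons:
        return "deliver", msg
    if action == "delete":
        return "deleted", None
    msg["X-Spam-Reasons"] = "; ".join(reasons)     # so the reader can see why
    if action == "forward":
        del msg["To"]
        msg["To"] = ADMIN
        return "forwarded to " + ADMIN, msg
    subject = msg.get("Subject") or ""
    del msg["Subject"]
    msg["Subject"] = "Suspected Spam: " + subject
    return "tagged", msg

# Constructed sample messages.
CC_ONLY = "From: bulk@example.net\nCc: you@example.com\n\nYou have been selected.\n"
FLAGGED = ("From: bulk@example.net\nTo: you@example.com\nSubject: Make Money FAST!!!\n"
           "X-Authentication-Warning: relay.example.net: bulk set sender using -f\n\nbody\n")
CLEAN = "From: alice@example.com\nTo: you@example.com\nSubject: Lunch?\n\nNoon?\n"

if __name__ == "__main__":
    for label, raw in (("cc-only", CC_ONLY), ("flagged", FLAGGED), ("clean", CLEAN)):
        outcome, msg = dispose(raw)
        print(label, "->", outcome, "|", msg["Subject"] if msg else "")
```

Tagging is the safest default for a new deployment: nothing is lost, users learn to filter on the prefix, and the X-Spam-Reasons header tells you which heuristic fired so you can tune the phrase list before switching any rule to delete.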
Internet Mail Scanner has one content-scanning feature that MailShield lacks. Internet Mail Scanner has two antivirus engines built into it, one by Trend Micro and the other by McAfee, which is the default. It also scans compressed attachments. Updates to the virus definition files are available as a separate subscription service.
Internet Mail Scanner can drop messages that are larger than a settable threshold in two ways: It can politely accept the entire message, then drop it, or it can terminate the connection as soon as the limit is hit. The default size limit is only 19K bytes, but enforcing this limit is not turned on by default.
Like MailShield, Internet Mail Scanner can take advantage of the RBL, but it doesn't support the DUL.
The third product, GFI Fax & Voice's Mail Essentials, has a variety of features but doesn't give you as many configuration options as the other two products.
When scrutinizing message headers, Mail Essentials looks only at the From header, but it can refuse an e-mail that has no From header or has an invalid one. Mail Essentials can also be configured to refuse mail from domains you specify.
Mail Essentials does better in the arena of content scanning by employing a two-tier approach to checking messages. First, it can simply delete messages that contain key words and phrases, either in the subject or in the message body. But Mail Essentials can also forward questionable messages to an administrator for review. Mail Essentials terms this action "quarantining" the message. When a message is quarantined, an HTML version of the message is sent to an administrator, who can either approve the message to deliver it, delete the message, or delete it and notify the originator that the message was not delivered.
An interesting feature of Mail Essentials is the ability to block messages that are PGP-encrypted. Encrypted messages cannot be scanned for content, so allowing them to pass implies trust of the originator. Most spammers don't go to the trouble of looking up users' public PGP keys.
But Mail Essentials includes this feature for another reason: it can automatically encrypt all outbound mail passing through it with PGP when it holds the recipient's public key. PGP itself is not included (it is available free to nonprofit and educational organizations), but once it is installed, Mail Essentials can maintain a "key ring" of sites that use encryption. For example, you may want to protect the content of messages to a company with which you do business, but not messages to everyone else. Mail Essentials sees that a message is destined for a host for which it has a public key and encrypts it automatically. Likewise, when Mail Essentials receives an encrypted message from that site, it can decrypt it automatically. Note that the gateway, not the user, holds the keys: mail is protected between the two mail servers, but it travels in the clear between your gateway and your users' desktops.
If Mail Essentials sees a message that is still encrypted when it tries to scan it, that means a user is running PGP on his own at the desktop rather than relying on the gateway. By blocking such messages, the administrator can force users onto the corporate encryption scheme.
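As an added example of the encrypted-mail policy described in the last three paragraphs (written for this page in Python; it is not GFI's code, and it does no cryptography itself): a gateway must first recognize an encrypted message, which can arrive either as PGP/MIME (RFC 2015, a multipart/encrypted container) or as an ASCII-armored block pasted into a text part, and then decide whether to decrypt and scan it, refuse it, or pass it through unscanned. The key ring, the domains and the sample messages are constructed, and the armored blocks are placeholders rather than ciphertext.

```python
from email import message_from_string
from email.utils import parseaddr

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

# Constructed key ring: the domains with which the gateway exchanges encrypted
# mail, and the public key it encrypts to for each. Not a real key ID.
KEYRING = {"partner.example": "0x1234ABCD"}

def is_pgp_mime(msg):
    """PGP/MIME (RFC 2015): multipart/encrypted whose protocol parameter names
    PGP, carrying a version part followed by the ciphertext part."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")

def has_inline_armor(msg):
    """The older style: an armored block pasted into a text part. Walking every
    text part catches it inside multipart mail as well as in a plain body."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if ARMOR_HEADER in (part.get_payload(decode=True) or b""):
                return True
    return False

def classify(raw):
    """'pgp-mime', 'inline' or 'plain' for a raw message string."""
    msg = message_from_string(raw)
    if is_pgp_mime(msg):
        return "pgp-mime"
    if has_inline_armor(msg):
        return "inline"
    return "plain"

def address_domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def inbound_action(raw, allow_unscanned=False):
    """Gateway policy for inbound mail. Plain mail is scanned. Encrypted mail
    from a key-ring correspondent is decrypted at the gateway (with the
    gateway's own private key) and then scanned. Encrypted mail from anyone
    else cannot be scanned, so it is refused unless the administrator has
    chosen to trust it through unscanned."""
    msg = message_from_string(raw)
    if classify(raw) == "plain":
        return "scan"
    if address_domain(msg.get("From")) in KEYRING:
        return "decrypt at gateway, then scan"
    return "deliver unscanned" if allow_unscanned else "reject: encrypted, cannot be scanned"

def outbound_action(raw):
    """Encrypt only to domains in the key ring; everything else goes in the clear."""
    msg = message_from_string(raw)
    key = KEYRING.get(address_domain(msg.get("To")))
    return "encrypt to %s" % key if key else "send in clear"

# Constructed sample messages; the armored blocks are placeholders, not ciphertext.
PGP_MIME = """\
From: bob@partner.example
To: you@example.com
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

placeholder, not real ciphertext
-----END PGP MESSAGE-----

--b1--
"""
INLINE = """\
From: carol@unknown.example
To: you@example.com
Subject: hello

-----BEGIN PGP MESSAGE-----

placeholder, not real ciphertext
-----END PGP MESSAGE-----
"""
PLAIN = "From: alice@example.com\nTo: you@example.com\nSubject: lunch\n\nNoon?\n"

if __name__ == "__main__":
    for label, raw in (("pgp/mime", PGP_MIME), ("inline", INLINE), ("plain", PLAIN)):
        print(label, "->", classify(raw), "|", inbound_action(raw))
```

The inline check matters as much as the MIME one: a user who pastes armored text into an ordinary message defeats a gateway that only inspects Content-Type, and that is precisely the desktop-PGP case the article says the administrator may want to block.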
Mail Essentials, like Internet Mail Scanner, can scan messages for viruses, but the engines are not included as part of the license. It knows how to interact with four popular engines (McAfee, Dr. Solomon's, Norton and F-Prot) or a custom scanner that accepts command-line parameters.
Mail Essentials doesn't currently use any of the Internet-based antispam services, though previous versions could use the RBL. Due to user requests, the company said it will probably bring the RBL back in a future release.
The flip side to spam is relaying. A relayed message is first sent to a host that in turn delivers it to the final recipient. An open relay gives spammers unwarranted credibility, because their mail appears to come from a trusted source, and it shifts the delivery load, and the resulting blacklisting, onto your server. But most legitimate mobile users, who read their mail over Internet Message Access Protocol (IMAP) or POP, still need to submit their outbound messages through your SMTP server from wherever they happen to be. How do you let authorized users relay mail but keep unauthorized people out?
Lyris' MailShield lets you specify domain names and TCP/IP address ranges to allow or reject relay attempts. For example, you can let your internal users relay e-mail out, but not let foreign e-mails be relayed from your site to another site.
Computer Software's Internet Mail Scanner has similar antirelay functions, turned on by default. Users defined as internal can relay mail out through Internet Mail Scanner. You can also authorize individual external users to relay through the server, but not a whole domain. In addition, you can configure the days of the week and times of day at which relaying works. These extra options for handling relayed mail give it a slight edge over the competition.
GFI's Mail Essentials refuses to accept mail that isn't addressed to one of its internal domains. Relay checking is enabled unless Mail Essentials doesn't know whom to protect, which would happen only if you deleted all local domain information. A setting lets an administrator define which domains are allowed to use it as a relay server, and those domains can be further restricted by IP address. Additionally, Mail Essentials can be configured to route outbound mail destined for certain domains to mail servers other than the default.
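The relay rules the three products implement come down to one decision per RCPT TO command, shown here as an added Python example (written for this page, not taken from any of the products). The local domains, internal networks, relay users and relay hours are constructed. One assumption is mine rather than the article's: external users are recognized by SMTP authentication (RFC 2554), since identifying them by the MAIL FROM address alone would let anyone relay by forging it, which is the failure mode the last case demonstrates.

```python
import ipaddress
from email.utils import parseaddr

# Constructed relay policy for a gateway protecting example.com.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]
RELAY_USERS = {"roadwarrior@example.com"}   # external users who may relay after SMTP AUTH
RELAY_HOURS = range(6, 22)                  # local hours during which external relay works

def address_domain(addr):
    """Domain part of an envelope address such as '<user@host>', lower-cased."""
    _, bare = parseaddr(addr or "")
    return bare.rsplit("@", 1)[1].lower() if "@" in bare else None

def relay_decision(client_ip, mail_from, rcpt_to, authenticated_as=None, hour=12):
    """Decide one RCPT TO command. Returns (accept, reason).

    Mail for our own domains is always accepted: that is delivery, not relaying.
    Anything else is a relay request and is granted only to internal client
    addresses or to external users who have authenticated. The envelope sender
    (MAIL FROM) is deliberately never consulted: it is attacker-controlled, so
    "looks like one of ours" is no basis for relaying.
    """
    rcpt_domain = address_domain(rcpt_to)
    if rcpt_domain is None:
        return False, "501 bad recipient address"
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "local delivery"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return True, "relay for internal client"
    if authenticated_as and authenticated_as.lower() in RELAY_USERS:
        if hour in RELAY_HOURS:
            return True, "relay for authenticated user"
        return False, "550 relay not permitted at this hour"
    return False, "550 relaying denied (sender %s not trusted from %s)" % (mail_from, client_ip)

if __name__ == "__main__":
    # A spammer's attempt: external address, forged local sender, one foreign
    # recipient (refused) and one local recipient (delivered as ordinary mail).
    for rcpt in ("<victim@other.example>", "<you@example.com>"):
        ok, why = relay_decision("203.0.113.9", "<ceo@example.com>", rcpt)
        print(rcpt, "->", ok, why)
```

The order of the checks is the point: recipient first, because mail for your own domains must always get in; client address second, because that is the one thing the other side cannot forge without controlling the network; authentication last, for the roaming user whose address could be anywhere.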
Having these programs up and running is nice, but there are times when you also need to customize them. MailShield lets you modify its rules, which are written in a proprietary scripting language.
Internet Mail Scanner can be configured to send a notice to administrators when it has relayed mail, received spam, found a virus or received a mail bomb, Internet Mail Scanner's name for an e-mail message that is above the size threshold. When it finds spam or a virus, Internet Mail Scanner can send you a copy of the offending message. There is also an advanced alerting feature that notifies you when specific addresses pass the scanner, whether inbound or outbound.
In Internet Mail Scanner, most configuration changes take effect when you click the "apply" button or close the configuration tool. There are a few well-documented cases in which a change requires restarting the service, but these are changes you don't make often, such as switching the virus-scanning engine.
Mail Essentials also commits changes immediately and doesn't rely on any accompanying text files.
In addition to making changes, it's also good to be able to check up on the software, make sure it's running right and even get some statistics about how much work it's doing for you.
MailShield lacks remote monitoring tools, and its log files can only be viewed at the server itself. MailShield can log to a file on the host system or write entries to the host machine's event log - the Event Viewer on Windows NT or syslog on most Unix systems. While this helps you get a handle on the instances of bad mail, it doesn't show you how much "good" mail is being passed, and it certainly doesn't give you numbers for a quick comparison over time.
Internet Mail Scanner has a nice companion utility called the Remote Watch Monitor that lets you see exactly how much traffic it handled, how much of it was spam and how much was relayed. It keeps a running total, as well as a graph of the last 40 seconds, and tabulates the number of viruses caught.
The Web Monitor that accompanies Mail Essentials lets you connect remotely and check the health of the server. It gives access to the delivery queues, to logs of each day's sent and received items, and to a cumulative log of everything sent and received.
Each product we tested has its own niche. If you want raw power, configurability and good multiplatform support, look no further than our winner, Lyris' MailShield. If you want a solid performer with a cleaner interface and better reporting, Computer Software's Internet Mail Scanner may be right for you. And if you want a nice tool with lots of extras, especially if you're running Exchange, give Mail Essentials a look. All in all, you won't go wrong with any of them.
© 2001 Cable News Network. All Rights Reserved.