SurfControl's RiskFilter

Keep malicious e-mail out of your system with this effective, albeit costly antispam device.

November 19, 2004

5 Min Read

Let the Filtering Begin

From the admin Web pages (https://riskfilter./admin), I completed the steps to insert the appliance into the mail stream to begin filtering. Then I set RiskFilter to relay only outgoing mail from the test domain (w2k.nwc.com) and configured domain-based routing for incoming mail. The domain-based routing entry was set to deliver mail destined for the w2k.nwc.com domain to the SunFire server. I reconfigured Sendmail to forward all mail to RiskFilter to filter all outgoing mail.

You can use other supported techniques to filter incoming mail--black- and whitelists, simultaneous IP connection limits and so on--but content filtering is the most automated and can cut mail administration overhead. However, discovering spam based on content is difficult for any antispam filter.

To test RiskFilter's content filtering, I saved 30 pieces of incontestable spam and 30 legitimate messages. Whether a legitimate article pitch or press release is labeled as spam and isolated may depend on the language used in the pitch and the number of recipients.

Using the default settings (low), I sent the 60 messages from sdoherty@nwc.com on our production mail server to the SunFire. RiskFilter found and isolated all but six spam messages--good, considering the vagaries of the English language and lexical analysis. But it also filtered off one legitimate message--a false positive. Setting the antispam filter from low to high increased the number of false positives, but reduced the number of false negatives.

Sorting the Mail

RiskFilter's EUSM (end-user spam management) tool gives users a list of quarantined e-mail and lets them release messages to their inbox. The tool also lets them manage black- and whitelists. RiskFilter's EUSM works with Active Directory and other LDAP-compliant directory stores to authenticate users.

To prevent directory attacks, you can limit the number of messages sent per IP address. I tested this with a trusted copy of Turbo-Mailer 2.2.3. I sent bulk mail to users on the SunFire test server, but once I reached the number I had set as the maximum number of messages per IP address within a configurable time frame, RiskFilter denied further mail from that address.
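The per-IP message limit described above is a sliding-window counter: once a source address has sent the configured maximum within the time frame, further mail from it is refused until older entries age out. The following is an added example written for this page, not RiskFilter's own code; the class and parameter names are assumptions, and the traffic (timestamps and documentation-range IP addresses) is constructed.

```python
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding-window message counter keyed by source IP address.

    Hypothetical re-creation of a 'maximum messages per IP address within a
    configurable time frame' control, written for this example; it is not
    RiskFilter's code and its parameter names are assumptions.
    """

    def __init__(self, max_messages, window_seconds):
        self.max_messages = max_messages
        self.window_seconds = window_seconds
        self._timestamps = defaultdict(deque)  # ip -> timestamps of accepted messages

    def allow(self, source_ip, now):
        """Return True if a message from source_ip at time `now` is within the limit."""
        q = self._timestamps[source_ip]
        # Discard accepted-message timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_messages:
            return False  # limit reached: deny further mail from this address
        q.append(now)
        return True


def simulate(limiter, events):
    """Feed (timestamp, ip) events through the limiter; return (ip, ts, accepted) tuples."""
    return [(ip, ts, limiter.allow(ip, ts)) for ts, ip in events]


def rejected(results):
    """Collect the events the limiter denied, as (ip, ts) pairs, for alerting or logging."""
    return [(ip, ts) for ip, ts, ok in results if not ok]


# Constructed sample: 198.51.100.7 (documentation range) sends six messages in
# seven seconds, then one more a minute later; 203.0.113.5 sends two ordinary messages.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (1, "203.0.113.5"), (2, "198.51.100.7"),
    (3, "198.51.100.7"), (4, "198.51.100.7"), (5, "198.51.100.7"),
    (6, "198.51.100.7"), (7, "203.0.113.5"), (70, "198.51.100.7"),
]


def run_sample(max_messages=5, window_seconds=60):
    """Run the constructed events with a limit of 5 messages per 60 s."""
    return simulate(PerSourceRateLimiter(max_messages, window_seconds), SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, ts, ok in run_sample():
        print(f"t={ts:>3}s {ip:<14} {'accepted' if ok else 'DENIED (per-IP limit)'}")
```

Only accepted messages are recorded in the window, so a bulk sender is held to exactly the configured count per window rather than being locked out indefinitely; the sixth message from the bulk sender is denied, and the message sent a minute later is accepted again once the earlier timestamps have expired.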

[Figure: RiskFilter Interface]

I wanted to test RiskFilter's ability to isolate virus-bearing messages as identified by McAfee's Anti-Virus Agent, so I sent a series of W32/MyDoom strains and some MultiDropper-KRs using various file names and packaged in zip files. RiskFilter identified and isolated them without a problem. I even added a notification option so that users would know when a message was isolated because of a virus. McAfee's AV Agent is an additional $5.50 per user, per year.

RiskFilter also filters outbound e-mail using policies applicable to domains, groups or individuals. By default, RiskFilter ships with three outgoing filters enabled: antispam, antivirus, and a filter that adds a configurable disclaimer to the top or bottom of a message. I edited the disclaimer to reflect our company policy and defined the actions to take once a rule was triggered.

I created content filters for outgoing mail using keywords, pattern expressions and terms from SurfControl's Content Dictionary. I set up a number of policies prohibiting e-mail mentioning a "collaboration" project in the subject line and body of a message. If the rule was triggered, I isolated the messages on the server for review, notified the project lead via e-mail and sent a copy of the message to myself.

Good

• Filters incoming and outgoing e-mail and attachments
• Lets end users manage spam
• Automatically stores mail for reclamation/archiving
• Secure proxy for POP3, IMAP and Webmail servers

Bad

• Antispam settings not granular
• McAfee AV Agent is an additional cost

SurfControl RiskFilter starts at $12,900 for up to 500 users. SurfControl, (800) 368-3366, (831) 440-2500. www.surfcontrol.com

The Content Dictionary groups terms by subject headings, such as "adult," "hate/speech," "medical" and "violence." It even includes terms with pattern matching for common misspellings, such as "*V1agra*" for Viagra.

You can use three different operators--, and --to create rules within four different filters that contain the filtering rules or policy. You can use an operator numerous times within a rule but cannot mix and match the operators. The more complex the rule and the greater the number of filters, the slower the message processing will be. Keep rules as simple as possible, and direct each at resolving a single issue.

To test custom rules, I created a filter with a number of different patterns to identify and isolate messages sent with a Social Security number in the body: "SSN", "SSN ###-##-####" and "SSN ###?##?####". When I applied the rule, it successfully blocked messages with an SSN in the body.
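The Content Dictionary wildcards ("*V1agra*") and the SSN patterns above are both simple pattern languages layered over a rule with fields to watch and actions to take. The following is an added example for both passages, written for this page and not RiskFilter's code; it assumes a pattern syntax the review does not spell out ('#' one digit, '?' any one character, '*' any run of characters, case-insensitive literals), the rule and function names are invented, the notification addresses are placeholders in the example.test domain, and the sample messages are constructed.

```python
import re


# Assumed pattern conventions (the page does not document RiskFilter's syntax):
#   '#' matches one digit, '?' matches any one character, '*' matches any run
#   of characters; everything else is literal and case-insensitive.
def pattern_to_regex(pattern):
    """Translate a dictionary-style wildcard pattern into a compiled regex."""
    parts = []
    for ch in pattern:
        if ch == "#":
            parts.append(r"\d")
        elif ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*?")
        else:
            parts.append(re.escape(ch))
    # Anchor literal word edges so "SSN" does not fire inside words like "restlessness".
    if pattern[0] not in "*?":
        parts.insert(0, r"(?<!\w)")
    if pattern[-1] not in "*?":
        parts.append(r"(?!\w)")
    return re.compile("".join(parts), re.IGNORECASE)


# Hypothetical rule set; addresses are placeholders, not real mailboxes.
RULES = [
    {
        "name": "ssn-in-body",
        "fields": ("body",),
        "patterns": ["SSN ###-##-####", "SSN ###?##?####", "SSN"],
        "actions": ["isolate", "notify:project-lead@example.test", "copy:admin@example.test"],
    },
    {
        "name": "drug-name-variants",
        "fields": ("subject", "body"),
        "patterns": ["*V1agra*", "*viagra*"],
        "actions": ["isolate"],
    },
]


def compile_rules(rules):
    """Precompile every pattern once; returns new rule dicts with a 'compiled' list."""
    return [dict(rule, compiled=[(p, pattern_to_regex(p)) for p in rule["patterns"]])
            for rule in rules]


def first_match(rule, message):
    """Return (field, pattern) for the first pattern that matches a watched field, else None."""
    for field in rule["fields"]:
        text = message.get(field, "")
        for pattern, regex in rule["compiled"]:
            if regex.search(text):
                return field, pattern
    return None


def evaluate(message, compiled_rules):
    """Return [(rule_name, field, pattern, actions)] for every rule the message triggers."""
    hits = []
    for rule in compiled_rules:
        match = first_match(rule, message)
        if match:
            hits.append((rule["name"], match[0], match[1], rule["actions"]))
    return hits


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = {
    "m1": {"subject": "Account update", "body": "Please update my record, SSN 123-45-6789. Thanks."},
    "m2": {"subject": "Cheap V1AGRA here", "body": "Limited offer."},
    "m3": {"subject": "Q3 notes", "body": "The restlessness around invoice 2004-11-19 is noted."},
    "m4": {"subject": "re: forms", "body": "my ssn 987 65 4321 if you need it"},
}


def run_sample():
    """Map each sample message id to the names of the rules it triggered."""
    rules = compile_rules(RULES)
    return {mid: [h[0] for h in evaluate(msg, rules)] for mid, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    rules = compile_rules(RULES)
    for mid, msg in SAMPLE_MESSAGES.items():
        for name, field, pattern, actions in evaluate(msg, rules):
            print(f"{mid}: rule {name!r} fired on {field} via {pattern!r} -> {actions}")
```

Two points the review makes are visible here: the rules are compiled once and each message is scanned field by field, so processing cost grows with the number of rules and patterns; and the bare "SSN" pattern is only safe because literal patterns are anchored at word edges, otherwise it would fire on ordinary words such as "restlessness" and produce the kind of false positive the spam test turned up.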

Managing the Messages

Once you build rules, you'll need to monitor them for effectiveness. RiskFilter supplies a good depth and breadth of standard reports to monitor the filtering process and search and review isolated messages on the server to take further action.

RiskFilter covers both inbound and outbound mail with delegated administration and three options to securely proxy your production mail (IMAP, POP3 and Webmail). With McAfee AV Agent, RiskFilter is costly compared to most of the antispam products we tested recently, but the price includes one year of support, antispam agent updates, software upgrades and an Advance Replacement Unit Service if you need to return the appliance to SurfControl for repair.

Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. Write to him at [email protected].
