Spam Chat with Ron Anderson

Gaurav What about more intelligent rate-limiting options such as, the likelihood that a newly created account would get 500 e-mails in the first week is quite low?
Ron_Anderson > That's a guess, like key-word filtering. It may be accurate, but what if the new user is a prolific emailer
BarryIT Ron, how beneficial is quarantined email? I've seen the amount of mail generated by a antispam engine to outweigh the spam it's catching.

Ron_Anderson > So in that situation you'd need to tune the quarantine threshold. At two tier approach that deletes spam and quarantines suspected spam is best.
MrMike Which filtering type do you prefer/recommend? keyword, community, bayesian, etc?
Ron_Anderson > An intelligent combination is probably best although one vendor (Greenview Data) catches 95% of the spam they catch using a (URL/Phone Number filter).
Gaurav But for these more intelligent rate-limiting options, shouldn't an appliance offer some sort of alert for an administrator? It doesn't have to be a hard-and-fast rejection of the e-mails, just initiating a warning to the admin.
Ron_Anderson > That would be fine. Anything that reduces spam without limiting real mail is good.
MrMike I've never heard of that approach. Is that like a whitelist?

Ron_Anderson > No. They identify URLs and phone numbers associated with known spam. Since all spam asks you to click here or call this number it makes a lot of sense.
Gaurav Could you please specify any other open-source software that Barracuda used? Does Barracuda allow for the ability to directly modify the configuration files of these programs?
Ron_Anderson > I'll direct you to Barracuda for the first part. For the second, no.
radjr What is the best standalone appliance for a small business with a dedicated t-1 on which all the machines sit. Is the barbedwire appliance a good way to go, or should we sign up with a service like managedinet.com that supplies the box and remotely configures/upgrades?
Ron_Anderson > Any of the three types of solutions we tested would work. The best solution depends on your needs.
BarryIT Ron, for adaptive filters, do they lose effectiveness over time? Do the outsmart themselves?

Ron_Anderson > Adaptive filters can be poorly trained and would then lose their effectiveness. One guy was telling me that he installed an adaptive filter for his mother. She got the training reversed and was only able to receive spam. I don't know if that's true or not, but is an interesting story.
Gaurav How well did the products you saw respond to user/group specific configuration? Do you feel that this is a area that needs to be explored more?
Ron_Anderson > Some were really good about adapting to individually user's needs. The report card includes scores for each product on end-user controls.
MrMike what are the downsides to outsourcing with someone like managedinet?
Ron_Anderson > The biggest reservation I hear is privacy concerns since a third party has access to your mail.
BarryIT A beautiful urban legend there.

Ron_Anderson > It puts a smile on my face!
MrMike Where did the products suffer the most in your review? What do they need to improve on?
Ron_Anderson > The products that require up-front training and that didn't perform a deep header analysis suffered worse. Out-of-the-box accuracy is the most critical feature.
Gaurav Actually Ron, I believe that the adaptive filter scenario you are stating is quite possible. It has been found that if one is not careful with g..a..p..p..y words or keyword variants, Bayesian filtering can end up marking all mail as spam.
Gaurav Is multi-lingual spam support of much use in spam products? Do the products you saw have a powerful enough grasp over non-english spam, as they did with english spam?
Ron_Anderson > Sorry, we didn't test that aspect of these products.
MrMike So are pre-populated corpuses (corpusi?) the way to go? I'd heard they are outdated the minute they're made.
Ron_Anderson > Start with a pre-populated database then train to your email patterns.
rhodyt I'm late, so this may have been posed 5 products were excluded from the test without explanation as to what exactly disqualified them. Can you give some detail or explanations on some of them?
Ron_Anderson > Sorry I don't think it would be fair to the vendors to elaborate. In general some sort of technical problem during the test rendered their results unusable.
Gaurav Is the ability to categorize what type of spam one is receiving (Adult, Finance, etc.) much use?

Ron_Anderson > Spam is spam. I suppose from a legal perspective Adult content could present a special kind of problem for a company.
BarryIT How well do these products fit into a company's existing security infrastructure? Are they fully functioning siblings or outcasts?
Ron_Anderson > Consider these products as specialists in securing port 25.
BarryIT do you foresee spam/antivirus products melding with content filters like surfcontrol?
Ron_Anderson > Right now I see these as separate entities especially since the anti-spam technologies are so specialized. Maybe in a couple of years.....
Gaurav What about businesses that work with low mortgages? Doesn't the categorization of spam offer an essential benefit in detecting false-positives?

Ron_Anderson > I'm not sure I understand your question. It is important to be able to tune the filters so they work for your company.
BarryIT on the security side, are these appliances themselves targets or a security risk? I supposed they're just another device to patch and secure.
Ron_Anderson > Yes and yes. :-) But, the vendors I talked with are very aware of the security considerations a probably do a better job securing their solution than your typical administrator (the appliances were especially strong here).
rhodyt From a reader's standpoint, in all seriousness, how is it fair to me or the manufacturer to list them in a category of 'failed to deliver or experienced technical problems' without some level of detail as to the nature of the issue? I find it impossible to include or exclude these products in my evaluation based on this 'category'.
Ron_Anderson > Sorry. I have to balance the needs of the readers with the needs of the vendors. This was the best solution. If the features advertised by those five vendors fit your requirements, put them on your short list, if not, don't. Also, you might be able to find other independent test results that include those vendor's products.
Gaurav How did the solutions you saw deal with false-negatives (Spam that gets through)? Which method did you find the most user friendly?

Ron_Anderson > The best solutions allow you to simply click a button to advise the vendor that "this piece of junk got through." Other vendors permitted qualified users to submit FN for additional Bayesian training.
MrMike Ron, what's your take on real-time blacklists? They sound more immediate than even antivirus definitions.
Ron_Anderson > RBL's are out of your control and out of the anti-spam vendors control. I've seen them generate a disproportionate number of false positives for my users. If they are used to bolster a "spam score" the uses additional analysis they can be useful.
rhodyt I appreciate your answering the question even if I disagree. ;-)
MrMike How much hardware horsepower would we need to run a software-only solution? I noticed many of them support clustering. Do these things need hardware acceleration?
Ron_Anderson > Based on the solutions I had in the lab, hardware requirements weren't a problem. Depends on the solution, depends on the vendor.

Gaurav But if the user requires a button to identify a false-negative, doesn't that require e-mail client specific plug-ins? Did any vendors allow for users to simply forward the mail to the admin? I'm looking for a solution that is not specific to what e-mail server/client a customer may use.
Ron_Anderson > Yes and yes. Good point.
MrMike But would you say the requirements are on par with your existing messaging solution?
Ron_Anderson > One or two under par I'd say. :-)
BarryIT on rhodyt's question, can you tell us, were there any common issues (like the test environment)? or were the problems specific to each product?
Ron_Anderson > Specific to each vendor. The test environment was known up-front and I'm happy to say ran without error during the test.
Gaurav Following with the security discussion, for appliances based on Linux, did they all offer an ability to fix any kernel/software vulnerabilities?
Ron_Anderson > The appliances are intended for someone that wants to muck with the kernel directly. The vendor takes care of all of those issues.
Gaurav Some products such as Aladdin's eSafe 4 boast the ability to perform image analysis of spam, such as OCR and content analysis. Is this a feature that you believe is important, or just tends to slow down a anti-spam solution?
Ron_Anderson > I don't really know. I suspect this is important but question if it can be done well right now.
Gaurav How can companies such as IronPort cost-justify their product to an appliance such as Barracuda's. What is the dramatic value-add that such companies are offering, that justifies more than 30,000 dollars?
Ron_Anderson > That's a hard one for me to answer. I don't want to put words in their mouths--I'd only be guessing. Use to be that an IT professional couldn't get fired buying IBM even though there was a premium to pay. Maybe the same thinking?

MrMike Important question before we end this (if it's ending at the half), what's with the guy barfing spam in your review?
Ron_Anderson > Isn't that a horrible image? I guess that's the point--kind of a visual representation of the disgust we feel about spam?
nwc_admin Actually, that's right. It's about 5mins to the end everyone. I think we have time for one or two more questions. If not, let's put this chat in the books, friends.
Gaurav For the appliance-based solutions that you saw, did they all require constant vendor support/subscriptions?
Ron_Anderson > Yes, a yearly subscription to an update service is required.
Gaurav Their are a number of solutions similar to Barracuda's that are based on open-source projects, especially SpamAssassin. Besides the integrated anti-spam & anti-virus solution, what do these companies really provide, aside from a pre-configured linux box, that is managed by the vendor?

Ron_Anderson > Port 25 security, quarantine services, end-user controls, reports, etc.
nwc_admin We're very grateful for your participation everyone, and thanks to you Ron! We hope this was a useful experience for you. We will post this transcript on this page later today along with the previous chat session, both of which you will find on this page. Again thanks to you all. You're welcome to linger and talk amongst yourselves, of course. Have a great day.
Ron_Anderson > Thanks everyone.