E-mail security continues to be a hot-button issue for IT administrators, who now find more moving parts in mail security solutions than they did just a couple of short years ago. Fighting viruses and spam were the original spurs for creating e-mail security appliances, and anti-spam is still the most important component of mail security. But the solutions have evolved to meet a host of additional requirements. These include securing connections between users, both internal and external; preventing loss of corporate data; stopping new types of threats such as phishing, spyware, and other types of malware; and blocking DoS and other network attacks as well as some application-layer attacks on mail servers.

There are three basic types of e-mail security solutions on the market: software-only, appliances, and hosted solutions. Software-only products range from free, such as the open source SpamAssassin, to quite expensive, but there are relatively few software-only solutions, primarily because setting up all the necessary software is complex and easy to get wrong. Thus, most vendors provide an appliance to run their software on, greatly simplifying the installation process. Appliance installation is generally a matter of setting basic network information and telling the appliance where to send e-mail once it's been filtered.

Hosted e-mail security solutions work on a different model. The Internet DNS (domain name service) settings that point to your e-mail server are changed to point to the service instead. The service receives all e-mail sent to your domain and forwards the good stuff to you, filtering out spam and viruses. One advantage to a hosted solution is that the volume of mail coming to your internal network is greatly diminished -- by 80 to 90 percent in most cases. Also, because the bad e-mail is never received at your location, you need not worry about archiving it, which might be an issue if you're doing the filtering in-house.

All the solutions reviewed in this guide are appliances. Services will be added later. Due to the time necessary to allow DNS changes to propagate and other factors involved in testing, it isn't practical to mix testing of appliances with hosted solutions.

Choices in mail security

Choosing an appliance means more than selecting the highest filtering rate. The easiest way to stop all viruses and spam is to stop all mail; the trick is to stop as much of the bad mail as possible without stopping any of the good mail. This has gotten much harder over the years. Because the spoils belong to spammers who get their message through, spam evolves quickly to bypass new filtering paradigms. As with anti-virus technologies, spam is a moving target, requiring constant updates to filtering rules.

You may also find that you and some vendors disagree on what constitutes spam or malware. A number of the vendors -- Barracuda Networks, BorderWare, Mirapoint, Proofpoint, Secure Computing, and Sendio -- stopped many marketing e-mails and other types of bulk e-mails that users may have signed up for, leaving it to the individual user to add senders to the whitelist. Because all of the messages that were blocked were messages I'd signed up for -- product updates, newsletters, weekly specials from vendors I use, and so on -- they were all counted as false positives. However, I also whitelisted each bulk e-mail when it was stopped, so the total bulk false positive represents the number of unique senders that were stopped; no duplicate bulk e-mails were counted as spam.

Lots of bulk e-mail doesn't comply with the CAN-SPAM Act, which requires that the "from" address and sending domain match, among other things -- so that mail from xxx@infoworld.com comes from a server in the xxx.infoworld.com domain. Many organizations outsource their bulk e-mailing to third parties, who don't bother to set up the domains correctly. For example, a bulk e-mail (newsletter) from Secure Computing Magazine has a sender address that isn't SCmagazine.com, or even haymarketmedia.com, but bull_05_sc_01112006@ecm.hbpl.co.uk. In other cases, e-mail newsletters from legitimate senders such as infoworld.com come from a different address each time. Thus, you need to whitelist the domain, rather than the sender, which creates the potential for spam that is apparently from that site to make it through.

Some administrators may attach minimal importance to whether or not users can receive bulk e-mail, but some of these messages include security updates from vendors such as Red Hat and Microsoft. Personally, since other products match the catch rate while blocking far fewer legitimate bulk messages, I think the problem is solvable in other ways. A couple of products offer two levels of filtering: They classify messages as spam, bulk mail, or legitimate, rather than either spam or legitimate, allowing users to sort bulk e-mails into a folder for occasional perusal.

For more enterprise computing news, visit InfoWorld. Story copyright InfoWorld Media Group, Inc.