Which comes first, anti-spam or anti-virus?

We used an anti-virus scanner to pre-scan messages for viruses and delete them before passing the message onto the anti-spam scanners we were testing. It raised the question - what is a best practice in the enterprise messaging space?

In our test, we used an anti-virus scanner to pre-scan messages for viruses and delete them before passing the message onto the anti-spam scanners we were testing. This simplified our test environment and offered a more level playing field. It also raised the question - what is a best practice in the enterprise messaging space?

Almost all of the products we tested included a virus-scanning component. Some, especially the service-based products, offer more than one virus scanner to increase the likelihood that infected e-mail will be caught. A short and easy answer is to simply say, "Do both in the anti-spam gateway." But that begs the question, "Which should be done first, and why?"

We found that the potential for problems in this area is tremendous. While anti-virus products are clear on what a virus is, there is not widespread agreement on exactly where all of the e-mail traffic generated by mass-mailing worms should fall. Clearly, if a worm generates a message that contains the worm, that's infected. But if a worm generates a junk message, should the anti-virus or anti-spam component catch it? And what about the double-bounce messages that are generated as a side effect of many of these mass-mailing worms? Are those spam or viruses? Or should they be let through?

One anti-spam user we spoke with during our test brought up this problem. Users were complaining about messages generated by worms. The anti-virus vendor said "That's spam," and the anti-spam vendors said, "That's a virus." This problem is one reason some e-mail administrators are moving to an integrated approach. While most products we tested integrated technologies from at least two vendors, that's no assurance that the problem won't come up.

Choosing to scan for viruses before or after spam usually comes down to performance. Different products have different characteristics. Generally, our tests showed that virus scanning is expensive in terms of performance, but anti-spam scanning is even more expensive. As a test, we installed the Sophos anti-virus scanner on the same hardware used for the anti-spam tests, and ran our spam-free, virus-free performance tests on it. The message throughput rate of about 50 messages per second was higher than any anti-spam product we tested, giving an indication of the generally more modest resources required to scan for viruses compared to spam.

However, most e-mail is spam, which means that if you cut out the spam first, you then don't have to scan that mail for viruses. Since the percentage of e-mail that is virus-infected is very low, there is a performance advantage to scanning for spam first, then scanning for viruses.

Some of the anti-spam products we tested have a way to configure which test is done first. Most, however, lock you into a particular sequence based on their own experience.

Many of the products we tested act as full e-mail policy engines, so they are designed to scan outgoing mail as well as incoming mail. Generally, companies don't want to scan outgoing mail for spam because they don't think that they send spam - and they don't want to take the hit of the occasional false positives. However, outgoing mail should always be scanned for viruses.