ANTISPAM SOLUTIONS TECHNOLOGY REPORT

GFI Mail Essentials for Exchange/SMTP

NOVEMBER 2006

www.westcoastlabs.org


CONTENTS
Mail Essentials for Exchange/SMTP
GFI Software, GFI House, San Andrea Street, San Gwann SGN 05, Malta. Tel +356 21 382418, Fax +356 21 382419. www.gfi.com

Introduction
Spam in the WCL Tests
Test Network
Test Methodology
Product Testing Reporting
Checkmark Certification
The Product
Developments in the GFI Spam Technology
Test Report
Test Results
West Coast Labs Conclusion
Security Features Buyers Guide

West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792 324001. www.westcoastlabs.org


INTRODUCTION

As the war for corporate inboxes intensifies, and unmonitored emails disrupt effective and secure working practices, Anti-Spam solutions continue to evolve to deal with this menace. In this, the second Anti-Spam Technology Report, we examine the functionality and performance of the leading products in this market, which are aimed specifically at SME network environments.

A key objective of the testing is to replicate the installation, configuration and use of the solutions in a real-world business environment, to enable readers of the White Paper and prospective buyers to make a meaningful assessment of the product that is right for protecting their corporate email environment. Test Engineers have evaluated how the solutions install to ensure timely and effective spam protection. Consideration has also been given to the level of security administrator expertise and technical support required to facilitate both out-of-the-box operation and, thereafter, product training to ensure maximum effective spam protection.

This report provides an independent assessment of effectiveness with regard to:

The features and functionality of the solution.
Integration into a network infrastructure.
The level of user administration required to operate the product effectively.
Spam detection capability and rates of detection.


SPAM IN THE WCL TESTS

As part of the Anti-spam testing, WCL engineers used one of six domains wholly owned and controlled by West Coast Labs. Each of these domains contained several user accounts that were then signed up to a wide range of newsletters and websites with the aim of generating a significant daily spam feed. These sites included those offering free legal and financial advice, sports sites, dating sites, and some offering free adult content. These spam feeds were then left for several months before the beginning of the Technology Report so that email addresses belonging to each of the domains could propagate through an array of spam lists. In the context of this Technology Report and the specific spam testing, mail received to the 'users' in each of the domains which formed part of the tests was classified into one of three categories: Genuine, Grey, and Spam. By manually classifying each email received, engineers at West Coast Labs could report on statistical figures relating to how many messages were correctly identified as Spam, the number of messages incorrectly identified as Spam (false positives), and finally the number that were missed. Using these figures each product could then receive a percentage representing the catch rate.

GENUINE MAIL
Messages were sent from engineers at West Coast Labs from both internal addresses and external web mail hosts such as Hotmail, ntlworld, and Yahoo!. Also included within this category were some newsletters based upon particular business requirements.

GREY MAIL
Messages classified by West Coast Labs as grey mail may be described as mail where the classification is unclear. For the purposes of this Technology Report, grey mail includes email and newsletters from sites that were known to be visited during the signup process but would otherwise be recorded as Spam, for example some of the free adult newsletters.

SPAM
Incoming mail was classified as Spam dependent upon common rules across the entire range of testing, for example unrequested emails or newsletters containing content such as free pharmaceuticals and/or narcotics, Nigerian scam emails, unrequested pornography, weight loss or financial advice. Included within this category are the commonly seen random-text emails containing strings of unconnected words or phrases.

Note: As a test laboratory accredited to ISO 17025:2005, all websites visited and signed up to by West Coast Labs adhered to strict EU legal guidelines. Any messages received as a result of address proliferation that contained content defined by UK law as illegal were immediately forwarded to the Internet Watch Foundation. More information about the Internet Watch Foundation can be found at www.iwf.org.uk.


TEST NETWORK

WCL has a number of domains that collect genuine spam. These domains receive varying levels of spam and are consistent with different email environments. To reflect the email usage within a corporate environment, within each domain are a number of designated user accounts with a variety of email practices and needs including some that are subscribed to a variety of newsgroups and mailing lists. Some user accounts actively contribute to mailing lists. The multiple domains designated for testing purposes were those that, between them, receive spam at a level consistent with the defined requirements of testing. Software solutions included in the test program were installed on servers that meet the minimum specifications required by the vendor. Appliance-based solutions were installed on the network according to the vendor's recommended placing. For hosted services, WCL tested through identified email domains and changed the MX records to divert the mail stream through the hosted service.


TEST METHODOLOGY

WCL initially performed the testing with an out-of-the-box configuration, changing only those settings on the solution needed to ensure correct operation in line with the vendor's recommended installation and configuration procedures. Further testing was then performed following the vendor's advice for the tuning or training of the solution under test. WCL fine-tuned the solution each day of the test, spending no more than half an hour per day undertaking such work. Throughout the course of testing, a mixture of email was sent to the test domains from other email addresses and domains controlled by WCL to mirror genuine email activity common in business, for example, requesting meetings, sending notifications to groups and non-business related social emails. Emails were also sent from web-based accounts such as Hotmail and Google's Gmail in order to simulate external users sending non-business related social emails, and home workers. Thus, during the testing period the domains received some spam, some list/newsgroup mailings and "genuine" individual emails.


PRODUCT TEST REPORTING

Product evaluation addresses three specific areas* - Management/Administration, Functionality, Performance plus Additional Feature Testing.

1. MANAGEMENT/ADMINISTRATION
Ease of Setup/Installation
Ease of Use
Logging and reporting function
Rule creation
Customization
Content Categories

2. FUNCTIONALITY
Email Processing Steps
Allow/Blocking of Email
Quarantine Area
Additional functionality reporting

3. PERFORMANCE
Volume or Percentage of spam detected
False positive rate
Spam incorrectly passed through
Legitimate mail blocked
Legitimate subscription mail blocked


CHECKMARK CERTIFICATION

Upon completion of the testing, individual product results are analyzed, resulting in accreditation to one of the two Checkmark Certifications for AntiSpam, subject to achieving the following catch rates:

Checkmark Anti-Spam Certification - Premium - 97% and over Catch Rate.
Checkmark Anti-Spam Certification - Standard - 90% and over Catch Rate.


THE PRODUCT

GFI MAILESSENTIALS FOR EXCHANGE/SMTP


GFI MailEssentials for Exchange/SMTP is a server based anti-spam, anti-phishing and email management solution for Exchange and SMTP servers. Advanced spam detection technology captures 98% of spam and phishing emails, whilst minimizing false positives. Since spam wastes network users' time, GFI MailEssentials is designed for small to medium enterprises and offers anti-spam for Exchange server and other email servers. http://www.gfi.com/mes/

GFI SAYS ABOUT THE PRODUCT'S BUSINESS BENEFITS
With fraudulent, inappropriate and offensive emails being delivered in vast quantities to businesses every day, it is crucial to have the right anti-spam software installed. Server-based, GFI MailEssentials eliminates the need for users to manually sort and remove spam from their mailbox, which can waste network users' time and network resources, thus increasing employee productivity. This also means that there is less risk of losing valuable emails or deleting them by mistake. GFI MailEssentials also helps to eliminate disturbance which certain 'offensive' spam like emails with porn content may possibly create.

GFI SAYS ABOUT THE PRODUCT'S TECHNICAL BENEFITS


GFI MailEssentials provides a comprehensive server-based anti-spam solution that facilitates effective email management. Contrary to other anti-spam products, there is no need to install separate solutions, such as blacklist and whitelist servers or client software on user PCs. It is easily configurable via a single User Interface. When not set to automatically delete, spam and suspicious emails can be conveniently stored in a series of organized folders under each user's inbox. It also protects your users from identity and information theft by blocking phishing (scam) emails and can protect against spam containing malicious objects such as scripts and exploits.


DEVELOPMENTS IN THE GFI SPAM TECHNOLOGY

AS STATED BY GFI
While GFI MailEssentials is always being developed, and new features being added to help combat spam, it now boasts various new features and improvements that continue to make it indispensable in protecting networks from this ever increasing menace.

PHISHING
GFI MailEssentials provides the ability to detect and block threats posed by phishing emails through its Phishing URI Real-time Blocklist (PURBL). GFI MailEssentials PURBL detects phishing emails by comparing Uniform Resource Identifiers (URIs) present in the email to a database of URIs which are known to be used in phishing attacks, and also by looking for typical phishing keywords in the URIs.

SYNCHRONIZE ANTI-SPAM DATA
Anti-spam and whitelist data can now be synchronized between multiple installations. This ensures that all installations are blocking as much spam as possible with the least amount of false positives.

IMPROVED WHITELIST FEATURES
GFI MailEssentials now provides the ability to whitelist based on the SMTP TO/FROM email addresses, and not just the MIME TO/FROM. This will result in yet fewer false positives.
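
Why the SMTP (envelope) addresses and the MIME header addresses can disagree, shown on a constructed mailing-list delivery where only the SMTP MAIL FROM matches the whitelist. This is an added example, not GFI's code and not part of the original report; the addresses, the whitelist format and the function names are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample 1: a mailing-list delivery. The SMTP envelope carries the
# list's bounce address, while the MIME headers name the original poster.
LIST_ENVELOPE = {"mail_from": "dev-list-bounces@lists.example.org",
                 "rcpt_to": ["alice@corp.example.com"]}
LIST_MESSAGE = """\
From: Bob Poster <bob@isp.example.net>
To: dev-list@lists.example.org
Subject: [dev-list] build question

Has anyone seen this linker error?
"""

# Constructed sample 2: direct mail where envelope and header sender agree.
DIRECT_ENVELOPE = {"mail_from": "orders@supplier.example.com",
                   "rcpt_to": ["alice@corp.example.com"]}
DIRECT_MESSAGE = """\
From: Supplier Orders <orders@supplier.example.com>
To: alice@corp.example.com
Subject: Order confirmation

Your order has shipped.
"""

# Hypothetical whitelist format: a full address, or "*@domain" for a whole domain.
WHITELIST = {"dev-list-bounces@lists.example.org", "*@supplier.example.com"}


def matches(addr, whitelist):
    """True if addr is listed exactly or its domain is listed as *@domain."""
    addr = addr.strip().lower()
    domain = addr.rpartition("@")[2]
    return addr in whitelist or ("*@" + domain) in whitelist


def whitelist_hits(envelope, raw_message, whitelist, use_smtp=True):
    """Return the sorted names of the address fields that match the whitelist.

    With use_smtp=False only the MIME From/To/Cc headers are consulted; with
    use_smtp=True the SMTP MAIL FROM and RCPT TO values are checked as well.
    """
    msg = message_from_string(raw_message)
    fields = {
        "MIME FROM": [a for _, a in getaddresses(msg.get_all("From", []))],
        "MIME TO": [a for _, a in getaddresses(msg.get_all("To", []) +
                                               msg.get_all("Cc", []))],
    }
    if use_smtp:
        fields["SMTP FROM"] = [envelope["mail_from"]]
        fields["SMTP TO"] = list(envelope["rcpt_to"])
    return sorted(name for name, addrs in fields.items()
                  if any(matches(a, whitelist) for a in addrs))


if __name__ == "__main__":
    for label, env, raw in (("list", LIST_ENVELOPE, LIST_MESSAGE),
                            ("direct", DIRECT_ENVELOPE, DIRECT_MESSAGE)):
        print(label, "MIME only:", whitelist_hits(env, raw, WHITELIST, False))
        print(label, "MIME + SMTP:", whitelist_hits(env, raw, WHITELIST, True))
```

A header-only whitelist misses the list mail because the poster's address changes with every message; the envelope sender is the stable value for list traffic.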


TEST REPORT

INTRODUCTION
MailEssentials by GFI is a server-based security solution designed to protect users from unsolicited email and potential security risks, whilst offering complete control of all email. The system requirements for this product are surprisingly low given the power of the solution and the product is able to be deployed to a Windows 2000, 2003 server or Windows XP installation. The compatible mail server list includes Exchange 4, 5, 5.5, 2000 and 2003 alongside a selection of Lotus and other SMTP mail servers allowing corporate environments a high degree of adaptability. During setup the product offers brief but appropriate instructions and advice for each step, allowing the administrator to integrate MailEssentials into the network with ease.


INSTALLATION AND CONFIGURATION
West Coast Labs engineers installed the solution on to a Dell Optiplex 170L running Windows 2000 Server and Exchange 2000, both of which were running the latest service packs. The installation routine was straightforward and should be recognizable and comfortable to anyone who has performed a Windows installation routine. Configuration is carried out via a standard Microsoft Management Console-type window, which is launched from the GFI MailEssentials folder in the Windows Start Menu. It is during this configuration that MailEssentials details the levels of scanning available including URL blacklists, Anti-Spam scanning, Phishing protection, mail policies and header scanning, all of which have their own property screens inside the configuration console. Having all these options to hand easily ensures that the Administrator has a set of tools available that allow complete control over mail. These options are further split between three sub-categories, each affecting a different area of the MailEssentials system. The three categories are labelled Anti-Spam, Email Management, and General. Browsing to the Properties page of each of the sections in the Anti-Spam category presents the user with a detailed description of the options available. For example, the Properties section of the Bayesian filter allows the user to enable or disable the filter and to decide whether MailEssentials should automatically use outgoing mail as a method for learning examples of genuine mail. Also available is an option to update the antispam databases manually or to enable automatic updates after a set time period.


Further inclusions within this category are both the Black and White lists used by MailEssentials to immediately decide whether mail should be listed as Spam or genuine. An Administrator may choose to define a list of known domain names as guaranteed genuine and thus ensure the correct delivery of email from these sites by using the White list option or to perhaps Blacklist unwanted newsletters. These lists are easy to configure and, when coupled with the Bayesian filter, add extra layers of protection to the defence offered by MailEssentials. From the Email Management category, the user may add customized Disclaimers to outbound email or configure autoreplies from the mail server. Included within this category are the database options used for storing reports - the Administrator may choose between MS SQL or MS Access and is also able to specify where the file should be saved.


INTERFACE
The main method of scanning involved during these tests was through the use of a Bayesian filter, although as stated previously this is only part of a well integrated system offering the user multiple layers of protection. Within the Bayesian logic, the source domain is first checked against the records of blacklists and then, should a message be classified as genuine by this process, it is scanned to check for patterns relating to known malicious emails and for any links that could lead to potentially dangerous material online. Training this solution may be performed from each individual user's own Outlook Inbox. MailEssentials creates a series of public folders within Exchange that are viewable by every user. A selection of these folders include Genuine Mail, Spam Mail and Discussion Threads - these allow the end users to train MailEssentials by simply dragging and dropping mail into whichever folder they deem appropriate. The content of these folders is then automatically scanned, after which the mail is moved into a Processed folder. This method is extremely efficient and allows the users to feel they are making a valuable contribution whilst simultaneously removing some of the administrative burden. Managing mail that has been classified as Spam is yet another area in which GFI's MailEssentials excels. Instead of simply deleting or dropping Spam, MailEssentials provides the ability to either forward it on to another address, perhaps for further monitoring, moving the message to a customized folder in the user's inbox or simply deleting the message entirely. By forwarding mail classified as Spam to a specific folder in the inbox, any mail that has been incorrectly classified by GFI can be seen by the end user. They may then reclassify the message as genuine and further help to train the product. 
Should there be any problems after installation, or if anything is unclear, GFI provides a help tool that can be accessed from the MailEssentials folder on the start menu. If further help is required a Troubleshooter program is also installed. All advice provided by GFI to aid the user is clear, concise, and well written. With each area of the solution split into different interfaces, all of which can be launched from the Start Menu, an Administrator may both monitor and configure the product efficiently. The interfaces are well laid out and easy to navigate, thanks to the series of concise menus.


REPORTING
Reports are viewed from within a separate program, which is run from the MailEssentials folder on the Start Menu. Reports may be organised into multiple formats, including statistics for each user, domain and mail server. The Administrator can choose to view these statistics either as a brief rundown or use the Search feature to select from a series of specific parameters including date. When generating a report based on User Communication, a table is produced displaying a list of every individual user, a count of their received messages and the disk space on the server taken up by these messages. Next to each individual user's message count is a button that, once selected, expands the list to display the subject, size, and count of each message received by the user. Messages with duplicate subject fields, for example multiple replies from discussion threads or system messages, are displayed initially as one single entry. Further expansion of this list is available to display the sender address for each message. For users looking to get more statistical information, one possible selection is the Anti-Spam Rules Report. This displays to the user a breakdown of how many times an individual rule was used to identify a message as Spam. Each rule is contained within the list with some, for example Header Checking and Keyword Checking, providing sub-categories. Another report format provided for the user is the Daily Spam Report displaying entries for each day. Along the top of the table is a list of each rule adhered to by MailEssentials; each entry into the table then displays the number of messages that were blocked that day by each rule. Also available from the Start Menu is a realtime monitor. This offers a brief overview of current activity displaying the number of messages currently processed along with a list of the date, time and brief description of system events relating to each message.


TEST RESULTS

Type of mail          GENUINE   SPAM
Detected as genuine   100%      2%
Detected as SPAM      0%        98%

GFI's MailEssentials performed well during the installation, setup, training and spam detection testing processes, delivering 100% of the genuine mail correctly and correctly classifying 98% of the Spam mail. It is also worth noting that MailEssentials delivers a good proportion of grey and list mail as genuine. This gives an organisation the flexibility and opportunity to define policies during a training period without missing mail that could potentially be business critical. West Coast Labs is pleased to award MailEssentials the Premium Anti-Spam Checkmark certification.


WEST COAST LABS CONCLUSION

MailEssentials provides a flexible yet well performing mail security tool, that due to the performance and ease of use should be on the shortlist of any business comparing AntiSpam solutions. The publicly available folders in Outlook ensure that MailEssentials undergoes constant training and refinement, allowing an organization to have Spam protection optimised for the type of traffic that they receive. The low system specification needed and the number of both operating Systems and Mail Utilities that are supported ensure that this is a solution that can be implemented by any company. Reporting for MailEssentials is both informative and well presented - the ability to present data in different formats and to drill down through results means that there is an increased amount of data should a corporation need it.

West Coast Labs Disclaimer


While West Coast Labs is dedicated to ensuring the highest standard of security product testing in the industry, it is not always possible within the scope of any given test to completely and exhaustively validate every variation of the security capabilities and/or functionality of any particular product tested and/or guarantee that any particular product tested is fit for any given purpose. Therefore, the test results published within any given report should not be taken and accepted in isolation. Potential customers interested in deploying any particular product tested by West Coast Labs are recommended to seek further confirmation that said product will meet their individual requirements, technical infrastructure and specific security considerations. All test results represent a snapshot of security capability at one point in time and are not a guarantee of future product effectiveness and security capability. When West Coast Labs provide test results for any particular product tested, said results are most relevant at the time of testing and within the context of the specific scope of testing and relative to the specific test hardware, software, equipment, infrastructure, configurations and tools utilized during that specific test process. West Coast Labs is unable to directly endorse or certify the overall worthiness and reliability of any particular product tested for any given situation or deployment.


SECURITY FEATURES BUYERS GUIDE

AS STATED BY GFI SOFTWARE
PRODUCT FEATURES
Does the product allow end users to optionally review their spam through dedicated folders on their Exchange mailbox? - YES
Does the product prevent spam from even entering your email infrastructure? - YES
Does the product utilize Bayesian filtering? - YES
What is the spam detection rate? - 98% thanks to its Bayesian filtering technology
Can the product block phishing emails? - YES
Does the product utilize keyword lists? - YES
Can white-lists/black-lists be set? - YES
Does the product support SPF (Sender Policy Framework)? - YES
Can the product analyze headers and content of the mail? - YES
Is foreign language spam blocking available? - YES

MESSAGING GATEWAY
ADMINISTRATION
Is network reconfiguration required? - NO
Is the installation of the product server-based, with no client software required? - YES
Can the product download updates to spam profile databases? - YES
Can filters be automatically updated? - YES
Does the product integrate with Active Directory? - YES
Is detailed reporting available? - YES


ADDITIONAL NOTEWORTHY PRODUCT FEATURES
1. Does not require any client software
2. Bayesian filtering technology
3. Automatic updating of the Bayesian spam profile database from the GFI site
4. Easy tuning of the Bayesian engine via public folders
5. Anti-phishing
6. Flexible actions in dealing with spam, such as delete, move to folder, etc
7. List server
8. Whitelist / Blacklist
9. Email header analysis
10. Keyword checking
11. 3rd party DNS blacklists (DNSBL)
12. Multiple 3rd party SURBL servers
13. Automatic whitelist management reduces false positives
14. Instant view of emails from new senders
15. Eliminates directory harvesting
16. Reports on spam filtering and email usage
17. Support for SPF - the Sender Policy Framework
18. Company-wide disclaimers
19. Company-wide header/footer text
20. Email monitoring of particular user or department email communications
21. Foreign language spam blocking based on character sets
22. Generates Fake non-delivery reports (NDRs)
23. Personalized server-based auto replies with tracking number