Reviewing Anti-Spam Offerings
Joel Snyder writes "Just finished looking into the innards of 40+ anti-spam products at Network World. The biggest, ugliest, and most comprehensive look at this market that's ever been done. Conclusions: lots of great products to choose from at the top (a dozen or more); a few stinkers in the bunch; and it's basically impossible to review Spam Assassin, which is unfortunate."
From deep within the article:
"Although these tests were conducted with the assistance of Borderware, we were careful to ensure results were fair and objective."
So, that would be why Borderware's product got the #1 position?
I find that Mozilla's Thunderbird has excellent anti-spam control. That's just from my own "testing" though...
Mine isn't in the list.... http://www.mxlogic.com
I have said it before on here, but I use Mx-logic.com to filter e-mail before it even gets to my mail server (as their filtering is in-line). They run multiple concurrent virus scanners, and you can set all policies related to attachments, sizes, virus scanning, quarantines, SPAM (deny, accept, etc, for different "levels" of probability).
It's really efficient. I haven't gotten a virus in any attachments and maybe just 2-3 SPAM messages / month (down from 100+ / day). It also does cool stuff like remove the embedded tracking images from SPAM HTML messages (should one get through), etc. No, I don't work for them. I used to quarantine messages and review it weekly (that were medium / high probability spam), now I trust their service so much I just deny receipt to my mail server of any Medium+ probability SPAM.
We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
RTFA:
We also reached out to the SpamAssassin community (see "What about SpamAssassin?"), but couldn't find someone who could act as a representative for support and configuration assistance. However, two commercial vendors, Roaring Penguin (on Unix) and NoSpamToday! (on Windows) sent products that exposed their SpamAssassin cores.
They have a whole page discussing this.
Does great for Windows
I second that. Any real comprehensive review would include some sort of mention of Spam Assassin. Yes, it's highly configurable and has plural avenues of use, but I think that's what makes it even neater.
I never thought I'd get to use it... but... RTFA jackass. Don't just see a question and post something about it. Answer: http://www.nwfusion.com/reviews/2004/122004spamside6.html
I just upgraded my server to the latest version 3.0.1 of spamassassin and the difference is amazing. I haven't had one piece of spam get through to my inbox today. And from what I can tell, there are no false positives yet. Unless you think that Darcy really wants me to come over and check out her new webcam.
It is clearly impossible to review SpamAssassin because there is insufficient conflict of interest.
CF the Stock analyst.
They say, "Although a few well-meaning souls volunteered to be the contacts for SpamAssassin, when it came time to test no one would step up to the plate and represent the product at a level that would make it competitive to the other enterprise-focused vendors."
I can only wonder what it was that they asked and who they asked. There are several companies that provide products based on SA, and the developers are very responsive.
I'll have to look in more depth later and see if any of the products they reviewed were SA-based.
Still, a review that does not cover common open source implementations such as DSPAM and SA is not a review that I would put much stake in.
I use yahoo mail, and I don't get much spam, even from the mailer I use to sign up for stuff on the web. It's actually sort of lonely to go weeks without receiving emails.
God spoke to me.
Using Thunderbird greatly cuts down on the amount of spam you see in the inbox. After using for only about a month, 90% of spam was automatically deposited in the "junk mail" folder. Surely this isn't as good as a paid spam-prevention service, but it's free :)
Maybe it's just me and I'm one of the few lucky people in the world, but out of 5 regular email addresses that I use on a daily basis, I rarely if ever receive spam, and during the workday, watching mailserver logs, the only people in my company getting silly amounts of spam (to me, one or two messages a day is just a minor annoyance) are people who click every popup and put their email addresses in every form available. If it wasn't for the built in spam filtering of Kerio Mail server, which is what we use here, it would probably be impossible for them to get any real work done, as out of 200 people, these 5 or so get more spam directed towards them than the rest of the company gets regular emails. Some common sense goes a long way in avoiding spam.
His comment is still valid. That's like saying "We did a comprehensive review of the leading web servers, IIS, PWS, and Netscape's baby. We recognize that Apache exists, however we couldn't review it because we couldn't figure out how to get it to work."
The mere appearance of SA, though, is impressive because those trade rags rarely include anything open source (partly due to marketing opportunity for commercial, paying companies).
Jerry http://www.syslog.org/
...is to treat your e-mail address like you treat other personal, abusable personal information.
Do what I do: create a Yahoo (or some other free e-mail) account and use that address for all questionable forms you fill out.
I've had the same address for almost three years now and receive about five spams per week, at most.
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
Funny how when you click the link to go to the article, the popup invites you to register for their spam^H^H^H^H newsletter. :)
What about built in spam blocking like that in yahoo, MSN, gmail mail as well in Outlook and other mail apps?
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
No eAcceleration/eAnthology/Stop-Sign? hmmm.
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
DynaComm i:mail? www.futuresoft.com
I know what's on your hard dr
It doesn't include GFI Mail Essentials. I would like to have seen how that stood up to the competition.
On a side note I have started using SpamBayes-Experimental on my outlook box and it is working well so far.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
From what I gather, there were. They're saying they couldn't review SpamAssassin as such because you're dealing with a community and not a company, but they do have SpamAssassin based products.
The buying guide is useful just for putting all the contenders together. But don't believe the claims until you test them. Barracuda, for example, touts the capability of millions of messages a day, but we are sending our second test unit back because it just can't handle a modest load of real world mail. Their 600, for example, claims it can process "25 million messages per day" but that assumes it is rejecting 95% of the mail -- that's nowhere in their fine print.
The force that blew the Big Bang continues to accelerate.
If you're going to review things for the enterprise, then you need to keep in mind the requirements of an enterprise. Very few large businesses are willing to trust a product that doesn't have some sort of obvious support structure behind it. If the reviewer could not find a solid support structure for it, then it isn't suitable as an enterprise spam solution.
This sig has been temporarily disconnected or is no longer in service
"However, two commercial vendors, Roaring Penguin (on Unix) and NoSpamToday! (on Windows) sent products that exposed their SpamAssassin cores. Although neither met our false-positive threshold for inclusion in the top 12 finalists (probably because of difficulty of tuning Bayesian engines and neural networks in a test lab setting), we were very pleased to have them participate in the project."
Still, a poster that does not RTFA before making such a comment is not a poster I would put much stake in.
They tried to get it to work well enough to review, but couldn't. You can flame them for not spending more time on it, but not for not trying, because they did.
Easy. A Postfix server running Postgrey and Anvil. Before mail ever hits a mailbox most spam (and a lot of viruses too) are weeded out. It can protect against distributed dictionary attacks.
The world's burning. Moped Jesus spotted on I50. Details at 11.
This is a spam filtering service that I use. In 52 weeks 22,624 spam messages out of 93,714 have been blocked before entering my users' inbox. The nice thing about this service for us is our IT dept is very under-staffed and makes it useful to have someone else worry about it. They do our anti-virus scanning as well and I am proud to report that they have stopped all 5213 infected messages before even touching my server. Very worthwhile service if you are in an under-staffed situation like I am.
If you block spam you'll never increase the size of your penis.
"We invited every anti-spam vendor in our online Buyer's Guide to participate"
And what is their "online Buyer's Guide"? - a pay for inclusion directory!
Between that and their #1 choice helping them with the review process - I have serious questions as to the value of this report. Accurately simulating a bunch of different anti-spam systems all getting the same e-mail is a bit of a trick. If one of the major players is helping set the rules - it's way too easy for them to stack the deck.
What he's really saying is that they couldn't find anyone willing to PAY them to review SpamAssassin on Apache. That's about what passes for "comprehensive reviews" these days.
Though it's a small project, bspam is an excellent Bayesian filter for *nix... I tried bogofilter and some others but nothing jived with my qmail/procmail/pine setup as nicely as bspam.
The only thing I can see would be the possibility of increasing your database size to accommodate twice as many strings.
RBL (list.dsbl.org : bl.spamcop.net : blackholes.mail-abuse.org : sbl-xbl.spamhaus.org : multihop.dsbl.org : cbl.abuseat.org) + greylistd == average 0 spam in inbox/day.
What I like best about this approach is that you reject most of the spam at SMTP-time without accepting it. If I could I'd add spam-assassin-on-SMTP to the end of the chain, but my server is tight on memory :-(
(Unfortunately there's a bug somewhere between the debian greylistd and python whereby the daemon shuts down on me all the time, but I've lodged a bug report and hope to get some help tracking it down.)
Belief is the currency of delusion.
A well-designed RBL blocks 95+% of spam and consumes less resources than all the other solutions. Plus it has the added benefit of stopping virus and worm propagation, phish e-mails and lots of other scenarios where unauthorized SMTP relays operate.
I see no reason to use client or server-side products that analyze the mail content, when this slows down mail service and reliability. RBLs, blocking mail based on the legitimacy of the source address has proven to be the most effective method of curtailing spam, and unlike all the other solutions, this one adversely affects spammers by not allowing them to consume your resources.
If you're in the business of making money off selling spam products, I can see your support of these various half-way solutions, but otherwise, the best way IMO is to employ RBLs at the server level and slowly work towards SMTP whitelisting. I contend this is an inevitability if the authorities don't start prosecuting spammers for their illegal computer tampering.
well move those netflix messages back into your inbox and train spamassassin on your "ham"
sub your own username for "username" of course
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
While it has been a year or two since I played with the Borderware product, I seem to remember that it was also based on SpamAssassin-Amavis-ClamAV. In fact, it was actually the exact same setup that I used on my mail server, except it was in a 1U system, had a nice GUI, and a 5 digit price tag.
To get a junk mail filter for my real life mailbox that auto sorts into my real life recycle bin.
Where's SpamAssassin?
Although a few well-meaning souls volunteered to be the contacts for SpamAssassin, when our marketing department contacted them regarding advertising no one would step up to the plate and shell-out for print ads like the other enterprise-focused vendors.
The one product that I am familiar with is Barracuda, as we run that where I work. They claim that Barracuda doesn't support SSL for management, which is dead wrong. In fact it's very simple to _force_ the Barracuda to use SSL for this purpose.
It's only one point, but they make a fairly big deal out of it.
Spammers will Spam you if they can Guess or Get your Email Address so the trick is to make it hard for them to get it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I dunno what it uses, but I get over 40 e-mails a day usually (about 5-10 are *real* mail, the rest is intriguing offers from diverse companies offering ways for me to extend my growth? or buy 'erbs'). Of them 40 mails, Mail.app gets all the spam, and leaves all my mail alone. Never had a false positive, and after the first week or so, no false negatives either. So why don't everyone use Mail.app? Of course it would mean switching to the world's best OS, and the world's nicest computers, but I see no bad side here. Mind you, I do own some stock in a certain computer company with a propensity for fruit....... :)
The truth shall always be free: Boris Floricic is Tron.
FROM TFA:
The short answer is that no one submitted it, but of course there's more to it than that. This year we reached out to the SpamAssassin community and asked them to participate. Although a few well-meaning souls volunteered to be the contacts for SpamAssassin, when it came time to test no one would step up to the plate and represent the product at a level that would make it competitive to the other enterprise-focused vendors.
Interest in SpamAssassin is understandable. In the small-business market, the open source SpamAssassin dominates many anti-spam systems. When well tuned and integrated by a value-added reseller (VAR) that knows what it is doing, it turns out to be a very effective system. SpamAssassin users routinely report 100% spam reduction and 0% false positives (although these self-reported statistics are probably biased), and are generally overjoyed with the results.
By itself, SpamAssassin is little more than the software implementation of an interesting idea: apply statistics, neural networks and Bayesian probabilities to the problem of classifying mail as spam or not. Train the engine by giving it desirable and undesirable mail, and it can tell you for each new message what pile it most resembles. It turns out to work astonishingly well, especially in small businesses where mail flow is very homogeneous. SpamAssassin's Bayesian engine even redefines the meaning of spam by letting you say, "This is the mail I want," and "This mail I don't want." SpamAssassin also mixes other tools into its scoring system, such as DNS-based blacklists and collaborative scoring, as well as more traditional keyword searches and formatting tests.
The key to SpamAssassin's success, though, is a smart VAR or IT person installing it. SpamAssassin requires a significant amount of integration work to make an enterprise-class installation succeed. Without a GUI, database, quarantine, anti-virus scanner, policy or per-user configuration, SpamAssassin is a great tool for those who want to build their own anti-spam system, but is in no way a solution by itself.
This doesn't mean that SpamAssassin wasn't well represented in our test. The important core of SpamAssassin, a Bayesian engine, was recognizable in at least one-third of the products we tested and might well have been hidden in the guts of more. The strategy of combining multiple tests to identify spam is in nearly all modern, anti-spam products, including SpamAssassin.
The difficulty in testing or recommending products that require heavy engine training, or ones based on trained neural networks, is that companies with many employees have very diverse mail flows, and the training will likely generate false positives or negatives across large numbers of users. For example, a multinational company might have many employees who don't read or speak Italian, and might train all their Italian mail as spam - something that would upset the Milan and Rome offices. Or imagine IDG, which owns many publications, all which have specialized vocabularies. No one set of training mail would work for the different communities.
Products that successfully include a Bayesian recognizer, such as SpamAssassin, do so by considering it as one factor in the larger cocktail of spam identification. By weighting the Bayesian verdict with other information, vendors have followed the trail that SpamAssassin blazed and made it enterprise-ready.
Actually, the #1 selling enterprise anti-spam device (the Barracuda line) is a SpamAssassin core device.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
I happily run POPFile (http://popfile.sf.net/ http://www.getpopfile.org/). Perl-based, acts as a proxy. I can't run SA on some of my mail accounts (work, contractual jobs, etc). It's a basic word filter, and lets you see/change how words rate. It also explains its decision process to help you tweak it, for instance, any email with "penis" for my setup is 99.99999% spam.
I have a few mail accounts on yahoo.no, and only one of them has gotten spam, all of which has been caught by yahoo's filter.
People say I'm crazy, I got diamonds on the soles of my shoes...
And deleted it.
emt 377 emt 4
The way their testing was conducted, they probably had to overlook spam filters that are embedded in proprietary email services but if you are only interested in getting all your mail and none of the spam, google is doing a great job.
My gmail account has had 2 false positives out of 500 messages. Given the vulnerability to having your address fall into unknown hands that is inherent in Google's viral marketing technique for promoting the product, I would bet LOTS of other GMAIL users have the large number of spams coming in...even on new accounts where they have been careful who they gave the address to. I get about a dozen spam items a day but when one of the sh!theads sells his address list to the next spammer, I can get a burst. Bottom line: ZERO spams in my inbox...none...not any. The Bayesian stuff that spammers try to circumvent, the spoofed headers...so far none of it fools Google. And since it buffers the spam in its capacious 1Gb-per-account holdings, I have 30 days to check for false positives at my leisure.
Questions?
1. what vulnerability?
when you accept a google gmail invitation, no matter how many hands it has gone through, Google posts a notification of your new address to the original giver of the invite...who could be some spammer you never met....happened to me.
2. any pattern to the false positives?
not sure...only have two data points. Those two items were email alerts from newspaper subscriptions which tend to be crammed with ad text and ad links...in which case, gmail is clearly trying to do me a favor and I appreciate the effort.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
RTFA. Postini was in it, both in the big table and in the Dirty Dozen finalists.
Thanks for the compliment... because, you see, I first used the methodology in 2003, in the original Network World test (see http://www.nwfusion.com/reviews/2003/0915spam.html ).
Or, you could go back to February, 2003, and see the same methodology being prototyped at the Demo conference (http://www.nwfusion.com/reviews/2003/0224antispamdemo.html)
Let's see: Feb 2003: 2 products.
Sept 2003: 16 products, with 4 top overall performers.
Dec 2004, 36 products, with 12 top overall performers.
And Network Computing? 23 products with 10 finalists, in between my two reviews for Network World.
Yeah, I'm feeling like what Network Computing does in between my reviews makes me a copycat...not.
What are you, a NWC ad salesman? Or just a bit clueless yourself?
> It's economy at work, you pinky commies
My fine capitalist customers pay to get email, not to get unwanted bulk advertising, much of it fraudulent, and a lot of it in fact coming from computers that have been made into zombies by worm writers breaking the law.
The world's burning. Moped Jesus spotted on I50. Details at 11.
At minimum, they should have taken the false positive rate, added it to the percent missed and ranked by that. Doing so sends BorderWare into the middle of the pack where it belongs, and more likely winners rise to the top. (Postini and MailFrontier). Pretty shoddy reporting when the end reader has to take your numbers and plug them into a spreadsheet to make any sense out of them.
They could have also weighted the two error rates, but deciding on weights would be pretty subjective. Some might think false positives should be weighted higher, while others might think the opposite. Ranking them without weights would have been an acceptable compromise.
I know one person who uses MailWasher Pro and swears by it.
But because of certain lame functionality, I refuse to recommend it to anyone.
The problem is that it sends fake bounce messages to the return addresses unless you configure it otherwise. That may have changed since I looked at it, but a quick look at their web page shows that they still do the fake bounces.
Fake bounce messages are incredibly lame since the vast majority of spam does not have the return address of the real source. On top of that, spammers don't pay attention to those even if they do come back.
All the fake bounces demonstrate is that the people behind MailWasher Pro don't have a clue what they are doing. Of course, if they are that clueless, you don't even feel like checking out their other products.
No one has an IT department willing to support it? Our university recently implemented SpamAssassin for the 20k+ email accounts. I'm sure there are corporations out there of our size that have a larger IT budget than us. Although Miami tends to lean towards open source more often than not (SquirrelMail, SpamAssassin, PHP, etc.). I'm glad they're spending money on enhancing existing projects than giving it to some company because they have a customer support line.
well played.
All of my RBLs that I have tried end up not doing me much. Usually I try to stack 2 or 3 of them on qmail. Do you have any recommendations on which RBL(s) I should be using? Thanks.
They have a whole page [http://www.nwfusion.com/reviews/2004/122004spamside6.html] discussing this.
Bingo!
(10 instances of "enterprise class" in one article is bingo, isn't it?)
Grandparent does not RTFA. Posts an attack consisting of one lie + one rumor propagated by an anonymous coward as a social experiment: which he admits. Grandparent is modded up.
The AUTHOR of the article posts a defense...and is modded a troll.
great-o. Not only does it allow you to cut off spam, it gives you traceable addresses that can be used to see who leaked email to spammers. And it's perfect against phishing attempts.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
My main ISP uses it, and I think it's the best spam filtering service I've ever used. So far, anyway.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
eProvisia Spam Eradicator. If it's good enough for lcamtuf then it's good enough for me.
You can defy gravity... for a short time
I know this is only tangentially related, but as long as we're on the subject of spam, does reporting your spam thru SpamCop do any good? I've been doing that for a while (I have a script that handles it mostly automatically), and while I do get a sense of satisfaction from filing the complaints, I also wonder whether it actually helps.
FrontBridge and MessageLabs pulled out of the review at the last minute, after their products had already been in place and in operation. You can infer any reason you want to that.
A full conflict-of-interest discussion appears in the review at http://www.nwfusion.com/reviews/2004/122004spamside2.html
Several of the vendors said something to the effect of "how can you do a fair review when you use one of our competitors?" (Obviously, the competitor would be 'disconnected' during the review, something that I think FrontBridge and MessageLabs didn't quite understand). My only answer is that anyone who thinks that they can review anti-spam products but is not yet using them is clearly not qualified to discuss the matter.
It'd be like asking my Mom to review Linux vs. Windows vs. Mac. Hey, she doesn't use any of those, so she's unbiased!
I noticed that their only complaints about the Barracuda Spam Firewall were the use of a non encrypted web administration interface and its early LDAP integration. Let's be real about this. What kind of moron does remote (ie. not within your network or over an encrypted VPN) administration with a web browser over the internet? If YOU do this kind of thing, look for another line of work. Whenever I do any remote admin, I do it over a secure connection only. This could be VPN, a point-to-point private link, within the network (from my office to the computer room) on a private VLAN or even over an SSH link with tunneling. So the protocol that a web admin interface uses shouldn't matter if it's not accessible to the public in any way.
As far as their LDAP complaint... it's a relatively new feature and hasn't been given time to have the edges smoothed. I can understand that complaint, but the rest seem invalid to me. I use the Barracuda and it "just works".
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
You did not read the article. From the Who got left out or opted out page: I'd say that given these two statements, their motives are impeccable. They did review SpamAssassin-based products. They did not review SA on its own because there was no way to make it fit with their methodology. There were many other products that also got left out for these reasons, and their reasons make sense.
You are full of shit.
There are no trails. There are no trees out here.
Posting it out here as a root because it's applicable to 3/4 of the "why isn't listed?"
1. Solutions like PopFile or Thunderbird:
These require per-machine or per-user configuration beyond "point the program at the mail server and go." If you had 10,000 users, these solutions wouldn't work. I love PopFile, I love Thunderbird, but for any solution to be enterprise level, it needs to occur on the server.
2. Solutions like SpamAssassin:
The packages reviewed had graphical interfaces, installs and actual support teams.
Spam Assassin was invited, but the support was lacking. When they went to the community, the community let them down. This is far more often the case than a lot of us would admit. Usually there are about 10 to 15 useful people on any given project's mailing list or on any project's community site, and a legion of trolls, flamers and other morons who will just repeatedly post messages like "fix it yourself" rather than letting the people who are in the list to actually contribute usefully can respond.
Even in that case, if you're managing 12 servers, or 100 servers, or all of hotmail (these are enterprise scenarios), you want a nice UI, you want to be able to sync all those servers, you want to be able to check their status without going out to each of them, desktop notifications, etc.
The article went to great lengths to point out that many of the products use Spam Assassin internally, calling out several by names, and saying that it wasn't excluded because of this.
3. Graduate college and spend a couple weeks in commercial IT, and then see how much patience you have for RPM, APT, etc. and editing config files. Try talking a user who can't get their e-mail through configuring their client for pop file. I'm not talking people who read /., I'm talking actual users.
When some VP who barely understands how to work a power switch can't get their e-mail, you don't want to be trying to talk them through typing a bunch of "garbage" into a configuration field.
4. Security also comes into play here.
PopFile is not an enterprise solution. Anyone with a web browser and access to your machine can pull up PopFile and view every e-mail it has ever processed. I know of very few executives or even common employees who would consider that to be a "good thing."
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
Network World maintains an online Buyer's Guide, which allows any anti-spam vendor to submit its product information...we decided that any vendor who wasn't in the Buyer's Guide wasn't very serious about participating in a product test
"Buyer's guides" based on company submissions tend to not be very objective (i.e. the advertisers own them). A true scientific endeavor would involve finding out which products to use, regardless of how aggressively they market themselves.
I use ASSP - it's a transparent SMTP proxy that does RBLs, Bayesian, attachment scanning and most recently virus scanning (using clamav dbs).
It's simple to set up and works great.
ASSP
http://assp.sourceforge.net
You'd think that SA+ClamAV would be a pretty common configuration.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
The Unix factor: We spent more time tuning Unix, Sendmail and various Unix system utilities than we did tuning products from vendors that ran on Sendmail, including Roaring Penguin, Privacy Networks, Proofpoint and Cloudmark. In some cases, the differences were dramatic. A single-line change in Sendmail configuration, for example, tripled the throughput of Roaring Penguin's CanIt Software. This means companies that install their own software, rather than going with an appliance, need to be prepared for significant performance tuning.
Wow, a one-line change in sendmail.cf is "significant performance tuning". I guess I'm not overpaid after all.
Edith Keeler Must Die
Just say what happens; the commercial products fail
to detect
mis-detect OK mail ...
prevent people working by canning MS project files
till now I have to send all attachments as Base64
encoded PGP encrypted files
and all the M$-l'admins are too stupid to understand
or do anything about it.
I discovered today that the reason one of my friends keeps getting bounce messages from my address is that the company I have an account with uses exim's sender verification, and the organisation he uses has graylisting enabled. He sends an e-mail, exim tries to check back, the graylister drops the connection, and exim concludes that the MAIL FROM is forged. Be nice if anti-spam solutions co-operated, wouldn't it?
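The interaction this comment describes, sketched as an added example that is not part of the original thread: a toy greylister on the sender's side and a sender-verification callout on the receiver's side. The addresses, the 300-second delay, the use of a 451 reply to stand in for the dropped connection, and the two mitigations shown (deferring on a temporary failure, exempting the null sender) are assumptions for illustration, not Exim's or any greylister's actual configuration.

```python
"""Greylisting vs. sender-verification callout (constructed simulation)."""

# Constructed sample values (documentation address ranges and domains).
VERIFIER_IP = "192.0.2.10"          # host performing the callout
SENDER = "friend@sender.example"    # envelope sender being verified


class Greylister:
    """Temp-fail the first attempt for each (client IP, sender, recipient)
    triplet; accept once the same triplet retries after `delay` seconds."""

    def __init__(self, delay=300, exempt_null_sender=False):
        self.delay = delay
        self.exempt_null_sender = exempt_null_sender
        self.first_seen = {}

    def rcpt(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code given to RCPT TO."""
        # Hypothetical mitigation: let null-sender probes (bounces and
        # callouts use MAIL FROM:<>) through without greylisting.
        if self.exempt_null_sender and mail_from == "":
            return 250
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.setdefault(key, now)
        return 250 if now - first >= self.delay else 451


def callout_verify(sender_mx, address, now, tempfail_policy):
    """Receiver-side callout: probe the sender's MX with MAIL FROM:<> and
    RCPT TO:<address>. Returns 'accept', 'defer' or 'reject' for the
    original message. `tempfail_policy` is what a 4xx probe result maps to:
    'reject' models the outcome the comment reports, 'defer' is the
    tolerant alternative that hands the sender a temporary error."""
    code = sender_mx.rcpt(VERIFIER_IP, "", address, now)
    if code == 250:
        return "accept"
    if 500 <= code < 600:
        return "reject"
    return tempfail_policy


def run_scenario(tempfail_policy, exempt_null_sender,
                 retry_times=(0, 900, 1800)):
    """Simulate the friend's mail server sending one message and retrying
    on temporary errors. Returns [(time, outcome), ...]."""
    mx = Greylister(delay=300, exempt_null_sender=exempt_null_sender)
    history = []
    for t in retry_times:
        outcome = callout_verify(mx, SENDER, t, tempfail_policy)
        history.append((t, outcome))
        if outcome != "defer":      # accept and reject are both final
            break
    return history


if __name__ == "__main__":
    cases = [
        ("4xx treated as forged sender", "reject", False),
        ("4xx deferred, sender retries", "defer", False),
        ("greylister exempts MAIL FROM:<>", "reject", True),
    ]
    for label, policy, exempt in cases:
        print(f"{label}: {run_scenario(policy, exempt)}")
```

In the first case the message is bounced on the first attempt and never retried; in the second the callout's own triplet ages past the greylist delay, so the sender's retry succeeds.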
and it's an accurate assessment, but not everyone out there is an ISP, and if theirs don't deal with the Spam problem, the users are stuck trying to cobjob their own automagical miracle multiple software apps complex IT spam solution at home, OR, use something as simple as tbirds or mozs spam filter, which works good enough to at least keep it down to a manageable size. Or is spam filtering only for the "IT elite"? How long do we poor non_ISP and non pro sysadmin plebians need to wait for ya'all to deal with the Spam then? How long has it been again?
If it is really hurting the ISPs, then it's in their best interest to do something about it, but they seem to not be doing that very much. Or would you rather all those millions of regular ole surfin folks just eat the spam until such a time in the mysterious future as the web "professionals" actually do something about it? Speaking as joe internet consumer, I am tired of waiting for the "IT Network ISP professionals" to "handle" it, because they haven't "handled it", not in the general sense.
As such it's NOT "useless" at all to run a personal spam filter, it's the only thing the millions of spam deluged people have currently, and at least we can use some end user app that's easy to set up and configure. But because it's not the single magic silver bullet, we shouldn't use it?
Some ISPs have made an attempt to "stop spam", or their upstreams, but most haven't, and the overall results are still dismal, else we wouldn't be having these spam-problem discussions every other day, and it wouldn't be a global annoyance and cost and complexity headache problem.
Now if the poor ISPs want to pay their users, take a penny off what they pay for an account per spam, something like that, maybe that will get their attention, but most ISPs just let the slop through. Why? Don't ask me, I ain't one of them guys, but spam filters have been around awhile now, no idea why they aren't more widely used at every point on the internet. Spam shouldn't make it past the first hop, IMO, or at least most of it.
I set up SA for some users on our "departmental" mail server. I switched myself over to DSPAM as a test and it works better IMHO, although I haven't upgraded SA recently, and I think it's improved as well.
DSPAM works quite well once trained... the only problem I have is that there were still occasional false positives. I get so much SPAM now though that I can't afford the time to dig through my SPAM folder looking for FP's.
Of course, plans are in the works for IT to move us onto the Exchange server so I may not bother upgrading SA again. I'll probably continue to run DSPAM/cyrus for my own use after the big day. Hooray for an all MS IT shop!
So to correctly interpret your Astroturfing
the purpose of a review is to help inform the less informed readers, not just to collect cash from suppliers
Spamassassin is NON intrusive, better than 99.9%
accurate and free
since I run all my machines on Linux or Solaris I don't
have to worry much about viri, and
thanks to Spamassassin,
no longer have to read 500 solicitations to buy Viagra or have my breasts or penis enlarged!
What if the post office were to start a service where an advertiser could give them one copy of a piece of junk mail along with a list of recipients. The post office would then duplicate the mail, stuff them in envelopes and then send them out to the recipients postage due. Eventually you would need a wheelbarrow to get your mail every day.
That's how spam works and that's why people complain.
Uhmm... did you mean to reply to me?
If you did, wtf? I just quoted the article. That's in no way astroturfing and I in no way denigrated Spamassassin.
How about the Apache Software Foundation who now develops the product? ApacheCon happened about a month ago and I'm sure was swarming with all the folks who work on these Apache projects.
While I realize what they are saying (They'll actually have to take an hour, search google, and get directions which _might_ work as expected, rather than clicking NEXT>NEXT>NEXT>FINISH>), I still disagree with it.
Most of the other products are commercial and would cost money. If they paid for them (doubtful), of course there's an 800 number. If they got them free, I'm sure there is a big flag labeled PRIORITY next to their serial number.
So with Apache, there's no 800 number or authoritative contact. Ask any Guru and they'll tell you all about
Bug a developer and you'll probably get great features like Razor and RBL activity in there.
All I'm saying is this happens all too often. Because there isn't a support@[opensourceproduct], reviewers look no further.
I would have been more impressed if they didn't mention it at all, as at least then they'd be ignorant rather than lazy/unresourceful
when you see the word 'Linux', drink!
The project home page (number one hit on a google search for SpamAssassin) has a link to a list of commercial support solutions written with a large font at the top of the page.
Indeed.
SpamPal is best Win32 antispam product for the following reasons:
- ease of use and configuration
- multiple plugins to extend abilities
- active plugin developers
- active core development
- Open Source (see http://www.spampal.org/license-src.txt)
Argh. Who modded up that comment? Is this some kind of a troll? You want spamgourmet to be included in the test? Are you fscking nuts? Jesus Christ, did you even read the damn review? How can Spamgourmet EVEN be a part of the test?
Spamgourmet is NOT a software. It is a WEB service. You CANNOT install it on your network gateway. So it cannot even be a part of the test! For a company with an enterprise mailing system for 400-1000 employees, you expect them to use spamgourmet?
Just because you don't understand something doesn't make it false. Sometimes, people more clever than you have actually already looked at the problem.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
A copy of what we sent to the editor of NW:
Your magazine's analysis of 0Spam.Net completely missed the boat as to our service's accuracy level by reporting our false positive rate at 5% of message traffic. Clearly we would not have any customers if that were the case. Your results are statistically irreconcilable with the fact that for the last 18 months our service's false positive rate has been less than 1 in 2,000,000 false positives. You made no attempt to determine why your findings on a small sample of 10,000 messages differed with our production results of hundreds of millions of messages. As such, your reporting of our service as having a "dismal 5% false-positive rate" is not only inaccurate, but disserves the needs of your reader base. Your analysis was far from a realistic test of our service.
The problem with the test analysis is simple: it primarily boils down to your attempt to review 36 products simultaneously. While Mr. Snyder is to be commended for his efforts and did as well as he could with such an unrealistic task, he could not spend the time with each vendor that would be expected by a company's executive management for acceptance testing of a vendor chosen to solve such an important business problem as spam.
0Spam.Net is a service offering with real customer support personnel behind it and numerous feedback opportunities, NONE of which Mr. Snyder chose to explore. Perhaps no one expected a product to offer real service levels and direct interaction with the customer. While many vendors don't offer high service levels to their customers, our practice of doing so has shown with real production results that it leads to phenomenal quality, accuracy, and security levels.
To be specific as to how the testing was unrealistic, our normal acceptance testing process for new customers involves a 30-day period during which time auditors and trial account coordinators work closely with customer staff to collect feedback and adjust filters appropriately. The "tuning" period offered by Network World involved no interaction with Mr. Snyder ("the customer") and was considerably shorter in length. Further, we were not able to "touch" the service settings once the test period started; auditing and customer interaction go on 24x7 (as needed) with our service because, well, it's a service - not a piece of software or a box. Sadly, while there is not much need to have interaction after the acceptance testing, it is critical at the start of the acceptance process and was not possible given the test methodology.
Mr. Snyder also stated that our product "has no knobs" to make adjustments; it is unfortunate that he appears to have had so little time to read and follow the most basic of the end user documentation available for our service. There is no need for end users (or an administrator) to tune lots of knobs - most whitelisting, blacklisting and other tuning operations are easily done with an existing interface they are already familiar with: their email client.
In summary, we are dismally disappointed that your magazine spent such a small amount of effort understanding and testing the products as compared to what would have reasonably been expected by an enterprise IT staff in evaluating a product for actual acceptance testing. At a minimum, one would have expected you to seek to understand why your statistically tiny test sample of 10,000 messages might differ so much from the results of a much statistically larger body of production results with real customers. While we understand the pressure Mr. Snyder was under to try to evaluate 36 products simultaneously, your methodology came up short in our case and allowed a product with a customer track record far better than any of the other products in your review to be greatly shortchanged.
-Bill Franklin, President, 0Spam.Net "Imagine a world with: No Spam, Viruses, ID Theft or Spyware - Guaranteed"
That means no misdirected bounce messages and anyone whose mail is rejected is notified by his/her MTA.
By the way, I have never had anyone tell me his/her legitimate email was rejected by my server. What false-positive rate do you consider to be acceptable?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Yes, the parent post is misguided (and yes, Joel is doing a great job with his replies here on /.), but there's a big problem with this testing methodology.
Basically (please correct me if I'm wrong, Joel), they replay a bunch of incoming messages at the product under test "in real time." This has the advantage of making the tests repeatable. However, it takes no account for the newer spam filtering methods that look at "out of band" information to see if the sender is a spamtool or a zombie.
The methodology was OK a year ago, but I have serious reservations about it now. I'm guessing this is why several of the big names declined to participate this year.
Of course, what's Joel to do? The alternative methodology is to give each product a real live inbound stream to work on, but that's hardly a repeatable test, is it?
r.
And the issue of spamtool/zombie identification is a real one; thanks for bringing that up. As is the much more important issue of the 'sending' IP address. The 'sending' IP address problem in this methodology is one that can be dealt with by a good product (and several products can and do deal with it just fine); some others are so restricted that they cannot work effectively except as first hop. To me, that's a bug. I had one VP of Marketing scream at me "no one ever puts our product anywhere except as first hop," and I barely held back from saying "yeah, that's because your product is such a piece of crap it can't go anywhere except for first hop."
However, the "looking at the SMTP conversation" part is impossible to really deal with. But, I'll note that the majority of the products sit on top of an MTA. Either they install for themselves or they use tools like sendmail, qmail, or (for Windows boxes) the MS SMTP MTA. So those products don't actually know anything about the SMTP stream. There are a few products that specifically brought up this issue because they DO look at the SMTP stream, and they probably did not do as well. How "not well?" Maybe a couple of percentage points in spam catch rate. Maybe less.
In the review, I wrote a short side-bar where I admitted this up front: (http://www.nwfusion.com/reviews/2004/122004spamside5.html) "You may notice our numbers are not as optimistic as the marketing literature from vendors' products. There are four reasons for this:
1. Side effects from our test bed probably shaved a few points off of each product's ability to identify spam. ..."
I also brought that issue out when I wrote: "The false-positive and false-negative rates we found are useful for comparing products but a real installation will likely have a lower false-positive rate and higher spam-catch rate." (and mention things like the SMTP catch rate) in http://www.nwfusion.com/reviews/2004/122004spamside.html
OK, so now that I'm done defending myself, what's the point? Well, one of the vendors told me "you know, all these products basically have no false positives and catch all spam." But that's completely wrong. We discovered a bunch of products that are still dark-age when it comes to catching spam, ones which have enormous false positive rates (in particular).
However, if you look at the top 10 or 12 products, you can see that while there are differences, they are not showing a huge variation in behavior.
What this means is that you can take a test like mine and use the spam catch rate/false positive rate as a "first cut." Because I believe that where you want to make your buying (or implementation, in the case of open source) decision is based on things besides just spam catch rate/false positive rate.
We have to do the FN/FP rate tests just to say "you must be this high to attack this problem." But from then, there are huge differences in the products, and that is what is important. I don't want to seem like I'm lashing out at the people who say "oh, I use (insert product here) and it never falses and never misses," but those folks just don't get it. It's not the spam catch rate that differentiates the products; it's everything else.
An easy example is CloudMark. Talk about Zen. This product doesn't do
Yes, you reminded me of my other methodology comment. This thing about putting AV in front of the spam filter.
I think this is likely to significantly reduce the effectiveness (ie, increase FNs) of *some* of the products. That very fact makes your effectiveness comparisons dubious, because you're no longer comparing apples with apples.
"Shaving a few points off" the effectiveness of all the products would be fine, but I don't see that you're shaving off equal amounts across the board. How can you be? The products are different, using different methodologies.
In order to achieve 95%+ with vanishingly-small FP rates, these guys have to make some incredibly subtle judgements. By insulating them from the out-of-band data, you're going to reduce their ability to make those judgements.
That doesn't necessarily make those products a "piece of cr@p". On the plus side, it does make them less susceptible to content-mangling tricks, which is a "zero-hour" benefit, at the very least.
I hear your point about FN/FP rates not being the only criteria, but it's absolutely Job #1 to get this right. Especially with FPs, otherwise the cure is worse than the disease.
richi.
Seriously, break out of your bubble. Or somebody is going to pop it.
Spamgourmet is open source software. And it's free. However, there is NO VENDOR SUPPORT for this software. You get that? Who is going to support it once it is in place?
Secondly, have you ever ever come across corp email id's in the format- bestbuy.5.linda@xyzcorp.com ?
Where do you get the faintest idea that companies will think of using that kind of email addresses?
Have you come across one medium sized company using such a solution? NOPE.
You think any company is going to use bestbuy.5.linda@xyzcorp.com?
That sounds and looks like shit.
Nobody would like to be caught using such email addresses.
The problem the author of the review stated with spamassassin is ALSO the problem with spamgourmet. Nobody is selling it, so nobody except volunteers are supporting it.
If something goes wrong, then you better not be the one who implemented such a system because your ass is definitely going to be on the line.
Email is sacred to companies. Why the heck do you think anybody is going to use such a system? The author of the review did not EVEN consider
So as I stated in the grandparent, you are a troll. Don't bother replying to this message.
I'm not sure that I agree that putting AV in front of AS is going to change much. What we do with AV is what people should be doing with AV today: delete that crap. So what that means is that the AS products didn't see viruses, or cleaned messages. Back before mass-mailing worms, we used to see a few viruses a day that could be cleaned and such, but now we see a constant flow of about 1000/day (about 10% of our flow) where they are ALL worm traffic. I can't find a non-worm message in this month's log, in fact.
So what would the effect on AS be? Well, some AS products DO detect mass-mailing worms (sure, why not); those guys didn't see them. Some AS products do NOT detect worms; those guys didn't see them. So I am not sure that we're going to see much of a change in the behavior, given that whether a worm is spam or not is something that varies from vendor-to-vendor. (It tends to be spam if the vendor only makes AS tools; it tends to be a virus if the vendor makes both and packages them in a single device).
In general, our detaching the product from first-hop-SMTP had to have some effects, as you & I have both just noted. Intuitively, what I think you would see is a higher spam catch rate (i.e., lower FN) but no change in the FP rate. For example, a common technique we are now seeing is that spammers will hit an open HTTP proxy, and do a POST to smtp-server:25 with a bunch of crap that happens to also contain a valid SMTP transaction. Many SMTP servers will accept what is effectively pipelined SMTP (even if it is not negotiated). So, if you were in the SMTP engine, you could look for "POST / HTTP" before the HELO/EHLO and say "this guy is a spammer, screw 'em, reject."
That would increase your spam catch rate if the spam would not otherwise have gotten caught. It should not increase your FP rate.
One thing I thought would be true is that people would have lots of subtle tuning that they wanted to do. So we opened up this review to let them do that---everyone could SSH or RDC into their boxes and try and tune things up. What we observed is that only a tiny number wanted to do that. My thinking is that the vendors did not have very subtle dials to turn regarding spam catch/false positives that might have been affected by this insulation we were artificially creating. So, I am inferring that FN might have gone up by some small number but FP not at all.
I regard that as A Good Thing. I think that 1st generation (whatever that means) anti-spam was VERY 'person' intensive in terms of tuning, management, etc. Actually, I KNOW that they were intensive; I wrote an anti-spam product back in 1995 that effectively implemented what we call "Graylisting" now, as well as put in rate-based controls. That was great for its day, but you had to watch it all the time to make sure that big senders didn't get blocked.
However, I believe that most email admins are sick and tired of playing with their anti-spam software. I talked to a bunch of them when I was constructing this test because I thought that the antispam market must basically be "done." Don't we already have nearly 100% adoption of anti-spam products? The answer is "yes, but..." Most of the people I talked to were looking for a better solution. They were early adopters and were dissatisfied with the amount of effort that went into maintaining their anti-spam solution. (Or they were looking for features, such as quarantine, that might not have been in the original product they bought.) They want it to work, and they want it to work well without a lot of screwing around. This is not an unreasonable thing to ask. We used to screw with O/S tuning all the time; then the O/S guys figured out that they could do it better than we, and now we rarely have to do that. Same thing for databases, etc. Now, the anti-spam guys are raising the state of the art as well.
This is why a lot of new products (and services) are coming out which are essentially untunable or are only tunable at a very coarse level. The