Product Review: Spam Fighter Exchange Module

Published date Tue, 2008-02-12 17:30
Author Nicolas Blank

Disclaimer

This product review reflects my own views and opinion of this product. While some product documentation has been consulted for the sake of clarity, none of it has been reproduced for the sake of this review.

Introduction

This document is a review of SPAMfighter Exchange Module (SEM). The product was reviewed specifically for the purposes of:

  • SPAM handling capabilities
  • Scalability and resilience
  • Reporting
  • Administrative and end user benefit

Executive Summary

SPAMfighter Exchange Module (SEM) is a capable product with an installed community in excess of four million users. Due to the nature of SEM, this allows the product to detect and classify a SPAM email and benefit the entire global installed user base within minutes. Due to the core differences of SEM in detecting and classifying SPAM email in this way, SEM offers SPAM protection and benefits of a different nature, which may offer better SPAM protection than traditional static filtering or learning products. This however should be evaluated individually per mail organization. SEM is available in English, German, Danish, Dutch, Spanish, French and Greek.

Installation

The first impression you have when downloading SEM is that it is TINY. The SEM.EXE executable installer is 370KB large! However, the installer is a shell which will automatically detect the correct version of .NET and download the appropriate version. For my Exchange 2003 test machine, the subsequent installer was 8051KB.

First impressions were quite favorable. The web interface is well laid out and easy to use. Something that struck me was the fantastic language support in SEM. Most European languages are supported by default and more are added all the time; as such, this has to be one of the most accessible anti-SPAM products on the market today for a larger audience. If you’re in Europe looking for a localized product, I would strongly recommend SEM on language support alone. Current language support includes English, German, Danish, Dutch, Spanish, French and Greek.

First off, to position this product – it is not a replacement for a commercial mail edge server. SEM is designed to fit onto an existing Exchange server with the smallest footprint possible. SEM will not intrude into the Mail Store and is well written from a privacy point of view; however, as I mentioned, it will not harden your Exchange installation in any way. If you’re an open relay, or have suffered from mail abuse in the past, then SEM may not be the right product for you, since the folks at SEM expect you to harden your network before SEM is installed.

What does it do?

SEM first and foremost is an anti-SPAM engine. As I mentioned previously, it installs with the smallest possible footprint, and doesn’t interfere with mail flow, even if it breaks (more on this later). While it has support for a number of common anti-SPAM features, such as white and black lists, language filter and integrated AV, where SEM differentiates itself is the Community Filter feature.

The Community Feature has nothing to do with open source. What it does do is fingerprint the email on arrival and compare it with other emails which SEM users have received and possibly blocked around the world. With a community of 4,300,000 users globally, this allows SEM to block mail on various levels of aggression, depending on whether the mail has been received as SPAM in other places around the world. Note that SEM does not transmit mail backwards and forwards, merely the email fingerprint, which makes each SPAM item received identifiable.

Where is the value?

 

“Normal” SPAM blocking methods involve trying to block a combination of a number of known attack profiles. This means each mail organization individually installs and “trains” its SPAM filters to understand relevant mail within the context of the organization. This involves having learning filters such as Bayesian filters learn the difference between “SPAM” and “HAM”, RBL lookups to block known Spammers, blacklists against Spammers who are dumb enough to SPAM you from the same domain repeatedly, checking the integrity of the mail header, reverse DNS lookups, Microsoft’s sender-id mechanism, etc. All of these combined make for a reasonable anti-SPAM defense.

However, think of a fresh attack hitting networks all over the world. Each network individually would need to work out if the mail is valid, and then block it or not. What SEM can do, and does do with the community feature is this: Spammers release yet another different kind of SPAM attack not known to our filters today. Let’s say it’s an embedded image. SEM installations in 220 countries around the world start reporting and confirming the SPAM item and/or attack, and every other SEM installation in the world benefits within minutes. That’s right, from launch to global block within minutes. That’s assuming everything works right, and the folks at SEM assure me that it does.

How does it do it?

As mentioned previously, SEM has a very low impact on an Exchange installation. It uses event sinks in SMTP and the individual mail stores to be notified of mail that has arrived. This means that if SEM were to break or malfunction, barring SMTP stopping or failing, mail flow would continue. As an email arrives, the header is checked for consistency. The email is then checked for images, and the email body as a whole is evaluated. Each one of these is then fingerprinted and compared against a known attack profile. If any one of these is flagged as a possible SPAM item, then the mail is flagged as SPAM and either blocked or allowed in as a marked SPAM item to appear in your SPAM folder – bear in mind that other local filters are also involved in the process.
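The flow described above (header consistency check, then separate fingerprints for images and body, each compared against community-reported fingerprints) can be sketched as follows. This is an added example, not SPAMfighter's code: the review does not describe the real fingerprint algorithm, so SHA-256 over normalized text and decoded image bytes, the header rule, the sample message and all function names are assumptions.

```python
import hashlib
from email import message_from_string, policy

# Constructed sample message (not real traffic).
SAMPLE = """\
From: promo@example.test
Date: Tue, 12 Feb 2008 17:30:00 +0000
Message-ID: <1@example.test>
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain; charset="us-ascii"

Buy   NOW at our  shop!
--b
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b--
"""

def fp(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the product's undisclosed fingerprint.
    return hashlib.sha256(data).hexdigest()

def header_consistent(msg) -> bool:
    # Assumed rule: the headers every well-formed mail carries are present.
    return all(msg[h] for h in ("From", "Date", "Message-ID"))

def fingerprints(msg) -> list:
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            out.append(("image", fp(part.get_payload(decode=True))))
        elif part.get_content_type() == "text/plain":
            # Collapse case and whitespace so trivial edits hash the same.
            text = " ".join(part.get_content().lower().split())
            out.append(("body", fp(text.encode())))
    return out

def classify(raw: str, community: set):
    msg = message_from_string(raw, policy=policy.default)
    # Only these digests are compared with the shared list, never the mail.
    hits = [(kind, h) for kind, h in fingerprints(msg) if h in community]
    if not header_consistent(msg):
        hits.append(("header", "inconsistent"))
    return ("SPAM" if hits else "HAM"), hits
```

A single matching part is enough to flag the message, which mirrors the "any one of these" behaviour the review describes.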

How fast is SEM?

Since SEM offers a small installed footprint, it tends to be as fast as the number of filters chosen and the number of actions chosen within the product. By default it tends to run quickly enough not to need anything switched off, however the control is there to ensure individual settings may be switched on or off.

How Resilient is SEM?

SPAMfighter has put an enormous amount of effort into protecting not only continuity of service but also performance, with 28 servers around the world. The state of each server is available here: http://www.SPAMfighter.com/FAQ_Firewall_Edge.asp. If the server closest to your particular location becomes overwhelmed, there are another 27 to help.

How can I see what it’s doing?

SPAMfighter offers daily/weekly/monthly statistics via email and the web interface, allowing the administrator to see a huge amount of detail including:

  • Total Email Processed
  • SPAM Blocked
  • Mail to SPAM ratio

Here’s an example of a monthly mail an administrator may receive:





What I do like:

  • SPAM protection may be switched on or off for users individually. Same with the built in AV support.
  • The Community feature – makes traditional methods of SPAM protection look decidedly “old”
  • Reporting capabilities in SEM (daily/weekly/monthly statistical information on email, "latest news"-updates, etc.)
  • Outlook client integration which feeds back into the entire global SEM community. Mail that is marked or unmarked as SPAM reflects to the benefit of the entire user base.


What I don’t like:

  • SEM is a specialized anti SPAM product, providing no hardening of the server at all. Note that this is not a problem with SEM as such, but a personal preference of mine to see more value to the Exchange administrator.
  • SEM allows the administrator to see what mail was blocked. While this feature in itself is great, currently there’s no facility for the user to see what mail was blocked for themselves, nor is there a mechanism to release mail which may have been classified in error.
  • While email reporting is a great feature, I don’t have a configurable report view in the admin portal beyond the current month. This means if I don’t keep all my emailed reports I lose my monthly history.
  • Reporting including the type of SPAM/phishing emails blocked. More detail on this may reveal the source of SPAM and allow the administrator to educate their user base about what not to do with their email addresses in a public setting.


In Summary

You’re either going to love what SEM does, or feel like something’s missing. SEM handles SPAM in a non-traditional manner which is certainly worth investigating. The installed user base offers great feedback and a much quicker response to SPAM classification compared to a lot of other products on the market, especially straight after the product is installed, and it doesn’t need to learn what’s “normal” in your environment as many other filters do.

SEM may be downloaded at http://www.spamfighter.com/Product_Servers.asp


 

 


About Nicolas Blank

Nicolas Blank - Operations Director, Credo Technical Services

Nicolas Blank is a Microsoft Infrastructure Architect and Operations Director for Credo Technical Services in South Africa and specializes in Exchange, Active Directory, architecture, systems management, migration and scripting. Nicolas is a Microsoft MVP for Exchange and spends what spare time he has writing, blogging and talking about Exchange and associated technologies. www.credotech.co.za

