SPAMfighter Exchange module review


Disclaimer

This product review reflects my own views on this product and, as such, reflects my opinion. While some product documentation has been consulted for the sake of clarity, none of it has been reproduced for the sake of this review.

Introduction

This document is a review of SPAMfighter Exchange Module (SEM). The product was reviewed specifically for:

  • SPAM handling capabilities

  • Scalability and resilience

  • Reporting

  • Administrative and end user benefit

Executive Summary

SPAMfighter Exchange Module (SEM) is a capable product with an installed community in excess of four million users. The way SEM works allows the product to detect and classify a SPAM email and benefit the entire global installed user base within minutes. Because SEM detects and classifies SPAM email in this fundamentally different way, it offers SPAM protection and benefits of a different nature, which may offer better SPAM protection than traditional static filtering or learning products. This, however, should be evaluated individually per mail organization. SEM is available in English, German, Danish, Dutch, Spanish, French and Greek.

 

Installation

The first impression you have when downloading SEM is that it is TINY. The SEM.EXE executable installer is only 370KB in size! However, the installer is a shell which will automatically detect the correct version of .NET and download the appropriate version. For my Exchange 2003 test machine, the subsequent installer was 8051KB.

First impressions were quite favorable. The web interface is well laid out and easy to use. Something that struck me was the fantastic language support in SEM. Most European languages are supported by default and more are added all the time. As such, this has to be one of the most accessible anti-SPAM products on the market today for a larger audience. If you're in Europe looking for a localized product, I would strongly recommend SEM on language support alone. Current language support includes English, German, Danish, Dutch, Spanish, French and Greek.

 

First off, to position this product - it is not a replacement for a commercial mail edge server. SEM is designed to fit onto an existing Exchange server with the smallest footprint possible. SEM will not intrude into the Mail Store and is well written from a privacy point of view. However, as I mentioned, it will not harden your Exchange installation in any way. If you're an open relay, or have suffered from mail abuse in the past, then SEM may not be the right product for you, since the folks at SEM expect you to harden your network before SEM is installed.

 

What does it do?

SEM is first and foremost an anti-SPAM engine. As I mentioned previously, it installs with the smallest possible footprint and doesn't interfere with mail flow, even if it breaks! (More on this later.) While it has support for a number of common anti-SPAM features, such as white and black lists, a language filter and integrated AV, where SEM differentiates itself is the Community Filter feature.

 

The Community Feature has nothing to do with open source. What it does do is fingerprint the email on arrival and compare it with other emails which SEM users have received and possibly blocked around the world. With a community of 4,300,000 users globally, this allows SEM to block mail on various levels of aggression, depending on whether the mail has been received as SPAM in other places around the world. Note that SEM does not transmit mail backwards and forwards, merely the email fingerprint, which makes each SPAM item received identifiable.

 

Where's the value?

"Normal" SPAM blocking methods involve trying to block a combination of a number of known attack profiles. This means each mail organization individually installs and "trains" its SPAM filters to understand relevant mail within the context of the organization. This involves having learning filters such as Bayesian filters learn the difference between "SPAM" and "HAM", RBL lookups to block known Spammers, blacklists against Spammers who are dumb enough to SPAM you from the same domain repeatedly, checking the integrity of the mail header, reverse DNS lookups, Microsoft's Sender ID mechanism, etc. All of these combined make for a reasonable anti-SPAM defense.

 

However, think of a fresh attack hitting networks all over the world. Each network individually would need to work out if the mail is valid, and then block it or not. What SEM can do, and does do with the community feature is this: Spammers release yet another different kind of SPAM attack not known to our filters today. Let's say it's an embedded image. SEM installations in 220 countries around the world start reporting and confirming the SPAM item and/or attack, and every other SEM installation in the world benefits within minutes. That's right, from launch to global block within minutes. That's assuming everything works right, and the folks at SEM assure me that it does.

 

How does it do it?

As mentioned previously, SEM has a very low impact on an Exchange installation. It uses event sinks in SMTP and the individual mail stores to be notified of mail that has arrived. This means that if SEM were to break or malfunction, barring SMTP stopping or failing, mail flow would continue. As an email arrives, the header is checked for consistency. The email is then checked for images, and the email body as a whole is evaluated. Each one of these is then fingerprinted and compared against a known attack profile. If any one of these flags as a possible SPAM item, then the mail is flagged as SPAM and either blocked or allowed in as a marked SPAM item to appear in your SPAM folder - bear in mind that other local filters are also involved in the process.
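The fingerprint-and-compare flow described above, as an added sketch that is not SPAMfighter's code or its actual algorithm: SHA-256 over each image and over a normalized body, the report thresholds per aggression level, and all function names are assumptions, and the sample messages and community table are constructed.

```python
import hashlib
import re
from email import message_from_string
from email.message import Message

# Assumed thresholds: community reports needed before a part counts as SPAM.
AGGRESSION = {"low": 50, "medium": 10, "high": 2}

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fingerprints(msg: Message) -> list[str]:
    """One fingerprint per image part and one for the normalized body text."""
    prints, text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            prints.append("img:" + _digest(payload))
        elif part.get_content_maintype() == "text":
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    # Collapse case, digits and whitespace so per-recipient variations hash alike.
    body = re.sub(r"\s+", " ", re.sub(r"\d+", "#", " ".join(text).lower())).strip()
    prints.append("body:" + _digest(body.encode()))
    return prints

def classify(msg: Message, lookup, level: str = "medium") -> str:
    """lookup(fingerprint) -> report count. Only fingerprints leave the server."""
    try:
        worst = max(lookup(fp) for fp in fingerprints(msg))
    except Exception:
        return "deliver"  # fail open: a broken filter must not stop mail flow
    return "spam" if worst >= AGGRESSION[level] else "deliver"

# Constructed sample messages (not real mail).
MSG_A = message_from_string("Subject: Deal\n\nYour order 12345 is   WAITING. Click now!\n")
MSG_B = message_from_string("Subject: Deal\n\nYour order 99871 is waiting. Click now!\n")
MSG_HAM = message_from_string("Subject: Notes\n\nMinutes from Tuesday's meeting attached.\n")
# Constructed community table: MSG_A was reported as SPAM by 12 installations.
COMMUNITY = {fp: 12 for fp in fingerprints(MSG_A)}

def community_lookup(fp: str) -> int:
    return COMMUNITY.get(fp, 0)

if __name__ == "__main__":
    print(classify(MSG_B, community_lookup, "medium"), classify(MSG_HAM, community_lookup))
```

An exact hash only matches after normalization; a production filter would need a fuzzier fingerprint to survive larger changes to the message text.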

 

How fast is SEM?

Since SEM offers a small installed footprint, it tends to be as fast as the number of filters chosen and the number of actions chosen within the product. By default it tends to run quickly enough not to need anything switched off; however, the control is there to switch individual settings on or off.

 

How Resilient is SEM?

SPAMfighter has put an enormous amount of effort into protecting not only continuity of service but also performance, with 28 servers around the world. The state of each server is available here: http://www.SPAMfighter.com/FAQ_Firewall_Edge.asp. If the server closest to your particular location becomes overwhelmed, there are another 27 to help.

Nicolas Blank

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008