
Be content with your content

Baltimore Technologies' MAILSweeper sweeps up e-mail messes.



E-mail is a business-critical application, but keeping tabs on it is a daunting task. How can you make sure unwanted things aren't getting in (such as viruses, spam or inappropriate material) and also make sure you aren't sending out the same or worse things - such as company secrets? If you have an e-mail usage policy in place, that's a start. The problem with an e-mail policy is that it operates on the honor system. The e-mail content managers that we tested help you enforce your e-mail policy, which can save your secrets, your reputation ... perhaps even your company's bacon. We reviewed Baltimore Technologies' MAILSweeper for SMTP, Elron Software's Message Inspector, Gordano's NT Mail, Group Technologies SecurIQ Suite, Rockliffe Systems' MailSite DataCenter and SurfControl's SuperScout.

MAILSweeper, despite its complex installation process, won our Blue Ribbon Award because it does a bit more than the other contenders in every area we tested.

An examination of content

E-mail content managers examine and control the distribution of e-mail based on content. To test the products, we used three single keywords: poltergeist, alchemy and concerto. But it's not enough to recognize offensive text in isolation. An e-mail content manager needs to be aware of context. If you stop all e-mail with the word "breast" in it, you also risk losing valuable mail and could face embarrassment, as a large ISP discovered when it terminated the accounts of people in a breast cancer survivor's group. In our tests, we tried to allow messages about breast cancer to go through, while stopping messages that just mentioned breasts.

Another key concern is the unauthorized release of critical-business information. Your staff telling people about an impending stock split could be seen as spreading insider information, so we set our rules to stop messages that mention stock splits. We also used this as an opportunity to test how well the e-mail content managers could recognize more complex phrases, such as "our stock is about to split" and "the split in our company's stock." Both of these should be caught. However, another test mentioned the word "stock" in the first line of a three-page note, and concluded with, "I gotta split." This note should be passed on to the recipient.




MAILSweeper had more of a learning curve than the other products. Once we created a reference (essentially, a dictionary) that contained the words, strings and regular expressions we were interested in, MAILSweeper quickly found all of our test words. Using the regular expressions and taking into account the proximity of two words, it was easy to create a single rule for our tricky breast cancer test, and another one using the MAILSweeper "near" function to accommodate the stock-split test.

Elron's Message Inspector's text-analysis tools found all of our test words. It also handled our combinations well. Message Inspector's "collocation" option can help find words in a context. This was particularly handy for our stock-split test. Both test phrases triggered the rule, and by adjusting the collocation value, we kept the rule from triggering when the words were in separate paragraphs.

Elron's Message Inspector, Gordano's NT Mail, Rockliffe's MailSite DataCenter and SurfControl's SuperScout required us to create two rules to handle the breast test. One rule passed messages containing both "breast" and "cancer," while the next stopped those containing only "breast". This was a bit more cumbersome than creating a single condition to handle our test, but it did work. We wonder how many similar word combinations a system manager will have to create special rules for. While we could test for stock splits, without a near or collocation test it was easy to have false positives.
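The proximity ("near" or collocation) rules discussed above can be sketched as follows. This is an added example, not code from any of the reviewed products; the function names, word patterns, gap values and sample messages are constructed for illustration, and treating a blank line as a paragraph boundary is an assumption.

```python
import re

TOKEN = re.compile(r"[a-z]+(?:'[a-z]+)?")

def positions(text, pattern):
    """Return (paragraph, word_index) for every word that fully matches pattern."""
    rx = re.compile(pattern)
    hits = []
    for p, para in enumerate(re.split(r"\n\s*\n", text.lower())):
        for w, tok in enumerate(TOKEN.findall(para)):
            if rx.fullmatch(tok):
                hits.append((p, w))
    return hits

def close(a, b, max_gap):
    """Two hits are 'near' if they share a paragraph and are <= max_gap words apart."""
    return a[0] == b[0] and abs(a[1] - b[1]) <= max_gap

def near(text, pat_a, pat_b, max_gap):
    """True if words matching pat_a and pat_b occur near each other, in either order."""
    hits_b = positions(text, pat_b)
    return any(close(a, b, max_gap) for a in positions(text, pat_a) for b in hits_b)

def unqualified(text, pat, qualifier, max_gap):
    """True if some word matching pat has no qualifier word near it."""
    quals = positions(text, qualifier)
    return any(not any(close(hit, q, max_gap) for q in quals)
               for hit in positions(text, pat))

def evaluate(message):
    """Apply the two test policies from the review, one rule each."""
    if near(message, r"stocks?", r"split(?:s|ting)?", 6):
        return "block: stock-split"
    if unqualified(message, r"breasts?", r"cancers?", 3):
        return "block: unqualified-keyword"
    return "deliver"

# Constructed sample messages built around the phrases quoted in the review.
STOCK_1 = "Heads up: our stock is about to split."
STOCK_2 = "Analysts expect the split in our company's stock next month."
LONG_NOTE = ("Stock photos for the brochure are attached.\n\n"
             + "\n\n".join(["Filler paragraph about the brochure layout."] * 3)
             + "\n\nAnyway, I gotta split.")
SUPPORT_GROUP = "The breast cancer survivors' group meets on Tuesday."
KEYWORD_ONLY = "Forwarded joke: it is all about breasts."

if __name__ == "__main__":
    for msg in (STOCK_1, STOCK_2, LONG_NOTE, SUPPORT_GROUP, KEYWORD_ONLY):
        print(evaluate(msg), "<-", msg.splitlines()[0])
```

Without the paragraph and gap constraints, LONG_NOTE would match a plain "stock AND split" rule, which is the false positive the review describes for products lacking a near or collocation test.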

Playing footsie

For cynics who think lawyers and judges run companies, footers - the disclaimers of the e-mail world - may be all the proof they need.

MailSite didn't directly offer a way to add footers to messages. However, MailSite offers customizable agents that run within MailSite, and it would be possible to write an agent that would handle this function. Still, this is a function that is easier to buy than write. All of the other products offer ways to add footers based on the sender, recipient, the sender or recipient's domain, or other identifying characteristics. Not all products offer all the options, but all offer a way to get there.

MAILSweeper goes a step further and divides footers into two functions, a "legal" disclaimer and a "commercial" disclaimer. A legal disclaimer adds text at the front or end of a message body. The commercial disclaimer combines a text-analysis function into it to decide if the disclaimer needs to be added. For example, if it sees the words "sales quote," it might add a disclaimer reminding folks "this quote is good for five business days only." There are options to provide exclusions (either by name or domain) and to prevent multiple disclaimers, for example during multiple, quoted responses.

Out with the bad mail

All the products can stop bad mail and send a message to the sender, as well as the e-mail administrator. Some products add extra features, such as Message Inspector's ability to stop or delay messages based on their size or sender. This would allow the sales department, for example, to send marketing information at any time. SuperScout lets you put into isolation mail that violates standards so the system manager can determine what actions should be taken with the mail. In addition to sending e-mails to the sender and system manager, MAILSweeper can create a pop-up alert with a customizable message, such as "I found a virus!" and send information to the application event log. Group Technologies' SecurIQ lets you create rules at many levels within the Microsoft Exchange system, from systemwide in the public folders down to folders within a user's mailbox.

We found SurfControl's SuperScout's unique Risk Filter to be the easiest way to filter messages. It can be added to almost any rule. Because most jokes and pictures are sent through e-mail relatively unchanged, SuperScout adds to the Risk Filter the characteristics of these messages to make them easy to spot. For example, you can turn on the Risk Filter for adult-content images without having to scan all JPG, gif or other formats. However, the Risk Filter probably won't find any content that the people in your company created. The Risk Filter is updated automatically if you have a subscription, much like antivirus programs.

If there is anything e-mail users agree on, it's that spam is bad. All the packages offer ways of handling spam, including use of the Realtime Blackhole List, allowing system managers to create lists of domains and sites from whom e-mail will not be accepted. They also have ways of testing message characteristics such as the number of recipients to a message, ensuring through a reverse DNS lookup that the sending machine exists, and disabling relaying to prevent others from using your machines to deliver spam.

MailSite had the most to offer in this arena.

Configuration and managing

Most of the packages we looked at sit between the e-mail server and the rest of the world. However, Gordano's NT Mail and Rockliffe's MailSite DataCenter are not only e-mail content filters, but also complete messaging systems.

If you are moving your e-mail services in-house, or if you want to escape the e-mail server you have, these products can perform all your e-mail services. NT Mail can also be used to protect another system if you configure it to scan messages, and then forward the ones that pass the tests on to the protected system. MailSite also contains a list server, and specific agents can be created for any lists you may have.

Consoles come in a variety of styles, ranging from Windows-based programs, Microsoft's Management Console-based consoles, Web applications and Java applet-based consoles. Gordano's NT Mail, Rockliffe's MailSite DataCenter and Elron's Message Inspector offer full control from a Web interface which can be used from any Internet connection. SurfControl's SuperScout is partly there, offering Web-based control over its Message Administrator, which lets a remote system manager control the disposition of quarantined messages.

Logging and reports are an integral part of management - they let the system manager know what has happened to the system, and they help justify the software to management. NT Mail generates logs as it processes mail. Each night when the log files are rolled over, they can be sent to any e-mail address for review, or they can be compressed and/or archived. MailSite can log to a set of log files, the NT application log, and export data so the Windows Performance Monitor can access it.

MailSite, SuperScout and MAILSweeper can send log data to an Access or other Open Database Connectivity database, which gives the system administrator access to the report-generation tools the database offers. While MailSite and SuperScout don't include reports to run against the database, MAILSweeper includes several predefined reports such as policy usage, top author, top recipient and some performance metrics.

SecurIQ's reporting is similar to what Exchange offers, making the Event Viewer your source of information. Gordano's NT Mail only includes the basics. Neither graphs nor statistics are available with SecurIQ or NT Mail.

Message Inspector maintains its own database. Defined graphs and reports list the volume of messages processed, as well as most active rules triggered, users delivered to or from, as well as most violations by a user. A nightly report is sent to the administrator giving a summary, in text or HTML, of the previous day's events. This report lists total messages processed, total messages blocked, total rules triggered and other statistics. If one of the reports or graphs is tagged as a "favorite," it can be run and e-mailed with this report.

Attachments and antivirus

The really dangerous and time-wasting things that go in - and out - of our mail systems are in the attachments. Beyond viruses, the unauthorized spread of multimedia files wastes bandwidth, and exposes corporations to copyright suits when employees mail "ripped" MP3 files. We wanted to see if the products can recognize files and file types, even when their names or file types have been changed, and stop any viruses in the attachments.

MAILSweeper found our test files, and wasn't fooled when we renamed them. It can handle file types by extension, and it can also block other files by scanning the files for content. It handled archives, even nested archives, with aplomb.

NT Mail scans for file attachments, but only by file name and extension. To scan for files independently of their name, you need to create a script that scans the files for a unique identifying string. Each of our test files had such an identifier, so we added that functionality. Until that is added, a user can bypass the NT Mail system by renaming the file they want to send. Worse, NT Mail doesn't look inside of archive files (such as ZIP, ARJ, and LHZ) and scan their contents.

SecurIQ's Watchdog component looks for file attachments and it can analyze attachments by file name and a "fingerprint" of the file type. Watchdog easily caught our files by extension. However, when we renamed them, it caught JPG and PDF files, but missed MP3 files, despite having a fingerprint defined. Watchdog let us use the SecurIQ Configuration Manager to define new fingerprints for any new type of file. Checking for files inside of archives is another matter entirely. While SecurIQ supports three archive utilities - ARJ, InfoZip and WinZip - you must purchase them separately.

Right out of the box, SuperScout and Message Inspector handled archives, even nested archives, very well. SuperScout was adept at finding our test files. Not only could we scan specifically for file names and extensions, but also various types of files, independent of the name. The system manager cannot modify the data file that contains definitions for these file types, although SurfControl lets you submit data to them so that they can add desired file types to the list. SuperScout let us specify file names and extensions to look for.

Message Inspector can scan for attachments by file name and/or extension, or by file type. As a result, it had no problems catching our test data files, even if we changed the name. Currently, Message Inspector groups the file types together, such as graphics files, multimedia files, executables and others. If you want to scan for a particular file type, but pass other similar types (such as catching .jpg files, but letting .gif files pass) you need to have some reliance on file extension, or simply catch all graphics files.

MailSite does little on its own with archives, but it lets you create your own software to act as an agent to extend the product.
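Identifying attachments by content rather than by name, and looking inside nested archives, can be sketched as follows. This is an added example, not code from any of the reviewed products; the depth and size limits, the function names and the sample files are constructed assumptions, and only ZIP archives are unpacked.

```python
import io
import zipfile

MAX_DEPTH = 5                 # assumption: refuse to unpack deeper nesting
MAX_MEMBER_BYTES = 10 << 20   # assumption: do not expand members above 10 MB

def sniff(data):
    """Return a type label from the leading bytes, ignoring the file name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"ID3"):
        return "mp3"          # ID3v2 tag in front of the audio
    if len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        return "mp3"          # untagged file: MPEG audio frame sync bits
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"

def scan(name, data, blocked, depth=0, prefix=""):
    """Return [(path, finding)] for blocked types, descending into ZIP members."""
    here = prefix + name
    kind = sniff(data)
    if kind != "zip":
        return [(here, kind)] if kind in blocked else []
    if depth >= MAX_DEPTH:
        return [(here, "archive-too-deep")]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = here + "!" + info.filename
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "member-too-large"))
                    continue
                try:
                    inner = zf.read(info)
                except RuntimeError:          # encrypted member, no password
                    findings.append((member, "encrypted-member"))
                    continue
                findings += scan(info.filename, inner, blocked, depth + 1, here + "!")
    except zipfile.BadZipFile:
        findings.append((here, "unreadable-archive"))
    return findings

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed sample attachments: headers only, deliberately misnamed.
MP3_TAGGED = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 32
MP3_UNTAGGED = b"\xff\xfb\x90\x00" + b"\x00" * 32
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
NESTED = make_zip({"q3.zip": make_zip({"minutes.txt": MP3_UNTAGGED}),
                   "logo.gif": JPEG})

if __name__ == "__main__":
    print(scan("budget.doc", MP3_TAGGED, {"mp3"}))
    print(scan("report.zip", NESTED, {"mp3", "jpeg"}))
```

The second MP3 check matters because an MP3 without an ID3 tag has no text signature at all, only the frame sync bits, so a fingerprint that looks for "ID3" alone will miss it.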

Once the attachments are found, they need to be checked for viruses. MAILSweeper supports only three antivirus vendors: F-prot (Command Anti-Virus), McAfee (two versions) and Vet NT. There is no option for integration with other third-party antivirus products.

SecurIQ works with a variety of antivirus vendors, and can even launch scans for different products simultaneously if you want the feeling of protection that comes from using several antivirus products. While it cannot work with just any vendor, the eight that are included contain most of the major players.

NT Mail's Virus Protection Package uses F-prot's Command Anti-Virus, automatically updating the virus definition files if your subscription is current.

SuperScout is preconfigured to recognize several commercial antivirus packages. It can also integrate with any other antivirus engines, but you will need to handle configuration manually.

Message Inspector provides a tightly integrated packaged solution from either McAfee or Sophos that essentially puts a new interface around the antivirus engine. This lets the system manager set policy regarding infected messages - it can attempt to clean messages and then send the cleaned message, or quarantine or block infected messages. Notification can also be sent to the sender, recipient and/or an administrator.

Again, MailSite doesn't offer antivirus capability out of the box; however the system manager can create software agents that extend MailSite's functionality.

Installation

Message Inspector, NT Mail, SecurIQ, MailSite Datacenter and SuperScout installed easily and quickly. Message Inspector had a nice touch that we really appreciated: Its installation process put policies in place to pass messages by default, so the mail would still be delivered while we learned how to use the product.

And then there's Baltimore Technologies' MAILSweeper - the most difficult product in our test to install. Not only is it sensitive to what's in your registry, but it's also sensitive to which version of the MAPI32.DLL file is on your system. Microsoft supplies different versions of this file with many products, but you need the version that comes with Office XP. However, the version that comes with Outlook 98 (not Outlook 2000) is sufficient. Baltimore has you get the installation files directly from its Web site, and usually doesn't send installation disks. A word to the wise: Remember to download the installation guide. MAILSweeper does have a sample policy toolkit, but it is a separate piece to be installed later.

While SecurIQ's documentation seemed to be a work in progress with only one administrator guide available - the German version for Lotus Domino - the rest of the electronic documentation we received with the products was good across the board. SuperScout and Message Inspector excelled, and MailSite's documentation wasn't just thorough, it showed each screen we encountered during installation with details about each possible answer.

Conclusion

For those who are moving to an in-house messaging system, either NT Mail or MailSite could be an excellent choice. NT Mail has an excellent set of messaging features that aren't within the scope of this review. MailSite is, depending on your point of view, highly customizable or lacking in features. Shops without programming staff to dedicate to this product should probably pass on it.

SecurIQ will integrate into your Exchange or Lotus Notes system very tightly. If all you need is solid policy enforcement, you may have found your solution. Once Group Technologies adds some punch to the content scanning and adds some reporting, SecurIQ will be an all-around contender.

SuperScout and Message Inspector are virtually toe-to-toe, and neither is far behind MAILSweeper. SuperScout squeaked out second place because it has better documentation. Message Inspector has better contextual scanning, but SuperScout has more detailed control of attachment scanning. Both are great tools.

Even though the three top contenders were very close, MAILSweeper was ahead by a nose. While it was more difficult to install and master than the others, it offered a little bit more than the competition in almost every area.

 
NET RESULTS

4.03 RATING MAILSweeper for SMTP 4.2
3.9 RATING Message Inspector
3.88 RATING Message Inspector 3.1
3.4 RATING SecurIQ Suite 1.1
3.08 RATING MailSite DataCenter 4.5

Baltimore Tech., (877) 228-9754. Price: $8,664 for 500 users. Pros: contextual scans; flexible attachment scanning options. Cons: Slight learning curve.

SurfControl, (800) 368-3366. Price: $1,800 for 50 users, bulk discounts available. Pros: Flexible; the Risk Filter. Cons: Doesn't scan content in context.

Elron Software, (800) 767-6683. Price: $18,900 for 1,000 users (with companion McAfee antivirus bundle and one-year sub.). Pros: contextual scans; Java-based console. Cons: Limited attachment scanning options.

Gordano, (877) 292-1142. Price: $38,482 for 10,000 users, including one-year Virus-protection plan sub. Pros: Easy to use and set up; powerful scripting language. Cons: Cannot scan archives; limited reporting.

Group Tech., (877) 476-8755. Price: $10,000 for 250 users for the entire suite (modules can be purchased separately). Pros: Create your own file "fingerprints"; tight Exchange integration. Cons: Weak reporting, just needs a little overall polish.

Rockliffe Systems, (408) 554-0766. Price: $4,000 for 50,000 users. Pros: Very flexible as far as adding custom modules. Cons: Very little included out of the box.
What's the score?

                     MAILSweeper  SuperScout  Message Inspector  NT Mail  SecurIQ Suite  MailSite DataCenter
Functionality 40%    4.5          4           4                  3.5      3.5            2
Flexibility 25%      4            3.5         3.5                3        3.5            4
Ease of use 25%      3.5          4           4                  3.5      3              3.5
Install 5%           3            4           4                  4        4              4
Documentation 5%     4            4.5         4                  4.5      3.5            4
TOTAL SCORE          4.03         3.90        3.88               3.50     3.4            3.08

Individual category scores are based on a scale of 1 to 5. Percentages are the weight given each category in determining the total score. Scoring key: 5: Exceptional showing in this category. Defines the standard of excellence. 4: Very good showing. Although there may be room for improvement, this product was much better than the average. 3: Average showing in this category. Product was neither especially good nor exceptionally bad. 2: Below average. Lacked some features or lower performance than other products or than expected. 1: Consistently subpar, or lacking features being reviewed.

Berkley is the LAN support supervisor with the University of Kansas. He can be reached at berkley@ku.edu.


Global Test Alliance

Berkley is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.

Copyright, 1994-2006 Network World, Inc. All rights reserved.