E-Mail: Protection At the Top

E-mail Filter for SMTP features excellent antivirus, antispam and content-checking services. But the product's exceptional strength lies in its ability to prevent e-mailing of sensitive internal documents, to build powerful rules that implement and organize all of its protective features and to produce key planning and management reports.

E-mail Filter for SMTP works with virtually any SMTP server. It is installed on a Microsoft Windows 2000 server and acts as an SMTP relay, sitting between Internet SMTP servers and your SMTP server. E-mail-protection functions are performed as e-mail moves from your SMTP server to the Internet and vice versa. This product is not designed to protect non-SMTP e-mail such as Microsoft Exchange Server internal mail.

I installed E-mail Filter in a production Microsoft Windows 2000/Exchange 2000 server environment on a Windows 2000 server (SP 3) with a 1-GHz Pentium III processor and 768 MB of RAM. The Exchange 2000 server had more than 100 user mailboxes. Incoming and outgoing SMTP mail averaged 50 MB per day. No other e-mail-protection software was running on the server. Trend Micro's client-server-based OfficeProtect was running on the clients. Here's what I found:

The Basics

E-Mail Filter for SMTP does not come with an antivirus scanning engine. You need to install at least one compatible scanner. SurfControl offers Network Associates' McAfee Olympus antivirus engine as an add-on. I really like the ability to use multiple virus-scanning engines because passing messages through more than one increases the likelihood of catching new or unusual viruses.

The product's antispamming capability is based on a database that can be edited and that's organized around key spam categories, such as chain letters, joke lists and adult content. Antispam functionality is enhanced by LexiMatch and Virtual Image Agent. With LexiMatch, you use Boolean operators to specify word combinations that are or are not acceptable when they appear together in an e-mail message. You can even set a nearness factor such as within 40 characters. This assures that messages with such terms as "chicken breast" or "breast cancer" are not classified as adult material, for example. Meantime, the Virtual Image Agent analyzes images in e-mail for adult-content messages. This is a new way to deal with spam, and I look forward to seeing it in other products in the future. The agent worked on several graphic adult-content messages I threw at it.
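The nearness idea can be sketched in a few lines. This is an added example, not SurfControl's code or LexiMatch's actual syntax; the function names, the benign-term list and the sample messages are constructed for illustration, with the 40-character window taken from the review.

```python
import re

def spans(text, term):
    """(start, end) offsets of whole-word, case-insensitive matches of term."""
    pattern = r"\b" + re.escape(term) + r"\b"
    return [m.span() for m in re.finditer(pattern, text, re.IGNORECASE)]

def gap(a, b):
    """Characters separating two spans; zero or negative if they touch or overlap."""
    return max(a[0] - b[1], b[0] - a[1])

def unexcused_hits(text, trigger, benign_terms, distance=40):
    """Trigger occurrences with no benign qualifier within `distance` characters.

    Each occurrence is judged on its own, so one "breast cancer" elsewhere in
    the message does not excuse an unqualified use of the trigger word.
    """
    benign = [s for term in benign_terms for s in spans(text, term)]
    return [hit for hit in spans(text, trigger)
            if not any(gap(hit, b) <= distance for b in benign)]

def classify(text, trigger="breast", benign_terms=("chicken", "cancer"),
             distance=40):
    """Boolean rule: trigger AND NOT (benign term NEAR trigger)."""
    hits = unexcused_hits(text, trigger, benign_terms, distance)
    return "adult-content" if hits else "clean"

# Constructed sample messages (not taken from real mail).
RECIPE = "Grill the chicken breast for six minutes per side."
HEALTH = "Reminder: breast cancer awareness walk on Saturday."
SPAM = "Adults only: breast pics inside, click now."
# The benign word is present, but 90 characters away from the trigger.
FAR = "cancer fundraiser update. " + "filler " * 10 + "breast pics inside"

if __name__ == "__main__":
    for msg in (RECIPE, HEALTH, SPAM, FAR):
        print(classify(msg), "<-", msg[:45])
```

Widening the window trades false positives for false negatives: with `distance=100` the last sample is excused by a word that has nothing to do with the trigger.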

Powerful Advanced Features

E-mail Filter for SMTP's most impressive feature is its Virtual Learning Agent (VLA). You train VLA to recognize sensitive documents you don't want to infiltrate outgoing e-mail messages. VLA can learn to spot sensitive material in files such as word-processing documents and spreadsheets. You create categories that are appropriate to your business and then choose a set of sample documents to train and test VLA. These categories might range from merger-and-acquisition documents to documents containing confidential patient information to spreadsheets containing internal financial information. I found VLA easy to use, although I discovered that successful training can't be done in five minutes. You need to carefully select your samples and retrain until VLA reports a categorization accuracy rate you are comfortable with.

All of the functionality of E-mail Filter for SMTP comes together in the product's rules engine. You can build rules that specify what to do when a message meets the test of one of the product's agents and to whom the action should apply. For example, if a spreadsheet is attached to a message flagged as containing protected financial information, a rule can place the message in a network folder-based holding area and alert the sender's supervisor by e-mail. The supervisor can access the message and attachment using a Web browser and take appropriate action.

Rules also can be applied to an entire organization or to specific Windows accounts or groups. A nice range of actions is available, including message isolation and deletion. I quickly discovered that, as with training on VLA, rule-making is not a five-minute activity. Rules are processed in the order they are listed in the rule-administrator window. I found myself creating rules that deleted an outgoing message, when I really wanted to isolate it for later review. You need time and logical skills to create rules and to arrange them so one rule doesn't clobber another. The software comes with a set of default rules that you can retain, edit or remove.
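The ordering problem described above can be checked mechanically before a rule list goes live. The following is an added example, not the product's rules engine: the `Rule` fields, the rule names and the assumption that delete and isolate end processing for a message are all hypothetical.

```python
from collections import namedtuple

# scope "*" stands for the entire organization; otherwise a group name.
Rule = namedtuple("Rule", "name category scope action")

# Assumption: these actions take the message out of the flow, so no later
# rule sees it.
TERMINAL = {"delete", "isolate"}

def apply_rules(rules, category, group):
    """Actions taken, top to bottom, for a message of `category` from `group`."""
    taken = []
    for rule in rules:
        if rule.category == category and rule.scope in ("*", group):
            taken.append(rule.action)
            if rule.action in TERMINAL:
                break
    return taken or ["deliver"]

def shadowed(rules):
    """(later, earlier) pairs where an earlier terminal rule always fires first."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action in TERMINAL
                    and earlier.category == later.category
                    and earlier.scope in ("*", later.scope)):
                findings.append((later.name, earlier.name))
                break
    return findings

# Constructed rule lists: same two rules, different order.
CLOBBERED = [
    Rule("drop-financial", "financial", "*", "delete"),
    Rule("hold-finance-team", "financial", "Finance", "isolate"),
]
FIXED = list(reversed(CLOBBERED))

if __name__ == "__main__":
    print(apply_rules(CLOBBERED, "financial", "Finance"), shadowed(CLOBBERED))
    print(apply_rules(FIXED, "financial", "Finance"), shadowed(FIXED))
```

Placing the narrower rule first lets the Finance group's messages be isolated for review while everyone else's still hit the organization-wide rule.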

E-mail Filter for SMTP includes a very powerful reporting capability. Most of us tend to think of e-mail security-package reporting as a way to monitor the effectiveness of the message-screening process. This is an important function of reporting, and E-mail Filter does it well. However, its reporting was also developed to assist in another important function: the ongoing development of acceptable e-mail-use policies. My favorite E-mail Filter report shows the percent for each of the top 10 rules violations (see pie chart above). Using E-mail Filter's default rules, you can generate such reports early in the game and use them to put together acceptable use policies informed by real-world experience. Oh, how I wish I had these sorts of reports in the past when assisting clients in developing their policies.

SurfControl has done a nice job isolating administrative interfaces where it makes sense and integrating them where necessary, including separate interfaces for the Virtual Learning Agent, the Rules Administrator and the SurfControl Monitor.

SurfControl E-mail Filter for SMTP is loaded with a number of other powerful features, including Web-based remote administration, reverse DNS lookup to assure that a sender's e-mail domain actually exists, modification or removal of message header elements such as return path and subject, appending of disclaimers to outgoing messages and HTML stripping to avoid malicious code.

Barry Gerber ([email protected]) is a products review veteran based in Los Angeles.