August 4, 2005



Spam is one of the biggest concerns of today's enterprises. It not only wastes end users' time by cluttering their mailboxes but also eats up a large amount of bandwidth, and bandwidth is not free. So enterprises are always looking for a solution that can save them from the deluge of spam, and they are ready to spend a large amount of money on it, for an obvious reason: the recurring cost and effort of downloading and deleting spam over the network makes the price of a filter worth paying.

Here is a product that not only filters spam but also scans mail for viruses and does content filtering. Testing it was an interesting process for all of us here. The device targets mid-sized enterprises, and we tested it by deploying it on our own premises in front of our mail server to see how well it works in a live environment. We ran a long list of tests on the device, ranging from sending it different types and volumes of viruses and spam to running penetration-testing tools against it and trying out the content filtering.

Overview
Looks-wise, the device reminds you of a blade server. It runs AsyncOS 4.0, a specialized operating system designed for Internet messaging. The device has two network ports, so you can place it between two different networks.

While configuring the device you have to use the command line (console) quite often, because the Web interface becomes useful only once the device has been tuned for your network. After that, the Web interface is good enough for any configuration or monitoring you want to do.

This device uses Symantec Brightmail for filtering spam and, in addition, IronPort's own SenderBase Reputation Filters for blocking spam from known bad senders. For virus scanning, the C10 uses the Sophos engine together with IronPort Virus Outbreak Filters, which again use SenderBase data to predict virus outbreaks from abnormal e-mail behaviour.

Another good feature is content filtering, which is powerful and easy to configure. You set rules made up of conditions and actions and aim them at either inbound or outbound messages.

An example of such a rule is "if the message body contains the word 'application', then bcc a copy to the network administrator". Content filters are applied after message filtering and after anti-spam and anti-virus scanning, so the device does not waste effort content-filtering messages that have already been identified as spam.
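The pipeline described above, as an added example that is not IronPort's or AsyncOS's code: the rule representation, the spam heuristic, the admin address and the sample messages are all constructed here. What it shows is the ordering the article describes (anti-spam and anti-virus first, content filters last and only on messages that survived), together with the two policies used during the test, tagging everything versus dropping positively identified spam.

```python
"""Model of the mail-policy pipeline described in the review.

Added illustration, not IronPort/AsyncOS code: rule representation,
spam heuristic, addresses and sample messages are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Message:
    direction: str            # "inbound" or "outbound"
    sender: str
    recipients: List[str]
    subject: str
    body: str
    bcc: List[str] = field(default_factory=list)
    dropped: bool = False
    verdict: str = "clean"


@dataclass
class ContentFilter:
    name: str
    direction: str                           # traffic the rule targets
    condition: Callable[[Message], bool]
    action: Callable[[Message], None]


# Constructed keyword heuristic standing in for the real scanning engine.
SPAM_TOKENS = ("free money", "click here now", "lottery winner")
# EICAR test string, the standard harmless sample for anti-virus tests.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def spam_verdict(msg: Message) -> str:
    hits = sum(tok in msg.body.lower() for tok in SPAM_TOKENS)
    if hits >= 2:
        return "positive"
    if hits == 1:
        return "suspected"
    return "clean"


def antispam_stage(msg: Message, drop_positive: bool) -> None:
    """Article's policy: drop positive spam, tag suspected spam.

    With drop_positive=False (the default used in the first test week)
    every spam verdict is only tagged '[SPAM]' and still delivered.
    """
    msg.verdict = spam_verdict(msg)
    if msg.verdict == "positive" and drop_positive:
        msg.dropped = True
    elif msg.verdict in ("positive", "suspected"):
        msg.subject = "[SPAM] " + msg.subject


def antivirus_stage(msg: Message) -> None:
    if EICAR in msg.body:
        msg.verdict = "virus"
        msg.dropped = True


def content_filter_stage(msg: Message, filters: List[ContentFilter]) -> None:
    """Runs last, and only on messages not already dropped upstream."""
    if msg.dropped:
        return
    for f in filters:
        if f.direction == msg.direction and f.condition(msg):
            f.action(msg)


def process(msg: Message, filters: List[ContentFilter],
            drop_positive: bool = True) -> Message:
    antispam_stage(msg, drop_positive)
    antivirus_stage(msg)
    content_filter_stage(msg, filters)
    return msg


# The rule from the article: body contains 'application' -> bcc the admin.
ADMIN = "netadmin@example.com"          # hypothetical address
BCC_ADMIN = ContentFilter(
    name="bcc_application_mails",
    direction="inbound",
    condition=lambda m: "application" in m.body.lower(),
    action=lambda m: m.bcc.append(ADMIN),
)

if __name__ == "__main__":
    sample = Message("inbound", "hr@example.net", ["jobs@example.com"],
                     "Job", "Please find my application attached")
    print(process(sample, [BCC_ADMIN]))
```

Because `content_filter_stage` returns early for dropped messages, a spam message that also contains "application" never reaches the bcc rule, which is the point the article makes about not wasting filtering effort on spam.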

Tests and observations
We should admit that configuring the product is not very easy, and we had to take the help of IronPort's local service provider in Delhi (Apara). The service was quite prompt: two engineers came to our office, did all the necessary configuration and gave us the rights to do further configuration through the Web-based interface, which, as we said earlier, is quite easy to use once the main configuration has been done from the command line. So we recommend that you also get the initial setup done by the vendor.

To test the device we left it running for around a week with the default settings, that is, it was not supposed to drop any spam, only tag it as '[SPAM]' and deliver it to users' mailboxes. We chose this because the device was under test and we were not yet familiar with its capabilities, so we did not want to drop any mail it classified as spam until we were sure legitimate mail would not be lost. After observing it for around a week we changed the policy to drop all mail positively identified as spam and to tag the suspected ones as spam but still deliver them, and that worked perfectly for us. During the first week we also ran another spam filter (provided by our ISP) in parallel with the C10, and found that around a dozen spam messages per user per day passed undetected by the other filter but were correctly tagged by the IronPort C10.

Another interesting observation was that after deploying the product the number of viruses arriving by e-mail dropped dramatically, to almost zero.

Good security is also very important for this kind of device, since it generally sits on the perimeter of the network, and an exploitable flaw in it can lead to compromise of the whole network. We checked the device for security holes in its networking stack and operating system that someone could exploit. For this we ran standard penetration-testing tools such as Nmap, Nessus and Nikto against it, and found it to be pretty secure: we were not able to find any hole through which to exploit the device in its default configuration.

Bottom Line: A very nice product for mid-sized organizations (under 500 users) that want a good anti-spam and anti-virus appliance with great manageability and monitoring.

Errata
The price of the ConvertX PX-AV 100 Video Capturing Device, page 114, July 2005, PCQuest, was wrongly printed as Rs 6,500. The correct price is Rs 5,400 plus taxes.


Spamming intelligently

After configuring and running the C10 for some days, we found that the amount of spam had decreased but we were still receiving a good deal of it. When we checked the device's monitoring console, we couldn't find any reference to these messages. So we started hunting for the problem and found that our mail domain had three MX records. The first pointed to the C10, while the second and third pointed to unprotected servers. Spammers are intelligent enough to assume that only the first MX record will be protected by a spam filter, so they commonly look up the other MX records and send their spam through those hosts instead. One option is to delete the other MX records, but that is not recommended, because the extra MX records are there for failover in case the main mail server fails. The other option is to put a spam filter in front of the servers the other MX records point to as well. Our final setup was: the primary MX record pointing to the C10, which routed mail to our mail server; the secondary MX record pointing to the ISP's anti-spam filter; and the third MX record pointing to a backup arrangement.
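The check a practitioner would want after reading this, as an added example that is not part of the review: parse the MX records of a domain and flag every MX host that is not behind a known spam filter, since those are exactly the hosts a spammer who skips the primary will aim at. The DNS answer below is constructed to look like `dig +short MX example.com` output so that the script runs offline, and the host names are hypothetical.

```python
"""Flag MX hosts that let mail bypass the spam filter.

Added example, not part of the review. The sample answer is constructed
in the shape of `dig +short MX <domain>` output; host names are
hypothetical. Pipe real dig output into the script to check your domain.
"""
import re
from typing import List, Set, Tuple

# Constructed sample reproducing the situation the review found:
# only the primary MX is the C10, the two fallbacks are unprotected.
SAMPLE_DIG_OUTPUT = """\
10 c10.example.com.
20 mail2.example.com.
30 backup.example.net.
"""

# Hosts known to run a spam filter (the C10 and the ISP's filter).
PROTECTED_HOSTS = {"c10.example.com", "isp-filter.example.org"}

MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_mx(text: str) -> List[Tuple[int, str]]:
    """Parse 'preference host.' lines into (preference, host), best first.

    Lower preference value means the host is tried first by senders.
    """
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line)
        if not m:
            continue                      # blank or unexpected line
        host = m.group(2).rstrip(".").lower()
        records.append((int(m.group(1)), host))
    return sorted(records)


def fallback_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Every MX except the most preferred one: the hosts a spammer who
    assumes only the primary is filtered will deliver to."""
    return [host for _, host in records[1:]]


def unprotected_mx(records: List[Tuple[int, str]],
                   protected: Set[str]) -> List[str]:
    """MX hosts through which mail reaches the domain without a filter."""
    return [host for _, host in records if host not in protected]


def report(text: str, protected: Set[str]) -> str:
    records = parse_mx(text)
    bad = unprotected_mx(records, protected)
    lines = [
        f"{pref:>4}  {host:<24} {'filtered' if host in protected else 'UNPROTECTED'}"
        for pref, host in records
    ]
    if bad:
        lines.append(f"{len(bad)} MX host(s) bypass the spam filter: {', '.join(bad)}")
    else:
        lines.append("all MX hosts are behind a spam filter")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    print(report(text, PROTECTED_HOSTS))
```

Usage with live data is `dig +short MX yourdomain.example | python mxcheck.py` (file name assumed); the fix the review settled on corresponds to replacing the unprotected fallback with a host in `PROTECTED_HOSTS`, after which the report shows no bypass.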

Anindya Roy

