Why just good is not good enough
In my nearly 20 years in the messaging business, spam has evolved from a trickle of "unsolicited bulk e-mail" to a barrage of sophisticated and malicious threats. Anti-spam effectiveness is becoming a major deciding factor for both security vendors and IT decision makers. Why? Because spam is highly visible to end-users, while most other security threats are almost impossible for end-users to detect.
Yet too many organizations ‘make do’ with mediocre e-mail filtering and declining detection rates, assuming that the cost is nothing more than deleting a few extra messages each day. But e-mail has become a vector for stealthy threats to users' inboxes and to entire organizations. Settling for ‘good enough’ solutions can leave a company clogged with junk e-mail, infected with an array of viruses, and even turned into a source of spam or malware itself.
E-mail filters often claim high detection rates for spam, phishing or malware, but these claims can be misleading. A solution that blocks 90% of inbound e-mail threats may sound adequate, but that is a 10% failure rate, which translates to users being exposed to dozens of fraudulent or infected e-mails daily.
Published detection rates often reflect product performance in an average period when no unusual outbreaks are taking place, or worse, tests run on old e-mail messages from weeks earlier. The real test is how well the filter performs when faced with the worst of threats.
Massive botnets spewing unwanted mail can be activated and deactivated so quickly that the ‘blacklists’ many solutions rely on simply cannot keep up. By the time most traditional defense solutions begin to provide effective protection against a new threat, the bulk of the e-mail has already penetrated. Delays of just minutes can mean detection rates that fall dramatically at the crisis moment they are needed most. Only a live-traffic test gives the true picture of how well an e-mail filtering engine performs.
Some solutions integrate multiple filtering engines to enhance detection, but at a heavy cost. Each technology contributes its mistakes to the mix, meaning more good messages are misclassified as threats. These “false positives” can lead to damaged relationships and lost business due to e-mail that was mistakenly blocked.
When choosing an e-mail filter, quality is everything. Use this checklist as a guide to selecting your next e-mail defense solution:
- Zombie/botnet defense: dynamically updated sender reputation
- Real-time: no delay blocking new outbreaks
- Crisis performance: maintains high detection at critical hour
- Detection rates: highest available detection with very low false positives
- Truth in detection rates: demand a minimum one-week in-house trial to test detection
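The two checklist items that are hardest to read off a vendor datasheet are crisis performance and the false-positive cost of multi-engine setups. Both fall out of the same trial data once you score it per hour instead of as a period average. The script below is an added example (not code from the post's author or any vendor): it assumes a trial log in which a reviewer later labelled every message 'spam' or 'ham', and in which each candidate engine's verdict (blocked or delivered) was recorded. The engine names, the 'block if either engine blocks' ensemble, and the log itself are constructed for illustration; the 10:00 bucket plays the role of a botnet outbreak that engine A's sender blacklist has not yet caught up with.

```python
"""Score an e-mail filter trial log by hour, not only by period average.
Added example; engines, log and ensemble rule are constructed, not a real product's."""
from collections import defaultdict
from datetime import datetime
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Record(NamedTuple):
    ts: datetime      # arrival time
    truth: str        # reviewer's label: 'spam' or 'ham'
    engine_a: bool    # True if engine A blocked the message
    engine_b: bool    # True if engine B blocked the message


def _rec(hour: int, minute: int, truth: str, a: bool, b: bool) -> Record:
    return Record(datetime(2024, 1, 15, hour, minute), truth, a, b)


# Constructed log: 09:00 is a quiet hour, 10:00 is an outbreak hour.
SAMPLE_LOG: List[Record] = [
    _rec(9, 2, "spam", True, True), _rec(9, 5, "spam", True, True),
    _rec(9, 11, "spam", True, True), _rec(9, 20, "spam", True, False),
    _rec(9, 3, "ham", False, True),            # engine B false positive
    _rec(9, 8, "ham", False, False), _rec(9, 14, "ham", False, False),
    _rec(9, 25, "ham", False, False), _rec(9, 40, "ham", False, False),
    _rec(9, 55, "ham", False, False),
    _rec(10, 1, "spam", True, True), _rec(10, 2, "spam", True, True),
    _rec(10, 3, "spam", True, True), _rec(10, 4, "spam", False, True),
    _rec(10, 5, "spam", False, True), _rec(10, 6, "spam", False, True),
    _rec(10, 7, "spam", False, True), _rec(10, 8, "spam", True, False),
    _rec(10, 30, "ham", True, False),          # engine A false positive
    _rec(10, 45, "ham", False, True),          # engine B false positive
]

Verdict = Callable[[Record], bool]

ENGINES: Dict[str, Verdict] = {
    "A": lambda r: r.engine_a,
    "B": lambda r: r.engine_b,
    # Naive ensemble: block if either engine blocks. More spam is caught,
    # but each engine's false positives are added to the mix too.
    "A or B": lambda r: r.engine_a or r.engine_b,
}


def confusion(records: List[Record], verdict: Verdict) -> Tuple[int, int, int, int]:
    """Return (tp, fp, fn, tn); 'positive' means the message was blocked."""
    tp = fp = fn = tn = 0
    for r in records:
        blocked = verdict(r)
        if r.truth == "spam":
            tp += blocked
            fn += not blocked
        else:
            fp += blocked
            tn += not blocked
    return tp, fp, fn, tn


def rates(tp: int, fp: int, fn: int, tn: int) -> Tuple[Optional[float], Optional[float]]:
    """Detection rate (share of spam blocked) and false-positive rate (share of ham blocked)."""
    detection = tp / (tp + fn) if tp + fn else None
    fpr = fp / (fp + tn) if fp + tn else None
    return detection, fpr


def hourly_rates(log: List[Record], verdict: Verdict) -> Dict[str, Tuple[Optional[float], Optional[float]]]:
    """Bucket the log by hour and score each bucket on its own."""
    buckets: Dict[str, List[Record]] = defaultdict(list)
    for r in log:
        buckets[r.ts.strftime("%Y-%m-%d %H:00")].append(r)
    return {h: rates(*confusion(rs, verdict)) for h, rs in sorted(buckets.items())}


def worst_hour_detection(log: List[Record], verdict: Verdict) -> Tuple[str, float]:
    """The hour with the lowest detection rate: the figure that matters in a crisis."""
    scored = [(d, h) for h, (d, _) in hourly_rates(log, verdict).items() if d is not None]
    d, h = min(scored)
    return h, d


def report(log: List[Record]) -> Dict[str, dict]:
    """Period average versus worst hour, per engine."""
    out: Dict[str, dict] = {}
    for name, verdict in ENGINES.items():
        detection, fpr = rates(*confusion(log, verdict))
        hour, worst = worst_hour_detection(log, verdict)
        out[name] = {"detection": detection, "fpr": fpr,
                     "worst_hour": hour, "worst_hour_detection": worst}
    return out


if __name__ == "__main__":
    for name, m in report(SAMPLE_LOG).items():
        print(f"{name:7s} period detection {m['detection']:.0%}  FPR {m['fpr']:.0%}  "
              f"worst hour {m['worst_hour']} at {m['worst_hour_detection']:.0%}")
```

On this constructed log engine A averages 67% detection over the trial but only 50% during the outbreak hour, which is the number a period average hides. The "A or B" ensemble reaches 100% detection, but its false-positive rate rises to 3 of 8 legitimate messages, above either engine alone, which is the trade-off described above. Replace `SAMPLE_LOG` with the labelled messages from your own one-week trial and the same functions report the figures the checklist asks for.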
An effective solution should provide superior dynamic detection, with low false positives, against today's threats, and tomorrow's as-yet-unknown threats. So I suggest you test a few solutions for yourself – I guarantee you will be surprised at the performance differences.