Carrier class email security recommendation

Joel M Snyder Joel.Snyder at Opus1.COM
Mon Apr 12 14:57:02 UTC 2010


 >I am in the process of sourcing for a carrier class email security
 >solution that will replace our current edge spam gateways based on open
 >source solutions. Some solutions that I am currently considering are
 >Ironport, Fortinet Fortimail, MailFoundry and Barracuda.

A lot of the answer depends on what you think of as "carrier class." 
Generally, I would consider a carrier-class device to have a couple of 
attributes that are different from a typical enterprise-class device:

Quarantine: carrier class: no (enterprise: maybe)
Per-user settings: carrier class: no (enterprise: maybe)
False positive rate: carrier class: very very low (enterprise: very low)
False negative rate: carrier class: low (enterprise: very low)
Performance: carrier class: critical (enterprise: important)

In other words, I think of a carrier-class product as something that 
sits in the mail stream and does a good job of blocking spam, but is 
set up so that no one needs to talk about it.  You don't want to get a 
stream of false-positive reports, but you are willing to let some spam 
through in order to avoid help desk calls.  The goal of this product is 
mostly to keep your mail servers happy, and as a secondary goal, to keep 
the users happy.

You could have a second level of anti-spam protection, something more 
Postini-esque, which is carrier-sized but has a lot more user 
interaction and user settings, for people who want to get premium 
anti-spam protection.  But that's more an enterprise product that scales 
up, which is subtly--but importantly--different from a carrier product.

We test anti-spam products for efficacy (essentially FP & FN 
performance), less so for performance.  If you are looking at Ironport, 
then you want to ask them about the Cloudmark anti-spam engine.  It is a 
"carrier-focused" engine, and you'll find that the pricing is MUCH 
better than their own engine once you get to large numbers of users.  In 
fact, I believe that they added the Cloudmark engine specifically to 
address queries like yours--people who like the product architecture, 
but are turned off by the licensing.  With Cloudmark inside, you get the 
same product flow and features, but a less expensive engine good for 
large ISPs.

In terms of speed, the obvious feature to look for is reputation 
services.  This gives you an enormous savings.  Symantec used to offer a 
box based on Turntide, which was a standalone throttle for spam; I don't 
know if they have that as a standalone or not, but if they do, I'd 
recommend something like that.  You may be able to roll your own as well 
fairly easily since there's no MTA to worry about.

The win with reputation services is fantastic.  For example, I did a 
test with a Crossbeam box and Trend a while ago 
(http://www.opus1.com/www/whitepapers/crossbeam-perf.pdf) and we were 
getting a steady-state 600 messages/second without reputation filtering; 
with reputation filtering, about 1645 messages/second.  That's using 
MAPS RBL+, which is a low-risk reputation service.   Plug in a service 
like Spamhaus or Ironport's SenderBase, and you would get closer to 2500 
messages/second (about 200 million messages/day).

Based on our testing, for a carrier-class deployment, I'd recommend 
looking at Ironport+Cloudmark, Trend, and Tumbleweed (now Axway).  There 
are other good products (Proofpoint, for example, turns in great scores 
as does Sophos), but performance-wise they may not be able to scale up 
to the kind of load you're talking about when you say "Carrier Class."

Feel free to contact me offline if you need more observations, etc.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms



