Friday, December 25, 2009

Section C.6.  Content Scanners









C.6. Content Scanners


Antispam and antivirus are the two popular solutions in the content scanner area. Most are available on the server side; a few antispam and antivirus solutions are available on the client side as well. ClamWin, for instance, is a free antivirus checker that is available as an Outlook plug-in, and SpamBayes is an Outlook plug-in for spam control.


Most email clients in the open source arena are being designed and developed with antispam solutions built in. For example, Thunderbird has a naïve Bayes classifier for identifying spam that works well.


Antispam and antivirus software can be used independently if an enterprise has an email server solution already in place.


Antispam software integrates with either email servers or email clients to provide an effective means to block spam. For enterprise use, antispam software that works on the server side is recommended, as it is easier to manage and deploy.


Most open source antispam software tends to be immature, since blocking spam became necessary only in the last few years. However, the open source community has risen to the challenge of spam and has begun to provide software that is more effective in rescuing a user's mailbox from the brink of disaster. Various methodologies of spam detection are currently being tested, including Bayesian filtering and collaborative filtering. The best antispam control software uses a combination of these features.



C.6.1. Antivirus Software


We define antivirus software as software that integrates with email servers to provide an effective means to block or quarantine incoming email compromised by viruses. Open source virus detectors and blockers tend to be uncommon because of the need to keep the virus signature database up-to-date, but recently the open source community developed technology that reports new viruses in the wild. Again, a variety of techniques is being pioneered in various projects. Clam AntiVirus follows the standard "detect by virus signature," and MIMEDefang has extensible mechanisms to detect suspect email. Some antivirus software can also function as antispam software.




C.6.2. Content Scanner Capabilities


Basic features of email content scanners include:



Header analysis


The ability to detect inconsistencies and discrepancies in email headers that are usually indicative of spam.


Text analysis


The ability to analyze the full text of an email to detect patterns that indicate that the email is spam.


Learning classifier


The ability to improve header and text analysis over time, by learning what messages a user marks (or unmarks) as spam.


Blacklist and whitelist support


The ability to support and manage a list of senders whose messages should never be considered spam (whitelist) and a list of senders whose messages should always be considered spam (blacklist). These lists can be a combination of lists indicated by the user, or those downloaded from external authorities, such as real-time blackhole lists (RBLs).


Real-time scanning


The ability to scan a message in real time and to keep up with email volume without introducing delays in delivering email.


Frequently updated database


A message signature database for antivirus software, and the database of rules to identify spam for antispam software.


MTA/MDA integration


Well-supported, documented integration with major email servers; for example, Sendmail support (via milter).
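
To show how header analysis, text analysis and whitelist/blacklist support combine into one verdict, here is an added example (not from the original text and not code from any product named here). The rule names, weights, threshold, addresses and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lists, rules and weights; a real scanner loads these from its rule files.
WHITELIST = {"alice@example.com"}
BLACKLIST = {"promo@bulk.example"}
THRESHOLD = 5.0
TEXT_RULES = [  # text analysis: (rule name, body pattern, weight)
    ("MONEY_TERMS", re.compile(r"\b(?:wire transfer|lottery|inheritance)\b", re.I), 2.0),
    ("RAW_IP_URL", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), 1.5),
]

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def header_tests(msg):
    """Header analysis: score missing or mutually inconsistent headers."""
    hits = []
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(sender):
        hits.append(("REPLYTO_DOMAIN_MISMATCH", 2.0))
    for name in ("Message-ID", "Date"):
        if not msg.get(name):
            hits.append(("MISSING_" + name.upper().replace("-", "_"), 1.5))
    return hits

def scan(raw):
    """Return (verdict, score, names of the tests that fired)."""
    msg = message_from_string(raw)
    # From is sender-controlled: a list keyed on it is only as strong as upstream sender checks.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in WHITELIST:
        return ("ham", 0.0, ["WHITELISTED"])
    if sender in BLACKLIST:
        return ("spam", THRESHOLD, ["BLACKLISTED"])
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    hits = header_tests(msg) + [(n, w) for n, rx, w in TEXT_RULES if rx.search(body)]
    score = sum(w for _, w in hits)
    return ("spam" if score >= THRESHOLD else "ham", score, [n for n, _ in hits])

SAMPLE_SPAM = ('From: "Bank" <support@bank.example>\nReply-To: claims@other.example\n'
               "Subject: Your inheritance\n\n"
               "Confirm the wire transfer today: http://192.0.2.10/claim\n")  # constructed

if __name__ == "__main__":
    print(scan(SAMPLE_SPAM))
```

A message that trips only one test stays under the threshold, so the verdict depends on several independent signals agreeing.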




C.6.3. Clam AntiVirus


Clam AntiVirus is a powerful antivirus software program and toolkit that integrates with most popular email servers for scanning attachments.



C.6.3.1 Product strengths

  • It features a virus database that is kept up-to-date and is easy to update automatically via the Internet.

  • It features a toolkit that makes virus scanning capability available for software development.




C.6.3.2 Product weakness

  • It is not tightly integrated with Microsoft Exchange.





C.6.4. ClamWin


ClamWin is the Clam AntiVirus product with a graphical user interface. It runs on Microsoft Windows and gives the email client the same basic virus scanning functionality that Clam AntiVirus provides for the email server.



C.6.4.1 Product strength

  • It offers full integration with Clam AntiVirus's virus database.




C.6.4.2 Product weakness

  • It does not include an on-access real-time scanner.





C.6.5. SpamAssassin


SpamAssassin is the de facto choice for spam detection and control in open source circles. It uses many sophisticated techniques to identify and label spam. Labeled spam can then be filtered and/or deleted by email readers. It has a learning classifier that gets more precise with detecting spam over time, and it is designed for integration with email servers that handle large volumes of email.



C.6.5.1 Product strengths

  • It features a wide variety of local and network tests to identify spam signatures. There is no single test that spammers can identify and circumvent.

  • It is easy to extend, since rules, weights, and user-configurable options are in text files.

  • It integrates with all major message transport agents, including Microsoft Exchange.

  • It integrates with many popular distributed hash databases that store spam signatures, such as Vipul's Razor, DCC, and Pyzor.

  • SpamAssassin technology is built into many commercial antispam products.




C.6.5.2 Product weakness

  • Users need to implement at least a client/server configuration for good performance.





C.6.6. SpamBayes


SpamBayes does for email readers what SpamAssassin does for email servers. It is a Bayesian classifier that provides a web-browser-based interface that allows an end user to instruct SpamBayes how to classify incoming email as spam or not.



C.6.6.1 Product strengths

  • It learns very quickly how to classify your email properly, and it improves over time.

  • It works on Microsoft Windows and has an easy-to-use web interface for learning and classification.

  • It provides a plug-in for Microsoft Outlook.




C.6.6.2 Product weakness

  • It offers no initial spam training set.
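
The learning behaviour described for Bayesian classifiers, including the effect of starting with no training set, can be seen in a small added example (not from the original text, and not the algorithm used by SpamBayes or Thunderbird). It is a simplified naive Bayes over token presence; the class name, tokenizer and training messages are constructed.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Per-user token statistics; starts empty, like a filter shipped with no training set."""

    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}  # messages containing each token
        self.msgs = {"spam": 0, "ham": 0}                    # messages trained per class

    @staticmethod
    def tokenize(text):
        return set(re.findall(r"[a-z0-9$']+", text.lower()))

    def train(self, text, label):
        """The user marks a message as 'spam' or 'ham'."""
        self.tokens[label].update(self.tokenize(text))
        self.msgs[label] += 1

    def untrain(self, text, label):
        """The user unmarks a message: remove exactly what train() added."""
        self.tokens[label].subtract(self.tokenize(text))
        self.msgs[label] -= 1

    def spam_probability(self, text):
        """P(spam | tokens present), Laplace-smoothed; 0.5 means no evidence either way."""
        log_odds = math.log((self.msgs["spam"] + 1) / (self.msgs["ham"] + 1))
        for tok in self.tokenize(text):
            p_spam = (self.tokens["spam"][tok] + 1) / (self.msgs["spam"] + 2)
            p_ham = (self.tokens["ham"][tok] + 1) / (self.msgs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training messages standing in for a user's marked mail.
TRAINING = [("cheap pills online", "spam"), ("cheap watches online", "spam"),
            ("lunch meeting tomorrow", "ham"), ("project meeting notes", "ham")]

def trained_filter():
    f = BayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f

if __name__ == "__main__":
    print(BayesFilter().spam_probability("cheap pills"))    # untrained filter
    print(trained_filter().spam_probability("cheap pills"))
```

Because every score comes from what the user has marked, a fresh filter returns 0.5 for any message until it has seen examples of both classes.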










