Most enterprises have some type of messaging security in the form of spam and virus filtering. When installing a new or replacement messaging-security system, key areas to pay
attention to are performance, user experience, and management and operational costs. Performance is generally easy to manage. Aside from simply having enough hardware to do the job, there
are three keys to keep performance up to par.
First, some sort of reputation-based filtering should occur early in the transaction, certainly before the entire e-mail has
been accepted by the messaging-security gateway. This single step will block 50% to 75% of incoming messages in a typical
enterprise, giving a dramatic reduction in total load. Proper use of good reputation-based filtering products has an almost
vanishingly low false-positive rate -- far lower than the antispam engines themselves.
New! Watch this Network World Webcast - Security Information Management Solutions: Beyond Threat Management
If reputation-based filtering is done properly, it also results in only detectable false positives, because the sender gets
notification from his own mail gateway that the message was blocked. This allows for quick remediation and is preferable to
a typical antispam/antivirus false positive, where the message goes into a black hole and is unlikely to be discovered. Antispam
engines that can return their verdict before the message is fully accepted are even better, but for performance reasons this
is not yet a common strategy.
A second performance optimization is to make sure the messaging-security gateway has access to the directory of legitimate
e-mails, either through dynamic lookups or a regular transfer of directory information to the gateway. By accepting only e-mail
for existing users, the system performance is again increased.
Establishing ties between your messaging-security measures and your e-mail directory also solves the problem of what to do
with messages that have been wrongly addressed. If they're simply dropped, then legitimate correspondents won't know that
their messages were never received.
But if they're placed into a queue to be returned, the load of attempting to bounce misaddressed and spam e-mail will quickly overload even the largest systems. Some enterprises have been reluctant to deploy directory information
to the edge because of a misguided belief that this measure aids attackers in directory attacks. In fact, protecting against
such attacks is easily done, and all enterprise-class products have had this feature for years.
