RE: Curt Monash post on anti-spam -- False positives are NOT acceptable

Over on Curt Monash's ComputerWorld blog is a post in answer to my recent blog about Postini and how I think that offsite filters are the way to go.

He makes some valid points; however, I think that he misses the mark on how many false positives are acceptable. The simple fact of spam filters is that the fewer false positives they grab, the less spam they are catching as well.

It's a balancing act that filters have to perform: keep in front of the spammers' changing signatures while still allowing valid emails through. I don't have enough hard data based on experience to make a good estimate, but as far as I can see, the false positives of the Postini system, even when ratcheted up to all 5s on the filter tolerance, are much less than 1%, which is what I meant when I said low.

I will recognize that for people who get 100s of spam emails a day, false positives are a big annoyance, as it can take some time to browse through that many headers and addresses to figure out if any are valid emails that they want/need to read.

However, this is not the norm. Most people get at most 10-50 spam mails a day, so looking for false positives is not a time-intensive chore. My personal email address is posted on the web in several places and that's about the level of spam that I get, for instance.

Also, Postini gives the user control over their spam filter settings, allowing them to set up their email "whitelists" and even the general tolerance of the filters.

His other comment that I wanted to touch on is that he doesn't feel that it's a value add to stop spam from entering into the corporate network at all.

He tries equating email security with other sorts of security like network security. It's not. Sure, it's possible to have a firewall outside your network that filters traffic before it gets to your own firewall, but internet traffic is time sensitive and putting that sort of buffer in place will affect how the internet and web perform for your users.

Email is not as time sensitive. An additional 10 seconds to the trip time of an email isn't going to be noticed by anyone.

In the last 60 minutes, as I write this, we have had 45 emails delivered, 149 quarantined as spam and 4 quarantined as viruses. Given that most emails are around 1-10kb, that might not seem like a lot of traffic, but we only have 40 people here. Magnify that by 100 where you have 4000 people on an internet pipe of let's say 3 meg/sec. Don't laugh, it's more common than you think.

Now instead of 149-1490kb per hour you are talking about 14900-149000kb per hour. Might not sound like a lot if you do the math and divide by 3600 to get kb/sec, but that's a chunk of your bandwidth that you are losing every day hour after hour.

To give you a better picture, in the last 24 hours Postini has quarantined 27mb worth of emails. That's 320 bytes/sec of traffic that is saved on our network. Not a lot, but again think of a larger organization that is getting hit by 100 times the spam.

Do you really want to let all that wasted bandwidth enter into your network?

What about the messages that are infected with viruses? How confident are you that your gateways and servers will catch all of those? A few months ago, before Postini was running their new zero-hour AV engine, we had a whole bunch of virus-infected emails get through both Postini and our internal engines. Postini runs McAfee and we run Symantec, so neither service was able to catch this new virus variant.

Do most companies run multiple layers of antivirus on their mail systems? Not that I've seen.

That right there should be enough of a value add to use Postini. The amount of complexity that it adds to manage multiple email gateways running different antivirus vendors is not small. Even for an organization with a dedicated email/gateway expert, this adds a lot of unnecessary complication to the email system. Also, some gateways strip off external SMTP sessions so troubleshooting routing of emails becomes problematic at best.

At any rate, outsourcing of email filtering is, in my mind, a no-brainer. And take it from me personally: I don't recommend products unless they work and work well.

Services like those provided by Postini give organizations a simplified, robust way to drastically cut back the amount of spam and virus-infected emails that they get. The payoff is immediate.

I would say that any IT manager or CIO that doesn't use one of these services is doing a great disservice to their customers, but that's just my opinion.

Thanks to Curt for his comments and starting a fruitful conversation. It certainly got me thinking more about the subject.
