Policy Patrol Spam Filter
Reviewed by: Mark Goldstein, April 2005
Published by: Red Earth Software
Requires: Windows 2000 Professional or (Advanced) Server, Windows XP Professional or Windows Server 2003, Microsoft Exchange 2000, 2003 or 5.5, Lotus Domino or other mail server; Microsoft .NET Framework 1.1 (if you do not have this installed you can download Policy Patrol with the .NET Framework)
MSRP: US$325.00 (10 user license; many license bundles available)
If e-mail spam is not now the scourge of the Internet, it will be soon. According to the latest surveys, 75% of all e-mail is spam or spam-related, and the percentage is rising every month. Unwanted, unrequested, lurid and dangerous spam clogs Inboxes everywhere. For home and SOHO computer users, reliable spam filtering depends on the use of MailWasher, new anti-spam tools for Outlook, and a number of other reliable third-party programs. But for small to medium businesses (SMBs) and larger enterprises which use central e-mail servers, control of spam must always be a matter of enforcing company policy. To that end, products such as the Policy Patrol Spam Filter have been developed. The product offers advanced anti-spam protection using Bayesian filtering, header and keyword analysis (including word pattern matching), RBLs, SURBLs, checks for illegal HTML and remote images, and more. Spam messages can be quarantined or deleted, or tagged with a header. By blocking unwanted mail, Policy Patrol Spam Filter reduces network traffic, saves bandwidth and improves employee productivity. That, at any rate, is the theory.
Some definitions first. RBL stands for (depending on who you listen to) Realtime Blackhole List or Relay Blocking List. Either way, an RBL is a list. People who administer mail systems subscribe to RBLs presumably in order to block spam. Most mail system administrators also assume that they are blocking only spam, which is not always true. RBL operators do not promise accuracy, and frequently they say that their lists are not intended for mail blocking or suitable for anything. Okey-dokey. SURBL stands for Spam URI Realtime Blocklist. SURBLs differ from RBLs in that they are used to detect spam based on the Uniform Resource Identifiers (URIs, also known as URLs, usually web sites) found in message bodies. Unlike most other RBLs, SURBLs are not used to block spam senders; instead, they allow you to block messages that mention known spam hosts in their bodies. Policy Patrol was the first Exchange Server spam filter add-on to provide support for SURBLs.
In order to do its work, Policy Patrol uses a number of techniques to check messages before they're allowed onto a mail server. Bayesian filters calculate the probability of a message being spam based on its contents. Unlike comparatively simple content-based filters, Bayesian spam filtering learns from spam and from good mail, resulting in a robust, adaptive and efficient anti-spam approach that returns very few false positives. Bayesian spam filters build their own unique lists. Policy Patrol's RBLs and SURBLs are frequently updated automatically to make sure your installation has the latest definitions. In addition to these three methods, the software also performs keyword filtering, checks e-mail headers for certain kinds of language and IP addresses, and can quarantine or delete anything it doesn't like.
Policy Patrol offers several other less conventional methods of spam filtering, including language checking and, most important lately, detection of and protection from Non-Delivery Report (NDR) spam attacks. NDR attacks are very sneaky and depend on a design 'flaw' in Exchange Server. By default, Microsoft Exchange Server accepts all messages received via the SMTP protocol. But if Exchange is unable to find the recipient within your e-mail system, the message is automatically returned to the sender with a non-delivery report (NDR). NDR attacks occur when a spammer deliberately sends a large number of e-mails to a non-existent address at your company, with the intended spam victim's e-mail address forged as the reply-to. Your mail server dutifully returns everything to the sender, thereby unwittingly spamming the reply-to address. Microsoft's approach has been turned into a potential security threat because the sender's address is not checked: a malicious sender may set any address as the reply-to. If a spammer deluges enough Exchange servers with messages that all carry the same reply-to address, the server at that address will either crash or slow to a crawl. As anti-spam activities around the world expand, spammers are inventing new ways of sending unsolicited mail. NDR attacks allow spammers to bypass many server-side and client-side spam filters, but Policy Patrol seems to have the problem licked.
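One defender-side way to recognise the receiving end of such an attack, as an added example that is not Policy Patrol's code: treat a bounce as suspect when the original message it returns carries a Message-ID that your own gateway never sent. The sample bounce and the set of sent IDs below are constructed.

```python
import email

# Constructed sample bounce (DSN). The "original" it returns was forged in
# victim@example.net's name by a spammer; example.net never sent it.
SAMPLE_NDR = """From: postmaster@mail.example.com
To: victim@example.net
Subject: Undeliverable: Cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

From: victim@example.net
To: nobody@example.com
Subject: Cheap meds
Message-ID: <spam123@forged.invalid>

buy now
--B1--
"""

# Message-IDs this gateway actually relayed outbound (constructed sample;
# a real deployment would keep these from its own outbound mail log).
SENT_IDS = {"<real-20050401@example.net>"}

def is_dsn(msg):
    # RFC 3464 bounces are multipart/report with report-type=delivery-status
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")

def returned_message_id(msg):
    # The bounced original travels as an embedded message/rfc822 part
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0].get("Message-ID")
    return None

def classify_bounce(raw, sent_ids=SENT_IDS):
    msg = email.message_from_string(raw)
    if not is_dsn(msg):
        return "not-a-bounce"
    mid = returned_message_id(msg)
    if mid is None:
        return "bounce-without-original"  # cannot be matched; needs another check
    return "legitimate-bounce" if mid in sent_ids else "backscatter"
```

A bounce classified as backscatter can be quarantined without touching genuine delivery failures for mail you really sent.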
SURBL lists are used to check URLs contained in the body of e-mail messages. Even if spammers try to bypass heuristic and Bayesian filters by replacing message text with images or by simply including very little text, they still need to include a URL. Checking URLs against a list of known spammer domains provides protection and can be successful where other filtering methods fail. SURBL lists require very little administration, are constantly updated and fine-tuned and most of them are free to use. SURBLs also provide specific protection against the growing problem of phishing since the lists include domains of known phishing sources.
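As an added example (not Policy Patrol's code) of how a SURBL check works: pull each URL out of the message, reduce its host to the registered domain, and look up `<domain>.multi.surbl.org`, where an answer in 127.0.0.x means the domain is listed. The DNS answers here come from a constructed stub, and the two-label domain reduction is a simplification of the real rule.

```python
import re
from urllib.parse import urlparse

SURBL_ZONE = "multi.surbl.org"   # SURBL's combined-list DNS zone
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

# Constructed stand-in for DNS: a listed name answers 127.0.0.x, an
# unlisted one does not resolve. A real deployment would query a resolver.
STUB_DNS = {"badpharma.example." + SURBL_ZONE: "127.0.0.8"}

def stub_resolve(name):
    return STUB_DNS.get(name)

def base_domain(host):
    # Simplification: SURBL publishes a list of two- and three-level TLDs
    # (e.g. co.uk) to decide how many labels form the registered domain.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def surbl_query_name(url):
    host = urlparse(url).hostname or ""
    return f"{base_domain(host)}.{SURBL_ZONE}"

def listed_domains(body, resolve=stub_resolve):
    # Returns the listed registered domains referenced anywhere in the body,
    # including inside image and link tags, which is why image-only spam
    # still gets caught.
    hits = set()
    for url in URL_RE.findall(body):
        name = surbl_query_name(url)
        answer = resolve(name)
        if answer and answer.startswith("127.0.0."):
            hits.add(name[: -len(SURBL_ZONE) - 1])
    return sorted(hits)

# Constructed sample body: one image, one listed link, one harmless link.
SAMPLE_BODY = ('<img src="http://cdn.example.org/pill.gif">'
               '<a href="http://www.BadPharma.example/buy?id=7">click</a> '
               'see http://docs.python.org/3/')
```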
Policy Patrol offers keyword filtering using case sensitivity and word scores, allowing you to combine scores found in the subject and body of a message to trigger a rule. The program also includes word pattern matching, enabling the program to find variations of words with one single regular expression. The product ships with sample filters with frequently used spam words and phrases (including regular expressions) which can be used to block unwanted messages. Since Policy Patrol removes all HTML tags before checking the e-mail text, the product is capable of successfully stopping spammers who try to circumvent spam filters by placing HTML comment tags within the text. Policy Patrol can also be configured to specifically check the HTML code, which can be useful for checking links and/or scripts.
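An added illustration of the scoring described above (not the product's own code): HTML comments and tags are stripped first, each rule is a regular expression with a score and a case-sensitivity flag, and subject and body scores are added together before comparing with a threshold. The rules and sample messages are constructed.

```python
import re

def strip_html(text):
    # Remove comments first so "vi<!-- x -->agra" is scored as the word it
    # spells, then replace remaining tags with a space.
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    return re.sub(r"<[^>]+>", " ", text)

# Constructed sample rules: (regex, score, case_sensitive). One pattern
# covers spelling variants such as "viagra", "v1agra" and "v!agra".
RULES = [
    (r"\bv[i1!]agra\b", 5, False),
    (r"\bfree\b", 2, False),
    (r"\bFREE!!!", 4, True),
]

def score_text(text, rules=RULES):
    # Each rule contributes its score once per match in the cleaned text
    clean = strip_html(text)
    total = 0
    for pattern, score, case_sensitive in rules:
        flags = 0 if case_sensitive else re.I
        total += score * len(re.findall(pattern, clean, flags))
    return total

def is_spam(subject, body, rules=RULES, threshold=6):
    # Subject and body scores are combined, so a mildly suspicious subject
    # plus a mildly suspicious body can trigger the rule together
    return score_text(subject, rules) + score_text(body, rules) >= threshold
```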
Finally, Policy Patrol provides straightforward tools to create your own whitelists and blacklists and can also automatically add e-mail addresses to these lists. The software can also be configured to send a notification message to every new sender informing them that they must resend their message with a preset code in the subject before it will be allowed through the filter. Known or suspected spam can be sent to designated folders for review, and Outlook rules can then be created to deal with certain messages. Also in conjunction with Outlook, Policy Patrol can apply a Spam Confidence Level (SCL) to a message, allowing Outlook 2003 to place messages with a certain SCL level in a separate spam folder. Rules can be applied to selected users and can have exclusions. Advanced user permissions can also be applied to each folder, allowing the administrator to offload tasks such as monitoring quarantined messages and updating whitelists and blacklists.
Policy Patrol Spam Filter works with Exchange 2003, 2000 & 5.5, Lotus Domino and many other SMTP mail servers. We tried it on Exchange 2003 and it worked like a champ.
Cons: Server connection must be opened every time you start the Policy Patrol administration console. Word and phrase filtering works reasonably well but isn't infallible. Rejecting RBL messages works well but the messages on your own blacklist must go through your e-mail server before you can take an action on them.
Pros: History file shows lists of all previously filtered messages. Flexible disclaimers for e-mail. Flexible content filter sorting. Bayesian analysis is an effective and proven spam filtering method. Easy to use and administer. Additional virus scanning as part of the Enterprise installation is excellent. Automatic alerts when Policy Patrol senses a DoS attack or a worm spreading on or from your network. Outgoing attachments can be compressed at the server. Remote administration is excellent. Policy Patrol works with any SMTP server on Windows 2000/XP, but it appears to be best suited to Exchange and Notes/Domino. If you're looking for a well-supported solution, Policy Patrol Spam Filter is worth a serious look. Recommended.
Letters to the Editor are welcome and occasionally abused in public. Send e-mail to: firstname.lastname@example.org