In today’s modern world of spam and malware filtering, I’m of the opinion it’s not always worthwhile running spam filtering software on-premise. Because of the load it can put on systems and your networks, the larger the company the less value in running it yourself.
First of all, let me give you a bit of background. Between 2004 and 2010 I spent a lot of time working with on-premise solutions which processed hundreds of thousands of clean mail each day and deflected many orders more spam. During that time I had to understand a lot about where spam and associated malware comes from and what techniques work well against it. By 2010 the kind of effort required to keep up with the above was something I particularly found resource intensive, even though much of it I was delegating to my team. So around that time, I decided it just wasn’t worth it and outsourced mail scanning to the cloud – and never looked back.
Working as a TA these days I see the same decisions made elsewhere and these days it really is the exception rather than the rule when I see a customer who is running on-premises mail scanning software at the edge.
With that in mind, it’s interesting to see that GFI, who have long been a leader in the market for on-premises spam and malware scanning software with GFI MailEssentials, move to offer a cloud-based solution to compete, primarily in the SMB market. GFI got in touch with me about a month ago and asked me to give their new product, GFI MailEssentials Online a spin and share my thoughts…
I’ve worked with a number of cloud-based mail scanning solutions in the past – working on projects to migrate to them from on-premises systems, moving between different solutions and, during Exchange Server migrations, cutting mail over between the old and new systems.
A common theme with some of these solutions is that the user interface isn’t very intuitive and all of these products (e.g. Websense/Black Spider, Postini and FOPE) are very capable in terms of what they can do, but for your average IT administrator settings are found all over the place. If you’re not logging into the interface very often, it’s almost as if you’ve got to learn the interface from scratch. I’ve witnessed customers who have used their provider for years struggle to find basic settings through no fault of their own – the systems can be a right mess.
That’s where GFI seem to have got things right from the outset – the interface reflects that it’s not a dated offering where new features have been thrown in as time has gone on; it’s fresh, clear and concise and not once did I need to refer to the actual documentation to accomplish anything. If you’ve ever had to work with policy rules or set up directory synchronization in FOPE, for example, you’ll see that this is a breath of fresh air.
In terms of features – again I am impressed. We know that for the SMB market, GFI have over a decade of experience with the on-premise MailEssentials product so we know it’s going to be capable, but I wasn’t expecting to see the option to use features like greylisting, which I think is particularly effective in the fight against spam.
Getting Started and Setup
I signed up for a trial via the GFI website, and within a few minutes was granted access to the Administrator portal. Like most other solutions, a dashboard greets the admin with statistics shown for areas such as spam volume:
The first thing you need to do is add a new domain, and configure its services. As I mentioned above – it’s actually very intuitive. I was asked for the domain name, and the primary mail server to list – perfect for the SMB market:
After adding the domain, we’re then led to the domain management section of the Administrative portal, which allows us to configure the spam filtering service for the domain itself. First of all, we’ve got an “aggressiveness level”. This can at a high level be compared to the built-in anti-spam features within Exchange, where blocking and quarantine levels can be specified based on score. You’ll also see configuration options for dealing with unknown users, and the ability to switch on or off the greylisting features.
One area most administrators are familiar with is making sure certain senders – such as partner companies – can send mail without being scanned both inbound and outbound. GFI call this “Whitelisting”, though personally I prefer the term “Safe Senders” as used within the Outlook client. From, To, Subject and mail server IP addresses can be specified here:
Another common area where control over blocking is required is attachment type. Many forms of attachment are blocked, some to ensure that end-users cannot bypass web filtering to get access to executable files, and more commonly to ensure that malware is very unlikely to reach internal recipients. Yep, you can scan messages for known viruses, but there is a pretty big gap between a new form of malware appearing and definition updates being produced by most anti-virus companies. Therefore blocking executables (or exes renamed to a different file extension) from being received in the first place is extremely helpful.
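The point about renamed executables, as an added example (not part of the original review and not GFI's implementation): a Python filter that inspects each attachment's content for a Windows PE header instead of trusting the filename. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative list only; a real policy would be site-specific.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def blocked_attachments(raw: bytes):
    """Return [(filename, reason)] for every attachment that should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if looks_like_pe(payload):
            # Content wins over the name: catches an exe renamed to .pdf, .txt, ...
            hits.append((name, "executable content"))
        elif ext in BLOCKED_EXTENSIONS:
            hits.append((name, "blocked extension"))
    return hits

def build_sample() -> bytes:
    """Constructed test message: a PE stub named invoice.pdf, a PDF, a .bat file."""
    pe_stub = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
               + b"PE\x00\x00" + b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"echo hi\r\n", maintype="application",
                       subtype="octet-stream", filename="setup.bat")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

The check covers top-level attachments only; executables inside archives or nested messages would need those containers unpacked first.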
Finally, in the basic setup we can add additional inbound mail servers, and of course make a note of the records we’ll need to change later on to switch MX records over from our on-premises mail server to the GFI service:
There’s a couple of reasons why you’d wish to synchronize your local directory with your online service. First of all, there’s the ability to block unknown email addresses at the “edge” and prevent any attempt to deliver them to your local Exchange server. Secondly, it’s needed if you wish to give end users access to the spam quarantine so they can release messages themselves.
Typically, there are two ways to accomplish this – first is via a dedicated on-premise piece of software that sits behind the perimeter network and reads the local Active Directory or Exchange organization information and synchronizes that data to the mail scanning solution, and the second is by the mail scanning solution initiating a connection to the on-premises Active Directory or other LDAP directory.
Personally, my preferred approach is the former, as larger enterprises especially tend to deploy dedicated DMZ networks and are not able or willing to allow an external internet-based source to connect to their on-premises directory. However the downside is that the on-premises sync tool often requires some maintenance and occasional troubleshooting.
GFI’s approach is to use the LDAP-based approach, which for the target market – small and medium enterprises – seems most appropriate as it’s low maintenance and requires minimal time and effort to keep running.
The configuration is fairly straightforward; once you have allowed GFI’s IP address ranges to contact an Active Directory domain controller (via port 636, if you want to ensure traffic is encrypted), GFI provide a wizard-driven interface to enter your server details:
After entering server details, you are able to test the configuration to ensure that it is indeed valid.
And finally, it gives an overview of the users it plans to create accounts for within the GFI service:
To be honest, it couldn’t get more straightforward. Another thing I did check was that it could handle more than just mailboxes – for example in my example organization, I’ve got mailboxes hosted on Office 365 and it imported these also without any issue.
A key area most administrators in companies large and small are interested in is the reporting facilities that a product offers. Being able to demonstrate that a product is working is very important when the time comes to prove that it’s been a valuable investment.
So GFI’s product certainly delivers in this area. I’m not a big fan of reports myself so I don’t get all that excited about them – and based on my demo experience, I haven’t been able to generate enough traffic to generate something worth showing, but suffice to say the facility is there and on a par with competitors:
The second type of reporting is message tracking reports – essential for troubleshooting delivery issues and verifying that a message was or wasn’t delivered. I can definitely say that the product delivers in this area – and is equal to or better than most other competitors – for example compared to FOPE it’s a lot easier to use, a bit more flexible and shows an equal amount of information:
Policy rules are an area that bigger customers I deal with do use and some find essential. The kind of things policies can do include:
Profanity rules and exceptions; for example engineering terms that double as mild swearwords, or a pharmaceutical company wanting to ensure that messages containing references to certain prescription medicine aren’t blocked.
Confidentiality rules; for example to ensure that key terms or patterns are not sent outside the organization – such as credit card numbers.
Encryption rules; for example to ensure that TLS is enforced between particular domains.
This is one area where, just yet, GFI aren’t offering extensive functionality. However I don’t see these kinds of features being used extensively in the small and medium business sectors, so it’s not in my opinion a big issue. For the most part this functionality can be used in Exchange itself using Transport rules or whitelisting domains or senders within the GFI service. In regards to TLS, GFI have confirmed opportunistic TLS (i.e. if the recipient domain supports it, TLS will be used) can be switched on if a customer requires it.
Overall, I’m pretty impressed with the GFI MailEssentials Online service. It doesn’t feel like a “new” offering and it’s clear that the service is based upon experience elsewhere, possibly the many years offering similar products like the on-premises product.
I also think there is a great opening for MailEssentials for the SMB market looking to move/migrate from services with an uncertain future – like Webroot, who are closing their email protection service. It will be interesting to see if this good timing pays off, and to be honest I hope it does.