May 2010 IT Business Consulting Newsletter

Got Spam?

Continuing with Spam Filters – Your Q & A!

By Tom K

This month’s newsletter WAS to discuss protecting your IT environment through enterprise control and monitoring of Microsoft Updates. That is just as critical to your environment’s well-being as the antivirus protection for servers, PCs, and email discussed in earlier issues.

But… I received so many questions concerning Spam protection from last month’s newsletter "Got Spam? Eradicate Spam and Email Viruses BEFORE they get to Your Environment!", that I feel obligated to answer your questions and provide the requested detail. This newsletter is really for you, and you asked! So…

In this month’s newsletter I answer YOUR questions concerning enterprise Spam filters and clear up some misconceptions.


Many of the questions can be answered more easily once we understand the basics of Spam Filters, or “How does it work?”

A Spam Filter grabs a piece of mail and runs it through a series of about 20 different tests, starting with the easiest (cheapest) test and ending with the most complex. As soon as an email fails a test, it gets processed (usually killed) and the filter moves on to the next email; the remaining tests are never run on it. The sooner the filter can remove an email from testing, the fewer resources it spends on that email. That ordering is what keeps overall throughput up, which is critical when handling 200K emails/day and expecting near-zero latency!

The easiest tests check the email “header” (think snail-mail envelope): where it came from, how it is formatted, whether it complies with standard mail delivery rules, where its links point the user, etc. The next level of tests looks at the actual content of the email, and after that at any attachments; both of those are resource intensive.

Many of the Spam tests are decision based: the device has to decide whether an email is Spam or not based on its understanding of what you consider Spam. The person managing the device tells it how conservatively (let more Spam through to avoid killing good mail) or how aggressively (kill more Spam, at a higher risk of killing good email) the Spam Filter should behave.

The Virus tests are much more “black and white”, with little decision processing involved: a virus definition either matches or it does not. But since the Virus tests usually require digging deepest into the email (into the attachments), they use the most processing resources. Since most of the Spam tests are cheap by comparison, most devices run all the Spam tests before running the Virus tests.


The most common question asked by folks currently using Spam Filters is “The Spam Quarantine is a real pain. Is it really necessary?” Usually, it is…

Many emails are definitely Spam, many are definitely not Spam, and many may or may not be Spam. Because the device has to make decisions (and the administrator does not want to take full responsibility for killing what might be good email), the device gives the user the opportunity to review the emails it is least confident about (its Grey Area). If the administrator is very familiar with the users and the company’s business and can devote the time, she can tune the device to shrink the grey area and reduce the number of emails sent to Quarantine. Also, the better Spam filters learn what each user thinks is Spam by keeping track of what the user does with the emails in their Quarantine, and shrink their grey area automatically.
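The grey area and its tuning, as an added example that is not part of the original newsletter and not any appliance’s code: a spam score summed from a handful of assumed weighted tests, two administrator-set thresholds (deliver below one, kill at the other, quarantine in between), and a feedback rule that shrinks the quarantine band based on what users do with their quarantined mail. All weights, thresholds, the learning rate and the feedback events are assumed/constructed.

```python
"""Grey-area quarantine: two thresholds on a spam score, tuned by the admin
and by what users do with their quarantined mail.

Added illustration for this newsletter, not any appliance's algorithm.
The feature weights, thresholds, learning rate and sample events are all
assumed/constructed here.
"""
from dataclasses import dataclass

# Assumed weights for a few decision-based tests. Positive = looks like spam,
# negative = looks like legitimate mail. A real filter has many more.
WEIGHTS = {
    "subject_all_caps": 2.0,
    "many_exclamations": 1.5,
    "money_phrase": 3.0,
    "sender_not_in_addressbook": 2.0,
    "known_correspondent": -3.0,
    "html_only_body": 1.0,
}


def spam_score(features):
    """Sum the weights of the tests that fired on a message."""
    return sum(WEIGHTS[f] for f in features)


@dataclass
class QuarantinePolicy:
    deliver_below: float = 3.0   # score below this goes straight to the inbox
    kill_at: float = 8.0         # score at or above this is dropped outright
    min_band: float = 1.0        # the grey area never shrinks below this width
    learning_rate: float = 0.5   # how far a threshold moves toward each observed score

    def decide(self, score):
        """Below the band: deliver. At/above it: kill. Inside (grey area): quarantine."""
        if score < self.deliver_below:
            return "deliver"
        if score >= self.kill_at:
            return "kill"
        return "quarantine"

    def set_aggressiveness(self, deliver_below, kill_at):
        """Administrator tuning: a narrower band means fewer quarantined messages."""
        if not deliver_below < kill_at:
            raise ValueError("deliver threshold must be below kill threshold")
        self.deliver_below, self.kill_at = deliver_below, kill_at

    def learn(self, score, user_action):
        """Shrink the grey area from what the user did with a quarantined message.

        'release' (the user wanted it) pulls deliver_below up toward that score;
        'delete' (the user confirmed spam) pulls kill_at down toward it. Each
        threshold only ever moves so as to shrink the band, never to widen it,
        and never closer than min_band to the other threshold.
        """
        if user_action == "release" and score > self.deliver_below:
            target = self.deliver_below + self.learning_rate * (score - self.deliver_below)
            self.deliver_below = min(target, self.kill_at - self.min_band)
        elif user_action == "delete" and score < self.kill_at:
            target = self.kill_at - self.learning_rate * (self.kill_at - score)
            self.kill_at = max(target, self.deliver_below + self.min_band)

    def band_width(self):
        return self.kill_at - self.deliver_below


def apply_feedback(policy, events):
    """Replay quarantine events; only mail that actually landed in quarantine teaches the policy."""
    for features, action in events:
        score = spam_score(features)
        if policy.decide(score) == "quarantine":
            policy.learn(score, action)
    return policy


# Constructed quarantine events: (tests that fired, what the user did with it).
FEEDBACK = [
    (["sender_not_in_addressbook", "subject_all_caps"], "release"),                      # score 4.0
    (["sender_not_in_addressbook", "many_exclamations", "html_only_body"], "release"),    # score 4.5
    (["money_phrase", "sender_not_in_addressbook", "subject_all_caps"], "delete"),        # score 7.0
    (["money_phrase", "subject_all_caps", "many_exclamations"], "delete"),                # score 6.5
]

if __name__ == "__main__":
    policy = QuarantinePolicy()
    print("before:", policy.deliver_below, policy.kill_at, "band", policy.band_width())
    apply_feedback(policy, FEEDBACK)
    print("after: ", policy.deliver_below, policy.kill_at, "band", policy.band_width())
```

With these events the band starts at 3.0 to 8.0 and ends at 4.0 to 7.0: a message scoring 3.8 that used to be quarantined is now delivered directly, and one scoring 7.4 is now killed without bothering the user. The min_band clamp is what keeps conflicting feedback (one user releasing high-scoring mail, another deleting low-scoring mail) from driving the two thresholds past each other.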


Many readers questioned our numeric stats of emails containing Spam (94%) and Viruses (3%). They were surprised by the scope of the problem…

While these numbers are accurate (actually taken from the device logs every day), they are a bit misleading – on the conservative side. My belief (and that of most other experts) is that the percent of emails having Viruses is MUCH larger than listed in the device statistics. We believe that 15% to 25% of the emails tagged and killed as Spam would also be determined to contain Viruses if they made it to the Virus testing portion of the program. Since we don’t test beyond the first failure, these emails never make it into the Virus stats. If the test sequence were reversed (Viruses before Spam) and the estimates above are correct, we’d show that the “averaged” unprotected company with 20 mailboxes we discussed last month would actually have to fend off 1120 virus-infected emails EVERY DAY, while sifting through 2760 Spam emails to read their 120 valid emails. Kind of scary!
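The fail-fast pipeline from “How does it work?” and the ordering effect behind the virus statistics above, as an added example that is not part of the original newsletter and not any vendor’s product: a filter whose tests are ordered cheapest first and stop at the first failure, run over a constructed batch of five messages in both orders (Spam tests first, then Virus test first). The test names, relative costs, phrase and extension lists, and the sample messages are all assumed; the EICAR string stands in for a virus definition.

```python
"""Fail-fast filter pipeline: cheapest tests first, stop at the first failure.

Added illustration for this newsletter, not any appliance's code. The five
tests, their relative costs, the phrase/extension lists and the sample
messages are all constructed/assumed here; EICAR is the industry-standard
harmless antivirus test string.
"""
import itertools
import re
from collections import Counter
from email.message import EmailMessage
from email.utils import parseaddr

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BAD_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")                   # assumed list
SPAM_PHRASES = re.compile(r"free money|act now|click here", re.I)   # assumed list


def domain(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


# --- header tests (cheap: the "envelope") ---
def missing_headers(msg):
    """RFC 5322 requires From and Date; bulk mailers often omit Message-ID."""
    return any(msg[h] is None for h in ("From", "Date", "Message-ID"))


def return_path_mismatch(msg):
    """Envelope sender (Return-Path) domain differs from the From header domain."""
    rp = domain(msg["Return-Path"])
    return bool(rp) and rp != domain(msg["From"])


# --- content test (moderate) ---
def spam_content(msg):
    body = msg.get_body(preferencelist=("plain",))
    return bool(body and SPAM_PHRASES.search(body.get_content()))


# --- attachment tests (expensive: decode every part) ---
def executable_attachment(msg):
    return any((p.get_filename() or "").lower().endswith(BAD_EXTENSIONS)
               for p in msg.iter_attachments())


def virus_signature(msg):
    return any(EICAR in (p.get_payload(decode=True) or b"")
               for p in msg.iter_attachments())


# (name, relative cost, predicate); True from the predicate means "failed".
SPAM_FIRST = [
    ("missing_headers", 1, missing_headers),
    ("return_path_mismatch", 1, return_path_mismatch),
    ("spam_content", 5, spam_content),
    ("executable_attachment", 8, executable_attachment),
    ("virus_signature", 20, virus_signature),
]
VIRUS_FIRST = SPAM_FIRST[-1:] + SPAM_FIRST[:-1]


def filter_message(msg, tests=SPAM_FIRST):
    """Charge each test's cost in order; return (verdict, cost) at the first failure."""
    cost = 0
    for name, units, failed in tests:
        cost += units
        if failed(msg):
            return name, cost
    return "deliver", cost


def tally(msgs, tests):
    """Per-verdict counts and total cost, i.e. what the device log would report."""
    verdicts, total = Counter(), 0
    for m in msgs:
        verdict, cost = filter_message(m, tests)
        verdicts[verdict] += 1
        total += cost
    return verdicts, total


_ids = itertools.count(1)


def build(frm, return_path, body, attachment=None, message_id=True):
    """Constructed sample message; attachment is (filename, bytes)."""
    m = EmailMessage()
    m["From"] = frm
    m["Return-Path"] = return_path
    m["Date"] = "Mon, 03 May 2010 09:00:00 -0400"
    if message_id:
        m["Message-ID"] = "<%d@example.com>" % next(_ids)
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m


BATCH = [
    build("alice@example.com", "<alice@example.com>", "Still on for lunch?"),
    build("bob@example.com", "<bob@example.com>", "Hi", message_id=False),
    build("alice@example.com", "<bounce@mailer.invalid>", "Your account statement"),
    build("deals@offers.invalid", "<deals@offers.invalid>", "FREE MONEY, click here!",
          ("invoice.exe", EICAR)),
    build("carol@example.com", "<carol@example.com>", "Quarterly report attached.",
          ("report.zip", EICAR)),
]

if __name__ == "__main__":
    for label, order in (("spam first ", SPAM_FIRST), ("virus first", VIRUS_FIRST)):
        counts, cost = tally(BATCH, order)
        print(label, dict(counts), "total cost", cost)
```

Two messages in the batch carry the EICAR string, but with the Spam tests first the log shows only one virus (the other dies at the cheap content test, cost 7, and is never scanned), while with the Virus test first it shows two, at roughly half again the total processing cost (80 versus 118 cost units). That is the mechanism behind the under-count described above; the 15% to 25% figure itself is the newsletter’s estimate, not something the code derives.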


The last big question was “What’s the cost if I did decide to bring the solution in house?”

If you are bringing the solution in house, I recommend an appliance: it will be the most efficient, have the least impact on your environment, and appliances generally work quite well. The device I recommend costs $2000, plus $1249 for a 3-year virus/spam definition subscription, so your 3-year equipment and subscription cost is $3249. Figure about 2 hours/month for installation and management, so your 3-year labor cost is 72 hours times your staff’s loaded hourly expense.

That cost is about the same regardless of how many users you have, so a better question is “What’s my ROI (Return On Investment) if I bring the solution in house?” The more users you have, the better your ROI. The Outsourced Managed solution, at $2/user/month over 3 years, costs $7200 for 100 users, $5400 for 75 users, $3600 for 50 users, $1800 for 25 users, $1440 for 20 users, and $720 for 10 users. So, using the pricing above and “guestimating” your loaded labor costs, positive ROI begins around 70 users. To see where that number comes from: at 70 users the outsourced service costs $5040 over 3 years, which matches the in-house $3249 plus 72 labor hours only if your loaded labor cost is about $25/hour; a higher labor rate pushes the break-even point to more users, a lower one to fewer.


As always, if you have questions or comments concerning this article I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I will continue with the next layer of protection, discussing methods that will allow you to provide enterprise control and management of Microsoft Updates. Security holes in Microsoft products are a huge issue, and you need to be sure they are properly addressed on all of your devices. A free product (and a reasonable amount of maintenance) will provide you with the necessary level of control.
See "Centrally Manage Microsoft Updates Across Your Enterprise… For Free!"