After McAfee End of Life, What Size Antispam Provider Should You Switch To?

With Intel announcing the End-of-Life of McAfee SaaS Email Protection, it has been suggested that if you have a large number of mailboxes (let’s say 10,000 or more), you should only consider vendors cited in sources like the Gartner list. While that might be one valid consideration for some companies, it reminds me of the old saying from the 1970s: "You can't go wrong with IBM". It’s a way to play it safe with your management, but it may not give you the best protection or service for your particular business.

With Ted Green, CEO of Greenview Data and co-designer of SpamStopsHere.

Bigger is Not Always Better

The move to hosted services, combined with open-source tools like SpamAssassin*, has made it much easier for smaller players to enter the anti-spam market. That doesn't guarantee all vendors will be able to handle larger capacity customers, but vendors like us tend to be more agile than huge conglomerates and can scale up quickly to meet the volume of new customers. We can do so while still maintaining incredible filtering accuracy and personalized 24/7 service.

*Note: SpamStopsHere does not use SpamAssassin and does not rely on unpredictable methods like Bayesian Heuristics to filter out spam. It is built on our own proprietary algorithms and tools.

The approach to spam and virus filtering taken by large vendors like ProofPoint and huge hosting companies like Yahoo and Microsoft is completely different from that of a smaller company like us. That’s also true of technical and customer support, which can make a big difference in the security of your email.

You can replace your McAfee SaaS Email Protection with SpamStopsHere. For a limited time, we'll match your McAfee pricing and give you an additional 10% off during your first year of service. Click here for McAfee transition pricing details and a free trial.

IP Reputation Blacklisting

To filter for millions upon millions of mailboxes, big providers need to be very efficient. For one, they rely heavily on aggressive “IP reputation” blacklisting to knock out a lot of spam with very little work. Basically, if an IP is sending spam, they block it. Period. While that’s efficient, it tends to block a lot of legitimate email (known as “false positives” in the antispam world).

Many systems also automatically block emails from IPs with unknown reputations. While this helps block malicious emails from "bots" that take over otherwise legitimate servers, it also creates false positives. For example, after the server is disinfected and is again sending out good email, these services continue to block the IP for some time.

We know all about IP reputation. When we add new outbound servers to the network for our hosted email service, we have to notify the big providers so they don’t blacklist the new servers and automatically block email sent from them. Also, in the rare case one of our customers has an infected computer and sends unfiltered spam through our service, companies like Yahoo might then block our servers until we clear up the issue.

It’s a little ironic, because our servers send out very little spam, whereas on some days about half the spam we block comes from Yahoo servers. That’s not to blame Yahoo; we just have very different customer segments.

False Positives and Fine Print (The Two FPs)

Watch out for services that claim minuscule false positive rates (like 0.0001%) and always read the fine print to see how they are defining or counting false positives. You’ll often find something like ".0001% false positive rate from reputable IPs", or other wording that obfuscates what a "false positive" really is.

At SpamStopsHere, instead of complex definitions of "false positive" with lots of caveats, we define a false positive as simply any legitimate email that does not make it through our server cluster within 5 seconds. Our threat analysts are charged with keeping our false positive rate to less than 0.001% (fewer than 1 per 100,000 emails), so our customers are very unlikely to ever lose an important email. That’s especially important for professionals like doctors and lawyers, and other businesses that can’t afford to miss email. We’ve got data to back it up.

Speed vs. Accuracy

We only have to filter for hundreds of thousands of mailboxes, as opposed to millions upon millions, so we are able to focus less on raw efficiency and more on accuracy.

We do block emails by IP, but much less aggressively than other antispam providers. Using a proprietary algorithm, we only block servers that have never sent legitimate email and are unlikely to ever do so. Our staff further confirms each IP that we block. Without revealing our trade secrets, suffice it to say that an IP can send many spam emails without us blacklisting it, because it is probably also sending legitimate emails that our customers want and need. Yahoo servers are a good example of this.

Beyond mere size, another reason we can use less aggressive IP blacklisting to increase accuracy is that we have other independent filters (e.g., URL, Phrase and Pattern) that block better than 99% of spam even without IP filtering!

In short, while the big services take the attitude of "if an IP is sending spam then block it", ours is "if an IP might send legitimate email, don't block it based on just the IP". This is especially important with foreign email, because a lot of low-volume spam comes from servers that also send legitimate emails (for example, servers in China).

Live Professional Threat Review

For our size, we employ a relatively large staff of highly trained threat analysts. They work 24/7/365 feeding new information to our spam filter databases, which are in turn updated every two minutes, instantly protecting our global customers. It is tedious work, but well worth it. Our customers love not having to worry or even think about spam or missed email.

Some providers claim higher spam blocking rates than we do, but that always comes at a cost - usually many more false positives, which means a much greater chance that you’ll miss an important email from a patient, client, court clerk, etc. Those we’ve seen claiming lower false positive rates define the term differently or achieve it using controversial methods like aggressive “graylisting”.

We also know this because we have several times explored licensing a product from one of the larger services to augment or replace our own SpamStopsHere. We test them by running their service in parallel with our own and analyzing the differences. While they typically had a similar spam blocking rate, every one had a much higher false positive rate, sometimes 10x higher, especially for email coming from low reputation countries like China and Vietnam. It was also amusing to see them blocking emails from Yahoo and similar providers whose customers send a lot of spam, but also legitimate email.

What About Quarantine Features?

We also notice that bigger antispam vendors offer quarantine (e.g., spam box) services with hundreds of features, fancy searching and more. You really only need that if your spam filter is blocking too much legitimate email. In any case, you should use your quarantine cautiously. Over-reliance on it (for example, to make up for a high false-positive rate) can actually increase the risk that you or your coworkers will click on a phishing scam, reveal login information, send money to a spammer or download a virus.

By contrast, our quarantine is very straightforward and we even discourage using it. The reason? Our false positive rate is so low, many users will never have an important email blocked. In a typical month, less than one percent of our customers even bother checking their quarantines, let alone find anything there. Many stop checking altogether. They almost never see missing email.

Use of a quarantine is so unnecessary with SpamStopsHere, we only include it in our Professional and Enterprise editions, not in the Standard or Business editions. In the rare case a legitimate email is blocked, the sender will receive a bounce, and they or the customer can report it to us. We then update our databases to ensure it doesn't happen again. We only need to make a few corrections per day.

When SpamStopsHere was rated the most accurate antispam service by Network Computing Magazine back in 2005 (and compared to all the big boys), we had a huge surge in our business. The vast majority of those customers are still using our service due to our accuracy and customer support.

Live 24/7/365 Support

This really separates us from virtually all other providers. Some offer “24/7” support at extra cost or have complex and expensive support licensing. Not so with us. Every edition of SpamStopsHere includes our amazing 24/7/365 live support for all issues from our Ann Arbor, Michigan headquarters.

Call us anytime, and a 3rd-level support specialist will be working with you within moments. You can also email us or send us a chat from our website and you’ll get a response right away. Our support personnel are all highly trained technical specialists who love helping out our customers with the occasional issues they may have: from help switching MX records to adding the rarely-needed custom filter rule.

We encourage our 24/7 support team to go the extra mile. As IT types, they love the occasional troubleshooting challenge! If you need a unique feature, contact us anytime. We can often implement it within hours, if not minutes, while the larger vendors may need days just to approve your request (if at all).

Adapting to Change Quickly

Back in 2005, one of the biggest providers, BrightMail, was rated 2nd in antispam accuracy after SpamStopsHere. BrightMail was subsequently bought by Symantec for about $600 million. It is rumored that a year later, when image spam and other new types of spam came out, BrightMail was unable to block it and was effectively shelved. By contrast, we were nimble enough to learn and block new variations of image spam quickly.

The same is true today. Many providers now effectively block common types of spam and malware, so it appears that spammers are shifting their strategy to exploit the weaknesses in fully automated systems. More creative threats like massive short bursts of new campaigns, complex macros that hide viruses in multiple layers, and trojans (like Cryptoware) that mutate within hours or minutes, are becoming more and more frequent.

We see evidence that new malicious campaigns are being tested against the major vendors, probably in part because they are such large targets. Only the most nimble providers can keep up, but some still rely on their customers to make filter configuration changes. That is a weakness in itself. A delay of only a half hour, sometimes less, can mean the difference between keeping your company protected or being flooded by dangerous email.

These new threats require constant vigilance, but many companies cannot afford to maintain that level of expertise internally. And purely automated "free" systems are too slow to recognize the threats until it's too late.

Our 24/7/365 professional analysts, in combination with our automated, database-driven approach and global updates every two minutes, protect our global customers, regardless of their size, day and night, every day of the year, from constantly evolving threats.

Conclusion

Big hosting companies have approached us for licensing, but when they learn how CPU intensive our service is, requiring them to run a hundred filter servers, they lose interest because they want to provide "free" antispam.

For a typical customer of ours, accuracy and customer service are important, not our internal efficiency. If you want to sign up, say, 10,000+ mailboxes with SpamStopsHere, we will likely want a few days to set up dedicated servers for you. So, in that regard we cannot accommodate you as fast as someone on the Gartner list. But waiting a few days to free yourself from constantly worrying about email threats, and to have our brilliant 24/7/365 support if you ever need it, seems well worth it.

More About SpamStopsHere

SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.

If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.