Ottawa PC Users' Group, Inc.
Product Review


SpamKiller 4.0
by
Alan German

I may not be the best person to review McAfee's SpamKiller program.  I certainly get lots of Spam, but most of it is filtered by my ISP's mail server before it can reach my inbox.  So, poor old SpamKiller has to deal with (presumably) the tough stuff that creeps through the initial filtering system.  On the other hand, this may well be the situation for many users, so it may not be such a bad real-world test of the software's capabilities.

My interest in the program was certainly sparked by the fact that, over time, more and more Spam is squeezing through my ISP's filters, so I need some additional help in trapping unwanted messages.  The basic premise for SpamKiller seems reasonable for the purpose.  Each day, when I connect to the Internet through my ISP, SpamKiller goes to McAfee's web server and downloads an up-to-date set of mail filters.  The program subsequently applies these filters in order to separate all the incoming mail into valid messages and Spam.

SpamKiller's installation process is simplicity itself.  The program is relatively small and installs very rapidly, taking less than a minute on my machine.  Particularly impressive is the fact that many of the required settings are determined automatically.  Firstly, the getting-started wizard gave me the option of importing my address book as a set of "friends", messages from whom would automatically be accepted.  I actually chose to bypass this option because I use a fairly large E-mail distribution list such that most of the entries in my address book are for outgoing rather than incoming mail.  The wizard next found that I had Outlook, Outlook Express and Eudora installed on my machine, had E-mail accounts set up on two of these, and asked which account I wished SpamKiller to filter.  I selected my regularly used Eudora account.  While automatically retrieving the account name and logon ID from the values already being used by Eudora, the wizard asked me to enter my password as this was not permanently set in my mail program.  Next I indicated that I had dial-up rather than a direct connection to the Internet, and selected the appropriate telephone number to call from a pick list determined by the wizard.  Finally, I was reminded to turn off automatic mail checking by my mailer since SpamKiller wants to be the first to look at and filter all incoming mail.  SpamKiller was now all set to go.

But, before we look at the program itself, there's another feature that deserves a word - McAfee.com SecurityCenter.  This application loads itself into the Windows toolbar and provides quite a nice interface for obtaining updates, accessing on-line information about viruses and news about various security threats.  It provides a set of coloured bars indicating the level of protection present on the computer against viruses, hackers, Spam and something it calls "abuse".  My anti-abuse index was 1.0, and in the red, which was not surprising since this is the first I had heard of "anti-abuse" software!  The issue seems to be vulnerability to malicious web sites stealing personal information when an individual visits such a site.  Of course, McAfee were more than willing to offer a solution to my new dilemma since they have such software available for purchase.

On the positive side, my anti-virus, anti-hacker, and anti-Spam indices were all 10.0, with a full green bar highlighting the good news.  While SpamKiller had a green circle indicating that it was protecting my mail system, VirusScan Online and Personal Firewall Plus both were red-circled as not installed.  My high security levels here evidently were due to the fact that I have VirusScan installed (but not the on-line version) and ZoneAlarm (the competition!) in use as a firewall.  Information provided on the latter is that the version was up to date; however, this isn't too accurate.  The particular version of ZoneAlarm I am using is actually an old one since a couple of updates that I tried seemed to install correctly, but prevented me from running any other applications under Windows 2000.  Consequently, I reverted back to a version that didn't have such problems.  The older version doesn't seem to be a problem.  I ran SecurityCenter's probe (http://www.hackerwatch.org/probe/) and everything checked out as secure, hence the pretty green bar for my anti-hacker system.

While this is a nice interface, I doubt that I would make much use of it.  SpamKiller also has an update button so I could use this directly without using SecurityCenter.  After a while SecurityCenter became a bit of a nag, always wanting to check for updates, and occasionally popping up a "Medium Virus Advisory" message, providing background information on some virus or other, but nothing to do with any actual threat.  The good news is that you can configure SecurityCenter and turn off the automatic check for updates.  Anyway, enough of the extraneous stuff, let's see how SpamKiller actually performs...

The program has a toolbar across the top of the window that includes icons for checking mail in the active account, checking all accounts, deleting and printing messages, running the default E-mail program, and accessing on-line help.  There is also a set of icons down the left side of the window that allow the user to check settings for SpamKiller and the available E-mail accounts, view lists of the mail filters and updates that have been received, and view a list of designated friends.  Finally, there are icons to view either killed mail items (Spam) or live mail items (messages that have passed through the current set of filters and are available on the mail server).

Manually checking the default settings after installation of the program showed that SpamKiller was to report new E-mail, possible Spam, and killed Spam; all new filters were set to kill Spam, and the program was to check for updated filters automatically.  There was an option to receive mail "from friends only" that I left unchecked.  Messages larger than 100KB were to be skipped, but I opted to turn this off.  Copies of killed messages were to be retained for 30 days and then automatically deleted.

Checking the settings for my ISP's E-mail account showed that the address of the POP3 server for incoming mail, and that of the SMTP server for outgoing mail, had been pre-determined from the values set in Eudora.  Mail checking was set to take place when an ISP connection was established, and every 10 minutes thereafter.  I reset this to manual checking only since this is the way I normally access my mail.

A quick look at the current set of filters showed a long list of items, including trapping mail from users with names containing xxx, or being blank, and coming from domains ending with admail.com,  enterfoldslive.com, onestopshop.net, and so forth.  So, it's pretty clear how SpamKiller tries to filter out unwanted mail.

SpamKiller interface

My first attempt to use SpamKiller proved interesting.  There were nine incoming messages; two were trapped as Spam, and seven were supposedly valid messages.  Neither of the "Spam" items was in fact Spam.  One was a daily message from my ISP providing me with the headers of Spam mail that their filters had trapped.  This was caught by SpamKiller because the "message" contained the F-word which, of course, was actually in the header of a Spam message that had already been filtered out of the message stream.  Quite impressive really, because the word was spelled out, interleaved with hyphens, along the lines of: F-U-*-*-I-N-G.  The fix to this minor problem was to add the address of my ISP's messaging system to my list of friends.

The second message was trapped because "From was not a valid address".  Viewing the details of the message header showed that the problem was a double period in the sender's E-mail address.  This particular message came from a listserver and I'm not sure if this was a typographical error or an attempt by the sender to mask his true E-mail address.  Either way, SpamKiller's filters didn't like the invalid format.  SpamKiller is supposed to allow such false positives to be rescued; however, in my case, hitting the "Rescue message" button produced: "Mail transfer error, code 501.  501 Syntactically invalid HELO argument(s)".  More on this problem later.

Having downloaded the seven "valid" mail messages from my ISP, using Eudora as usual, it was evident that SpamKiller had actually missed one obvious piece of Spam, an advert for an on-line pharmacy.  Valid messages can also be viewed in SpamKiller using the Live Mail option.  So, I could see that the message had merely been flagged as possible Spam because it was addressed to an entirely different user on my ISP's domain, giving the warning: "To does not equal any of your user names".  Other pieces of truly valid E-mail had been similarly flagged with warnings because, in one, the "Message text contains 1-800" and, for another, the "Subject is uppercase".

The automatic update process for the mail filters seemed to have worked as advertised since ten updates were listed for the current date including filters for:  Subject contains 'homeowner? (we can help)' and Message text contains 'very naughty girls! click below'.

Over the next few days, SpamKiller provided a very similar experience.  Without trying to tweak the filters manually, some Spam messages passed through the screening process, while some real mail was trapped and killed.  For me, the strangest message to get past SpamKiller was one for which the subject line contained "VIAGARA: 69.95".  Can it really be that McAfee don't consider messages about Viagara to be Spam?  In contrast, a perfectly valid message was trapped because my correspondent had jokingly added "Of course, that's not a money back guarantee :)" at the end of his message.

Another interesting situation was a friend's message, trapped because it contained "hgh".  I eventually realized that this text string was actually present in a MIME-encoded attached file.  Searching through the coded information using Notepad showed that hgh occurred on no fewer than three occasions in a relatively long series of ASCII codes.  Google tells me that hgh is an abbreviation for human growth hormone, which no doubt, is the subject of lots of Spam.  However, it seems likely that this short text string will frequently occur in ASCII encoded binary files, which makes me wonder why the search engine is looking inside the code.
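The kind of string matching the review describes, as an added Python example (my code, not McAfee's): a small rule-based filter that applies header rules like the ones quoted above (a sender name containing "xxx", a blocked domain, a From address made invalid by a double period, an all-uppercase subject, "1-800" or "hgh" in the message text) and then scans the body in two ways.  `raw_scan` matches against the message exactly as transmitted, base64 attachments included, which is what trapped the friend's message; `decoded_scan` looks only at decoded text parts, so encoded binary data can never match.  The three messages, the blocked-domain list and the rule names are constructed for the example; the `friends` list reproduces the fix the review applied.

```python
import email
import re
from email.utils import parseaddr

# Constructed blocked-domain list, standing in for the domain filters the review lists.
BAD_DOMAINS = {"admail.com", "enterfoldslive.com", "onestopshop.net"}

# Dot-atom local part and a dotted domain: consecutive dots, as in the
# list-server address the review mentions, do not match.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$"
)


def valid_address(addr):
    return bool(_ADDR_RE.match(addr))


def subject_is_uppercase(subject):
    letters = [c for c in (subject or "") if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)


def sender_parts(msg):
    """(display name, address) from the From header, both lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.lower(), addr.lower()


# Filter rules loosely modelled on those quoted in the review.  Each rule sees
# the parsed message and whatever body text the chosen scanner produced.
RULES = [
    ("From name contains 'xxx'",
     lambda msg, text: "xxx" in sender_parts(msg)[0]),
    ("From is not a valid address",
     lambda msg, text: not valid_address(sender_parts(msg)[1])),
    ("From domain is blocked",
     lambda msg, text: sender_parts(msg)[1].rpartition("@")[2] in BAD_DOMAINS),
    ("Subject is uppercase",
     lambda msg, text: subject_is_uppercase(msg.get("Subject"))),
    ("Message text contains '1-800'",
     lambda msg, text: "1-800" in text),
    ("Message text contains 'hgh'",
     lambda msg, text: "hgh" in text.lower()),
]


def raw_scan(msg, raw):
    """Scan the message as transmitted: base64 attachments get matched too."""
    return raw


def decoded_scan(msg, raw):
    """Scan only decoded text/* parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def classify(raw, scanner, friends=()):
    """Return ('live' | 'killed', [names of the rules that fired]) for one message."""
    msg = email.message_from_string(raw)
    if sender_parts(msg)[1] in {f.lower() for f in friends}:
        return "live", []                      # friends are accepted unconditionally
    text = scanner(msg, raw)
    reasons = [name for name, hit in RULES if hit(msg, text)]
    return ("killed" if reasons else "live"), reasons


# Constructed messages.  The attachment's base64 text happens to contain "hgh".
FRIEND_MSG = """\
From: Workshop Friend <friend@example.org>
To: alan@example.net
Subject: Workshop photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Here is the photo from the workshop.
--sep
Content-Type: application/octet-stream; name="photo.bin"
Content-Disposition: attachment; filename="photo.bin"
Content-Transfer-Encoding: base64

hghghghghghghghg
--sep--
"""
SPAM_MSG = """\
From: xxx promotions <offers@admail.com>
To: someone-else@example.net
Subject: HOMEOWNER? (WE CAN HELP)
Content-Type: text/plain; charset="us-ascii"

Call 1-800-555-0100 today for a very special offer.
"""
LIST_MSG = """\
From: OPCUG list <news@lists..example.org>
To: alan@example.net
Subject: Meeting reminder
Content-Type: text/plain; charset="us-ascii"

Reminder: the next meeting is on Wednesday.
"""

if __name__ == "__main__":
    for label, raw in (("friend", FRIEND_MSG), ("spam", SPAM_MSG), ("list", LIST_MSG)):
        print(label, "raw:", classify(raw, raw_scan), "decoded:", classify(raw, decoded_scan))
```

Running it shows the friend's message killed by the raw scan and passed by the decoded scan, the advert killed by four rules either way, and the list message killed only for its malformed sender address; adding `friend@example.org` to `friends` makes the raw scanner pass the first message as well.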

And, perhaps most interesting for OPCUG members was a piece of mail trapped when coming from the well-known Ottawa "Spammer", Jocelyn Doire.  His mail sending me the latest version of Ottawa PC News was trapped because: "Message text contains: address: ________".  The irony of the latter was that the specific phrase was part of the registration form for OPCUG's Beginner's Workshop, asking potential registrants for their name, address, telephone number, and E-mail address, a document that I had originally created.  Thus, poor old Jocelyn was being branded as a spammer because of a string of text being sent to me that I had actually written.  Weird and wonderful things, Spam filters!

I suppose that most such problems can be avoided by fine tuning the program by adding friends, and tweaking filters for specific messages but, for me, life is too short to spend much time on such items.  There are other ways to reduce the amount of Spam that ends up in my in-box and, personally, I find these alternatives preferable.

One major problem I had with SpamKiller was my inability to rescue messages incorrectly killed as Spam.  It seemed that the "501" error encountered was very specific; however, there was no mention of any such problem or error code in the hard copy manual, nor in the program's help menu.  Nor did logging on to McAfee's web site and searching their on-line databases provide much useful information.

The most similar problem report on the web site was "Why aren't rescued messages showing up in my inbox?"  This suggested that the SMTP settings must be incorrect.  However, if you recall, these were set by the installation routine, based on perfectly valid data being successfully used by Eudora.  The address for my ISP's SMTP server was the same as that for the POP3 server, and the latter was downloading mail to SpamKiller correctly.  Similarly, the server port number for incoming mail was set automatically to 110, and that for outgoing mail to 25, and my ISP confirmed that these are the correct values.  So, it was time to seek additional help directly from McAfee.

I filled in the on-line E-mail help form in the technical support section of the web site but it crashed, nominally on my telephone number.  I was unable to find a set of numbers and/or a format for the area code and telephone number that it liked.  Without a "valid" telephone number I was unable to submit the form.  So, onto the next option, that of contacting a live technician...

I tried this feature on several occasions.  The system responded with various messages on different days.  Initially, it forecast a one minute waiting period, but this stretched to more than 10 minutes before I gave up.  The second time I was 10th in the queue, then 9th... before I gave up.  Finally, late one night, I held the chat session open for quite some time.  This time the system was reporting -- all our agents are busy, please wait, thank you for your patience.  So, I started writing this article, using Word in an on-screen window, and keeping one eye on the McAfee chat window...

Finally, I had a nice chat to a live technician.  The bottom line was that he had me delete my mail account in SpamKiller, and reset it manually by checking the option: "My E-mail account is not shown in the list above".  This basically ran a wizard prompting me to manually enter all of the parameters related to the ISP E-mail account.  Once I had provided all of these data elements and relayed the input to the technician, he indicated that rescue would now work, and had me test it.  Of course, removing the mail account deleted the entries in the killed mail box, and three new messages downloaded from my ISP at that time of night all showed up as live mail rather than Spam, so an actual test to rescue a killed message could not be conducted.  First thing the next morning, killed mail was identified, and rescue failed with the error message: "Mail transfer error, code 501.  501 Syntactically invalid HELO argument(s)".  Aagh!!!
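What that error actually means, illustrated with an added Python example (my code, not McAfee's or the ISP's): a 501 reply to HELO comes from the receiving SMTP server, which checks that the argument is a syntactically valid host name or a bracketed address literal before it will take mail.  An empty argument, or a machine name containing spaces or underscores, is rejected, so a client that rescues a message by re-sending it through SMTP fails before it even reaches MAIL FROM, which is why correct server addresses and port numbers made no difference.  The code models a strict server's reply and a client-side fallback to an address literal, which is always syntactically acceptable.  The server name and the sample HELO lines are constructed, and whether SpamKiller announced the Windows computer name is an assumption the review does not confirm.

```python
import ipaddress
import re

# RFC 5321 syntax for the HELO/EHLO argument: a Domain made of letter, digit and
# hyphen labels joined by dots, or an address literal such as [192.0.2.1] or
# [IPv6:2001:db8::1].  Anything else is a syntax error, reply code 501.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_LITERAL_RE = re.compile(r"^\[(IPv6:)?([0-9A-Fa-f:.]+)\]$")

SERVER_NAME = "mail.example.net"                          # constructed receiving MTA
BAD_HELO = "501 Syntactically invalid HELO argument(s)"   # the text quoted in the review


def helo_argument_ok(arg):
    """True when arg is a syntactically valid HELO/EHLO argument."""
    if not arg or " " in arg:
        return False
    literal = _LITERAL_RE.match(arg)
    if literal:
        try:
            ip = ipaddress.ip_address(literal.group(2))
        except ValueError:
            return False
        # an IPv6 literal must carry the IPv6: tag and an IPv4 literal must not
        return (ip.version == 6) == bool(literal.group(1))
    return bool(_DOMAIN_RE.match(arg))


def helo_response(line):
    """Server side: the reply a strict MTA gives to one HELO/EHLO command line."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() not in ("HELO", "EHLO"):
        return "500 Syntax error, command unrecognised"
    return f"250 {SERVER_NAME} Hello {arg}" if helo_argument_ok(arg) else BAD_HELO


def choose_helo_name(local_hostname, local_ip):
    """Client side: announce the machine's fully qualified name when it is a
    valid Domain, otherwise fall back to an address literal built from the
    local IP, which no server can reject on syntax whatever the computer name is."""
    if "." in local_hostname and helo_argument_ok(local_hostname):
        return local_hostname
    ip = ipaddress.ip_address(local_ip)
    return f"[{ip}]" if ip.version == 4 else f"[IPv6:{ip}]"


if __name__ == "__main__":
    # Constructed HELO lines; the last three are the kind of argument that
    # produces the 501 reported in the review.
    for line in ("EHLO pc.example.net", "EHLO [192.0.2.10]", "HELO ALANS_PC",
                 "HELO Alan's PC", "HELO"):
        print(f"{line!r:22} -> {helo_response(line)}")
    print("fallback:", choose_helo_name("ALANS_PC", "192.0.2.10"))
```

The strict model here requires the `IPv6:` tag on IPv6 literals exactly as the RFC grammar does; real servers vary in how lenient they are, but a plain dotted IPv4 literal or a proper fully qualified name is accepted everywhere, which is what a client should send.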

McAfee were good enough to (automatically) E-mail me a link to an on-line questionnaire to gather feedback on my experience with their problem-solving system.  I basically fed back the above scenarios, with a number of associated comments on how they might consider making a few improvements.  I wonder if anyone reads such stuff and, if so, do they actually take any action?

As far as I can tell, SpamKiller runs essentially in stand-alone mode, independent of your usual E-mail program.  When activated, SpamKiller goes directly to your ISP's mail server, logs onto your E-mail account, and downloads copies of all the incoming mail to your computer.  The Spam filters are applied and the mail is sorted into "live mail" and "killed mail".  SpamKiller then goes back to your ISP's mail server and deletes the messages that have been identified as Spam, leaving the other messages on the server to be subsequently downloaded by your regular mail program.

SpamKiller stores copies of all the messages in directories named "inbox" and "killed" on the local computer's hard drive.  Each message is saved as a set of two files, with each set of files being sequentially numbered.  One of the files has a txt extension and contains the body of the message together with the encoded version of any attached file.  The second file has an hdr extension.  This too is a text file and contains the message header.  These are the files that are viewed in SpamKiller's window when the Killed Mail/Live Mail and View Details buttons are pressed.
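The download, filter and delete cycle described in the two paragraphs above, as an added Python simulation (my code, not SpamKiller's): a fake POP3 maildrop that follows the protocol's rule that DELE only marks a message and QUIT commits the deletions (RSET, or a dropped connection, undoes the marks), a filter pass that stores each message as a header/body pair numbered sequentially under "inbox" or "killed", and the result that the regular mailer afterwards sees only the live mail.  The sample messages and the one-line spam test are constructed.  The point worth noticing is that once QUIT has run, a false positive exists only in the local killed store, so "rescue" has to put it back by some other route, which is where the SMTP problem above arises.

```python
import email

# Three constructed messages waiting on the ISP's server; number 2 is an
# on-line pharmacy advert of the kind the review mentions.
SAMPLE_MAILDROP = [
    "From: friend@example.org\nSubject: Workshop photo\n\nSee you Wednesday.\n",
    "From: offers@example.com\nSubject: Cheap on-line PHARMACY\n\nBuy now.\n",
    "From: news@example.net\nSubject: Ottawa PC News\n\nThis month's issue.\n",
]


class FakePop3Mailbox:
    """Minimal stand-in for a POP3 maildrop (constructed for this example).
    Messages are numbered from 1 for the session; DELE only marks a message,
    QUIT removes the marked ones, and RSET clears the marks."""

    def __init__(self, messages):
        self._msgs = list(messages)
        self._marked = set()

    def list(self):
        """(number, size) for every message not yet marked for deletion."""
        return [(n, len(m)) for n, m in enumerate(self._msgs, 1) if n not in self._marked]

    def retr(self, n):
        return self._msgs[n - 1]

    def dele(self, n):
        self._marked.add(n)

    def rset(self):
        self._marked.clear()

    def quit(self):
        """Commit the deletions and return what is left for the regular mailer."""
        self._msgs = [m for n, m in enumerate(self._msgs, 1) if n not in self._marked]
        self._marked.clear()
        return list(self._msgs)


def split_header_body(raw):
    """Return (header, body) text, mirroring the .hdr/.txt pair the review describes."""
    header, _, body = raw.partition("\n\n")
    return header + "\n", body


def is_obvious_spam(raw):
    """Stand-in for the downloaded filter set: a single subject-line rule."""
    subject = email.message_from_string(raw).get("Subject", "")
    return "pharmacy" in subject.lower()


def filter_maildrop(mailbox, is_spam, store):
    """Download everything, file each message under inbox or killed with the
    next sequence number, delete killed mail from the server and return the
    messages still on the server after QUIT."""
    for n, _size in mailbox.list():
        raw = mailbox.retr(n)
        folder = "killed" if is_spam(raw) else "inbox"
        seq = len(store[folder]) + 1            # e.g. killed/1.hdr and killed/1.txt
        store[folder][seq] = split_header_body(raw)
        if folder == "killed":
            mailbox.dele(n)
    return mailbox.quit()


if __name__ == "__main__":
    store = {"inbox": {}, "killed": {}}
    left = filter_maildrop(FakePop3Mailbox(SAMPLE_MAILDROP), is_obvious_spam, store)
    print("left on server for the mailer:", [m.splitlines()[1] for m in left])
    print("killed locally:", [h.splitlines()[1] for h, _ in store["killed"].values()])
```

Because deletions are committed only at QUIT, an intermediary that crashes or loses the dial-up connection mid-session leaves the maildrop untouched; the irreversible step is the clean QUIT after a wrong verdict.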

SpamKiller has a number of additional features that I didn't use.  These include the ability to send a message of complaint to a spammer's ISP, or to send an error message to the spammer essentially "bouncing" the message and pretending that it was not received due to an invalid address.  You can also configure many aspects of how the program works, such as how frequently mail should be checked, specifying multiple accounts, how you are notified when new mail is received, and customizing complaint and error messages.

As I indicated at the outset, my situation may not be typical for most E-mail users.  The E-mail address I use most is posted on a web site and so, since it is readily available to robots and spiders, it receives lots of unwanted mail.  A rough count shows some 40-60 Spam messages being filtered out each day by my ISP, leaving SpamKiller to deal with the remaining 15-25 messages.  One difficulty I have with running SpamKiller is that it is yet another layer on top of what I already do to read my mail.  I currently use E-Remove (http://opcug.ca/public/Reviews/Mail%20Remover.html) to pre-scan message headers, and to manually tag messages for deletion from the mail server before actually downloading them in Eudora.  A particular advantage of this system is that I can delete junk messages with large attached files, thus avoiding the long download times for such messages over a dial-up connection.

SpamKiller effectively fulfills the same purpose because you can delete items from the Live Mail box, which in turn removes them from the mail server.  However, by default, SpamKiller downloads the entire message and any attachment, and has no facility to just download the message headers and perhaps a few lines of text.  So, if long messages and/or large attached files arrive, you have to wait while they are downloaded.  SpamKiller has the supposed advantage of using constantly updated mail filters but, for me, the fatal downside was my inability to rescue false positives.

It seems to me that SpamKiller needs to become a full-featured mailer rather than being just an intermediate between the ISP mail server and the user's regular mail program.  It has most of the basic components for receiving and sending mail, so it doesn't seem to be too much of a stretch for McAfee to add some further functionality.  The idea of constantly updated filters seems fairly reasonable but, by their very nature, such filters are fairly simplistic and sometimes get it wrong.  In addition, the filters can't know about "new" Spam until the people writing the filters receive it, so they will never be able to catch everything.  But, for many users, such a relatively hands-free system might be much better than nothing.

Despite the huge number of filters applied by SpamKiller, real messages are trapped and Spam messages slip through the net.  In my current situation, my ISP filters out most of the junk; in fact, I have yet to see a valid piece of mail trapped by their filters.  The use of E-Remove allows me to quickly scan the residual mail and tag any obvious Spam for deletion.  So perhaps a more effective solution in my particular case would be to try tweaking my ISP's mail filtering system to see if I can eliminate even more junk at source.  Anyway, for what it's worth, that's my next tactic.  Anybody need a slightly-used copy of SpamKiller?


Bottom Line:

SpamKiller Version 4.0.47.1
US $39.99 (downloaded version)
from McAfee Security/Network Associates
Web site: http://us.mcafee.com/


Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews may not necessarily
represent the views of the OPCUG or its members.