Ottawa PC Users' Group, Inc.
 Product Review 


SpamNet
by
Chris Taylor

Last month I took a generic look at the problem of spam. As a general rule, I still recommend that you deal with spam simply by deleting it and getting on with your life.

But, if you are really frustrated with the volume of spam you receive and you really want to do something to eliminate it, there are some products on the market that may be able to help you. This month I take a look at SpamNet from Cloudmark.

Most anti-spam software tries, with varying degrees of success, to identify spam by its own rules. It may look at information in the header, words or phrases in the subject or body of the message, etc. As you might imagine, this can be a really difficult way to identify spam. And it can be problematic. Every e-mail I have ever received that contained the word “Viagra” was in fact a spam trying to sell the drug to me. However, the same is not likely true for a doctor, hospital or drug supply house.

Cloudmark avoids the problem by not doing a single thing to identify spam. Instead, they let their customers identify spam. An ingenious turn-about. Once you install SpamNet, currently at beta 6d as I write this review, it begins filtering out spam automagically. As well, if you want, you can immediately begin to contribute to the body of knowledge of known spam. Here’s how it works.

While it is difficult to describe a spam e-mail, everyone knows one when they see one. When you receive an e-mail and you identify it as being spam, you can click a button on your toolbar labelled Block. SpamNet takes a copy of the spam and sends it to a Cloudmark server. The Cloudmark server creates a statistical signature, or fingerprint of the message and stores this fingerprint in a database. Now, say someone else receives the same spam e-mail. When the e-mail arrives, a fingerprint for that message is created and then checked against the database of known spam to see if a similar fingerprint already exists. When it finds the match, SpamNet knows that the e-mail is, in fact, spam and the software then moves the e-mail to a spam folder.

There is strength in numbers. As more and more people use SpamNet, more and more people are identifying spam and reporting it to Cloudmark. The more people are involved, the more likely it is that, by the time spam makes it to your mailbox, someone else has already identified the spam, and your copy of SpamNet can whisk it away to your Spam folder before you have to deal with it.


But things are seldom perfect. What if someone accidentally reports an innocent e-mail as spam? Perhaps they forgot that they actually did sign up at some web site to be kept informed about product information or whatever.

Besides the Block button on the toolbar, there is an Unblock button. If you notice that something was caught as spam that should not have been treated that way, you can click the Unblock button. When you do so, the statistical representation of the message is sent to Cloudmark to let them know that this e-mail was not spam. At the same time, the message is moved from the spam folder back to your Inbox.

But what if the spammers got a copy of SpamNet and simply sent an Unblock for every spam they send out? Or what if you get some dolt who can’t figure out what they are doing and are constantly pressing the wrong button?

Cloudmark has thought of that. Each user gets assigned a ranking in a “Truth Evaluation System”. The more spams you accurately report, the higher your ranking and the more weight your blocks and unblocks carry. Anyone who consistently reports incorrectly will end up with a ranking that carries no weight.

Finally, if you have mail from a particular source that is always being accidentally treated as spam, or you don’t want to take a chance of e-mails from a particular source being treated as spam, you can use the Whitelist option. This is a simple string match. For example, entering “Minisoft” would allow Minisoft-user@spammer.com or Connie-Coder@- Minisoft.com through. Entering “@Minisoft.com” would allow the second example to pass through with no spam checking.

I would estimate that over 90% of the spam I received during my testing period was caught by SpamNet and moved to my spam folder.

Given the simple way that SpamNet works, the user controls are pretty limited. You can enable and disable SpamNet, specify the folder that spam should be moved to, create entries on the Whitelist and configure SpamNet to use a SOCKS 4 or 5 proxy (if required). There is a configuration option called Custom Confidence Level Settings which is currently disabled. I am intrigued, because I expect this will give a bit more control to the individual users over what is considered spam or not. We will have to wait and see!

About the only other thing you can do with SpamNet is run it against existing e-mail already in your mailbox. You can specify any folder and SpamNet will chug away checking every e-mail in the folder. If you have thousands of messages, expect it to take some time.

So how effective is SpamNet? Well, Cloudmark’s web site says you can expect SpamNet to catch about 75% of all spam. Their home page lists numbers for the day, and on September 14th, it was reporting that they had 72,456 users, they had processed 5,024,097 e-mails and had caught 1,721,925 spams. Not too shabby for a single day!

My experience with SpamNet’s ability to catch spam has been very good. I would estimate that over 90% of the spam I received during my testing period was caught by SpamNet and moved to my spam folder.

But what about dreaded false positives? Everyone wants spams removed, but nobody wants legitimate, non-spam e-mails to be accidentally caught.

On this front, I found that SpamNet tended to catch one or two non-spam e-mails a day. For most of them, I could see why they might have been treated that way. I am signed up for a lot of electronic newsletters, most of them related to information technology. They are all legitimate and have clear instructions on how to unsubscribe. But perhaps some people had a hard time unsubscribing and decided to treat them as spam and use the Block button. I used the unblock button and it seems to have helped, but not eliminated, the problem of non-spam e-mails being blocked.

Quite a bit more puzzling was the result of running SpamNet against a couple of thousand e-mails in one of my existing folders. It identified an e-mail from my boss as spam! Ouch! Now, I am not sure how this could happen, except that the fingerprint calculated from this message happened to match the fingerprint of a completely unrelated spam that someone reported? I am told this can’t happen and the e-mail was identified as spam “…because there was a common background, part, or signature within the messages.” The proper thing to do is unblock the message so that it is not treated as spam in the future.

I had another e-mail, a daily humour digest and it was getting caught as spam every day. Every day I unblocked it. I finally gave up and whitelisted the sender address. But I guess that’s part and parcel of being beta software!

And therein lies the rub. As with other anti-spam programs I have looked at, you cannot be absolutely sure it will catch all spam and you can’t be absolutely sure that it won’t have false positives. Not catching all spams is not really a problem, although you really do want it to catch the maximum possible. But most people have a pretty low tolerance for legitimate e-mail being treated as spam.

Most anti-spam programs, SpamNet included, handle the problem of false positives by refusing to silently purge spam so you never see it. They will only move it to another folder.

And therein lies the other rub. Even though SpamNet can move spam out of my Inbox for me, I still have to deal with the spam at some point. Until I am confident that there are never any false positives, I must look through the spam folder to make sure nothing was accidentally caught. If and when I ever get that confident, dealing with the spam will be a simple action of emptying the spam folder.

The final caution I have about SpamNet relates to your privacy. Normal e-mail arriving at your Inbox is not sent to Cloudmark – only the statistical signature is sent. Even when you Unblock a message that was accidentally treated as spam, only a signature is sent. But, when you hit the Block button, that message is sent to the Cloudmark server. In most cases, this is not a problem. The message is just a spam, right?

I can understand why the Cloudmark lawyers would insist it be in the license agreement, but users should be aware that any message they block by hitting the block button is sent in its entirety to a Cloudmark server and you “assign to Cloudmark any and all right, title, and interest that you may have (including any intellectual property or proprietary rights) in and to any such e-mail messages and digital signatures thereof.” I am promised by Cloudmark staff, “All I can do is assure you that we never look at, or acknowledge these messages in anyway. No human beings are doing anything with the reported messages, your privacy is protected.” But seeing the wording in the license agreement, I would say you better not accidentally hit the Block button when your partner sends you your latest business plan or the source code to your program that is going to make you a millionaire!

SpamNet requires Outlook 2000 or Outlook XP. A version for Outlook Express is in the works, but no release date has been announced. If you are behind a firewall, you need to be able to make an outbound connection with a destination on TCP port 2703. Most firewalls will allow such outbound connections.

The SpamNet beta is free and will remain free even after the final release hits the street. The final release version will cost you something, but the pricing has not yet been set. An Enterprise version is also in the works that will be appropriate for ISPs and large organizations.

You can download a copy of SpamNet from www.cloudmark.com.


Bottom Line:

SpamNet
freeware
from Cloudmark
Web site: http://www.cloudmark.com


Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews may not necessarily
represent the views of the OPCUG or its members.