Recommendations for secure gateway vendors?
Question asked by A System Administrator - 3/11/2022 at 3:04 PM
I've been looking into using a secure mail gateway to help deal with the rising torrent of phishing / impersonating / scamware our organization has been seeing. There are several services that come up on the top of many lists such as Proofpoint, Mimecast, Avanan, etc but I was interested in seeing what the SmarterMail community is using.

What sort of secure gateway are you using (if any)? Any experience/recommendations to share?


echoDreamz Replied
We use rSpamD with VadeSecure, no issues with phishing emails etc.
Douglas Foster Replied
I looked at many, came away upset that most vendors do not understand the problem that they are purporting to solve.   

Currently I am using SmarterMail+Declude as my first spam filter, but my Declude implementation is heavily customized.  It blocks unwanted traffic based on source attributes.   Then my messages go through two commercial spam filters.   Those are pretty good at filtering based on content, but I cannot recommend either of them as well designed products capable of protecting you as a standalone solution.

During my search, I was close to recommending ProofPoint, only to discover that their secure web relay solution violates DMARC when a non-client responds to a message started by one of their clients.    Subsequently found evidence that Cisco IronPort does the same.  I opened security complaints with both vendors, which were ignored.   My opinion is that if you are going to advertise your skill at filtering inbound mail based on DMARC criteria, you should not be violating DMARC policies when sending outbound mail.    I do not have enough experience with Zixmail to know if the Mimecast/Zixmail combination has this problem or not.

My distributor, who handles many product lines, said that Cisco IronPort is a good but expensive solution if you buy into their whole portfolio (including desktop protection), but not cost effective as a point solution for email only.

If I were to reopen the procurement process, I would start with ClearSwift.   They appeared to have the exception management features that I wanted, and were likely to be about half the cost of ProofPoint or MimeCast.   

Here is what you should be looking for in exception management features.   Some who have seen my previous posts will recognize the content.

My incoming spam has one of two characteristics:
1) Spammer-controlled infrastructure using the spammer's identity for both SMTP MAILFROM and message FROM addresses.   They rely on the fact that you probably don't recognize their identity and that you allow unrecognized senders by default.   

When you catch them, you need to be able to block based on any or all of: Source IP, Reverse DNS name (or portion), HELO name (or portion), SMTP domain, and From domain or full address.   Many products do not examine or log all of these identifiers and therefore cannot filter on them.   (Spammers do not change their host identity as often as you might expect, so blocking on host name is pretty effective at blocking all of their IP addresses even when you only know one address.)

2) Spam sent from email service providers like SendGrid.com or MailChimp.com.  In these cases, the service provider identity is in the SMTP MAILFROM address and the spammer identity is in the message FROM address.  Some messages from these vendors will probably be essential to your organization, while others will be toxic, depending on the client identity.   So you must have a product that can filter on From address.  You need to be able to say that if the From address is your trusted electric utility you want the message whitelisted, but if it is from a known spammer then you want the message blacklisted.  If the service provider has a really bad track record, you might decide to quarantine any new client of that service provider, so that you can check whether it is safe or hazardous, rather than finding out the hard way.

Eventually, you will find some message source that needs to be whitelisted.  You need to be able to configure a whitelisting rule that allows messages from that sender without allowing spoofs of that sender to be whitelisted.   That means you need multi-attribute whitelisting, meaning:
(a) the message has one or more identifiers, received together, which constitute the "fingerprint" for the trusted message source, 
(b) at least one of those identifiers can be verified as true.   

Possible verification methods are:
Source IP (assumed true), 
HELO or Reverse DNS host name that forward confirms to the Source IP
Message FROM that produces DMARC PASS

For blacklisting, a single attribute match is usually sufficient reason to block a message.  Too many products implement whitelisting the same way --  you pick a single identifier and say that it is trusted, without any ability to ensure that it is verified and without any ability to require multiple identifiers to be observed together.

Finally, you need an ability to apply filter rules in test mode, to collect data, without acting on them.   Lots of products lack this.   So maybe you decide to block based on SPF or DMARC failures, only to discover that some of your most wanted traffic is triggering false positives.   Find a product that allows you to detect your trusted-but-misconfigured senders in advance, so that you can implement a whitelist rule to work around their defective SPF policy or missing DKIM signature.   Better to know in advance than to discard an email that the company president considers essential.

Every spam filtering product should be able to do all of these things, because these are requirements that are inherent to the problem space, and we all face the same problems.   Declude does most of these things well, and its customization capability allowed me to do the rest.  It is free, so I gave up my search for a commercial solution.   If you find one or more that can meet these criteria, I would love to know about it, either as a reply to this post or a personal message.

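The exception-management behaviour described in the post above (a whitelist rule that fires only when every identifier in the sender's "fingerprint" is present and at least one of them is verified, a blacklist rule that fires on any single identifier, and a test mode that logs without acting) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from Declude, ClearSwift or any vendor mentioned here. DNS forward/reverse tables, the DMARC result and the sample messages are all constructed inline so it runs offline; a real gateway would obtain them from live lookups and its authentication step.

```python
"""Multi-attribute whitelist / single-attribute blacklist evaluator (added example).

Verification methods modelled, following the post:
  - Source IP: taken as true.
  - HELO / reverse DNS name: verified if the name forward-confirms to the source IP.
  - Message From: verified if the upstream DMARC evaluation reported PASS.
SMTP MAILFROM is matched as an identifier but is not verified by any of these methods.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DNS tables standing in for live lookups (RFC 5737 documentation ranges).
FORWARD_DNS: Dict[str, set] = {
    "mx1.utility.example": {"192.0.2.10"},
    "out.esp.example": {"198.51.100.5"},
}
REVERSE_DNS: Dict[str, str] = {
    "192.0.2.10": "mx1.utility.example",
    "198.51.100.5": "out.esp.example",
    "203.0.113.7": "mx1.utility.example",  # forged PTR that does not forward-confirm
}


@dataclass
class Message:
    source_ip: str
    helo: str
    mailfrom_domain: str
    from_addr: str
    dmarc_pass: bool                 # result supplied by the upstream authentication step
    rdns: Optional[str] = None       # filled from the reverse table below

    def __post_init__(self) -> None:
        self.rdns = REVERSE_DNS.get(self.source_ip)

    @property
    def from_domain(self) -> str:
        return self.from_addr.rsplit("@", 1)[-1].lower()


def forward_confirms(name: str, ip: str) -> bool:
    """True when the host name's forward lookup contains the connecting IP."""
    return ip in FORWARD_DNS.get(name, set())


def identifiers(msg: Message) -> Dict[str, Tuple[Optional[str], bool]]:
    """Every identifier the post says a product should log, with a verified? flag."""
    return {
        "source_ip": (msg.source_ip, True),
        "rdns": (msg.rdns, bool(msg.rdns) and forward_confirms(msg.rdns, msg.source_ip)),
        "helo": (msg.helo, forward_confirms(msg.helo, msg.source_ip)),
        "mailfrom_domain": (msg.mailfrom_domain.lower(), False),
        "from_addr": (msg.from_addr.lower(), msg.dmarc_pass),
        "from_domain": (msg.from_domain, msg.dmarc_pass),
    }


@dataclass
class Rule:
    name: str
    action: str                # "allow" (whitelist) or "block" (blacklist)
    match: Dict[str, str]      # identifier -> exact value, or host-name suffix for rdns/helo
    test_mode: bool = False    # collect data only, never act


def _matches(ident: str, value: Optional[str], pattern: str) -> bool:
    if value is None:
        return False
    value, pattern = value.lower(), pattern.lower()
    if ident in ("rdns", "helo"):              # "portion" match on host names
        return value == pattern or value.endswith("." + pattern)
    return value == pattern


def evaluate(msg: Message, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Return (decision, log). Decision is "allow", "block" or "continue" (hand to content filters)."""
    ids = identifiers(msg)
    allowed = blocked = False
    log: List[str] = []
    for rule in rules:
        hits = {k: ids[k][1] for k, pat in rule.match.items() if _matches(k, ids[k][0], pat)}
        if rule.action == "allow":
            # Whitelist: the whole fingerprint must be present AND at least one part verified.
            fired = len(hits) == len(rule.match) and any(hits.values())
        else:
            # Blacklist: any single identifier match is enough.
            fired = bool(hits)
        if not fired:
            continue
        tag = "TEST" if rule.test_mode else "ENFORCE"
        log.append(f"{tag} {rule.name}: would {rule.action} on {', '.join(sorted(hits))}")
        if rule.test_mode:
            continue
        if rule.action == "allow":
            allowed = True
        else:
            blocked = True
    decision = "allow" if allowed else "block" if blocked else "continue"
    return decision, log


# Constructed rules: a trusted utility, a known spammer seen via an ESP, and a candidate
# block rule run in test mode to see what wanted traffic it would have hit.
RULES = [
    Rule("trusted-utility", "allow", {"rdns": "utility.example", "from_domain": "utility.example"}),
    Rule("known-spammer-via-esp", "block", {"from_domain": "known-spammer.example"}),
    Rule("candidate-helo-block", "block", {"helo": "mx1.utility.example"}, test_mode=True),
]

# Constructed sample messages.
GENUINE = Message("192.0.2.10", "mx1.utility.example", "utility.example", "billing@utility.example", True)
SPOOF = Message("203.0.113.7", "mx1.utility.example", "utility.example", "billing@utility.example", False)
ESP_SPAM = Message("198.51.100.5", "out.esp.example", "bounces.esp.example", "deals@known-spammer.example", False)

if __name__ == "__main__":
    for label, m in (("genuine", GENUINE), ("spoof", SPOOF), ("esp-spam", ESP_SPAM)):
        decision, log = evaluate(m, RULES)
        print(label, "->", decision, log)
```

The spoofed message carries the utility's From address and a PTR record pointing at the utility's host name, so a single-attribute whitelist would have admitted it; here the fingerprint matches but nothing verifies (the forged PTR does not forward-confirm and DMARC did not pass), so the rule stays silent. The test-mode rule shows up in the log for the genuine message, which is exactly the false positive the post says you want to discover before enforcing.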

David Jamell Replied
I use SpamHero and I've got no complaints.

Great responses so far!

@echoDreamz: VadeSecure looks interesting; do you use the "Vade Cloud" product? What is their pricing structure like?

@Douglas Foster: I worked for a company that used Declude years ago for spam filtering and it was great but I don't know how effective it would be against things like phishing. ClearSwift seems promising though; I'll check it out.

@David Jamell: Looking at SpamHero it seems to be primarily an anti-spam tool and less of a security tool. Have you noticed if it does well against phishing/spear-phishing emails?

Has anyone used SpamTitan? They seem to offer security options though it's not clear if it's an add-on or not.

Douglas Foster Replied
You are correct, although Declude can draw on many available RBLs, it does not provide proprietary intelligence or sophisticated content filtering.   My commercial spam filters do the content filtering, and they are needed.   

My goal with any detected spam is to determine the source and then blacklist the source by every viable identification criterion.   Customized Declude is doing that well.
echoDreamz Replied
The product we use, sys admin, is https://www.vadesecure.com/en/email-content-filter/ - We pay around 17k a year, covers 100k users. Handles phishing emails, spam, malware, compromised accounts and numerous other features extremely well. We've had zero complaints regarding it. Pricing really depends on how you are using it, what features you need etc.

We used Declude many years ago and had lots of issues with it stalling out and crashing, resulting in the proc folder backing up; of course, ymmv. We just prefer to not run a product that is "dead" and receives no updates, and the new version seems to be vaporware.
David Jamell Replied
@A System Administrator: Yes, SpamHero does an excellent job of intercepting phishing/spear-phishing emails.  Provides blocking by country as well.  Highly recommend.
Fadi Hussein Replied
You can look at SpamWall as well; we have used it for years and it is a very good product.

best regards,

