Quarantine review - Filling the feature gap
Problem reported by Douglas Foster - Today at 7:24 AM
Submitted
Assume this simplified email filtering model:
  • An inbound gateway evaluates the message and tags it for allow, block, or quarantine.
  • A second system receives messages from the incoming gateway, and logs every message it receives.   Messages are dispositioned based on headers added by the incoming gateway    It provides a review tool for deciding how quarantined messages should be handled, while also providing an interface for auditing the allowed and blocked messages for disposition mistakes.
The purpose of quarantine is to choose a message disposition and choose how to modify filtering rules to bypass quarantine in the future. Since everyone makes mistakes, we also need the ability to check for allowed messages that should have been blocked, and blocked messages that should have been allowed (if the blocked message was captured).

We only need to review recent messages, so the system should automatically discard older messags that are no longer needed for review.    (If permanent archiving is needed, I assume that it is done elsewhere.)

It is difficult to acquire this message review function.
  • The free options do not have a message review interface, and either do not log processed messages or do not provide automated management of the log history.   
  • The expensive options are cloud based, impossible to use behind a proprietary gateway, and lack flexibility.
  • Some products offer quarantine review only.    Allowed and blocked messages are difficult to audit, because the system does not retain the full message.
I have asked this forum for alternatives, but none have been suggested.

I am currently using the only product I know which fits in this space, an Email Security Gateway appliance from BarracudaNetworks.com.    I started using their appliances 20 years ago, when I knew little about email filtering and I believed security vendors could be trusted to provide security.  Years later, when i understood the problem better, I got mad about its limitations.   I intended to change vendors and went shopping.  When I could not find a vendor, at any price, that met my expectations, I built a customized inbound gateway around SmarterMail Free and Declude.  The Barracuda appliance became a necessary part of the solution because it provides the message review function (and a little bit of proprietary filtering.)

As most products are moving to the cloud, I was worried that Barracuda would drop support for their appliance business.  Fortunately, they just accepted a 3-year support renewal with us, and I just deployed their newest hardware platform this year, so it looks like they will be staying in this business for awhile.

Why I think they fit this user base:
- Licensing is capacity based, not user based.
- Annual support is reasonable.  I think we are paying less than $4 (US) per year per user
- If  you buy full support, you get a new appliance every four years, for free.
- If you use an inbound gateway in front of their appliance, to do the heavy lifting, you don't need the appliance to have optimal filtering feature.

Because of free replacement, I have no idea about initial purchase costs. 

Hope this helps some of you.   If it also sells some appliances, it protects me by keeping their appliance business alive.

Zach Sylvester Replied
Employee Post
Hey Douglas,

Thank you for sharing this. Your post highlights an important gap in the email security market. Most systems focus only on quarantine, but administrators also need a practical way to review recently allowed and blocked messages so they can identify false positives, false negatives, and gaps in their filtering rules.

SpamFoo’s next release will add the ability to review message content directly from the dashboard, report messages back to SpamFoo, and create rules based on those messages.

SpamFoo currently makes a binary spam determination, meaning a message is classified as either spam or not spam. It also performs additional threat detection, including identifying domain typosquatting and checking links against PhishTank for known phishing threats.

I think the workflow you described would fit well into SpamFoo. A useful future enhancement could allow administrators to quarantine specific domains or senders directly from the dashboard. It could also provide an option to automatically quarantine messages that contain known dangerous links.

The ability to temporarily retain and review allowed, blocked, and quarantined messages would also be valuable. That would give administrators a central location to review recent decisions, correct mistakes, and create rules without requiring the system to act as a permanent archive.

SpamFoo is not currently intended to function as an email archiving platform. However, I could see value in connecting this type of review functionality with SmarterMail’s existing archiving system. SpamFoo could handle temporary message retention for review, while SmarterMail’s archive could handle long-term compliance and retention requirements.

We have also tested SpamFoo’s upcoming GPU support using an NVIDIA RTX 4060. In our testing, the average scan time was under 50 milliseconds per message. For high-throughput gateway servers, adding an inexpensive GPU could become a practical way to increase scanning capacity.

Your ideas align well with SpamFoo’s focus on privacy and local processing. Since the processing is performed on the customer’s own infrastructure, stronger quarantine, review, auditing, and rule-management features would make a lot of sense.

I will bring your ideas to the SpamFoo team so they can be discussed as potential future enhancements.

Thanks again for taking the time to share your experience and suggestions.

Zach Sylvester

Software Developer
SmarterTools Inc.

Reply to Thread

Enter the verification text