June 19, 2008

EEMA has found a new role

EEMA was founded in 1987 as the European Electronic Messaging Association, mirroring the now defunct EMA. EEMA has continued with a loyal group of supporters and shifted focus with industry trends. Its focus is now Electronic Identity, and we recently attended the two-day European e-Identity Conference in The Hague.

EEMA is outsourcing its operations, which is working well. This change has restored its finances to a sound footing. There are regular meetings around Europe and special interest groups.

There was an attendance of almost 200, and a good selection of worthwhile talks. Corporate membership is low cost, and worth considering for organizations and individuals interested in Electronic Identity.

- Steve Kille, CEO.

June 11, 2008

M-Switch Anti-Spam False Negative Rate Graph Update

As mentioned in previous posts (Blog post May 9th 08 and Blog post May 14th 08), we have been paying particular attention to the false negative rate of the copy of M-Switch Anti-Spam running here at Isode's offices. We wrote a whitepaper on our findings:

“Measuring the False Negative Rate for Isode’s M-Switch Anti-Spam.”

The whitepaper included graphs showing the daily quantities of Spam we received and the daily False Negative rate going back over 4 months (up to 30th April). We always intended to keep these graphs up to date so that they would continue to track M-Switch's performance and today we've updated them to include May's figures.

We will continue to update these graphs, at the end of each month, so that they always show current data.

June 05, 2008

Isode at the European e-Identity Conference

Isode CEO Steve Kille will be speaking at the European e-Identity Conference in The Hague next week. Steve's talk on "International Passport Verification and the Role of Secure Distributed Directory" comes out of the work we've been doing at Isode on Directory in Support of Machine Readable Travel Documents (MRTD).

Steve will be speaking on Day 2 of the Conference, which is being organized by EEMA and taking place in The Museum of Communication in The Hague. More information on EEMA and registration details for the conference can be found here.

May 14, 2008

Measuring False Negatives and IP Reputation

Richi Jennings noted in a recent post on the Ferris Blog (BorderWare Claims Amazing Reputation Filtering) the claim from BorderWare of getting 98.3% detection using IP Reputation (DNSRBLs), and that other sources suggested 75%.

Isode has been making measurements of false negative rates, published in a white paper, “Measuring the False Negative Rate for Isode’s M-Switch Anti-Spam.”

Our measurements suggest that the (public) DNSRBLs we use hit about 90% of spam. Well-managed DNSRBLs seem an effective way to detect spam, because they have a very low false positive rate. We use DNSRBLs to mark messages (rather than reject at the SMTP server), so we can examine quarantine to check for false positives.

A further 5% can be hit by two other reputation mechanisms:

  1. SPF (which is well known) is reasonably effective, but can produce some false positives, particularly in conjunction with mailing lists.
  2. SURBL detects URLs within messages, using an underlying RBL mechanism.

Isode’s M-Switch anti-spam can hit most of the remaining spam with a variety of other spam markers and content scoring (using Support Vector Machine derived tables). General-purpose content scoring appears to work very well for many users, but aggressive checking leads to false positives for others, which can be mitigated by use of whitelists.

It seems conceivable that rates higher than 90% can be achieved using public DNSRBLs, although experience suggests that some (poorly managed) DNSRBLs lead to false positives.
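
The lookup-and-mark flow described above, as an added example that is not Isode's code: the connecting IP is checked against a DNSRBL, URL domains in the body are checked against a SURBL-style list, and hits become markers instead of an SMTP rejection. The zone names, function names and zone data are constructed placeholders, and the resolver is a stub so the example runs offline.

```python
import ipaddress
import re

# Placeholder zones and constructed zone data; not real blocklists.
DNSRBL_ZONE = "dnsrbl.example"
URIBL_ZONE = "uribl.example"
SAMPLE_ZONE_DATA = {
    "25.2.0.192.dnsrbl.example": ["127.0.0.2"],
    "spam-example.test.uribl.example": ["127.0.0.2"],
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def sample_resolve(name):
    """Stand-in for a DNS A lookup: addresses for name, [] for NXDOMAIN."""
    return SAMPLE_ZONE_DATA.get(name.lower(), [])


def dnsrbl_name(ip, zone):
    """An IPv4 address a.b.c.d is looked up as d.c.b.a.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(name, resolve):
    """A listing is signalled by an A record inside 127.0.0.0/8."""
    return any(ipaddress.ip_address(a) in LISTED_NET for a in resolve(name))


def url_domains(body):
    """Domains of URLs in the body, cut to the last two labels (a
    simplification: real lists need public-suffix handling)."""
    hosts = (h.strip(".").lower() for h in URL_HOST.findall(body))
    return sorted({".".join(h.split(".")[-2:]) for h in hosts if "." in h})


def mark_message(client_ip, body, resolve=sample_resolve):
    """Return spam markers for one message; the message is never rejected."""
    markers = []
    if is_listed(dnsrbl_name(client_ip, DNSRBL_ZONE), resolve):
        markers.append("DNSRBL")
    for domain in url_domains(body):
        if is_listed(domain + "." + URIBL_ZONE, resolve):
            markers.append("URIBL:" + domain)
    return markers
```

Because the result is a list of markers, a marked message can still be delivered to quarantine and reviewed for false positives, which an SMTP-time rejection would not allow.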

This has been cross-posted from the Ferris Blog.

New Evaluation Guide: Directory Access Control using Security Labels

Isode's M-Vault now supports Directory Access Control using Security Labels. This is a feature we introduced with R14.2 and which we've talked about in a number of our recent Directory Whitepapers.

To illustrate how this works in practice, we've produced a new evaluation guide that leads an evaluator through:

* Setting up security label and security clearance controls for the directory
* Testing authentication restrictions and object access permissions
* Testing object addition restrictions

The evaluation page for this feature, together with links to documentation, can be found on the evaluation page.

As new features are added to Isode software and new documents added to our evaluation library, this guide will change. To make it easier for evaluators to keep track of potentially important changes and additions, we've made an RSS feed available for this guide.

May 09, 2008

Measuring the False Negative Rate for Isode's M-Switch Anti-Spam

A key feature of any anti-spam solution is how effective it is at removing spam. A perfect anti-spam system would have a zero false positive rate and a zero false negative rate. In practice, this is not usually achieved, and systems will invariably trade off the two measurements.

A new whitepaper on the Isode website describes how false negatives can be measured and looks at false negative rates from the beginning of this year for Isode's M-Switch Anti-Spam.

"Measuring the False Negative rate for Isode's M-Switch Anti-Spam"

The graph below shows the false negative rate from January 2008.

[Graph: M-Switch Anti-Spam false negative rate from January 2008]

May 08, 2008

Isode R14.2v1 now available


We're pleased to announce that a new version of R14.2 is now available for download from the Isode website.

Details of features and fixes in R14.2v1 can be found in the accompanying release notes.

The binaries for this release can be downloaded from the Partner Index Page or by following the relevant links from the Evaluation section of the website. You'll need a Partner or Evaluator login and password to download the binary files and the accompanying Release Notes, which detail the features and fixes in R14.2v1.

If you wish to evaluate Isode software and do not have an evaluation login, you can obtain one by filling in this short evaluation form.

April 23, 2008

ClamAV--Useful, Free Anti-Virus

ClamAV is an open source, free anti-virus tool, designed for email scanning on mail gateways.

It is owned by Sourcefire, which employs the ClamAV developers and provides commercial support for ClamAV.

The most important capability of an anti-virus product is to be able to remove a high percentage of viruses, including rapid reaction to new viruses.

A test by Untangle put ClamAV as one of the top three (along with Kaspersky and Symantec). This test generated a lot of controversy, with some arguing the test methodology to be flawed and others suggesting that commercial vendors are trying to suppress a free alternative.

A comment from AV-Comparatives, which provides independent testing, gives useful insight in explaining why it does not include ClamAV in its standard list. AV-Comparatives notes that ClamAV is not designed or suitable for use on an end system, but is designed to detect spreading viruses, and has a very good response rate to new threats. This is confirmed in its report and other references on the net.

ClamAV detects phishing attacks, as well as conventional viruses and worms. During one day’s operation on the Isode servers, the following viruses and phishing attacks were detected:

  • Exploit.HTML.IFrame: 10 Time(s)
  • Exploit.WMF: 6 Time(s)
  • HTML.Phishing.Auction-144: 1 Time(s)
  • HTML.Phishing.Auction-222: 2 Time(s)
  • HTML.Phishing.Bank-1232: 1 Time(s)
  • HTML.Phishing.Bank-474: 18 Time(s)
  • HTML.Phishing.Pay-36: 1 Time(s)
  • W32.Sality.Q-1: 5 Time(s)
  • Worm.Mydoom.I: 1 Time(s)
  • Worm.Mydoom.M: 4 Time(s)
  • Worm.SomeFool.AA-2: 9 Time(s)
  • Worm.SomeFool.D: 1 Time(s)
  • Worm.SomeFool.P: 17 Time(s)
  • Worm.Stration.YY: 1 Time(s)
  • Worm.Womble.D: 8 Time(s)

The integration with an email gateway is straightforward and efficient. This is important for gateway/boundary use. A number of AV vendors are focusing on appliance and “complete solution” offerings, and are either dropping or reducing support for integration with other products.

ClamAV is a good anti-virus option for boundary checking.

April 11, 2008

HF Radio & Network Centric Warfare

Modern military communications are a key component of Network Centric Warfare. HF Radios are used extensively for military communications, and, although very slow, provide effective long distance communication in a wide range of situations.

A new whitepaper on the Isode website looks at how HF Radio fits with Network Centric Warfare, and looks at approaches for integrating HF Radios to maximize their effectiveness.

"HF Radio & Network Centric Warfare"

April 04, 2008

Tricast Mail

We've blogged before about how important it is that mobile device manufacturers take seriously the user interface of the email clients that they ship with their phones (as Apple have done) and how their failure to do this so far has helped make retrieving and sending email on a phone an unattractive proposition.

We came across the Tricast Mail email client recently and this blog post (and the video of the interface half-way down) makes the v2 version of the client look rather special. Can't wait to try it out.