GIAC Report
Thursday, September 11, 2003


MailWasher Pro
www.firetrust.com/products/mailwasherpro

FEATURES:

  • FREE 30-day trial
  • $29.95 to register (license and support)
  • One license covers multiple computers for one user (e.g., home & office, or two at home)
  • Handles as many POP3 and/or Hotmail mailboxes as you wish
  • Next release (free upgrade) will also handle MAPI and AOL mailboxes

BENEFITS:

Over the past several weeks, I have enjoyed using MailWasher Pro to get rid of thousands of unwanted spam and virus messages from eight e-mail accounts without having to download any of them to my local machine:

    Center @ Centerway
    Neil @ Centerway
    Center @ Hotmail
    Neil @ Hotmail
    WebMan @ Hotmail
    GIAC @ Greenbelt
    SysMan @ Greenbelt
    WebMan @ Greenbelt

Each time I use the product, I remove the junk from all eight accounts in one sweep! Like MailWasher Free, in addition to deleting unwanted messages, this version of the product also bounces whatever it can back to the sender and accumulates an ever-longer whitelist and blacklist of good and bad guys. It’s so quick and easy to use that it’s actually great fun and gives you the exhilarating feeling of finally being able to fight back against all the morons out there who would waste your time or even do you harm.

An unexpected benefit was the ability to preview the content of new messages in all of the protected mailboxes without having to log in to each account individually or download any messages. Because I use many mailboxes and try to be rigorous about checking them frequently for new mail, this preview feature alone saves me a lot of time each day.

[Another extremely fortuitous and timely benefit of this product over the past few weeks has been the identification of thousands of copies of the SoBigF virus that arrive daily in the mailboxes I am covering. While not billed as a full-featured virus-checker (and should not be considered so), the product’s built-in heuristic rules had no trouble spotting SoBigF, allowing me to effortlessly dispose of all those virus-laden messages that have been plaguing users and overwhelming mail servers all over the world.]

CONFIGURATION:

In addition to generating a user-approved whitelist and blacklist, the product can be configured to check messages against public spam databases (e.g., SpamCop and ORDB). You can define very simple or very complex filters and/or use the product’s built-in heuristic rules to filter messages in sophisticated ways that suit your needs and preferences. Or, you can obtain very effective results simply by using the product with its default settings.

I tested (and continue to use) the product in two ways:

  • At home, by reviewing the flood of incoming message traffic, I developed a list of “black domains” from which I would accept no messages and “white domains” from which I would accept all messages (e.g., greenbelt.com). Domain-level filters are used to avoid having to blacklist or whitelist each individual sender within the domain. Messages that “spoof” the sender's address (to appear, for example, as ‘someone@greenbelt.com’ in order to qualify for your whitelist) can be marked for deletion with one mouse click.

    Next, I defined numerous filters to screen out messages containing various spellings of common marketing and pornographic words.

    Later, as I noticed patterns in spam messages that were not caught by my subject line and content filters, I defined an additional filter to identify all messages not sent to me – in other words, any incoming message not addressed to one of my eight mailboxes (proof positive that the message header had been spoofed) was filtered. This turned out to be my “killer filter”, catching many messages that otherwise would have been missed.

  • At my office, I used a much simpler approach, starting with the same short list of “white domains” and the filter to catch messages not sent to me, but defining no header or content filters. This abbreviated approach to filtering saved me a lot of time.

Occasionally afterward, at both home and office, I reviewed the accumulated blacklist of individual addresses looking for significant repetitions (i.e., many addresses in the same domain). Whenever I found any, I combined them into “black domains” to reduce the length of the blacklist. To accelerate the process of accumulating your blacklist, I recommend utilizing the public spam database option to pre-assign a status to messages originating from well-known spammers (all of which can be safely blacklisted).

With both testing approaches, my objective was not to automatically block or delete filtered messages but to have the filters and rules assign a status to each message before I examined the entire message list visually. Individual messages that evade your filters can be whitelisted or blacklisted by simply hitting the “+” or “-” key, respectively. Based on the assigned status and your filtering rules, the program proposes disposition decisions for each message; however, you can override any of those decisions simply by checking or unchecking little boxes. (One example: There is no point in trying to bounce a message with a spoofed return address -- you would just get another message later telling you that the bounce couldn’t be delivered.)

After using both filtering approaches for several weeks, I judge that it is much easier and just as effective to start “cold” (i.e., by defining very few filtering rules). Using either approach, your blacklists and whitelists will end up looking much the same. With that realization, I deleted all the subject line and content filters I had so carefully crafted for my home configuration as being cumbersome and unnecessary. For me, it is actually quicker to visually locate the subset of messages I need to examine (see paragraph below) if they have not been assigned a status by my own filters.
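The following is an added illustration, not code from MailWasher Pro or from this review, of the filtering logic described above: domain-level white and black lists, the “not sent to me” header check, the rule that only previously blacklisted mail is ever removed automatically, and folding repeated blacklist addresses into black domains. The mailbox names, domains and sample messages are constructed for the example.

```python
import email
from collections import Counter
from email.utils import getaddresses, parseaddr

# Constructed settings standing in for the reviewer's lists (all names are assumptions).
MY_MAILBOXES = {"center@centerway.example", "neil@centerway.example"}
WHITE_DOMAINS = {"greenbelt.com"}
BLACK_DOMAINS = {"bulkmail.example"}
BLACK_ADDRESSES = {"offer@promo.example"}


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """Propose a status: blacklist first, then the 'not sent to me' check,
    then the domain whitelist, else blank (left for manual review)."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if sender in BLACK_ADDRESSES or domain_of(sender) in BLACK_DOMAINS:
        return "Blacklisted"
    if not rcpts & MY_MAILBOXES:
        # None of my mailboxes appears in To/Cc. This also catches a forged
        # whitelisted sender; legitimate Bcc or list mail lands here too,
        # so the status only marks the message for review, never deletes it.
        return "Filtered"
    if domain_of(sender) in WHITE_DOMAINS:
        return "Friends"
    return ""


def auto_delete(raw):
    # Only mail from a previously blacklisted address or domain is removed unseen.
    return classify(raw) == "Blacklisted"


def consolidate_blacklist(addresses, threshold=3):
    """Fold individual addresses into black domains when many share one domain."""
    counts = Counter(domain_of(a) for a in addresses)
    new_domains = {d for d, n in counts.items() if n >= threshold}
    remaining = {a for a in addresses if domain_of(a) not in new_domains}
    return new_domains, remaining


# Constructed sample messages (headers only; bodies are irrelevant to the rules).
GOOD = "From: pat@greenbelt.com\nTo: neil@centerway.example\nSubject: hi\n\nbody\n"
SPOOFED = "From: pat@greenbelt.com\nTo: victim@other.example\nSubject: hi\n\nbody\n"
JUNK = "From: deals@bulkmail.example\nTo: neil@centerway.example\nSubject: buy\n\nbody\n"
UNKNOWN = "From: new@somewhere.example\nTo: center@centerway.example\nSubject: ?\n\nbody\n"
```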

TECHNIQUE:

I found the task of reviewing the incoming messages to double-check the program’s disposition decisions to be quick and easy, even when covering many mailboxes. The displayed message list is a work area (table) that can be sorted on any column with a single mouse click, making it extremely easy to review. The quickest approach turned out to be sorting the table on the Status column to group messages of like status together. Only those messages with a status of Filtered (if you use filters), Possible Spam, Possible Virus, or "blank" need to be examined. All of the other status groups, Friends, Blacklisted, Blacklisted Origin, Probable Spam, Probable Virus (i.e., most of the messages), can be safely ignored.

THE FINAL STEP:

After several weeks of experience with this product, I finally decided to utilize the option to automatically bounce and delete blacklisted messages. With this option enabled, blacklisted messages are removed from the mail server on a time interval defined by you and never even appear in the program’s work area, much less in your local mailbox. Keeping in mind the Spam Committee’s Prime Directive “Thou Shalt Have No False Positives”, I had been extremely cautious about not accidentally allowing the program to delete any legitimate messages (especially from other people’s mailboxes) due to false positive (erroneous) analyses. Gradually, though, I began to understand the subtleties of the program’s design. Even when fully configured and enabled with all the fancy filters, heuristic rules and spam databases (or not), and with the automatic delete option enabled, the program could not make a mistake on its own because only messages that were previously blacklisted are automatically deleted. The final decision to add an individual address or an entire domain to the blacklist is always made by you, based on your review of the status assigned to each message in the program’s work area.

With that realization, I was able to save even more time by enabling the automatic option. The two computers at my home and office are now disposing of previously blacklisted mail every ten minutes 24/7 and keeping mail only from new sources for my review. Because I can preview the content of all Inbox messages and delete those I don’t want to keep directly from the MailWasher work area, I only need to log in to my several e-mail accounts in order to send replies or reorganize my kept messages into different folders. The previously onerous task of trying to stay on top of my daily flood of e-mail has become a pleasure again. Imagine that!

ADDITIONAL COMMENTS:

Even though MailWasher Pro can monitor multiple POP3 and Hotmail mailboxes, only one e-mail client program (e.g., Outlook, Outlook Express, Eudora, etc.) can be started from within the product. Web-based e-mail programs such as Hotmail must be accessed via your web browser. Initially, this factor seemed to be a limitation of the product, but I eventually realized that starting any e-mail program from within MailWasher Pro was unimportant. In Windows, MailWasher can be run independently of and in parallel with one or more instances of the same or different e-mail program(s), making it suitable for use with almost any of them, unlike many of the other spam blocking programs that are tailored for use with a specific e-mail program.

USER-SAFE AND HIGHLY RECOMMENDED – In my opinion, while this product is very effective and easy to use in its default configuration, it is also flexible and capable enough to satisfy the needs of the most demanding user.

-Reviewed by Neil McLeod

SUPPLEMENTAL REVIEW:

The promised new version of MailWasher Pro, with added support for AOL and IMAP e-mail accounts, is now available. For licensed users, this is a free upgrade -- all your configuration settings are retained.

-Supplemental review by Neil McLeod - 9/28/03

//www.greenbelt.com/giac/reports/spam-mwp.htm     Updated 9/28/03