Postini

Is reputation an anti-spam differentiator?

Submitted by Mike Rothman on Wed, 2006-05-10 14:39.
Since I left the anti-spam business about 9 months ago, it's nice to see that it's still a brutally competitive market where everyone sounds the same. It does seem that innovation on email hygiene (meaning inbound mail) has slowed. I can't recall anyone really introducing a new, important capability over the past 6 months. It's been a lot of point releases aimed at either adding better enterprise management capabilities, scalability or broadening the product scope beyond just inbound email. So now things like IM and compliance/encryption are becoming the battleground - the differentiation so to speak.

At the tail end of my anti-spam tenure, reputation services were all the rage. The concept is that if you know a lot about the sending IP address, you can tell whether they are very likely to be sending spam or good mail. IronPort was the reputation innovator with SenderBase and CipherTrust came later with TrustedSource. Standard disclaimer: I used to work for CipherTrust and am a shareholder (because I can't sell the stock).

Folks like Symantec and Postini always said they had reputation services under the covers, but never really made them visible enough to prove it. Recently (like within the last two weeks), BorderWare (link here) and Habeas (link here) have introduced their own reputation services. Each is pitched as either broader (BorderWare's tracks IP and VoIP data) or larger (Habeas claims 60 million IP addresses in their database - which may or may not be true). I'm sure they have 60 million things in a database. What those things are is subject to interpretation. You have to love marketing.

But if you are a customer looking at these solutions, does it matter? The vendors will try to paint their reputation stuff as broader, more accurate, bigger and will let you drop more bad messages at the gateway. Who do you believe? I say believe none of them. Reputation is now a standard part of the game and it's certainly under the covers. You don't buy an anti-spam product because of a reputation service. You buy it because it stops your bad mail.

Content security is a different animal. That is hard to believe for many who have grown up in the network security space, where an attack is an attack is an attack. Maybe 50% of spam is ridiculous. Dealing with nasty inappropriate stuff or prescription drugs, all the products catch that stuff - or they don't get to play.

It's the borderline stuff that is very difficult to categorize. One man's spam is another man's gold. A lot of spam is subjective, so it's very hard to say in absolute terms whether a message is really spam. That's why end user quarantine is so important: then the users at least get to see if there are false positives in the mix. Then you've got the language issue. Non-English spam provides a lot of variability in results. You can't just drop a US anti-spam product into the Far East. It's not a firewall.

But getting back to reputation, your definition of spam may be different and your traffic is going to be different. So you'll need to figure things out for yourself. In the content security space, the eval is everything. You need to test these products out. Maybe the specific vendor's reputation database works great for you. But it may not. And the only way you'll find out is by running the products against actual mail. That's right, run the email gateways against a subset of your live mail flow.

Theoretically, reputation should still be a differentiator. But folks like Proofpoint and MailFrontier/SonicWall continue to stop spam without it. So maybe it doesn't matter. Unfortunately I can't answer the question for you. You'll need to be the judge.

Can You Have a Review if No One Shows Up?

I spoke about maturity in my recent Network World article (here), and I stumbled across another HUGE example of what happens when a market matures. Having spent a while in the anti-spam business, I still follow the space closely. I saw that SC Magazine published a group test on email security services. So I clicked on the link to see what they had to say. It was kind of funny to say the least.

This quote says it all:

We were disappointed by the poor turnout for testing. Managed service companies have always been reluctant to allow testing. Taken to extremes, as in the case of the now-bankrupt Avecho, we received a complete stonewall response to queries about the service risks alienating the market. In this test, over a dozen vendors were approached, and while several indicated interest, only four finally provisioned services.

Non-participants included high-profile players like Postini, Frontbridge (now owned by Microsoft) and MessageLabs.

So basically out of the 15-20 vendors in this space FOUR showed up. And these four are pretty low profile (Black Spider, Mimecast, MIMEsweeper, Softscan).

Why wouldn't the leaders show up? Are they scared? Of course not. THEY HAVE NOTHING TO GAIN.

Remember the role of product reviews in the procurement cycle. I described that here. If I can talk to real reference customers, why do I care about a product review? You don't. Each of the vendors passing on the review has thousands of customers. They've got plenty of references.

The other key issue is THEY CANNOT AFFORD TO LOSE. The last thing you want to do is show up and lose, especially to someone when you have 1000x their number of customers. That would be a bad day.

Do you wonder why Cisco doesn't show up for IDS or firewall reviews? They don't have to. People will look at their stuff because they are Cisco.

If a market is mature, product reviews are useless because the true leaders will not show up. So you can find out who is the strongest of the weak. But you won't learn a thing about who you should pick.