Carrier class email security recommendation

>I am in the process of sourcing for a carrier class email security
>solution that will replace our current edge spam gateways based on open
>source solutions. Some solutions that I am currently considering are
>Ironport, Fortinet Fortimail, MailFoundry and Barracuda.

A lot of the answer depends on what you think of as "carrier class." Generally, I would consider a carrier-class device to have a couple of attributes that are different from a typical enterprise-class device:

Quarantine: carrier class: no (enterprise: maybe)
Per-user settings: carrier class: no (enterprise: maybe)
False positive rate: carrier class: very very low (enterprise: very low)
False negative rate: carrier class: low (enterprise: very low)
Performance: carrier class: critical (enterprise: important)

In other words, I think of a carrier-class product as something that sits in the mail stream and does a good job of blocking spam, but is set up so that no one needs to talk about it. You don't want to get a stream of false-positive reports, but you are willing to let some spam through in order to avoid help desk calls. The goal of this product is mostly to keep your mail servers happy, and as a secondary goal, to keep the users happy.

You could have a second level of anti-spam protection, something more Postini-esque, which is carrier-sized but has a lot more user interaction and user settings, for people who want to get premium anti-spam protection. But that's more an enterprise product that scales up, which is subtly--but importantly--different from a carrier product.

We test anti-spam products for efficacy (essentially FP & FN performance), less so for performance. If you are looking at Ironport, then you want to ask them about the Cloudmark anti-spam engine. It is a "carrier-focused" engine, and you'll find that the pricing is MUCH better than their own engine once you get to large numbers of users. In fact, I believe that they added the Cloudmark engine specifically to address queries like yours--people who like the product architecture, but are turned off by the licensing. With Cloudmark inside, you get the same product flow and features, but a less expensive engine good for large ISPs.

In terms of speed, the obvious feature to look for is reputation services. This gives you an enormous savings. Symantec used to offer a box based on Turntide, which was a standalone throttle for spam; I don't know if they have that as a standalone or not, but if they do, I'd recommend something like that. You may be able to roll your own as well fairly easily since there's no MTA to worry about.

The win with reputation services is fantastic. For example, I did a test with a Crossbeam box and Trend a while ago (http://www.opus1.com/www/whitepapers/crossbeam-perf.pdf) and we were getting a steady-state 600 messages/second without reputation filtering; with reputation filtering, about 1645 messages/second. That's using MAPS RBL+, which is a low-risk reputation service. Plug in a service like Spamhaus or Ironport's SenderBase, and you would get closer to 2500 messages/second (about 200 million messages/day).

Based on our testing, for a carrier-class deployment, I'd recommend looking at Ironport+Cloudmark, Trend, and Tumbleweed (now Axway). There are other good products (Proofpoint, for example, turns in great scores as does Sophos), but performance-wise they may not be able to scale up to the kind of load you're talking about when you say "Carrier Class."

Feel free to contact me offline if you need more observations, etc.

jms
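
The connect-time reputation check discussed in the reply, sketched as an added example that is not part of the original message or any vendor's code: a DNSBL-style lookup that rejects listed senders before the content scanner sees them. The zone name `dnsbl.example`, the in-memory resolver, and the sample addresses are constructed for illustration, and `sustained_rate` is a simplified model that assumes rejected connections cost the scanner nothing.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical zone name, not a real reputation service
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL listings answer from this range

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def is_listed(ip, resolve, zone=ZONE):
    """resolve(name) returns a list of A-record strings, [] on NXDOMAIN."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False  # fail open: a DNS outage must not turn into false positives
    # Only 127.0.0.0/8 answers are listings; a resolver that rewrites NXDOMAIN
    # to some other address must not cause a rejection.
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)

def gate(connections, resolve):
    """Split connecting IPs into (rejected at connect time, passed to scanner)."""
    rejected = [ip for ip in connections if is_listed(ip, resolve)]
    passed = [ip for ip in connections if ip not in rejected]
    return rejected, passed

def sustained_rate(scanner_rate, reject_fraction):
    """Simplified model (assumption): rejected connections cost the scanner nothing."""
    return scanner_rate / (1.0 - reject_fraction)

# Constructed sample data using documentation address ranges.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.2"],
    dnsbl_query_name("2001:db8::1"): ["127.0.0.4"],
    dnsbl_query_name("198.51.100.7"): ["203.0.113.5"],  # rewritten NXDOMAIN
}

def fake_resolve(name):
    if name == dnsbl_query_name("198.51.100.99"):
        raise OSError("simulated resolver timeout")
    return FAKE_DNS.get(name, [])

SAMPLE = ["192.0.2.10", "198.51.100.7", "2001:db8::1", "198.51.100.99", "192.0.2.200"]

if __name__ == "__main__":
    rejected, passed = gate(SAMPLE, fake_resolve)
    print("rejected:", rejected, "passed:", passed)
    print("implied rate:", round(sustained_rate(600, 1 - 600 / 1645)))
```

Under that simplified model, going from 600 to 1645 messages/second corresponds to roughly 64% of offered traffic being turned away before scanning. The fail-open and 127.0.0.0/8 checks are there to protect the false-positive rate.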