Review: NoSpamProxy (AntiSpam)

Here is another short review. I am often asked which anti-spam / email security product I would recommend and what my experiences are with it. There are countless solutions on the market and almost the entire spectrum is covered: special hardware appliances, VMs, Windows or Linux, software that is installed directly on the Exchange server, Outlook plug-ins, cloud services and who knows how many other different approaches... (sometimes a mix of everything).

This review is now dedicated to NoSpamProxy. I have chosen NoSpamProxy (NSP) because it is only software that runs on Windows servers. It is therefore possible to install NSP on Windows servers running on hardware or as a VM. Installation directly on the Exchange Server is also supported (if you want to). NSP therefore offers a great deal of flexibility that many other products cannot match and is therefore suitable for small and large environments.

NoSpamProxy may not be familiar to everyone, but the software has been on the market for some time and is developed in Germany (more precisely, in Paderborn, which is about 35 km away from me). NoSpamProxy is probably one of the few products for e-mail security that is developed in Germany and is also close to me, which is something I would naturally like to support.

So here is an article / review and test report on NoSpamProxy.

Test environment

For NoSpamProxy (NSP) I continued to use my test environment for the Exchange 2019 DAG. The Exchange environment is already described here. There is now only one new VM with the name NSP.

NoSpamProxy supports multiple deployment variants, from single server to separate roles and high availability, everything is possible. This means that NSP can be adapted to almost any environment, including cloud scenarios.

For this test, I installed all NSP roles on a VM; this is described in the NSP manual as "NoSpamProxy upstream":

I have to confess: I am new to NSP. Although I am familiar with various e-mail security gateways and spam filters from different manufacturers, I have hardly had any contact with NSP.

So now the free 30-day NSP test phase begins for me...

Installation

The installation of NoSpamProxy is kept simple, basically you just have to start the setup and click "Next" a few times. In this case, I have chosen "Advanced installation", as this allows me to better display the possible options:

The license agreement is of course read carefully (license, very British, tea time?):

I install all features on a server in my test environment:

The Report Viewer 2010 is only required for the management tools, but this component could perhaps be replaced with something more up-to-date, because you don't really want to use such old software any more:

I leave the installation path as it is, but it makes sense to move it to another partition:

The SQL Server 2012 Express Edition is also a bit outdated, but here you would have the option of using a newer version. However, I have left it at SQL 2012 Express:

These were all the dialogs for the installation; click on "Next" to carry out the installation:

The NoSpamProxy setup automatically downloads and installs SQL 2012 Express:

Setup completed, log out once and log in again:

The installation of NoSpamProxy is now complete. Continue with the basic configuration.

Basic configuration

NoSpamProxy offers a configuration wizard for the basic settings. This makes commissioning much easier, but you will still need to make some changes later on.

Here are the steps using the configuration wizard for the basic configuration:

The configuration wizard first requires the license file. I am using the free 30-day demo for this test:

After specifying the license file, an overview of the features follows:

As I have installed all NSP roles on one server in this test environment, the roles are also directly connected. If the gateway and intranet role are installed on different servers, the roles must be connected here:

The next dialog asks for the existing e-mail domains; all domains for which NSP is responsible can be specified here:

In the next step, the company's mail servers (internal mail servers) are queried. The servers that are allowed to send mails with the company's own domain (in this case frankysweblab.de) must be specified here. Application servers (CRM, SharePoint, etc.) that must send mails with a sender from your own domain to external recipients must also be specified here:

The wizard then queries the servers to which incoming mails are to be forwarded. In most companies, the Exchange server will probably be responsible here. I would have liked to be able to specify several servers here, but as this is not directly possible, I have specified the address of the load balancer here.

Note: The "queue mode" for incoming mails can be configured retrospectively, meaning that it is also possible to specify several internal servers without a load balancer. Version 13 completely dispenses with proxy mode, allowing multiple servers to be specified directly in the wizard.

If you only have an internal Exchange server, you can enter the address here:

Similar to the Exchange send connectors, the next dialog allows you to specify how NSP should deliver mails to external recipients, smarthost or delivery via DNS (direct delivery, MX):

The next question of the configuration wizard seems inconspicuous, but is a pretty cool feature. Via OpenKeys, NoSpamProxy can retrieve the PublicKeys of the SMIME certificates and thus send encrypted mails directly:

If the recipient's PublicKey is stored in OpenKeys, there is no need to exchange keys. This means that signed mails do not have to be exchanged before encrypted mails can be sent via S/MIME. In my test environment, a user of frankysweblab.de could therefore use S/MIME encryption directly without having received a signed mail from me first, as my PublicKey is known to OpenKeys:

In the next step, the senders for notifications can be configured:

Sensitive data (cryptographic keys and authentication information) can be protected by a password:

This was the last step of the configuration wizard. The NoSpamProxy MMC now contains significantly more points:

However, the configuration is not yet complete. Although a few basic settings have now been made, further configuration work is still required for NoSpamProxy to work properly.

Advanced configuration

The extended configuration includes the configuration of the host name for the gateway role; the host name must match the MX record and the certificate:

For this test, I am using a certificate from Let's Encrypt (issued under the name mail.frankysweblab.de). The certificate is already stored on the Windows server for NSP and must now be assigned to the connectors.

First, the existing certificate is bound to the connector for outgoing mails:

The certificate must be available in the computer's certificate store so that it can be selected:

In this case, the same certificate can also be bound to the connector for incoming mails:

Again, the certificate can be selected from the computer's certificate store and StartTLS can be activated:

After the configuration has been changed, the gateway role must be restarted once:

The following setting optimizes the TLS configuration (deactivates insecure encryption methods) and should definitely be carried out:

The settings in the "Monitoring" category should also be checked and adapted to your own requirements. I have changed the values for message tracking slightly:

Another important point is user import. NSP should of course know the internal e-mail addresses of the company, so that e-mails to invalid addresses can be rejected at an early stage. The import from the Active Directory can be configured in the "Company users" category:

A name and a cycle are first defined for the automatic import:

At this point the wizard asks for a "specific domain controller" (by the way, this is the first time in my life that I have written "domain controller", it triggers a small brain hiccup...) :

The import can now be further restricted, for example, only "users" could be imported, but not groups. Groups that should be publicly accessible (caution, "Mail to all"...) can thus be granularly enabled or blocked:

In the next dialog, different functions can be assigned based on AD groups, so the marketing department could be allowed to receive larger mails, while other users are only allowed to receive or send small mails:

It is also possible to filter on AD attributes, but it is up to the user to decide where this is useful and usable:

Once the wizard is complete, the imported users are displayed:

Unfortunately, the NSP setup does not configure the Windows firewall during installation, so in order for NSP to receive mails, at least port 25 for SMTP must be opened on the Windows firewall:

Now I can start testing. The rest of my network is of course already prepared (MX, NAT, etc).

Test

To test NSP, I unleashed my collected "works of good humor" on the system, from typical SPAM nonsense to virus-infected mails to sophisticated phishing mails, everything was included.

I did not record the complete test and which emails were rejected or delivered. You can check exactly what happens to an email using the message tracking function:

The details for each mail in the message tracking are very clearly displayed, which makes troubleshooting particularly easy in my opinion. Here are 3 examples of message tracking:

Another mail that has passed the filter:

Here is an e-mail that was rejected:

In this case, the e-mail contained the EICAR test virus:

The detection rates of NSP were very good in my test, but my test did not involve "real data". I collected SPAM and malware mails from other domains over a longer period of time and then had them delivered to NSP via a relay. Since NSP recognized the test relay as a spam slinger at an early stage, all other mails were also rejected by the relay. This also affects harmless mails, which is due to the way NSP works, Level of Trust is the magic word here.

Conclusion

NoSpamProxy works differently to the products I have come across so far. When it comes to email security, most other products (that I know of) rely on special appliances. Most of these appliances are based on Linux or BSD and are delivered as "black boxes" (as VM or sheet metal). NSP takes a different approach here: Windows as the operating system, MS SQL for the databases.

Another big difference between NSP and other solutions: There is no quarantine. An email is therefore delivered or rejected. The middle ground "Quarantine - Dear user decide for yourself" does not exist with NSP.

NSP requires some old components, for example the Report Viewer 2010 and SQL Express 2012 in the standard installation, and the MMC for administration also looks outdated. This is no longer up to date, so I have made an inquiry to the manufacturer about this (for the result, see "Outlook").

However, once you have familiarized yourself with how NSP works, you will definitely enjoy it. The detection rates were excellent in my test, only mails with links to malicious sites were not always detected (but this will probably change in the future, see "Outlook").

I will spare myself a long conclusion at this point, there is a free 30-day trial version, so everyone can test for themselves whether the requirements are met. I will therefore interrupt my conclusion here and switch to "My opinion"

My opinion

Once you get used to the somewhat different concept and the way NSP works, you quickly feel confident in using NSP. I really like the different deployment options, NSP can be operated redundantly and securely in a DMZ, but can also run directly on the Exchange server in very small environments. Probably no other product offers this flexibility.

I think it's great that NSP also comes with countless CMDLets for the PowerShell:

• NoSpamProxy Powershell cmdlets

Another plus point: support and development take place entirely in Germany, specifically Paderborn.

If you are looking for a new SPAM filter, I think you should take a look at NSP.

Outlook

While I was testing NSP version 12, I received the test version of the upcoming version 13. There will be some very interesting new functions here, for example:

• PDF Reconstruction and ICAP
• Cyren Sandbox
• URL Safeguard

PDF Reconstruction makes it possible to convert potentially dangerous attachments, for example Word documents with macros, into harmless PDFs and deliver them to the user. The Cyren Sandbox is a cloud-based sandbox in which attachments can be executed and analyzed. URL Safeguard replaces hyperlinks in emails to protect against malicious links. Using ICAP, data can be forwarded to other security solutions for analysis.

It is also planned to dispense with the old components such as Report Viewer and MMC.