
GFI Software are incompetent charlatans

02 September 2011

GFI advertises its "MailEssentials" software as "The most effective way to beat spammers at their game", and I can only agree. Spammers' game is to part unsuspecting internet users from their money in exchange for shoddy or non-existent products, and GFI and its resellers have successfully been using Mailessentials (formerly "Mail essentials") for this purpose for at least 12 years[1].

Coming from a GNU/Linux background, I had (possibly unreasonable) high expectations of a paid-for (and expensive) anti-spam product. It would integrate seamlessly with major popular proprietary mail server solutions, require almost no configuration, have an almost-flawless detection accuracy and have genuine thought put into its configuration interface. Having spent days at my previous employer fighting with clients' SpamAssassin installations, I was looking forward to an easy ride. Man, was I wrong.

Installing GFI is as painful as installing any other piece of Windows server software: it's large, it requires a pointless, disruptive system restart and it doesn't (of course) integrate with the built-in Server Manager, the built-in Exchange Management Console or, well, anything. Maybe this is Microsoft's fault (I'm sure that'd be GFI's excuse, anyway), but even this lowly web programmer managed to find documentation on writing a Microsoft Management Console snap-in in about 45 seconds. So, as ever, the long-suffering sysadmin has to battle dozens of tiny Windows 95-style dialogues, all apparently designed without the realisation that someone will have to use them for something at some point. Case in point: close your eyes and imagine the worst possible interface for managing a large e-mail whitelist. Ready? Now, compare with GFI's suggestion:

But the real problems with GFI aren't visible in the administrative interface. If an anti-spam system had inadequate and fiddly reporting, randomly-scattered options and a heart-stoppingly bad installer[2], it could still be forgiven if it did a good job at preventing spam. GFI categorically does not.

Ignoring for the moment the shocking mistakes it's made (oh yes, block an e-mail for including the words "do not reply", what a fantastic plan!), the real pain for people attempting to use Mailessentials comes after that point, when they try to convince the software not to do exactly the same thing again. Sane anti-spam systems deliver junk (or suspected junk) mail into a folder: reviewing incoming spam is as simple as checking the messages in that folder, and re-training either involves moving messages to a different folder (good) or forwarding them to a special address (bad, evil and wrong). GFI, by default, does neither. Messages that GFI thinks are spam[3] go nowhere near your client, and get held in a non-standard, inaccessible, proprietary central database.

Quite apart from the sheer insanity of bypassing decades' worth of established spam management metaphors, the really unforgivable thing about GFI's "Spam Quarantine" is just how lazy the implementation is. Loading up the page is like taking a trip down Myspace memory lane, with confusing forms, an awful and unattractive layout and missing basic functionality (like remembering how many items per page you'd like to display). Oh, and one in four times you load the site, it'll forget who you are and, rather than refusing to show anything, fall back to a full list of every single quarantined message in your organisation, everyone else's mail included. Safe as fuck.

Finally, the head-desking stupidity that tipped me over the edge into writing this post. Within the web-based quarantine, and — helpfully — not in the list of messages, there is a button which says "Whitelist and Approve":

This sits next to the "Approve" button (transfers the message to your Inbox, does not prevent precisely the same message being quarantined in future), "Delete" (which doesn't confirm that the message was spam) and "Download" (which makes up for the sub-standard built-in viewer by allowing you to open suspicious messages in your desktop client). Clicking it might, you expect, "Approve" the message and … err … "Whitelist" it. It turns out that it does, but only if you're an administrator. If not, it'll claim to have succeeded (including the obnoxious JavaScript pop-up confirmation dialogue, straight out of a 90s JS tutorial), approve the message, and silently ignore the request to whitelist anything. The server accepts the whole request, carries out half of it, drops the privileged half without a word and reports success, so the user has no way of knowing that the same sender will be quarantined again tomorrow.
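Both of the quarantine's failure modes above (the listing that falls back to everyone's mail when it loses your session, and the "Whitelist and Approve" action that reports success while skipping the part a non-admin may not do) are the same underlying mistake: authorisation that degrades instead of refusing. The following is an added illustration, not GFI's code and not a claim about how their product is built; the store, the session keys `user` and `is_admin`, the sample messages and every function name are constructed for the example. Each vulnerable pattern sits beside a fail-closed version that checks the caller's identity and privilege before any side effect and reports exactly what it did (the hardened action also checks that the message belongs to the caller, which is general hygiene rather than something the post reports).

```python
"""Fail-closed authorisation for a web-based mail quarantine.

Constructed illustration, not GFI's code: the store, session keys ("user",
"is_admin") and function names are assumptions. It models the two behaviours
the post describes and the fix for each:
  1. a listing that falls back to every user's mail when the session has no
     identity (fail-open) versus one that refuses (fail-closed);
  2. a combined "whitelist and approve" action that reports success while
     silently dropping the part the caller may not do, versus one that checks
     the privilege before any side effect and reports exactly what happened.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: int
    recipient: str  # mailbox the message was addressed to
    sender: str


@dataclass
class QuarantineStore:
    messages: dict[int, Message] = field(default_factory=dict)
    whitelist: set[str] = field(default_factory=set)
    inbox: dict[str, list[int]] = field(default_factory=dict)  # delivered ids per user


class AuthError(Exception):
    """Raised instead of degrading to a less-authorised behaviour."""


def build_sample_store() -> QuarantineStore:
    """Constructed sample data: two users, three quarantined messages."""
    store = QuarantineStore()
    for m in (Message(1, "alice@example.com", "offers@example.net"),
              Message(2, "bob@example.com", "news@example.org"),
              Message(3, "alice@example.com", "billing@example.com")):
        store.messages[m.msg_id] = m
    return store


def list_quarantine_fail_open(session: dict, store: QuarantineStore) -> list[Message]:
    """Vulnerable pattern: an empty session degrades to an unfiltered listing,
    so whoever loads the page sees every message in the organisation."""
    user = session.get("user")
    return [m for m in store.messages.values() if user is None or m.recipient == user]


def list_quarantine_fail_closed(session: dict, store: QuarantineStore) -> list[Message]:
    """Hardened: no identity means no listing; the caller must re-authenticate."""
    user = session.get("user")
    if not user:
        raise AuthError("no authenticated user in session")
    return [m for m in store.messages.values() if m.recipient == user]


def whitelist_and_approve_silent(session: dict, store: QuarantineStore, msg_id: int) -> dict:
    """Vulnerable pattern: the approve half always runs, the whitelist half is
    skipped for non-admins, and the response claims full success either way."""
    user = session["user"]
    msg = store.messages.pop(msg_id)
    store.inbox.setdefault(user, []).append(msg.msg_id)
    if session.get("is_admin"):
        store.whitelist.add(msg.sender)
    return {"status": "ok"}


def whitelist_and_approve_checked(session: dict, store: QuarantineStore, msg_id: int) -> dict:
    """Hardened: authorise every part of the request up front; refuse with an
    explicit error, leaving the store untouched, rather than half-completing."""
    user = session.get("user")
    if not user:
        raise AuthError("no authenticated user in session")
    msg = store.messages.get(msg_id)
    if msg is None or msg.recipient != user:
        raise AuthError("message is not in the caller's quarantine")
    if not session.get("is_admin"):
        # Refuse before any side effect; the UI can then offer plain Approve
        # instead of showing a control that does not work for this caller.
        raise AuthError("whitelisting requires administrator privilege")
    del store.messages[msg_id]
    store.inbox.setdefault(user, []).append(msg_id)
    store.whitelist.add(msg.sender)
    return {"status": "ok", "approved": msg_id, "whitelisted": msg.sender}


if __name__ == "__main__":
    s = build_sample_store()
    print(len(list_quarantine_fail_open({}, s)), "messages leaked to an empty session")
    print(whitelist_and_approve_silent({"user": "alice@example.com", "is_admin": False}, s, 1),
          "whitelist:", s.whitelist)
```

The point of the hardened action is not the extra checks themselves but where they sit: before the first write. A partial action that then reports `ok` is worse than a refusal, because the user acts on the success message; a refusal tells the UI to hide or disable the control for that caller, which is exactly the change GFI's support reply promises for "the next version".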

An ex-colleague, who has been working tirelessly to try and make Mailessentials into something approaching a decent program, asked GFI support why it showed the "Whitelist and Approve" button to users at all, if it did nothing. Their reply:

That is correct. They can click it but nothing will happen. I believe this is being looked at with the next version so they do not see that button at all.

I can imagine the changelog entry now.

[1] Reviews of the software date back to 1999.

[2] Quotation from an (illiterate) e-mail from GFI support: "Note that when doing the install it will say it is uninstalling, it is leaving behind all configuration data so you will not need to reconfigure the software"

[3] A process functionally equivalent to this