I work for a smallish ISP in the Midwest. In late September and the month of October we began getting blasted with spam and DHAs from all over the world. We had been utilizing a spam filtering service but it was not keeping up. We billed the customers for the service and they were starting to complain. They were getting so much spam in their inboxes that they felt like they were wasting their money. In October, when the problem became so bad that it started affecting our mail server's ability to process mail any longer, we knew we had to do something. We had been "test driving" a spam filter device by Red Condor. The accounts that had been moved over to the Red Condor filter were virtually spam-free. We decided to implement the Red Condor solution across the board on the server that was being hammered the worst. This server has just over 9,000 accounts on it. We turned up the Red Condor box at about 4pm and by 7:00am the next morning the quarantine boxes had been created for all customers. No interaction required; it simply verified each inbox as the emails arrived for the account. If the account did not exist it threw the spam away; if the account did exist it created the inbox and then determined whether the email was spam or was legit (autodiscover does not work with Exchange Servers).
March 2010
Deborah 279 Posts ISC Handler Mar 17th 2010

We use a product that includes IP reputation filtering. Out of about 8M messages per day, 98% are dropped based on source IP address pre-DATA. The product also uses behavioral monitoring of unblocked addresses - if it detects spam it starts to grey-list the sending IP address.
Anonymous
Mar 17th 2010

I feel your pain. I have battled the forces of evil protecting mail servers for quite a few years. I have had great success fighting spam with the Open Source/commercial app Untangle (untangle.com) with some SMB clients. Other clients use hosted Exchange with Barracuda with some success. Still others use Microsoft Forefront for Exchange. They all have advantages/disadvantages, but it comes down to proper configurations and remaining diligent. If I only had a nickel for each spam message I have prevented from reaching a user's inbox. :)
Anonymous
Mar 17th 2010

Although we have a single domain we receive around 4 million messages monthly with typically 9%-11% being good. We were in the same boat several years back and opted to go the Barracuda appliance route. We experienced very similar results; however, it appears that as Barracuda's popularity grew so did the spam transmitters' abilities. Even with constant tuning our blockage percentages are trending downward, so we are investigating other avenues and will give Condor a trial.
$.02 deposited
Greg 3 Posts
Mar 17th 2010

While the number of users on my server pales in comparison to this story, I still get a large percentage of attempted spam for the number of users I have. I use OpenBSD's spamd, postfix, and amavis-new. That which manages to make it by the greylisting then gets multiple checks applied via postfix. No RR record for the connecting IP: 4xy. HELO command is checked, sender domain checked, sender address checked (as in, a connection is made to the domain's MX: will it accept a message for the RP my system was given?). Still some spam manages to get past all that, and for those amavis-new manages to catch the rest quite well.
Greg 2 Posts
Mar 17th 2010

I work for a manufacturing company, not an ISP. We long ago decided that we had better uses for the time of our IT personnel than fighting spam. We outsourced to MessageLabs and can now do the things that are productive for the company. I haven't seen any spam in years.
Greg 1 Posts
Mar 17th 2010

The 'quality' of any spam filter depends, I guess, on the amount of data available to it and its skill at interpreting it. It doesn't help when major webmail providers are the source of the spam; the real source IP is often unknown to the final recipient, who therefore has less basis on which to do any filtering. That results in a lower 'quality' of filter, so the number of false negatives must increase in order to keep the number of false positives the same. That leaves the webmail provider in a superior position since they do have that data available to them.
Emails sent between accounts hosted at the same provider can possibly be identified as spam even *after* delivery (after other recipients have complained), so that too gives the larger email providers an edge over external victims of their spam. I think spam will continue to hit smaller providers hardest, nudging people toward the major webmail providers and probably suffering a CAPTCHA every other outgoing message (or pay to 'go pro'). And business users would be pushed toward their outsourced email offerings, probably paying by volume of sent mail. I think that's a sad place for any Internet-based service to end up. So I guess SMTP was fatally flawed. Maybe its next incarnation would define a good, standard 'feedback loop' for reporting spam and maybe even the ability to 'recall' a message after sending it. Systems downstream from it would need to be prepared for messages to be recalled also. In the meantime it might be smart to reduce dependency on email. In the context of a web application, do you really *need* the user to provide you with an email address? Can you offer alternate contact methods? Can you handle account signup and authentication some other way, such as OpenID, providing unique URIs, client certificates or cryptographic tokens? Maybe you could still provide your service without requiring login at all? Could you offer your email subscriptions or notifications via RSS or other means?
Steven C. 171 Posts
Mar 17th 2010

My concern, if I were a customer of yours, would be how many legitimate email messages did I NOT get. Do you know how many false positives it actually dropped?
Subelman 1 Posts
Mar 17th 2010

My experience is that checking the IP for reverse DNS, and that the PTR text doesn't look like a dynamic IP, and checking to see that it matches the HELO will catch a ton of the bot spam.
Subelman 5 Posts
Mar 18th 2010

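The connection-time checks described in Greg's postfix setup and in the post just above (reverse DNS present, PTR not dynamic-looking, PTR and HELO agreeing with the IP, sender domain resolvable), written out as an added example that is not code from any poster or product in this thread. The DNS tables are constructed stand-ins for live lookups; the sender-address callout Greg mentions is left out because it needs a real SMTP connection to the sender's MX.

```python
import re

# Constructed DNS tables standing in for live lookups (RFC 5737 test addresses, RFC 2606 names).
PTR = {
    "192.0.2.10": "mail.example.net",            # clean host: PTR forward-confirms, matches HELO
    "192.0.2.77": "192-0-2-77.dyn.example.net",  # PTR looks like a dynamic/pool address
    "198.51.100.5": "host.example.org",          # PTR does not resolve back to the IP
    # 203.0.113.9 deliberately has no PTR record
}
A = {
    "mail.example.net": ["192.0.2.10"],
    "192-0-2-77.dyn.example.net": ["192.0.2.77"],
    "host.example.org": ["198.51.100.200"],
}
MX = {"example.net": ["mail.example.net"], "example.org": ["mx.example.org"]}

HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
DYNAMIC_WORDS = re.compile(r"\b(dyn|dynamic|dhcp|pool|ppp|dsl|cable|dialup)\b")


def looks_dynamic(ptr, ip):
    """True if the PTR name embeds the IP's octets or a typical pool/dynamic keyword."""
    octets = ip.split(".")
    for sep in ("-", ".", "_"):
        if sep.join(octets) in ptr or sep.join(reversed(octets)) in ptr:
            return True
    return DYNAMIC_WORDS.search(ptr) is not None


def check_client(ip, helo, mail_from):
    """Decide at connection/envelope time. Returns (SMTP code, reason):
    250 accept, 450 temporary reject (a real MTA retries), 550 permanent reject."""
    ptr = PTR.get(ip)
    if ptr is None:                       # no reverse record: answer 4xx, as Greg's setup does
        return "450", "no reverse DNS for connecting IP"
    ptr, helo = ptr.lower(), helo.lower()
    if looks_dynamic(ptr, ip):
        return "550", f"PTR {ptr} looks like a dynamic address"
    if ip not in A.get(ptr, []):          # forward-confirmed reverse DNS
        return "550", f"PTR {ptr} does not resolve back to {ip}"
    if not HOSTNAME.match(helo):
        return "550", f"HELO {helo!r} is not a fully qualified hostname"
    if helo != ptr and ip not in A.get(helo, []):
        return "550", f"HELO {helo} matches neither PTR {ptr} nor {ip}"
    domain = mail_from.rpartition("@")[2].lower()
    if domain not in MX:                  # sender domain must be able to receive mail
        return "550", f"sender domain {domain} has no MX"
    return "250", "ok"
```

Returning 450 rather than 550 for the missing-PTR case is what keeps a misconfigured but legitimate sender from losing mail: its MTA queues and retries, while most bot senders never do.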
Great write-up. I am at a small shop, only about 200 mailboxes, and recently switched our anti-spam solution. I was able to get a very good solution working for free. Through Exchange 2007 and the built-in ability to use RBLs, SPF and the other anti-spam features, we've got a solid solution. At first it was horrible so we gathered a master "white list" from our staff and changed the SCL threshold levels. It's been great so far. One major downside is that the reporting is nonexistent but that's what you get for free!
Subelman 1 Posts
Mar 18th 2010

We have been using the Ironport email gateway in the Saudi Airlines company for the past one year and never came across any issues, and none of the customers complained about spam messages or false positives. As said by many users who posted here, the quality of a spam filter depends upon the amount of data available about the source IP address. In this case Ironport uses the SBRS database, which covers almost 70% of internet ISP traffic.
Subelman 1 Posts
Mar 18th 2010

We use Google/Postini which is SaaS. Works fine for us, and since it is in the cloud, we don't even have maintenance of a box, and don't need any IT staff to look after it. There are lots of products. Earlier I had good experience with Open Source products. It is not important what you use, as long as you use something.
Povl H. 75 Posts
Mar 18th 2010

I work for a telco in the UK; we implemented PureMessage for UNIX but are now looking at the cost benefits of outsourcing the work to a SaaS provider (Google/MessageLabs, etc.). The business is getting tired of flogging out huge capital to cover hardware and software depreciation every three to five years, but does not mind spending a constant operational cost over a fixed-term contract.
I was wondering how many security managers/engineers have evaluated in-house solutions compared to outsourcing to a SaaS provider?
Peter P 8 Posts
Mar 18th 2010

The problem of dealing with spam and anti-spam filters is false positives. I certainly don't want to go hunting the logs and quarantine every time a user complains about the email they didn't receive.
We tried 2 solutions (Symantec hosted mail security and Anubis Networks) that offered a daily digest sent to the end user with the mails that were in quarantine and let them do the management of their own spam. Of course they need supervision, because every once in a while a user released everything, including spam. Personally I liked Anubis, because of the amount of spam in Portuguese that the English-based anti-spam filters don't catch very well, and Anubis is a Portuguese company dedicated to anti-spam. Since both services were outside our network (MX redirection) our internet link never got the impact of spam.
Rogerio 1 Posts
Mar 18th 2010

I used to get 5000-10000 spams in a week until I used this...
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
Combined with spamassassin, amavisd-new and clamav, I hardly get any spam on my domains. Also, I've only had one false positive in years.
Anonymous
Mar 19th 2010