JConchie

asked on

Spam, Spam, Spam, Spam!

No, not a call for a Monty Python reunion.........

We are a small (40-50 mailboxes) company running a single Exchange 2000 server.  Lately our spam has shot through the roof.  I am just beginning to look for a blocking solution and would appreciate pointers about what has worked.........and not worked.......for you.  Please give me as much information as you can about pros and cons of particular products.  We don't need a large enterprise capable product, but we can pay for a solution that will work at the scale of our situation.

Note:  No canned reviews please.  Points awarded only for details of your actual experience with a product in a live environment. More detail, more points.

Thanks,

SOLUTION
peterb123

JConchie

ASKER

Peter,
What kind of problems have you had with false positives..........non spam being grabbed as spam?  How big has your blocking list become?  Are you still having to manually add to it?

XWall comes with some default lists, such as subject header keywords, attachments, etc. If you enable all of their default spam catches, you'll get quite a few falses. So I removed several of their default (suggested) catches.

The first thing I would do, and I did, was ask my users for a domain listing of their larger customers. I then added those domains into my exclusion list, so I had very few problems with deleting legitimate mail. I highly recommend this.

My blocking list (IPs and domains) is pretty large I suppose (since it is done manually). I probably have about 350 or so IPs on my list and maybe 150 domains. However, about 70% of our spam is blocked through keywords and html codes.

XWall allows you to subscribe to blocking service lists, but I never checked on those prices.

Every couple of weeks, I'll spend about 20 minutes going through the last day's log and copy and paste the IPs of spam blocked by keyword and add them to the host block list. After the first month, about 1% was blocked by host ip/name and I bet by the end of the year, about 70% will be blocked this way.

I wish XWall had an easy way to import and export IP and domain lists so that administrators could share them.

Anyway, for the price, I think it is an excellent product that I would definitely purchase again if I need to.
Keep in mind that you can download it and use it for free for 30 days.
SOLUTION
Kidego,
Many thanks.......how much time are you spending sorting out false positives and maintaining filters?

False positives? Nobody has reported one yet, although I'm sure there are a few. I use Spamhaus and Spamcop for RBL, I block about 10 or 11 attachment types and drop the whole message (no viruses!), and I use some keyword filtering; messages caught by that filter get redirected to another mailbox.

How well a spam tool works for you depends greatly on what kind of spam you get, and where it comes from. In my position, most of the spam is coming from known spam lists, so Spamhaus and Spamcop do an excellent job for me, and no falsies. I'm currently dropping over 108,000 messages a day, just on attachment filtering and 1 RBL zone, which is Spamhaus SBL-XBL. Spamcop will get incorporated next week, and will drop an estimated 4000 additional emails a day (yes, my company was TOTALLY covered in spam before I got here!)

D
Check the headers of some of the spam messages, find the sending IP address, and check it against www.openrbl.org

D
Kidego,
Just want to be sure I'm understanding the setup.........Vamsoft's OpenRelayFilter can be pointed to both the Spamhaus filter list and the Spamcop one?  So far, this solution seems like a cheap way to make quite a dent in our spam volume.

We are currently running TrendMicro's full AV suite.........and the ScanMail component does a nice job of nailing bad attachments.........does anyone out there have experience with Trend's Spam component?
Yes, you can point it to up to 5 zones, but some zones get too aggressive, and you'll get an unacceptable level of false positives. Stick with a max of 3, and see how it goes for a while.

And screw eManager, it's a turd...even by their own accounting. ScanMail however, is my fav AV product. It does do a nice job with attachment blocking.

d
I have another solution that is different from the norm. Use a pre-built ISP-style mail filtering company to filter your mail for you. This is a surprisingly successful solution. A few companies that offer this service are:
http://messagelabs.com
http://ensynch.com
These are by no means the only people that do this; do your homework for more information.
The biggest benefit can be the cost savings.
John,
Do you have experience with either of these companies?
PS........I'm looking for input from people who already have "done the homework"........that's what the points are for  :-)
ASKER CERTIFIED SOLUTION
J Q......... :-)  yeah, it is.......not to worry, you will be among the chosen when I wrap this one up.....thanks both for the product detail......and for the further education on spam catching.
Kidego,

Our Exchange 2000 server sits behind a SonicWall firewall which points SMTP traffic to the specific LAN IP address of the Exchange server...........is this going to be a problem with the vamsoft filter?
So what did you decide to go with?

D
Did the vamsoft, with SpamCop and Spamhaus, so far........in 36 hrs. it is blocking about 27 % of our email total....fair bit of spam still coming through, we are going to have to look at other methods too, but it has made a noticeable reduction for everyone.

On another topic, have a look at my question at:
https://www.experts-exchange.com/questions/20971186/Exchange-Outlook-Auto-Reply-Problems.html

I suspect that you may have some ideas, :-)
Check the IP addresses of the spam that's slipping thru, by looking at the internet mail header. Run that IP against www.openrbl.org

I'll bet there's a zone that would catch the majority of your spam. There's also some very cool Perl regex for doing attachment blocking and word searches. You using the 1.5 beta, right?

D
Using 1.5. Already blocking attachments with our TrendMicro ScanMail.

Just tried putting a few IPs into openrbl.org.....seems like some of this spam is going through 2-3 IP addresses.....I'm assuming that it is the last address that relayed it that I want to check.....anyway, when I look at the results from openrbl.org, I'm unclear about what to do next...."I'll bet there's a zone that would catch the majority of your spam."...........could you explain that a bit more for me please.
Thanks,
Jim
Look for the IP address that delivered the message. When you're looking in the headers, obviously you don't care about your own external IP, you want to see which IP delivered the message to your external IP. When the results come back, see what zones the IP tested positive for, should be something like, x positive, y negative.

D
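
The header check described in the reply above, as an added example that is not part of the original thread: it picks the first `Received` hop that is not one of your own addresses and tests it against DNSBL zones. The sample headers, `OWN_NETWORKS` and the zone names (assumed to correspond to the Spamhaus SBL-XBL and SpamCop lists named in the thread) are assumptions; confirm current zone names with the list operators.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample headers (documentation-range addresses); newest hop is on top.
SAMPLE = """\
Received: from fw.example.com ([192.168.1.1]) by exch.example.com; Mon, 3 May 2004 10:00:02 -0700
Received: from unknown ([203.0.113.45]) by fw.example.com; Mon, 3 May 2004 10:00:01 -0700
Received: from forged.example.org ([198.51.100.7]) by unknown; Mon, 3 May 2004 09:59:58 -0700
Subject: constructed sample

body
"""
OWN_NETWORKS = ("192.168.1.0/24", "192.0.2.25/32")  # assumed: LAN range + own external IP
ZONES = ("sbl-xbl.spamhaus.org", "bl.spamcop.net")   # assumed zone names

def delivering_ip(raw_message, own_networks):
    """Return the first peer IP, newest hop first, that is not one of ours.
    Hops below it were written by the sender's side and can be forged."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    for header in message_from_string(raw_message).get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:          # bracketed text that is not a valid IPv4 address
            ip = None
        if ip is not None and not any(ip in n for n in nets):
            return str(ip)
    return None

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_zones(ip, zones, resolve=socket.gethostbyname):
    """Map zone -> listed? An answer in 127/8 means listed; no record means not listed."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:     # no such record: not listed in this zone
            answer = ""
        # 127.255.255.x is an error code from Spamhaus zones, not a listing
        results[zone] = answer.startswith("127.") and not answer.startswith("127.255.255.")
    return results

if __name__ == "__main__":
    ip = delivering_ip(SAMPLE, OWN_NETWORKS)
    print(ip, [dnsbl_name(ip, z) for z in ZONES])  # no DNS traffic is sent here
```

Running `check_zones` over a day's worth of delivering IPs and counting positives per zone shows which zones would have caught the mail that slipped through, before any of them is enabled for blocking.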
Thanks
You could try something completely different.  UseBestMail provides anti-spam protection at various levels, including stamped mail.  There are no false positives and it doesn't censor the mail.

You can check it out at: http://www.usebestmail.com

I'm the author and just getting started.  Let me know what you think.