  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1012

Spam, Spam, Spam, Spam!

No, not a call for a Monty Python reunion.........

We are a small (40-50 mailboxes) company running a single Exchange 2000 server.  Lately our spam has shot through the roof.  I am just beginning to look for a blocking solution and would appreciate pointers about what has worked.........and not worked.......for you.  Please give me as much information as you can about pros and cons of particular products.  We don't need a large enterprise capable product, but we can pay for a solution that will work at the scale of our situation.

Note:  No canned reviews please.  Points awarded only for details of your actual experience with a product in a live environment. More detail, more points.

Thanks,

0
JConchie
3 Solutions
 
peterb123Commented:
I was in the exact same situation, and I decided to use XWall (http://xwall.us/).

Pros:
1. Cost $398.00
2. Easy and fast to set up. It took me less than an hour from start to finish.
3. Easy to configure. You can block by key word, subject, ip, domain, etc. etc.

Cons:
1. No way to set up for automatic exclusions (not that I could find).
2. Will not automatically import exclusions from users' address books.

We have about 53 users, and XWall is blocking approximately 1,400 spams a day (no lie).
0
 
JConchieAuthor Commented:
Peter,
What kind of problems have you had with false positives..........non spam being grabbed as spam?  How big has your blocking list become?  Are you still having to manually add to it?
0
 
peterb123Commented:
XWall comes with some default lists, such as subject header keywords, attachments, etc. If you enable all of their default spam catches, you'll get quite a few falses. So I removed several of their default (suggested) catches.

The first thing I would do, and I did, was ask my users for a domain listing of their larger customers. I then added those domains into my exclusion list, so I had very few problems with deleting legitimate mail. I highly recommend this.

My blocking list (IPs and domains) is pretty large I suppose (since it is done manually). I probably have about 350 or so IPs on my list and maybe 150 domains. However, about 70% of our spam is blocked through keywords and html codes.

XWall allows you to subscribe to blocking service lists, but I never checked on those prices.

Every couple of weeks, I'll spend about 20 minutes going through the last day's log and copy and paste the IPs of spam blocked by keyword and add them to the host block list. After the first month, about 1% was blocked by host ip/name and I bet by the end of the year, about 70% will be blocked this way.

I wish XWall had an easy way to import and export IP and domain lists so that administrators could share them.

Anyway, for the price, I think it is an excellent product that I would definitely purchase again if I need to.
0
 
peterb123Commented:
Keep in mind that you can download it and use it for free for 30 days.
0
 
David WilhoitCommented:
www.vamsoft.com

99$ per server, does RBL, reverse DNS lookups, IP blacklists/whitelists, sender blacklist/whitelist, AD sync-up to block invalid addresses, and the new 1.5 beta version does attachment blocking, keyword search filters using Perl expressions (regex), and it takes up about 5 MBs of drive space. I like it :)

D
0
 
JConchieAuthor Commented:
Kidego,
Many thanks.......how much time are you spending sorting out false positives and maintaining filters?
0
 
David WilhoitCommented:
false positives? Nobody has reported one yet, although I'm sure there's a few. I use Spamhaus and Spamcop for RBL, I block about 10 or 11 attachment types, and drop the whole message (no viruses!), and I use some keyword filtering, which messages that are caught on that filter get redirected to another mailbox.

How well a spam tool works for you depends greatly on what kind of spam you get, and where it comes from. In my position, most of the spam is coming from known spam lists, so Spamhaus and Spamcop do an excellent job for me, and no falsies. I'm currently dropping over 108,000 messages a day, just on attachment filtering and 1 RBL zone, which is Spamhaus SBL-XBL. Spamcop will get incorporated next week, and will drop an estimated 4000 additional emails a day (yes, my company was TOTALLY covered in spam before I got here!)

D
0
 
David WilhoitCommented:
check the headers of some of the spam messages, find the sending IP address, and check it against www.openrbl.org

D
0
 
JConchieAuthor Commented:
Kidego,
Just want to be sure I'm understanding the setup.........Vamsoft's OpenRelayFilter can be pointed to both the Spamhaus filter list and the Spamcop one?  So far, this solution seems like a cheap way to make quite a dent in our spam volume.

We are currently running TrendMicro's full AV suite.........and the ScanMail component does a nice job of nailing bad attachments.........does anyone out there have experience with Trend's Spam component?
0
 
David WilhoitCommented:
Yes, you can point it to up to 5 zones, but some zones get too aggressive, and you'll get an unacceptable level of false positives. Stick with a max of 3 , and see how it goes for a while.

And screw eManager, it's a turd...even by their own accounting. ScanMail however, is my fav AV product. It does do a nice job with attachment blocking.

d
0
 
John_Q_JrCommented:
I have another solution that is different from the norm. Use a pre-built ISP-style mail filtering company to filter your mail for you. This is a surprisingly successful solution. A few companies that offer this service are:
http://messagelabs.com
http://ensynch.com
These are by no means the only people that do this; do your homework for more information.
The biggest benefit can be the cost savings.
0
 
JConchieAuthor Commented:
John,
Do you have experience with either of these companies?
0
 
JConchieAuthor Commented:
PS........I'm looking for input from people who already have "done the homework"........that's what the points are for  :-)
0
 
John_Q_JrCommented:
JConchie -

I wasn't really looking for the points, just offering a suggestion. But I'm a sucker for points  . . . so here you go.
I hate spam!

Messagelabs has some good general information; below are the links you should check out.
Ensynch's information is more specific and technical.  (It's posted below)
I have had experience with both on the Sales front. I can tell you one is much cheaper than the other (Ensynch), but MessageLabs provides more product.
I did use Ensynch Mail bagging system and it does work, you have to spend a little time creating white-lists, but after that it routinely tagged about 99% of the inbound SPAM. One shortcoming is that they don't archive the tagged messages for you, would be nice if they did for that moment when you need a high-priority message you have to retrieve.


http://messagelabs.com/binaries/Casestudy%20Marshall%20AS.pdf
http://messagelabs.com/binaries/ManagedServices.pdf


Ensynch’s mail-bagging system uses two distinct tools. The first, SpamAssassin, utilizes a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email. The spam-identification tactics used include:
•      header analysis: spammers use a number of tricks to mask their identities, fool you into thinking they've sent a valid mail, or fool you into thinking you must have subscribed at some stage. SpamAssassin tries to spot these.
•      text analysis: again, spam mails often have a characteristic style (to put it politely), and some characteristic disclaimers and CYA text. SpamAssassin can spot these, too.
•      blacklists: SpamAssassin supports many useful existing blacklists, such as mail-abuse.org, ordb.org or others.
•      Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it.
Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application.
The second, Sophos, is designed to block the viruses contained within the email. Virus scanning is fairly intensive, so emails are only checked after they are checked for spam. The Sophos virus scanner analyzes the incoming email for viruses from a database updated every 5 minutes. The virus scanner even checks multi-layered compressed/archived files for embedded viruses. Visit www.sophos.org for more information on the solution.

NOW that's worth some points?
0
 
JConchieAuthor Commented:
J Q......... :-)  yeah, it is.......not to worry, you will be among the chosen when I wrap this one up.....thanks both for the product detail......and for the further education on spam catching.
0
 
JConchieAuthor Commented:
Kidego,

Our Exchange 2000 server sits behind a SonicWall firewall which points SMTP traffic to the specific  lan ip address of the exchange server...........is this going to be a problem with the vamsoft filter?
0
 
David WilhoitCommented:
So what did you decide to go with?

D
0
 
JConchieAuthor Commented:
Did the vamsoft, with SpamCop and Spamhaus, so far........in 36 hrs. it is blocking about 27 % of our email total....fair bit of spam still coming through, we are going to have to look at other methods too, but it has made a noticeable reduction for everyone.

On another topic, have a look at my question at:
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20971186.html

I suspect that you may have some ideas, :-)
0
 
David WilhoitCommented:
Check the IP addresses of the spam that's slipping thru, by looking at the internet mail header. Run that IP against www.openrbl.org

I'll bet there's a zone that would catch the majority of your spam. there's also some very cool Perl regex for doing attachment blocking and word searches. You using the 1.5 beta, right?

D
0
 
JConchieAuthor Commented:
Using 1.5  Already blocking attachments with our TrendMicro ScanMail

Just tried putting a few IPs into openrbl.org  .....seems like some of this spam is going through 2-3 IP addresses.....I'm assuming that it is the last address that relayed it that I want to check.....anyway, when I look at the results from openrbl.org, I'm unclear about what to do next...."I'll bet there's a zone that would catch the majority of your spam."...........could you explain that a bit more for me please.
Thanks,
Jim
0
 
David WilhoitCommented:
look for the IP address that delivered the message. When you're looking in the headers, obviously you don't care about your own external IP, you want to see which IP delivered the message to your external IP. When the results come back, see what zones the IP tested positive for, should be something like, x positive, y negative.

D
0
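The header check described in the answer above, as an added example that is not part of the original thread: it walks the Received lines from the top, skips your own hosts, and returns the first outside IP, then builds the DNSBL query name for it. The sample headers, `OWN_NETWORKS` and the function names are constructed for illustration; `zen.spamhaus.org` and `bl.spamcop.net` are the public zone hostnames for the two lists named in the thread and are an assumption here, not something the posts state.

```python
import email
import ipaddress
import re
import socket

# Constructed sample (documentation-range addresses); newest Received line first.
SAMPLE = """\
Received: from fw.example.local (10.0.0.1) by exch.example.local; Mon, 1 Mar 2004 10:00:03 -0800
Received: from mail.sender.example (unknown [198.51.100.23]) by mx.example.com (192.0.2.10); Mon, 1 Mar 2004 10:00:01 -0800
Received: from dialup.example.net ([203.0.113.77]) by mail.sender.example; Mon, 1 Mar 2004 09:59:58 -0800
Subject: constructed test message

body
"""
OWN_NETWORKS = ["10.0.0.0/8", "192.0.2.10/32"]  # assumed LAN range and external IP

def delivering_ip(raw_message, own_networks):
    """Return the first outside IP that handed the message to our servers."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):   # top line = most recent hop
        from_part = received.split(" by ")[0]      # ignore our own "by" address
        m = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", from_part)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue
        if not any(ip in net for net in nets):
            return str(ip)  # hops below this one were written by the sender's side
    return None

def dnsbl_query_name(ip, zone):
    """DNSBL lookups reverse the octets and append the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_zones(ip, zones):
    """Live DNS lookup: a 127.0.0.x answer means listed, NXDOMAIN means not listed."""
    results = {}
    for zone in zones:
        try:
            answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
            # Spamhaus answers 127.255.255.x for refused queries; that is not a listing.
            results[zone] = answer.startswith("127.") and not answer.startswith("127.255.255.")
        except socket.gaierror:
            results[zone] = False
    return results

if __name__ == "__main__":
    ip = delivering_ip(SAMPLE, OWN_NETWORKS)
    print(ip, check_zones(ip, ["zen.spamhaus.org", "bl.spamcop.net"]))
```

Only the hop recorded by your own server is trustworthy; the older Received lines underneath it are supplied by the sending side and can be forged, which is why the check stops at the first outside address.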
 
JConchieAuthor Commented:
Thanks
0
 
mfiringCommented:
 You could try something completely different.  UseBestMail provides anti-spam protection at various levels, including stamped mail.   There are no false positives and it doesn't censor the mail.

  You can check it out at: http://www.usebestmail.com

  I'm the author and just getting started.  Let me know what you think.
0
