Solved

Spam, Spam, Spam, Spam!

Posted on 2004-04-19
Last Modified: 2010-03-05
No, not a call for a Monty Python reunion.........

We are a small (40-50 mailboxes) company running a single Exchange 2000 server.  Lately our spam has shot through the roof.  I am just beginning to look for a blocking solution and would appreciate pointers about what has worked.........and not worked.......for you.  Please give me as much information as you can about pros and cons of particular products.  We don't need a large enterprise capable product, but we can pay for a solution that will work at the scale of our situation.

Note:  No canned reviews please.  Points awarded only for details of your actual experience with a product in a live environment. More detail, more points.

Thanks,

Question by:JConchie
 

Assisted Solution

by:peterb123
peterb123 earned 125 total points
ID: 10861181
I was in the exact same situation, and I decided to use XWall (http://xwall.us/).

Pros:
1. Cost $398.00
2. Easy and fast to set up. It took me less than an hour from start to finish.
3. Easy to configure. You can block by key word, subject, ip, domain, etc. etc.

Cons:
1. No way to set up for automatic exclusions (not that I could find).
2. Will not automatically import exclusions from users' address books.

We have about 53 users, and XWall is blocking approximately 1,400 spams a day (no lie).
0
 
LVL 18

Author Comment

by:JConchie
ID: 10861257
Peter,
What kind of problems have you had with false positives..........non spam being grabbed as spam?  How big has your blocking list become?  Are you still having to manually add to it?
0
 

Expert Comment

by:peterb123
ID: 10861746
XWall comes with some default lists, such as subject header keywords, attachments, etc. If you enable all of their default spam catches, you'll get quite a few falses. So I removed several of their default (suggested) catches.

The first thing I would do, and I did, was ask my users for a domain listing of their larger customers. I then added those domains into my exclusion list, so I had very few problems with deleting legitimate mail. I highly recommend this.

My blocking list (ip's and domains) is pretty large I suppose (since it is done manually). I probably have about 350 or so ips on my list and maybe 150 domains. However, about 70% of our spam is blocked through keywords and html codes.

XWall allows you to subscribe to blocking service lists, but I never checked on those prices.

Every couple of weeks, I'll spend about 20 minutes going through the last day's log and copy and paste the ips of spam blocked by keyword and add it to the host block list. After the first month, about 1% was blocked by host ip/name and I bet by the end of the year, about 70% will be blocked this way.

I wish XWall had an easy way to import and export IP and domain lists so that administrators could share them.

Anyway, for the price, I think it is an excellent product that I would definitely purchase again if I need to.
0
 

Expert Comment

by:peterb123
ID: 10861748
Keep in mind that you can download it and use it for free for 30 days.
0
 
LVL 24

Assisted Solution

by:David Wilhoit
David Wilhoit earned 250 total points
ID: 10861764
www.vamsoft.com

99$ per server, does RBL, reverse DNS lookups, IP blacklists/whitelists, sender blacklist/whitelist, AD sync-up to block invalid addresses, and the new 1.5 beta version does attachment blocking, keyword search filters using Perl expressions (regex), and it takes up about 5 MBs of drive space. I like it :)

D
0
 
LVL 18

Author Comment

by:JConchie
ID: 10862293
Kidego,
Many thanks.......how much time are you spending sorting out false positives and maintaining filters?
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 10862429
false positives? Nobody has reported one yet, although I'm sure there's a few. I use Spamhaus and Spamcop for RBL, I block about 10 or 11 attachment types, and drop the whole message (no viruses!), and I use some keyword filtering, which messages that are caught on that filter get redirected to another mailbox.

How well a spam tool works for you depends greatly on what kind of spam you get, and where it comes from. In my position, most of the spam is coming from known spam lists, so Spamhaus and Spamcop do an excellent job for me, and no falsies. I'm currently dropping over 108,000 messages a day, just on attachment filtering and 1 RBL zone, which is Spamhaus SBL-XBL. Spamcop will get incorporated next week, and will drop an estimated 4000 additional emails a day (yes, my company was TOTALLY covered in spam before I got here!)

D
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 10862438
check the headers of some of the spam messages, find the sending IP address, and check it against www.openrbl.org

D
0
 
LVL 18

Author Comment

by:JConchie
ID: 10862818
Kidego,
Just want to be sure I'm understanding the setup.........Vamsoft's OpenRelayFilter can be pointed to both the Spamhaus filter list and the Spamcop one?  So far, this solution seems like a cheap way to make quite a dent in our spam volume.

We are currently running TrendMicro's full AV suite.........and the ScanMail component does a nice job of nailing bad attachments.........does anyone out there have experience with Trend's Spam component?
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 10863319
Yes, you can point it to up to 5 zones, but some zones get too aggressive, and you'll get an unacceptable level of false positives. Stick with a max of 3, and see how it goes for a while.

And screw eManager, it's a turd...even by their own accounting. ScanMail however, is my fav AV product. It does do a nice job with attachment blocking.

d
0
 
LVL 1

Expert Comment

by:John_Q_Jr
ID: 10864079
I have another solution that is different from the norm. Use a pre-built ISP-style mail filtering company to filter your mail for you. This is a surprisingly successful solution. A few companies that offer this service are:
http://messagelabs.com
http://ensynch.com
These are by no means the only people that do this, do your homework for more information.
The biggest benefit can be the cost savings.
0
 
LVL 18

Author Comment

by:JConchie
ID: 10864170
John,
Do you have experience with either of these companies?
0
 
LVL 18

Author Comment

by:JConchie
ID: 10864184
PS........I'm looking for input from people who already have "done the homework"........that's what the points are for  :-)
0
 
LVL 1

Accepted Solution

by:John_Q_Jr
John_Q_Jr earned 125 total points
ID: 10864787
JConchie -

I wasn't really looking for the points, just offering a suggestion, but I'm a sucker for points  . . . so here you go.
I hate spam!

Messagelabs has some good general information below; here are the links you should check out.
Ensynch's information is more specific and technical.  (It's posted below)
I have had experience with both on the Sales front. I can tell you one is much cheaper than the other (Ensynch), but MessageLabs provides more product.
I did use Ensynch Mail bagging system and it does work, you have to spend a little time creating white-lists, but after that it routinely tagged about 99% of the inbound SPAM. One shortcoming is that they don't archive the tagged messages for you, would be nice if they did for that moment when you need a high-priority message you have to retrieve.


http://messagelabs.com/binaries/Casestudy%20Marshall%20AS.pdf
http://messagelabs.com/binaries/ManagedServices.pdf


Ensynch’s mail-bagging system uses two distinct tools. The first, SpamAssassin, utilizes a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email. The spam-identification tactics used include:

  • header analysis: spammers use a number of tricks to mask their identities, fool you into thinking they've sent a valid mail, or fool you into thinking you must have subscribed at some stage. SpamAssassin tries to spot these.
  • text analysis: again, spam mails often have a characteristic style (to put it politely), and some characteristic disclaimers and CYA text. SpamAssassin can spot these, too.
  • blacklists: SpamAssassin supports many useful existing blacklists, such as mail-abuse.org, ordb.org or others.
  • Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it.

Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application.

The second, Sophos, is designed to block the viruses contained within the email. Virus scanning is fairly intensive, so emails are only checked after they are checked for spam. The Sophos virus scanner analyzes the incoming email for viruses from a database updated every 5 minutes. The virus scanner even checks multi-layered compressed/archived files for embedded viruses. Visit www.sophos.org for more information on the solution.

NOW that's worth some points?
0
 
LVL 18

Author Comment

by:JConchie
ID: 10869247
J Q......... :-)  yeah, it is.......not to worry, you will be among the chosen when I wrap this one up.....thanks both for the product detail......and for the further education on spam catching.
0
 
LVL 18

Author Comment

by:JConchie
ID: 10893140
Kidego,

Our Exchange 2000 server sits behind a SonicWall firewall which points SMTP traffic to the specific  lan ip address of the exchange server...........is this going to be a problem with the vamsoft filter?
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 10942770
So what did you decide to go with?

D
0
 
LVL 18

Author Comment

by:JConchie
ID: 10943583
Did the vamsoft, with SpamCop and Spamhaus, so far........in 36 hrs. it is blocking about 27 % of our email total....fair bit of spam still coming through, we are going to have to look at other methods too, but it has made a noticeable reduction for everyone.

On another topic, have a look at my question at :
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20971186.html

I suspect that you may have some ideas, :-)
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 10944755
Check the IP addresses of the spam that's slipping thru, by looking at the internet mail header. Run that IP against www.openrbl.org

I'll bet there's a zone that would catch the majority of your spam. there's also some very cool Perl regex for doing attachment blocking and word searches. You using the 1.5 beta, right?

D
0
 
LVL 18

Author Comment

by:JConchie
ID: 10950034
Using 1.5  Already blocking attachments with our TrendMicro ScanMail

Just tried putting a few ips into openrbl.org  .....seems like some of this spam is going through 2-3 ip addresses.....I'm assuming that it is the last address that relayed it that I want to check.....anyway, when I look at the results from openrbl.org, I'm unclear about what to do next...."I'll bet there's a zone that would catch the majority of your spam."...........could you explain that a bit more for me please.
Thanks,
Jim
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 10951811
look for the IP address that delivered the message. When you're looking in the headers, obviously you don't care about your own external IP, you want to see which IP delivered the message to your external IP. When the results come back, see what zones the IP tested positive for, should be something like, x positive, y negative.

D
0
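The header check described in the comment above, as an added example that is not part of any post in this thread: it picks the IP that handed a message to your own border server out of the Received headers, builds the reversed-octet DNSBL query name, and tallies which zone lists the most senders across a batch of missed spam. The zone DNS names, host names and sample headers are constructed assumptions, and the resolver is passed in so the logic can be exercised without DNS.

```python
import ipaddress, re, socket
from collections import Counter
from email import message_from_string

# Lists named in the thread; these DNS zone names are assumptions.
ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net"]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def delivering_ip(raw, our_hosts):
    """Return the IP that handed the message to our border server, or None."""
    for header in message_from_string(raw).get_all("Received", []):  # newest first
        flat = " ".join(header.split())
        by = re.search(r"\bby\s+(\S+)", flat)
        if not by or by.group(1).lower().rstrip(";") not in our_hosts:
            return None  # stamped by a host we do not run: forgeable, stop
        m = BRACKETED_IP.search(flat.split(" by ", 1)[0])
        try:
            ip = ipaddress.ip_address(m.group(1))
        except (AttributeError, ValueError):  # no bracketed IP, or not a valid one
            continue
        if not any(ip in net for net in INTERNAL):  # skip firewall/LAN hops
            return str(ip)
    return None

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def zone_tally(messages, our_hosts, zones=ZONES, resolve=socket.gethostbyname):
    """Count, per zone, how many messages came from an IP that zone lists."""
    tally = Counter()
    for raw in messages:
        ip = delivering_ip(raw, our_hosts)
        for zone in (zones if ip else []):
            try:
                answer = resolve(dnsbl_name(ip, zone))
            except OSError:  # lookup failed (NXDOMAIN): not listed in this zone
                continue
            if answer.startswith("127."):  # listings answer inside 127.0.0.0/8
                tally[zone] += 1
    return tally

# Constructed sample: internal hop, border hop, then a header the sender forged.
OUR_HOSTS = {"exch01.example.local", "mx.example.com"}
SAMPLE = (
    "Received: from fw ([192.168.1.1]) by exch01.example.local; Mon, 19 Apr 2004 10:00:02 -0700\n"
    "Received: from mail.sender.test ([198.51.100.23]) by mx.example.com; Mon, 19 Apr 2004 10:00:01 -0700\n"
    "Received: from bank.test ([203.0.113.9]) by mail.sender.test; Mon, 19 Apr 2004 09:59:00 -0700\n"
    "Subject: constructed sample\n\nbody\n")
```

Running `zone_tally` over a folder of spam that slipped through shows which zone would have caught the most of it, which is the basis for choosing the few zones to enable in the filter.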
 
LVL 18

Author Comment

by:JConchie
ID: 10951896
Thanks
0
 

Expert Comment

by:mfiring
ID: 11476545
 You could try something completely different.  UseBestMail provides anti-spam protection at various levels, including stamped mail.   There are no false positives and it doesn't censor the mail.

  You can check it out at: http://www.usebestmail.com

  I'm the author and just getting started.  Let me know what you think.
0
