Slashdot Mirror


Spam Filtering For Small/Medium Business?

or_is_it writes "The company I work for has been growing dramatically and I've been charged with the task of being the gatekeeper for our GFI Spam filters. This involves manually inspecting the subject line/to/from for all caught messages in each filter rule folder. For a company of about 50 people, in one day the number of spam messages can exceed 2,000. Neglect it for a day and you end up with quite a task on your hands. I've made the rules lax enough so important messages can go through, along with a few stray spams, for which I get bitched at. Tighten the rules up and then maybe an important time-sensitive email never gets to its intended recipient, and I get bitched at. Manually reading through all those subject lines is supposed to prevent that, but I'm only human and genuine messages can easily get overlooked. How do larger organizations deal with the spam issue? I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution. Purchasing a different commercial mail filter product is a possibility, but I'd like to hear some anecdotal evidence before jumping ship."

453 comments

  1. Despite other issues by Anonymous Coward · · Score: 0, Funny

    I just run my mail through a google account and it does great spam filtering.

    1. Re:Despite other issues by Dan541 · · Score: 3, Insightful

      Why do people keep suggesting gmail as a viable option?

      It's really not that good.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    2. Re:Despite other issues by neokushan · · Score: 2, Interesting

      I'm not really "in the know" of what's good or bad when it comes to spam filtering packages, but in the years I've been using gmail, I'd estimate maybe less than 20 emails that have hit my inbox have been spam. It only happens to me once every couple of months and I get around 100 pieces of spam a day, so I'd say that's pretty good.
      As for the "false positives", only the most dubious of mailing lists seems to get caught (I still regularly check my spam just in case) and when I report them as "not spam", they never get mistaken for spam again, so I can't really complain either.
      I'm not disagreeing with you, I'm simply just curious as to what makes it bad? Have I just been fortunate enough to not have any major problems or is there something that it should (or shouldn't) do when it comes to corporate use?

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    3. Re:Despite other issues by SerpentMage · · Score: 1

      I have the option of running my own email server, or using Google hosting... It really is not that much anymore a matter of cost (reasonable). The reality is that SPAM is a ROYAL PAIN IN THE ASS!

      GMail actually does a really good job. I am very impressed. So what I did was move our domain to hosted Google Apps. That gives you the benefit of your own domain, while still getting the look and feel of Gmail.

      Besides their search business, this single feature of Google I find very compelling. Google REALLY knows how to take the pain of administration from your shoulders.

      Do I use the spreadsheet, or docs? Naahh... Not a chance. Too simplistic...

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    4. Re:Despite other issues by MoeDrippins · · Score: 1

      Probably because for them, it works? Maybe for you it doesn't, but unilaterally declaring "it's really not that good" doesn't make it so.

      --
      Before you design for reuse, make sure to design it for use.
    5. Re:Despite other issues by Dan541 · · Score: 1

      Someone's never heard of personal opinion I see.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    6. Re:Despite other issues by mikey1134 · · Score: 1

      I think what the parent is getting at is that free webmail accounts are not an answer to a corporate spam problem. You can't just set up gmail accounts for everyone and call that a solution.

      --
      <gir voice> I love this sig... </gir voice>
    7. Re:Despite other issues by jelle · · Score: 2
      "You can't just set up gmail accounts for everyone and call that a solution."

      Of course... It's not like google offers special services for exactly that, either free or paid...

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
    8. Re:Despite other issues by Anonymous Coward · · Score: 1, Interesting

      Why do people keep suggesting gmail as a viable option?

      It's really not that good.

      GMail is a viable option now that it has IMAP support. My small business uses it for several reasons:

      1) It is a hell of a lot easier to maintain for me (sysadmin)
      2) It comes with a webmail interface.
      3) I don't have to have redundant mail servers
      4) Even our marketing guy can set it up. It's that easy
      5) I get a lot of spam on my personal account, it filters it like a charm. I never get false positives and only once or twice will a spam message get through to my inbox.
      6) It is free (as in beer) for businesses with fewer than 50 employees

      That is why GMail is a viable alternative for small business.
    9. Re:Despite other issues by letxa2000 · · Score: 1

      Just get a Bayesian filter for your enterprise and call it done.

    10. Re:Despite other issues by Anonymous Coward · · Score: 0

      Actually, technically I'm talking about Google Apps. Google Apps is great for small business.

    11. Re:Despite other issues by Anonymous Coward · · Score: 0

      One thing alone, not truly related to spam filtering, makes gmail useless for at least my company:

      They silently delete emails with various attachments, including .zip attachments.

      This makes performing technical support a nightmare.

    12. Re:Despite other issues by MoeDrippins · · Score: 1

      You asked the question, indicating your desire to have an answer.

      Or were you just showing your coolness by taking a cheap shot at something that works for others?

      --
      Before you design for reuse, make sure to design it for use.
    13. Re:Despite other issues by LiquidFire_HK · · Score: 1

      In my experience, Gmail's filtering is really good. I've been using it since it started service and I've only gotten 2 false negatives so far, and 0 false positives (that I know of, though I routinely look through the spam to check for such). And I've been very careless of where I post the e-mail address, so it's probably in just about every spam list.

      Granted, that's only my personal experience, and for a corporation using Gmail is probably not the best option.

    14. Re:Despite other issues by EmotionToilet · · Score: 1

      Because for those of us who have been using it for the last few years, we've realized just how amazing it is, and if everyone used gmail then spam would almost cease to exist as a problem.

    15. Re:Despite other issues by Anonymous Coward · · Score: 0

      what is wrong with gmail?

      i use it and love it

    16. Re:Despite other issues by markb · · Score: 1

      I just tried sending a zip attachment to my Google Apps email, and it worked fine.

    17. Re:Despite other issues by Anonymous Coward · · Score: 0

      gmail seems to do far better with gmail addresses than it does for other addresses forwarded to gmail. I guess it's to do with the number of identical emails they get or something. I never got any spam in my gmail inbox until I forwarded my work email there and now I get 1-2 a day

    18. Re:Despite other issues by Kalriath · · Score: 1

      Don't use Gmail then - Postini (bought by Google) is actually quite impressive. Users can log in and browse through the spam and decide if they want to deliver it or not, they can receive an email listing all the spam at the end of the day and asking if they want to deliver any of it (for those pesky false positives), it does Virus filtering, you can control the aggressiveness of the spam filter, reporting is great, it can archive users email (for those companies that need to), and you can whitelist people that actually don't spam you.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    19. Re:Despite other issues by hesiod · · Score: 1

      Someone's never heard of "stop burying yourself" I see.

    20. Re:Despite other issues by andyKucharski · · Score: 1

      1) you get rid of all your SMTP hardware and don't have to worry about keeping it up
      2) you push the responsibility of managing spam to the users (problem in the original post)
      3) admin interface is easy and there is no impact other than training your users (google help is good)

      CONS:
      1) if you manage the IT in your shop it can be perceived as "giving up"
      2) google apps email does go down more than you'd think (haven't tried the paid version)
      3) computer reads your message to put relevant ads - some people don't like this but it goes away in the paid version

  2. Client-based? by Gaxx · · Score: 5, Informative

    To be honest, for somewhere of that size I'd be tempted to use some sort of client-based filtering (along the lines of spambayes [http://spambayes.sourceforge.net/]) which would put the power and responsibility in the hands of your users.

    --
    -- Gaxx
    1. Re:Client-based? by TheCodeFoundry · · Score: 1

      I've used a client based solution in the past, Cloudmark. It was a very good solution, but required user intervention and wasn't really cost effective for small-medium sized businesses.

      My company switched to using MXLogic and we absolutely love it. Previously, I was receiving 100 spam emails a day; one spam email now leaks through maybe a month. It is probably the best spam solution we have used. We have tried Barracuda, Postini and others, but MXLogic was the best solution.

      (No, I do not work for them. Yes, my company resells their service)

    2. Re:Client-based? by gravyface · · Score: 1

      Postini does this and all, for ~30 bucks a year per user. Plus, you're not using your cycles and bandwidth to do the dirty work: it's all done upstream before it even hits your network. Users can maintain their own white/blacklists, plus, they get a quarantine email sent daily that lists all the spam that was trapped over the last 24 hours, with an option to click "deliver" to send to their inbox immediately should a false positive be spotted.
      Another plus is outbound filtering: we route all our outbound mail through Postini (coupled with dropped LAN-side SMTP traffic), protecting us from getting blacklisted should a nasty spambot find its way on our network.

      --
      body massage!
    3. Re:Client-based? by DetpackJump · · Score: 1

      We're about the same size company, but get around 7k spam messages a day. We use GFI, with spambayes installed on the few clients who get the most spam, and things work great. GFI is fantastic once you get it tweaked to your needs.

    4. Re:Client-based? by Anonymous Coward · · Score: 0

      Ever since they were bought by Google, Postini has gone downhill fast. We have used Postini for a long time and its quality has gotten so bad that we are actively searching for a better solution.

    5. Re:Client-based? by holophrastic · · Score: 4, Interesting

      Pardon me, but I just don't see the "size". I personally (and professionally) receive well over 3'000 spam e-mails each and every day. I take about three to five minutes to run through them. For 6'000 in two days, I take four to seven minutes.

      I do it without a spam filter of any kind. I have only two techniques.

      First, simple rule-based filters throw clients and friends into their own folders by from: line alone. That covers everyone I know in advance.

      The second set of rules simply looks for my full name, my company name, my e-mail signature, my telephone number, or my mailing address. These go into the "it's damn likely a legitimate e-mail" folder. This folder gets about 2 spam e-mails per week.

      The remaining I simply run through, in outlook express of all clients. Sorting wins the day. The greatest trick? Sort by the to: field. It doesn't take long to see that 75 messages went to moocow@mydomain.com, 75sevens@mydomain.com, or some other horribly malformed address that doesn't exist. Sorting by subject does similar things -- like give you "70% off . . ." which get selected and deleted in a block of one hundred at a time.

      Your spam has very simple patterns to look for. Sort by them, click the first, shift-click the last, and hit delete.

      Last year, I was contracted by Viagra's H.R. department to do some quick work, I made it through unscathed.

    6. Re:Client-based? by Eggplant62 · · Score: 3, Interesting

      I've seen Postini-filtered mailboxes. Don't bother.

      Only solution that I know works is my own: Postfix with amavisd-new, spamassassin, clamav, postgrey, along with FuzzyOCR on smaller installs, though setting that up on a separate system to filter through might cover a large organization. Don't forget to include things like Spamhaus' Zen list, any of the *.countries.dk.net blocklists to filter out any geographical areas from which you don't expect legitimate mail, and also helo filtering--if the connecting mail server can't say helo/ehlo with something that resolves in DNS, it can just bugger right off.

      Tell your boss that expecting not to lose email with spam filters in place is unreasonable, and that tasking one human to eyeball all the rejects is a serious misapplication of time and money.

      Best of all, you should educate your boss to realize that email is not a reliable messaging system. There are far too many points of failure that could cause a message to be lost, most of them being outside of your own or your company's control. There exist many better ways to send time-sensitive material, like fax, overnight mail, and telephone calls. If a severe amount of money is to be lost because an email didn't make it on time or made it not at all, then the message should have been sent over a more reliable medium in addition to being emailed.

      Only the severely clueless would rely on a system like the one you have set up. You have to allow for a certain failure rate in any system. That's a basic principle of quality control methods that have been in use for decades.

    7. Re:Client-based? by zimmy6996 · · Score: 0, Troll

      Forget client based ... That is useless ... Try a hosted solution! ONLINE SPAM SOLUTIONS - WE STOP SPAM, YOU DO NOTHING http://www.onlinespamsolutions.com/ They provide hosted solutions for as low as $9.95 per month! Amazing value for businesses looking to filter 1-250 boxes.

    8. Re:Client-based? by Wdomburg · · Score: 1

      Cloudmark isn't just a client based solution. They offer a wide variety of server-side (e.g. Exchange and Spam Assassin plugins) as well as full edge solutions.

      That said, I've also had pretty good experience with MXLogic. Definitely solid choice for external filtering.

    9. Re:Client-based? by Kalriath · · Score: 1

      Ironic that in a story about spam, you are spamming about an anti-spam solution.

      Personally, I avoid any company that uses spam-vertising like yours (and if you think we believe you aren't affiliated with them like you claim in your other post when your only posts are about them, you're mad).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    10. Re:Client-based? by sigipickl · · Score: 1

      Why not bother with Postini? I would like to hear about your experience with it.

      I have over 4000 mailboxes protected by Postini with nothing but positive results. Such good filtering that the end users actually call the helpdesk when they get a spam email, and that is about 2 times per week. Currently, Postini is blocking anywhere from 30,000-60,000 spam messages/day. I'd be satisfied with a 99% block rate, I'm stoked with a 99.999% block rate.

      We have maximum protection (5/5/5) on by default for most users, and get very few false-positives. When there is a false-positive, it is normally a solicited bulk message. I have yet to see a legitimate person-to-person email get flagged as spam.

      On average, I spend maybe 2 hours per month managing spam filtering. The efficiency in man-hours alone has paid off our investment many times over.... with no software or hardware to manage.

      I am in no way affiliated with Postini and own no stock in Google (owner of Postini).

      --
      Never trust anyone who takes pride in being called a 'geek'....
    11. Re:Client-based? by trupoet · · Score: 0

      We use MXLogic as well and it seems to work well. We still see one or 2 spam emails come through once in a while.

    12. Re:Client-based? by BagOBones · · Score: 1

      You get 3000 to 6000 spam a day, unfiltered and you are telling me it only takes you four to seven minutes to process it all manually?

      You either get very obvious spam or are a spam processing machine.

      I find the spam that each individual gets tends to be very unique in our system. Sure some you can dismiss by the sender or subject alone but we are increasingly seeing messages that are hard to spot off the bat.

      I really wish more organizations would use SPF and DomainKeys correctly so that spoofed senders were not as much of an issue.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    13. Re:Client-based? by smyle · · Score: 1
      The problem from a system administrator's POV here is bandwidth. Why receive and process 30,000 spam messages per day (that's about average here), when it's trivial to reject them with greylisting and zen.spamhaus.org. Sure, we run rules on the ones that come through after that point, but receiving them knowing you're going to throw them out is ridiculous.

      Last year, I was contracted by Viagra's H.R. department to do some quick work
      I can't believe nobody has touched this. Maybe it's just too easy?
      --

      Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann
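Eggplant62's and smyle's comments above describe turning mail away before content filtering using HELO checks, the Spamhaus Zen list and greylisting. The following Python sketch is an added example, not code from any poster and not Postfix or postgrey code; it shows the decision order those checks imply. The function names, the 300-second delay and the DNS table are assumptions constructed for illustration.

```python
"""Pre-content-filter SMTP checks: HELO sanity, DNSBL lookup, greylisting.

Added illustration only. DNS answers come from a constructed table so the
script runs offline; a real deployment would query a local resolver.
"""
import ipaddress
import re

DNSBL_ZONE = "zen.spamhaus.org"   # blocklist named in the thread
GREYLIST_DELAY = 300              # seconds a new triplet must wait (assumed value)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in 127.255.255.0/24 report a query error (for example a
# refused public resolver), not a listing. Counting them as hits rejects all mail.
DNSBL_ERRORS = ipaddress.ip_network("127.255.255.0/24")

FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """DNSBL convention for IPv4: reversed octets followed by the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this sketch handles IPv4 clients only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listing(answer):
    """True only for 127.0.0.0/8 answers outside the error range."""
    ip = ipaddress.ip_address(answer)
    return ip in LOOPBACK and ip not in DNSBL_ERRORS


class Greylist:
    """Defer the first attempt for each (client, sender, recipient) triplet."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def allow(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        return now - first >= self.delay


def decide(session, resolve, greylist):
    """Return (action, reason); cheapest checks run first."""
    helo = session["helo"]
    if not FQDN.match(helo) or not resolve(helo):
        return "reject", "HELO name is not a resolvable hostname"
    answers = resolve(dnsbl_query_name(session["client_ip"]))
    if any(is_listing(a) for a in answers):
        return "reject", "client address listed in " + DNSBL_ZONE
    if not greylist.allow(session["client_ip"], session["sender"],
                          session["rcpt"], session["time"]):
        return "defer", "greylisted, retry later"
    return "accept", "hand over to content filtering"


# Constructed DNS data (documentation address ranges, not real lookups).
FAKE_DNS = {
    "mail.example.org": ["198.51.100.10"],
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.4"],          # a listing
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # an error answer
}

# Constructed sessions: (time, client_ip, helo).
SAMPLE = [
    (0, "192.0.2.50", "FRIEND"),               # HELO is not a hostname
    (0, "192.0.2.7", "mail.example.org"),      # listed client
    (0, "203.0.113.9", "mail.example.org"),    # DNSBL error answer, new triplet
    (0, "198.51.100.10", "mail.example.org"),  # clean, first attempt
    (60, "198.51.100.10", "mail.example.org"),   # retried too early
    (400, "198.51.100.10", "mail.example.org"),  # retried after the delay
]


def run_demo():
    """Run the sample sessions and return the action taken for each."""
    greylist = Greylist()
    resolve = lambda name: FAKE_DNS.get(name.lower(), [])
    actions = []
    for when, ip, helo in SAMPLE:
        session = {"time": when, "client_ip": ip, "helo": helo,
                   "sender": "alice@example.org", "rcpt": "bob@example.com"}
        actions.append(decide(session, resolve, greylist)[0])
    return actions


if __name__ == "__main__":
    for sample, action in zip(SAMPLE, run_demo()):
        print(sample, "->", action)
```

Only the last session reaches the content filter, which is the resource saving smyle describes; a "defer" is a temporary failure, so a sending server that queues and retries still gets through.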

    14. Re:Client-based? by eth1 · · Score: 1

      Not sure why you say don't bother. I have nearly 100,000 mailboxes behind Postini, including, of course my own. I haven't had a SINGLE SPAM hit my inbox the entire time I've been working here (almost two years). Yes, I do get some false positives (I have the filters turned up to max), but the nice thing about Postini is that it sends a daily summary of your quarantine, so I spend about 5 seconds scanning the email, and can deliver false positives via a hyperlink.

      Currently, I can't run a comprehensive report for all users, but here are some stats for a subset of "only" 53,000 for April:

      over 409 million emails totaling over 2TB
      only 11.4 million forwarded to inboxes (2.8%)
      341 million blackholed, and 56.7 million quarantined.

      It ain't bad at all. We used to do this ourselves, but scaling that environment up to our current volume would mean about 30 Linux/sendmail frontend relays with Spamhaus datafeed feeding 30 front-end Tumbleweed filter boxes with about 12 back-end/logging servers. Very expensive and a *lot* of headaches.

    15. Re:Client-based? by holophrastic · · Score: 2, Interesting

      There's no way that I'll ever configure my server for any anti-spam technology based on the destination server requiring more of the source server after successful receipt.

      If I mail a letter to you, and you don't like the return address on the back of the envelope, you can do with it whatever you please, but it's not my responsibility to ensure that you'll open your mail. It is my responsibility to deliver your mail. If you don't like the colour of the envelope, that's your problem.

      I have a lot of clients who routinely call me saying that one of their messages bounced from some server that says their message won't be delivered for one reason or another. The server received it, and then chose to request that I reconfigure mine. That's just not going to happen. I'm not going to reconfigure my server because another server admin wants me to make his life easier. My server is configured for my reliability, not his ease.

      As for my being a spam processing machine, it's actually a lot easier when you get a lot more spam. If I received only 1'000 per day, it would be difficult. But by the time you cross 2'000 spam messages per day, it becomes a lot easier. And by 4'000, it's just funny.

      For example, you may find it hard to tell if an e-mail is real by the subject. But if you've received the same subject three times, at three different addresses, it's spam. So when you sort 1'000 messages, how many are duplicate subjects? When I sort four thousand, there are loads of duplicates.

      So I've actually got a bunch of extra addresses that I use loosely enough to be spammed thoroughly. It adds to the bulk, and makes sorting easier.

    16. Re:Client-based? by holophrastic · · Score: 1

      Heh, I'm surprised too, now that you mention it.

      Here's the reason. First, and simply put, grey-listing and every other technique isn't free. They consume resources. And I'll bet that they consume about the same amount of resources as a user actually accessing the message like any other.
      But that's not the reason.

      The reason is that I'm not running some charity e-mail service that people are all-too-happy to have. I'm running a business and providing quality products and services, and guarantee their reliability.

      Right now, I guarantee that every e-mail is delivered, without fail. I run a conservative operation of about 6'000 e-mail accounts. Most anti-spam technologies run at a 99.97% true-positive rate. That basically means that 3 in every 10'000 messages is marked as spam when it shouldn't be. I process an average of 100 messages per account per day. That means 600'000 messages per day. That means that there will be approximately 180 false positives every day.

      That means that my clients will lose out on 180 legitimate e-mail messages every day! I don't have the customer-service department to solve that. I don't have the mobile phone plan to solve that. And I don't have the training department to teach clients to find lost messages. And I certainly don't want 180 clients upset each and every day, and have them calling me in that state.

      Now, about once a week someone calls me to say that they get a lot of spam. I ask them what they think is a lot. They usually say 80 messages per day. The delete key is readily available, and there is no chance of a paper cut. Those that continue to contest, get to answer the big question -- how many legitimate e-mails are you willing to lose in a year? If their magic number is fewer than 10, they won't be happy with anti-spam. If they insist, I get to have them sign something that says I'm not responsible for missing e-mail -- i.e. they can never call me to say that someone sent them an e-mail, and it never arrived. They've asked me to delete their e-mail willy-nilly.

      In the end, most of my clients are business owners. Losing 9 e-mails per year is simply unacceptable. And my line of "we deliver all of your mail, guaranteed" goes over very well.

    17. Re:Client-based? by smyle · · Score: 1

      Here's the reason. First, and simply put, grey-listing and every other technique isn't free. They consume resources.
      Absolutely true.

      And I'll bet that they consume about the same amount of resources as a user actually accessing the message like any other.
      This is where we differ. First of all, even with inefficient methods, CPU-time is cheap compared to my hourly rate. It may not be quite as accurate, but it can get close. Secondly, the amount of system resources we used on spam processing dropped to less than 10% of what it was before we started using Zen, SPF, and greylisting. In other words, they are very efficient uses of CPU time. Additionally, in the cases of greylisting and SPF, they are breaking RFCs if a legitimate mail server doesn't handle them correctly.

      I run a conservative operation of about 6'000 e-mail accounts
      ...and...

      I don't have the customer-service department to solve that. I don't have the mobile phone plan to solve that. And I don't have the training department to teach clients to find lost messages.
      ...don't jive. If you're running that many accounts, you should have some help-desk staff.

      We run Maia Mailguard for our clients (we only have a few hundred accounts). They can either process them for themselves and we will teach them how to do it, or they can call us and we'll do it for them. I agree with you that mail shouldn't be "dropped on the floor", and that's why we use Maia. It holds onto the mail it detects as spam for a configurable period of time (we use a month). Now *those* I can go through in just a few minutes and see what it detected as spam that isn't.

      I'd also be willing to bet (not that I could prove it one way or the other) that you have at some point deleted legitimate mail. Your buddy sends a message with a subject of "Hi Joe" (or whatever your name is) on the same day a batch of spam with "Hi [firstname]".

      One last point. Our clients are small businesses, too, who don't like to lose legitimate mail. However, most (as in well over 95%, and probably over 99%) e-mail is with people with whom they already have a business relationship, rather than new sales leads. In the case of the former, a missing e-mail is usually easily detected (e.g. "why haven't you answered my question about xxx?") and our system lets them (or us) fix that problem quickly and easily.

      --

      Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann

    18. Re:Client-based? by holophrastic · · Score: 1

      Yeah, I'm with you all the way. But I still have no customer help desk, and don't want one. 30 clients, 60 domains, 6000 e-mail accounts, all guaranteed to work, and no help desk to speak of -- of course they can call 24/7/52, and get all the help they need, but I could never handle any significant number doing so. E-mail is not one of the services that I support -- it's one of the added value additions that I include, and it's guaranteed to work the way e-mail should -- not more so.

      As for deleting legitimate e-mail, it's not that I've never done it I'm sure, but it's different when I screw up as a result of my own hand, than when a process upon which I rely fails. If I'm expecting some weird e-mail from someone, I can find it. But if it's possible that the machine dropped it on the floor, as you say, which I love, then by the time I realize that the anti-spam system may have taken it, it'll have been too late to do anything with the e-mail.

      Yes most of their e-mail is from existing clients, and yes between telephones and more e-mail someone will realize. But days go by. And new clients are the growth of the business.

    19. Re:Client-based? by jon3k · · Score: 1

      We recently purchased three IronPort C150's with 3 years of service and 3 years of platinum support for about half the price Postini charges and it also includes Email Encryption (they acquired the old PostX software). The email encryption is pretty slick. It will pick up on socials, aba routing numbers and anything in any dictionary you upload (ships with a pretty robust HIPAA dictionary we're using now). Spam filtering is phenomenal, includes Sophos anti-virus and the web interface for it is sweeeeeet.

      I used to run 3 fedora mail exchangers with clamav and spamassassin and every time I realize how much of a hassle it was relative to the IronPorts I just want to hang myself for not doing this sooner.

    20. Re:Client-based? by jon3k · · Score: 1

      #1 You're lying, no one can go through spam that fast
      #2 Even if that was all in fact true, I spend zero minutes a day dealing with spam (IronPort)

      By the way, even if it was true (and it's obviously not) and we take an average of 4 minutes per day to deal with spam, that means you give up an entire 24-hour day per year to spammers or three entire work days.

      Now, consider that most spam solutions cost about $20-$50/user/year and you're wasting three entire business days dealing with spam, all of a sudden your system doesn't sound so ideal.

    21. Re:Client-based? by holophrastic · · Score: 1

      keep reading pal. can't handle the customer service of "I'm not getting my e-mails" for all of the false-positives.

      and again, when you get more spam, it gets easier to find spam, not harder.

      and 24 hours per year is no big deal for 20% of my communication. if it isn't important enough to you, then by all means let someone/something else do it for you.

    22. Re:Client-based? by jon3k · · Score: 1

      I spend 0 hours per year.

      How do you not understand this? This problem has been solved with software.

      1. Spam filtering software stops 99.x% of spam, the rest is put in a quarantine and held for X days (user configurable)
      2. User says "OMG!!1oneone!1 I cant findz muh emailzz!11"
      3. You remind user of where they can login to view e-mails marked as spam (normally a pre-written e-mail, copy->paste)
      4. User logs in, finds message, clicks "deliver e-mail"
      5. You go back to browsing horse porn

      Do you not understand that this is how multi-billion dollar international businesses work? I'm not sure who you are or who your clients are, but I promise that their communications aren't any more important than some of the THOUSANDS (millions?) of people who use a system that functions as outlined above.

    23. Re:Client-based? by holophrastic · · Score: 1

      Two things. First, your list costs me money already. #2 results in my client being upset. #3 has me answering the phone at least ten times a day. #4 has me maintaining yet another on-line system, that has its own problems, bugs, updates, patches, security and customer service and technical support.

      You've got the business world backwards. Smaller businesses care more, not less. Multi-billion dollar business can miss an e-mail or two. Hell, most of this just don't answer e-mails in the first place. Small businesses, on the other hand, don't have millions of customers, they have a handful of clients. Just a single e-mail is really all you get from a potential client. Something like "Hi, I saw your ad in the paper, do you sell this type of thing.". If you miss it, it's gone, and you never know. Similarly, if a client is supposed to send something to you, something that's urgent, every hour counts. By the time you realize that maybe it got caught as spam, you've already lost a few hours. It's the difference between getting the e-mail at noon, versus getting it at 8pm.

      So that leaves you, me, and my clients having to read through that quarantine folder every time they check their e-mail. That makes it totally and completely useless.

    24. Re:Client-based? by jon3k · · Score: 1

      Your time costs money, too. In time. I've already illustrated that it's cheaper to outsource it, that is not even a point of contention anymore. The only argument you have left is that you're worried you'll lose a single e-mail.

      Guess what, manual filtering isn't perfect either. If you try and sit there and tell me that you're 100% accurate while you go through thousands of spam PER MINUTE and *NEVER* not even *ONCE* miss a single legitimate e-mail, you're just lying to yourself, because I don't buy it for a second.

    25. Re:Client-based? by holophrastic · · Score: 1

      First, I love the way you refuse to believe that someone else is significantly better than you at something. It's a good bet that you can play baseball, but nowhere near the level of a professional. It's a good bet you can bench-press 100 pounds, but not 400 pounds. So why is it so difficult for you to believe that I can sort through more e-mails than you can? I'm not saying I can handle an infinite number of messages, simply about 1'000 per minute. In this one stupid little skill, I may be more able than are you.

      Second, you seem to be operating under that most popular fallacy that time is money. The truth is that you can only exchange one for the other when you have more of both. It takes time to make a purchase, and it takes money to do things yourself. I don't have the time required to outsource everything, and I don't have the money necessary to do everything myself. Business is an interesting world.

    26. Re:Client-based? by jon3k · · Score: 1

      There is "better than" and "impossibly better than". I don't know why you would think I care about how much better you are than me at sorting spam since I DO NOT DO IT AND COULD NOT POSSIBLY CARE.

      Sorting through 1,000 individual, nearly unique, messages in 60 seconds - we're talking about analyzing 16.6 messages PER SECOND. It is not feasible. It's just not realistic, I'm sorry. Post a video, prove me wrong.

      IF YOU CAN POST A VIDEO OF YOU IDENTIFYING AND SORTING WITH 100% ACCURACY 1,000 E-MAILS PER MINUTE I WILL POST A VIDEO OF ME EATING MY OWN SHOE

      Second of all, if you cannot turn 3 business days a year of your time into more than $50, you are an absolute moron. It's really that simple since you can find spam filtering services for FAR FAR FAAAAAAAAAR less than $50/year/mailbox.

      Third, you're ignoring the point that most of the systems are much better at identifying spam than the average person - especially someone operating at nearly 17 messages per second. You claim their accuracy isn't good enough, implying that yours is better. Impossible. At least not at the rate you claim to process messages.

      In summation, you're either an idiot, or a liar -- take your pick.

    27. Re:Client-based? by holophrastic · · Score: 1

      I'm either an idiot, or a liar, or you're mistaken.

      "Sorting through 1,000 individual, nearly unique, messages in 60 seconds "

      That's not what I said. You don't see your spam, you have no idea what it looks like. As I said originally, once you cross about 2'000 per day, there are a tonne of duplicates. Take your 17 messages per second, and realize that I get identical subject lines. Often five duplicates. Do you think you could handle 4 messages per second? And by the way, legitimate messages kind of stick out when you see a group of four above and a group of three below. Think table striping -- it's not hard to distinguish one line when it's coloured.

      You also have no techniques. I have my e-mail client showing me the information that I need, in an easy-to-see manner. It's not like I'm reading every subject and every address at the letter-level.

      But you have no experience in any of this. So throwing a baseball at 160 Km/h seems crazy unattainable to you, because you can't even reach 30. And the rocket that you built can carry a one kilogram payload 50 meters into the air, so a space shuttle is also impossible.

      As with any technology, you'll find that "the study of technique" tends to produce new techniques. Coupled with the realization of threshold effects (like terminal velocity, escape velocity, and duplicate spam) things that first seemed logically impossible become a matter of course.

    28. Re:Client-based? by jon3k · · Score: 1

      You continue to ignore the fact that you cannot possibly have 100% accuracy, which, was your entire reason for not using spam filtering software in the first place.

      Your numbers are absurd. You're implying that 75% of your messages are duplicates (from ~16 a second to 4 a second).

      NO.

      I'm not sure what else to tell you, just no, that's not true.

      Your analogies are stretched to beyond reason. You are not super human. You are not the Cal Ripken of spam filtering.

    29. Re:Client-based? by holophrastic · · Score: 1

      You don't see your spam. How do you know what it looks like?

      And I do have 100% accuracy, but I only need to be better than the 99.7% accuracy of anti-spam software.

      I also need to expend less time and trouble, and between configuring, trusting, and dealing with the anti-spam measures, it's a pain that I don't want. I also don't want to start challenging people to send e-mail to me, having them do additional work to get a message through. That can often lead to not getting the message at all, or getting it hours or days later. That's not e-mail, that's hand delivery.

      Finally, when I say 75% of it is duplicate, I don't mean that the duplicates are 100% identical. I mean that they are partially identical. Either they have the same subject, or the same invalid to or the same crazy from.

      Take a few days, turn off your spam filter, get up to 4'000 or 6'000 or at least 2'000. Sort by subject, flag the duplicates. Sort by from, flag the duplicates. Sort by to, flag the duplicates. Sort by flag, and you'll notice that the vast majority of the spam that you get is flagged.

      But again, or still, you're not willing to believe that someone else has skill and technique that you lack, in something that you've never done. That's just plain ignorant -- in the proper sense of the word.
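The sort-and-flag pass described in the comment above, as an added example that is not part of the original post: it flags messages that share a subject, a sender, or a foreign recipient with another message, and returns the rest for manual review. The header dictionaries, the `known_senders` exemption and all sample messages are constructed assumptions.

```python
from collections import Counter


def _norm(value):
    """Case-fold and collapse whitespace so trivially varied copies compare equal."""
    return " ".join(value.lower().split())


def flag_duplicates(messages, my_addresses, known_senders=frozenset()):
    """Return (flagged, review).

    flagged maps message index -> list of fields it shares with another message;
    review lists the indices that still need a human look.
    """
    mine = {_norm(a) for a in my_addresses}
    known = {_norm(a) for a in known_senders}

    subjects = Counter(_norm(m["subject"]) for m in messages)
    senders = Counter(_norm(m["from"]) for m in messages)
    # Every legitimate message is addressed to "me", so only recipients that
    # are NOT one of my addresses are counted as duplicate candidates.
    recipients = Counter(
        _norm(m["to"]) for m in messages if _norm(m["to"]) not in mine
    )

    flagged, review = {}, []
    for index, msg in enumerate(messages):
        sender = _norm(msg["from"])
        # Assumption: existing correspondents are exempt, otherwise a client
        # who writes twice would be flagged by the "same from" rule.
        if sender in known:
            review.append(index)
            continue
        reasons = []
        if subjects[_norm(msg["subject"])] > 1:
            reasons.append("subject")
        if senders[sender] > 1:
            reasons.append("from")
        if recipients[_norm(msg["to"])] > 1:
            reasons.append("to")
        if reasons:
            flagged[index] = reasons
        else:
            review.append(index)
    return flagged, review


# Constructed sample quarantine: header fields only, no real addresses.
ME = {"owner@example.com"}
CLIENTS = {"client@known.example"}
SAMPLE = [
    {"subject": "Cheap watches", "from": "a1@spam.example", "to": "owner@example.com"},
    {"subject": "cheap  WATCHES", "from": "b2@spam.example", "to": "owner@example.com"},
    {"subject": "Hello friend", "from": "x@bulk.example", "to": "tobby@example.com"},
    {"subject": "Your account", "from": "y@bulk.example", "to": "tobby@example.com"},
    {"subject": "Win now", "from": "promo@bulk.example", "to": "owner@example.com"},
    {"subject": "Last chance", "from": "promo@bulk.example", "to": "owner@example.com"},
    {"subject": "Saw your ad in the paper", "from": "new@customer.example", "to": "owner@example.com"},
    {"subject": "Invoice question", "from": "client@known.example", "to": "owner@example.com"},
    {"subject": "Re: Invoice question", "from": "client@known.example", "to": "owner@example.com"},
]

if __name__ == "__main__":
    flagged, review = flag_duplicates(SAMPLE, ME, CLIENTS)
    for index, reasons in flagged.items():
        print(f"flagged  {SAMPLE[index]['subject']!r}: same {', '.join(reasons)}")
    for index in review:
        print(f"review   {SAMPLE[index]['subject']!r}")
```

Flagging only narrows the list: without the `known_senders` exemption the two messages from the existing client are flagged as well, which is the failure mode to check for before deleting anything in bulk.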

    30. Re:Client-based? by jon3k · · Score: 1

      yes, you manually sort through spam while the rest of the world lets computer software do it for them, and I'm the idiot.

      First off - I have of course seen spam, I used to run half a dozen sendmail+sa+clamav boxes located in a couple datacenters in the southeast to handle spam filtering. I've seen more than my fair share of spam.

      Second of all, I still doubt you are even 99.7% effective, let alone MORE effective. But it's irrelevant, your original point was you could not afford to miss even a single e-mail, a point you now concede isn't in fact the case at all. Both systems have acceptable levels of failure, the difference is that your way also sucks up valuable time.

      If spammers were as bad as you indicate by your back-of-the-napkin math then we wouldn't even need spam filters, I could write a one line procmail script and end all spam. The fact of the matter is it's not that simple or easily identifiable.

      You seem to be intent on comparing me to you, when the point is I'm comparing what you say to simple reality. I don't care how fast you can sort spam because I'll never do it! Why are you having so much trouble wrapping your brain around that? I'm not impressed because it's not true!

      Prove me wrong, make a video of you sorting through thousands of e-mails with ZERO errors in less than 5 minutes. Or wait no the argument changed, now you just need better than 99.7% failure rate, which, is still a statistic I'd like to see cited somewhere, since I can probably find you spam filtering solutions guaranteeing closer to 99.9%.

    31. Re:Client-based? by jon3k · · Score: 1

      You seem to make such a big deal about the possibility of a single missed e-mail. Are you OCD or something? I don't understand. What happens if your secretary accidentally disconnects a call? Do you immediately fire her and say that since secretaries don't have 100% success rates in delivering communication that they can't possibly be used? It's just silly.

    32. Re:Client-based? by holophrastic · · Score: 1

      As I said, I am 100% accurate, I simply said that you would need not be. Read again.

      Second, and make no mistake, if your anti-spam worked as well as you say, then it would have ended spam long before your one-line procmail script. Nice way to work yourself out of a point. Oh, and incidentally, I have fewer bugs than most software. Or do you think that your anti-spam software has no bugs?

      Now we all know that I'm not going to spend the time to make a video of anything. Not only is that work for me, but you'll undoubtedly be consistent and say that in five hours you could edit down a one-hour process to make it seem like an accurate 5 minutes. Would you have me list the keystrokes too? Submit the raw data of my confidential e-mails? Or would you simply say that your spam is of a different nature and that my techniques couldn't possibly work for the majority of cases?

      It would be idiotic of me to teach you something that you clearly don't want to learn. Not only would I have nothing to gain, but you'd surely find some way to further insult it.

    33. Re:Client-based? by holophrastic · · Score: 1

      Oh, that's easy. I run a small business. I have a total of approximately 30 clients, and only about 5 in active development at any given time.

      I get a few types of calls. I get active clients calling about a change, or a question, or an addition. If I miss that communique, then they call again. Perhaps they are a little upset, but generally they are going to be understanding of just about any problems.

      I also get existing clients calling to start a new project. If I miss that communique, then they may wind up with a work-around or another supplier by the time I find out that I've missed something. When I do speak to them again, I get the expected "you know, I would have liked to have you bid on the project, but these other guys got back to us, and it was an urgent matter." In these cases, I lose out on a project.

      Finally, I get random strangers calling from a reference, referral, ad, or random phone-book/web-site search. If I miss these, I'll never know. These are the ones where someone sends an e-mail request for quotation to a dozen suppliers. If I don't answer it, they won't try me again -- they have 11 others to talk to, and they owe me nothing. I only do about 10 significant projects per year. Each of my clients averages one project every three years. And churn, even in my industry, results in my losing about three to five clients each year as they out-grow me, change their business, lose their business, retire, someone else outbids me, or they otherwise find an alternate solution to whatever problem I was solving for them. So I need to gain a few new clients each and every year. Out of the three-to-five, how many would you be willing to lose?

    34. Re:Client-based? by jon3k · · Score: 1

      If you have that few clients that are that important, explain to them how much you value their business and how unreliable e-mail is, and offer some alternative form of communication. Check in with them regularly. Invest in some type of CRM system for christ sake. What if your e-mail server was down? Or theirs? Or you accidentally deleted their message?

      And you still have yet to prove you have a lower failure rate than spam filtering software while processing 17 messages per second.

    35. Re:Client-based? by jon3k · · Score: 1

      You're also still ignoring the secretary analogy, I'd love to hear your response to that.

    36. Re:Client-based? by holophrastic · · Score: 1

      E-mail isn't unreliable. In fact, it's exceptionally reliable when you configure it to, oh, I don't know, DELIVER YOUR E-MAIL.

      I have no need for a CRM system, because I rarely if ever need to look back on anything. A text file suits my needs just fine. If my e-mail server were down -- which happens for less than 5 minutes per year, then their e-mail server would retry for up to a few days, and they'd get error messages from their own server reporting the delays, as well as any eventual failure. If I accidentally delete their e-mail, I've just done it, and can call to have them resend it -- oh, and my e-mail is backed up in two locations.

      As for _proving_ anything in a chat thread, that's just not going to happen. Suffice it to say that when you search through 6'000 messages, you can quickly delete everything that starts with the name of your not-so-favourite drug. That already culls about 500 in two seconds. That kind of helps you out with the average. And if the e-mail is sent from "Tony Sneider" to "Tobby MacIntosh" and I don't know a Tony Sneider, and I'm not Tobby MacIntosh, then it's also spam. So basically anything that I receive, that was sent to some random person not me, is an easy delete. My name can't be misspelled as "Tobby MacIntosh". Oh, and back-scatter is also easy. If it's a mail send error, and I haven't sent any e-mail recently, then it's carp. And if I have sent e-mail recently, I know the five or fifty e-mail servers, and can easily see in the legitimate from field the original of the back-scatter. Again, that's 200 messages in five seconds.

      But again, I can't prove anything to you if you're just being defensive and couldn't care less. I can only tell you to wait and accumulate 6'000 messages, and see how easy it can be to delete hundreds at a time with simple sorting. You wind up with about a thousand to actually look at, and about 300 to seriously consider. You wind up examining (headers) about 10. And you likely open/fall for 3.

    37. Re:Client-based? by holophrastic · · Score: 1

      You are correct, I guess I dismissed it.

      "What happens if your secretary accidentally disconnects a call? Do you immediately fire her and say that since secretaries don't have 100% success rates in delivering communication that they can't possibly be used? It's just silly."

      First off, I don't rely on people who aren't perfect. Either they are doing things that aren't actually that important, in which case, I suffer with lesser performance, or I double-check everything they do for anything important. Second, I hold people responsible and accountable for their actions. If my secretary makes a mistake, that person finds a way to make it right retro-actively. And yeah, if they can't fix the problem, then I don't work with them anymore.

      In truth, most problems can be fixed by the person who made the mistake. My secretary can call the client, apologize, and help them out with something. If that's what happens, my clients will almost always be happy again. But I can't do it instead. If I apologize for my employee, my client sees me as incompetent -- and rightfully so.

      If my anti-spam solution could fix the problem, then I'd have no qualms about letting it create a problem. But it can't solve a problem. It can't bring back a client who's in the process of walking away.

      My secretary, or really any employee, is a part of my business, and therefore a part of the service that I offer to my clients. My clients get something from them, or could if need be. The anti-spam is simply a convenience tool for me. My clients couldn't care less how difficult my back-office work is, nor could they care about my schedule. Again, rightfully so.

    38. Re:Client-based? by holophrastic · · Score: 1

      But hey, it doesn't stop with e-mail. On the first day of grade 10 science class, so many years ago, my professor said to the class "go out and buy an extra printer ribbon tonight, that won't be an excuse for why your essays are on-time". He went on to list a dozen items like that.

      But you needn't go back to school. As an adult with a job, "car trouble" is not an excuse for not making it to work on-time. It may be tolerated in some scenarios, but missing that big meeting due to car trouble is simply no excuse, and grounds for dismissal. Hey, when public transit goes on strike, it's still no excuse even for people without cars.

      Welcome to the world; no one else cares about your stupid little problems, especially those that result from your taking shortcuts, being irresponsible, or simply not having the experience nor fore-sight to compensate for unexpected problems: traffic, weather, car, sleep, whatever.

    39. Re:Client-based? by jon3k · · Score: 1

      1) You still haven't proven that your system is more accurate than spam filtering, and, much like spam filtering, you don't know if you deleted it. Unless they call you and tell you, in which case it doesn't matter who deleted it, you, or a piece of software.

      2) If you have so few clients, use spam filtering with a white list.

      3) Your explanation of the failure rate of a secretary doesn't align with your explanation of why you don't use spam filtering. Your secretary can't call them back if they don't know who it was. At a 99.8% error rate, which, would be acceptable since to quote you everything just needs to be more reliable than 99.7% this random number you made up for spam filtering, she could disconnect 2 calls in 1,000 and that's ok. But 3 e-mails in 1,000 is not ok. Right? Nothing is perfect, everything has an acceptable failure rate, and you'd waste 3 working days of your life a year to receive one extra e-mail. Good game.

      4) The rest of us will use spam filtering, you can be the crazy 0.00001% that's afraid of technology because it might delete 1 in 1,000 legitimate e-mails, which, for your admittedly small operation is probably like one message every 5 years. All while you waste 3 business days a year dealing with spam. I'll spend mine on a beach.

      Have a nice day.

    40. Re:Client-based? by holophrastic · · Score: 1

      Ok, you clearly aren't reading what I type, so I'm done here. I'll respond this one more time, then you can take the last word, and I won't reply.

      1) It does matter who deletes it, me or a person or a filter. It's called accountability, and someone gets held accountable for such mistakes in business. Also, I don't accidentally delete legitimate e-mail during my spam filtering (I may accidentally hit delete while reading a message, which is easily undone) because I look at every message with due attention. You don't know how, I do.

      2) I have so few clients, for them white-listing would be fine. But white-listing would kill any chance of getting new clients. As I've said three times now, I'm not worried about existing clients nearly as much as I am about missing new clients, err, potential clients, e-mailing me for the first time.

      3) Again, I said that for you, 99.8% would suffice. I also said that for me, 100% will suffice, and not less. 99.7% is not a random number that I made up. It's a random number that most spam filters market to me. Wasting 3 days of my life every year to get one new potential client is a great deal. My average client revenue is approximately $4'000.00 per project, and an average of 5 projects. 3 days of sorting e-mails for $20'000.00 worth of work is a perfectly reasonable sales effort. And if my secretary were to miss two calls, or three e-mails out of every thousand, I'd be incredibly upset. It would be up to that employee to fix the problems, or lose the job.

      4) I am definitely a small operation, but there are a lot of e-mails that go flying around since I work very closely with my clients. I'd probably risk losing about 10 e-mails per year. That's about one per month. And that doesn't even consider all of the customer service and tech support nightmares that I'd have to deal with if I didn't deliver my clients' e-mail to them. I serve well over 6'000 e-mail accounts, and about 600'000 e-mails daily. I'd receive a lot of telephone calls from clients saying that their e-mail doesn't work. I don't have the time to deal with 18 calls every day. And no, they won't go into any sort of quarantine to retrieve it themselves.

    41. Re:Client-based? by jon3k · · Score: 1

      1) No, if the message is deleted, it's gone, be it you, or software. You claim to have a 0% error rate, that's just dumb, I can't believe I'm even responding to that.

      2) It would not "kill any chance of getting new clients". Let's assume your 99.7% is accurate (even though you still haven't cited anything). Now, let's assume that all your clients are whitelisted. This 99.7% only applies to non-whitelisted e-mails. That means, 3 in 1,000 messages will be lost, that could be potential new clients. Are you getting it yet?

      3) So is that a 0.3% false positive, false negative, or both? You're also assuming the legitimate e-mails being tagged aren't from your sister's new e-mail address or the thousands of other avenues you get besides potential new clients. You're saying that every single one of the e-mails missed will be a new client which was guaranteed work. That's hilariously bad statistical analysis.

      4) Again, you wouldn't lose anything white listed.

      So let me get this straight, your clients have no spam filtering whatsoever? You filter their spam for them, or they do? I can't believe someone would rather have to manually sort through 90 pieces of spam to get one legitimate e-mail versus possibly theoretically missing 3 in 1,000 legitimate e-mails.

      The best part is, your secretary (assuming you have one) probably has a much lower than 99.7% success rate and you either don't know it or ignore it. She forgets to file X, or call back Y, or whatever, but somehow that's acceptable. Or how about the number of times a potential client called and got a fast busy! OH DEAR! Well there's a lost potential client. Quick, throw out all your phones.

  3. Barracuda SPAM filter by spacepimp · · Score: 4, Informative

    I purchased a Barracuda for my organization of about 120 employees, and it has been fantastic. I fine tuned a few options on the config and it has blocked about 200,000 emails in the almost two months I have deployed it. There are very few false positives, and very few that get through its filters. I actually get calls of gratitude from the end users about how happy they were not receiving any more SPAM messages. The hardest part was informing the user base of the difference between the mailing lists they were on and SPAM. Barracuda's support has been good as well.

    1. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      HAH - I had the same problem with my users, they just couldn't understand that the "Myhome.ie Monthly Newsletter" or whatever was not in fact spam, they understand perfectly that spam has to be unsolicited .. BUT claim to have never signed up to this newsletter although they are regular users of the site. I say we do away with our users, maybe organize a mass suicide or something? Save us the hassle of dealing with them!

    2. Re:Barracuda SPAM filter by B00yah · · Score: 2, Interesting

      Ya, I rolled a Barracuda out in a similar environment back in 04, and the users couldn't stop singing the praises compared to the filtering our mx offered + my manual filtering. I strongly recommend Barracuda for this size roll-out.

    3. Re:Barracuda SPAM filter by ewwhite · · Score: 1

      I'd also have to recommend the Barracuda. We moved to a Barracuda Spam Filter 300 from Symantec's software product for Exchange. Although we didn't have an issue with Symantec's offering, the Barracuda was cheaper over the long-term and much more configurable. The logging is also a benefit. I think the OP's firm can get by with a Spam Filter 200.

      --
      Edmund White
      http://flickr.com/ewwhite
    4. Re:Barracuda SPAM filter by SlamMan · · Score: 1

      Seconded. We've since outsourced our mail, but back in '06 we purchased a Barracuda for my 200 users, and had nothing but praise. A little spam still made it through (with a spam/ham ratio of 18 to 1, it's impossible to let not a little through), but almost no false positives.

      --
      Mod point free since 2001
    5. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      Agreed. While I normally stay away from commercial products, this one is a winner. The combination of per-user filters plus quarantine of borderline email just solves the problem.

    6. Re:Barracuda SPAM filter by Astralmind · · Score: 1

      The problem I've noticed with Barracudas is they seem to like to accept then bounce emails. I've had to put special checks in my email filter to block them and a lot of places I know that have them end up on RBLs that watch for backscatter.

    7. Re:Barracuda SPAM filter by Lershac · · Score: 4, Interesting

      Gah they are so expensive. And to keep them up to date is ridiculously expensive. I prefer free with ASSP.

      Additionally I have a serious problem with the backscatter they cause. They should reject mail at SMTP time and not bounce them.

      But Barracuda support is very very good. Very responsive and timely and overall a good people organization which can make the difference for wanting to deal with them.

      --
      Chuck
    8. Re:Barracuda SPAM filter by Arrogant-Bastard · · Score: 5, Interesting
      There are multiple, very serious problems with Barracuda appliances. I've already commented on their propensity to generate backscatter elsewhere in this thread. They're also poorly supported, have systemic security issues, may have privacy implications (since Barracuda personnel have unauditable access to your mail stream), are expensive, use community resources such as DNSBLs in ways contrary to those resources' policies, and do not use current best practices in spam control. (This last is unsurprising given that Barracuda personnel do not participate in the discussions and consensus-building which generates those BCPs.)

      Consider as well that the Barracuda appliances consist of (a) an open-source operating system (b) an open-source MTA (c) an open-source web server (d) an open-source spam scanner (e) an open-source virus scanner (f) other pieces of open-source software and (g) use community-maintained DNSBLs and RHSBLs. This is all held together with proprietary (closed-source) code, mostly for the purpose of providing a poorly-designed GUI interface. Any competent email system administrator should be able to create their own near-equivalent in an afternoon; it's not difficult. Such homebrewed creations have repeatedly been shown to vastly outperform Barracudas on multiple metrics, including cost, scalability, customization, security, and perhaps most importantly -- adaptability to new spammer techniques. (Barracuda is years behind the times and falling further back.)

      It's very tempting to "just buy an appliance" and consider the problem solved, but it doesn't work. There's no substitute for expertise -- and given that much of that expertise is available for free, for the asking, on lists such as spam-l and spamtools and so on, it's difficult to understand why anyone would choose not to avail themselves of it.

    9. Re:Barracuda SPAM filter by atamido · · Score: 1

      I'll just add another "Me too." We purchased a Barracuda Spam Filter, and it's been working quite well. You also have the option of integrating with LDAP/Active Directory and letting users check their own spam lists if they think they missed something. I believe there is even an Outlook integration client, but I haven't used it.

      Another nice thing is that it has a virus filter which is an excellent first line of defense. It means those virus emails don't create an extra load on the Exchange server by making the virus software there remove them.

      We actually pulled a REGEX list of rules that someone posted on their forums which significantly increased the effectiveness of the filtering. It was a little heavy handed, but checking for incorrectly labeled ham showed up which expressions to remove for our organization.

      As another person noted, it is expensive. For our organization it was certainly worth the peace of mind for the money. If your organization is strapped for cash, then I'm certain you could put together your own box using freely available tools (which is essentially what Barracuda builds their boxes using). For us though, the maintenance headache wasn't worth it.

    10. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      My company also uses a barracuda spam firewall. It's great. Barracuda updates your spam rules every hour to ensure spam never gets through. They also have a little addon to outlook that you can install on the user side that marks mail as either spam or not spam. This in turn helps your appliance learn. Configuration was very simple, and we pretty much never touch the thing now that it's deployed.

    11. Re:Barracuda SPAM filter by mortonda · · Score: 1

      I'm a little biased, but Maia Mailguard is a great way to focus that expertise, and we've had many people prefer us over Barracuda.

      Maia's greatest strength is user based quarantine caches to help spread the load of watching for those few misclassifications (very few) and because it's all open source, you can use the very best of the spamassassin modules, and MTA level checks such as policyd, greylisting, RBL's....

      It's the ultimate in configurability, and scales from my own personal mail server up to fortune 500 companies.

    12. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 1, Informative

      I love barracuda as well. But for Barracuda on an IT budget WITH a knowledgeable Sysadmin, Basically barracuda is a canned linux, running postfix, clamav, and spamassassin. It will just not have the web-based gui configuration / log viewing that barracuda does so well.

      As for fighting spam, the best practice is education of your users. If they want to subscribe to Victoria Secrets mailing list (which they sell) tell them to send an optout to the reselling of their name. Let your users know how they get sucked into spam.
      For a server based fight: Set-up a 450 or no response or a /dev/null for any name that is improper i.e. don't let them keep slamming away till they find a name. Also set-up timeout rule for errors. Most modern mail servers don't make mistakes when sending and receiving mail. I currently timeout for 5 minutes on 3 soft errors I find this has the spam bot move on. Also like others said use multiple blacklists, I'd suggest njabl.org as a good place to start. Lastly no matter how good you are unless you're going to open and look at each email that comes through spam is going to find a way.
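The soft-error rule from the comment above (450 for improper names, a five-minute timeout after three soft errors), as an added example that is not the poster's configuration or any product's code. The class and method names, the 421 reply used during the timeout and the sample addresses are assumptions; the decision is made inside the SMTP session, so no bounce message is generated afterwards.

```python
import time

SOFT_ERROR_LIMIT = 3       # from the comment: three soft errors
TIMEOUT_SECONDS = 5 * 60   # from the comment: five-minute timeout


class RcptPolicy:
    """Per-client RCPT TO policy: tempfail unknown names, then time the client out."""

    def __init__(self, valid_recipients, clock=time.monotonic):
        self.valid = {r.lower() for r in valid_recipients}
        self.clock = clock            # injectable so the policy can be tested
        self.soft_errors = {}         # client IP -> soft errors since last reset
        self.blocked_until = {}       # client IP -> time the timeout ends

    def rcpt_to(self, client_ip, recipient):
        """Return the (code, text) SMTP reply for one RCPT TO command."""
        now = self.clock()
        until = self.blocked_until.get(client_ip)
        if until is not None:
            if now < until:
                # Assumption: 421 while timed out; the comment does not say
                # which reply is sent during the five minutes.
                return 421, "Too many errors, try again later"
            # Timeout expired: forget the client's history.
            del self.blocked_until[client_ip]
            self.soft_errors.pop(client_ip, None)

        if recipient.lower() in self.valid:
            return 250, "Ok"

        # Unknown name: temporary failure, counted against this client.
        count = self.soft_errors.get(client_ip, 0) + 1
        self.soft_errors[client_ip] = count
        if count >= SOFT_ERROR_LIMIT:
            self.blocked_until[client_ip] = now + TIMEOUT_SECONDS
        return 450, "Mailbox unavailable"


def replay(events, valid_recipients):
    """Run constructed (time, client_ip, recipient) events; return the reply codes."""
    current = [0.0]
    policy = RcptPolicy(valid_recipients, clock=lambda: current[0])
    codes = []
    for when, client_ip, recipient in events:
        current[0] = when
        codes.append(policy.rcpt_to(client_ip, recipient)[0])
    return codes


# Constructed session log: one client guessing names, one ordinary sender.
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "aaron@example.com"),
    (1, "192.0.2.10", "abby@example.com"),
    (2, "192.0.2.10", "adam@example.com"),     # third soft error starts the timeout
    (3, "192.0.2.10", "owner@example.com"),    # valid name, but client is timed out
    (4, "198.51.100.7", "owner@example.com"),  # other clients are unaffected
    (301, "192.0.2.10", "owner@example.com"),  # still inside the five minutes
    (302, "192.0.2.10", "owner@example.com"),  # timeout over, history cleared
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, {"owner@example.com"}))
```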

    13. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 1, Informative

      Looking at it from the perspective of a small company that depends on e-mail to communicate with customers Barracuda is a major obstacle, it frequently intercepts e-mails to customers. It seems to be one of the worst offenders but that could be due to market share.

      Maybe it is just stupid admins who don't know how to configure it, but some of the rules seem ridiculous.

      For example I had a customer who wanted a receipt, I sent them a link to their receipt page. After they complained about not getting a response it turned out Barracuda was configured to block anything with an https link in it. There was no notification to the sender that the e-mail was blocked either.

      Bottom line spam filters don't work. Your users will lose e-mail they need. I think admins who like Barracuda are fooling themselves, it seems to be blocking spam, they just don't realize how much else it is blocking.

    14. Re:Barracuda SPAM filter by TheLink · · Score: 1

      We use them at the company I work for, and:

      1) They don't seem much better than the usual OSS antispam stuff
      2) They seem to generate bounces
      3) I've had false positives to _work_ _related_ stuff I sent from home to office. I do NOT write like a spammer (if spambayes can tell and barracuda can't, it's a waste of money).

      Example of 2) + 3):
      Your message to: <redacted>@<redacted> was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:
      Subject: Contract of Employment
      Reporting-MTA: dns; mx.<redacted>.com
      Received-From-MTA: smtp; mx.<redacted>.com ([127.0.0.1])
      Arrival-Date: Sun, 20 Apr 2008 19:18:48 +0800 (MYT)

      That said I wouldn't be surprised if the box isn't configured right, causing higher false negative and false positive rates. But it's supposed to be one of those "boxes for dummies", if you need to have so much clue, then why use them?

      On my personal spambayes set up at home, while there are "false positives" that end up in my "SPAM" folder, they're typically "forwarded emails from that aunt/friend" which I don't mind being filed as spam, so they're not exactly false positives ;). And I like the "unsure" concept.

    15. Re:Barracuda SPAM filter by LowKeyLieSmith · · Score: 1

      I agree with my parent poster. I evaluated a Barracuda box not too long ago and found that it would be a considerable waste of money. If you have the know-how to manage an email server, then you should have no problem setting up an open source based mail filter yourself.

      Google around a bit and you should have no problems finding dozens of tutorials for setting up an entirely open source based mail filter running on your choice of *nix.

    16. Re:Barracuda SPAM filter by stevey · · Score: 1

      There is a fair amount of truth in your comment - speaking as somebody who has taken a bunch of open tools and made them play nice though it is harder than you'd expect.

      My own solution is built upon the top of QPSMTPD, exim4, and a Debian operating system.

      Whilst you can come up with something similar there is a lot of benefit to scaling up and handling messages en masse. That's why Google's gmail has such a good reputation (until recently?).

      If you have 1 million spam messages passing through your system at any given time and 50 people mark them as spam you've managed to collectively filter out the messages with no real overhead. (Sure you need to make sure they're not malicious reports; but basically getting a lot of users to report the 1/2/10 messages they see as spam helps out all your other users.)

      Also, and I might be overemphasizing this because I find it hard personally, designing a good user interface, can be the difference between a "meh" service and a real winner. So it's not a good idea to write off that amount of effort!

    17. Re:Barracuda SPAM filter by Nethead · · Score: 1

      I installed four Barracudas for a large real estate firm (10k+ users) and they were wonderful. This was for users that like to advertise their email addresses as much as possible and for whom the subject line "mortgage" is quite valid. The 'cudas have some good clustering features too which allow you to deal with load and failures. The report screens and emails make the bosses happy. A good admin could build all the tools in a Barracuda but they have already done that well and have packaged it together nicely. It also makes it easy to hand off the mail admin job to someone else when you move on.

      --
      -- I have a private email server in my basement.
    18. Re:Barracuda SPAM filter by ewwhite · · Score: 1

      What's your time worth? Of course the Barracuda utilizes open-source solutions and *could* be better.... However, the time involved in maintaining and managing those solutions may not be worth it. For me, following the initial configuration and bayesian setup, the Barracuda hasn't required much in the way of administration.

      --
      Edmund White
      http://flickr.com/ewwhite
    19. Re:Barracuda SPAM filter by goddenm · · Score: 1

      While there may be no substitute for expertise, there certainly is a good substitute for time spent recreating the wheel and that's why I ended up with a Barracuda on my network. I previously managed two MailScanner units and spent a great deal of time doing maintenance and upkeep. Since I dropped the Barracuda in the network I've spent very little. E-mail spam filtering has become one less thing I have to worry about and while the interface could use some work, it is still simple enough that any task I need to do like trace a message, etc. is quick enough that I never have to go sorting through maillog files and try and find out what happened to a specific message again. Time saved = time used on other important tasks within the company. Don't reinvent the wheel.

    20. Re:Barracuda SPAM filter by oglueck · · Score: 2, Funny

      Thanks for this post. I didn't even know what Barracuda is until today. But I know that I have had the following header check in my postfix for a long time:
      /^From: Barracuda Spam Firewall/ REJECT Stop bouncing spam to faked sender addresses, you idiots

    21. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      We went through 3 Barracuda 400's in the space of 2 years. Reliability doesn't seem to be their strong point. Bear in mind that they come with only a 90 day warranty. There is an instant replacement service (although the last time we had to use it they asked for an extra $130 for overnight) but it's not inexpensive.
      One of the firmware releases caused issues too, causing the SMTP service to shut down at random intervals. Occasionally, the spam definition updates block swathes of legitimate e-mail.
      We gave up on Barracuda in the end and moved to a Mailfoundry 4100 instead. No complaints there at all.

    22. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      Sorry to disagree, but I am on my second Barracuda Box, after the first one died after more than five years of excellent service.

      My only complaint about the Barracuda is the web based interface is a little slow. The only real work is to go through and mark some as spam, and some not. We probably put in about an hour a week whenever the Scumballs come up with some new technique.

      I vote for the Barracuda box. It works well for my 80 user company.

    23. Re:Barracuda SPAM filter by cavtroop · · Score: 1
      You can turn off backscatter in the 'cudas.

      http://postmaster.gtcs.com/CudaFix.php

    24. Re:Barracuda SPAM filter by Lershac · · Score: 3, Informative

      Ah but that just addresses the symptom and not the fundamental problem. You should NEVER accept an email and then not deliver it without a bounce. If a message is spam, decide so at transaction time and terminate the transaction with a failure code.

      Email systems that do not do this, yet do not send a bounce message, "break" email. It is possible to get a false positive and block a legit email with no error message back to the sender. This is never a desired operation. If the message gets a spam designation and the transaction is ended at SMTP time, the onus returns to the sending server to create and deliver the error message back to the sender. For spam, no problem, they don't do it anyway, and for ham that was false-positived, the sender gets a descriptive notice why.

      --
      Chuck
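
What "decide at transaction time" looks like on the wire, as an added example that is not part of the original post: a receiver that holds its final reply to DATA until the filter has run, so a flagged message gets a 550 while the client is still connected. The `looks_like_spam` check, host names and addresses are constructed stand-ins.

```python
def looks_like_spam(message):
    # Stand-in verdict (assumption). A real filter goes here; what matters
    # is that it runs before the final reply to DATA is sent.
    return "extend your rod" in message.lower()


class SmtpSession:
    """Receiver without I/O: feed one client line, get the reply (or None)."""

    def __init__(self, is_spam=looks_like_spam):
        self.is_spam = is_spam
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.data_lines = []
        self.accepted = []   # messages this server took responsibility for

    def feed(self, line):
        if self.in_data:
            return self._data_line(line)
        line = line.strip()
        cmd = line.upper()
        if cmd.startswith(("HELO", "EHLO")):
            return "250 mx.example.test"
        if cmd.startswith("MAIL FROM:"):
            self.mail_from, self.rcpts = line[10:].strip().strip("<>"), []
            return "250 2.1.0 OK"
        if cmd.startswith("RCPT TO:"):
            if self.mail_from is None:
                return "503 5.5.1 need MAIL first"
            self.rcpts.append(line[8:].strip().strip("<>"))
            return "250 2.1.5 OK"
        if cmd == "DATA":
            if not self.rcpts:
                return "503 5.5.1 need RCPT first"
            self.in_data, self.data_lines = True, []
            return "354 end data with <CRLF>.<CRLF>"
        if cmd == "QUIT":
            return "221 2.0.0 bye"
        return "500 5.5.2 command not recognized"

    def _data_line(self, line):
        if line != ".":
            # Undo dot-stuffing (RFC 5321 section 4.5.2).
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return None
        self.in_data = False
        message = "\n".join(self.data_lines)
        sender, rcpts = self.mail_from, self.rcpts
        self.mail_from, self.rcpts = None, []
        if self.is_spam(message):
            # Nothing was accepted, so this server owes nobody a bounce. A real
            # sending MTA turns the 550 into a notice for its own user; a spam
            # bot drops it, and the forged MAIL FROM address hears nothing.
            return "550 5.7.1 message rejected as spam"
        self.accepted.append((sender, rcpts, message))
        return "250 2.0.0 queued"


def dialogue(helo, sender, rcpt, body_lines):
    """Client side of one delivery attempt (constructed sample input)."""
    return ([f"HELO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>", "DATA"]
            + body_lines + [".", "QUIT"])


SPAM = dialogue("bot.invalid", "victim@thirdparty.example", "alice@example.com",
                ["Subject: hello", "", "Extend your rod today"])
FALSE_POSITIVE = dialogue("mx.tackle.example", "shop@tackle.example",
                          "alice@example.com",
                          ["Subject: warranty", "", "We can extend your rod warranty."])
HAM = dialogue("mx.customer.example", "carol@customer.example", "alice@example.com",
               ["Subject: receipt", "", "Thanks, receipt attached."])


def run_dialogue(client_lines, is_spam=looks_like_spam):
    session = SmtpSession(is_spam)
    return [(line, session.feed(line)) for line in client_lines], session


def data_reply(transcript):
    """Reply the server gave to the end-of-data marker."""
    return next(reply for line, reply in transcript if line == ".")


if __name__ == "__main__":
    for name, lines in [("spam", SPAM), ("false positive", FALSE_POSITIVE), ("ham", HAM)]:
        transcript, _ = run_dialogue(lines)
        print(name, "->", data_reply(transcript))
```
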
    25. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      Out of the box, they don't send any NDR or other bounces.

      The guy in the server room (or his Marketing-and-Sales Droid) wants that crap turned on "so potential customers know when something doesn't go through". And the sysadmin would be directed to do the same thing even if he built his own box.

      Since IT has turned into a place where Jim-Bob the 2nd cousin of the VP of Sales gets hired into and put in charge of (no matter his real experience), and all their major installs etc get contracted out, it's a pipe dream to expect most admins to be able to roll their own. I'd expect that to be about the effective penetration of Linux into the Windows market- 5-8% or so, now, isn't it, at best?

    26. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      There are also many reasons why you should always build your own furniture, etc. Time and effort can't be ignored.

      It's sad that your comment reflects why business doesn't buy into OSS. It's the bullshit elitism. "OH they're in compliance of the gpl but they don't give back enough for my standards." Well, to hell with your standards. Every time I read a thread here about business using OSS it's just one negative remark after another. This is the perfect way to chase OSS from business and the desktop. In fact, look where we are. A blip on the radar.

      Compliance of GPL is the only standard.

      PS: I also like to read your comments in the voice of the Simpson's Comic Book Guy.

    27. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      My company uses a barracuda spam filter and it blocks about 30,000 e-mails a day. It is expensive, but I think it is very effective. If you know how to set up all those open source codes and make it better, kudos to you. Maybe you can help us barracuda guys out and show us how to make it outperform barracuda.

    28. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      > There are multiple, very serious problems with Barracuda appliances. I've already commented on their propensity to generate backscatter elsewhere in this thread.

      Really?

      Any mail server improperly configured can have serious problems and generate backscatter. We have many barracudas properly configured without any problems, so please...

      > They're also poorly supported

      If by poorly you mean they get back to your issue within an hour and resolve it.

      > have systemic security issues

      Such as? Or is this more FUD?

      > may have privacy implications (since Barracuda personnel have unauditable access to your mail stream)

      This may be possible, but pretty much any mail administrator can have unauditable access to all the mail stream for your domain. But I'm sure people have better things to do than to read the millions of emails coming in for other users. I barely can keep up with my own mail.

      > are expensive

      That's subjective. And compared to other mail appliances like IronPort, Barracuda is actually super cheap.

      > use community resources such as DNSBLs in ways contrary to those resources' policies, and do not use current best practices in spam control.

      More FUD....

      > Consider as well that the Barracuda appliances consist of (a) an open-source operating system (b) an open-source MTA (c) an open-source web server (d) an open-source spam scanner (e) an open-source virus scanner (f) other pieces of open-source software and (g) use community-maintained DNSBLs and RHSBLs. This is all held together with proprietary (closed-source) code, mostly for the purpose of providing a poorly-designed GUI interface. Any competent email system administrator should be able to create their own near-equivalent in an afternoon; it's not difficult. Such homebrewed creations have repeatedly been shown to vastly outperform Barracudas on multiple metrics, including cost, scalability, customization, security, and perhaps most importantly -- adaptability to new spammer techniques.

      Really? Show me one barracuda opensource FREE equivalent project like FreeNAS or Trixbox?

      > (Barracuda is years behind the times and falling further back.)

      More FUD...

      > It's very tempting to "just buy an appliance" and consider the problem solved, but it doesn't work. There's no substitute for expertise -- and given that much of that expertise is available for free, for the asking, on lists such as spam-l and spamtools and so on, it's difficult to understand why anyone would choose not to avail themselves of it.

      Yes it's tempting to buy it, since it usually makes a lot of business sense. It's easy to properly configure, easy to manage for the admin and users, and it just works.

      Personally I would love to skip buying the appliance if there was a toaster/appliance that has a nice interface, is easy to manage for admin and users, is updated and is offered at no cost so I could set it up on hardware of my choice. But since there isn't, that's where Barracuda falls in for many companies.
    29. Re:Barracuda SPAM filter by huckda · · Score: 1

      I did the same after battling SPAM on my own for 3 years...

      The Barracuda (I got the cheapest they had) b-slap'd the snot out of 99.9% of the incoming spam, as well as viruses in emails.

      The higher-end models allow USERS to fine-tune their own incoming e-mails which in some organizations would definitely be an attractive feature...I was dealing with Teachers...thus I maintain control.

      --
      "Just Smile and Nod." --Huck
    30. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      If it only takes half a day I'd suggest spending your weekend putting together a competitor. Looks like there's a ready market for your expertise.

    31. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      Because I need an anti-spam solution working today. Once I hire a consultant and dig around on some fabled spam-l and spamtools forums like you suggest, I'm lucky if I have anything deployed in 4 months.

      Your solution sounds great for a hobbyist. But, when it comes to the bottom line, I have no problem paying for expertise. Because I never, ever want to be a spam expert.

      If it's so easy to filter spam then why don't you go ahead and put Barracuda out of business?

    32. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      In a few hours, I unpacked, configured, installed, tested, and deployed for use, a Barracuda appliance. I have never had a security issue with it. It receives its updates every few minutes without a hitch, I have never had any delivery problems whatsoever, generate no bounces, and at the very maximum get 4 spam emails a week. The device has been running for well over a year now without any failure in mail delivery, failure to block spam, or system errors requiring my attention.

      Testament to their effectiveness and ease, something like 99% of their free demo units are purchased instead of being returned. Virtually everyone who gets one loves them, and keeps them.

      And to be sure, having used probably 20 other spam solutions (commercial and otherwise) before it, it is the most cost effective silver-bullet to the SPAM problem a small or mid-size business could ever consider. Given how inexpensive the devices are, and how considerably less expensive the constant updates are, the device made our SPAM problem a cheap and easy one to solve.

      I suppose you'll have to take my word for it, but I am not affiliated with Barracuda networks... I'm just a customer. But I recommend them, first thing, to anyone who even mentions they're having a problem with spam at their place of business.

    33. Re:Barracuda SPAM filter by Omega996 · · Score: 1

      The company I currently work for has a Barracuda. I think it does an OK job, but it's not fantastic.
      The Bayesian filter and spam scoring both need a bit of work. I have a fairly large non-spam database (per the Barracuda configuration information), and it frequently still lets spam in. In one instance, it will block one of those 'Extend your rod' messages, and yet then pass the same thing at a later time.
      I also despise the subscription model of the thing, though I suppose there's nothing keeping a company from continuing to run it once it can no longer receive firmware upgrades.
      It is easy to configure, but not so much so that someone who doesn't know what they are doing can set it up effectively. I think it would be worth the time and effort to set up ASSP or a postfix-based solution. It's a lot more flexible and configurable, and you won't have to pay upkeep on it to make sure that you continue to get the spam database updates, etc.

    34. Re:Barracuda SPAM filter by Anonymous Coward · · Score: 0

      It's nice that you purport to be such an expert on the Barracuda Spam Firewall. It's quite clear that you probably work for a competitor in the space. I am a long time Barracuda user. The product has solved my spam problem for over 4 years now with little or no maintenance. I have not had to deal with the changes of spam attacks over the last four years. Barracuda has dealt with it all for little more than $400 per year. What a great deal!

      I have investigated your claims. Your data and claims are incorrect.

      1) The early versions of Barracuda generated backscatter by default. This was easily fixed by adjusting the bounce option. Barracuda has since changed the default in order to minimize this.
      2) There is no privacy issue. Barracuda does not have access unless you grant access to them.
      3) Barracuda does not currently use "community resources". They can be used as an option.

      As you say, there is no substitute for expertise. I have no time or desire to become an expert. I would rather the team at Barracuda who has been doing it for years do it for me!

      Sincerely,

      Not A Spam Expert

    35. Re:Barracuda SPAM filter by BagOBones · · Score: 1

      Sometimes experience has nothing to do with it; it comes down to time. If your organization has the budget to allow an admin the time to constantly maintain a custom multi application open source filtering system, good for them; a custom solution will always work better. However, I am not sure how many organizations allow for this level of staffing these days.

      The Barracuda is a tool box, what you decide to do with it is up to you. The big benefit is that Barracuda maintains all the internal workings of the solutions for you and pushes them out as firmware updates.

      The Barracuda bundles 12 layers of filtering that you can turn on and off at will. If you don't like the message body filters that only act after the message has been received, either tag the messages and deliver, quarantine or don't use the feature.

      In response to some other posts I have seen here.
      Backscatter is a result of an administrator's decisions, not necessarily the core function of a device.

      As far as cost goes it is actually one of the cheapest solutions as far as bundled appliances with enterprise support go.

      Of the DNSBLs and RHSBLs, spamhaus is the only provider bundled with the solution other than Barracuda's own RBL. Despite what is still listed on the Spamhaus site it is my understanding that they have kissed and made up coming to an understanding.

      Any other RBLs you add are up to you to do ethically, just as if you were to apply them to your own home brew MTA solution. Donate or don't add them, it is as simple as that.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    36. Re:Barracuda SPAM filter by BagOBones · · Score: 1

      As part of the OPTIONS in the Barracuda you can filter on the message contents which the unit will only get after receiving the body of the message. At this point the mail has been delivered as far as the sending party.

      Smart spam these days will do a good job of sending from an address that has a valid SPF and will have a subject that is not easy to catch.

      End users don't like spam, and if you have email archiving policies and users under a mailbox quota you don't want to be processing all this SPAM and storing it.

      The Barracuda allows you to Block, TAG, Quarantine or just turn off the filters that happen after delivery. AGAIN it is a full tool set that is up to the admin to configure correctly. The initial filters that happen at the IP and header filter WILL reject the message with the correct error code to the sending server.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    37. Re:Barracuda SPAM filter by Lershac · · Score: 1

      Oh and for the money? Is there a FREE option? I missed that checkbox.

      Default config for cudas is broken, and most folks that buy them aren't tweaking them; they're just listening to Paul Harvey and jumping on it.

      --
      Chuck
    38. Re:Barracuda SPAM filter by BagOBones · · Score: 1

      Yes, go grab the almost half dozen OpenSource subsystems it's built on, and purchase a server of your own to run them on.

      Now take the next X weeks to build and test them together and be prepared to update each subsystem as new releases come out.

      If you have piles of time to do this sort of thing on your own for free (if your time is free), then this is not the solution for you.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    39. Re:Barracuda SPAM filter by Lershac · · Score: 1

      Takes less than an hour to install assp, and it does the job for free and without ongoing cost. And it does a better job by adhering to standards.

      And it does not take a dedicated piece of hardware to run, it runs just fine on the mail server itself.

      Now who is wasting other people's time and money?

      --
      Chuck
    40. Re:Barracuda SPAM filter by jon3k · · Score: 1

      It *IS* the "usual OSS antispam stuff" you twit. It's a highly customized version of SpamAssassin. You don't have a *clue* what you're talking about. I'm glad you have one example of an e-mail being blocked. How about the trillions of e-mails correctly marked? No system is perfect, but the alternative (no anti-spam) isn't acceptable.

    41. Re:Barracuda SPAM filter by cavtroop · · Score: 1

      That's funny, mine rejects just fine with 550 errors for invalid domains/users, etc. It's up to the admin to configure it correctly, but it works properly, and very effectively.

  4. dajones70 by Anonymous Coward · · Score: 2, Informative

    Use MailScanner with the MailWatch GUI and after a few weeks or so of monitoring and tweaking, it will run on autopilot and you can sleep well. http://mailscanner.info I have it running on a number of small businesses and they are very happy with it.

    1. Re:dajones70 by Linker3000 · · Score: 2, Informative

      Absolutely MailScanner - thread over!

      http://www.mailscanner.info/

      Our organisation runs 5 Linux Servers around the UK for mail services and they are all using MailScanner + Postfix + SpamAssassin + ClamAV + Bitdefender.

      Great installation instructions (all-but bitdefender) here: http://www.hughesjr.com/content/view/14/

      The mailing list for MailScanner is very well supported by the users and the devs.

      --
      AT&ROFLMAO
    2. Re:dajones70 by Anonymous Coward · · Score: 0

      Previously I used mailscanner on ubuntu, but it had a tendency to break. I've had much better luck with amavisd-new. Also, I like the way amavisd-new works, with an internal SMTP server, a lot better than Mailscanner's queue inspection + copy method.

  5. Why doesn't spam filtering work? by XxtraLarGe · · Score: 0, Offtopic

    I use Apple's mail client on OS X 10.3.9 as my main e-mail, and the junk filtering is only so-so. I set it up so that unless a recipient's e-mail address is in my address book, it should go to the "junk" folder. Still, I get about a half-dozen junk e-mails in my regular mail in-box every day. I looked at the headers and there's nothing hidden in there to suggest that they're forging an e-mail address in my address book, but they still make it through. Seriously, the set-up is very straight-forward, why does it still not work?!?

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:Why doesn't spam filtering work? by RiotingPacifist · · Score: 1

      That's just Apple sucking; while spam filtering sucks, if you're working on a whitelist you should get no spam in your inbox but lots of emails in your spam box.
      The last spam filtering I used was turning up false positives too often, although it's been a while since I bothered with an automated system; I just rely on social engineering now (don't give out my email to strangers, and use a webmail (Yahoo, as I had one lying about) for any signups).

      --
      IranAir Flight 655 never forget!
  6. SpamAssassin by hlt32 · · Score: 0
    --
    à_à
    1. Re:SpamAssassin by Dan541 · · Score: 3, Insightful

      I cast my vote for SpamAssassin.

      When set-up with good rules and RBLs it blocks at least 99% spam with very low false positives (I've never had a false positive).

      Send anything tagged as spam to another account such as spam@domain (I do this) then you can manually check for false positives to further reduce the chance of losing legit email. (or if a user complains that an email they expected never arrived)

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    2. Re:SpamAssassin by Anonymous Coward · · Score: 0

      Seconded. After throwing a few months worth of mail at sa-learn, no one's complained to me about a single false negative and I've only received a handful of false positives (again, easily thrown at sa-learn). Even if you don't have a mountain of spam/ham ready to throw at it, SpamAssassin can also run messages past DCC/Pyzor and various DNSRBLs to make up for it. (As for RBLs, I recommend zen.spamhaus.org.)

    3. Re:SpamAssassin by Lershac · · Score: 1

      RBLs suck. Though they do generate business for me when a non-client gets on one, I usually pick them up as a client when I get them off and set up ASSP for them.

      --
      Chuck
    4. Re:SpamAssassin by Dan541 · · Score: 1

      Why do RBLs suck?

      You can't get on them unless your server sends spam.
      Why would you take a client who has been blacklisted?

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    5. Re:SpamAssassin by Lershac · · Score: 1

      Turning down a client b/c they got on a blacklist is just stupid... They get a zombie machine within their network... that's easy to fix. Some RBLs are run by penny ante little tyrants and getting off the list can be a pain in the arse and an exercise in patience dealing with someone who seems to be 12.

      --
      Chuck
    6. Re:SpamAssassin by pclminion · · Score: 1

      > (I've never had a false positive).

      How would you know?

    7. Re:SpamAssassin by Hal_Porter · · Score: 1

      > Turning down a client b/c they got on a blacklist is just stupid... They get a zombie machine within their network... that's easy to fix. Some RBLs are run by penny ante little tyrants and getting off the list can be a pain in the arse and an exercise in patience dealing with someone who seems to be 12.

      I've told you before Michael. Your request for removal from the list is due to be processed by our Parole Board once they are convinced you have been reformed by your Sentence. Spamming complaints under a pseudonym on websites will be noted by the Board and may result in your application being rejected once again, just like complaining to me personally will.

      For this comment I will recommend to the board to move your hearing back one quarter, to Q3 2028.

      Note that Parole Hearing dates mentioned are the earliest date, subject to work load. The board currently has a 66 month backlog.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    8. Re:SpamAssassin by Nullav · · Score: 1

      It's not like any sane person outright drops a flagged message. It's just a matter of skimming the spam dir every now and then.

      --
      I just read Slashdot for the articles.
    9. Re:SpamAssassin by Lershac · · Score: 1

      Exactly.

      --
      Chuck
    10. Re:SpamAssassin by Dan541 · · Score: 1

      Because I check all my spam email when my schedule allows it.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    11. Re:SpamAssassin by dbIII · · Score: 1

      I have a few false positives but you get that when users send chain letters to each other or manage complex love lives via work email.

    12. Re:SpamAssassin by InvisiBill · · Score: 1

      I used SpamAssassin/procmail/IMAP on an e-smith/SME Server running on an old P200 machine in a company of about 20 people from 2000-2003. Procmail passed a copy of the message to SA. Depending on SA's verdict, the email either went into the Inbox or a Spam subfolder. I also set up learning subfolders and used a cron job to pass those emails to sa-learn.

      No messages got altered (procmail passed a copy of the message, not the actual message) and all were just a click away, so false positives were a very minor issue. sa-learn did a good job of getting messages scored correctly. Using SA's RBL tests allows you to get the benefits of marking spam from known sources without flat-out rejecting those messages (which does cancel out the benefit of an RBL completely blocking spam traffic).

      The biggest issue I've heard of with SpamAssassin is the processing power it requires. spamd/spamc helps that (compared to running the full spamassassin for each message) and even allows you to have multiple client machines connecting to one SA server. We didn't get nearly as much email as you do, but we never had any issues with that old PC we used, so I would think you'd be fine with any modern server running it.

    13. Re:SpamAssassin by Kalriath · · Score: 1

      Or SORBS who demand $50 to get off the list. That's a royal pain in the arse.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    14. Re:SpamAssassin by Dan541 · · Score: 1

      That's extortion!

      I would never use an RBL that resorted to those kind of tactics.

      It's important that we steer away from that direction.

      You should never have to pay anyone other than your email provider to send mail.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  7. email != IM by Viraptor · · Score: 4, Insightful

    > maybe an important time-sensitive email never gets to its intended recipient

    When will users learn...
    Email is not instant messaging - with bad greylisting / random connection reset / busy server, you can get >=2 hours delay. And it's normal.

    1. Re:email != IM by cfulmer · · Score: 4, Insightful

      Your assessment of the current state of email is correct. But, blaming users for using it to fill a need when there is no realistic alternative is silly.

      email is ubiquitous and easy. 99.5% of the time, it's nearly instantaneous. Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

    2. Re:email != IM by Dan541 · · Score: 1

      Email isn't intended to be used as instant messaging but it is instant in most cases. I've tested my email in the past against MSN Messenger and sometimes it's faster.

      So it's easy to understand why users assume that the email is instant (although they're still wrong to assume so); most email delays I've gotten have been with large amounts of attachments.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    3. Re:email != IM by SCHecklerX · · Score: 3, Interesting

      Businesses shouldn't be using those for internal communications anyway. Set up a jabber or irc server internally for that.

    4. Re:email != IM by phoenixwade · · Score: 1

      > Your assessment of the current state of email is correct. But, blaming users for using it to fill a need when there is no realistic alternative is silly.
      >
      > email is ubiquitous and easy. 99.5% of the time, it's nearly instantaneous. Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

      If it's time critical, pick up the phone or send a fax, an IM, a text message, or use features in one of the groupware offerings; there are viable alternatives in the wild, using old and new technology.

      The simple fact of life is that if you depend on eMail for time critical message transfer, then you will, sooner or later, get burned.
      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    5. Re:email != IM by Anonymous Coward · · Score: 0

      Your command of written English is very poor.

    6. Re:email != IM by BenoitRen · · Score: 1

      I argued yesterday with someone I know on the Internet about exactly this. Said person always leaves his computer on with AIM open to "collect messages". When told this is what e-mail is for, the reply was that e-mail isn't always instantaneous. This is not true unless you're on Hotmail.

      To paraphrase: "What if my girlfriend wants to tell me she will be a bit later, and her cell phone's battery is dead?".

      He isn't the only one. I used to know someone else with the exact same excuse.

      They don't have an AIM account for just that, though, but it's still quite silly.

    7. Re:email != IM by Anonymous Coward · · Score: 0

      We all pay big bucks for reliable phones, fucking use them.

    8. Re:email != IM by Anonymous Coward · · Score: 0

      "Time Sensitive" doesn't mean immediate either. It could be within 2 or 24 hours. An order is an order regardless of whether it comes in the way YOU want it.

      Barracuda has been helping my brother-in-law's company for years. He's very happy.

      My company is larger and has a small army of dedicated mail filter (in/out) servers and a filter, spam, security team that works together on policy, filters and reporting.

      For my personal mail server, I use postfix regex matching capabilities to block 99.999% of the spam. Most of the remaining spam is handled by procmail rules and the final tiny bit is client side rules or simply manually deleted. I found that having an old, unused email address active is a good spam honey pot. Anything THAT account gets is spam by definition and used to block spam to other users.

      If I were setting something up, I'd definitely look at Barracuda and Astaro and home grown OSS solutions, but only if I had the time to tweak and manage them. There's no crime in paying for a turnkey solution for this. It is not as trivial as it seems and having a central person review the headers is **not** cost effective.

    9. Re:email != IM by Anonymous Coward · · Score: 0

      if it's time critical [...]a text message

      I LOL'd at that. If you think text messages are "time critical", you must not be from America. Text messages can be delayed for as long as email messages can. What's worse about them is, if the delay is long enough, the message never reaches the destination and the sender NEVER gets notified that the message didn't get delivered.

    10. Re:email != IM by TheLink · · Score: 1

      1) If you're not always on that computer, I don't see the difference in "isn't always instantaneous". Most sane email service isn't that slow.
      2) You don't have to leave your IM on all the time to collect IM messages if you use Yahoo Messenger- you can receive offline messages. When you re-login, you get those messages.

      Nowadays, in _theory_ MSN's IM (or whatever they are calling it this week) allows you to do that, but in my experience(I use both), they are a lot more unreliable than yahoo.

    11. Re:email != IM by Lershac · · Score: 1

      just punctuation huh?

      --
      Chuck
    12. Re:email != IM by BenoitRen · · Score: 1

      That's a good point, thanks. I remember getting an offline message from a buddy on AIM upon signing in months ago, actually.

    13. Re:email != IM by Anonymous Coward · · Score: 0

      email is ubiquitous and easy. 99.5% of the time, it's nearly instantaneous. Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

      At my place of employment we have this brand spanking new technology for this type of instant real-time communication. We call it "telephone". It's really cool. You pick up the handset and enter a passcode and can then communicate with the other party in real-time voice communications.

    14. Re:email != IM by Anonymous Coward · · Score: 0

      yes

    15. Re:email != IM by wvmarle · · Score: 1

      My business communication is largely done via e-mail. I use a little IM through Skype (actually don't like it as it requires instant attention). E-mail is fantastic as it's asynchronous; you can read/reply very efficiently that way.
      But when time is critical: I always will try to call that person. If that doesn't work, send an e-mail, and continue trying to call. When time is critical e-mail just doesn't do the job, not just because of the possible delays, but because you never know when the person on the other side actually reads them. Even sitting at the computer I sometimes just don't read e-mails when they come in, they can wait.
      With a phone call you know the person is reached (or not) at that very moment, and you can get a reply that very moment. It may be old-fashioned tech, but it does the job very well.

    16. Re:email != IM by Viraptor · · Score: 1

      But, blaming users for using it to fill a need when there is no realistic alternative is silly. [...] Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

      Local Jabber server is a good alternative, because your office messages should never leave office network - forget about google, yahoo, ms and everyone else. It's working out pretty well in my company. (dept. chat + global contact lists + other nice things)
      And if you need instantaneous messages to other companies, there are always fax machines, so you can get feedback from other side about your message right away.
    17. Re:email != IM by camerooon · · Score: 1

      But, blaming users for using it to fill a need when there is no realistic alternative is silly. email is ubiquitous and easy. 99.5% of the time, it's nearly instantaneous. Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

      Surely the majority of the time something is time-sensitive a phone call is the way to go!
    18. Re:email != IM by ChengWah · · Score: 0

      Time-critical messages can easily be handled with......... a telephone!

    19. Re:email != IM by Anonymous Coward · · Score: 0

      One word: the telephone.

    20. Re:email != IM by sznupi · · Score: 1

      Google service could actually also blend into that sort of usage, since it's Jabber; so...enforce policy in which computers on local network can connect only to local Jabber server (so that messages between them won't leave your network), but connect this server with the outside world?

      --
      One that hath name thou can not otter
    21. Re:email != IM by sznupi · · Score: 1

      IM also fills a need - that those users prefer to use e-mail for that need has mostly to do how IM currently is broken; specifically, the "many networks" problem. But some work to correct that - for example Google (which sort-of shouldn't be on your list) by using standard Jabber protocol and allowing server-to-server communication.

      --
      One that hath name thou can not otter
    22. Re:email != IM by Anonymous Coward · · Score: 0

      You might want to consider using a telephone....

    23. Re:email != IM by SuseLover · · Score: 1

      For time-sensitive communication, there are these cool devices called telephones that let you instantly have a conversation with someone at another location. Why won't anyone use them anymore?

  8. Take a tip from the BOFH by Anonymous Coward · · Score: 0

    You cannot win. Redirect the lot to /dev/null and quit.

  9. Greylisting by Kiall · · Score: 1

    I've found Greylisting to be very effective... The only issue is that it delays the first e-mail from someone outside the domain by a few mins. http://en.wikipedia.org/wiki/Greylisting

    1. Re:Greylisting by Anonymous Coward · · Score: 0

      We had to stop using Greylisting because many state and federal agencies use email appliances that are incompatible with Greylisting and respond to any 400 reply as if it were a 500 reply. That is, when told to try again later, they treat it as a fatal error.

    2. Re:Greylisting by gmuslera · · Score: 1
      Greylisting alone proved to be great... until Srizbi started to generate sizable percent of spam (spambot very widely deployed, and that can handle greylisting rejects and retry).

      Considering that 80+% of all spam is generated by botnets mostly in desktop PCs, not servers, using a blacklist that targets specifically personal pcs (home dsl, dynamic connections, etc, whatever NOT meant to be a mail server) like i.e. Spamhaus's pbl or zen (adds known/real servers used to send spam, closes the other hole in the graylist), should take away a big percent of spam, even without having to receive the message itself. But is good to take this with care, not every server follows standards so greylisting could stop real servers (you can whitelist the ones you really want here), and a blacklist could stop something you want too (mail server logs could be useful to check what is being stopped).

      There are far more things you can do to reduce spam, but the bulk could be handled with these 2 simple measures.

    3. Re:Greylisting by lars_boegild_thomsen · · Score: 1

      Shhhh - don't tell the spammers!!!

      Seriously - right at this moment in time, greylisting is just about the best defense there is, but I am sure sooner or later the spammers are going to start resending spam to get around it (I am actually seeing that happening right now).

      I am maintaining the mail system for a 150 user network and I originally played around with greylisting because spamassassin had problems keeping up with the load (I guess it rejected around 10000 emails daily). After pointing the primary DNS to an IP address with no SMTP server running and doing greylisting on the real SMTP server, this number dropped to less than 100 a day.

      It's a two-edged sword though. I reckon that the low number of rejected messages now means that whatever spam is clever enough to get around the greylisting is ALSO clever enough to get through spamassassin and in reality this might be because spamassassin has very little real spam to train its bayes filter on.

      Anyway - for now - while it lasts - nothing beats greylisting in my opinion.
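The greylisting behaviour discussed in this sub-thread, as an added example that is not any poster's code: a new (client network, sender, recipient) triplet gets a temporary 451, a proper retry is accepted, and an allowlist exempts senders that treat a 4xx as fatal. The class and function names, the timing values and the sample traffic (documentation address ranges) are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

TEMPFAIL = (451, "4.7.1 Greylisted, please retry later")
ACCEPT = (250, "2.0.0 OK")


@dataclass
class Greylist:
    min_delay: int = 300          # assumed: a retry sooner than 5 minutes is still deferred
    retry_window: int = 4 * 3600  # assumed: a retry later than this starts over
    pass_ttl: int = 35 * 86400    # assumed: how long a proven triplet stays trusted
    allow_nets: list = field(default_factory=list)  # networks exempt from greylisting
    pending: dict = field(default_factory=dict)     # triplet -> time first seen
    passed: dict = field(default_factory=dict)      # triplet -> time last accepted

    def _triplet(self, ip, sender, rcpt):
        # Key on the /24 (or /64 for IPv6) so a sending farm that retries
        # from a neighbouring address is not deferred forever.
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net.network_address), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        """Return the (code, text) to answer at RCPT TO time."""
        ip = ipaddress.ip_address(client_ip)
        if any(n.version == ip.version and ip in n for n in self.allow_nets):
            return ACCEPT  # known-good sender that cannot cope with a 4xx
        key = self._triplet(ip, sender, rcpt)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now  # refresh on use
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now  # first contact, or retry came too late
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL  # retried too quickly, keep deferring
        del self.pending[key]
        self.passed[key] = now
        return ACCEPT


def replay(greylist, attempts):
    """Feed (time, ip, sender, rcpt) attempts through the greylist; return SMTP codes."""
    return [greylist.check(ip, s, r, t)[0] for (t, ip, s, r) in attempts]


# Constructed sample traffic, times in seconds.
SAMPLE = [
    (0,     "203.0.113.9",  "promo@example.net",   "bob@example.com"),  # first contact
    (5,     "192.0.2.10",   "alice@example.org",   "bob@example.com"),  # first contact
    (65,    "192.0.2.10",   "alice@example.org",   "bob@example.com"),  # retry too soon
    (905,   "192.0.2.77",   "alice@example.org",   "bob@example.com"),  # retry, same /24
    (1000,  "192.0.2.10",   "alice@example.org",   "bob@example.com"),  # already proven
    (1200,  "198.51.100.5", "clerk@agency.example", "bob@example.com"), # allowlisted
    (20000, "203.0.113.9",  "promo@example.net",   "bob@example.com"),  # outside window
]


def demo():
    gl = Greylist(allow_nets=[ipaddress.ip_network("198.51.100.0/24")])
    return replay(gl, SAMPLE)


if __name__ == "__main__":
    print(demo())
```

A sender that retries correctly, as the posters note some spam software now does, passes this check on its second attempt, so the result still needs a content filter or blacklist behind it.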

  10. Force keywords in the subject line by therufus · · Score: 3, Interesting

    I've had to send emails to recipients within the Australian Defence Force (specifically, the Army), and every email sent from a civilian must include a keyword within the subject line. The keyword is to do with whether or not the information is classified or unclassified. Sure, getting all the clients to send all their emails with [companyname] in the subject line is a little annoying, and may not be possible depending on your circumstances, but the chances of spam having that keyword within it is virtually impossible.

    Set up an automated filter whereby anything that doesn't have the keyword in the subject gets dumped into a spam box to be sorted later. If the senders do the right thing, it assures their emails will be directed to the correct person.

    This is just one example of active spam filtering as opposed to the passive spam filtering used in IT today.

    --
    You moved your mouse. Please restart Windows for changes to take effect.
    1. Re:Force keywords in the subject line by Anonymous Coward · · Score: 0

      I'm fairly certain that the classification keyword system has nothing to do with spam, rather it is designed as an informational service between AU government departments. (the classified, unclassified system)

      I'm not actually sure the gain, but you are meant to configure your gateway to deny/accept based on the trust level of the sending gov department.

      It would be a trivial system to work around as a spammer if implemented with the intention of reducing spam

    2. Re:Force keywords in the subject line by wvmarle · · Score: 1

      My filter keeps a list of known senders (those who are present in my saved e-mails), e-mails from those senders are delivered without filtering. Goes fine as most spam uses some random from: address these days, never had problems with that.
      Then mails with a SpamAssassin score of 5-13 go into a spam box for manual sorting. That results in about 10% of my daily spam, or about 30-40 mails.
      Anything with a score greater than that is sure enough to be spam, and gets ditched.
      In rare cases (once a month or less) I have a false positive, the score is usually less than 6 pts. This way my spam-problem is manageable.

    3. Re:Force keywords in the subject line by Anonymous Coward · · Score: 0

      Thanks for the info. I am not configuring my botnet to put a random company name in the subject.

    4. Re:Force keywords in the subject line by pclminion · · Score: 1

      I've had to send emails to recipients within the Australian Defence Force (specifically, the Army), and every email sent from a civilian must include a keyword within the subject line. The keyword is to do with whether or not the information is classified or unclassified.

      You send classified information over email? What the hell are you smoking?

    5. Re:Force keywords in the subject line by justinlee37 · · Score: 1

      Just implement it; when people who don't address their e-mails correctly realize that they end up in the spam box, they'll catch on quick. Just make sure that you get the approval of someone higher up than you so when no one gets the CEO's e-mails it isn't your job that ends up in jeopardy =)

    6. Re:Force keywords in the subject line by afidel · · Score: 1

      Classified != Top Secret. Also encrypted email is pretty damn good for protecting data, it leaves only traffic analysis as a major source of information leaked.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Force keywords in the subject line by linuxpyro · · Score: 1

      It could work for most smaller businesses I would think, but it is a great idea if you just want to throw your Email on your Web page (even though you should obscure it like many do here on /., chances are it'll get on some spam list somewhere).

      --
      Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
    8. Re:Force keywords in the subject line by jatougas · · Score: 1

      Sure, getting all the clients to send all their emails with [companyname] in the subject line is a little annoying, and may not be possible depending on your circumstances, but the chances of spam having that keyword within it is virtually impossible.

      A spear-phishing attack like we've been seeing for the past few months where I work would actually make that extremely likely, unfortunately. For the OP, I've had a great deal of success running a Postfix/SpamAssassin/ClamAV setup. Not very hard to set up, and does a great job.
      --
      A thought that sometimes makes me hazy: Am I - or are the others crazy? - Albert Einstein
    9. Re:Force keywords in the subject line by Anonymous Coward · · Score: 0

      This is not true in my experience. I've got some mates in there and I haven't needed to do such a thing. However, when they respond, the subject line has been altered to "... [SEC = UNCLASSIFIED]" which I find particularly hilarious.

  11. Power to the people :) by grantdh · · Score: 5, Insightful

    Whatever solution you get, the simple answer is:

    1) Set up the system to put junk mails in a folder the user can see

    2) Train the end user to check their junk mails

    3) Show the user how to set the spam triggers high or low and what the implications are

    If user says they're too busy/important, advise them that due to your workload, their email box will be added to the "manually checked list" which gets done once per week. Point out the impact of losing a time-critical email wrongly flagged.

    Most times they do it themselves. For those who are dead set on having someone else do it, hire a temp or arrange for an office junior to do it.

    If you're in IT, you have better & more important things to do than check for real mail in a junk mail box...

    --

    I left my body to science, but I'm afraid they've turned it down...
    1. Re:Power to the people :) by Anonymous Coward · · Score: 0

      1) Set up the system to put junk mails in a folder the user can see
      2) Train the end user to check their junk mails

      I don't understand why spamfilters come up with this solution. What is the point if I still have to go through each and every mail manually?
    2. Re:Power to the people :) by paganizer · · Score: 1

      BOFH, is that you?
      Up until 2006 (I retired) I ran an in-house mail server (well, in-basement, actually) with about 250 users; when the SPAM started hitting the 200+ mark per day I figured the bandwidth savings alone would be a good reason to stop it as much as possible at the server.
      I used ORBS, blocked all of asia-pacific net, and ran ASSP (Anti-Spam SMTP Proxy). After around 5 days of training I had SPAM down to maybe 3-5 a day per mailbox; I never could beat that number.

      --
      Why, yes, I AM a Pagan Libertarian.
    3. Re:Power to the people :) by phoenixwade · · Score: 1

      I used ORBS, blocked all of asia-pacific net, and ran ASSP (Anti-Spam SMTP Proxy). After around 5 days of training I had SPAM down to maybe 3-5 a day per mailbox; I never could beat that number.

      I'm managing a little better than that with Spamassassin, a few SARE rules and some tweaks to the scoring (mostly upping the scores on the RBLs). We seem to be averaging around 2/day/act for around 3000 user accounts.

      The sacrifice is 2 or 3 false positives a month.

      If I can get an acceptable handle on the backscatter problem we're currently dealing with, we can improve this, I believe.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    4. Re:Power to the people :) by Lershac · · Score: 1

      oh ASSP has improved tremendously. For a ~75 user ~500-1000 message a day traffic (legit messages) we get about 1 or 2 a week spams getting through... and it's blocking a couple of THOUSAND a day with false positives not even being on the RADAR.

      But this guy does remind me of BOFH!

      Quick way to give someone else your business... that BOFH attitude. Idiots put money in my pocket, I always smile and be polite.

      --
      Chuck
    5. Re:Power to the people :) by RealGrouchy · · Score: 2, Interesting

      1) ...junk mails ...

      2) ...junk mails

      3) ... spam triggers

      I encountered a user who did not realize any difference between the "junk" folder and the "trash" folder, and was subsequently confused as to why legitimate mail was not showing up in the Eudora mailbox.

      Given the dictionary definition for "junk", this is not an unreasonable mistake.

      - RG>
      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    6. Re:Power to the people :) by Anonymous Coward · · Score: 0

      If you're in IT, you have better & more important things to do than check for real mail in a junk mail box...

      Whoa now. "Information Technology: a broad subject concerned with aspects of managing, editing and processing information."

      And s/he's IT for only 50 people. S/he handles their 'computer stuff'. S/he is mailroom & infrastructure-repair dork, very probably for entirely ordinary people -- there's no mention that the company is technology oriented, only that it's been "growing dramatically", which indicates all staff members are really busy dealing with whatever the normal daily business is.

      No surprise the IT dork has been told to get rid of the time-wasting spam. And seeing spam and false positives indicates that the IT dork isn't very good at the job, just like if the cleaning staff misses wastebaskets and throws out stacked papers.

      If the IT dork can't do it, then the IT dork better be able to explain simply and utterly convincingly that perfection is a practical impossibility, or they'll be shopping for a better IT dork.

      I generally agree with you and your outline of practical solution, but "If you're in IT, you have better & more important things to do" doesn't reflect the real position of IT in normal business hierarchy. And this IT dork is handling it well -- ran out of ideas so is asking if there really is or isn't a better way before having to play Scotty to Kirk.

      If it comes to that, usually better than 'it canna go capt'n' is have a meeting with the supervisor where dork presents (on one piece of paper) the identified shortcoming, and two or three ways forward with their respective time/budget requirements.
    7. Re:Power to the people :) by grantdh · · Score: 1


      Hmmm - maybe I should have rephrased that last line a little better so I don't appear quite so BOFH. After all, if I were the BOFH, I would have figured how to electrify the (l)user or dump all their emails :)

      Perhaps it should have read:

      If you're being paid the big bucks of a good SysAdmin, IT consultant or IT Manager, it is an inefficient use of your client's money for you to wade through junk mail looking for valid messages.

      Does that sound better?

      How about:

      If you're being paid a constant rate, have lots to do and have bigger issues to resolve that need your time, what the heck are you doing trawling through junk messages???

      When I was setting up IT environments for my clients, my goal was to get them as self-sufficient as possible to:

      a) reduce their spendings on IT

      b) let me focus on the big issues

      c) keep them happy

      I didn't just say "Read the Frackin Manual" and walk away - I'd review what they wanted, present options and come up with the most cost-effective use of everyone's time. In the majority of cases, it worked and all were happy.

      So yeah, I guess those last bits of my first message could lead to a BOFH situation, but that certainly wasn't my intention :)

      --

      I left my body to science, but I'm afraid they've turned it down...
    8. Re:Power to the people :) by or_is_it · · Score: 1

      OP here... I'm actually a "junior" programmer (newest guy on staff), but in smaller organizations, we're often asked to wear many hats. Just last week I was moving office furniture. The "senior" Network Admin had "delegated" the tasks of email maintenance and backups to me, which in my humble opinion are 2 of the biggest responsibilities of a network admin. ...so I'm actually inheriting methods I don't agree with so I'm looking for better solutions. I know almost nothing about networking, but to anyone outside of IT (management), anything having to do with computers is interchangeable, even though the training/schooling you go through to be a programmer vs. network admin are entirely different.

    9. Re:Power to the people :) by dbIII · · Score: 1

      I simply rename the box "spam" for everyone and change the rule for junk.

    10. Re:Power to the people :) by paganizer · · Score: 1

      Wow. That's pretty impressive.
      I'm talking to ISPs near my ex's house (the only Basement I have access to where there is a possibility of broadband these days; she lives there rent free, so I don't think she'll complain) near Louisville about getting a commercial 512k+ line installed; If I get them talked down to a sane $ amount for what is essentially just my hobby, I'll probably drive a server up there and VNC it from here (The Sticks, TN) and take back over my e-mail from the company that has been mismanaging it for the last few years. Knowing that ASSP is kicking ass is a nice cheery thought, although I'll need to find a replacement for ORB.

      In my experience you can get away with thinking like the BOFH, but not talking like him; If you want to pass a time consuming onerous task over to your users, make them think it's their idea.
      "Phil, I need you to sign this consent form...why? well, the anti-SPAM software we're using is really great, but there are some e-mails that get flagged for administrator review automatically if the software can't decide whether it's legitimate; usually they turn out to be legitimate private correspondence, but it still means I have to go through some of your private mail..."

      --
      Why, yes, I AM a Pagan Libertarian.
  12. Nothing's perfect... by msauve · · Score: 2, Insightful
    As you've found, an automated system can be tuned, but you'll always have false positives/negatives.

    I like the way spamassassin works - it can provide a rating for each message, which provides a mechanism for users to set the bar to their own preference, instead of having a single setting for the entire organization.

    I'm not talking about using individual configurations for spamassassin, it's not realistic to expect most users to be able to deal with all the gory detail of spam filters.

    Rather, spamassassin can set a header to indicate its confidence that a message is spam:

    X-Spam-Level: ****
    It adds an asterisk for each "point" of spam score. Users should be able to create an email filter which picks off suspected spam and puts it into a separate folder based on a header like that. Maybe drop all 10+ messages centrally, and let users tweak a local filter to their liking, depending on whether they prefer false positives or negatives.

    I use spamassassin as an example only because that's what I use. There are no doubt others which can provide something similar which users could filter on.
    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
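The score-based routing described in this post (central drop at 10+, a per-user junk threshold read from `X-Spam-Level`) together with the known-sender bypass wvmarle describes earlier in the thread, as an added example that is not any poster's configuration. The function names, default thresholds and sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr


def spam_level(msg):
    """Number of asterisks in X-Spam-Level, or None if the message was never scored."""
    values = msg.get_all("X-Spam-Level")
    if not values:
        return None
    # If a message carries more than one copy of the header, trust the highest.
    return max(v.count("*") for v in values)


def triage(raw, known_senders=frozenset(), junk_at=5, drop_at=10):
    """Return 'inbox', 'junk' or 'drop' for one raw message.

    drop_at models the central cutoff; junk_at is the bar each user tunes.
    """
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Known-sender bypass. The From header is chosen by the sender, so this
    # trades some safety for fewer false positives.
    if sender and sender in known_senders:
        return "inbox"
    level = spam_level(msg)
    if level is None:
        return "inbox"  # unscored mail is delivered rather than lost
    if level >= drop_at:
        return "drop"
    if level >= junk_at:
        return "junk"
    return "inbox"


def make_msg(sender, subject, stars=None):
    """Build a constructed test message; stars=None leaves the header out."""
    headers = [f"From: {sender}", "To: staff@example.com", f"Subject: {subject}"]
    if stars is not None:
        headers.append("X-Spam-Level: " + "*" * stars)
    return "\n".join(headers) + "\n\nbody text\n"


# Constructed sample mail.
SAMPLE = {
    "clean":      make_msg("Alice <alice@example.org>", "Meeting notes", 1),
    "borderline": make_msg("stranger@example.net", "Invoice attached", 6),
    "customer":   make_msg("Customer <customer@example.org>", "URGENT order", 7),
    "high":       make_msg("x@example.net", "Pills", 13),
    "unscored":   make_msg("ops@example.org", "Backup report"),
}


def route_all(**prefs):
    """Route every sample message with one user's preferences."""
    return {name: triage(raw, **prefs) for name, raw in SAMPLE.items()}


if __name__ == "__main__":
    # A user who prefers false negatives, and one who prefers false positives.
    print(route_all(junk_at=8))
    print(route_all(junk_at=3, known_senders={"customer@example.org"}))
```

Raising `drop_at` to 14 reproduces the 5-13 review band from the earlier post: the 13-point message then lands in the junk folder instead of being discarded.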
    1. Re:Nothing's perfect... by Anonymous Coward · · Score: 0

      postfix (require fqdn in helo and rdns) + spamassassin + greylisting (postgrey) + spamhaus/dsbl

      I'm administrating a mail server with this config. A RBL hit gets you a 24 hour ban in iptables and a greylist hit gets you a 5 minute ban in iptables (just stops the dictionary attacks)

      I get about 20-30 connections per minute

      spam-stats.pl (from a log a couple of hours since rotated)

                  1 User unknown
                  3 Relay access denied
                  4 Bad HELO
                79 RBL list.dsbl.org
                93 Sender Domain Not Found
              412 Need FQDN address
              690 Recipient address rejected
            1098 Greylisted delivery attempt
            1855 RBL sbl-xbl.spamhaus.org

            4235 TOTAL

      Spamassassin stats:
                  8 spam
                12 clean
                20 TOTAL

      Percentages:
      spam:non-spam (4243/4255) 99.72%
      tagged messages (8/20) 40.00%
      rejected spam (4235/4243) 99.81%

      # iptables -L SPAMMERS -n | wc -l
      12095 ... banned IP addresses in iptables, from within the last 24 hours.

      From all that, 8 emails have hit mailboxes in the last 24 hours... 99.81% hit rate can't be bad :)

      If you touch GFI, you deserve to have it delete all your emails... A very good friend of mine worked at GFI in Malta

    2. Re:Nothing's perfect... by frisket · · Score: 1

      My university uses SpamAssassin to rate all incoming mail for 18,000 student accounts and 3,000 staff/faculty, and prepend "***SPAM???" to the Subject header of all potential spam. Spam for student accounts is dropped on the floor; spam for staff/faculty is forwarded to their mailbox, and they have a local filter rule to put it into Junk or Trash or somewhere where *they* can check it.

      I haven't had a false positive for over a year, and only a handful of false negs. The systems guys do a great job of keeping it tuned, and I don't know anyone who has had complaints.

    3. Re:Nothing's perfect... by Anonymous Coward · · Score: 0

      This becomes a problem when the email client is outlook express, which can't filter on custom headers and X-Spam-Level isn't one of the normal headers, Spamassassin can put that in the subject but then every email has #'s added to the subject line. It's not a problem if people don't mind switching client applications.

  13. Commercial Services by Secrity · · Score: 1

    You might want to consider using a commercial email filtering service, such as messagelabs.com.

    1. Re:Commercial Services by testostertwo · · Score: 1

      I agree, you should check these out at least.

      When we first implemented messagelabs' spam filtering my biggest problem was dealing with a large number of users thinking their email setup was broken, there was such a drop in traffic.

    2. Re:Commercial Services by travisd · · Score: 1

      +1 on this. Let someone else deal with it. They have a whole lot of aggregate data to use to create their filtering, and it's what they do. Also, by having someone else do the filtering you don't end up paying for bandwidth and storage for the spam.

  14. hosted spam filtering by Anonymous Coward · · Score: 0

    I'd say it really depends on the budget. For 50 users, I'd use hosted solution like from Google Postini which cost about $12 per user per year. The trend nowadays for any spam filtering is really look like going toward SAAS model.

    Alternatively, if you prefer an in house solution, you could use Barracuda Spam Firewall, but it still requires some tweaking building the Bayesian filter by marking legitimate emails and spam.

  15. Best purchase ever... by Anonymous Coward · · Score: 0

    Postini.com completely managed service.

  16. Postini by chill · · Score: 2, Informative

    Postini's anti-spam service does wonders. We use it for about 200 accounts and people love it. It works, rarely gets things wrong and is simple. IT (me) loves it because spam is no longer my problem. For a fee that would be less than my effort and aggravation is worth, they take care of it. We are currently investigating expanding use to compliance filtering and archiving as well.

    For the record, Google purchased Postini in the not too distant past.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Postini by SkyDude · · Score: 1

      Postini's anti-spam service does wonders.

      I would second that. My former employer went with Postini in 2003 and the management of spam became a piece of cake. I used to see about 2-3 false positives in my email each month, but it usually was due to the sender creating newsletters that were "spammy", in other words, had many spam characteristics. After several attempts to get them to test their emails on a testing site, they finally did and never got caught in the Postini filters again.

      We had used SpamAssassin from 2000 until 2003 and while it worked well, the definitions had to be updated regularly or spam would creep through.

      --
      == First cross river, then insult alligator.
    2. Re:Postini by Nimloth · · Score: 1

      I agree. We wanted to make the move out of a similar service we were using: Modus Gate. Simply wasn't cutting it anymore. I tried to setup GFI but the tweaking and triple-checking was just too much work for me (IT) alone. We went back to Modus.
      Last month I proposed switching to Postini for which I'd read a few positive reviews, the switch was easy, the complete setup for 30 users was done in under an hour, and it's been working GREAT so far.
      We paid 3$/month/user with Modus Gate. Postini gives us the same service with better results for 3$/user/YEAR!
      Try it, your headache will go away.

    3. Re:Postini by Anonymous Coward · · Score: 0

      We're using Postini to filter almost 2000 accounts across several domains. Just the reduction in bandwidth we are using is worth the cost of filtering. We are rejecting close to 250,000 emails a day, and hardly any false positives.

    4. Re:Postini by Anonymous Coward · · Score: 0

      I agree, Postini is the best solution out there - I love the fact that you don't run any server OR client software, instead it works as a sort of proxy. Accounts are $3 a piece for an entire year - for your 50 person company $150/year for MANAGED spam service is incredible.

    5. Re:Postini by ralphdaugherty · · Score: 1

      For the record, Google purchased Postini in the not too distant past.

      I did not know Google had purchased Postini. I use it as an individual for my ISP mail account, and it also handles my web site email, which I forward to my ISP email account, and it does the job perfectly. Intercepts hundreds of spams a day and lets through very few of them to me.

      That includes doing a very good job on bouncebacks when my web site domain is used for mass mailings by spammers. Postini deals successfully with thousands of those not deliverable messages in those cases.

      I pay a very small fee per month for it, included as part of my ISP account.

        rd

    6. Re:Postini by Anonymous Coward · · Score: 0

      We recently set up postini in our store. We only have about 10 email accounts but we were getting 300+ messages a day.

      After setup, we've reduced the number of spams coming through to about 2 or 3 a day and false positives are easily sorted out by glancing at the junk email folder a few times a day.

      Most importantly, we make sure people have our phone number. Things always run more smoothly if we know in advance that a client is sending an important email.

    7. Re:Postini by bogibear · · Score: 1

      Postini or Messagelabs are two excellent alternatives. Yes, they cost money, but for a very good reason. I work for a large corporation and we have 15,000 mailboxes. About 2 years ago, we were the recipient of all the bad emails that came of a phishing attack. The perpetrators of the phishing scam sent out emails supposedly from a bank using our domain name as the bank's domain (i.e., bank was foo bank (foobank.com) and our company was foo (foo.com)). Our email was totally jammed up for over a week while this was going on. In the past 6 months, we went to a hosted solution with Messagelabs. They have guaranteed SLA for uptime and speed of delivery. All of our inbound mail goes through them before coming to us. We get the additional benefit of on the fly antivirus to further filter out bad email. They are large enough and are able to handle even the largest of attacks. Again it isn't cheap, but we never have to worry about adding Internet bandwidth or increasing the number of anti-spam servers because they manage everything. We even give them our email addresses to filter out emails addressed to non-existent users (i.e, bob@foo.com). Spam is just an unfortunate byproduct of the Internet. I heard somewhere that the first advertisement (spam) was sent out 15 or 20 years ago on arpanet... Who would've thought it'd get this bad....

    8. Re:Postini by KeithJ2020 · · Score: 1
      The organisation I work for has 600 users and we use Postini; fabulous results, rare instances of a spam getting through. Definite spam items are discarded, each user gets a daily summary of trapped items that are probably spam; the user can release (unless it contains a forbidden attachment, such as a virus) or if ignored for 14 days the trapped item is discarded.

      I have clients with >100,000 users on Postini, and others with as few as 50 users on Postini; all are just as happy with the service. My organisation will not go back to running our own infrastructure for trapping spam. By having Postini do the "heavy lifting" we experienced a 76% reduction in bandwidth consumption as spam was trapped at Postini, instead of being downloaded to our mail infrastructure only to then be discarded.

  17. Frontbridge Spamshark by _Hellfire_ · · Score: 3, Interesting

    How do larger organizations deal with the spam issue?

    I used to work for a mining company you've heard of. Our department had responsibility for managing the email vendor, who used Spamshark to filter spam coming into the organisation. From my limited knowledge of the setup, Spamshark does basic blacklisting etc. but also does selective blacklisting on specific IPs when an email is flagged by a user. So Alice flags a message as spam, Spamshark figures out the message id, grabs the IP address it came from (it knows because it previously handled the email), and then blacklists that IP for a certain amount of time. Now this internal blacklist is then shared to all the other customers who use Spamshark, so they are now protected too; resulting in a 5 nines hit rate on spam.

    Like I said we just handled vendor relations, and the above description might not be totally accurate, but this is what I gathered when we dealt with them. I also remember getting about 10 complaints of spam a month for an organisation with 10's of thousands of email addresses - so it was very effective.

    --
    "And then I visited Wikipedia ...and the next 8 hours are a blur..."
    1. Re:Frontbridge Spamshark by badger.foo · · Score: 2, Informative

      > Now this internal blacklist is then shared to all the other customers who use Spamshark, so they are now protected too; resulting in a 5 nines hit rate on spam.

      And more false positives than you would actually like to have. I've been at the business end of one of Frontbridge's blacklists. One of the domains I admin got blacklisted a full three weeks after the hosting company screwed up and let phishers set up a paypal scam site as the "test1" user to live for all of 22 hours. Three weeks later, one of the company's main customers, who happens to be a frontbridge customer, is no longer able to receive mail from us. An unfinished writeup is at bsdly.net - I just gave up in disgust after trying to write an article about the incident.

      --
      -- That grumpy BSD guy - http://bsdly.blogspot.com/
    2. Re:Frontbridge Spamshark by mrbooze · · Score: 1

      Friends of mine in various retail businesses say it is *very* common for a few customers who actually requested to join their mailing list to report them as spam later. They have to deal with being blacklisted for their opt-in only mailing list 2-3 times a month.

    3. Re:Frontbridge Spamshark by _Hellfire_ · · Score: 1

      I don't know if it would be as simplistic as 1) get email 2) check for spam 3) if spam then blacklist host. If I was creating a spam firewall for use by large corps I'd employ some sort of hit counter and other funky mathematics to determine heuristically if the connecting server is an open relay; or if it is a closed relay relaying one or two dodgy messages.

      --
      "And then I visited Wikipedia ...and the next 8 hours are a blur..."
    4. Re:Frontbridge Spamshark by KGIII · · Score: 1

      I can confirm this to be true in my experiences. I own a small hosting company and a few of my clients have newsletters - some of which are really popular. I've seen the scripts that they use and I know the confirmation process of all of them - they had to subscribe AND confirm... Yet they still get people coming to us to "stop the SPAM!!!"

      I investigate them all and the sad part is that they could have easily unsubscribed but, then again, I've told people for years to never bother with the unsubscribe options in SPAM because that just proves to the spammer that the email address is real.

      Fortunately I don't get too many to deal with. *sighs*

      Slightly off-topic but still along the same lines we have had people who have done this time and time again with the same address and the only rational thing I can come up with is (the site in question is a politically motivated) and the only reason we can come up with is that they would like to get the site shut down. Go figure?

      --
      "So long and thanks for all the fish."
    5. Re:Frontbridge Spamshark by stevey · · Score: 1

      That solution sounds interesting, but utterly unworkable.

      Consider what happens if a spam mail comes from googlemail.com - happens a lot - just one report would be sufficient to stop the legitimate googlemail accounts.

      (OK in practice big companies have multiple outgoing SMTP servers, so you'd still get it. But it sounds like a very big hammer approach..)

    6. Re:Frontbridge Spamshark by Anonymous Coward · · Score: 0

      This doesn't work in the case of shared servers. It also is flimsy criteria because sometimes people who mark 'spam' really mean 'I don't want to hear from this person' for reasons other than junkmail.

    7. Re:Frontbridge Spamshark by Megor1 · · Score: 1

      I read your article, from what I can tell you were not even blacklisted? If you are blacklisted on MEHS (Microsoft Exchange hosted Services) your email is bounced back right away, I don't see any such messages in your writeup.

      You mention in your write up that

      "Not to worry, was the message from their admin, all they needed to do was release the messages from their holding area
      every now and again, and then start training the system that my messages were not spam."

      I use MEHS, and mail that is marked as spam by their filtering can be released by any user not just an admin (These are the mails that go into spamshark).

      There is a feature that allows admins to set up their own custom rules that will put the mail into a custom quarantine area where only the admins can release the messages. So for example you might set a rule that all mail from monster.com goes into this location. The rules created for this are created by the customer Admin not the service, so perhaps what happened is the people you were trying to send to created their own rule that sent all mail from the domain (or containing something in the company signature) into the mail jail.

      --
      Everyone that disagrees with me is a paid shill
    8. Re:Frontbridge Spamshark by badger.foo · · Score: 1

      I read your article, from what I can tell you were not even blacklisted? If you are blacklisted on MEHS (Microsoft Exchange hosted Services) your email is bounced back right away, I don't see any such messages in your writeup.

      When I tried sending that writeup to Microsoft, the message was indeed bounced immediately. I have no idea how the admin interface works or what it looks like, but I got the impression from the customer's admin guy that it was (is?) a very complicated and confusing GUI application.

      The main thing is, however, that the process was totally opaque, and how the system is supposed to work is a trade secret. Getting any kind of information out of Frontbridge at all was just not possible.

      It's possible that the system was designed by very smart people, but I strongly suspect that those original brains took the money they got from Microsoft and ran, leaving the code and operation in less capable hands.

      --
      -- That grumpy BSD guy - http://bsdly.blogspot.com/
  18. Time to ditch GFI by RichMeatyTaste · · Score: 1

    The lack of OCR image scanning is reason enough to ditch GFI. My previous employer sold GFI for years but as it became less reliable we switched to SonicWall Mail Security appliances. They are less expensive than Barracuda, but the accuracy rate has been out of this world. A little secret: the devices don't enforce their license limits. No matter what size you buy (among the smaller units) the devices are the same. I've found that the device works fine as is, but if your company gets a lot of spam (say 200+ daily per person) you might want to enable at least one DNS black list. I usually added the entire sorbs DNS black list. I also set up catch all email addresses (john.smith@xxxx.com) that the device uses to train itself. The device reads all email sent to these nonexistent users and uses it to identify spam/train itself for everyone else. The device can be configured to send daily summary emails that users can read and unjunk directly from the email if need be. In all honesty after a few months the users will find it so accurate that they will just ignore the email altogether. Make sure you update it out of the box (they never ship them with the current hd image). You can view the web UI at the SonicWall site, they have a demo unit set up. The device costs more than GFI (about 2G up front for the smallest unit, a few hundred a year to renew the updates) but trust me it will pay for itself in terms of less spam management labor all around. I've installed/configured about 20 of the SonicWall devices and probably 80 GFI ME/MS and they really don't compare. You can go with outsourced solutions, but the truth is that people will never log in and check their spam.

    --


    Ever feel like you are driving the getaway car?
    1. Re:Time to ditch GFI by nguy · · Score: 1

      Why not reject all messages containing images? Images in E-mail are almost always either for tracking, for spam, or for viruses.

    2. Re:Time to ditch GFI by Anonymous Coward · · Score: 0

      SonicWALL is a good option. If you have a Windows box available, you can buy their software for a few hundred dollars. The one thing it has over Barracuda is that each user has the ability to unjunk emails. Barracuda only offers this on the more expensive boxes.

    3. Re:Time to ditch GFI by ColaMan · · Score: 1

      Images in E-mail are almost always either for tracking, for spam, or for viruses.

      or for :
      - smilies and other emoticons (gah! Learn to write formal business prose without needing the crutch of emoticons)
      - "stationery" - you know, flowery backgrounds and the kind of crap that secretaries like.
      - company logos. A legitimate usage.
      - a digitised copy of someone's sig (madness, if you ask me, but you see them on occasion.)

      These are all the sort of things that you see on business email every single day.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    4. Re:Time to ditch GFI by Kalriath · · Score: 1

      Never, EVER, use SORBS! SORBS have been sued at least once for blacklisting a large ISP without good reason, and my personal favourite is that even if you inherit a released IP from a previous spammer, they won't remove the IP from their lists unless... wait for it...

      You donate a minimum of $50 to a "recognised" (by them) charity.

      They send a reject reply for all mail from a server with a reverse DNS entry not matching Matthew Sullivan's (rejected) draft RFC, and the owner is basically an egotistical tosspot.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  19. Charged with WHAT TASK? by Anonymous Coward · · Score: 0

    Charged with WHAT TASK? Manually sift through the entire company's spam folder?

    Somebody, please tell me this is not a regular thing at U.S. companies. It's not, right? It's not, no, it's not? It just can't be, no? You can't just tell a human being to read all junk mail for fifty people, 'cause it's inhuman, right? Right?

    (a European A.C. about to move to the Americas)

    1. Re:Charged with WHAT TASK? by Lershac · · Score: 1

      How do you think we keep our unemployment so low?

      Just kidding, we all work at McDonald's.

      --
      Chuck
  20. OpenBSD spamd by DaMattster · · Score: 4, Informative

    I've had excellent results with this particular product. Spamd uses blacklisting, greylisting, and tarpitting. It really is delightfully evil and still makes me smile because it includes a fake smtp daemon which sets the tcp rcv window to 1. This is a kick in the nuts to the spammer. I've used it with resounding success at a client who was receiving 2000 spam emails a day. Prior to implementing spamd, we were using just a Barracuda. When I combined spamd and the Barracuda, spamd caught about 1975 of the spam messages and the barracuda took over from there. No false positives and we've been running for three months. This link details how to set it up, http://www.linux.com/feature/61103.

    1. Re:OpenBSD spamd by Anonymous Coward · · Score: 0

      spamd is superb. The University of Alberta uses it to filter out 95% of the spam hitting the network. If you use the university's whitelist, you'll have a great starting point.

    2. Re:OpenBSD spamd by grub · · Score: 1


      I'll second (or third) OpenBSD and spamd. I've been using it since very early on and it's just outright awesome.

      Even if you don't want to use any of the cool firewalling features in the system, just putting a box with this in front of your mail server acting as an SMTP 'prefilter' will save you oodles of pain. Not a unixish person? Hell, mail me and I'll help you set it up.

      --
      Trolling is a art,
    3. Re:OpenBSD spamd by valenti · · Score: 1

      Ditto on spamd. My little departmental mail server was getting about 1000 messages per day. I turned on spamd and that dropped to about 100. Spam is now a small enough problem (less than 10 spams/day for about six accounts) that I haven't had to resort to other methods.

  21. SPAM solution by Anonymous Coward · · Score: 0

    I work for a company with about 500 users on the network for email purposes and we use Trend Micro IMSS (InterScan Messaging Security Suite) 7.0 for Linux. (They offer a windows solution for IMSS but we prefer the Linux solution.) This is basically a linux box (RHEL 4.0/CENTOS 4.0) with postfix as an MTA and the postfix server is used as an email gateway for our Microsoft Exchange server. This system catches about up to 10,000 spam a day with a miss rate of less than 1% (I track these numbers every day). In the month of April we caught about 267,000 spam for the month. The reason why we don't use the windows version of IMSS is while running version 5.7 of the linux version we had an attack that would have allowed a hacker to gain admin rights on the box had it been a windows box. We were considering changing to a windows version of IMSS (I have one co-worker who is VERY windows centric and just doesn't understand linux at all!) at that time but that one attack sold us on the linux version of IMSS. I have no idea what this all cost, I don't get involved in that side of the business but as a solution it is great! I'm sure you could also build a CENTOS 4.0 with Postfix and spamassassin with the same effect. Much good luck.

  22. Maia by online-shopper · · Score: 1

    I wouldn't bother with most commercial systems, and greylisting is only part of the solution. What I have done multiple places (and always been happy with) is to have an offsite mail filter / mail backup such as no-ip.com (I happen to use them, anybody with similar service is fine, should be no more than around $50/year). They do some basic filtering, then send the mail on to you. At that point I use maia mailguard ( http://www.maiamailguard.com/maia/wiki ), it's essentially a frontend to spamassassin (which is what most commercial appliances use) that gives each user the ability to set their own spam threshold as well as how often they get notifications of spam. It provides per user statistics as well.

    For example, at work I have my spam threshold set to 2, while the support mailbox is 10. So I get very little spam, but the occasional email is blocked, while support email always goes through, but we get a bit of spam.

  23. I have the opposite problem... by Anonymous Coward · · Score: 0

    We run a mid sized hosting company and we need a way to filter the spam complaints out to our customers. The problem is that every spam database sends a different kind of email with different information, most include the mail server IP but some don't. Is there any solution available for that?

    1. Re:I have the opposite problem... by Lershac · · Score: 1

      ASSP can do that

      --
      Chuck
  24. Subscription based anti-spam solution by LinuxDon · · Score: 1

    IMHO, in the long run a subscription based anti-spam solution is the only way to go. Spam is mutating every day and having to keep up with it yourself is an exhausting task. So you'll have to treat the spam problem as you do with viruses: purchase a subscription product that is updated daily.

    We're using Astaro Mail Security (www.astaro.com), which works great. Spam is down to a minimum, and it delivers much better results than the open source solution I had in place before that.
    FYI: I receive about 300 spam messages a day and only once in a few days one or two messages slip through with the solution mentioned above.

    But please note that there are a lot of different anti-spam vendors, all with their own advantages/disadvantages, price tag and quality.

    In my personal experience, while I'm a big fan of open source, open source anti-spam solutions require too much configuration and maintenance to really be practical in the long run. But your mileage may vary depending on the requirements your company sets forth.

    1. Re:Subscription based anti-spam solution by SerpentMage · · Score: 1

      >IMHO, in the long run a subscription based anti-spam solution is the only way to go. Spam is mutating every day and having to keep up with it yourself is an exhausting task. So you'll have to treat the spam problem as you do with viruses: purchase a subscription product that is updated daily.

      I came to that conclusion about a month ago. I simply became too tired with all of the SPAM. I decided to go the route of hosted domain Google Email.

      >In my personal experience, while I'm a big fan of open source, open source anti-spam solutions require too much configuration and maintenance to really be practical in the long run. But your mileage may vary depending on the requirements your company sets forth.

      I was using Open Source (ASSP and SpamBayes). It was not that they were not working. They were working like a charm. The problem was that I need to constantly update and tweak the database. I can appreciate that Open Source would have a hard time coping with that and I don't blame Open Source. It's just that I am getting tired of this SPAM game.

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    2. Re:Subscription based anti-spam solution by Lershac · · Score: 1

      I disagree. ASSP requires about 20 hours including reading ALL documentation and setting up, and experimenting THE FIRST TIME YOU SET ONE UP. Once you have set one up it takes less than an hour to set up another, and ZERO maint besides taking a peek at a log filter once a month just because I am paranoid.

      --
      Chuck
  25. ESVA all day long by erroneus · · Score: 2, Informative

    I've been running this for quite some time with fantastic results. It's a VMWare appliance.

    Inside, there is greylisting and MailScanner. Within MailScanner, there is SpamAssassin, some RBL, ClamAV and all sorts of things.

    For my organization, I find that in addition to everything else "stock" I can safely filter out all countries but the U.S. since we don't do business outside of our state, let alone our country... so it's safe to assume that anything from outside the US will be spam.

    It is extremely effective. I have helped to get the VM set up in environments with multiple domains and it works very well too.

    One problem with it is that it is rapidly aging. The user community has made some effort to get the VM up to date in some ways, but the 2.0 version as far as anyone can tell is still in discussion and planning. The project creator and leader is a one-man-show and he seems to have a life outside of this project for some reason. The user community is frantic to get something to replace the aging 1.7.1.5 machine we all use as the reference point for our installs.

    1. Re:ESVA all day long by rotinom · · Score: 1
      +1 to MailScanner, but I would add MailWatch for administration purposes. Between this and client-side SpamBayes, my last company (where I was the sole IT admin) was able to clear out about 99+% of the spam it received, with a false positive only about every 2 weeks to a month. It's a completely open-source, free as in beer (surprisingly relevant for small companies).

      The setup was servicing about 50 employees, and would pass the email traffic through to an Exchange back end. We were also able to cut down a bunch of traffic, by writing a script to output the valid email addresses on the Exchange box, and letting the spam front end take care of it.

      If you didn't do this, then the spam server would accept all email to your domain(s), and then your back end server would have to deny it. This keeps the traffic and cpu utilization down on your back end server (which is a good thing).

    2. Re:ESVA all day long by Rabid+Cougar · · Score: 1

      FYI, ESVA makes use of MailWatch. Also, I assume you're talking about relay-recipients and postfix? That feature is worth its weight in gold. I have a php script on a cron job that pulls all valid SMTP addresses from our Exchange server and creates the relay-recipients list and applies it. So that way I don't have to worry about manually updating anything when new employees come on board.

      Life is good!

      --
      This isn't the sig you're looking for...
    3. Re:ESVA all day long by swanes · · Score: 1

      Please take a look at MailScanner: www.mailscanner.info MailScanner is the most widely used open source anti-spam / anti-virus Application and has won several awards. It works by acting as the control application for SpamAssassin, ClamAV and over 30 other commercial anti-virus products as well as adding many of its own filtering options. It supports most open operating systems and is relatively easy to install and maintain. And there is excellent almost real-time support on the users email list. Commercial support and commercial products based on MailScanner are available at Fort Systems Ltd. www.fsl.com.

    4. Re:ESVA all day long by erroneus · · Score: 1

      Sounds like you didn't actually read my comment. ESVA is a VM with a Linux OS and in that is MailScanner, Mailwatch and all that stuff.

  26. Set up greylisting, preferably OpenBSD PF + spamd by badger.foo · · Score: 1

    Subject says it all, really. The best approach is to set up an OpenBSD machine as your gateway, filter traffic using PF to any degree you desire, and please set up spamd in greylisting mode (the default).

    That will take care of most of your spam right there, and you could usefully have something like a spamassassin and clamav combo running in the delivery phase on your real mail server.

    Useful references: Firewalling with OpenBSD's PF (tutorial)
    The Book of PF
    and Effective spam and malware countermeasures: Network noise reduction using free tools

    And yes, I've blogged a bit about this too, over at my blog

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
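Greylisting of the kind the comments above recommend, as an added example that is not part of the original thread and not spamd's own code. The three timings are spamd's documented defaults (25 minutes, 4 hours, 864 hours); the class, the constructed sample traffic, and accepting mail on the qualifying retry itself are simplifications assumed here.

```python
from dataclasses import dataclass, field

PASSTIME = 25 * 60      # a new triplet must wait this long before a retry counts
GREYEXP = 4 * 3600      # a grey entry that is not retried in time is forgotten
WHITEEXP = 864 * 3600   # a whitelisted IP is dropped after this long without mail


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)    # (ip, sender, rcpt) -> first seen
    white: dict = field(default_factory=dict)   # ip -> whitelist expiry time

    def expire(self, now):
        """Drop stale grey triplets and whitelist entries."""
        self.grey = {k: t for k, t in self.grey.items() if now - t <= GREYEXP}
        self.white = {ip: exp for ip, exp in self.white.items() if exp > now}

    def attempt(self, now, ip, sender, rcpt):
        """Return (smtp_code, reason) for one delivery attempt at time `now`."""
        self.expire(now)
        if ip in self.white:
            self.white[ip] = now + WHITEEXP          # traffic keeps the entry alive
            return 250, "whitelisted"
        key = (ip, sender.lower(), rcpt.lower())
        first_seen = self.grey.get(key)
        if first_seen is None:
            self.grey[key] = now
            return 451, "new triplet"
        if now - first_seen < PASSTIME:
            return 451, "retry too early"
        # A real MTA queues and retries; most spam senders never come back.
        self.white[ip] = now + WHITEEXP
        self.grey = {k: t for k, t in self.grey.items() if k[0] != ip}
        return 250, "retried in window"


# Constructed traffic: (seconds, source IP, envelope sender, recipient).
EVENTS = [
    (0,     "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (0,     "198.51.100.7", "x@example.net",     "bob@example.com"),
    (10,    "198.51.100.7", "x@example.net",     "bob@example.com"),  # hammering
    (300,   "192.0.2.10",   "alice@example.org", "bob@example.com"),  # too soon
    (1800,  "192.0.2.10",   "alice@example.org", "bob@example.com"),  # in window
    (1900,  "192.0.2.10",   "carol@example.org", "bob@example.com"),  # same host
    (18000, "198.51.100.7", "x@example.net",     "bob@example.com"),  # after greyexp
]


def replay(events):
    """Run the events in time order and return each (code, reason) decision."""
    greylist = Greylist()
    return [greylist.attempt(*event) for event in sorted(events)]


if __name__ == "__main__":
    for event, decision in zip(sorted(EVENTS), replay(EVENTS)):
        print(event, "->", decision)
```

The last event shows why a sender that returns only after the grey entry has expired never gets whitelisted: it is treated as a new triplet and starts the wait again.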
  27. This is largely a known-solved problem by Arrogant-Bastard · · Score: 4, Informative
    The place to ask this question isn't here, it's on the "spam-l" mailing list, which arguably has the highest concentration of the world's most experienced anti-spam researchers and developers. Simple techniques for tackling this have been repeatedly covered there over a period of many years, and their behavior is well-understood and predictable, making them viable choices for production systems. So I would suggest that you subscribe to that list (via listserv@peach.ease.lsoft.com) and repeat your question there, along with some indication of your MTA environment.

    Meanwhile, here is some general guidance. First, do not waste your money on commercial products -- they're expensive, poorly-maintained, and in many cases (e.g. Barracuda) actually make the spam problem worse via backscatter. (There are now several thousand Barracudas on a communally-maintained blacklist, making it obvious to everyone working in this field that Barracuda is completely incompetent.) Second, do invest your money and time in open-source solutions: it is easy for anyone who possesses baseline competence in mail to craft their own, superior spam handling system using postfix or sendmail or another open-source MTA, DNSBLs, RHSBLs, judicious configuration, and other tools such as rbldnsd, mimedefang, SpamAssassin, ClamAV, and so on. Third, a little googling will reveal near-cookbook procedures for combining these pieces of software together into a useful system; which cookbook procedure is appropriate for you depends on your environment -- which brings me to the fourth point, which is that you need to perform log analysis in order to understand your particular mix of spam/not-spam. Everyone's is different, which is why one-size-fits-all solutions usually fail. Only after you have some clue about the size and shape of your problem will you be able to determine which approach(es) are likely to minimize both false negatives (FN) and false positives (FP).

    As an aside, one set of highly effective anti-spam tactics involves enforcing RFC requirements that have been in place for many years: for example, all mail servers must have rDNS; that rDNS must resolve to a host which in turn resolves back to the IP; the domain of the host must exist; the host must HELO as a valid FQDN or bracketed-quad IP; the envelope-sender's domain must exist; the host must not HELO as you; the host must wait for the SMTP greeting before HELO'ing; the host must handle a multi-line SMTP greeting; the MX records for the host must point to valid IP space; and so on. Enforcement of these requirements yields differing rates of spam control (which is again why log analysis is crucial) but has the very valuable property that it can be done at low computational and bandwidth cost. Substantial experience with these suggests that enabling them and augmenting them with a few DNSBLs (especially the Spamhaus Zen zone) is enough to deal with the overwhelming majority of the spam problem at most sites, reducing what's left to a much smaller issue to be dealt with.
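Several of the RFC-conformance checks listed in the comment above, combined with the log analysis it calls crucial, as an added example that is not part of the original thread. The DNS tables, host names, connection records and check names are constructed for illustration, and only a subset of the listed requirements is covered.

```python
import ipaddress
import re
from collections import Counter

# Constructed DNS data (assumption): stands in for live PTR/A/MX lookups so the
# example runs offline. Names and addresses are reserved documentation values.
DNS = {
    "ptr": {"192.0.2.10": "mail.example.org",
            "198.51.100.23": "host23.example.net",
            "203.0.113.50": "out.example.net",
            "198.51.100.200": "smtp.example.net"},
    "a": {"mail.example.org": ["192.0.2.10"],
          "host23.example.net": ["198.51.100.99"],   # does not map back
          "out.example.net": ["203.0.113.50"],
          "smtp.example.net": ["198.51.100.200"]},
    "mx": {"example.org", "example.net"},            # domains that accept mail
}
OUR_NAMES = {"mx.example.com"}   # hypothetical: what this server calls itself
OUR_IPS = {"203.0.113.1"}

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def helo_is_valid(helo):
    """True for a syntactically valid FQDN or a bracketed address literal."""
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        try:
            if literal.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return True
        except ValueError:
            return False
    return bool(FQDN_RE.match(helo))


def check_connection(conn, dns=DNS):
    """Return the names of the checks this SMTP connection fails."""
    failed = []
    ptr = dns["ptr"].get(conn["ip"])
    if ptr is None:
        failed.append("no_rdns")
    elif conn["ip"] not in dns["a"].get(ptr, []):
        failed.append("rdns_not_forward_confirmed")
    if conn["early_talker"]:
        failed.append("spoke_before_greeting")
    helo = conn["helo"]
    if not helo_is_valid(helo):
        failed.append("invalid_helo")
    elif helo.lower() in OUR_NAMES or helo.strip("[]") in OUR_IPS:
        failed.append("helo_as_us")
    # An empty envelope sender (<>) is a bounce and has no domain to check.
    domain = conn["mail_from"].rpartition("@")[2].lower()
    if domain and domain not in dns["mx"] and domain not in dns["a"]:
        failed.append("sender_domain_missing")
    return failed


# Constructed connection log; "label" is the operator's after-the-fact verdict.
LOG = [
    {"ip": "192.0.2.10", "helo": "mail.example.org", "early_talker": False,
     "mail_from": "alice@example.org", "label": "ham"},
    {"ip": "198.51.100.7", "helo": "localhost", "early_talker": True,
     "mail_from": "x@nonexistent.invalid", "label": "spam"},
    {"ip": "198.51.100.23", "helo": "mx.example.com", "early_talker": False,
     "mail_from": "promo@example.net", "label": "spam"},
    {"ip": "203.0.113.50", "helo": "[203.0.113.50]", "early_talker": False,
     "mail_from": "", "label": "ham"},
    {"ip": "192.0.2.77", "helo": "newsletter.example.org", "early_talker": False,
     "mail_from": "news@example.org", "label": "ham"},      # legit, but no rDNS
    {"ip": "198.51.100.200", "helo": "smtp.example.net", "early_talker": False,
     "mail_from": "a@example.net", "label": "spam"},        # well-configured spammer
]


def summarize(log, dns=DNS):
    """Tally failures per (check, label) and the overall caught/FP/FN counts."""
    by_check, totals = Counter(), Counter()
    for conn in log:
        failed = check_connection(conn, dns)
        by_check.update((name, conn["label"]) for name in failed)
        if failed:
            totals["caught" if conn["label"] == "spam" else "false_positive"] += 1
        elif conn["label"] == "spam":
            totals["false_negative"] += 1
    return by_check, totals


if __name__ == "__main__":
    print(summarize(LOG))
```

Splitting the per-check tally by label shows which rule is responsible for a false positive before it is switched from logging to rejecting.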

    1. Re:This is largely a known-solved problem by SlamMan · · Score: 1

      Barracudas have a checkbox to disable sending backscatter. Their documentation even recommends checking it.

      --
      Mod point free since 2001
    2. Re:This is largely a known-solved problem by Arrogant-Bastard · · Score: 1
      We know. We've known for years, and in fact it is the advocacy of the professional members of the anti-spam community which directly led to Barracuda's reluctant decision to change the default state of that checkbox. The problem is that this should not even be an option because -- as we are painfully well aware -- many people who do not fully understand the consequences of that checkbox will set it to the incorrect state, promptly begin spewing spam, and soon after get themselves blacklisted.

      This is by no means the only problem with Barracuda systems (their miserably poor security is another, for example) but it's the one that directly impacts everyone else on the Internet, since it results in an anti-spam strategy consisting largely of "throw your garbage at someone else".

      As an aside, it's quite telling that across all the mailing lists used by experienced professionals to discuss spam -- spam-l, ietf-asrg, spamtools, etc. -- that there are no active participants from Barracuda. This speaks volumes not only about their systemic failure to learn from the far-more-experienced members of the community but about their willingness to explore solutions beyond merely stopping spam. (After all: if the spam problem were actually significantly reduced in scope, what would Barracuda sell?)

    3. Re:This is largely a known-solved problem by TiredOfCrap · · Score: 1

      I absolutely endorse everything you say. We are a corporate web hosting company, and constantly receive praise for the lack of spam received.

      There is, however, a downside. The solution you advocate, which is the system we use, takes time and expertise to administer, making e-mail hosting a proverbial pain.

      We enforce RFC requirements, and this occasionally causes a problem, and we are forced to whitelist an IP to overcome it, but it is becoming less of a problem as mail admins are learning that the rules are there for a purpose. Anything with an X-Spam level of 10 or more is automatically rejected. Anything with an X-Spam level between 5.0 and 10 is retained for administrative sorting, and is then either delivered to the recipient as valid, dumped into a special mail folder for bayesian filter training, or plain dumped.

      There are really three kinds of mail: valid mail, semi valid mail and viral/spam mail.

      Using the systems Arrogant-Bastard has advocated means that valid mail passes through, semi-valid mail is held for administrator attention, and 99% of spam is rejected. Consequently your prime worry is the semi-valid mail. This is usually bulk e-mail sent by legitimate companies like Amazon or Borders. It is pure advertising, and the mail admin has to determine whether to dump it or move it along, and we make this decision based on the principle that all our mail users are corporate users who require real messages, and do not want their mailboxes cluttered with advertising from a website they once made a purchase from.

      There is no simple "one-stop" fix for this problem, it does require administration, but administering 50 users is a lot easier than administering thousands of users, and, once configured, your admin effort will probably be about 1 hour per day.

    4. Re:This is largely a known-solved problem by Lershac · · Score: 1

      (After all: if the spam problem were actually significantly reduced in scope, what would Barracuda sell?)

      DING DING DING WE HAVE A WINNNAH!
      --
      Chuck
    5. Re:This is largely a known-solved problem by Lershac · · Score: 1

      I manage thousands of users email across many different companies. If I had to spend an hour a day doing it, I would take a hard look at what I was doing wrong. Seriously, an hour a day?!

      --
      Chuck
    6. Re:This is largely a known-solved problem by Anonymous Coward · · Score: 0

      Good advice. Going further I also check SPF and block entire ISPs/netblocks (hinet etc...). The other issue is that many legit SMEs have misconfigured mail gateways and these usually have to be manually whitelisted.

      Spammers don't deserve anything other than 5xx. IMHO doing any kind of spam scoring based on message content is the wrong approach for mail servers, much better to keep that on the clients.

    7. Re:This is largely a known-solved problem by Arrogant-Bastard · · Score: 1
      I think "an hour a day" on average is entirely reasonable. I don't think an hour a day, every day, is.

      The reason I take this stance is that shifts in spammer tactics and strategies require measurement and evaluation so that appropriate countermeasures can be deployed. As one trivial example: if a domain you handle mail for is the target of a concentrated backscatter attack, you may have to adjust SMTP connection acceptance rates or throttle back SMTP clients attempting delivery to many nonexistent addresses. Figuring out that this is happening, deciding what to do about it, implementing that decision, etc. all takes time.

      Granted, this is a limited example, but similar things happen relatively often, and effort needs to be expended to deal with them. This has become, unfortunately, part of the normal role of postmasters, which represents a marked shift from 10 or 20 years ago, when mail systems were somewhat set-and-forget. There's no good way around it though: the threat keeps changing and evolving, so defenses need to as well. That need -- the requirement to keep up with spammers -- is one reason why I strongly recommend open-source solutions, as they offer the best chance.

    8. Re:This is largely a known-solved problem by Lershac · · Score: 1

      well, lemme tell you I must be lucky, coz ASSP handles that stuff on autopilot. Once I installed ASSP, the system returned to a pretty much "set and forget" status. Most of my mail admin duties involve responding to folks who have misconfigured email systems (small domains with admins who aren't following the RFCs...)

      I spend more time dealing with other admins who do not have their systems configured correctly than with end users.

      Even then this amount of time is so small I do not even budget it.

      --
      Chuck
  28. Combined effort is necessary by Z00L00K · · Score: 3, Informative
    I have a setup where I use a configuration of Sendmail as first line protection and I use several sources for spam filtering.

    dnsbl/enhdnsbl is enabled for zen.spamhaus.org, bl.spamcop.net, combined.njabl.org, list.dsbl.org, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net and sbl-xbl.spamhaus.org. With all these enabled there are very few spam messages falling through.

    Adding to this I am using Mozilla Thunderbird which has a very good intelligent junk mail filter. The only disadvantage is that the junk mail filter has to learn what's junk or not.

    The use of dnsbl/enhdnsbl also does bounce back to the sender with a reasonable message for the cases where a message is denied so the sender shall be informed about any messages that are denied. Of course - it isn't fool-proof, but it works for me.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Combined effort is necessary by Wolfkin · · Score: 2, Informative

      zen.spamhaus.org IS sbl-xbl.spamhaus.org , per their website.

      --
      Property law should use #'EQ, not #'EQUAL.
    2. Re:Combined effort is necessary by entrigant · · Score: 5, Informative

      The use of dnsbl/enhdnsbl also does bounce back to the sender with a reasonable message for the cases where a message is denied so the sender shall be informed about any messages that are denied. Of course - it isn't fool-proof, but it works for me.

      Do you generate a bounce, or do you reject with a 500 error and a proper message at spam time? You should not generate a bounce to remote mail. Ever. This is the cause of e-mail backscatter and is a significant problem. Always reject at SMTP time with a 500 error.

    3. Re:Combined effort is necessary by tokul · · Score: 1

      Do you generate a bounce, or do you reject with a 500 error
      RBL filters work during SMTP dialog. RBLed address gets 5xx or 45x error.
    4. Re:Combined effort is necessary by Z00L00K · · Score: 1

      It is a reject that in turn generates a bounce in the sending mailer, but if it's a stupid spam mailer it doesn't bounce.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    5. Re:Combined effort is necessary by ClemensW · · Score: 0, Redundant

      dnsbl/enhdnsbl is enabled for zen.spamhaus.org, [...] and sbl-xbl.spamhaus.org.

      Save yourself (and Spamhaus) one query. zen.spamhaus.org includes sbl-xbl.spamhaus.org. so there's no need to query them twice.

      "ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist."

      http://www.spamhaus.org/zen/index.lasso

    6. Re:Combined effort is necessary by Sleepy · · Score: 3, Informative

      Wow. You need to review your config!

      From experience: you only need Spamhaus Zen and SpamCop for connection checking.
      If you parse DATA before you accept it, you should incorporate URIBL.COM; it's very good, and helps catch Yahoo and Gmail spam (which will get past Spamhaus and Spamcop all the time) because it scans bodies for naughty links.

      dsbl.org is REDUNDANT -- incorporated in Spamhaus Zen.
      Spamhaus SBL-XBL -- incorporated in Spamhaus Zen.
      NJABL.org is dead and a mirror of the CBL, I believe (-- incorporated in Spamhaus Zen also)

      Never send bounce notices for spam. What notices leave your server are likely going to forged From: addresses....

    7. Re:Combined effort is necessary by flyingfsck · · Score: 1

      Uhmm, note that zen.spamhaus already includes most of the other RBLs you mentioned.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    8. Re:Combined effort is necessary by Wdomburg · · Score: 1

      s/IS/includes/

      sbl-xbl.spamhaus.org is sbl + xbl
      zen.spamhaus.org is sbl + xbl + pbl

    9. Re:Combined effort is necessary by entrigant · · Score: 2, Informative

      This is not set in stone. It is still implementation specific, and many mis-configured mail servers do send a bounce to the envelope from address if mail is rejected due to a dns blacklist entry.

    10. Re:Combined effort is necessary by Anonymous Coward · · Score: 0

      I'm pretty sure he was saying that the "error message" (direction to a URL or whatnots) is in the 5xx. Then real users will get a bounce with the error message from their relay..

    11. Re:Combined effort is necessary by Anonymous Coward · · Score: 0

      Zen is $500/year for small biz commercial use.

    12. Re:Combined effort is necessary by Anonymous Coward · · Score: 0

      dnsbl/enhdnsbl is enabled for zen.spamhaus.org, bl.spamcop.net, combined.njabl.org, list.dsbl.org, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net and sbl-xbl.spamhaus.org.

      zen is a superset of all Spamhaus block lists. It would be to your benefit and to that of Spamhaus.org (lookup traffic decrease) to remove all other Spamhaus lists from your config:

      http://www.spamhaus.org/zen/index.lasso
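
The replies above agree that zen.spamhaus.org already contains sbl-xbl.spamhaus.org. The following is an added example, not code from any poster or from Spamhaus: it prunes the redundant zone from the list posted in this thread, builds the DNSBL query name, and keeps a resolver error answer from being read as a listing. The function names, the reply wording and the sample answers are constructed; the return-code mapping follows Spamhaus's published ZEN codes.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"
# Spamhaus zones that ZEN already combines (SBL + XBL + PBL).
ZEN_COMPONENTS = {"sbl.spamhaus.org", "xbl.spamhaus.org",
                  "pbl.spamhaus.org", "sbl-xbl.spamhaus.org"}

# The zone list as posted in the thread.
THREAD_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "combined.njabl.org",
                "list.dsbl.org", "dnsbl-1.uceprotect.net",
                "dnsbl-2.uceprotect.net", "dnsbl-3.uceprotect.net",
                "sbl-xbl.spamhaus.org"]


def prune_zones(zones):
    """Drop duplicates and any Spamhaus zone that ZEN makes redundant."""
    normalized = [z.strip().rstrip(".").lower() for z in zones]
    has_zen = ZEN in normalized
    kept = []
    for zone in normalized:
        if zone in kept or (has_zen and zone in ZEN_COMPONENTS):
            continue
        kept.append(zone)
    return kept


def query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6), append zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def classify_zen(answers):
    """Map ZEN A records to (component lists hit, error answer or None)."""
    listed, error = [], None
    for answer in answers:
        octets = answer.split(".")
        if octets[:3] == ["127", "255", "255"]:
            error = answer  # query refused (e.g. public resolver): no verdict
            continue
        if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
            continue
        last = int(octets[3])
        if last in (2, 3, 9):
            name = "SBL"
        elif 4 <= last <= 7:
            name = "XBL"
        elif last in (10, 11):
            name = "PBL"
        else:
            continue
        if name not in listed:
            listed.append(name)
    return listed, error


def system_lookup(name):
    """A-record lookup through the system resolver; [] means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_client(ip, zones, lookup=system_lookup):
    """Return a 5xx reply to give during the SMTP dialog, or None to go on."""
    for zone in prune_zones(zones):
        answers = lookup(query_name(ip, zone))
        if zone == ZEN:
            listed, error = classify_zen(answers)
            if not listed:
                continue  # clean, or an error answer that must not block mail
            detail = " (%s)" % ", ".join(listed)
        elif any(a.startswith("127.0.0.") for a in answers):
            detail = ""
        else:
            continue
        return "554 5.7.1 Client host [%s] blocked using %s%s" % (ip, zone, detail)
    return None
```

Because the verdict is returned before the message is accepted, the sending server is responsible for telling its own user, and no bounce is generated locally.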
  29. Google Message Filtering service by Anonymous Coward · · Score: 0

    The best service I ever subscribed for: $3/user/year. As a non-profit, my company got another 50% discount.

    http://www.google.com/a/help/intl/en/security/compare.html#utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha&utm_term=google%20message%20filtering

    This came from Google's Postini acquisition.

    For this service, you change your MX record to Google's filtering server and set your mail server to only receive incoming SMTP traffic from Google. Google's email filtering for spam and virus is real-time. Google do not retain your email so your privacy is assured. I was able to cut down 80% of traffic from my SMTP server.

  30. Use a bayesian filter system by mconstable · · Score: 1

    You could try a dynamic bayesian filter system like Bogofilter or Dspam. If the internal staff use IMAP then create a couple of training folders and let the end users train up their own filter database by dragging ham or spam from their Inbox and Spam folders to the appropriate retraining folder. A bash script on a 5 minute cron job can do the retraining, which is effectively instant retraining. Bogofilter on its own in tri-mode (ham, spam, unsure) works great without even thinking about Spamassassin. I use Dspam now and get about 1 spam per day in my Inbox out of 100 to 200 spams in my Spam folder. It takes me 5 seconds to drag it into the retraining folder, i.e. no effort at all. All spam is kept in the Spam.Unsure folder for 24 hours but that could easily be for a week, or more, so nothing is actually immediately deleted. If the end-user checks their Spam.Unsure and Spam folder every now and then for false positives then you don't have to do anything. Woops, maybe you need the job... hang on, leave things the way they are and keep your job.

  31. sender IP by stabiesoft · · Score: 1

    I've found filtering on sender IP to be very effective. Greylist IPs that don't match sender domain name, blacklist all unknown sender IPs and all dynamically assigned IPs. (Real companies don't use an ADSL or cable dynamic IP address). My latest tweak (and I'm not excited about adding it) is to do a check of the nameserver for the domain. If it is domaincontrol.com, I dump it. I guess the spammers have figured out some of the registrars will collude with the spammers for the 10 bucks per domain. After all that, I get 5 spams per week (max) and have not had complaints of bounced mail. Because it is not examining content, it is very fast as well.

    1. Re:sender IP by Anonymous Coward · · Score: 0

      Unfortunately, many blacklists that claim to only contain dynamic IPs also lump in IP ranges that appear to be dynamic but aren't. I run my own mail server from my ADSL line, and occasionally get my mail blocked (or worse, silently deleted) because some dumb sysadmin accepts the result from a single blacklist.

      PS: You won't get complaints of bounced mail if the sender can't contact you. :-)

  32. SpamStopshere will solve it by websiteadvice · · Score: 1

    I don't work for them, but I sing their praises. http://www.spamstopshere.com/ Tell them Scott Clark sent you. Good Karma.

  33. earthlink does whitelist only: by simplerThanPossible · · Score: 1
    This is the email earthlink sends out:

    I apologize for this automatic reply to your email.

    To control spam, I now allow incoming messages only from senders I have approved beforehand.

    If you would like to be added to my list of approved senders, please fill out the short request form (see link below). Once I approve you, I will receive your original message in my inbox. You do not need to resend your message. I apologize for this one-time inconvenience.

    Click the link below to fill out the request:

    https://webmail.atl.earthlink.net/wam/addme?a=%5BEMAILHERE%5D&id=%5BIDNUMHERE%5D

    Does anyone have experience with this?
    1. Re:earthlink does whitelist only: by SCHecklerX · · Score: 1

      As a sender, yeah. I'm sorry but unless you actually want mail from me, you're not going to make me jump through hoops to send it. This is a broken design. Not to mention all of the automated emails from online business transactions you would lose. Not a good idea.

    2. Re:earthlink does whitelist only: by Lershac · · Score: 1

      UGH

      So basically, no I don't want automated email receipts from any online vendors or anything like that. Yuck.

      This approach is broken out of the box.

      --
      Chuck
    3. Re:earthlink does whitelist only: by cdrguru · · Score: 1

      This is the correct approach, if you can really afford it.

      Emailed receipts from online vendors? What are they thinking? Email is fundamentally broken and results in most real mail not getting through. Why bother with the emailed receipt, because the user isn't going to get it. Maybe 1 out of 10 times.

      If everyone used solid whitelisting email would either be replaced or it would just be abandoned. Replacement would be tough, but once there was enough motivation it would happen. As things are today it is just broken and consists primarily of spam.

      Yes, we are running 10,000 or so spam emails a day with four real users. One "sales" email address and one "support" email address get maybe 50% of the spam. Does this sound broken to you? If you send an email that somehow is classified as spam, there is no way we are ever going to find it, much less respond. Better use the telephone or fax - email is broken.

  34. Exim + Spamassassin by _ivy_ivy_ · · Score: 1
    I use exim4 with the sa-exim patches to allow spamassassin checks while the TCP connection is open. We use this in a 160 user company.

    Be sure your setup does all the checks while the SMTP connection is open, so you can avoid backscatter. I use greylisting to help avoid false positives. I also use callbacks to verify the authenticity of the sender. I'd recommend caution here, because this can really cause false positives.

    Be sure to have good HELO filtering rules, as that will detect a surprising majority of spam and viruses, as well as misconfigured exchange servers that don't use a FQDN in the HELO line.

    1. Re:Exim + Spamassassin by pclminion · · Score: 1

      We use this in a 160 user company.

      How about s/user/person/ or at least s/user/employee/ ? People are people, not "users."

  35. Add a frontline Spam Filter Relay by RaBiDFLY · · Score: 1

    We've been using PureMessage for Unix for about 3 years, but most likely won't be next year when it's time to renew.

    We use a dedicated postfix server (that comes with PureMessage). Each message is sent to PureMessage via "content_filter=". After the message has been tagged as spam, it's sent back to postfix with the subject line tagged with "[SPAM:####" (the number of #'s are an indication to the messages spam level). Then the message is relayed to our Exchange server.

    Yesterday afternoon I was working on configuring the postfix system to perform message checks to get rid of backscatter http://en.wikipedia.org/wiki/Backscatter_(e-mail)

    While searching for ways to have postfix do this I ran across some basic spam fighting tips. Before I implemented the below postfix additions, I myself was receiving on average 5 messages an hour tagged with [SPAM:####]. Not one single spam message has hit my inbox since yesterday, and I've been watching /var/log/maillog to make sure nothing is being rejected that shouldn't be.

    #main.cf
    smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client zen.spamhaus.org,
        permit

    So far everything that has been blocked is due to the sending server being listed on those RBL lists. RBL checks can be easily added to other MTAs if you're not using Postfix.

    Of course I'll be monitoring the situation closely for awhile to make sure nothing is being rejected that shouldn't be, but if this sort of configuration can save you from looking at hundreds of messages a day, it might be worth a look.

    Dan

    1. Re:Add a frontline Spam Filter Relay by TheLink · · Score: 1

      You sure your reject_non_fqdn_XXX causes no false positives?

      I won't personally be that sure.

      You have to do a bit more checking - e.g. try sending an email to a nonexistent user in some other company and see if you still receive bounces after your changes.

      Imagine if your users make a typo and don't realize it till a week later, because they never got the bounce.

      --
    2. Re:Add a frontline Spam Filter Relay by RaBiDFLY · · Score: 1

      This is where postfix "The Order of Rules" falls into play.

      I have header_checks before the smtpd_recipient_restrictions that follow http://www.postfix.org/BACKSCATTER_README.html My myorigin is set to a hostname.mydomain, not mydomain and this works out perfect as our postfix and exchange both use hostname.domainname.com

      Thanks though, I did just double check that things were working in this respect, and they are.

      Dan

  36. Kind of obvious by SCHecklerX · · Score: 1

    Use whatever you want for your internal mail server, but use sendmail with miltering for your internet facing relays.

    With sendmail, use mimedefang, spamassassin, and milter-greylist (actually that last can be implemented yourself in mimedefang, I just never had the time).

    The nice thing about this solution is that it does not require you to pay some third party a huge amount of money each month, while doing exactly what they do (actually better), and it is fully customizable to fit into your environment (want to do a virus quarantine? Custom rules per employee? do interesting things based on different domains?). You can really get to pretty much 0 false positives while removing all of the cruft with this solution.

    In sendmail configuration, use greet pause, bad receipt throttling, and all of the privacy flags.

    For your mimedefang filter, add rejects for these things:
      - relay is in the spamhaus zen list or dsbl.org blacklist
      - helo of sending relay is not FQDN or IP Address
      - sender claims to be from your domain
      - relay's helo claims to be a system on your domain
      - relay's helo is RFC1918 address

    For your spamassassin (which now that you are rejecting obvious stupidity, won't be called as often, saving CPU and Disk cycles on your relays!) use automatic SARE rules.

    Train your help desk on basic mail troubleshooting (greylisting can be troublesome at first) so that they can help with the trivial stuff rather than call your mail admins all of the time. Give them an interface to see what is going on in the logs.
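
The HELO and sender rejects listed in this comment, together with the reverse-DNS and envelope-sender requirements from Arrogant-Bastard's earlier list, as an added example (not MIMEDefang, sendmail or any poster's code). `StaticDns` is a constructed lookup table standing in for a real resolver, the reply wording is constructed, and the DNSBL lookup is left out here.

```python
import ipaddress
import re
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class StaticDns:
    """Constructed lookup table; a deployment would query a resolver."""
    ptr: dict = field(default_factory=dict)           # ip -> [host names]
    a: dict = field(default_factory=dict)             # host name -> [ips]
    mail_domains: set = field(default_factory=set)    # domains with MX or A


def literal_ip(helo):
    """Return the address inside a bracketed HELO literal, or None."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    body = helo[1:-1]
    if body.lower().startswith("ipv6:"):
        body = body[5:]
    try:
        return ipaddress.ip_address(body)
    except ValueError:
        return None


def helo_kind(helo):
    """Classify a HELO argument as 'literal', 'fqdn' or 'invalid'."""
    if helo.startswith("["):
        return "literal" if literal_ip(helo) is not None else "invalid"
    labels = helo.rstrip(".").split(".")
    ok = len(labels) >= 2 and all(LABEL.match(l) for l in labels)
    # A bare dotted quad without brackets is not a valid HELO name.
    return "fqdn" if ok and not labels[-1].isdigit() else "invalid"


def in_domain(name, domain):
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def check_session(client_ip, helo, mail_from, dns, my_domain, my_ips=()):
    """Checks for unauthenticated port-25 clients, run before DATA.

    Returns None to continue or the 5xx reply to send. mail_from is the
    envelope sender; "" is the null sender used by genuine bounces.
    """
    kind = helo_kind(helo)
    if kind == "invalid":
        return "550 5.7.1 HELO must be an FQDN or a bracketed address literal"
    if kind == "literal":
        addr = literal_ip(helo)
        if any(addr in net for net in RFC1918):
            return "550 5.7.1 HELO is a private (RFC 1918) address"
        if str(addr) in my_ips:
            return "550 5.7.1 HELO claims to be this server"
    elif in_domain(helo, my_domain):
        return "550 5.7.1 HELO claims to be a host in our domain"

    # Forward-confirmed reverse DNS: PTR must exist and map back to the IP.
    names = dns.ptr.get(client_ip, [])
    if not names:
        return "550 5.7.25 Client has no reverse DNS"
    if not any(client_ip in dns.a.get(n.rstrip(".").lower(), [])
               for n in names):
        return "550 5.7.25 Reverse DNS does not resolve back to the client"

    if mail_from:
        domain = mail_from.rpartition("@")[2].lower()
        if in_domain(domain, my_domain):
            return "550 5.7.1 Sender claims to be from our domain"
        if domain not in dns.mail_domains:
            return "550 5.1.8 Sender domain does not exist"
    return None
```

A resolver timeout is not the same as a missing record; a production filter would answer that case with a 4xx temporary failure so legitimate senders retry.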

  37. that's actually a good solution by nguy · · Score: 3, Interesting

    I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution

    Actually, that strikes me as a good solution; it's certainly better than having other employees dealing with spam as part of their daily routine and losing 30 minutes/day for everybody in the company. And by centralizing it, you have the ability to pick the tools to make your work more efficient, as opposed to having 50 employees each fiddle with their own spam filters.

    1. Re:that's actually a good solution by Spinalcold · · Score: 1

      That's extremely expensive to pay a person to filter spam manually. You're right though, it is cheaper than having each end user filter it themselves.

      I'm surprised no one has mentioned a hosted solution like Postini or better yet Frontbridge (although I don't really know what happened to the latter since Microsoft bought it). It's extremely easy to implement and it uses many of the techniques people are saying here such as ability to block by country, flagging IP addresses that are sending spam (rating the e-mails, not blocking outright), plus your standard SpamAssassin keyword rating system. Also, because of the rating system you can determine what you want to happen with the e-mail after by what category it falls under (high, low, medium or no threat).

      And to curb most people's worry about this method, no the company doesn't save any e-mails that are processed, they're just sent on to the e-mail address.

      It may be more expensive than a software product but it's a hell of a lot cheaper than paying a yearly wage to someone.

    2. Re:that's actually a good solution by pavera · · Score: 1

      Yeah Frontbridge is not really an option anymore. We are in pretty much the same boat (25 users, up from 10 6 months ago), and needed spam filtering. Our main sysadmin is a windows guy, he recommended frontbridge, and signed us up for a 30 day trial. It worked great, came to the end of the trial and tried to sign up. It took 5 days, and 8 sales reps to get us an answer. The answer being, unless you have MS Volume licensing, and greater than 100 seats, you can't sign up for Frontbridge.

      So we signed up for Google/Postini, saved about $500/yr, and so far, same results as Frontbridge, no spam, everyone's happy.

  38. ASSP by chipperdog · · Score: 1

    I've found ASSP to be very effective in our organization of 150 mailboxes. Supports Greylisting, Bayesian filtering, SPF, RBL, REGEX, and more...It is a two-way filter, so recipients of mail sent from your organization will be whitelisted for a period of time, and SPAM is stopped at the SMTP level (resulting in a SMTP failure), so no messages should be lost...end users can submit spam messages by simply forwarding them to a specific address (e.g. asspspam@domain). All spam can also be sent to a specific email address for easy retrieval of false positives (although after the Bayesian filter is trained properly, there is VERY little), in addition, all legit messages can be cc'd to another email address, which we use for email archiving (maildir is tar.gz'd weekly)

    1. Re:ASSP by Anonymous Coward · · Score: 0

      Same here! The best part (as I think you mentioned) is that it's a distributed system, so you get the bennefit of what others systems are reporting.

  39. This... is a joke, right? by Anonymous Coward · · Score: 0

    This has to be an utter fake. 50 employees and you're hand-tagging the spam? I'd say it's possible you've never heard of spamassassin, but this is SLASHDOT for fucks' sake.

  40. SpamAssassin by Anonymous Coward · · Score: 0

    If you have the technical ability to roll your own, I HIGHLY recommend a SpamAssassin solution. We run SpamAssassin/Amavis/ClamAV running on OpenSUSE 10.3 and Maia Mailguard for quarantine management. It is VERY effective at stopping spam.

  41. MXLogic is good choice by linkerjpatrick · · Score: 1

    I run a small business whose primary source of income is web development and we were recently approached by MXLogic to be a partner. We tried out the service first before offering it to our current and future customers and it is the best solution I have encountered and glad we can offer it as a solution to our customers. MXLogic works by directing your e-mail through their servers first so your servers don't have to do the extra work. You actually get a better deal working through a partner and directly through MXLogic. I don't want to give a direct link because I don't think comments should be used to advertise but you can contact me via my profile to learn more. I think it was eWeek or Information Week or similar magazine rated it the top solution.

  42. GMail for domains by Anonymous Coward · · Score: 0

    Have you considered migrating to GMail for your domain? That way, Google does the SPAM filtering for you.

    In addition, you get an excellent webmailer and additional apps, if you want.

  43. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  44. Lots of opinions and solutions out there... by gonk · · Score: 1

    You're going to get a ton of different advice. A lot of it will be total crap. A lot of it will be valid. It is going to be hard to know the difference.

    Personally, like many folks, I've been battling spam for years, and have used a lot of different solutions: DSPAM, SpamAssassin (SA), and a lot of other random tools. DSPAM and SA both worked reasonably well for me, but many of my users, for one reason or another, had troubles with them. I'm sure I could have put effort into making either of them work better, but frankly, a fair amount of labor had already gone into them, and I didn't want to invest more. About a year ago, I decided to try Kaspersky Anti-Spam[1], and have been very, very happy with the results. It was a simple install, there aren't too many options, and it seems to "just work".

    Professionally, I have administered some very large mail service provider systems. The largest of them used a pool of Proofpoint[2] PPS servers to filter mail. While I am not sure it was the best product for what we were doing, it was an impressive product, and if I were handling mail for a business of any size, I would seriously consider this product. It is highly configurable and the results were solid.

    Good luck,

    robert

    [1] http://usa.kaspersky.com/products_services/anti-spam3.php

    [2] http://www.proofpoint.com/products/pps.php

  45. 3 Steps by v(*_*)vvvv · · Score: 3, Interesting

    This is just a simple guide compiled from my experience:

    1. Do what you can on the server. I like to use SpamAssassin to add spam scores to the beginning of subject lines, so they sort by score in my inbox (I use "/*_SCORE(0)_*/"). I also automatically delete anything over a score of 11, since the highest I've ever seen a legitimate email score has been "10.something". Realistically, anything above an 8 is the sender's fault and they need to do something about it and anything above an 11 you can safely blame the sender (you won't be the only spam filter deleting their emails).

    2. Provide the tools on the client. ThunderBird's "spam marker" is a must, and because it learns from what you mark, you aren't just marking them in vain. Also, to deal with spam in real-time, instead of using the junk folder, I like using the "delete junk!" button from the "Buttons!" add-on. Incoming junk gets marked and marked as read, and after marking the spam the filter missed, I hit "delete junk". Very easy and quick. Pre-configure Thunderbird for everyone.

    3. Educate and support. If you have 1 and 2 in place, then make sure everyone knows what you are doing and why you chose to do it. Write a short manual or something. Educate them about their tools. They also need to know NOT to publish their addresses.

    The idea is to make spam highly visible, and to make it *quick and easy* to deal with. Knowing you've facilitated these two goals should be enough to impress your employer and earn the respect you deserve from everyone you serve :)

    I spent a few days migrating 100,000 emails from Windows Mail, because it was horrible. Thunderbird is a godsend and the add-ons make all the difference. If there is something you dislike or want, chances are someone made an add-on for it.

    btw 2000 messages is *not* a lot of spam. It will get far worse with time.

    1. Re:3 Steps by Anonymous Coward · · Score: 0

      Who the hell uses thunderbird in a real business environment?

      ASSP in front of our exchange server has been very good for us in a decent sized environment (1600 users). Just the HELO checking alone eliminates 90% of spam as most of it is from zombies anyway.

  46. You could outsource it ? by Anonymous Coward · · Score: 0

    I suspect you're already paying for backup email servers. Why not expand this with spam/anti virus. By using smarthost servers. Shouldn't cost too much.
      http://en.wikipedia.org/wiki/Smarthost

    Often ISPs have very expensive equipment to do the job perfectly which you could never buy yourself.

    And another + is that they will prolly be better suited to 0 day attacks and your e-mail server isn't publicly known by the world (hence it's not mentioned in the MX records).

    But get informed of what solution they are using so you make the right choice for your organisation.

  47. Don't accept spam messages. by Anonymous Coward · · Score: 0

    If you accept a spam message (i.e. if you don't reject it before the SMTP dialog is finished), you've made it your problem and the rest is only a matter of finding the person whose time is the least expensive to take care of it.

    Dealing with spam means rejecting it as early as possible. You can't "bounce" after accepting mail. Bouncing mail after the fact would only create backscatter and the people whose addresses have been forged in the header will not take that lightly.

    Once the mail has been accepted, it is your responsibility. Mistakenly deleting it may cause a liability for your company. That's another reason for identifying spam before it is accepted by the border SMTP server.

    Rejecting mail at the border server will provide a notification to legitimate senders, who can then try and contact you in a different way or work with you to correct whatever causes the misclassification.

  48. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  49. mail-scanning.com by Anonymous Coward · · Score: 0

    This company allows you to outsource spam filtering. The founder is a well-known OS developer, so it may be worth a try.

    1. Re:mail-scanning.com by stevey · · Score: 1

      Thanks for the pimping!

      (I've obviously got a perfect story here to recommend myself, and have done so, but it is genuinely flattering and surprising to see other people mention me/it).

  50. Barracuda by certain+death · · Score: 0

    Barracuda costs about $800.00 US. They do a great job, and you can delegate the releasing or deleting to your users. It has a decent web interface, and with a little training, you can go on to other more important things.

    --
    "My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
  51. The Best Answer by bensode · · Score: 1

    http://www.mailwatch.com/

    It's cheap and it's extremely effective. I've been using them for our small business for over 5 years now. Enjoy!

    --
    "Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt
  52. MessageLabs vs Google Apps by nevali · · Score: 1

    We use both MessageLabs and Google Apps for different domains.

    Personally, I find the two pretty comparable in terms of spam filtering (Google lets less through, but has the odd false-positive, in MessageLabs' case, I-as an end-user-don't even SEE potential false-positives, which means ultimately I prefer Google).

    PS. When is Slashdot going to fix UTF-8 handling of this poxy in-line comment box? Why can't I use â(TM) (apostrophe) or â" (em-dash)?

  53. Untangle by Anonymous Coward · · Score: 0

    For an open source solution, I recommend Untangle.

    The best open source projects, integrated and made easier for spam blocking, web filtering, remote access and more

            * Commercial-grade open source alternative to SonicWALL and WatchGuard
            * 14 integrated apps - use one or all of them
            * Runs on off-the-shelf hardware

    Site: http://www.untangle.com/

    1. Re:Untangle by amliebsch · · Score: 1

      Second this! And I'm surprised nobody else has mentioned it. I've deployed this to several locations, and it works great. It's a very nice pre-built linux distro that includes all the network tools you'd need (it uses SpamAssassin with optional quarantines for spam filtering.) Best part is setup is a breeze. Just grab decent machine with two NICs, pop in the CD and boot. Easiest method is to put it between your WAN and your LAN, and set it to transparent bridging mode - zero network configuration and your other equipment doesn't even know it's there.

      And it's FREE! I mean, you could pay big bucks for a Barracuda, but why would you?

      --
      If you don't know where you are going, you will wind up somewhere else.
  54. filtering services by Anonymous Coward · · Score: 0



    i use what was formerly called frontbridge. now called microsoft exchange hosted services. it is a very accurate system that you can use to just scan incoming messages, and send them on to your mail server. very little config to worry about and very accurate. it isn't terribly expensive either.
    www.frontbridge.com

  55. Let Sprint or someone else do it for you by mgoldey · · Score: 1

    If you want to outsource the entire problem, try a service like Sprint's "SEPS", which costs $250/month, and works very well. 97% of e-mail to our domain is spam, and SEPS handles it correctly to at least 4 9's. All admin is via web browser and, although it's sometimes slow, it's pretty straightforward. Set up a reject list, put your valid users on it, and save SPAM for a day or so, just in case. Then, you simply point your DNS for incoming mail to SEPS IP address, and collect your mail internally from their mail server instead of yours. A side advantage is that, if your MTA goes down, or you lose Internet service, etc., SEPS queues the mail up for you, and delivers it when you come back online. If you can spend $3000 a year, it's one less headache and worth the cost, IMHO. http://www.sprint.com/business/products/products/spamFiltering_tabA.html or thereabouts, to get started.

  56. ARGH! Barracuda SPAM filter by Anonymous Coward · · Score: 1, Insightful

    I've got so much backscatter from ill-configured Barracudas that I suspect them to have some really sick defaults.

    To me, Barracuda has become more of a synonym for spam. Sigh.

    1. Re:ARGH! Barracuda SPAM filter by BagOBones · · Score: 1

      I don't know about the past, but the current recommended and default setting is not to send, and even if they do, an SPF check on the sender is also a default option.

      So if you have a published SPF record you should not be getting backscatter from a Barracuda unless they have a bad admin.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
  57. Spamassassin for dummies (nospamtoday) by transporter_ii · · Score: 1

    In a small business wanting to not devote a lot of time to this issue, we are using nospamtoday. There isn't anything perfect, and it isn't either, but it does a good job, is fairly priced, and is server side. Basically it is a front-end for spamassassin, with some RBLs and other measures used as well. Yeah, you could install spamassassin for free, but this gives you an easy installer and at least someone to e-mail if you have issues. And it is a one time fee, as there are no monthly or yearly subscription fees!

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  58. Educate your users by gregmark · · Score: 1

    I've seen a lot of good responses here, covering several different strategies, attitudes/perspectives, and of course, our favorite products. Let me add another dimension: user education.

    1. Create an FAQ that covers all the big boogie monsters in spam: false positives, false negatives, spam backscatter, MAIL FROMs are 100% forgeable and offer no guarantee of identity, outright blocking by rarely works anymore, and above all, no spam system -anywhere- is perfect.

    2. Provide your users with a meaningful way to report false positives and negatives. You don't have to provide guarantees, just let them know that they're being heard.

    3. This is the most important one: Show them the statistics. If you're blocking 2,000 a day, illustrate! This can be particularly dramatic in a large organization like mine, where 95% of SMTP connections/messages get dropped. A nice little bar graph puts little miss bitchy-face's 1-2 spams per day in stark perspective.

    Spam sucks the big one, boy howdy. Cheers!

    1. Re:Educate your users by Lershac · · Score: 1

      Yeah, I got called out onto the carpet at a customer's... because little miss bitchy face got ONE spam. In over a year since we implemented the filter. Yes ONE.

      I asked them to take a 10 minute coffee break while I gathered info.

      I did some quick calculations and had them roll in a couple of boxes of copy paper.

      Told them this is what they are missing.

      Also showed a graph.

      I had set this customer up on ASSP for about $500 ($150 went to ASSP fund).

      Got a formal apology and a bonus check.

      --
      Chuck
  59. Totally Wrong by TheMysteriousFuture · · Score: 1

    The best solution currently in the marketplace, *BY FAR* is CloudMark. http://www.cloudmark.com/

    They have a desktop and a server version and charge per user. I think we pay about $1000usd per year for 50 users. They catch everything except the occasional backscatter Non deliverable report from when your address is joejobbed.

    The way it works is they generate various hashes from message content and aggregate those in their central DB.

    Mail (from what I remember) is never blocked until a sufficient number of users, who are weighted differently based on trust (reporting history), mark it as spam.

    This doesn't cause any delay as they have zillions of users, and I believe most of the reporting comes from users of their desktop versions. I don't believe I have *ever* had a false positive, as in zero in 2 years of use.

    Can't recommend them highly enough. Software used to be a little crappy and would hang sometimes (runs as a service hooking to exchange...or maybe it's mapi), but they've fixed that earlier this year.

    Any questions let me know

    --
    .sig
  60. Spamassassin by Idimmu+Xul · · Score: 1

    We catch about 12,000 spam emails daily for our customers using just spamassassin, it took a bit of setting up but works fine and it's as accurate as my gmail account

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
  61. SpamAssassin! by tyldis · · Score: 1

    I have made a virtual appliance I deploy to my customers, mainly in the 10-100 employee range.
    It has Ubuntu server LTS-release, postfix, amavisd-new, postfix-policy-dæmon, clamav and spamassassin. It works really great, and I have Postfix insert Exchange-compatible headers so that the users can use the features included in Outlook/Exchange.

    Fully integrated, no quarantine management (other than the 'junk'-folder) and from what I can tell: no false positives and extremely low rate for false negatives (my guesstimate is less than 0,5%).

    And all I need is a server present with some free RAM!

    Automatic updates of all the components and automatic bayes learning means the system is self-supporting as well.

  62. Well, if you want an *anecdote*... by Anonymous Coward · · Score: 1, Interesting

    I'm listed as the technical support contact for my employer's listings on eBay, and our PayPal account links to me as well. No spam filter on God's green earth is going to cull the spam from the ham for me.

    1. Re:Well, if you want an *anecdote*... by Kalriath · · Score: 1

      Really? I've got an email on the "Contact Us" page of my employer's website as well as being the administrative contact for something in the order of 40 domains (all my employer's as well)

      I get virtually no spam (2 since I started here ~2 years ago), and our MailMarshal server says that it filters literally 98% of all mail inbound to us as spam.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  63. ASSP is your answer by Lershac · · Score: 3, Informative

    I manage self-hosted email for several small-medium companies. ASSP is platform independent, low resource, and does a VERY good job. VERY very configurable, and free, open source, easy to modify, easy upkeep (almost zero action required beyond checking the logs to keep an eye on things) and free software.

    In a company of about 75 email accounts it has blocked 4 million spams in a little over a year.

    The false negative rate is so low it might as well be zero, and the false positive rate as well.

    It uses among many other things whitelists, so your people never miss an email from an established contact, redlists, so a known spammer cannot ever be accidentally added to the whitelist, does spf checking, checks headers against spoofing, has an antivirus component, can forward a copy of all spam to a spamlover address and much much more.

    and it's free.

    For a single sbs server, you can install it on the same box and zero out of pocket costs except for your time to install it (I would personally budget 20 hours for R&D for a first time administrator to install it).

    Please email me if you want more detailed information on how it works for my clients. I can also put you in contact with end users at the executive level of these companies to ask how they like it (the final litmus test)

    Good luck

    --
    Chuck
    1. Re:ASSP is your answer by DevionNull · · Score: 1

      I wholeheartedly agree. I use ASSP in an environment where I host 120 domains. I also use ASSP for many of the companies I do technical work for as well as my own corp mail server. The integration with Exchange is relatively painless. I would also recommend deploying the ASSP Outlook toolbar as well. It gives your end users a little more control over their White/Black/Red lists. (just google ASSP)

  64. Automatic Whitelisting by tonyray · · Score: 1

    We have about 5000 users and receive about 1,200,000 emails a day of which all but about 100,000 are spam. We use IceWarp's mail server which is very heavy in antispam features that you can configure and fine tune. I've found what works best is to have it automatically whitelist anyone our users send email to and then really crank up the spam filtering. If someone talks to a business prospect, they ask if they can send the prospect contact information. If so, that person is now whitelisted and we will receive email from them unmolested. We also have one email address with light antispam filtering (catches about 70% with no false positives) for unsolicited inquiries.

  65. Well, you asked for it… by gaggle · · Score: 1

    Want a hands-off solution with zero configuration? gMail. Switch everyone to google's company tools.

    Yeah yeah switching a company to gMail is a ridiculous suggestion, you can't store company information remotely, users will panic at the change, fire will break out in the streets and cats and dogs will run together.

    But all that aside, if you can look at the suggestion without all the doomsday scenarios in mind, gMail offers completely autonomous service-free zero-configuration spam-filtering. Which is about as easy as spam-filtering can get, I think.

  66. Switch to google Apps for small business by Onetrack · · Score: 1

    That's what I did back in september 06 when I joined the company I manage IT for now, they had an aging win2k exchange server which I threw down the stairs - set them up with google apps for small biz and let gmail content filter for them.

    They get all the benefits of gmail, with their own domain.

  67. Spam problem solved...for next to nothing. by cptndigital · · Score: 1

    I've tried dozens of solutions for ridding my small company of spam, and nothing worked - that is until I dumped Exchange server and signed up to have Google's Gmail admin all the email accounts. (http://www.google.com/a/help/intl/en/var_2.html) I was wary of using Google for something as mission critical as my company's email, and tried it out of desperation. I've used my domain/email address since 1995 or so, and even though I'd been pretty careful with it (not using it on newsgroups, mailing lists, etc.) we were still logging at least 100 spam messages per day - and that was AFTER the anti-spam filters had a crack at the inbox. The cool thing about Gmail's approach is that I can still get to my email from anywhere (as with Exchange Server) but it's now virtually spam-free. I've gone from at least 100 spam messages per day that got around my filters to MAYBE one or two per week. Same email address - but now almost entirely spam free. For companies of 50 or smaller, the Gmail-hosted domain solution is free. (For larger domains, they charge a fee - but it's fairly reasonable.) If you can live without Exchange Server (and its evil twin, Outlook), it's worth a look.

    --
    Captain Digital fighting for truth, justice, and really cool motion graphics.
    1. Re:Spam problem solved...for next to nothing. by Kalriath · · Score: 1

      Actually, thanks to forwarding (this is what I do) you can even keep Exchange and Outlook if you want.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  68. Well, I can tell you about my decision. YMMV. by jimicus · · Score: 2, Interesting

    I was faced with exactly this problem myself around October/November last year.

    You've basically got three options:

    1. Go for a completely outsourced service.

    Pros: It's someone else's problem to look after.

    Cons: A company of 50 staff will never be terribly important to such a service provider. Unless they provide an extremely good control panel and logs, sooner or later someone's going to ask where an email is and your answer is going to be "er... let me get back to you on that.... er... I don't know".

    2. Go for an appliance - either in the form of a prebuilt lump of tin like the Barracuda system mentioned elsewhere or in the form of a precooked Linux installation which is literally just a matter of "insert CD, boot, tell it what its IP address is and what domain it's providing email for".

    Pros: Dead easy to set up. Most also provide a nice web-based UI.

    Cons: The decent ones are almost universally commercial and you have to pay licensing fees on a per-active-email-address basis, which can get very expensive - particularly when the vendor won't tell you how their system decides how many email addresses are regularly active and the first you know that you're exceeding the license is when suddenly all the spam filtering is disabled.

    If you look closely, expect to find that many of them are architected around a number of single points of failure. And in the real world, nobody is likely to check a web-based UI on the off chance that they find an email misclassified as spam sat there.

    3. Roll your own. If you take this route, I can strongly recommend rolling it around an existing framework rather than following a bunch of complicated instructions to configure Postfix that you have to re-learn every time anything needs tweaking. This is the route I took, and I based it around MailScanner. MailScanner provides a framework for plugging in spam and virus filters and allows you to divide spam according to its score. Delete high scoring spam, let low scoring spam through with a note in the subject line that it's suspected spam and let non-spam straight through.

    Pros: You get to keep a close eye on all the configuration, can keep close track of the logs and respond quickly to any issues. Your users can easily set up filters for spam (for that matter, so can you) and their "potential-spam" where misclassified mail may wind up is in their email client rather than a separate web-based system.

    Cons: You need to become intimately familiar with every aspect of your email system in order to manage it effectively. I would argue that any self-respecting sysadmin should be intimately familiar with his email system anyway, but YMMV.

  69. What I use by neonsam · · Score: 1

    We have slightly more people in our office - approx. 65. We used GFI for a while - it sucked to administer and use, it just isn't good enough. While not inexpensive, I have been very pleased with the IronPort C series device. Very pleased. Even though they were purchased by Cisco, they still operate independently. Their support (that I've used twice in 3 years) is also very good. I manage mine like yours - I manually review the stuff that gets quarantined - maybe 15 a day; all of the rest of the "definite" spam gets bounced. We've only had about 3 false positives in 3 years.

  70. Don't do it! by emperorp · · Score: 1

    I was in the same situation and found that I just didn't have the time to deal with it effectively. We crossed paths with the folks at mxlogic and they convinced us to give their service a try. They have a small army of people maintaining a defense against spam. It's worked out great for us and only costs about 50 bucks a year. There's no way you can beat that unless you don't really have anything else to do.

  71. Re:hosted spam filtering by Lershac · · Score: 1

    Ack, I would rather a one-time cost than an ongoing one like that...

    Try ASSP, works great.

    --
    Chuck
  72. MXLogic by Anonymous Coward · · Score: 0

    Several clients use it - and there's next to no work on your side.
    www.mxlogic.com

  73. gmail by bmartes · · Score: 1

    At home with a private domain-name, I forward all my email to gmail, let gmail do the job of filtering, and download it after that. (1300 spam messages in 2 days) After that I redistribute the mail to my family-members. At the office we have a provider who checks our mail for spam, so there is a spambox centralised at our provider. ( > 3000 a week) This is also our fallback, just in case our company email fails. At the office we have a dmz and a server with trend micro, which filters spam. Also a large quarantine area with quarantined emails. Even then there is spam reaching the users. In the local network of our office is an exchange server. The users are working with outlook and have the opportunity to make filter-rules for spam. When users know for sure there is an email sent and it has not reached their email-box, we can connect to the quarantine-area in the dmz, search for the email and release it to the user. So the positive effect of all these things is, that I can use my time for other things. (games and so on...)

  74. Just use Mail Avenger by alfrenovsky · · Score: 1

    You can use Mail Avenger. It rejects spam in the SMTP chat, so no reject notification needs to be made. Mail Avenger filters by complying with the RFC strictly, so if any "non spam" mail is rejected it is not your fault; it is because it has been sent outside of the SMTP protocol.

  75. Re:Barracuda google Apps is better by kurt555gs · · Score: 1

    Sorry, but now that I have been using Google Apps for email, if you have up to several hundred people, you are just plain nuts to do your own email.

    Why would you even want to?

    Do not discount what Google Apps does before you try it.

    I used to have my own email servers, .... no more, no way.

    --
    * Carthago Delenda Est *
  76. Milter by Anonymous Coward · · Score: 0

    Use the sendmail Milter. If the email gets bounced the sender is told and THAT way important emails can be resent.

  77. Manually inspecting? by ocbwilg · · Score: 1

    Are you freaking serious? You're manually inspecting messages tagged as spam looking for legitimate messages? Do you have to wipe people's asses for them too?

    Most companies who have effectively dealt with the spam solution have implemented a product that can do filtering based on multiple criteria, and they don't worry about sifting through what was caught by the filters. There are many, many good products out there, but one of my favorites is called XWall. You can get it from www.dataenter.au. The thing that I like best about XWall is that it is inexpensive (less than $500 per SMTP gateway) and that it has a TON of criteria that you can use. Of course you can have it query various blacklisting services, that's pretty much standard. One thing that it supports that I found was highly effective was greylisting. Then there are a number of other criteria including using bayesian filtering, setting up whitelisting, etc. In most cases where I have deployed it I've just set up greylisting along with a couple of common blacklists (Spamhaus and one that lists servers in dynamic IP ranges, which are usually broadband connected zombies), and the reduction in spam is so dramatic that most people are satisfied. After running it for a few years I finally got around to tuning the Bayesian filtering enough to turn it on. You just set the spam detection threshold pretty high initially, then gradually lower it as the system is tuned for the user base. If you have critical clients/business partners, you just whitelist their domain from the beginning.

    If you don't want to just drop messages that are flagged as spam, you can have your application prepend the subject line with "SPAM:" and then set up a client-side rule to sort those messages into a spam folder. That way if the user thinks that the filter is overzealous they can check their own spam messages for legitimate content. This also helps when initially tuning the anti-spam system, but it does end up eating up tons of email storage if you support a large number of users.

    Every once in awhile we'd have an issue where something important got tagged as spam, or it took longer than expected to get a message delivered due to greylisting, but those things are usually pretty easy to fix. If anyone complained about "time sensitive" emails not getting delivered in time, I'd usually tell them not to use email for something time critical. After all, email isn't a real-time application, mail delivery is handled on a best-effort basis, and while messages usually are delivered within a minute or two there are all sorts of things that I have no control over that can cause delays in delivery.
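A minimal greylisting policy of the kind the comment above relies on, as an added example that is not XWall's code or part of the original comment. The timing values, the /24 grouping of client addresses, the class and method names and the sample addresses are assumptions.

```python
import ipaddress


class Greylist:
    """Temp-fail the first delivery attempt of an unknown
    (client network, sender, recipient) triplet; accept a later retry."""

    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 pass_lifetime=35 * 86400, whitelist_domains=()):
        self.min_delay = min_delay          # seconds a retry must wait
        self.retry_window = retry_window    # retry must arrive within this
        self.pass_lifetime = pass_lifetime  # how long a passed triplet is kept
        self.whitelist = {d.lower() for d in whitelist_domains}
        self.pending = {}                   # triplet -> time first seen
        self.passed = {}                    # triplet -> time last accepted

    @staticmethod
    def _network(client_ip):
        # Large senders retry from any host in a pool, so key on the
        # surrounding network instead of the exact address (assumption).
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def check(self, client_ip, sender, recipient, now):
        """Return (SMTP reply code, reason) for one RCPT TO."""
        sender, recipient = sender.lower(), recipient.lower()
        # The envelope sender is forgeable: whitelisting only skips the
        # delay, later content filters still see the message.
        if sender.rpartition("@")[2] in self.whitelist:
            return 250, "whitelisted sender domain"
        key = (self._network(client_ip), sender, recipient)
        last_ok = self.passed.get(key)
        if last_ok is not None:
            if now - last_ok <= self.pass_lifetime:
                self.passed[key] = now
                return 250, "known triplet"
            del self.passed[key]            # expired, start over below
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now
            return 450, "greylisted, try again later"
        if now - first < self.min_delay:
            return 450, "greylisted, retry too soon"
        del self.pending[key]
        self.passed[key] = now
        return 250, "retry accepted"


def replay(attempts, **options):
    """Run constructed (ip, sender, recipient, time) attempts in order."""
    greylist = Greylist(**options)
    return [greylist.check(*attempt)[0] for attempt in attempts]


# Constructed traffic: a real MTA that retries from a sibling host, a
# fire-and-forget zombie, and a whitelisted business partner.
SAMPLE = [
    ("192.0.2.10", "news@sender.example", "bob@example.com", 0),
    ("203.0.113.9", "x@zombie.example", "bob@example.com", 5),
    ("192.0.2.10", "news@sender.example", "bob@example.com", 60),
    ("192.0.2.77", "news@sender.example", "bob@example.com", 600),
    ("198.51.100.5", "ceo@partner.example", "bob@example.com", 610),
    ("192.0.2.10", "news@sender.example", "bob@example.com", 900),
]

if __name__ == "__main__":
    print(replay(SAMPLE, whitelist_domains={"partner.example"}))
```

The delay the comment mentions for time-sensitive mail is `min_delay` plus however long the sending server waits before its first retry, which the receiver does not control.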

  78. we use MailMarshal for SMTP by Anonymous Coward · · Score: 0

    Very intuitive to setup and stops 95% of the spam. Has a nice web interface for your users to whitelist/blacklist addresses and to release messages stuck in the filter. I think you can get a 30 day trial to check it out, but you will have to deal with the salespeople. www.marshal.com

    We have about 4000 employees.

  79. Offload the Problem by Anonymous Coward · · Score: 0

    A few years back, we implemented Sprint Spam Assassin service. It was one of the best decisions we made--very turnkey, no maintenance and has nice fringe benefits like still being up to collect mail when your mail server goes tits up.

    I would definitely look for a hosted, outsourced option rather than have to worry about anything yourself.

  80. Postini and SpamAssassin by neight108 · · Score: 1

    I work for a small hosting company, and we found that a combination of Postini, along with SpamAssassin works very well

  81. They use me! by stevey · · Score: 1

    They use me!

    More seriously there are many approaches that you can take, from the DNS-based blacklists, Bayesian filtering at SMTP time, and then any local content-filtering rules.

    Spam is constantly evolving though, so you might find it more productive to just outsource it as others have suggested. (I couldn't recommend gmail though!)

    Companies such as MessageLabs, etc, exist and do a good job. There is even my own service which uses a nice configurable combination of DNS blacklists, Bayesian filtering, valid user detection and more - the advantage to my service/system is that each rejected message is quarantined for a month so you can easily catch false positives.

  82. Ironport is the way by Anonymous Coward · · Score: 0


    I'm messaging engineer for one of the top 20 companies in the Fortune 500.

    276 million emails in a month
    271 million of those blocked and dropped (no NDR, SMTP rejects with 500 code) (roughly 98%+ dropped before reaching the end users).

    No end user quarantine or notification to end user. We don't have to worry about 'educating' the users about spam and all the resultant training, end user support and burden on our IT help desk.

    Ironport is accurate enough that we don't have to worry about reviewing what's blocked.

    3+ years running it.

    Mind you, Ironport likes large corporate customers, but they also had small under (the c10 or C100 when we bought our other ones... and I think Dell does, or did, sell the C10/C100 under the Dell label as well. They are reasonably priced, particularly if you consider the accuracy and the lack of having to train end users about spam.

    www.ironport.com

  83. grassroots model works best by h_thrilz · · Score: 1

    My firm utilizes MXLogic. MX records redirect all mail to them for 40-odd spam tests. Only non-quarantined mail is then delivered to users (we find that the load on mail servers reduces by 60%). The real advantage is that users all receive a quarantine report in their inboxes daily. This allows them to release (white-list) items quarantined. Because 1 man's spam is another's ham, this "grassroots" approach seems to work best. Aside from a few global white-listings (business partners) and black-listings (mischievous ex-employees), there is very little top-down administration. Also, there is nothing to install or maintain on workstations like with SpamBayes or other client-based filters. The cost per user is very reasonable, especially when you consider the time it will save admins.

  84. Multiple layers of filtering by kmassare · · Score: 1

    I have the same duties at a similarly sized company. First of all, your users are to be congratulated for good internet practices that result in only 2000 SPAM emails a day. Typically, our filters capture about 40,000 SPAM per day. We use three layers of filtering. Our first defense is a commercial real time black list service. Email from an IP address on the black list results in a rejection with a 500 error. This blocks about 65% of our incoming SPAM. Email that makes it through the RBL gets processed by Spam Assassin which tags suspected SPAM but lets it pass through to the next stage. The third stage is another SPAM filter contained in the mail server anti-virus scanner. This also just marks suspected SPAM. I have set up rules on our local users' machines to dump any emails marked SPAM into a SPAM folder on their machines. It is the user's responsibility to periodically screen the SPAM folder for false positives, and yes, I still get occasional complaints from users.

  85. Using a Service Provider by jonnyboy3us · · Score: 1

    Since we are part of a larger umbrella corporation, we've been using a product called MX Logic. Basically, MX Logic is a service provider that intercepts all of our email and scans it for viruses and spam. Our MX records point to their servers. Our Email Server then accepts only email from their server farms. This does a couple of things:

    1. The email doesn't touch our email server until it's been scanned.
    2. If the email is dubious, the user gets an email allowing them to accept or deny the email from them (No work on my part).
    3. It hides our email server from any would-be spammers since MX Logic is the interceptor.

    While this does cost a little bit of money, it's worked extremely well and since it's a Service Provider, we don't pay for any hardware or maintenance costs. We just pay a yearly fee per user. Once the email hits our server, it is then scanned again for viruses and then passed on to the user. We've had a lot of success with this product. Of course, the OSS solutions are great too (I use those at home), but for our needs, MX Logic has done a great job.

  86. Barracuda is a rip off. Spamassassin all the way!! by Anonymous Coward · · Score: 0

    Barracuda uses Spamassassin with many layers. I built myself a Spamassassin filter and added many layers. There are few false positives and some people went from 200 spam messages a day, to 10 a day. I called about a Barracuda system and asked them about customizing their filters and they said it wasn't possible. So.. why pay $6,000 when I can do it myself and it only costs my company, the time for me to do it? Barracuda is a rip off. Read all about Spamassassin and build yourself one damn good filter with many layers and it's going to be just as good, if not better than Barracuda.

  87. MX Logic just plain works by aauu · · Score: 1

    MX Logic filters before your mail server downloads the spam. Don't clog your pipes with garbage. There is excellent user access to blocked mail.

    --
    When I was young, I had to rub sticks together to compute.
  88. External spam filters by Anonymous Coward · · Score: 0

    We've moved all of our clients to external spam filters (specifically Messagelabs). We *MIGHT* get 1 false positive (across 500 mailboxes) a month. The users have direct access to their quarantines as well, so they can do a double-check.

    There's one other really important bonus to external filters - if your server ever goes down, mail queues on their side. That alone is worth the price of admission.

    There are cheaper filters than Messagelabs too .. like Exchange Defender. I don't know the quality of them though.

  89. Exchange 2007 Edge by lukas84 · · Score: 1

    We're using an Exchange 2007 Edge Server, with ForeFront Security for Exchange and it's integrated Spamfilter.

    Works well. Spam is tagged and automatically sorted to the user's Junk-Mail folder, directly accessible within Outlook. Each user checks their Junkmail folder on their own.

    There's no maintenance involved.

    (We're around 35 People).

  90. Spamassassin? untangle? by yorugua · · Score: 1

    I'm using spamassassin + exim on mail relay gateways of a 2000+ email installation. It works great.

    You need to add the dccproc ( http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dccproc.html ) and razor ( http://en.wikipedia.org/wiki/Vipul's_Razor ) plugins in order to use those "reputation" services, turn on bayes filtering, wait for 200 messages to be "marked" and there you go. If you have enough load, you might need to switch from the DB database backend to mysql. One thing you might be interested in is http://www.untangle.com/ ... looks interesting.

  91. I can feel your pain... by ClemensW · · Score: 1

    I had a similar experience several years ago: No matter how you tweak the filters, it's wrong - catch 22.

    Besides, spending several hours a day releasing mails from quarantine is not really an enjoyable or satisfying task.

    So, here's what I did: We're also using GFI, so you can as well keep it. Maybe it's not the best system around, but I currently use a combination of postfix and RBLs on the perimeter and GFI Mail-Security and -Essentials on the inner network to handle ~150k messages/day for about 500 users. And I look at the quarantine folder just every other day...

    I configured the system as follows:
    - I accept only mails from correctly configured servers (reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_non_fqdn_hostname)
    I'm still amazed how many spammers think 'localhost' is a good idea.
    - No catchall account. One of our domains was badly burnt and just removing the catchall and standard accounts (except postmaster) eliminated ~ 30k mails/day.
    - RBLs. I'd recommend the zen list from spamhaus.com.
    - Greylisting. Most spambots still can't handle it.

    Anything else is rejected. That alone gets rid of about 50% to 60% of all messages.

    Bonus: Any 'false-positive' will get the rejection message, so the sender knows his message didn't get through.

    Then comes GFI:
    - Virus/phishing mails get deleted w/o further notice.
    - Anything that MIGHT be harmful (like password-protected ZIPs) gets quarantined. If users complain about the delay, I give them a lecture about using PGP or X.509 to safely encrypt messages.
    - Anything else looking suspicious (based on bayes, other RBLs including my own, SURBLs, header checks and keywords) gets tagged as spam and redirected to a spam folder in user's inbox.

    The last part is the biggest change. It took me some time to get this through, but I feel the only person to make a decision about whether or not to delete a mail is only up to the user. My decision is based on my personal knowledge and is therefore error-prone (and if some people didn't believe this... well, let's just say my error rate increased ;-)

  92. HOSTED SPAM by fdiaz5583 · · Score: 1

    Try Katharion (www.katharion.com). We use it at my job and it works pretty well. You will get an e-mail once a day or once a week (whatever you set it up) summarizing all the e-mails it's blocked and you can release any of the ones you want. Check it out...

  93. Appriver by Icyfire0573 · · Score: 1

    Personally my company resells a service called Appriver. This company is great. You point your MX records to them then they do all the filtering, $50 a month for 20 users. They can do Open or Closed domain mode (Open means they filter all mail and deliver it to your server, closed means you give them a list of valid accounts and they /dev/null everything else). Also, the best thing is you have the option to receive an email every day of all the email that was destined for your inbox that got held up so you can release it from the spamfilter to your mailbox. Also they do statistics, we had one company that was a dance club in NYC. All that they did was send mailings to anybody that signed their guest book with an email address. On average they had 10,000 spams a day for 10 users and this was phenomenal for them.

  94. MessageLabs sucks. by khasim · · Score: 1

    I had a problem with spam from one of their clients and they kept claiming that even though it came from one of their servers, it was not "from" them so they could not do anything about it.

    Their tech support people really knew nothing of SMTP. Even when I mailed the headers to them, they still couldn't understand it. I had to spell it out for them.

    Any legitimate "email provider" must have some way to handle complaints about their customers sending spam. MessageLabs did not.

    1. Re:MessageLabs sucks. by travisd · · Score: 1

      Since messagelabs doesn't require that you relay your outbound thru them, it's entirely possible that they could, in fact, do nothing about the spam you were receiving. In SMTP, your inbound and outbound do not have to be the same path.

  95. Have you considered outsourcing? by dlur · · Score: 1

    I run a shop with around 50 users and growing. I looked at various options and did TCO estimates for them and looked at feature sets and ease of management. In the end I chose to outsource our SPAM filtering to a 3rd party, namely MX Logic.

    The reasons for choosing outsourced filtering/MX Logic over an inhouse solution:

    1) Cost: Less expensive than choosing a commercial inhouse solution that requires annual maintenance for our size of userbase (cost would have favored inhouse solution after around 150 users).

    2) Security: I don't have any mail servers open to the internet at large anymore (not even in my dmz). All incoming mail flows from MX Logic so I'm able to filter out all other incoming SMTP traffic at my firewall with an ACL that only allows MX Logic's IP block to access the mail server in my DMZ. I no longer have the whole of the asian pacific rim IP range trying to flood my mail server every day.

    3) Ease of management: if a user gets a suspect message that goes to quarantine that individual user gets an email digest alerting them to each quarantined message. The user is able to decide whether to delete or allow the messages. They are also able to set an allow_always for specific senders that got quarantined. I don't have to do anything.

    4) Other Features: MX Logic also scans for viruses, blocked attachment types, etc all before anything gets to my internal mail server.

    Now implementation cost would be less of an issue using an open-source solution for sure, but I don't think the ease of management or firewall-level security would be as good. The TCO may actually be higher when you consider time spent managing the solution. With MX Logic I haven't had to do jack since implementation. If you do choose to use an outsourced filtering solution like MX Logic or Postini, or whatever I'd recommend using that service to relay your outgoing SMTP and create an SPF record for it also or you may have issues with servers that use greylisting.

    --
    Duris MUD - The best pkill MUD. Ever.
    1. Re:Have you considered outsourcing? by Lershac · · Score: 1

      how about free?

      ASSP

      --
      Chuck
    2. Re:Have you considered outsourcing? by RaymondRuptime · · Score: 1

      We have also had good success with MX Logic, and the TCO is still lower than an internal implementation for our 1000+ users. Based on our couple of years of experience, just the security aspects you mention would prevent us from ever doing anything but outsourced again.
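Comment 95's advice to relay outgoing SMTP through the filtering service and publish an SPF record for it, shown as an added Python sketch (not code from the thread or from any vendor) of how a receiving server evaluates that record. It implements only the `ip4`, `ip6`, `include` and `all` mechanisms of SPF; the domains, addresses and the `txt_lookup` function are constructed placeholders.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # cap on DNS-querying terms per check, so include loops terminate


def check_host(ip: str, domain: str, txt_lookup: Callable[[str], List[str]],
               budget: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of `domain` for a connecting client `ip`."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    records = [t for t in txt_lookup(domain) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"               # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term.split(":")[0]:    # modifier (name=value), not a mechanism
            if term.lower().startswith("redirect="):
                return "permerror"       # not implemented in this sketch
            continue                     # e.g. exp= does not change the result
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = net.version == addr.version and addr in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"       # lookup limit exceeded (include loop)
            inner = check_host(ip, arg, txt_lookup, budget)
            if inner in ("none", "permerror", "temperror"):
                return "temperror" if inner == "temperror" else "permerror"
            matched = inner == "pass"    # fail/softfail/neutral mean "no match"
        else:
            return "permerror"           # a, mx, exists, ptr: outside this sketch
        if matched:
            return QUALIFIER[qual]
    return "neutral"


# Constructed zone data: corp.example first lists only its own mail server,
# then adds the hosted filter's published sender range via include:.
BEFORE: Dict[str, List[str]] = {
    "corp.example": ["v=spf1 ip4:203.0.113.25 -all"],
    "spf.filter.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}
AFTER = dict(BEFORE)
AFTER["corp.example"] = ["v=spf1 ip4:203.0.113.25 include:spf.filter.example -all"]


def scenario() -> Dict[str, str]:
    """SPF results for mail claiming to be from corp.example."""
    relay, stranger = "198.51.100.40", "192.0.2.77"
    return {
        "relay_before": check_host(relay, "corp.example", lambda d: BEFORE.get(d, [])),
        "relay_after": check_host(relay, "corp.example", lambda d: AFTER.get(d, [])),
        "own_server_after": check_host("203.0.113.25", "corp.example",
                                       lambda d: AFTER.get(d, [])),
        "stranger_after": check_host(stranger, "corp.example", lambda d: AFTER.get(d, [])),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

A receiver that enforces SPF acts on the `fail` result, so the record has to list the relay before outbound mail is moved to it.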

  96. Reasonable expectations by rueger · · Score: 1

    For a small operation you really need to teach people to have reasonable expectations. Ten spam per day in your in box? Fifty? One Hundred?

    Figure out what's a reasonable number and teach people that it's just one of those things that they'll need to deal with. No-one should expect that they'll never see any spam, or that no false positives will ever happen.

    Whatever solution you choose make sure that there's a fast and easy way to search the filtered mail. At one point my former webhost switched spam filtering systems, and suddenly the only way to look for falsely tagged messages was to scroll through pages and pages of messages.

  97. an outsourced solution by hexfortyfive · · Score: 1

    Has anyone suggested the "cleanmx" service from dragonfli.ca? I have a few small/medium-business clients I do IT support for and it's worked amazing as an anti-spam solution.

    From what I understand, you point your domains' MX records to their "cleanmx" box, it does all the spam filtering, then forwards the mail on to your real MX server. They offer several behaviors like "just mark the spam" VS "delete the spam", and at the end of the month they let you know how many emails it processed for each domain, and how many spam messages it found.

    They advertise no false positives and 96% efficiency on false negatives.

  98. Vamsoft ORF by hohokus · · Score: 1

    i was in a similar situation. ~50 users, gfi mailessentials. the software is bad -- you have to get away from it. there are too many bad things to list. try following the support forum for a month or so, and see how much progress gets made..

    i moved to vamsoft's "orf filter". this cuts out about 98% of the spam at the MTA level, as god intended. (gfi accepts all mail, period, and then backscatters NDRs out into the world.)

    i left gfi in place for awhile after installing orf and used it strictly as a categorizing filter, moving everything to the users "junk e-mail" folder.

    eventually i replaced gfi with spamassassin for windows (http://sawin32.sourceforge.net/), an exchange event sink to score the messages before they were accepted (http://www.christopherlewis.com/ESA/ExchangeSpamAssassin.htm), and the mailshell event sink to move tagged messages to the users junk folder (http://www.mailshell.com/mail/client/oem2.html/step/exchangeplugin).

    aside from vamsoft, which is extremely reasonable in price, these are all $free solutions which work incredibly well. orf blocks most spam at the MTA. anything that makes it past is categorized by spamassassin, put in the user's folder, and it becomes the user's problem. the users manage their own email, without anyone else looking at it. better for them (privacy), better for me (don't have to deal with it). the change was essentially transparent for the users; they only noticed that they were getting less junk.

    i still follow the gfi support forum, but it's mostly just to chuckle. i'd love to share some of this with the folks who are struggling with the software, but any post that suggests a different, non-gfi solution is quickly deleted -- i understand they need to try to keep the rats on the sinking ship, but the censorship is pretty hard to stomach.

    anyway. hope this helps.

  99. Use a service like MXLogic? by walterbyrd · · Score: 1

    A commercial service will probably do a better job of filtering spam than any in-house solution. Commercial services use very high-level processes, techniques, and software. Commercial services constantly update virus filters and the like. Such services are not that expensive.

  100. Sendio SAV solution by Anonymous Coward · · Score: 0

    one word: Sendio!

  101. My REAL problem with Gmail/Google Apps by thatseattleguy · · Score: 3, Insightful

    Well, it's a two-edged sword.

    I run email for several of my domains through Google Apps for Your Domain - essentially, Gmail. On my largest account, I get several hundred legit emails and 200-1000 spam messages each day. The problem isn't Gmail's filtering of this - it's actually damn good, with maybe 2-3 false negatives a week and maybe one false positive. Better than almost anything else I've seen.

    The problem is that Gmail gives me NO options - as a user or domain administrator - to sift through the spam box automagically, looking for those false positives. You CANNOT access the spam box in any way other than their web interface, looking manually through your spam, hoping to see the occasional legit message that confused the filters and was labeled spam. (Okay, if you go the full IMAP route, you can apparently see it, but that's cumbersome in the extreme if your users aren't doing IMAP in the normal course of things.)

    This borders on perverse. How hard would it be to allow POP to the spam box, so that I could suck down the messages and run my own filters on them? And what's with the lack of user filtering options? "Um, Google, here's a hint: I don't read Chinese or Russian. If mail comes into the spam folder in one of those languages, you just delete it and not bother me with it, OK?".

    Dunno, it feels like a case where someone's high up in Gmail's design group has a religious or aesthetic conviction about how spam should be handled ("no filters...no settings...no controls...no access") that blinds them to how badly this works for users and administrators in the real world.

    1. Re:My REAL problem with Gmail/Google Apps by Moridineas · · Score: 1

      What about IMAP? It allows you access to the spam folder.

  102. Postini (Google) by terminal.dk · · Score: 1

    At work we scrapped the commercial product we were running ourselves, and switched to Postini/ScanSafe/Google some months ago.

    The results are way better than most I have seen. It is way better than ClearSwift MIMESweeper for SMTP, and at a lower yearly cost. It also beats the free software out there.

    Only disadvantage: Since we do send outgoing through them as well, we do not have any definitive log of delivery. But this can be provided by Postini when needed.

  103. Exchange 2003 / IMF by Anonymous Coward · · Score: 0

    I set my company up to use Exchange 2003 servers (four of them, in different sites) with the built-in antispam component, "Intelligent Message Filter". It's configured to reject messages that are certainly spam, and send to the users' Junk Mail folders any messages that just might be spam.

    There are also configurable whitelists and blacklists per user, which helps too.

    Works pretty well, we rarely have any false positives.

  104. Re:Barracuda google Apps is better by theshowmecanuck · · Score: 2, Insightful

    Sure... if you want another company in possession of your company's email. How do you know the other company won't look at sensitive emails? Just because 'they shouldn't' or 'they say they won't', doesn't mean someone there won't. Heck, if people are looking up Obama's and others' passport info in the government, I would be willing to bet that someone at a third party email provider has looked at someone's sensitive email. What if they get wind of a business deal on a subject they may have a business interest in? I think anyone who trusts their sensitive data to others with no real consequence to having that data leaked, is not thinking far enough ahead. It is the same reason I detest so much our data going to overseas servers.

    --
    -- I ignore anonymous replies to my comments and postings.
  105. SPAM filter by pbegley · · Score: 1

    If you have to manually vet the contents of your SPAM filters, something is wrong.

    Buy a filter that allows end users to scan filtered mail and manage their own queues. Barracuda Networks is one we have used for SMB's and it does quite a good job. I think Symantec's tool can work in a similar fashion.

    -Paul

  106. Whine, whine by pclminion · · Score: 1

    It's part of your job to get "bitched at." Try sucking it up and being a professional. These are complaints, not idiots bitching you out.

  107. Postini by 222 · · Score: 1

    Nuff said. An org your size would have minimal expense, and it's all pretty hassle free.

  108. send a spam log by Anonymous Coward · · Score: 0

    My university, UCDavis, filters spam but sends a spam log at the end of the week (or day). Messages can be retrieved if they aren't spam. With this method you could tighten your filters a bit, while allowing people to check for themselves.

  109. Two things... by capn0jack · · Score: 1

    Two things...first use some kind of web interface that the users can check themselves whenever they feel it's necessary. Second, consider outsourcing the spam filtering to someone like Postini. They do an excellent job and all the bells and whistles are there, plus, you can send outbound mail through them, too. Thanks, Chaz

  110. This works for us by rolfc · · Score: 1

    You shouldn't have to review all spam, check it at smtp-time instead and reject. Mark the uncertain as Spam and send to the enduser.
    We use exim with a config from http://www.jcdigita.com/eximconfig/ It works very well, most of it is automated and we use about two hours a month for administration. We have 450 users, and it is a well-known domain since 1995.

    The catch is that you need a good understanding for what spam is.

  111. MessageLabs sucks. by khasim · · Score: 1

    No, you did not understand. The headers from the spam showed that it came from their server. MessageLabs' servers. Those were the servers connecting to my server and sending the spam to me.

    I had to break out the headers to specifically show them that. I had to do that because they seemed incapable of reading the headers themselves.

    MessageLabs sucks.

  112. digestive approach by kmkz · · Score: 1

    I go to Johns Hopkins University and they have a pretty effective way of dealing with the whole spam situation. Firstly, users can opt-in to the spam filtering system, which means that each user knows if they should expect emails to randomly disappear. Now, if they do opt-in, all "spam" is sent to an isolated quarantine inbox (as one might expect) by analyzing TO:, FROM:, Subject:, etc fields. The interesting part (which I think would solve your problem), is that if a user's spam inbox contains any messages, the spam daemon will send the user a digest email, containing a brief description about how it caught __ number of emails, etc. and will provide the subject headings for each email, along with a link to see the entire message. The user can then specify how often he/she wants these digests, which essentially guarantees that in a given period, the user will only have to consider spam emails once. Finally, the spam daemon automatically kills any emails left in the box after a certain amount of time. This also has an added security benefit: emails classified as spam are never sent to the user (unless they explicitly request it), which means that if the message were to contain malicious attachments, unwanted images, etc, they are not at risk. Anyway, just might be something you want to think about.

  113. Outsource it. by IGnatius+T+Foobar · · Score: 1

    Just outsource it. There are plenty of services that will do the job for you, and they're very affordable, especially compared to the cost of your own time. Postini for example is fantastic; we've been using them since before Google bought the company, and they're quite effective with very few false positives. At about a dollar per mailbox per month, you almost can't afford not to do it.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  114. SpamAssassin by counterexample · · Score: 1

    I've found a combination of SpamAssassin running with Postfix particularly effective. Set it up to autolearn. I use Exchange/Outlook so I set up Outlook rules to move everything with the [SPAM] subject tag into a subfolder, so users always have a copy of the spam that was caught. I also have a Spam public folder that people drop their false negatives into and I use Fetchmail to grab the messages daily and manually learn from that corpus. Set up Postfix to enforce SPF records. Having this on a different server than your mail server gives you the extra benefit of indefinitely spooling mail if your Exchange server goes down, or going directly through if the spam filter goes down. Here's a great article on setting it up: http://advosys.ca/papers/postfix-filtering.html Alternatively, MX Logic does quite a good job if you're OK outsourcing your filtering

    --
    "Of course life is bizarre. The more bizarre it gets, the more interesting it is. The only way to approach it is to make
  115. An industry endorsement for Postini by Anne+P.+Mitchell+Esq · · Score: 2, Interesting
    First, let me qualify - I have been involved in the anti-spam effort since it first came into existence. I was in-house legal counsel for MAPS, back when the original RBL was first getting sued by spammers. I currently run an Internet public policy institute, and I helped to author part of CAN-SPAM (in fact the only part of CAN-SPAM which has any teeth - not because I helped to write it, but because the rest is so anemic).

    As you may know, it used to be that Postini was considered, by those of us in the anti-spam industry, something of a black hole, and not a service we would recommend.

    However, having been in touch with their executive team in recent years, I had inside knowledge as to how that was changing - how they *wanted* that to change.

    Recently, we decided to take our own spam filtering outside, to let someone else's servers do the heavy lifting. We tried several solutions, and finally, almost in desperation, I gave the 'ok' for us to try Postini (which of course is now owned by Google, but the exec team is still in place).

    Let me tell you that we were *extremely* pleasantly surprised - the service really has been *very* good, it was relatively easy to set up (you do need to be familiar with how to set up your MX records, etc., but if you are already adminning a server, you should already be fairly comfortable with that).

    The price is good, and the end user UI is excellent in that it's pretty easy for an end user to understand how to scan their "spam folder", how to get something delivered out of the spam folder, how to whitelist a sender, etc..

    Honestly, it's one of the easiest-to-use of the offsite systems out there - and one bonus is that it gets the user support *off* internal admins.

    And, the false positive rate is low, as is the false negative rate - which really is the bottom line test for spam filtering services.

    We have a formal review for our corporate blog (http://www.TheInternetPatrol.com/) in the works, but in the meantime consider this an endorsement of Postini from the Institute for Spam and Internet Public Policy (http://www.isipp.com/)

    Anne

    Anne P. Mitchell, Esq
    CEO/President
    Institute for Spam and Internet Public Policy
    Professor of Law, Lincoln Law School of SJ
    Author, "The Email Deliverability Handbook"

    1. Re:An industry endorsement for Postini by Lershac · · Score: 1

      I would be really interested to hear what you think of projects like assp and specifically assp.

      --
      Chuck
  116. Highly Recommended Solution by Ynazar1 · · Score: 1

    I've built this: http://www.gentoo.org/doc/en/mailfilter-guide.xml, when i was tasked with setting up mailfilter. It works great and is also scalable with some LVS if you really need it. There's always GMail for business (former Postini) mailfilter (which is pretty cheap) or a ton of similar solutions out there that will do it for you.

  117. SpamTitan by BrimstoneEdm · · Score: 1

    We have been using a SpamTitan (http://www.spamtitan.com) virtual machine for approximately a year now and it works very well. I bought the license for up to 100 users, downloaded the VMware virtual machine image and converted it to run on ESX server. Highlights:
    * The interface is very impressive and setup was quite straight forward - no reading of the manual required.
    * Uses two anti-virus engines: Kaspersky and ClamAV
    * Uses OCR to detect image-spam
    * Multi-layer anti-spam approach - scoring from several algorithms is compiled to provide a single spam score.
    * The product checks for valid recipients (including aliases) against my Exchange server.
    * Logging and reporting are excellent.
    * There have been some false positives and initially it didn't block as much spam as I had hoped but as the Bayesian analysis has improved so have the detection rates.
    * Afraid of false positives, I initially monitored the quarantine and white listed many of the domains belonging to suppliers and clients.
    * I am not yet sending outgoing mail through my SpamTitan but this would improve the filters as well using what they call "PenPal bonus".
    * After a version upgrade, the ClamAV definitions were no longer being updated. I contacted support and they connected from remote (via a tunnel I opened) and fixed the problem. An excellent support experience.
    * The users control their own experience - I have configured it to send each user a daily digest of mail that has been quarantined since the previous report. Each user then manages their own quarantine, white list, etc. Training has been minimal and response has been very positive. I was surprised to find that we are averaging only approximately 12% legitimate mail.

  118. I really like MailCleaner by cshabazian · · Score: 1
    I work for a fortune 100, and we have some great spam filtering. When I wanted something similar for my personal server, I found all the features I wanted in MailCleaner:

    * smtp relay, so if it's overloaded or down, mail can keep flowing to your mail server based on mx record priority in your DNS
    * allows whitelisting at both the user and domain level
    * users can log onto the web interface to force a message to be released from the quarantine in case they know someone sent them something they didn't get
    * a daily log is sent to the users (if requested) that contains all of the quarantined emails, along with a link that the user just needs to click on to have that message released from the quarantine and forwarded

    I set this up in a VM, and it handles about 30 mailboxes which used to get upwards of 100+ spams a day each. Now I get one or two spams a day.

    There is both a free and purchased version of MailCleaner. I highly recommend you pay for the commercial version to support their efforts. Of course, you can try the free version first to make sure it works for you.
    http://www.mailcleaner.org/
    http://www.mailcleaner.net/

  119. Red Condor by Anonymous Coward · · Score: 0

    Red Condor. 'nuff said.

  120. ASSP to the rescue by elvar · · Score: 1

    http://assp.sourceforge.net/

    I've used a number of spam filters and none of them have been as effective as ASSP has. I highly recommend it.

    1. Re:ASSP to the rescue by Anonymous Coward · · Score: 0

      I run assp - it's absolutely brilliant - it's a transparent smtp proxy, sits in front of your mail server and presto all solved - there is also a very nice auto installer.

  121. Postfix+RBLs+sqlgrey+SA = perfect (right now) by Anonymous Coward · · Score: 0

    I am looking after the mailservers of a hosting company, providing services to about 100 smaller companies. As we are hosting ourselves on the same servers as the customers spam has always been a primary concern.
    To keep costs down most of the stuff we use (apart from the virus scanner) is OSS.
    1st layer of defense are RFC checks run by postfix before accepting the mail (mentioned earlier)
    2nd layer is several RBLs (about 11)
    3rd layer is SQLgrey greylisting, did magic for us and lowered the spam messages processed on the server by about 70%
    4th layer spamassassin with Razor, DCC and F-Secure antivirus plugin.

    This does a pretty good job, I still get about 1-2 spam messages per week (instead of about 100 a day that attempt to be delivered).
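The SMTP-time layering described in comments 91 and 121 (RFC sanity checks, no catch-all, RBL lookup, greylisting), as an added Python sketch that is not any poster's or product's code. The zone `dnsbl.example`, the addresses, the reply codes and the injected `resolve` function are assumptions made so the example runs offline; it also shows that a greylisted sender gets through once it retries after the delay.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_fqdn(name: str) -> bool:
    """Dotted host name with an alphabetic TLD; 'localhost' and IP literals fail."""
    return bool(FQDN_RE.match(name.rstrip(".")))


def addr_ok(addr: str) -> bool:
    """Envelope address must look like local@fully.qualified.domain."""
    local, at, domain = addr.rpartition("@")
    return bool(local and at) and is_fqdn(domain)


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: reversed octets (IPv4) or nibbles (IPv6) plus the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{zone}"


@dataclass
class Greylist:
    min_delay: int = 300     # seconds a new triplet must wait before a retry counts
    max_age: int = 86400     # a first attempt older than this starts over
    first_seen: Dict[tuple, float] = field(default_factory=dict)
    passed: Set[tuple] = field(default_factory=set)

    def key(self, ip: str, sender: str, rcpt: str) -> tuple:
        # Design choice: key on the client's /24 (or /64) so that a sending
        # cluster retrying from a neighbouring address is not delayed again.
        bits = 24 if ipaddress.ip_address(ip).version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> bool:
        """True if the triplet may pass, False if it should be deferred."""
        k = self.key(ip, sender, rcpt)
        if k in self.passed:
            return True
        seen = self.first_seen.get(k)
        if seen is None or now - seen > self.max_age:
            self.first_seen[k] = now
            return False
        if now - seen < self.min_delay:
            return False
        self.passed.add(k)
        return True


@dataclass
class Policy:
    recipients: Set[str]                       # real mailboxes only, no catch-all
    dnsbl_zone: str
    resolve: Callable[[str], List[str]]        # name -> A records ([] if unlisted)
    greylist: Greylist = field(default_factory=Greylist)

    def rcpt(self, ip: str, helo: str, sender: str, rcpt: str,
             now: float) -> Tuple[int, str]:
        """Decide at RCPT TO time; cheapest checks first, greylisting last."""
        if not is_fqdn(helo):
            return 504, "HELO name is not fully qualified"
        if sender and not addr_ok(sender):     # empty sender is a bounce, allow it
            return 504, "sender address is not fully qualified"
        if not addr_ok(rcpt):
            return 504, "recipient address is not fully qualified"
        if rcpt.lower() not in self.recipients:
            return 550, "no such user"
        if self.resolve(dnsbl_name(ip, self.dnsbl_zone)):
            return 554, "client address is listed"
        if not self.greylist.check(ip, sender, rcpt, now):
            return 450, "greylisted, try again later"
        return 250, "ok"


# Constructed data: one listed client address and one valid mailbox.
LISTED = {"99.2.0.192.dnsbl.example": ["127.0.0.2"]}


def demo() -> List[int]:
    p = Policy({"alice@corp.example"}, "dnsbl.example", lambda n: LISTED.get(n, []))
    good = ("198.51.100.7", "mx.sender.example", "bob@sender.example", "alice@corp.example")
    return [
        p.rcpt("198.51.100.7", "localhost", "bob@sender.example", "alice@corp.example", 0)[0],
        p.rcpt("198.51.100.7", "mx.sender.example", "bob@sender.example", "sales@corp.example", 0)[0],
        p.rcpt("192.0.2.99", "mx.sender.example", "bob@sender.example", "alice@corp.example", 0)[0],
        p.rcpt(*good, 0)[0],      # first delivery attempt
        p.rcpt(*good, 60)[0],     # retry before the delay has elapsed
        p.rcpt(*good, 400)[0],    # retry after the delay
    ]


if __name__ == "__main__":
    print(demo())
```

Every rejection here happens before the message body is accepted, so a legitimate sender that is turned away receives the error from its own server.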

  122. Check their junk mails??? by flyingfsck · · Score: 1

    Why? The whole point of junk mail filters is so that people DON'T have to look at junk mail. I get about 10,000 junk messages per hour. I cannot look at them even if I wanted to. My junk filters are 99.999% effective, so only about one of those crap message slip through to my inbox per hour and I still find that annoying.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  123. Millions of human eyeballs work best. Here's how: by nuckfuts · · Score: 1

    I've faced the exact problems you describe, have tried the oft-touted solutions, and (since you're not averse to a commercial solution) I can tell you the answer:

    http://www.cloudmark.com/businesses/

    I love it because (a) it eliminates a very high percentage of SPAM, (b) it has an extremely low false positive rate, and (c) it requires no fiddling - one easy installation and then forget it aside from occasional updates.

    A big part of what makes Cloudmark Server Edition effective is human feedback. When a user flags a message as SPAM this sends information back to Cloudmark which helps identify SPAM for other users. Votes from users with a proven track record of accurately identifying SPAM are weighted accordingly. Due to the large number of CSE users the system works amazingly well. It is by FAR the best solution I've tested. Bayesian filters, for example, require endless tuning and are subject to poisoning attacks. Greylisting is helpful, but it works on the assumption that spammers will never attempt delivery twice. I don't know how valid that assumption still is.

    The Cloudmark website talks only about Microsoft Exchange, but there are versions of CSE that work with other types of mail servers.

    I'm blocking thousands of junk messages every day on several servers with almost zero time spent on administration. Do yourself a favour and check it out.

  124. spamd - Barracuda - SpamAssassin - whitelist by Anonymous Coward · · Score: 0

    I use spamd -> Barracuda -> SpamAssassin -> whitelist

    I haven't gotten an e-mail in 8 months.

  125. I like Maia Mailguard by Culture20 · · Score: 1

    A sysadmin I know runs maia mailguard (with spamassassin, clam-av[?]) on his small-midsize network, and since the users train it, and also get to see all their spam (if they want), they get to feel in control. Of course getting users to train it is a social issue. http://www.maiamailguard.com/

  126. For me, Barracuda worked much better than alts. by VoxBoston · · Score: 1

    I run IT at a small, mostly mac-based outfit. We tried client-side filtering (SpamAssassin), and the Mail.app plugin was OK, but - required constant training by the users to get good results - until spammers attack methods changed... then we waited for the plugin to be updated, etc. This was not a good solution - we have a 'few, very productive employees' setup rather than an OfficeSpace / lots of drones setup, so any lost time is bad news. I then tried using Spamphibian (setup as a dedicated filter on a spare box). Total failure - LOTS of stuff got through, bad support from the parent company, slow filter updates. Terrible. Then I tried Barracuda. WHAT a difference. Easy to setup, very very effective filtering, user-level training if desired, user level quarantine-of-might-be-spam - so I the Admin don't have to review EVERYBODY'S junk folder for false positives. Sure, the product could be improved, and I totally agree with the back-scatter critique. But - if your time is valuable and you want your spam problem 99% solved, just install this thing. I love it. No, this isn't astroturf - I just like this tool very much.

  127. ASSP by moxitek · · Score: 1

    I personally love ASSP (anti spam server proxy) for my clients.

    It has a great deal of flexibility and since the highest false positives are flagged by the bayesian engine, you can set that specific filter to use "testing" mode which flags those messages with a subject line like [SPAM]. Couple that with a client side rule to deposit messages with that subject line into the junk mail folder, you then can allow employees to go through their own messages to look for their missing mail.

    ASSP also has a feature to allow for users to contribute to the filtering rules, so the filter gets more accurate over time. They can send messages that get marked false positive to an internal address that modifies the bayesian database so that messages of that type make it through next time. That feature also white-lists the sender's address along with simply sending that recipient a message.

    By far, it is the most flexible and powerful spam filter I've ever encountered and would highly recommend it for any small to medium sized business.

  128. I'm using GWAVA - but I have a larger system by Degrees · · Score: 1
    If I were in the 50 user range, I would definitely look at MX Logic, Postini, AppRiver, Katharion, Mailwise or some other hosted solution.

    What you want is for the hosting company to send you (each user) a digest on a schedule of your choosing. That digest will list all the items waiting in quarantine for you. You look at the items in quarantine, and release the good mail.

    The product should learn to pass the items you release. That's something I'd ask. GWAVA does it, and I'm sure other systems do too.

    If the product doesn't learn, and instead wants you to manually configure your exceptions list - I'd pass on that product.

    You want to keep the crap out of your mail system - so make sure the quarantine is the provider's problem, not yours.

    --
    "The most sensible request of government we make is not, "Do something!" But "Quit it!"
  129. Layers by Meorah · · Score: 1

    Use at least a 2-tier system, 3-tier if you include end-user filters. I use a CSC-SSM (with a plus license for anti-spam and some web content blocks) that uses Trend Micro tech in an ASA 5510 to block a large chunk of malware at the firewall level. Spam that passes through that then has to travel through a Symantec SMTP gateway which includes my content violation rules, such as any subject line ending with an exclamation point is rejected, a few dictionaries for various sexual words, some 3rd party DNSBL and DNSWL sites, and a user directory sync that rejects all external mail that doesn't include an existing user in the to/cc/bcc fields instead of forwarding all that crap to my catch-all address.

    Then if users miss any critical mail, I have them submit a ticket about the address in question, and either whitelist the specific address at both tiers if it's a personal address, or whitelist the domain at both tiers if it's a legit business contact. The rare spam that gets past and people complain about I usually just have them block the address from their client, though sometimes the spam jumps out at me as an easy rule to create on the content scanner smtp gateway level.

    And of course, I send myself daily reports about spam trends from both systems to check on trends instead of logging into my MTAs every day. This is for a company about 80 employees strong.

    --
    Protector of Capitalist views,
    Meorah
    1. Re:Layers by Lershac · · Score: 1

      dear lord, it sounds like you are spending a ton of time and effort on that. Probably money too.

      I set up ASSP on a company's server in about an hour, and rarely touch it ever again.

      Seriously, no offense or insult intended, check it out.

      15-150 users is my target demographic for doing sys admin work and that sounds like what you work with.

      --
      Chuck
  130. Calyptix Security by drachenstern · · Score: 1

    As a happy end-user, I'll throw my two cents in for www.calyptix.com. We've started using their AE500 series for our office (Granted we're small, but the product is solid) and I have had only bulk-mails getting blocked at the onset (such as noreply@tigerdirect... etc)

    Combine that with something like spambayes and properly configured, and within a few months, your users will not have hardly any spam in their inbox. Want a 3gb pst of pure unadulterated spam to start your filter? ha!

    --
    2^3 * 31 * 647
  131. What about outsourcing? by Anonymous Coward · · Score: 0

    Depending on the organization's size and how vigilant they wish to be about what gets through, why not consider outsourcing mail scanning to an off-site 3rd party like MessageLabs, Postini (Google) or similar? Mail scanning is not our core business, so it doesn't make much sense to dedicate many resources to it. Sure, some companies may have rules about who is allowed to view their mail, store it, blah blah, but having worked with MessageLabs in the past, they've got a slick product that provided good admin and end-user interfaces, and was priced decently per-user.

  132. Spamsoap by maverick762 · · Score: 1

    I'm a computer consultant for small to mid sized businesses. All of our clients are in the same position of having 15-75 users and needing some sort of spam filtering.

    We have found that outsourcing the issue to SpamSoap (spamsoap.com) to be an ideal solution. They use MX Logic's technology, which is very good. The pricing is geared towards small to mid sized companies.

    Each user gets a spam quarantine report email they can use to manage their spam directly from the email. And all spam gets filtered before it reaches your network.

  133. I implemented assp as well by goldcd · · Score: 1

    Nice simple basic install, then (as I was running on windows) a bit of tweaking to get it running as a service - and it's been pretty much faultless from then on. Currently set up so 'spam' is subject flagged by assp, mail server chucks spam flagged mail in separate folder on user machine, so it doesn't end up in inbox (but can be checked for false positives). Spam/Ham can be reported by end users just forwarding to a couple of mail addresses on the server - and if that's too hard for them to remember, then can just add some buttons to their mail gui.

  134. UTM Software by Anonymous Coward · · Score: 0

    I use a product called Untangle, available at http://www.untangle.com. It uses Spamd, is pre-configured and is easy to set up. You can use an old piece of hardware with it and it does a fantastic job for our organization.

    Give it a try. It blocks out about 2400 e-mails daily that get through our SMTP relay using MailSecurity.

  135. Some suggestions by dcam · · Score: 1

    AFAIK, most good spam systems involve defense in depth. My suggestions are:

    greylisting, which will cause some messages to be delayed, but is a fantastic weapon against spam when used with...

    RBLs (see other comments). Pick one that suits. The reason this is so good when combined with greylisting is that messages that have been delayed may well now have their originating IP address in one of your RBLs.

    Optionals at this point are SPF (requires other mail servers to have the appropriate dns records), checking that emails sent are valid (there are other comments here about this).

    Up to this point, you have spent very little bandwidth. All messages that are considered spammy have been dropped. You have also spent very little CPU time.

    Next line of defence is something like SpamAssassin. This can perform bayesian filtering on the email. This is configurable, but generally the best option is to set a header in the message, so that client side email applications can filter them out. This then leaves it up to the users to check their own spam folders.

    Lastly you could add something on the client, but it might be a little overkill.

    All this can be done on a standalone server sitting between your current mailserver and your router. There should be plenty of guides out there for this. Eg this or this.

    --
    meh
  136. Really Re:that's actually a good solution by swordfishBob · · Score: 1

    1 person vs everyone losing 30 minutes per day? Far out.. there are alternatives.

    We use SpamSentinel (a Lotus-Domino-only product). It's centralised and self-serve at the same time. SS has multiple engines; anything tagged by more than one engine is immediately dumped (now rejected at SMTP). The "maybe"s get quarantined, and users get a daily list of their quarantined items with hotlinks directly to the quarantined messages. From there it's only 1 click to release, or to whitelist the sender.

    I say self-serve is great. It takes me about 5 seconds to scan my daily list (of 20-50 "maybes"), and I've got a better chance of recognising my own legitimate mail than someone else does.

    Surely there's something like this for non-Domino folk.. surely..

    --
    -- All your bass are below two Hz
  137. 1999 called by Anonymous Coward · · Score: 0

    ...they want their post office back.

  138. Greylisting to reduce what you need to sort by evought · · Score: 1

    When in a similar situation administering multiple domains, I found that grey-listing gave the most bang-for-the-buck by eliminating roughly 90% of the SPAM before it got to the heuristic-based filters. It also reduced the CPU/IO load on the mail server since it requires very little on the server end to just tempfail a message and stick it in a hash. There were no false positives reported from the grey-listing.

    For those who do not know, I am referring to temp-failing messages from senders who are not already white-listed. If the user's client or upstream mail server does not bother to retry, it is almost certainly a mass-mailing program. For the small number of mass-mailers that handle grey-listing, it still naturally throttles their traffic and the SPAMmer still has to get through the rest of the SPAM filters. By letting grey-listing have a crack first, by the time you sit down to examine the quarantined mail by hand, there isn't anywhere near as much. It requires no interaction by the sender and, if you do hit a false positive, they get a normal bounce report and know to try again or give you a call.
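The temp-fail-and-remember logic described in the comment above, as an added example that is not part of the original post. Keying on the client network, envelope sender and recipient, and the three timing constants, are assumptions chosen for illustration.

```python
"""Greylisting decision logic: temp-fail unknown senders, accept on a proper retry."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MIN_DELAY = 300             # seconds a new sender must wait before a retry counts (assumed)
RETRY_WINDOW = 4 * 3600     # unconfirmed entries are forgotten after this (assumed)
PASS_LIFETIME = 35 * 86400  # confirmed senders stay known this long (assumed)


@dataclass
class Entry:
    first_seen: float
    confirmed_at: Optional[float] = None  # set once the sender has retried correctly


class Greylist:
    def __init__(self, whitelist=()):
        # Networks that bypass greylisting entirely (known-good relays).
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.entries = {}

    def key(self, client_ip, mail_from, rcpt_to):
        # Use the /24 (IPv4) or /64 (IPv6) so that a retry from a neighbouring
        # outbound relay of the same provider still matches the first attempt.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (action, reason); action is 'accept' or 'tempfail' (a 4xx reply)."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return ("accept", "whitelisted")

        k = self.key(client_ip, mail_from, rcpt_to)
        entry = self.entries.get(k)

        if entry is not None and entry.confirmed_at is not None:
            if now - entry.confirmed_at <= PASS_LIFETIME:
                entry.confirmed_at = now          # keep active senders known
                return ("accept", "known sender")
            entry = None                          # pass expired: start over

        if entry is None or now - entry.first_seen > RETRY_WINDOW:
            self.entries[k] = Entry(first_seen=now)
            return ("tempfail", "first contact")

        if now - entry.first_seen < MIN_DELAY:
            # Immediate re-sends are what bulk mailers do; the timer is not reset.
            return ("tempfail", "retried too soon")

        entry.confirmed_at = now
        return ("accept", "retry confirmed")

    def purge(self, now):
        """Drop stale entries so fire-and-forget senders cannot grow the table forever."""
        stale = [
            k for k, e in self.entries.items()
            if (e.confirmed_at is None and now - e.first_seen > RETRY_WINDOW)
            or (e.confirmed_at is not None and now - e.confirmed_at > PASS_LIFETIME)
        ]
        for k in stale:
            del self.entries[k]
        return len(stale)
```
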

  139. My setup is simple... by XmasterX · · Score: 1
  140. Google Apps by Swampash · · Score: 1

    End of story.

  141. There is so much you can do... by ArrayIndexOutOfBound · · Score: 1
    Ok, first for 50 people you may be in a good place to take up managed filtering. Check out Postini, MessageLabs and Email Systems to name a few. These are professional top quality managed filtering services. This is $2-4 per user per month and includes anti-virus, anti-phishing and such. This is also extremely easy to set up and remember, somebody else is running it for you. This is utter bliss really.

    I am personally using my own mail server and I did the simplest possible thing - every incoming connection is checked against dnsbls: sorbs, spamhaus and spamcop (all three allow you to look up addresses for free). This blocks nearly all spam and after nearly a year I've never had a false positive.

    If you are into setting up and running something yourself, you can use spamassassin (free oss). This is not terribly hard to set up, but worried about false positives I never really used it. I am filtering for a small number of savvy people using Thunderbird...

    Speaking of which, thunderbird has a reasonably decent filtering feature. It takes a while to 'learn' but it has been quite useful in filtering out the few leaking spam messages from dnsbls.

    There are countless commercial packages and I bet somebody else will cover that. Hope this helps
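How a per-connection DNSBL check like the one in the comment above works, as an added example that is not the poster's setup. The zone names are the ones listed elsewhere in this thread, the resolver is injectable so the logic can be exercised offline, and treating 127.255.255.0/24 as an error range follows the convention Spamhaus uses for its error replies.

```python
"""DNSBL lookup: build the query name, interpret the answer, decide per connection."""
import ipaddress
import socket

ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "safe.dnsbl.sorbs.net")

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")     # genuine listings answer inside this range
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error replies (e.g. query refused), not listings


def dnsbl_query_name(client_ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def classify(answers):
    """Map the A records returned for a DNSBL query to 'clean', 'listed' or 'error'."""
    if not answers:
        return "clean"                     # NXDOMAIN: the address is not on the list
    addrs = [ipaddress.ip_address(a) for a in answers]
    # An answer outside 127/8 usually means a resolver that rewrites NXDOMAIN;
    # an answer in the error range means the list refused the query. Rejecting
    # mail on either would block every sender, so neither counts as a listing.
    if any(a not in LISTED_NET or a in ERROR_NET for a in addrs):
        return "error"
    return "listed"


def system_resolver(name):
    """Default resolver: A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []                          # fail open: a lookup failure never blocks mail


def check_client(client_ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: verdict} for one connecting client address."""
    return {z: classify(resolve(dnsbl_query_name(client_ip, z))) for z in zones}


def should_reject(verdicts):
    """Reject only on a real listing; 'error' verdicts should be logged and investigated."""
    return any(v == "listed" for v in verdicts.values())
```
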

  142. AppRiver by 511pf · · Score: 1

    Appriver's spam filtering service (AppRiver.com) is your best friend. A couple reasons it's great:
    * AppRiver's spam filtering is extremely accurate - in the very high 90's.
    * AppRiver is a hosted service, so there is nothing to install, maintain or upgrade on your mail servers. As I recall, they went down for a total of an hour in two years of using them.
    * AppRiver pushes the spam message reading from you to the users. Every day, each user gets a single message from AppRiver listing all the spam it's caught in the last 24 hours. If the users find a good message, they click a resend link in the message and it's resent to their mailbox. They also have the option of requesting (with your approval) that all mail from a recipient be allowed through.

    I worked with a 40 user company with e-mail addresses published on the web and I spent less than an hour a month working on spam filtering. I don't remember specific pricing, but I want to say it was $20 per user per year or less.

    I'm not affiliated with them - just a happy customer.

  143. Abaca Gateway by Anonymous Coward · · Score: 0

    You could try using the Abaca Email Protection Gateway. They claim a 99% accuracy rate and there's an option for a 30 day free trial on their site.

    I've never used it but I've heard good things about it.

  144. You just can't win. by Lunarsight · · Score: 2, Interesting

    The business I work for would qualify as a middle-sized corporation.

    We run into the EXACT same issue you're running into.

    The dilemma is if we don't tighten the spam filter enough, we'll get complaints from employees (who are not shy about sending EVERY LAST PIECE OF SPAM THEY GET to us.)

    However, if they tighten the filter too much, then important emails that may seem spam-like begin to get blocked, and we get just as much heat for that.

    The answer - do your best to block what spam you can, and if you get complaints about some spam slipping through, tell them to delete it. We'll often add that we're working with the spam filter vendor to try and resolve the issue, but it's not that easily resolved.

    And no - we don't go through each message looking for spam - it's not practical due to the number of employees we have. We DO give them the power to block spam from specific addresses on their own, though. The benefit of this is the email is sent to a junk mail folder they can still access, which is useful should something legitimate end up there.

  145. Google + postini mail filtering for $3/user? by guyinblacktshirt · · Score: 1

    How about Google's offerings?

    How does the service work? You change your MX records to point your email traffic through our Postini-powered data centers. To fully protect your organization, Google recommends that all customers configure their gateway to accept email traffic (port 25) only for the Google IP range. After activation, you can add users through the Administration Console and configure your filtering policies.

    More FAQ

    I've been using it for two months now and it has been very effective and flexible.

  146. Mail Filtering for 100k users by Anonymous Coward · · Score: 0

    Learn the RFCs (2821, etc). Use the RFCs against the spammers.

    Most botnets are effectively blocked simply by intelligent use of DNS MX records. Make the first MX record go to an IP with a firewall against port 25. Subsequent MX records go to IPs with normal MTA listeners.

    Use a DNSBL (like Spamhaus ZEN).

    Use GreetPause (delays for a second before issuing the greeting; if sender has activity during this delay, reject the connection).

    Use Greylisting.

    Get aggressive, and filter on SPF failures (if the IP is not authorized by the purported domain, reject the connection). Yes, certain list-serves will fail SPF checks for certain sending domains, but list-serves can be modified to work properly with SPF records.

    Get aggressive, and filter on DKIM failures (if the DKIM signature is not authorized, or is wrong according to the current content, reject the message).

    Mark emails that fail custom content filters, and pass to the customer. Have the customer implement a client-side rule to file all emails with the "SPAM" mark into a Suspected-Spam folder. Educate the customers to monitor and clean this folder periodically.

    Provide a simple feedback mechanism for customers to send you the email source code for spam that slipped through all the filters.

    DKIM-sign all your outbound emails, so others can pick your legitimate emails out from the forgeries.

    Publish appropriate SPF records for your domain, so others can identify correct relays purporting to send from your domain.

    Support TLS (Transport Layer Security) on Internet connections.
    Enforce TLS for select important contact domains.

    Coordinated TLS partners can be exempted on the 1st-MX firewall, to circumvent your anti-spam measures (but virus-scan ALL email, still!).

    Using the above connection-centric filtering methods will minimize your need for transient custom content filters.

    1. Re:Mail Filtering for 100k users by Kalriath · · Score: 1

      Learn the RFCs (2821, etc). Use the RFCs against the spammers.

      Most botnets are effectively blocked simply by intelligent use of DNS MX records. Make the first MX record go to an IP with a firewall against port 25. Subsequent MX records go to IPs with normal MTA listeners.

      Actually, most of them aren't any more. All too many of the big botnets now go straight to the secondary MX assuming that the primary is some sort of front end filtering server and the secondary is your company's actual real Edge server for fallback if the third party fails.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  147. CanIT by Anonymous Coward · · Score: 0

    I have been using CanIT from roaring penguin software for about six months... and it has been fantastic. I highly recommend it to anyone that needs to manage their spam.

  148. SPAM/VIRUS SOLUTION - ONLINE SPAM SOLUTIONS by zimmy6996 · · Score: 1

    I just have to make a comment for an amazing fix for users in the 1-200 user range. There is an outfit in Chicago, IL called ONLINE SPAM SOLUTIONS. ONLINE SPAM SOLUTIONS - WE STOP YOUR SPAM, YOU DO NOTHING! http://www.onlinespamsolutions.com/ They provide an amazing value for Spam/Virus filtering. Prices start at $9.95/mo. I found them through Google, and it has been the most amazing find ever. We run an Exchange server with 25 users. We used to see over 200,000 messages per day hitting our server. This of course caused delays in the SMTP engine, and generally bogged down our server. We now see less than 1500 messages per day hitting our box, and NO SPAM! These guys have excellent customer service, and are easy to set up. I highly recommend them as a solution! Particularly in your case for 50 users.

  149. anti-spam howto for sysadmins by keeboo · · Score: 1

    1. - Use this (Postfix):
                    reject_non_fqdn_recipient,
                    reject_unknown_recipient_domain,
                    reject_unauth_pipelining,

    2. - Use those black lists:
                    safe.dnsbl.sorbs.net,
                    zen.spamhaus.org,
                    bl.spamcop.net,
                    db.wpbl.info,
                    dnsbl.njabl.org,
                    psbl.surriel.com,
                    list.dsbl.org,

    3. - Add manual filtering in order to block things like:
                    3.1 - Mail from HTTP client (MSN webmail, yahoo etc) from certain countries (in our specific case, several IP ranges from Africa).
                    3.2 - Mail from detected spam-servers (self-called advertising services).
                    3.3 - Etc you like.

    4. - Create a bunch of scripts to generate statistics on connections-per-host etc.
    Check those stats from time to time (at least once a week).
    This way you may easily find offenders.

    It works for our server, rarely we do have false positives.

    Our server blocks >20.000 spams a day (> 500.000 a month).
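One way to do step 4 of the howto above (connections-per-host statistics), as an added example that is not the poster's script. The log lines are constructed samples in the usual Postfix smtpd syslog layout, and the reason labels and the `min_rejects` threshold are assumptions.

```python
"""Per-host connection and reject statistics from Postfix smtpd log lines."""
import re
from collections import Counter

CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(?P<ip>[^\]]+)\]")
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"\S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<text>.*)"
)
DNSBL = re.compile(r"blocked using (?P<zone>[\w.-]+)")

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Mar  3 04:12:01 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Mar  3 04:12:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.net> to=<bob@example.com> proto=ESMTP helo=<pc>
Mar  3 04:12:02 mx1 postfix/smtpd[2101]: disconnect from unknown[203.0.113.5]
Mar  3 04:15:40 mx1 postfix/smtpd[2102]: connect from mail.example.org[198.51.100.20]
Mar  3 04:15:42 mx1 postfix/smtpd[2102]: disconnect from mail.example.org[198.51.100.20]
Mar  3 04:16:10 mx1 postfix/smtpd[2103]: connect from unknown[203.0.113.5]
Mar  3 04:16:11 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<b@example.net> to=<sue@example.com> proto=ESMTP helo=<pc>
Mar  3 04:20:00 mx1 postfix/smtpd[2104]: connect from unknown[192.0.2.77]
Mar  3 04:20:01 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.1.2 <x@nodomain.invalid>: Recipient address rejected: Domain not found; from=<c@example.net> to=<x@nodomain.invalid> proto=ESMTP helo=<host>
Mar  3 04:21:30 mx1 postfix/smtpd[2105]: connect from unknown[203.0.113.5]
Mar  3 04:21:31 mx1 postfix/smtpd[2105]: NOQUEUE: reject: DATA from unknown[203.0.113.5]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<d@example.net> to=<bob@example.com> proto=SMTP helo=<pc>
Mar  3 04:30:00 mx1 postfix/smtpd[2106]: connect from mail.example.org[198.51.100.20]
""".splitlines()


def reject_reason(text):
    """Reduce the free-text reject message to a short label for counting."""
    m = DNSBL.search(text)
    if m:
        return "dnsbl:" + m.group("zone")
    if "Domain not found" in text:
        return "unknown_recipient_domain"
    if "need fully-qualified address" in text:
        return "non_fqdn_recipient"
    if "pipelining" in text:
        return "unauth_pipelining"
    return "other"


def summarize(lines):
    """Return {ip: {'connects': n, 'rejects': n, 'reasons': Counter}}."""
    stats = {}

    def host(ip):
        return stats.setdefault(ip, {"connects": 0, "rejects": 0, "reasons": Counter()})

    for line in lines:
        m = REJECT.search(line)
        if m:
            h = host(m.group("ip"))
            h["rejects"] += 1
            h["reasons"][reject_reason(m.group("text"))] += 1
            continue
        m = CONNECT.search(line)
        if m:
            host(m.group("ip"))["connects"] += 1
    return stats


def top_offenders(stats, min_rejects=2):
    """Hosts with at least min_rejects rejects, worst first: (ip, connects, rejects)."""
    rows = [(ip, s["connects"], s["rejects"]) for ip, s in stats.items()
            if s["rejects"] >= min_rejects]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for ip, connects, rejects in top_offenders(summarize(SAMPLE_LOG)):
        print(f"{ip}: {connects} connects, {rejects} rejects")
```
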

  150. GMail by foxylad · · Score: 1

    I get about 1 spam message a week on my Gmail account, despite several wild-carded domains pointing to it. I noticed this a couple of years ago, when I was struggling with greylisting, spam assassin and spambayes. So as a test, I set up a Gmail account for a real-estate agent customer, who has a very problematic message profile (lots of real messages with "mortgage" and "loan"). I set Gmail to forward messages straight on to a second mailbox on my mail server, from where the customer picked up his mail. The results were fantastic - he gets hardly any spam, and hasn't had a single false positive (that he knows about). Plus he's worked out he can access his mail away from his computer. And all this with no training, which customers hate doing.

    So if your company can handle the idea of all their emails going through Google, Gmail is a great no-cost solution - you need to set up a Gmail account and two mailboxes for each user, but Google does all the hard stuff, saving you from buying meaty hardware for all that spam number-crunching.

    --
    Do as you would be done to.
  151. Canning Spam from user's inboxes by buss_error · · Score: 1

    First, use "smart" greylisting. That will temp fail (4xx) messages from domains/ip allocation combinations you do not know to be "good". After that, use the other kind of grey listing that rejects messages if there are any pre-chat commands from the sending system. That stops an incredible amount of viruses without having to virus scan. (But not all!)

    Second, use TLS with important/large customers. These emails should completely bypass any spam filtering, but never virus filtering.

    Third, instead of hard bounces (5xx), accept the message but quarantine it. Allow the end users to see their quarantine queue and review the message, and gate it in if good. I'm not aware of any open source that does that for you, we hacked up our own using MailScanner.info as a base (and it is pretty ugly, otherwise I'd submit it). Many commercial products have that built in. MXLogic for one. There are lots of others.

    Lastly, it shouldn't be just one person on the spam queue.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  152. Dspam by Anonymous Coward · · Score: 0

    Dspam has been running at our site for about 2 years with results nearing 99.9% accuracy.

    From their site:-
    DSPAM's philosophy is based on the belief that machine-learning (basic artificial intelligence) can, in and of itself, solve the spam problem without the need for human-maintained rules, inaccurate blacklists, or any hodge-podge of solutions for that matter. DSPAM's one central spam detection function incorporates advanced, concept-based statistical analysis. This has resulted in levels of accuracy up to ten times that of a human, with very few false positives. DSPAM breaks down each email into its colloquial components, analyzes the historical data for each component, and determines the most interesting characteristics to judge an email by. While DSPAM supports many pre-filters, post-filters, and additional layers of analysis, its central function lies solely in adaptive learning and language analysis. This alone has yielded levels of accuracy peaking at 99.991%.

  153. Here's a consultant's take on this issue by Anonymous Coward · · Score: 0

    I have resold, installed, supported more than one anti-spam solution for my customers. The #1 feature that saves the sysadmins from having to skim through the quarantine on a daily basis is the spam reports.

    You see, most commercial solutions (and even MailScanner, a SpamAssassin addon) allow for configuring email reports that are sent on a daily basis to users. These email reports list the content of the user's quarantine, and usually feature one-click release capabilities, so that users may easily release any false positives. This transfers the quarantine management responsibility to each user, and admins rarely need to get much more involved than the occasional explanation of the report's function.

    This type of feature is indispensable in larger corporations, and since it does not require the user to login to their quarantine through some form of web portal (they just have to read the report in their email), it does not result in a very involved process for the users.

    I have seen Symantec, Vircom, Fortinet's Fortimail, and others make use of spam reports. Do some research and you will likely find the feature on most commercial offerings.

  154. gmail for your domain by Anonymous Coward · · Score: 0

    The commercialized gmail offering comes with spam filtering, the gmail user interface, and remote access from anything with a browser. Is it critically important that you manage your own mail servers in house? For most people, not really.

    In any case, reading subject lines of the whole company's trapped spam is insane and a losing battle. I would neither want nor be able to keep up with my own mail that way, much less the mail of myself and 49 other people. Your time would probably be much better spent doing something else. In gmail, by the way, users can check on their own trapped spam if they want, or just ignore it (which takes the responsibility off of you and means you wouldn't get bitched at).

  155. GFI Training by Anonymous Coward · · Score: 0

    Have you been using the public folders that GFI makes available to designate e-mail messages as SPAM or legitimate? Have you been using the auto-whitelist feature? These work wonders for the 50-person companies that I work with. Some of my GFI installs are going on 4 years, and I haven't really had any false positives in 3.5 years.

    Any e-mail user these days needs to understand what their junk mail folder is and that they need to check it occasionally. The most computer illiterate owners/CEOs of companies get this and would never presume to make someone else do it for them. If they think e-mail is critical to their business and they're not big assholes, they understand that options are 5000 spam messages in their inbox a day or the possibility of a false positive.

  156. You should be so lucky by Anonymous Coward · · Score: 0

    Lucky you.... I get about 8000 spams a day, and that's just ONE account. Spammers hate me... I wonder if that had to do with the fact that a while ago, I was responsible for "nuking" more than a million infected hosts a while back... Sheesh, it's like swatting flies...

    I deploy a two tier filtering system. HTML Formatted text and misspelled words immediately get hosed. Next, my Bayesian filter gets it... by the time it gets it, almost all words are correctly spelled English.

    Next, I spend about 10 mins "manually scanning" the spam by displaying the messages in a way that makes "good mail" stand out easier. If my filters are good, no good mail winds up in there. The best way to do that is if you displayed only the from and body of the message (in a rather long line). Good mail really stands out, as most is in HTML formatted or other garbage.

    Every week, I have to go through and customize the filter to make up for changes in spammers' methods as they continue to change their tactics. I run the spam through a processor (which takes a long time) that analyses the words used in the spam messages and pulls out the largest number of occurrences which is used in the "pre-filtering" part.

    If I had my way, all private corporate Emails would be "white listed", but some people don't like that. For me, "white lists" rule... :-)

    k

  157. www.untangle.com by Anonymous Coward · · Score: 0

    save yourself some time and just go with untangle

  158. Maia Mailguard by CallMeNipple · · Score: 1

    I'm surprised that nobody has mentioned "Maia Mailguard." http://www.maiamailguard.com/ I've never used it and would love to hear about it from folks who have. I was planning on getting around to test it one of these days...

  159. Untangle is open source and has support a-la-carte by ThinkTwice · · Score: 1

    Untangle has 20-30 of the best open source security apps with an easy to use GUI. It also has optional VPN, remote access portal and a couple commercial apps. You can download it or get it as a pre-built appliance. It's simpler and much more elegant than a DIY solution. It's free or a lot cheaper than other appliances with less features, if you buy the subscription.

  160. ASSP by bradjs · · Score: 0

    It's free open source, you can integrate anti-virus with it (ClamAV). It WORKS!!!! And it beats the bejesus out of Trend Micro Interscan Viruswall- which was what we were using previously on so many levels it isn't funny! For example: System requirements: Trend Micro: 150Mb RAM + 1Gb disk. ASSP: 80Mb RAM + 50Mb Disk. I've gone from a system that downloads all mail to process it (an enormous waste of resources) to a system that rejects about 90% of connections and cans another 5% based on content. Not only that, I got rid of Trend Micro Officescan and replaced it with ClamWin. The only thing Clamwin doesn't do (Yet!) is on access scanning. So if you download a file which you suspect, right-click to manually scan. Again, significant savings in terms of disk, client and server resources at the disadvantage of no central logging. I'm not missing it though...

  161. MailFoundry by menelaus · · Score: 1

    My company will be installing MailFoundry in the next month. It has shown to catch more spam than IronPort and ProofPoint in our internal testing. It was also a lot faster than the other two. We have been having issues with Postini catching false positives and not allowing us to filter our outbound mail.

    MailFoundry offered great kill rates, faster throughput and outbound filtering for a cheap price.

    They're definitely worth a look.

  162. Re:smeserver.org by Anonymous Coward · · Score: 0

    Small business Server . The linux way. http://www.smeserver.org includes spamassassin and a whole host of sensible defaults.

  163. Deep6 DS-200 by yukio · · Score: 1

    i was in the same boat.... or close to one.

    we were (and are) running exchange. we were using NEMX for spam filtering. it's not that it's a bad product, but it required too much hand-holding and reviewing the contents of the Junk Mail folder for false positives. like the original poster, i would get complaints if the filtering was too loose, or too tight.

    then, i read about the deep6 ds-200 in windows secrets. like many other appliances, it's another embedded linux box. basic interface is just that - basic.

    but i decided to get one.

    that was 18 months ago.

    false positives are rare. barracuda-type bouncebacks are nonexistent.

    as you can tell from the different postings above - there are a lot of great solutions out there. this one worked for me.

    best of luck to you.

    --



    To have ambition was my ambition.
  164. Ferris Research recommends Google by CurtMonash · · Score: 1

    Ferris Research is one of the leading analyst firms covering email. They outsourced their OWN email to Google Apps, and I followed their example.

    DDOS attacks are now a thing of the past for me. The spam filter has JUST enough false positives I sadly have to scan manually, but in fact I've never been greatly inconvenienced by one. The false negatives are fairly mild.

    There is no such thing as anti-spam with 100% accuracy both ways.

    And by the way, challenge/response is a TERRIBLE idea -- it causes huge amounts of backscatter spam pollution, and it also inconveniences potential customers trying to reach you.

    CAM

    --
    To err is human. To forgive is good system design.
  165. Re: by clint999 · · Score: 0

    Ironic that in a story about spam, you are spamming about an anti-spam solution. Personally, I avoid any company that uses spam-vertising like yours (and if you think we believe you aren't affiliated with them like you claim in your other post when your onl
  166. googleapps is selective by Anonymous Coward · · Score: 1, Interesting
    (i'm a different AC than the one you're responding to) I can say that we have had outside engineering firms send us emails with development builds of software attached (as zip file) and have had a TON of trouble in the past with googapps just blackholing these emails. it made us look REALLY STUPID when it first happened, as it appeared (to the firm) our email server was poorly configured, and we went through a round of "no, we use google, it's your server.." before finally getting them to try .rarring it and problem was solved (sidenote: i was very amused to talk to an embedded systems designer.. systems that use linux.. that wasn't familiar with rar, but i guess he doesn't do software as much as PCB heh). a searchbox query (from my googapps email interface) of "filename:zip" leads to about a dozen emails that HAVE come through, the oldest from 2/20/07.. so I can't say wtf is up :(

    searching on google did find this Google Apps Administrator Help page. So it looks like because the .zip file contained an .exe, that is what did it. I guess googapps either can't parse, or chooses not to, .rar files. Relevant quote below:

    How do you protect me against spam, viruses and phishing attacks?
    Google has one of the best spam blockers in the business, and it's integrated into Google Apps. Spam is purged every 30 days. We have built in virus checking, and we enforce checking of documents before allowing a user to download any message. Most computer viruses are contained in executable files, so standard virus detectors scan messages for executable files that appear to be viruses. Google blocks viruses in the most direct possible way: by not allowing users to receive executable files (such as files ending in .exe) that could contain damaging executable code; even if they are sent in a compressed (.zip, .tar, .tgz, .taz, .z, .gz) format.
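
    The policy quoted in the comment above (refuse executables even when they arrive inside a compressed file), sketched as an added example that is not part of the original comment and is not Google's code. The extension list, the magic-byte list, the verdict strings and the sample message are assumptions constructed for the illustration; an archive the checker cannot open is quarantined rather than delivered unread.

```python
import io
import tarfile
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe",)  # the quoted policy names .exe; a real list is longer
# Archive types this example cannot list with the standard library (assumed list)
OPAQUE_MAGIC = (b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")


def archive_members(data):
    """Member names of a zip/tar archive, [] if data is not an archive,
    None if it is an archive whose contents cannot be listed."""
    if data.startswith(OPAQUE_MAGIC):
        return None
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        try:
            with zipfile.ZipFile(buf) as zf:
                return zf.namelist()
        except zipfile.BadZipFile:
            return None
    buf.seek(0)
    try:
        # "r:*" also opens compressed tarballs (.tgz, .tar.gz)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            return tf.getnames()
    except (tarfile.TarError, EOFError, OSError):
        return []


def attachment_verdicts(raw):
    """Return [(filename, verdict)] for every attachment of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Inspect the bytes, not the file name: a renamed archive is still an archive
        members = archive_members(part.get_payload(decode=True) or b"")
        if name.lower().endswith(BLOCKED_EXT):
            out.append((name, "reject: executable"))
        elif members is None:
            out.append((name, "quarantine: archive not inspectable"))
        elif any(m.lower().endswith(BLOCKED_EXT) for m in members):
            out.append((name, "reject: executable inside archive"))
        else:
            out.append((name, "deliver"))
    return out


# --- constructed sample data, not taken from the thread ---
def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in files.items():
            zf.writestr(member, data)
    return buf.getvalue()


def make_tgz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for member, data in files.items():
            info = tarfile.TarInfo(member)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_message(attachments):
    msg = EmailMessage()
    msg["From"] = "vendor@example.org"
    msg["To"] = "dev@example.com"
    msg["Subject"] = "Development build"
    msg.set_content("Development build attached.")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = sample_message({"build.zip": make_zip({"fw/flash_tool.exe": b"MZ"})})
    for name, result in attachment_verdicts(raw):
        print(name, "->", result)
```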
  167. Solution: user generated filters by Wayne247 · · Score: 1

    Granted I don't run a site as large as you ask, but in my case, the solution to spam was simply to start off with a good system (debian, spamassassin, and subscribe to some filter list).

    Then each user's spam is moved into a folder within that user's mailbox. I instruct my users that spam messages are put there by the server for 7 days. If they want to find a false-positive, it'll be there.

    After 7 days, my mail server eats those emails and feeds them through the Bayesian filter learning tool of spam assassin. At the same time, the learner scans the user's general inbox for HAM.

    This system, after being deployed, took about 2 weeks to learn our mail. After that, it went to practically zero false positive and zero false negative. I'm not even the MTA, so I can't run any blacklists, but still this simple user-generated decisions of spam has proven to be extremely flexible and efficient.

    As soon as one of my users starts to receive a new type of spam, it will be quickly learned and applied for the company.

    So finally, I rid myself of the task of checking the spam boxes, by handing it over to my users.
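
    The hold-then-learn cycle described in the comment above, as an added example that is not the commenter's script. It assumes Maildir++ mailboxes with a `.Spam` subfolder and that `sa-learn` runs against the Bayes database the filter uses; the function names and the choice to learn ham only from messages already opened (`cur`) and past the same 7-day window are assumptions of this sketch.

```python
import subprocess
import sys
import time
from pathlib import Path

HOLD_DAYS = 7  # users get this long to rescue a false positive


def aged(folder, subdirs, now, days=HOLD_DAYS):
    """Message files under folder/<subdir> delivered at least `days` ago."""
    cutoff = now - days * 86400
    hits = []
    for sub in subdirs:
        d = Path(folder) / sub
        if d.is_dir():
            hits += [p for p in sorted(d.iterdir())
                     if p.is_file() and p.stat().st_mtime <= cutoff]
    return hits


def train(maildir, now, run=None):
    """Build the sa-learn commands for one mailbox.

    With run=None this is a dry run. Otherwise run(cmd) is called for each
    command and the learned spam is expunged only after every call succeeded.
    """
    maildir = Path(maildir)
    # Spam nobody rescued within the window is treated as confirmed spam.
    spam = aged(maildir / ".Spam", ("new", "cur"), now)
    # Inbox mail the user opened and left in place for the whole window is
    # treated as ham; unread mail in new/ has not been judged yet, so skip it.
    ham = aged(maildir, ("cur",), now)

    cmds = []
    if spam:
        cmds.append(["sa-learn", "--spam", "--no-sync", *map(str, spam)])
    if ham:
        cmds.append(["sa-learn", "--ham", "--no-sync", *map(str, ham)])
    if cmds:
        cmds.append(["sa-learn", "--sync"])  # one journal sync at the end

    if run is not None:
        for cmd in cmds:
            run(cmd)          # raises on failure, so nothing is deleted
        for path in spam:
            path.unlink()     # the "server eats those emails" step
    return cmds


def run_checked(cmd):
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Usage: script.py /path/to/Maildir [--apply]
    apply = "--apply" in sys.argv[2:]
    for cmd in train(sys.argv[1], time.time(), run_checked if apply else None):
        print(" ".join(cmd[:3]), f"({max(len(cmd) - 3, 0)} files)")
```

    Because the age test uses delivery time, a message a user drags into `.Spam` on day 6 is learned a day later; the commenter's setup files spam there at delivery, where the two clocks coincide.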

  168. ASSP by defsdoor · · Score: 1

    I've been using ASSP for some years now - it gets better and better and, because it's a proxy, doesn't involve hacking and patching your MTA to implement. http://www.asspsmtp.org/

  169. Really? by bollob · · Score: 1

    Do you really manually check spam for more than just yourself? I am sorry, but that is insane! A mail admin I once nearly worked with, had a nervous breakdown because he was manually checking the processing in the queues all day. Your solution sounds no better than that. I am sure you are being paid for it, but I think you could probably get compensation for having to do such a thing.

    In today's modern world, you are probably not left with enough time to look for a new job, and you need a job to pay the bills right? Well, not so long ago, slaves were able to plan and make escapes. If I was in your shoes, I would be looking rather enviously at the concept of slavery!

    So, what do you do?

    First step is really easy, and it will buy you time for the subsequent planning. Get your boss to give you an old (but not too old) PC. Get as much RAM for it as possible (scavenge other PCs). Build a linux install (take your pick, but SuSE and Mandrake are good for beginners, if advanced, go for whatever you like).

    Load this up with the basic MTA (if SuSE it will be postfix, but sendmail and a few others are also excellent. Don't use qmail).

    Configure it to use spamassassin to filter all the mail (using a milter) and to relay all the non-spam mail for your domain to the internal gateway.

    This will block >90% of the spam (may be more, dependent on spamassassin configuration, mine hits >99.5%).

    Now you will find some time to recover your sanity and make phase 2. This should be either, find a new job (recommended) or find a better anti-spam solution.

    If you architect it properly, with open source solutions (standard interfaces and nothing specifically "clever") you can easily build a "postini" like service for nothing except a bit of effort. You will of course have maintenance, and trouble shooting tasks, but compared to your current daily work load, that should seem like a holiday.

  170. ASSP for spam by Anonymous Coward · · Score: 0

    I'll toss in a vote for ASSP

    http://assp.sourceforge.net/

  171. greylisting by stasike · · Score: 1

    Hi. I have implemented greylisting (package postgrey for debian) on our company server (cca 120 accounts). The level of spam dropped significantly and I have not received a *single* complaint about it.

  172. Outsource it. by Rickybee · · Score: 1

    I am a systems admin for an accounting firm of about the size of yours, and I used to use GFI's mail filtering software plus others to try and filter spam onsite. It quickly became apparent that it costs more in my time to take care of this, monitoring and tweaking, than it does to outsource. I came across a firm called Inbox Genius, which is part of MailFoundry who are different in that they only charge for email addresses they filter. Out of our 50 employees only about 20 actually have a problem, so we filter those only. The first 10 are free so it costs us less than $10/mo. Therefore, if you are spending more than a half an hour a month messing with this then it is wasting the firm's time and money.

  173. freespamfilter.org by Anonymous Coward · · Score: 0

    Have a look at the walkthroughs at FreeSpamFilter - they have how-tos for most flavours of Linux as well as OpenBSD and FreeBSD.

    If you follow their instructions you will end up with a spam filter appliance based on Postfix and SpamAssassin. If you add Webmin you get something fairly similar to a Barracuda (without the privacy concerns, backscatter problems and blacklist abuse) for the price of a commodity box.

  174. Mail Filtering Service by mmclendon · · Score: 1

    My company has used email filtering services from MXLogic for years. I am sure that there are other equally competent service companies that you can compare if interested. This service allows staff to perform revenue-generating work and not fool around with managing spam and so it is very cost effective for us. The service gives each user a console to manage filtering, malware detection and so on. The licensing is by user. Good luck with your research.

  175. IMail Server Plus by Anonymous Coward · · Score: 0

    Our company uses IMail Server Plus. It is our email server which comes with carrier-grade spam filters built in. So, we do not have someone manning a terminal manually eliminating possible spam. The irony of this is that your company pays for a full-time employee to manage spam when in reality they could make a minimal investment that requires minimal time to setup and maintain to be virtually spam-free. Odd. What type of business is this? Would they pay me to make sure the lights stay on in the building? You know...walk around all day and ensure that the switches are in the up position? Sounds like you've got a cush job...don't let your employers learn about the Google. They MAY just think to type in "anti-spam" and then off goes your job.

  176. spam filter using Astaro by jerichod · · Score: 1

    use http://www.astaro.com/
      - either the appliance (i have not used the appliance yet) or download the software (version 7 has the best features) and use it on a spare computer. i use it at home and work and love it.
    specifically re: spam -
    I agree with philosophy of earlier poster - gotta take a multi-layer approach, a good firewall / proxy like astaro is just one link.

    astaro lets you set up pop and smtp proxies so you can check with their rules and filters (updated daily) and or your own, plus users get a daily quarantine digest so if something is being held they will know and it can be released (but only by an administrator - so you get to be in the loop if they want the email) - plus you can filter outgoing so as not to propagate if you get infected, plus you can do white and blacklist, plus AV scanning, plus... (you get the idea)

    can try it out for free as well. (no, i don't work for astaro - it just has been very useful to me).
    r.

  177. 35000 seats - our solution by Lokatana · · Score: 1
    Up until a few months ago, I managed the email department for an enterprise of 35,000 seats. We implemented "Ironport" anti-spam appliances and have been very happy with them.

    We're presently blocking between 750,000,000 and 1,000,000,000 spam messages per month, and allowing in about 1,500,000 "good" messages (which includes spam that defeats our defenses) in that same time period. 99% of all email that hits our perimeter is blocked, and our analysis of the "good" email indicates the actual success rate is about 99.9% of spam that targets us is blocked, which is a very high ratio.

    Since we put in this solution, we get almost zero complaints from our user base. The typical user receives no spam, and we have a very small number of users who see up to 2-3 a day, which we find acceptable. We might see a false positive once or twice per month, which, across 35,000 users, is very acceptable. Its flexibility and rule processing has also allowed us to address a number of business requirements for message routing & processing. I highly recommend this product if you are looking at a commercial solution. They do have products for a medium sized business, as well as enterprise class environments.

    -Lokatana

  178. No one has mentioned messagelabs by Anonymous Coward · · Score: 0

    Well no one has mentioned messagelabs.com and been modded high enough for me to see their comment.

    We use them. I don't rightly know how they do it, but their false positive and negative rates are as close to 0 as you'll see anywhere. If you're going to spend money on a spam solution they're the ones to get.

    Of course that's a big if. And for another big if, if you're willing to put up with a non-zero error rate, then many of the free solutions are great. Just remember that blacklists are Baaaaaaaaaaaaaaaaad

  179. SpamSentinel for Lotus Notes and Domino by notes+rules · · Score: 1

    Most of the users are SMBs, between 50 and 500 users. The subscription does most of the work, and the users have self-service to the quarantine, which takes the load off of the administrators. Any product that you pick should really only require 15 minutes or so each day to check that it is running, and have a self-service component, otherwise you will spend all day managing spam. http://maysoft.com/

  180. Use Untangle by Anonymous Coward · · Score: 0

    Use Untangle (www.untangle.com)

  181. MXLogic by Anonymous Coward · · Score: 0

    I'm the IT manager for a company of about 40 people. We've used MXLogic (3rd party SaaS solution) for about 2 years now and I've been really happy with it. It is rare for spam to get through and equally rare for a legitimate email to get blocked. It can be configured to send a daily spam report to a user's inbox, so even if something does get blocked, they have an easy way to identify and release it.

    Aside from the quality of the spam blocking itself, it also does AV scanning and offers all sorts of policy-based content filtering.

    For a small company this has been a great solution. It was easy to set up, requires very little care and feeding, and it only costs us $60 per month. $60 a month to basically never have to think about spam is well worth the price IMO.

  182. Can't tell mailing lists from spams by yuna49 · · Score: 1

    I host listservers for a national nonprofit organization. My server got blacklisted by AOL for a while because a few subscribers didn't realize they had joined a list. Instead of asking to be removed, they simply tagged the messages as spam at AOL. It didn't take long before we were suddenly considered a spamming server.

    Dealing with AOL over this was one of the more annoying problems I faced last year. Now the messages still get reported as spam, but because I've registered my server with AOL, they now ignore these reports.

    Users really have little understanding of the nature of modern e-mail traffic. If they sit behind a decent filtering system, they see so little spam that they think most mail is legitimate. When I tell most people that spam constitutes well over 90% of all mail traffic, their jaws drop.

    A couple of words of advice for the OP. Set up a system to funnel spams to individual spam folders. (I set global rules in /etc/procmailrc for this.) If you're using SpamAssassin to filter, ignore most anything over 12. If you can, just send these to /dev/null or a quarantine mailbox.

    If you want to improve the visibility of your spam filtering operations, and perhaps get some recognition for, or help with, coping with spam, announce a "filtering holiday" in your organization. My recommendation would be to disable filtering over a weekend when most traffic is spam. When everyone arrives on Monday morning, it won't take more than a minute or two for them to realize what the spam problem is really like.

    That suggestion is only partly made in jest.

  183. Get a CanIt SMB Appliance by macdaddy · · Score: 1

    I've been a big fan of the CanIt spam filter for years. Its underpinnings are OSS and you get full source code when you buy the product. Their support is excellent. At an ISP I run I installed it from source and it worked flawlessly. I would recommend the CanIt-SMB appliance for your needs unless you think you'll grow beyond 100 users soon. You won't be sorry.

  184. Implement gray listing to eliminate most spam by slashname3 · · Score: 1

    Just implement gray listing. This will eliminate most spam. Then setup spamassassin to catch the few that do get through.

    I set this combination up several years ago for a small company. The owner was about to abandon email entirely because of the amount of spam that was coming through. Once this combination had been implemented he has had no real problems with spam since.

    When I first looked at the problem he was getting thousands of spam messages a day. Now there is just a handful that get through the gray listing and spamassassin does a great job of dealing with those.
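
    The greylisting decision that this comment and the earlier postgrey comment rely on, as an added example that is not part of either comment and is not postgrey's code. It shows the per-triplet logic only; the delay, the expiry times, the /24 and /64 grouping and the sample addresses are assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

MIN_DELAY = 300              # seconds a new triplet must wait (assumed value)
RETRY_WINDOW = 2 * 86400     # unconfirmed triplets are forgotten after this (assumed)
PASS_LIFETIME = 35 * 86400   # confirmed triplets expire if unused this long (assumed)

TEMPFAIL = "450 4.2.0 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Ok"


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    confirmed: bool = False


@dataclass
class Greylist:
    entries: dict = field(default_factory=dict)

    @staticmethod
    def key(client_ip, sender, recipient):
        # Group by network so a retry from a neighbouring outbound host of
        # the same provider still matches the first attempt.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """SMTP reply to give at RCPT TO time for this delivery attempt."""
        k = self.key(client_ip, sender, recipient)
        e = self.entries.get(k)
        if e is not None:
            age = now - (e.last_seen if e.confirmed else e.first_seen)
            if age > (PASS_LIFETIME if e.confirmed else RETRY_WINDOW):
                e = None                      # stale: start over
        if e is None:
            self.entries[k] = Entry(first_seen=now, last_seen=now)
            return TEMPFAIL                   # first contact: ask for a retry
        if not e.confirmed:
            if now - e.first_seen < MIN_DELAY:
                return TEMPFAIL               # retried too quickly
            e.confirmed = True                # a real MTA queued and came back
        e.last_seen = now
        return ACCEPT


def demo():
    """Constructed sessions: a queueing MTA versus a sender that never retries."""
    g = Greylist()
    t0 = 1_000_000.0
    legit = ("alice@example.org", "bob@example.com")
    replies = [
        g.check("192.0.2.10", *legit, now=t0),            # first attempt
        g.check("192.0.2.10", *legit, now=t0 + 60),       # retry inside the delay
        g.check("192.0.2.11", *legit, now=t0 + 900),      # retry from same /24
        g.check("192.0.2.10", *legit, now=t0 + 86400),    # later mail, no delay
        g.check("198.51.100.7", "x@spam.invalid", "bob@example.com", now=t0),
    ]
    return [r[:3] for r in replies]


if __name__ == "__main__":
    print(demo())
```

    The last sender in the demo gets a 450 and never returns, which is how the thread's "most spam" disappears; the cost is a one-time delay of at least `MIN_DELAY` for each new legitimate correspondent.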

  185. user based rules by jriding · · Score: 1

    I understand that this might not be a suitable suggestion for some organizations but many spam filter apps / appliances will send an email (on a regular schedule or as it comes in) to the users saying these emails were caught in the spam filter, would you like to release or delete. This would let you limit the time you spend on these emails and enable the user to access the spam filter only for themselves and allow the correct emails.

    --
    love the taste, hate the texture
  186. Looks Like A User Error by No-Cool-Nickname · · Score: 1

    Having deployed GFI at multiple locations, I suspect the problem is in your deployment. GFI learns spam patterns based on your inbound and outbound traffic, updates itself via downloaded lists, and allows users to report an item as spam to block further receipt of that message. Additionally, GFI's support has always been very responsive. One client was using GFI MailEssentials when the PDF spam started being a problem. They had a patch a full week before the other vendors which I support. I suggest that you look at your GFI deployment and call their tech support to assist you in fixing it.

  187. General Suggestions by artgeeq · · Score: 1

    A third-party provider would typically be best for a small business, such as Postini. Appliances would be my second choice, such as Ironport or Ironmail on the high end. Whatever you choose, make sure that you integrate anti-virus and anti-spam in the same system.

    I think you tend to get what you pay for. The open source solutions can work in some situations, but for one IT guy in a 50-person company, the maintenance could be a bit much. If you go this route, prepare to spend some time learning to configure the MTA and some trial and error.

  188. Service or Personnel by Anonymous Coward · · Score: 0

    You can present it to management from the perspective of, do we want to pay someone (you, in this case) to manage this full time, or do we want to purchase a service from a spam filtering company, ironport, ironmail, barracuda, etc. who can do it for us. I love open source, but if you are spending all of your time working with spam (which is terribly unrewarding), you are only screwing yourself.

  189. +1 Informative. Wish I had mod points... by Rabid+Cougar · · Score: 1

    I couldn't agree more about ESVA. It is working like a champ for us. We don't get false positives, and spam is such a rare occurrence that when one of our users actually gets a spam every few months or so, they kind of panic and don't know what to do.

    Like many others, I am concerned about the age of ESVA and the delays in getting 2.0 out the door. I am nearly at the point where I am going to start looking elsewhere. Perhaps IPCop and Copfilter on a dedicated firewall/anti-spam box.

    --
    This isn't the sig you're looking for...
  190. Go with Barracuda by Anonymous Coward · · Score: 0

    This post sounds EXACTLY like my experience all the way to GFI sucking and letting through around 38% of spam mail. My company of 50 people gets around 15,000 messages a day and about a thousand of those are legit. I bought a Barracuda Spam Firewall 300 and in the first day I got users stopping by and thanking me (some people were getting 2-3k spam messages every day).
    I've had it running for 26 days and after close to 400k messages and 25k legitimate it has blocked EVERY spam message. WELL WORTH THE PRICE!!!!!

  191. Give Users Control by kabeatty · · Score: 1

    Alt-N Technologies recently launched SecurityGateway for Exchange/SMTP Servers and it offers a feature that sends users a daily email identifying each message that has been quarantined. The user can then decide what needs to be done with the message and free you to manage more important areas of the network. You can watch a demo and download a free trial at http://www.altn.com/Products/SecurityGateway-Email-Firewall/. If you replace your current solution, I'll give you an introductory discount. You can contact me at kevin.beatty@altn.com

  192. Great luck with Spamsoap by eKahuna · · Score: 1

    We've used Spamsoap for well over a year and have only good things to say about it. We route our mail feed to their servers and receive only fresh and spam-free email stream on our network. Sitting in the middle of thousands of customers' email feeds, they are in a better place to judge a message's spamminess than a local appliance or end-user application. Can't say enough about this service. We just signed the contract, wrote a reasonably-sized check, made a DNS change, and we no longer have a spam problem. No set up, no maintenance, no I am not an employee, stock-holder, or friend of theirs... just someone who likes the rare situation these days when something works exactly right.

  193. Symantec actually gets this right... by bitrot42 · · Score: 1

    I have no great love for Symantec, especially their retail products, but their Mail Security for Exchange (SMSE) has been fantastic for us. I believe it's based on the BrightMail engine they bought a few years ago, and they don't seem to have screwed it up yet.

    After a Spamhaus RBL check, we still get ~20,000 spam messages a month (quite a bit for an office of 25 people.) I used to have a manually-maintained keyword / regexp list, which caught about 75% of this without much maintenance effort. After using SMSE for a few months I gave it up, since SMSE caught all of them but maybe 2-3 a day.

    The detection rate is excellent, and I have yet to see a false positive that wasn't pretty close to spam anyway (legit hotel/airline offers and such.)

    Your mileage will certainly vary (and will probably be less), but spam gives us very little trouble at this point. It's made my job easier, or at least allowed me to make better use of my time elsewhere.

    I can't believe I just wrote glowing praise for a Symantec product, but there it is.

    --
    FIXME: Add a sig here
  194. Look at Untangle - It's like Open Source Barracuda by atrimtab · · Score: 1

    www.untangle.com

    Untangle is essentially a GPL'd open source Linux distribution that acts as a perimeter firewall/spam filter.

    Download the CD image and boot it on an older system. This will give you a system at least as good as Barracuda (actually it's a lot better) for FREE!

    Gmail and Postini are not good solutions. Been there done that.

    --
    Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
  195. Messagelabs! by Anonymous Coward · · Score: 0

    Give them a free trial try. They manage it all for you, take the stress out of the spam filtering.

    Can't recommend them enough!

  196. Spam Filtering For Small/Medium Business? by cyb3r50u1 · · Score: 1

    I'm also using gfi's mailessentials to handle the spam of my 100 users, and it does seem to be doing pretty well.

    I have enabled the autowhitelist which has reduced the amount of false positives from my system. Only emails coming from 'unknown' senders are scanned by gfi after I did this. This also allows me to tighten the rules a bit more without having the boss running after because of a lost deal.

    I have currently enabled sbl-xbl.spamhaus.org and bl.spamcop.net, both of which seem to be doing a very good job.

    Finally, I have configured all the anti-spam features to move the spam emails to folders in the users' mailboxes. I think this was my best move, considering the amount of spam we receive. :)

  197. Re: Spam - consider Messagelabs by Anonymous Coward · · Score: 0

    The route I took was to sign up for MessageLabs.

    Previously the co I consulted for had half a dozen Exchange servers all running GFI mail scanning products. The Messagelabs solution (although its not free) saved a load of time, was reliable and reasonably (IMO) priced.

    Might be worth a look.

  198. Xwall - 350 users, ~10k blocked emails/day by InvaderSevlow · · Score: 1
    (former Novell/M$ shop converted to pure M$ ~1 year ago)
    We are currently using a combination of Postini, and Xwall. We're about ready to drop Postini as it's really not doing much for us. Instead the Forefront stuff is looking interesting.

    But Xwall has been a gem running as our edge roll server for the past 6 years. We have been very impressed with its light weight, power and extensive feature set. It's currently filtering against spamhaus and spamcop, but it also catches a LOT of virus emails that get through Postini. Since setting it to discard all emails to addresses outside our valid ones (aka- email addresses for employees that have left), the processing time has decreased significantly. Worth a look IMHO.

  199. Try SpamFilter from Logsat by gbrayut · · Score: 1

    That is what I do for a small company with about a dozen email addresses. We setup SpamFilter from http://www.logsat.com/sfi-spam-filter.asp and I manually go in and clear out the quarantine items once a week. Sort by subject, and you can burn through a large queue very fast.

    I'd recommend SpamFilter to anyone interested in a low cost solution with many advanced features. There is a free fully functional trial (no time limit) and it costs $600 for a one time server license. Works great, blocked 178,121 emails and forwarded 20,460 in the last 3 years.

    SpamFilter Features:

    DB - SpamFilter Distributed Blacklist
    MAPS DNS RBL Filters
    SURBL Filters
    SPF - Sender Policy Framework
    Bayesian Statistical Filtering
    Image Scanning / Filtering
    Blacklist IPs
    Blacklist Domains
    Blacklisted FROM Emails
    Blacklisted TO Emails
    Blacklist by Country
    Honeypot Capabilities
    Attachment Blocking
    Keywords Filter
    Reverse DNS validation
    MX Record validation
    Reject if "Mail From" = "Mail To"
    Reject if "From Domain" = "To Domain"
    Whitelist Domains / IPs
    Deliver specific emails without filtering
    Whitelist FROM Emails
    List of "Authorized TO Emails"
    SMTP User Authentication with SSL support

  200. google apps? by andyKucharski · · Score: 1

    Why hasn't anyone suggested an outsourced solution like the gmail implementation of Google Apps for your domain? I don't work for google or own shares (ok, i own two) but think they have created a great solution for small business users. We've wrestled with spam filters, servers and email outages. It was a nightmare and very costly from sysadmin time every month. Finally I decided to throw in the towel to the fight to create an in house solution. It's been smooth sailing ever since. Don't look back - let someone else take care of it.

  201. Just drop the IPs by Anonymous Coward · · Score: 0

    If you're small/medium sized, and don't do a lot of email overseas, drop the IPs for Asia at your edge firewall.

    Dropping the IPs for Eastern Bloc countries and Asia dropped my baseline spam from 400/day to about 80.

  202. Try this option by Anonymous Coward · · Score: 0

    I manage email for 2600 users and after working my butt off for a few years trying to learn enough about spam and anti-spam... I finally learned that others are better at it than I, and that I have other work I like better.
    so - my point...
    try MX Logic - monthly billing based on the number of users in-house, EASY to begin using (simple DNS change) and if you find a better solution or spam really does go away... you're not invested so heavily that you feel bad about a change. They do a solid job. and I DON'T have to touch spam now.
    Try it...

  203. Re:Barracuda google Apps is better by jon3k · · Score: 1

    How do you know your ISP isn't doing the same thing? For the same reason people trust google -- you have a contract with them that says they won't.

    You can put up your tinfoil hat, FUD like that doesn't fly here.

  204. Simple multi-level spam filtering by Anonymous Coward · · Score: 0

    I manage a relatively simple solution for our small company of ~25 mailboxes (about 2-3 spam/minute). We implement four layers of spam filtering, as follows:

    1. We use an external filtering system that hooks in via DNS and prepends [SPAM] to the subject line of mails detected as spam.

    2. We have a central whitelist of customer domains/emails that are allowed through.

    3. Each user may use a web interface to implement more specific filtering that prevents the spams from reaching their desktop inbox.

    4. Finally, each user has the option of desktop spam filtering, either within the mail application or through a desktop security system, such as Norton 360.

    Not perfect, but it seems to catch 80-90% of spam before it reaches the user's inbox.

    James

  205. Another vote for ESVA from me. by WoTG · · Score: 1

    The lack of updates has me concerned as well. ESVA just doesn't have the developer community working for it... hopefully it gets going again.