Spam Filtering For Small/Medium Business?
or_is_it writes "The company I work for has been growing dramatically and I've been charged with the task of being the gatekeeper for our GFI Spam filters. This involves manually inspecting the subject line/to/from for all caught messages in each filter rule folder. For a company of about 50 people, in one day the number of spam messages can exceed 2,000. Neglect it for a day and you end up with quite a task on your hands. I've made the rules lax enough so important messages can go through, along with a few stray spams, for which I get bitched at. Tighten the rules up and then maybe an important time-sensitive email never gets to its intended recipient, and I get bitched at. Manually reading through all those subject lines is supposed to prevent that, but I'm only human and genuine messages can easily get overlooked. How do larger organizations deal with the spam issue? I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution. Purchasing a different commercial mail filter product is a possibility, but I'd like to hear some anecdotal evidence before jumping ship."
To be honest, for somewhere of that size I'd be tempted to use some sort of client-based filtering (along the lines of spambayes [http://spambayes.sourceforge.net/]) which would put the power and responsibility in the hands of your users.
-- Gaxx
I purchased a Barracuda for my organization of about 120 employees, and it has been fantastic. I fine-tuned a few options in the config and it has blocked about 200,000 emails in the almost two months I have had it deployed. There are very few false positives, and very few that get through its filters. I actually get calls of gratitude from the end users about how happy they were not receiving any more SPAM messages. The hardest part was informing the user base of the difference between the mailing lists they were on and SPAM. Barracuda's support has been good as well.
Use MailScanner with the MailWatch GUI and after a few weeks or so of monitoring and tweaking, it will run on autopilot and you can sleep well. http://mailscanner.info I have it running on a number of small businesses and they are very happy with it.
> maybe an important time-sensitive email never gets to its intended recipient
When will users learn...
Email is not instant messaging - with bad greylisting / random connection reset / busy server, you can get >=2 hours delay. And it's normal.
I've had to send emails to recipients within the Australian Defence Force (specifically, the Army), and every email sent from a civilian must include a keyword within the subject line. The keyword is to do with whether or not the information is classified or unclassified. Sure, getting all the clients to send all their emails with [companyname] in the subject line is a little annoying, and may not be possible depending on your circumstances, but spam having that keyword within it is virtually impossible.
Set up an automated filter whereby anything that doesn't have the keyword in the subject gets dumped into a spam box to be sorted later. If the senders do the right thing, it assures their emails will be directed to the correct person.
This is just one example of active spam filtering as opposed to the passive spam filtering used in IT today.
You moved your mouse. Please restart Windows for changes to take effect.
Whatever solution you get, the simple answer is:
1) Set up the system to put junk mails in a folder the user can see
2) Train the end user to check their junk mails
3) Show the user how to set the spam triggers high or low and what the implications are
If user says they're too busy/important, advise them that due to your workload, their email box will be added to the "manually checked list" which gets done once per week. Point out the impact of losing a time-critical email wrongly flagged.
Most times they do it themselves. For those who are dead set on having someone else do it, hire a temp or arrange for an office junior to do it.
If you're in IT, you have better & more important things to do than check for real mail in a junk mail box...
I left my body to science, but I'm afraid they've turned it down...
I like the way spamassassin works - it can provide a rating for each message, which provides a mechanism for users to set the bar to their own preference, instead of having a single setting for the entire organization.
I'm not talking about using individual configurations for spamassassin; it's not realistic to expect most users to be able to deal with all the gory detail of spam filters.
Rather, spamassassin can set a header to indicate its confidence that a message is spam: it adds an asterisk for each "point" of spam score. Users should be able to create an email filter which picks off suspected spam and puts it into a separate folder based on a header like that. Maybe drop all 10+ messages centrally, and let users tweak a local filter to their liking, depending on whether they prefer false positives or negatives.
I use spamassassin as an example only because that's what I use. There are no doubt others which can provide something similar which users could filter on.
"National Security is the chief cause of national insecurity." - Celine's First Law
Postini's anti-spam service does wonders. We use it for about 200 accounts and people love it. It works, rarely gets things wrong and is simple. IT (me) loves it because spam is no longer my problem. For a fee that would be less than my effort and aggravation is worth, they take care of it. We are currently investigating expanding use to compliance filtering and archiving as well.
For the record, Google purchased Postini in the not too distant past.
Learning HOW to think is more important than learning WHAT to think.
How do larger organizations deal with the spam issue?
I used to work for a mining company you've heard of. Our department had responsibility for managing the email vendor, who used Spamshark to filter spam coming into the organisation. From my limited knowledge of the setup, Spamshark does basic blacklisting etc. but also does selective blacklisting on specific IPs when an email is flagged by a user. So Alice flags a message as spam, Spamshark figures out the message id, grabs the IP address it came from (it knows because it previously handled the email), and then blacklists that IP for a certain amount of time. Now this internal blacklist is then shared to all the other customers who use Spamshark, so they are now protected too; resulting in a 5 nines hit rate on spam.
Like I said, we just handled vendor relations, and the above description might not be totally accurate, but this is what I gathered when we dealt with them. I also remember getting about 10 complaints of spam a month for an organisation with tens of thousands of email addresses - so it was very effective.
"And then I visited Wikipedia
I've had excellent results with this particular product. Spamd uses blacklisting, greylisting, and tarpitting. It really is delightfully evil and still makes me smile because it includes a fake SMTP daemon which sets the TCP receive window to 1. This is a kick in the nuts to the spammer. I've used it with resounding success at a client who was receiving 2000 spam emails a day. Prior to implementing spamd, we were using just a Barracuda. When I combined spamd and the Barracuda, spamd caught about 1975 of the spam messages and the Barracuda took over from there. No false positives and we've been running for three months. This link details how to set it up, http://www.linux.com/feature/61103.
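The greylisting step that spamd (and the MailScanner appliance described further down) relies on, as an added example that is not part of the post above and is not spamd's own code. A triplet of client network, envelope sender and envelope recipient seen for the first time gets a temporary 4xx reply; a real MTA queues the message and retries, the typical spam cannon fires once and never returns. Timings follow spamd's documented defaults (25 minutes, 4 hours, 36 days); the addresses and traffic are constructed for the illustration.

```python
"""Greylisting, as an added example; not the poster's spamd configuration.

A triplet (client network, envelope sender, envelope recipient) seen for the
first time gets a temporary 4xx reply. A real MTA queues the message and
retries; the typical spam sender fires once and never returns. Timings follow
spamd's documented defaults; the traffic below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

PASSTIME = 25 * 60            # seconds a new triplet must wait before it is accepted
GREYEXP = 4 * 3600            # seconds an unretried triplet is remembered
WHITEEXP = 36 * 24 * 3600     # seconds a passed triplet stays whitelisted


def triplet(ip, sender, rcpt):
    """Key a connection on its /24 (or /64): MX farms often retry from a sibling host."""
    prefix = 64 if ":" in ip else 24
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), sender.lower(), rcpt.lower())


@dataclass
class Greylist:
    passtime: int = PASSTIME
    greyexp: int = GREYEXP
    whiteexp: int = WHITEEXP
    grey: dict = field(default_factory=dict)    # triplet -> time first seen
    white: dict = field(default_factory=dict)   # triplet -> expiry time

    def expire(self, now):
        self.grey = {k: t for k, t in self.grey.items() if now - t < self.greyexp}
        self.white = {k: t for k, t in self.white.items() if t > now}

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply code for this delivery attempt: 250 or 450."""
        self.expire(now)
        key = triplet(ip, sender, rcpt)
        if key in self.white:
            self.white[key] = now + self.whiteexp   # each delivery renews the entry
            return 250
        first = self.grey.get(key)
        if first is None:
            self.grey[key] = now                    # first sighting: defer
            return 450
        if now - first < self.passtime:
            return 450                              # retried too early, keep waiting
        del self.grey[key]
        self.white[key] = now + self.whiteexp       # retried like a real MTA: admit
        return 250


def simulate(events, greylist=None):
    """Replay (time, ip, sender, rcpt) attempts; return the reply code for each."""
    gl = Greylist() if greylist is None else greylist
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in events]


# Constructed traffic. A real MTA retries after ten and thirty minutes, the
# second time from a sibling host in the same /24; a bot sends three messages
# with fresh sender addresses and never retries any of them.
LEGIT = [
    (0,    "198.51.100.7", "alice@example.net", "bob@ourcompany.example"),
    (600,  "198.51.100.8", "alice@example.net", "bob@ourcompany.example"),
    (1800, "198.51.100.7", "alice@example.net", "bob@ourcompany.example"),
]
BOT = [(0, "203.0.113.9", f"x{i}@bogus.invalid", "bob@ourcompany.example") for i in range(3)]

if __name__ == "__main__":
    print("legit:", simulate(LEGIT))   # [450, 450, 250]
    print("bot:  ", simulate(BOT))     # [450, 450, 450]
```

The cost is exactly the delay complained about elsewhere in this thread: every new correspondent's first message waits up to the passtime, and a sender whose software never retries (some web-form mailers) never gets through at all, so known partners belong on a static whitelist in front of this check.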
I've been running this for quite some time with fantastic results. It's a VMWare appliance.
Inside, there is greylisting and MailScanner. Within MailScanner, there is SpamAssassin, some RBL, ClamAV and all sorts of things.
For my organization, I find that in addition to everything else "stock" I can safely filter out all countries but the U.S. since we don't do business outside of our state, let alone our country... so it's safe to assume that anything from outside the US will be spam.
It is extremely effective. I have helped to get the VM set up in environments with multiple domains and it works very well too.
One problem with it is that it is rapidly aging. The user community has made some effort to get the VM up to date in some ways, but the 2.0 version as far as anyone can tell is still in discussion and planning. The project creator and leader is a one-man-show and he seems to have a life outside of this project for some reason. The user community is frantic to get something to replace the aging 1.7.1.5 machine we all use as the reference point for our installs.
Meanwhile, here is some general guidance. First, do not waste your money on commercial products -- they're expensive, poorly-maintained, and in many cases (e.g. Barracuda) actually make the spam problem worse via backscatter. (There are now several thousand Barracudas on a communally-maintained blacklist, making it obvious to everyone working in this field that Barracuda is completely incompetent.) Second, do invest your money and time in open-source solutions: it is easy for anyone who possesses baseline competence in mail to craft their own, superior spam handling system using postfix or sendmail or another open-source MTA, DNSBLs, RHSBLs, judicious configuration, and other tools such as rbldnsd, mimedefang, SpamAssassin, ClamAV, and so on. Third, a little googling will reveal near-cookbook procedures for combining these pieces of software together into a useful system; which cookbook procedure is appropriate for you depends on your environment -- which brings me to the fourth point, which is that you need to perform log analysis in order to understand your particular mix of spam/not-spam. Everyone's is different, which is why one-size-fits-all solutions usually fail. Only after you have some clue about the size and shape of your problem will you be able to determine which approach(es) are likely to minimize both false negatives (FN) and false positives (FP).
As an aside, one set of highly effective anti-spam tactics involves enforcing RFC requirements that have been in place for many years: for example, all mail servers must have rDNS; that rDNS must resolve to a host which in turn resolves back to the IP; the domain of the host must exist; the host must HELO as a valid FQDN or bracketed-quad IP; the envelope-sender's domain must exist; the host must not HELO as you; the host must wait for the SMTP greeting before HELO'ing; the host must handle a multi-line SMTP greeting; the MX records for the host must point to valid IP space; and so on. Enforcement of these requirements yields differing rates of spam control (which is again why log analysis is crucial) but has the very valuable property that it can be done at low computational and bandwidth cost. Substantial experience with these suggests that enabling them and augmenting them with a few DNSBLs (especially the Spamhaus Zen zone) is enough to deal with the overwhelming majority of the spam problem at most sites, reducing what's left to a much smaller issue to be dealt with.
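The protocol-hygiene checks listed in the paragraph above, applied to a recorded SMTP session, as an added example; this is not the commenter's code. Real implementations run these inside the MTA (Postfix's smtpd_*_restrictions or sendmail's access map) with live DNS lookups; here the DNS answers are constructed tables, and all names, addresses and the minimal bogon list are assumptions chosen for the illustration.

```python
"""SMTP session hygiene checks, as an added example (not the poster's setup).
DNS answers are constructed tables standing in for resolver calls."""
import ipaddress
import re
from dataclasses import dataclass

# --- constructed DNS (assumption) ---
PTR = {
    "198.51.100.7": "mx1.example.net",      # real MTA, forward-confirmed below
    "203.0.113.9": "dsl-9.isp.example",     # dynamic address; PTR does not confirm
}
A = {
    "mx1.example.net": {"198.51.100.7"},
    "dsl-9.isp.example": {"203.0.113.10"},  # points at a different host
    "example.net": {"198.51.100.7"},
    "mail.ourcompany.example": {"192.0.2.25"},
    "mx.tiny.example": {"10.0.0.5"},        # MX target on RFC 1918 space
}
MX = {
    "example.net": ["mx1.example.net"],
    "ourcompany.example": ["mail.ourcompany.example"],
    "tiny.example": ["mx.tiny.example"],
}
OUR_NAMES = {"mail.ourcompany.example", "ourcompany.example"}   # a HELO as us is forged
OUR_IPS = {"192.0.2.25"}
BOGONS = [ipaddress.ip_network(n) for n in (                      # minimal list (assumption)
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# hostname labels per RFC 1035, at least two of them, optional trailing dot
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$")


@dataclass
class Session:
    ip: str                             # connecting client address
    helo: str                           # argument of HELO/EHLO
    mail_from: str                      # envelope sender; "" is the null reverse-path
    spoke_before_banner: bool = False   # client sent data before our 220 greeting


def norm(name):
    return name.lower().rstrip(".")


def parent_domain(host):
    return host.partition(".")[2]


def domain_exists(name):
    name = norm(name)
    return bool(A.get(name) or MX.get(name))


def in_valid_space(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BOGONS)


def mx_targets_valid(domain):
    """Every MX target (or the implicit MX of RFC 5321 5.1) must resolve into valid space."""
    targets = MX.get(domain) or [domain]
    return all(any(in_valid_space(ip) for ip in A.get(norm(t), ())) for t in targets)


def address_literal(helo):
    """Return the IPv4 address in a bracketed HELO literal, or None."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return str(ipaddress.IPv4Address(helo[1:-1]))
        except ValueError:
            return None
    return None


def check_session(s):
    """Return the requirements the session violates; an empty list means it passes."""
    failures = []
    if s.spoke_before_banner:
        failures.append("talked_before_banner")
    ptr = PTR.get(s.ip)                 # rDNS present, forward-confirmed, in a real domain
    if ptr is None:
        failures.append("no_rdns")
    else:
        if s.ip not in A.get(norm(ptr), ()):
            failures.append("rdns_not_forward_confirmed")
        if not domain_exists(parent_domain(norm(ptr))):
            failures.append("rdns_domain_missing")
    literal = address_literal(s.helo)   # HELO: FQDN or [a.b.c.d], not us, resolvable
    if literal is not None:
        if literal in OUR_IPS:
            failures.append("helo_is_us")
        elif not in_valid_space(literal):
            failures.append("helo_literal_in_bogon_space")
    elif not FQDN_RE.match(s.helo):
        failures.append("helo_not_fqdn")
    elif norm(s.helo) in OUR_NAMES:
        failures.append("helo_is_us")
    elif not (domain_exists(s.helo) or domain_exists(parent_domain(norm(s.helo)))):
        failures.append("helo_domain_missing")
    if s.mail_from:                     # envelope sender domain; bounces from <> are exempt
        domain = norm(s.mail_from.rpartition("@")[2])
        if not domain_exists(domain):
            failures.append("sender_domain_missing")
        elif not mx_targets_valid(domain):
            failures.append("sender_mx_in_bogon_space")
    return failures
```

Each failure is cheap to detect (a handful of DNS queries and no message body), which is the property the post values; which of them you turn into a 5xx rejection rather than a score still has to come out of your own logs, since the false-positive rate of, say, the rDNS requirement depends entirely on who legitimately mails you.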
dnsbl/enhdnsbl is enabled for zen.spamhaus.org, bl.spamcop.net, combined.njabl.org, list.dsbl.org, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net and sbl-xbl.spamhaus.org. With all these enabled there are very few spam messages falling through.
Adding to this I am using Mozilla Thunderbird which has a very good intelligent junk mail filter. The only disadvantage is that the junk mail filter has to learn what's junk or not.
The use of dnsbl/enhdnsbl also bounces back to the sender with a reasonable message for the cases where a message is denied, so the sender shall be informed about any messages that are denied. Of course, it isn't fool-proof, but it works for me.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Why do people keep suggesting gmail as a viable option?
It's really not that good.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
I cast my vote for SpamAssassin.
When set up with good rules and RBLs it blocks at least 99% of spam with very low false positives (I've never had a false positive).
Send anything tagged as spam to another account such as spam@domain (I do this) then you can manually check for false positives to further reduce the chance of losing legit email. (or if a user complains that an email they expected never arrived)
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution
Actually, that strikes me as a good solution; it's certainly better than having other employees dealing with spam as part of their daily routine and losing 30 minutes/day for everybody in the company. And by centralizing it, you have the ability to pick the tools to make your work more efficient, as opposed to having 50 employees each fiddle with their own spam filters.
This is just a simple guide compiled from my experience:
:)
1. Do what you can on the server. I like to use SpamAssassin to add spam scores to the beginning of subject lines, so they sort by score in my inbox (I use "/*_SCORE(0)_*/"). I also automatically delete anything over a score of 11, since the highest I've ever seen a legitimate email score has been "10.something". Realistically, anything above an 8 is the sender's fault and they need to do something about it, and anything above an 11 you can safely blame the sender (you won't be the only spam filter deleting their emails).
2. Provide the tools on the client. Thunderbird's "spam marker" is a must, and because it learns from what you mark, you aren't just marking them in vain. Also, to deal with spam in real time, instead of using the junk folder, I like using the "delete junk!" button from the "Buttons!" add-on. Incoming junk gets marked and marked as read, and after marking the spam the filter missed, I hit "delete junk". Very easy and quick. Pre-configure Thunderbird for everyone.
3. Educate and support. If you have 1 and 2 in place, then make sure everyone knows what you are doing and why you chose to do it. Write a short manual or something. Educate them about their tools. They also need to know NOT to publish their addresses.
The idea is to make spam highly visible, and to make it *quick and easy* to deal with. Knowing you've facilitated these two goals should be enough to impress your employer and earn the respect you deserve from everyone you serve.
I spent a few days migrating 100,000 emails from Windows Mail, because it was horrible. Thunderbird is a godsend and the add-ons make all the difference. If there is something you dislike or want, chances are someone made an add-on for it.
btw 2000 messages is *not* a lot of spam. It will get far worse with time.
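The score-based routing that both step 1 of this post and the earlier SpamAssassin comment (X-Spam-Level asterisks, a central drop threshold, per-user folder filters) describe, as an added example; this is not code from either poster. It assumes SpamAssassin's standard X-Spam-Status and X-Spam-Level headers plus a Subject tag written by a rewrite_header rule containing _SCORE(0)_, reads whichever is present, and applies a central drop threshold and a per-user junk threshold. The thresholds and the sample messages are constructed for the illustration.

```python
"""Routing mail by SpamAssassin score, as an added example (not the posters' setups)."""
import re
from email import message_from_string

DROP_ABOVE = 11.0        # central policy, modelled on the "over 11" rule above (assumption)
DEFAULT_JUNK_AT = 5.0    # SpamAssassin's default required score; users override per mailbox

STATUS_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")          # from X-Spam-Status
SUBJECT_TAG_RE = re.compile(r"/\*(-?\d+(?:\.\d+)?)\*/")       # from "/*_SCORE(0)_*/" rewrite


def spam_score(msg):
    """Return the score as a float, or None if the message was never scored."""
    m = STATUS_RE.search(msg.get("X-Spam-Status", ""))
    if m:
        return float(m.group(1))
    level = msg.get("X-Spam-Level")
    if level is not None:
        return float(level.count("*"))   # one asterisk per whole point; empty means < 1
    m = SUBJECT_TAG_RE.search(msg.get("Subject", ""))
    if m:
        return float(m.group(1))
    return None


def route(raw_message, junk_at=DEFAULT_JUNK_AT, drop_above=DROP_ABOVE):
    """Return 'drop', 'junk' or 'inbox' for one message given as RFC 5322 text."""
    score = spam_score(message_from_string(raw_message))
    if score is None:
        return "inbox"                   # unscored mail is never silently discarded
    if score > drop_above:
        return "drop"                    # central decision, same for everyone
    if score >= junk_at:
        return "junk"                    # per-user decision: their threshold, their folder
    return "inbox"


def sort_mailbox(raw_messages, junk_at=DEFAULT_JUNK_AT):
    """Return {folder: [Subject, ...]} for a batch, e.g. one user's overnight mail."""
    folders = {"inbox": [], "junk": [], "drop": []}
    for raw in raw_messages:
        folders[route(raw, junk_at)].append(message_from_string(raw)["Subject"])
    return folders


# Constructed sample messages (not real mail).
SPAM = """\
From: deals@offers.invalid
To: bob@ourcompany.example
Subject: Cheap pills
X-Spam-Status: Yes, score=14.2 required=5.0 tests=BAYES_99,URIBL_BLACK
X-Spam-Level: **************

buy now
"""
BORDERLINE = """\
From: newsletter@vendor.example
To: bob@ourcompany.example
Subject: Monthly update
X-Spam-Status: Yes, score=6.1 required=5.0 tests=HTML_MESSAGE,BAYES_50
X-Spam-Level: ******

this month we ...
"""
HAM = """\
From: alice@example.net
To: bob@ourcompany.example
Subject: Contract draft
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00

attached
"""
TAGGED = """\
From: carol@partner.example
To: bob@ourcompany.example
Subject: /*07.4*/ Re: invoice

see below
"""
UNSCORED = "Subject: hi\n\nhello\n"

if __name__ == "__main__":
    print(sort_mailbox([SPAM, BORDERLINE, HAM, TAGGED, UNSCORED]))
    print(sort_mailbox([SPAM, BORDERLINE, HAM, TAGGED, UNSCORED], junk_at=7.0))
```

The same logic is what a Sieve or procmail rule on each mailbox encodes: the server keeps one policy for the indefensible scores, and a user who would rather wade through newsletters than miss one raises their own junk threshold, which is the trade-off between false positives and false negatives that the earlier comment describes.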
I'm not really "in the know" of what's good or bad when it comes to spam filtering packages, but in the years I've been using gmail, I'd estimate maybe less than 20 emails that have hit my inbox have been spam. It only happens to me once every couple of months and I get around 100 pieces of spam a day, so I'd say that's pretty good.
As for the "false positives", only the most dubious of mailing lists seems to get caught (I still regularly check my spam just in case) and when I report them as "not spam", they never get mistaken for spam again, so I can't really complain either.
I'm not disagreeing with you, I'm simply just curious as to what makes it bad? Have I just been fortunate enough to not have any major problems or is there something that it should (or shouldn't) do when it comes to corporate use?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I manage self-hosted email for several small-medium companies. ASSP is platform independent, low resource, and does a VERY good job. VERY very configurable, and free, open source, easy to modify, easy upkeep (almost zero action required beyond checking the logs to keep an eye on things) and free software.
In a company of about 75 email accounts it has blocked 4 million spams in a little over a year.
The false negative rate is so low it might as well be zero, and the false positive rate as well.
It uses, among many other things, whitelists, so your people never miss an email from an established contact; redlists, so a known spammer cannot ever be accidentally added to the whitelist; does SPF checking; checks headers against spoofing; has an antivirus component; can forward a copy of all spam to a spamlover address; and much, much more.
And it's free.
For a single SBS server, you can install it on the same box with zero out-of-pocket costs except for your time to install it (I would personally budget 20 hours for R&D for a first-time administrator to install it).
Please email me if you want more detailed information on how it works for my clients. I can also put you in contact with end users at the executive level of these companies to ask how they like it (the final litmus test)
Good luck
Chuck
I was faced with exactly this problem myself around October/November last year.
You've basically got three options:
1. Go for a completely outsourced service.
Pros: It's someone else's problem to look after.
Cons: A company of 50 staff will never be terribly important to such a service provider. Unless they provide an extremely good control panel and logs, sooner or later someone's going to ask where an email is and your answer is going to be "er... let me get back to you on that.... er... I don't know".
2. Go for an appliance - either in the form of a prebuilt lump of tin like the Barracuda system mentioned elsewhere or in the form of a precooked Linux installation which is literally just a matter of "insert CD, boot, tell it what its IP address is and what domain it's providing email for".
Pros: Dead easy to set up. Most also provide a nice web-based UI.
Cons: The decent ones are almost universally commercial and you have to pay licensing fees on a per-active-email-address basis, which can get very expensive - particularly when the vendor won't tell you how their system decides how many email addresses are regularly active and the first you know that you're exceeding the license is when suddenly all the spam filtering is disabled.
If you look closely, expect to find that many of them are architected around a number of single points of failure. And in the real world, nobody is likely to check a web-based UI on the off chance that they find an email misclassified as spam sitting there.
3. Roll your own. If you take this route, I can strongly recommend rolling it around an existing framework rather than following a bunch of complicated instructions to configure Postfix that you have to re-learn every time anything needs tweaking. This is the route I took, and I based it around MailScanner. MailScanner provides a framework for plugging in spam and virus filters and allows you to divide spam according to its score. Delete high scoring spam, let low scoring spam through with a note in the subject line that it's suspected spam and let non-spam straight through.
Pros: You get to keep a close eye on all the configuration, can keep close track of the logs and respond quickly to any issues. Your users can easily set up filters for spam (for that matter, so can you) and their "potential-spam" where misclassified mail may wind up is in their email client rather than a separate web-based system.
Cons: You need to become intimately familiar with every aspect of your email system in order to manage it effectively. I would argue that any self-respecting sysadmin should be intimately familiar with his email system anyway, but YMMV.
Of course... It's not like Google offers special services for exactly that, either free or paid...
--- Hindsight is 20/20, but walking backwards is not the answer.
Well, it's a two-edged sword.
I run email for several of my domains through Google Apps for Your Domain - essentially, Gmail. On my largest account, I get several hundred legit emails and 200-1000 spam messages each day. The problem isn't Gmail's filtering of this - it's actually damn good, with maybe 2-3 false negatives a week and maybe one false positive. Better than almost anything else I've seen.
The problem is that Gmail gives me NO options - as a user or domain administrator - to sift through the spam box automagically, looking for those false positives. You CANNOT access the spam box in any way other than their web interface, looking manually through your spam, hoping to see the occasional legit message that confused the filters and was labeled spam. (Okay, if you go the full IMAP route, you can apparently see it, but that's cumbersome in the extreme if your users aren't doing IMAP in the normal course of things.)
This borders on perverse. How hard would it be to allow POP to the spam box, so that I could suck down the messages and run my own filters on them? And what's with the lack of user filtering options? "Um, Google, here's a hint: I don't read Chinese or Russian. If mail comes into the spam folder in one of those languages, you just delete it and not bother me with it, OK?".
Dunno, it feels like a case where someone's high up in Gmail's design group has a religious or aesthetic conviction about how spam should be handled ("no filters...no settings...no controls...no access") that blinds them to how badly this works for users and administrators in the real world.
Sure... if you want another company in possession of your company's email. How do you know the other company won't look at sensitive emails? Just because 'they shouldn't' or 'they say they won't' doesn't mean someone there won't. Heck, if people are looking up Obama's and others' passport info in the government, I would be willing to bet that someone at a third-party email provider has looked at someone's sensitive email. What if they get wind of a business deal on a subject they may have a business interest in? I think anyone who trusts their sensitive data to others with no real consequence to having that data leaked is not thinking far enough ahead. It is the same reason I detest so much our data going to overseas servers.
-- I ignore anonymous replies to my comments and postings.
As you may know, it used to be that Postini was considered, by those of us in the anti-spam industry, something of a black hole, and not a service we would recommend.
However, having been in touch with their executive team in recent years, I had inside knowledge as to how that was changing - how they *wanted* that to change.
Recently, we decided to take our own spam filtering outside, to let someone else's servers do the heavy lifting. We tried several solutions, and finally, almost in desperation, I gave the 'ok' for us to try Postini (which of course is now owned by Google, but the exec team is still in place).
Let me tell you that we were *extremely* pleasantly surprised - the service really has been *very* good, it was relatively easy to set up (you do need to be familiar with how to set up your MX records, etc., but if you are already adminning a server, you should already be fairly comfortable with that).
The price is good, and the end user UI is excellent in that it's pretty easy for an end user to understand how to scan their "spam folder", how to get something delivered out of the spam folder, how to whitelist a sender, etc..
Honestly, it's one of the easiest-to-use of the offsite systems out there - and one bonus is that it gets the user support *off* internal admins.
And, the false positive rate is low, as is the false negative rate - which really is the bottom line test for spam filtering services.
We have a formal review for our corporate blog (http://www.TheInternetPatrol.com/) in the works, but in the meantime consider this an endorsement of Postini from the Institute for Spam and Internet Public Policy (http://www.isipp.com/)
Anne
Anne P. Mitchell, Esq
CEO/President
Institute for Spam and Internet Public Policy
Professor of Law, Lincoln Law School of SJ
Author, "The Email Deliverability Handbook"
The business I work for would qualify as a middle-sized corporation.
We run into the EXACT same issue you're running into.
The dilemma is if we don't tighten the spam filter enough, we'll get complaints from employees (who are not shy about sending EVERY LAST PIECE OF SPAM THEY GET to us.)
However, if they tighten the filter too much, then important emails that may seem spam-like begin to get blocked, and we get just as much heat for that.
The answer - do your best to block what spam you can, and if you get complaints about some spam slipping through, tell them to delete it. We'll often add that we're working with the spam filter vendor to try and resolve the issue, but it's not that easily resolved.
And no - we don't go through each message looking for spam - it's not practical due to the number of employees we have. We DO give them the power to block spam from specific addresses on their own, though. The benefit of this is the email is sent to a junk mail folder they can still access, which is useful should something legitimate end up there.