Spam: how does your org handle it?

[groovin]

My organization gets flooded with spam. right now we use open source software such as spamassasin to deal with spam (linux pop3 qmail server), but I've noticed more and more slip by. The reason is probaly a combination of spammers getting more clever at evading detection and by brute force - 1 out of every 10-15 spam will slip by, so if we are not getting thousands of spam a day rather than hundreds, more are going to slip.

So, I am rethinking our spam defense a bit. I am not sure what commercial solutions are out there as well as open source. As usual, I am looking for somethign that is robust, somewhat economical, and above all works really well at killing spam!

Id like to hear how you guys out there handle your spam.

thanks

 

[MrScott81]

not an organization, but i use outlook 2003's spam filter, and have it set on high....install the office update which updates the spam filter....this works nearly flawlessly for me.....every once in a blue moon a good email will go to the junk email folder and vice versa, but this is definitely less than 1% of the time.

 

[spidey07]

all mail is scanned by frontbridge.com about 50 GB/day.

virus and spam filtered by three different engines for each.

spam STILL freakin' gets thru. If I get one more mail for "free meds" I think I'm going to scream.

 

[deadseasquirrel]

MCI just released a product to filter spam. They do it in their network. Forward your MX records over and they wash the mail before it gets to you. PM me and I can getcha more info after the weekend. The cost is something like $.50/user or so per month.

 

[mboy]

I have a buddy who runs the mail shop for a LARGE, well known organziation (about 17 sendmail servers). He implemented Iron mail by ciphertrust, about 8-10 appliances, says he cut his total mail volume by 50% with a 90+% rate. I think the boxes start somewhere around 10-15k each tho :-(.

 

[n0cmonkey]

Tarpitting is the neatest thing to come out of spam.

I'd use some heavy black lists though.

 

[HKSturboKID]

A company that i use to work for also uses ironmail to filter out mail. Damn spam still gets thru. I keep getting the stupid mortgage bs spam!!!

 

[VTEC01EX]

I'm stuck at the mercy of Pair Networks, who hosts our virtual mail server. Their spamassassin setup is worthless, a 50% detection rate at best on "high", and there's no option to delete it server side so the clients don't have to download it. Does anyone know if there's anything I could do to make it more effective (that might help out the original poster too?)

 

[Need4Speed]

dropped a debian box using postfix and Spamassassin into the network

 

[azkiwi]

My ISP switched from Postini (which I really liked) to Barracuda and it is currently about 95% effective (Bayesian). The good thing about it is I get virtually zero false positives.

I think the only spam getting through right now are a few low mortgage spams, and very few of them.

 

[jbritt1234]

We use Barracuda also, it works pretty well.

I personally like adverts for \/iaGr/\. Also the occasional porn advert with pics.

 

[Thor86]

See my sig.

 

[groovin]

thanks for the replies. keep them coming, im sure many others can benefit from any knowledge posted on this subject!

im sick of all the vi@gra ads and dont care about enlarging certain parts of my body. why cant people learn not to click on every damn link somoene sends them??

 

[Night201]

I just pm'd you.

I use postfix for my mail server. I use Spamassasin along with that and a virus scanner.

What I do on top of that (using Spamassasin) is go through my mail log and filter out the spam messages and block the ip addresses (or range of addresses) of the spammers. That has helped so much! This really helps with the spammers who change their email addresses. You can put their email addresses on a blacklist, but once they change it (which the frequently do), the messages will get through. When I block their IP addresses, the server just drops the connection and they don't even really see that I have a mail server, so it's less work on the server as well, since it doesn't have to filter and process bogus mail that I know will turn out to be spam.

I'm adding to my list everyday and I was actually going to post it. The ip addresses I'd post are more geared to me. I'm sure it would help others as well, but I can say that by adding just the 25 or so ip addresses to my firewall list, it probably stopped 80+% of the messages coming in. The ones that do still come in (from valid domains like yahoo.com or msn.com - you don't want to block their mailserver ip addresses) are usually marked as spam by spamassasin. I'd say that SPAM is down 90+% over the past week that I have been really cracking down.

Oh, I also use SPAMCOP's blacklist as well.

 

[loup garou]

The best experience for our clients with >25 users has been with an outsourced solution from MessageLabs. Setup was a little tricky and we had a few messages eaten, but since then it has been running smoothly for 3 clients (1 Notes based, 2 Exchange based). I don't remember the exact cost, but it was in the ballpark of the price quoted for the MCI service.

 

[Night201]

Originally posted by: werk
The best experience for our clients with >25 users has been with an outsourced solution from MessageLabs. Setup was a little tricky and we had a few messages eaten, but since then it has been running smoothly for 3 clients (1 Notes based, 2 Exchange based). I don't remember the exact cost, but it was in the ballpark of the price quoted for the MCI service.

I like having control of our mail.

 

[groovin]

i like having control of our email too but if a managed mail service was cheap/effective enough, i might actually think about it. speaking of cheap/effective, how much does this service typically run and how effective has it been?

 

[Night201]

Do they just filter or limit the size of the message as well? In other words, do they actually host your email or just run the messages through their filters?

 

[DrVos]

We use Groupwise over here and have found GWAVA to be pretty effective. I'm using a combination of blocking through RBL lists like spamhaus.org, word filters, and gwava's built in spam filters. I also have it setup to block particular attachments (.scr, .pif, .com, etc) I'd say that the setup is 90-95% effective.

 

[chuck2002]

thanks for the suggestions for messagelabs and related services. I got the details for the service and am seriously considering going with them.
As it was explained to me:
You point your DNS MX record to their servers which go through all the incoming mail and look for virus, spam and adult material. They take out all viruses (guaranteed @ 100%) and spam and adult material based on your settings for how agressive you want the scanning and then the mail is sent on to your email server. This saves your server resources, bandwidth, and your time messing with software to do the same thing.
It was quoted to me @ $2 per email user for the base of one of the 3 services and $1 for each additional service (Max of $4 per email box)
This was the price for our office, yours may be different. Well worth it in my mind...

 

[deadseasquirrel]

Originally posted by: chuck2002
thanks for the suggestions for messagelabs and related services. I got the details for the service and am seriously considering going with them. As it was explained to me...

Yep, you nailed it. That's exactly how it works. MCI, as I mentioned above, does this same service through MessageLabs now, with some additions.

Here's the skinny for those interested:

For Spam Filtering, they use the private databases from MessageLabs, etc as well as public databases likke Vipul's Razor Pyzor. There are 2000 detection rules using the Bayesian learning Theory (with dynamic heuristics to detect things like HTML Obfuscation, Header Forgeries, etc). This also includes the Porn Blocking using Image Composition Analysis.

The Anti Virus uses 3 commercial vendor products (McAfee, F-Secure, Vfind) as well as a proprietary engine called Skeptic. Virus databases are updated hourly. There is a 30 day quarantine if a virus is found, and a notification is sent to the sender, recipient, and admin. There is a 100% guarantee SLA.

You can log in from any web browser to see stats on Spam and Virus, as well as make adds/changes to the account.

Pricing is simple:

Anti-Virus only
25-1,000 users-- $1.80 per month, per user
1,001-5,000 users-- $1.15 per month, per user
5001+-- $0.98 per user, per month

Anti-Spam only
same as anti-virus

Both services
25-1000 users-- $2.70 per user per month
1001-5000-- $1.75
5001+-- $1.50

If anyone has any questions, lemme know. I'm a Technical Consultant for MCI, so I can't really help out with signing you up or anything, but I can point you in the right direction, and answer any technical questions you have about your network/internet/telecom.

 

[loup garou]

oops, forgot about this thread. I think Chuck2002 answered most of the questions posed about messagelabs.

deadseasquirrel, can you point me to an MCI site that describes their filtering service, I can't find anything about it on mci.com. I'm interested since it's almost half the cost of Messagelabs' service ($4/user/mo).

 

[groovin]

thanks for that info deadseasquirrel. my questions:

any yearly contracts involved?

is there any kind of evaluation available?

 

[deadseasquirrel]

werk & groovin:

I work in the Commercial Accounts group, typically customers that bill $10k+ per month, so anybody I deal with has always had some kind of contract/commitment level. But it may be different for small businesses.

Nobody has mentioned to me about any trial offers, but that doesn't mean it can't happen. Usually contracts are on a commitment amount (volume) instead of term, and I've seen volume commits as low as $500. So it varies. I'd also recommend looking at any other parts of your network as well, such as local phone service, LD, internet, MPLS, etc. Any other services could help drive down the price of all services, including this email product.

werk, I can't find anything on MCI.com either. I do have a powerpoint I threw together for the reps that I can shoot to a host if you know of one. It's a little over 2megs and describes the service well, though I did overview it pretty well in my post.

What particular questions did you have?

If you guys wanna PM me your company info (city/state, size, # of users, other info you deem important), I can try to get you to the right place.

 

[skyking]

I use spamassassin and dnsbl's . the dnsbl's take down a ton of stuff before it ever gets in, which reduces server load a great deal.
I'll post the blacklist org's I use, and a list of yesterday's rejected mail hosts, if you don't mind a long post
http://www.njabl.org/
http://www.spamhaus.org/
http://www.spamcop.net/

and a list of one day's rejected mail hosts................

-----------------------------------------------------------------------------------------------------------

8 [81.91.227.3]
1 w082.z066088242.nyc-ny.dsl.cnc.net
1 uslink-66.173.94-212.uslink.net
1 static24-72-49-74.reverse.accesscomm.ca
1 ppp245.rtzi.ru
1 ppp-67-64-24-93.dsl.wchtks.swbell.net
1 pf122.gorzow.sdi.tpnet.pl
1 pcp08538893pcs.liztwn01.ky.comcast.net
1 pcp03948590pcs.sarast01.fl.comcast.net
1 pD9FF8272.dip.t-dialin.net
1 optinemailing.biz
1 modemcable073.41-70-69.mc.videotron.ca
1 michelet-7-82-224-21-2.fbx.proxad.net
1 mail6.upperwebsside.com
1 mail5.upper-web-side.com
1 m123.net195-132-112.noos.fr
1 ip139.176.1211M-CUD12K-02.ish.de
1 ip-wv-24-158-93-087.charterwv.net
1 host14-71.pool80181.interbusiness.it
1 geaps.net
1 e188009.upc-e.chello.nl
1 dC8549E22.dslam-04-7-2-02-01-02.cmr.dsl.cantv.net
1 d66-183-189-134.bchsia.telus.net
1 cm193030.red.mundo-r.com
1 chello062178200200.5.15.vie.surfer.at
1 cable-133-127.inter.net.il
1 c-66-177-32-227.se.client2.attbi.com
1 c-24-15-195-101.client.comcast.net
1 adsl-68-248-37-216.dsl.sfldmi.ameritech.net
1 adsl-67-38-242-243.dsl.bcvloh.ameritech.net
1 adsl-67-127-183-170.dsl.pltn13.pacbell.net
1 adsl-67-127-167-160.dsl.irvnca.pacbell.net
1 adsl-67-122-174-74.dsl.lsan03.pacbell.net
1 adsl-66-72-97-125.dsl.chcgil.ameritech.net
1 adsl-66-72-104-78.dsl.chcgil.ameritech.net
1 adsl-66-143-158-219.dsl.stlsmo.swbell.net
1 adsl-66-136-21-150.dsl.hstntx.swbell.net
1 adsl-66-120-247-80.dsl.lsan03.pacbell.net
1 adsl-131.158.140.info.com.ph
1 [80.90.4.197]
1 [68.189.247.208]
1 [65.198.212.28]
1 [62.90.145.150]
1 [61.72.148.205]
1 [61.173.53.174]
1 [24.69.236.183]
1 [220.95.6.4]
1 [220.74.13.101]
1 [219.238.146.36]
1 [218.69.255.50]
1 [218.62.0.46]
1 [218.19.136.59]
1 [218.12.34.234]
1 [217.129.7.38]
1 [217.129.203.198]
1 [213.136.125.246]
1 [211.158.67.203]
1 [210.109.75.69]
1 [210.103.4.231]
1 [200.5.90.203]
1 [200.238.79.130]
1 82-168-41-7-bbxl.xdsl.tiscali.nl
1 81-196-12-234.rdsnet.ro
1 69-84-204-33.shlbyvlle.buslnk.cintelecom.com
1 66-205-151-175.ftth.surewest.net
1 218-35-44-177.cm.apol.com.tw
1 203-165-192-241.home.ne.jp
1 200-207-4-99.speedyterra.com.br
1 200-180-185-020.paemt7003.dsl.brasiltelecom.net.br
1 200-171-45-148.speedyterra.com.br

----------------------------------------------------------------------------------------------------------------