Spam Filtering For Small/Medium Business?

or_is_it writes "The company I work for has been growing dramatically and I've been charged with the task of being the gatekeeper for our GFI Spam filters. This involves manually inspecting the subject line/to/from for all caught messages in each filter rule folder. For a company of about 50 people, in one day the number of spam messages can exceed 2,000. Neglect it for a day and you end up with quite a task on your hands. I've made the rules lax enough so important messages can go through, along with a few stray spams, for which I get bitched at. Tighten the rules up and then maybe an important time-sensitive email never gets to its intended recipient, and I get bitched at. Manually reading through all those subject lines is supposed to prevent that, but I'm only human and genuine messages can easily get overlooked. How do larger organizations deal with the spam issue? I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution. Purchasing a different commercial mail filter product is a possibility, but I'd like to hear some anecdotal evidence before jumping ship."

Client-based?

[Gaxx]

To be honest, for somewhere of that size I'd be tempted to use some sort of client-based filtering (along the lines of spambayes [http://spambayes.sourceforge.net/]) which would put the power and responsibility in the hands of your users.

Combined effort is necessary

[Z00L00K]

I have a setup where I use a configuration of Sendmail as first line protection and I use several sources for spam filtering.

dnsbl/enhdnsbl is enabled for zen.spamhaus.org, bl.spamcop.net, combined.njabl.org, list.dsbl.org, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net and sbl-xbl.spamhaus.org. With all these enabled there are very few spam messages falling through.

Adding to this I am using Mozilla Thunderbird which has a very good intelligent junk mail filter. The only disadvantage is that the junk mail filter has to learn what's junk or not.

The use of dnsbl/enhdnsbl also does bounce back to the sender with a reasonable message for the cases where a message is denied so the sender shall be informed about any messages that are denied. Of course - it isn't fool-proof, but it works for me.

Re:

[Wolfkin]

zen.spamhaus.org IS sbl-xbl.spamhaus.org , per their website.

Re:Combined effort is necessary

[entrigant]

The use of dnsbl/enhdnsbl also does bounce back to the sender with a reasonable message for the cases where a message is denied so the sender shall be informed about any messages that are denied. Of course - it isn't fool-proof, but it works for me.

Do you generate a bounce, or do you reject with a 500 error and a proper message at spam time? You should not generate a bounce to remote mail. Ever. This is the cause of e-mail backscatter and is a significant problem. Always reject at SMTP time with a 500 error.

Re:

[Z00L00K]

It is a reject that in turn generates a bounce in the sending mailer, but if it's a stupid spam mailer it doesn't bounce.

Re:Combined effort is necessary

[Sleepy]

Wow. You need to review your config!

From experience: you only need Spamhaus Zen and SpamCop for connection checking.
If you parse DATA before you accept it, you should incorporate URIBL.COM it's very good, and helps catch Yahoo and Gmail spam (which will get past Spamhaus and Spamcop all the time) because it scans bodies for naughty links

dsbl.org is REDUNDANT -- incorporated in Spamhaus Xen.
Spamhaus SBL-XBL -- incorporated in Spamhaus Xen.
NJABL.org is dead and a mirror of the CBL, I believe (-- incorporated in Spamhaus Xen also)

Never send bounce notices for spam. What notices leave your server are likely going to forged From: addresses....

Re:

[TheCodeFoundry]

I've used a client based solution in the past, Cloudmark. It was a very good solution, but required user intervention and wasn't really cost effective for small-medium sized businesses.

My company switched to using MXLogic and we absolutely love it. Previously, I was receiving 100 spam emails a day; one spam email now leaks through maybe a month. It is probably the best spam solution we have used. We have tried Baracuda, Postini and others, but MXLogic was the best solution.

(No, I do not work for them.

Re:

[gravyface]

Postini does this and all, for ~30 bucks a year per user. Plus, you're not using your cycles and bandwidth to do the dirty work: it's all done upstream before it even hits your network. Users can maintain their own white/blacklists, plus, they get a quarantine email sent daily that lists all the spam that was trapped over the last 24 hours, with an option to click "deliver" to send to their inbox immediately should a false positive be spotted.
Another plus is outbound filtering: we route all our outbound m

Re:Client-based?

[Eggplant62]

I've seen Postini-filtered mailboxes. Don't bother.

Only solution that I know works is my own: Postfix with amavisd-new, spamassassin, clamav, postgrey, along with FuzzyOCR on smaller installs, though setting that up on a separate system to filter through might cover a large organization. Don't forget to include things like Spamhaus' Zen list, any of the *.countries.dk.net blocklists to filter out any geographical areas from which you don't expect legitimate mail, and also helo filtering--if the connecting mail server can't say helo/ehlo with something that resolves in DNS, it can just bugger right off.

Tell your boss that expecting not to lose email with spam filters in place is unreasonable, and that tasking one human to eyeball all the rejects is a serious misapplication of time and money.

Best of all, you should educate your boss to realize that email is not a reliable messaging system. There are far too many points of failure that could cause a message to be lost, most of them being outside of your own or your company's control. There exist many better ways to send time-sensitive material, like fax, overnight mail, and telephone calls. If a severe amount of money is to be lost because an email didn't make it on time or made it not at all, then the message should have been sent over a more reliable medium in addition to being emailed.

Only the severely clueless would rely on a system like the one you have set up. You have to allow for a certain failure rate in any system. That's a basic principle of quality control methods that have been in use for decades.

Re:Client-based?

[holophrastic]

Pardon me, but I just don't see the "size". I personally (and professionally) receive well over 3'000 spam e-mails each and every day. I take about three to five minutes to run through them. For 6'000 in two days, I take four to seven minutes.

I do it without a spam filter of any kind. I have only two technique.

First, simple rule-based filters throw clients and friends into their own folders by from: line alone. That covers everyone I know in advance.

The second set of rules simply looks for my full name, my company name, my e-mail signature, my telephone number, or my mailing address. These into the "it's damn likely a legitimate e-mail" folder. This folder gets about 2 spam e-mails per week.

The remaining I simply run through, in outlook express of all clients. Sorting wins the day. The greatest trick? Sort by the to: field. It doesn't take long to see that 75 messages went to moocow@mydomain.com, 75sevens@mydomain.com, or some other horribly malformed address to that doesn't exist. Sorting by subject does similar things -- like give you "70% off . . ." which get selected and deleted in a block of one hundred at a time.

Your spam has very simple patterns to look for. Sort by them, click the first, shift-click the last, and hit delete.

Last year, I was contracted by Viagra's H.R. department to do some quick work, I made it through unscathed.

Re:

[holophrastic]

There's no way that I'll ever configure my server for any anti-spam technology based on the destination server requiring more of the source server after successful receipt.

If I mail a letter to you, and you don't like the return address on the back of the envelope, you can do with it whatever you please, but it's not my responsibility to ensure that you'll open your mail. It is my responsibilty to deliver your mail. If you don't like the colour of the envelope, that's your problem.

I have a lot of clients

You just can't win.

[Lunarsight]

The business I work would qualify as a middle-sized corporation.

We run into the EXACT same issue you're running into.

The dilemma is if we don't tighten the spam filter enough, we'll get complaints from employees (who are not shy about sending EVERY LAST PIECE OF SPAM THEY GET to us.)

However, if they tighten the filter too much, then important emails that may seem spam-like begin to get blocked, and we get just as much heat for that.

The answer - do your best to block what spam you can, and if you get complai

Barracuda SPAM filter

[spacepimp]

I purchased a Barracuda for my organization of about 120 employees, and it has been fantastic. I fine tuned a few options on the config and it has blocked about 200,000 emails in the almost two months i have deployed it. There are very few false positives, and very few that get through its filters. I actually get calls of gratitude from the end users about how happy they were not receiving any more SPAM messages. The hardest part was informing them the user base on the difference between the mailing lists they were on and SPAM. Barracudas support has been good as well.

Re:

[B00yah]

Ya, i rolled a baracuda out in a similar environment back in 04, and the users couldn't stop singing the praises compared to the filtering our mx offered + my manual filtering. I strongly recommend baracuda for this size roll-out.

Re:

[ewwhite]

I'd also have to recommend the Barracuda. We moved to a Barracuda Spam FIlter 300 from Symantec's software product for Exchange. Although we didn't have an issue with Symantec's offering, the Barracuda was cheaper over the long-term and much more configurable. The logging is also a benefit. I think the OP's firm can get by with a Spam Filter 200.

Re:

[SlamMan]

Seconded. We've since outsourced our mail, but back in '06 we purchased a Barracuda for my 200 users, and had nothing but praise. A little spam still made it through (with a spam/ham ratio of 18 to 1, its impossible to let not a little through), but almost no false positives.

Re:Barracuda SPAM filter

[Lershac]

Gah they are so expensive. And to keep them up to date is ridiculously expensive. I prefer free with ASSP.

Additionally I have a serious problem with the backscatter they cause. They should reject mail at SMTP time and not bounce them.

But Barracuda support is very very good. Very responsive and timely and overall a good people orgaization which can make the difference for wanting to deal with them.

Re:

[Lershac]

Ah but that just addresses the symptom and not the fundamental problem. You should NEVER accept and email and then not deliver it without a bounce. If a message is spam, decide so at transaction time and terminate the transaction with a failure code.

Email systems that do not do this, yet do not send a bounce message "break" email. Possible to get a false positive and block a legit email with no error message back to sender. This is never a desired operation. If the message get a spam designation and th

Re:Barracuda SPAM filter

[Arrogant-Bastard]

There are multiple, very serious problems with Barracuda appliances. I've already commented on their propensity to generate backscatter elsewhere in this thread. They're also poorly supported, have systemic security issues, may have privacy implications (since Barracuda personnel have unauditable access to your mail stream), are expensive, use community resources such as DNSBLs in ways contrary to those resources' policies, and do not use current best practices in spam control. (This last is unsurprising given that Barracuda personnel do not participate in the discussions and consensus-building which generates those BCPs.)

Consider as well that the Barracuda appliances consist of (a) an open-source operating system (b) an open-source MTA (c) an open-source web server (d) an open-source spam scanner (e) an open-source virus scanner (f) other pieces of open-source software and (g) use community-mintained DNSBLs and RHSBLs. This is all held together with proprietary (closed-source) code, mostly for the purpose of providing a poorly-designed GUI interface. Any competent email system administrator should be able to create their own near-equivalent in an afternoon; it's not difficult. Such homebrewed creations have repeatedly been shown to vastly outperform Barracudas on multiple metrics, including cost, scalability, customization, security, and perhaps most importantly -- adaptability to new spammer techniques. (Barracuda is years behind the times and falling further back.)

It's very tempting to "just buy an appliance" and consider the problem solved, but it doesn't work. There's no substitute for expertise -- and given that much of that expertise is available for free, for the asking, on lists such as spam-l and spamtools and so on, it's difficult to understand why anyone would choose not to avail themselves of it.

Re:

[mortonda]

I'm a little biased, but Maia Mailguard is a great way to focus that expertise, and we've had many people prefer us over Baracuda.

Maia's greatest strength is user based quarantine caches to help spread the load of watching for those few misclassifications (very few) and because it's all open source, you can use the very best of the spamassasin modules, and MTA level checks such as policyd, greylisting, RBL's....

It's the ultimate in configurability, and scales from my own personal mail server up to fortune 5

Re:

[ewwhite]

What's your time worth? Of course the Barracuda utilizes open-source solutions and *could* be better.... However, the time involved in maintaining and managing those solutions may not be worth it. For me, following the initial configuration and bayesian setup, the Barracuda hasn't required much in the way of administration.

Re:

[oglueck]

Thanks for this post. I didn't even know what Barracude is until today. But I know that I have had the following header check in my postfix for a long time:
/^From: Barracuda Spam Firewall/ REJECT Stop bouncing spam to faked sender addresses, you idiots

Re:

[atamido]

I'll just add another "Me too." We purchased a Barracuda Spam Filter, and it's been working quite well. You also have the option of integrating with LDAP/Active Directory and letting users check their own spam lists if they think they missed something. I believe there is even an Outlook integration client, but I haven't used it.

Another nice thing is that it has a virus filter which is an excellent first line of defense. It means those virus emails don't create an extra load on the Exchange server by mak

Re:Barracuda google Apps is better

[kurt555gs]

Sorry, but now that I have been using Google Apps for email, if you have up to several hundred people, you are just plain nuts to do your own email.

Why would you even want to?

Do not discount what Google Aps does before you try it.

I used to have my own email servers, .... no more, no way.

Re:

[theshowmecanuck]

Sure... if you want another company in possession of your company's email. How do you know the other company won't look at sensitive emails? Just because 'they shouldn't' or 'they say they won't', doesn't mean someone there won't. Heck, if people are looking up Obama's and others' passport info in the government, I would be willing to bet that someone at a third party email provider has looked at someones sensitive email. What if they get wind of a business deal on a subject they may have a business int

Re:

[TheLink]

We use them the company I work for, and:

1) They don't seem much better than the usual OSS antispam stuff
2) They seem to generate bounces
3) I've had a false positives to _work_ _related_ stuff I sent from home to office. I do NOT write like a spammer (if spambayes can tell and barracuda can't, it's a waste of money).

Example of 2) + 3):
Your message to: <redacted>@<redacted> was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED: Subject: Contract of

Re:

[Nethead]

I installed four Barracudas for a large real estate firm (10k+ users) and they were wonderful. This was for users that like to advertise their email addresses as much as possible and for whom the subject line "mortgage" is quite valid. The 'cudas have some good clustering features too which allow you to deal with load and failures. The report screens and emails make the bosses happy. A good admin could build all the tools in a Barracuda but they have already done that well and have packaged it together

dajones70

[Anonymous Coward]

Use MailScanner with the MailWatch GUI and after a few weeks or so of monitoring and tweaking, it will run on autopilot and you can sleep well. http://mailscanner.info I have it running on a number of small businesses and they are very happy with it.

Re:

[Linker3000]

Absolutely MailScanner - thread over!

http://www.mailscanner.info/ [mailscanner.info]

Our organisation runs 5 Linux Servers around the UK for mail services and they are all using MailScanner + Postfix + SpamAssassin + ClamAV + Bitdefender.

Great installation instructions (all-but bitdefender) here: http://www.hughesjr.com/content/view/14/ [hughesjr.com]

The mailing list for MailScanner is very well supported by the users and the devs.

email != IM

[Viraptor]

> maybe an important time-sensitive email never gets to its intended recipient

When will users learn...
Email is not instant messaging - with bad greylisting / random connection reset / busy server, you can get >=2 hours delay. And it's normal.

Re:email != IM

[cfulmer]

Your assessment of the current state of email is correct. But, blaming users for using it to fill a need when there is no realistic alternative is silly.

email is ubiquitous and easy. 99.5% of the time, it's nearly instantaneous. Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

Re:email != IM

[SCHecklerX]

Businesses shouldn't be using those for internal communications anyway. Set up a jabber or irc server internally for that.

Re:

[phoenixwade]

Your assessment of the current state of email is correct. But, blaming users for using it to fill a need when there is no realistic alternative is silly.

email is ubiquitous and easy. 99.5% of the time, it's nearly instantaneous. Should I really have to get an IM account on google, yahoo, aim, microsoft, etc.... so I can deal with time-critical messages? And, for that matter, should everybody else?

if it's time critical, pick up the phone or send a fax, and IM, a text message, or use features in one of the groupware offerings, there are viable alternatives in the wild, using old and new technology.

The simple fact of life is that if you depend on eMail for time critical message transfer, then you will, sooner or later, get burned.

Re:

[BenoitRen]

I argued yesterday with someone I know on the Internet about exactly this. Said person always leaves his computer on with AIM open to "collect messages". When told this is what e-mail is for, the reply was that e-mail isn't always instantaneous. This is not true unless you're on Hotmail.

To paraphrase: "What if my girlfriend wants to tell me she will be a bit later, and her cell phone's battery is dead?".

He isn't the only one. I used to know someone else with the exact same excuse.

They don't have an AIM acco

Re:

[TheLink]

1) If you're not always on that computer, I don't see the difference in "isn't always instantaneous". Most sane email service isn't that slow.
2) You don't have to leave your IM on all the time to collect IM messages if you use Yahoo Messenger- you can receive offline messages. When you re-login, you get those messages.

Nowadays, in _theory_ MSN's IM (or whatever they are calling it this week) allows you to do that, but in my experience(I use both), they are a lot more unreliable than yahoo.

Re:

[BenoitRen]

That's a good point, thanks. I remember getting an offline message from a buddy on AIM upon signing in months ago, actually.

Re:

[wvmarle]

My business communication is largely done via e-mail. I use a little IM thought Skype (actually don't like it as it requires instant attention). E-mail is fantastic as it's asynchronous; you can read/reply very efficiently that way.
But when time is critical: I always will try to call that person. If that doesn't work, send an e-mail, and continue trying to call. When time is critical e-mail just doesn't do the job, not just because of the possible delays, but because you never know when the person on the o

Re:

[Dan541]

Email isn't intended to be used as instant messaging but it is instant in most case's I've tested my email in the past againsed MSN Messenger and sometimes it's faster.

So it's easy to understand why user's assume that the email is instant (Altho their still wrong to assume so), most email delays I've gotten have been with large amounts of attachments

Force keywords in the subject line

[therufus]

I've had to send emails to recipients within the Australian Defence Force (specifically, the Army), and every email sent from a civilian must include a keyword within the subject line. The keyword is to do with whether or not the information is classified or unclassified. Sure, getting all the clients to send all their emails with [companyname] in the subject line is a little annoying, and may not be possible depending on your circumstances, but the chances of spam having that keyword within it is virtually impossible.

Set up an automated filter whereby anything that doesn't have the keyword in the subject gets dumped into a spam box to be sorted later. If the senders do the right thing, it assures their emails will be directed to the correct person.

This is just one example of active spam filtering as opposed to the passive spam filtering used in IT today.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[wvmarle]

My filter keeps a list of known senders (those who are present in my saved e-mails), e-mails from those senders are delivered without filtering. Goes fine as most spam uses some random from: address these days, never had problems with that.
Then mails with a SpamAssassin score of 5-13 go into a spam box for manual sorting. That results in about 10% of my daily spam, or about 30-40 mails.
Anything with a score greater than that is sure enough to be spam, and gets ditched.
In rare cases (once a month or less)

Power to the people :)

[grantdh]

Whatever solution you get, the simple answer is:

1) Set up the system to put junk mails in a folder the user can see

2) Train the end user to check their junk mails

3) Show the user how to set the spam triggers high or low and what the implications are

If user says they're too busy/important, advise them that due to your workload, their email box will be added to the "manually checked list" which gets done once per week. Point out the impact of losing a time-critical email wrongly flagged.

Most times they do it themselves. For those who are dead set on having someone else do it, hire a temp or arrange for an office junior to do it.

If you're in IT, you have better & more important things to do than check for real mail in a junk mail box...

Re:

[paganizer]

BOFH, is that you?
Up until 2006 (I retired) I ran a in-house mail server (well, in-basement, actually) with about 250 users; when the SPAM started hitting the 200+ mark per day I figured the bandwidth savings alone would be a good reason to stop it as much as possible at the server.
I used ORBS, blocked all of asia-pacific net, and ran ASSP (Anti-Spam SMTP Proxy). After around 5 days of training I had SPAM down to maybe 3-5 a day per mailbox; I never could beat that number.

Re:

[phoenixwade]

I used ORBS, blocked all of asia-pacific net, and ran ASSP (Anti-Spam SMTP Proxy). After around 5 days of training I had SPAM down to maybe 3-5 a day per mailbox; I never could beat that number.

I'm managing a little better than that with Spamassassin, a few SARE rules and some tweaks to the scoring (mostly upping the scores on the RBL's) We seem to be averaging around 2/day/act for around 3000 user accounts.

The sacrifice is 2 or 3 false positives a month.

If I can get an acceptable handle on the backscatter problem we're currently dealing with, we can improve this, I believe.

Nothing's perfect...

[msauve]

As you've found, an automated system can be tuned, but you'll always have false positives/negatives.

I like the way spamassassin [apache.org] works - it can provide a rating for each message, which provides a mechanism for users to set the bar to their own preference, instead of having a single setting for the entire organization.

I'm not talking about using individual configurations for spamassassin, it's not realistic to expect most users to be able to deal with all the gory detail of spam filters.

Rather, spamassassin can set a header to indicate its confidence that a message is spam:

X-Spam-Level: ****

It adds an asterisk for each "point" of spam score. Users should be able to create an email filter which picks off suspected spam and puts it into a separate folder based on a header like that. Maybe drop all 10+ messages centrally, and let users tweak a local filter to their liking, depending on whether they prefer false positives or negatives.

I use spamassassin as an example only because that's what I use. There are no doubt others which can provide something similar which users could filter on.

Re:

[frisket]

My university uses SpamAssassin to rate all incoming mail for 18,000 student accounts and 3,000 staff/faculty, and prepend "***SPAM???" to the Subject header of all potential spam. Spam for student accounts is dropped on the floor; spam for staff/faculty is forwarded to their mailbox, and they have a local filter rule to put it into Junk or Trash or somewhere where *they* can check it.

I haven't had a false positive for over a year, and only a handful of false negs. The systems guys do a great job of keeping

Commercial Services

[Secrity]

You might want to consider using a commercial email filtering service, such as messagelabs.com.

MessageLabs sucks.

[khasim]

I had a problem with spam from one of their clients and they kept claiming that even though it came from one of their servers, it was not "from" them so they could not do anything about it.

Their tech support people really knew nothing of SMTP. Even when I mailed the headers to them, they still couldn't understand it. I had to spell it out for them.

Any legitimate "email provider" must have some way to handle complaints about their customers sending spam. MessageLabs did not.

Re:

[travisd]

Since messagelabs doesn't require that you relay your outbound thru them, it's entirely possible that they could, in fact, do nothing about the spam you were receiving. In SMTP, your inbound and outbound do not have to be the same path.

Re:

[travisd]

+1 on this. Let someone else deal with it. They have a whole lot of aggregate data to use to create their filtering, and it's what they do. Also, by having someone else do the filtering you don't end up paying for bandwidth and storage for the spam.

Postini

[chill]

Postini's anti-spam service does wonders. We use it for about 200 accounts and people love it. It works, rarely gets things wrong and is simple. IT (me) loves it because spam is no longer my problem. For a fee that would be less than my effort and aggravation is worth, they take care of it. We are currently investigating expanding use to compliance filtering and archiving as well.

For the record, Google purchased Postini in the not to distant past.

Re:

[SkyDude]

Postini's anti-spam service does wonders.

I would second that. My former employer went with Postini in 2003 and the management of spam became a piece of cake. I used to see about 2-3 false positives in my email each month, but it usually was due to the sender creating newsletters that were "spammy", in other words, had many spam characteristics. After several attempts to get them to test their emails on a testing site, they finally did and never got caught in the Postini filters again.

We had used SpamAssasin from 2000 until 2003 and while it w

Frontbridge Spamshark

[_Hellfire_]

How do larger organizations deal with the spam issue?

I used to work for a mining company you've heard of. Our department had responsibility for managing the email vendor, who used Spamshark to filter spam coming into the organisation. From my limited knowledge of the setup, Spamshark does basic blacklisting etc. but also does selective blacklisting on specific IPs when an email is flagged by a user. So Alice flags a message as spam, Spamshark figures out the message id, grabs the IP address it came from (it knows because it previously handled the email), and then blacklists that IP for a certain amount of time. Now this internal blacklist is then shared to all the other customers who use Spamshark, so they are now protected too; resulting in a 5 nines hit rate on spam.

Like I said we just handled vendor relations, and the above description might not be totally accurate, but this is what I gathered when we dealt with them. I also remember getting about 10 complaints of spam a month for an organisation with 10's of thousands of email addresses - so it was very effective.

Re:

[badger.foo]

> Now this internal blacklist is then shared to all the other customers who use Spamshark, so they are now protected too; resulting in a 5 nines hit rate on spam.

And more false posistives than you would actually like to have. I've been at the business end of one of Frontbridge's blacklists. One of the domains I admin got blacklisted a full three weeks after the hosting company screwed up and let phishers set up a paypal scam site as the "test1" user to live for all of 22 hours. Three weeks later, one of

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[_Hellfire_]

I don't know if it would be as simplistic as 1) get email 2) check for spam 3) if spam then blacklist host. If I was creating a spam firewall for use by large corps I'd employ some sort of hit counter and other funky mathematics to determine heuristically if the connecting server is an open relay; or if it is a closed relay relaying one or two dodgy messages.

Re:

[mrbooze]

Friends of mine in various retail businesses say it is *very* common for a few customers who actually requested to join their mailing list to report them as spam later. They have to deal with being blacklisted for their opt-in only mailing list 2-3 times a month.

Time to ditch GFI

[RichMeatyTaste]

The lack of OCR image scanning is reason enough to ditch GFI. My previous employer sold GFI for years but as it became less reliable we switched to SonicWall Mail Security appliances. They are less expensive than Barracuda, but the accuracy rate has been out of this world. A little secret: the devices don't enforce their license limits. No matter what size you buy (among the smaller units) the devices are the same. I've found that the device works fine as is, but if your company gets a lot of spam (say 200

Re:

[nguy]

Why not reject all messages containing images? Images in E-mail are almost always either for tracking, for spam, or for viruses.

OpenBSD spamd

[DaMattster]

I've had excellent results with this particular product. Spamd uses blacklisting, greylisting, and tarpitting. It really is delightfully evil and still makes me smile because it includes a fake smtp daemon which sets the tcp rcv window to 1. This is a kick in the nuts to the spammer. I've used it with resounding success at a client who was recieving 2000 spam emails a day. Prior to implementing spamd, we were using just a Barracuda. When I combined spamd and the Barracuda, spamd caught about 1975 of the spam messages and the barracuda took over from there. No false positives and we've been running for three months. This link details how to set it up, http://www.linux.com/feature/61103 [linux.com].

Subscription based anti-spam solution

[LinuxDon]

IMHO, in the long run a subscription based anti-spam solution is the only way to go. Spam is mutating every day and having to keep up with it yourself is an exhausting task. So you'll have to treat the spam problem as you do with viruses: purchase a subscription product that is updated daily.

We're using Astaro Mail Security (www.astaro.com), which works great. Spam is down to a minimum, and it delivers much better results than open source solution I had in place before that.
FYI: I receive about 300 spam mes

Re:

[SerpentMage]

>IMHO, in the long run a subscription based anti-spam solution is the only way to go. Spam is mutating every day and having to keep up with it yourself is an exhausting task. So you'll have to treat the spam problem as you do with viruses: purchase a subscription product that is updated daily.

I came to that conclusion about a month ago. I simply became too tired with all of the SPAM. I decided to go the route of hosted domain Google Email.

>In my personal experience, while I'm a big fan of open source,

ESVA all day long

[erroneus]

I've been running this for quite some time with fantastic results. It's a VMWare appliance.

Inside, there is greylisting and MailScanner. Within MailScanner, there is SpamAssassin, some RBL, ClamAV and all sorts of things.

For my organization, I find that in addition to everything else "stock" I can safely filter out all countries but the U.S. since we don't do business outside of our state, let alone our country... so it's safe to assume that anything from outside the US will be spam.

It is extremely effective. I have helped to get the VM set up in environments with multiple domains and it works very well too.

One problem with it is that it is rapidly aging. The user community has made some effort to get the VM up to date in some ways, but the 2.0 version as far as anyone can tell is still in discussion and planning. The project creator and leader is a one-man-show and he seems to have a life outside of this project for some reason. The user community is frantic to get something to replace the aging 1.7.1.5 machine we all use as the reference point for our installs.

This is largely a known-solved problem

[Arrogant-Bastard]

The place to ask this question isn't here, it's on the "spam-l" mailing list, which arguably has the highest concentration of the world's most experienced anti-spam researchers and developers. Simple techniques for tackling this have been repeatedly covered there over a period of many years, and their behavior is well-understood and predictable, making them viable choices for production systems. So I would suggest that you subscribe to that list (via listserv@peach.ease.lsoft.com) and repeat your question there, along with some indication of your MTA environment.

Meanwhile, here is some general guidance. First, do not waste your money on commercial products -- they're expensive, poorly-maintained, and in many cases (e.g. Barracuda) actually make the spam problem worse via backscatter. (There are now several thousand Barracudas on a communally-maintained blacklist, making it obvious to everyone working in this field that Barracuda is completely incompetent.) Second, do invest your money and time in open-source solutions: it is easy for anyone who possesses baseline competence in mail to craft their own, superior spam handling system using postfix or sendmail or another open-source MTA, DNSBLs, RHSBLs, judicious configuration, and other tools such as rbldnsd, mimedefang, SpamAssassin, ClamAV, and so on. Third, a little googling will reveal near-cookbook procedures for combining these pieces of software together into a useful system; which cookbook procedure is appropriate for you depends on your environment -- which brings me to the fourth point, which is that you need to perform log analysis in order to understand your particular mix of spam/not-spam. Everyone's is different, which is why one-size-fits-all solutions usually fail. Only after you have some clue about the size and shape of your problem will you be able to determine which approach(es) are likely to minimize both false negatives (FN) and false positives (FP).

As an aside, one set of highly effective anti-spam tactics involves enforcing RFC requirements that have been in place for many years: for example, all mail servers must have rDNS; that rDNS must resolve to a host which in turn resolves back to the IP; the domain of the host must exist; the host must HELO as a valid FQDN or bracketed-quad IP; the envelope-sender's domain must exist; the host must not HELO as you; the host must wait for the SMTP greeting before HELO'ing; the host must handle a multi-line SMTP greeting; the MX records for the host must point to valid IP space; and so on. Enforcement of these requirements yields differing rates of spam control (which is again why log analysis is crucial) but has the very valuable property that it can be done at low computational and bandwidth cost. Substantial experience with these suggests that enabling them and augmenting them with a few DNSBLs (especially the Spamhaus Zen zone) is enough to deal with the overwhelming majority of the spam problem at most sites, reducing what's left to a much smaller issue to be dealt with.

Re:

[SlamMan]

Barracudas have a checkbox to disable sending backscatter. Their documentation even recommends checking it.

Re:

[Arrogant-Bastard]

We know. We've known for years, and in fact it is the advocacy of the professional members of the anti-spam community which directly led to Barracuda's reluctant decision to change the default state of that checkbox. The problem is that this should not even be an option because -- as we are painfully well aware -- many people who do not fully understand the consequences of that checkbox will set it to the incorrect state, promptly begin spewing spam, and soon after get themselves blacklisted.

This is by

Re:

[Arrogant-Bastard]

I think "an hour a day" on average is entirely reasonable. I don't think an hour a day, every day, is.

The reason I take this stance is that shifts in spammer tactics and strategies require measurement and evaluation so that appropriate countermeasures can be deployed. As one trivial example: if a domain you handle mail for is the target of a concentrated backscatter attack, you may have to adjust SMTP connection acceptance rates or throttle back SMTP clients attempting delivery to many nonexistent addr

sender IP

[stabiesoft]

I've found filtering on sender IP to be very effective. Greylist IP's that don't match sender domain name, blacklist all unknown sender IP's and all dynamically assigned IP's. (Real companies don't use an ADSL or cable dynamic IP address). My latest tweak (and I'm not excited about adding it) is to do a check of the nameserver for the domain. If it is domaincontrol.com, I dump it. I guess the spammer's have figured out some of the registrar's will collude with the spammers for the 10 bucks per domain. After

Kind of obvious

[SCHecklerX]

Use whatever you want for your internal mail server, but use sendmail with miltering for your internet facing relays.

With sendmail, use mimedefang, spamassassin, and milter-greylist (actually that last can be implemented yourself in mimedefang, I just never had the time).

The nice thing about this solution is that it does not require you to pay some third party a huge amount of money each month, while doing exactly what they do (actually better), and it is fully customizable to fit into your environment (wan

that's actually a good solution

[nguy]

I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution

Actually, that strikes me as a good solution; it's certainly better than having other employees dealing with spam as part of their daily routine and losing 30 minutes/day for everybody in the company. And by centralizing it, you have the ability to pick the tools to make your work more efficient, as opposed to having 50 employees each fiddle with their own spam filters.

ASSP

[chipperdog]

I've found ASSP [asspsmtp.org] to be very effective in our organization of 150 mailboxes. Supports Greylisting, Bayesian filtering, SPF, RBL, REGEX, and more...It is a two-way filter, so recipients of mail sent from your organization will be whitelisted for a period of time, and SPAM is stopped at the SMTP level (resulting in a SMTP failure), so no messages should be lost...end users can submit spam messages by simply forwarding them to a specific address (e.g. asspspam@domain). All spam can also be sent to a specific ema

3 Steps

[v(*_*)vvvv]

This is just a simple guide compiled from my experience:

1. Do what you can on the server. I like to use SpamAssassin to add spam scores to beginning of subject lines, so they sort by score in my inbox (I use "/*_SCORE(0)_*/"). I also automatically delete anything over a score of 11, since the highest I've ever seen a legitimate email score has been "10.something". Realistically, anything above an 8 is the sender's fault and they need to do something about it and anything above an 11 you can safely blame the sender (you won't be the only spam filter deleting their emails).

2. Provide the tools on the client. ThunderBird's "spam marker" is a must, and because it learns from what you mark, you aren't just marking them in vain. Also, to deal with spam in real-time, instead of using the junk folder, I like using the "delete junk!" button from the "Buttons!" add-on. Incoming junk gets marked and marked as read, and after marking the spam the filter missed, I hit "delete junk". Very easy and quick. Pre-configure Thunderbird for everyone.

3. Educate and support. If you have 1 and 2 in place, then make sure everyone knows what you are doing and why you chose to do it. Write a short manual or something. Educate them about their tools. They also need to know NOT to publish their addresses.

The idea is to make spam highly visible, and to make it *quick and easy* to deal with. Knowing you've facilitated these two goals should be enough to impress your employer and earn the respect you deserve from everyone you serve :)

I spent a few days migrating 100,000 emails from Windows Mail, because it was horrible. Thunderbird is a godsend and the add-ons make all the difference. If there is something you dislike or want, chances are someone made an add-on for it.

btw 2000 messages is *not* a lot of spam. It will get far worse with time.

MessageLabs vs Google Apps

[nevali]

We use both MessageLabs and Google Apps for different domains.

Personally, I find the two pretty comparable in terms of spam filtering (Google lets less through, but has the odd false-positive, in MessageLabs' case, I-as an end-user-don't even SEE potential false-positives, which means ultimately I prefer Google).

PS. When is Slashdot going to fix UTF-8 handling of this poxy in-line comment box? Why can't I use â(TM) (apostrophe) or â" (em-dash)?

Spamassassin for dummies (nospamtoday)

[transporter_ii]

In a small business wanting to not devote a lot of time to this issue, we are using nospamtoday. There isn't anything perfect, and it isn't either, but it does a good job, is fairly priced, and is server side. Basically it is a front-end for spamassassin, with some RBLs and other measures used as well. Yeah, you could install spamassassin for free, but this gives you an easy installer and at least someone to e-mail if you have issues. And it is a one time fee, as there are no monthly or yearly subscription

Spamassassin

[Idimmu Xul]

We catch about 12,000 spam emails daily for our customers using just spamassassin, it took a bit of setting up but works fine and it's as accurate as my gmail account

SpamAssassin!

[tyldis]

I have made a virtual appliance I deploy to my customers, mainly in the 10-100 employee range.
It has Ubuntu server LTS-release, postfix, amavisd-new, postfix-policy-dæmon, clamav and spamassassin. It works really great, and I have have Postfix insert Exchange-compatible headers so that the users can use the features included in Outlook/Exchange.

Fully integrated, no quarantine management (other than the 'junk'-folder) and from what I can tell: no false positives and extremely low rate for false negative

Well, I can tell you about my decision. YMMV.

[jimicus]

I was faced with exactly this problem myself around October/November last year.

You've basically got three options:

1. Go for a completely outsourced service.

Pros: It's someone else's problem to look after.

Cons: A company of 50 staff will never be terribly important to such a service provider. Unless they provide an extremely good control panel and logs, sooner or later someone's going to ask where an email is and your answer is going to be "er... let me get back to you on that.... er... I don't know".

2. Go for an appliance - either in the form of a prebuilt lump of tin like the Barracuda system mentioned elsewhere or in the form of a precooked Linux installation which is literally just a matter of "insert CD, boot, tell it what it's IP address is and what domain it's providing email for".

Pros: Dead easy to set up. Most also provide a nice web-based UI.

Cons: The decent ones are almost universally commercial and you have to pay licensing fees on a per-active-email-address basis, which can get very expensive - particularly when the vendor won't tell you how their system decides how many email addresses are regularly active and the first you know that you're exceeding the license is when suddenly all the spam filtering is disabled.

If you look closely, expect to find that many of them are architected around a number of single points of failure. And in the real world, nobody is likely to check a web-based UI on the offchance that they find an email misclassified as spam sat there.

3. Roll your own. If you take this route, I can strongly recommend rolling it around an existing framework rather than following a bunch of complicated instructions to configure Postfix that you have to re-learn every time anything needs tweaking. This is the route I took, and I based it around MailScanner. MailScanner provides a framework for plugging in spam and virus filters and allows you to divide spam according to its score. Delete high scoring spam, let low scoring spam through with a note in the subject line that it's suspected spam and let non-spam straight through.

Pros: You get to keep a close eye on all the configuration, can keep close track of the logs and respond quickly to any issues. Your users can easily set up filters for spam (for that matter, so can you) and their "potential-spam" where misclassified mail may wind up is in their email client rather than a separate web-based system.

Cons: You need to become intimately familiar with every aspect of your email system in order to manage it effectively. I would argue that any self-respecting sysadmin should be intimately familiar with his email system anyway, but YMMV.

Manually inspecting?

[ocbwilg]

Are you freaking serious? You're manually inspecting messages tagged as spam looking for legitimate messages? Do you have to wipe people's asses for them too?

Most companies who have effectively dealt with the spam solution have implemented a product that can do filtering based on multiple criteria, and they don't worry about sifting through what was caught by the filters. There are many, many good products out there, but one of my favorites is called XWall. You can get it from www.dataenter.au. The t

Spamassasin? untangle?

[yorugua]

I'm using spamassassin + exim on mail relay gateways of a 2000+ email installation. It works great.

You need to add the dccproc ( http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dccproc.html [rhyolite.com] ) and razor ( http://en.wikipedia.org/wiki/Vipul's_Razor [wikipedia.org] ) plugins in order to use those "reputation" services, turn on bayes filtering, wait for 200 messages to be "marked" and there you go. If you have enough load, you might need to switch from the DB database backend to mysql. One thing you might be interested in is

Have you considered outsourcing?

[dlur]

I run a shop with around 50 users and growing. I looked at various options and did TCO estimates for them and looked at feature sets and easy of management. In the end I chose to outsource our SPAM filtering to a 3rd party, namely MX Logic [mxlogic.com].

The reasons for choosing outsourced filtering/MX Logic over an inhouse solution:

1) Cost: Less expensive than choosing a commercial inhouse solution that requires annual maintenance for our size of userbase (cost would have favored inhouse solution after around 150 us

Reasonable expectations

[rueger]

Fora small operation you really need to teach people to have reasonable expectations. Ten spam per day in your in box? Fifty? One Hundred?

Figure out what's a reasonable number and teach people that it's just one of those things that they'll need to deal with. No-one should expect that they'll never see any spam, or that no false positives will ever happen.

Whatever solution you choose make sure that there's a fast and easy way to search the filtered mail. At one point my former webhost switched spam

Use a service like MXLogic?

[walterbyrd]

A commercial service will probably do a better job of filtering spam than any in-house solution. Commercial services use very high-level processes, techniques, and software. Commercial services constantly update virus filters and the like. Such services are not that expensive.

Postini (Google)

[terminal.dk]

At work we scrapped the commercial product we were running ourself, and switched to Postini/ScanSafe/Google some months ago.

The results are way better than most I have seen. It is way better than ClearSwift MIMESweeper for SMTP, and at a lower yearly cost. It also beats the free software out there.

Only disadvantage: Since we do send outgoing through them as well, we not have any definitive log of delivery. But this can be provided by Postini when needed.

Whine, whine

[pclminion]

It's part of your job to get "bitched at." Try sucking it up and being a professional. These are complaints, not idiots bitching you out.

Postini

[222]

Nuff said. An org your size would have minimal expense, and its all pretty hassle free.

Re:Despite other issues

[Dan541]

Why do people keep suggesting gmail as a viable option?

It's really not that good.

Re:

[neokushan]

I'm not really "in the know" of what's good or bad when it comes to spam filtering packages, but in the years I've been using gmail, I'd estimate maybe less than 20 emails that have hit my inbox have been spam. It only happens to me once every couple of months and I get around 100 pieces of spam a day, so I'd say that's pretty good.
As for the "false positives", only the most dubious of mailing lists seems to get caught (I still regularly check my spam just in case) and when I report them as "not spam", they

Re:

[jelle]

"You can't just set up gmail accounts for everyone and call that a solution."

Of course... It's not like google offers special special services for exactly that" [google.com], either free or paid [google.com]...

Re:

[SerpentMage]

I have the option of running my own email server, or using Google hosting... It really is not that much anymore a matter of cost (reasonable). The reality is that SPAM is a ROYAL PAIN IN THE ASS!

GMail actually does a really good job. I am very impressed. So what I did was move our domain to hosted Google Apps. That gives you the benefit of your own domain, while still getting the look and feel of Gmail.

Besides their search business, this single feature of Google I find very compelling. Google REALLY knows h

My REAL problem with Gmail/Google Apps

[thatseattleguy]

Well, it's a two-edged sword.

I run email for several of my domains through Google Apps for Your Domain - essentially, Gmail. On my largest account, I get several hundred legit emails and 200-1000 spam messages each day. The problem isn't Gmail's filtering of this - it's actually damn good, with maybe 2-3 false negatives a week and maybe one false positive. Better than almost anything else I've seen.

The problem is that Gmail gives me NO options - as a user or domain administrator - to sift through the spam

Re:

[Dan541]

Someone's never heard of personal opinion I see.

ASSP is your answer

[Lershac]

I manage self-hosted email for several small-medium companies. ASSP is platform independent, low resource, and does a VERY good job. VERY very configurable, and free, open source, easy to modify, easy upkeep (almost zero action required beyond checking the logs to keep an eye on things) and free software.

In a company of about 75 email accounts it has blocked 4 million spams in a little over a year.

The false negative rate is so low it might as well be zero, and the false positive rate as well.

It uses among

Re:SpamAssassin

[Dan541]

I cast my vote for SpamAssassin.

When set-up with good rules and RBLs it blocks at least 99% spam with very low false positives (I've never had a false positive).

Send anything tagged as spam to another account such as spam@domain (I do this) then you can manually check for false positives to further reduce the chance of losing legit email. (or if a user complains that an email they expected never arrived)

Re:

[pclminion]

(I've never had a false positive).

How would you know?

Re:

[Dan541]

Why do RBLs suck?

You can't get on them unless your server sends spam.
Why would you take a client who has been blacklisted?

Re:

[RiotingPacifist]

Thats just apple sucking, while spam filtering sucks if your working on a whitelist you should get no-spam in your inbox but lots of emails in your spam box.
Last spam filtering i used was turning up false positives too often, although its been a while since i botherd with an automated system, i just relly on social engeniering now (dont give out my email to strangers, and use a webmail(yahoo as i had one lying about) for any signups.

Re:

[SCHecklerX]

As a sender, yeah. I'm sorry but unless you actually want mail from me, you're not going to make me jump through hoops to send it. This is a broken design. Not to mention all of the automated emails from online business transactions you would lose. Not a good idea.

Re:

[TheLink]

You sure your reject_non_fqdn_XXX causes no false positives?

I won't personally be that sure.

You have to do a bit more checking - e.g. try sending an email to a nonexistent user in some other company and see if you still receive bounces after your changes.

Imagine if your users make a typo and don't realize it till a week later, because they never got the bounce.

Re:

[amliebsch]

Second this! And I'm surprised nobody else has mentioned it. I've deployed this to several locations, and it works great. It's a very nice pre-built linux distro that includes all the network tools you'd need (it uses SpamAssassin with optional quarantines for spam filtering.) Best part is setup is a breeze. Just grab decent machine with two NICs, pop in the CD and boot. Easiest method is to put it between your WAN and your LAN, and set it to transparent bridging mode - zero network configuration and yo

Re:

[gmuslera]

Greylisting alone proved to be great... until Srizbi started to generate sizable percent of spam [marshal.com] (spambot very widely deployed, and that can handle greylisting rejects and retry).

Considering that 80+% of all spam is generated by botnets mostly in desktop PCs, not servers, using a blacklist that targets specifically personal pcs (home dsl, dynamic connections, etc, whatever NOT meant to be a mail server) like i.e. Spamhaus's pbl or zen (adds known/real servers used to send spam, closes the other hole in th