[c-nsp] OT: How do you fight spam in your enterprise? I needhelp

Ted Mittelstaedt tedm at toybox.placo.com
Thu Dec 20 06:02:57 EST 2007



> -----Original Message-----
> From: Andy Dills [mailto:andy at xecu.net]
> Sent: Thursday, December 20, 2007 2:37 AM
> To: Ted Mittelstaedt
> Cc: Pablo Almido; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OT: How do you fight spam in your enterprise? I
> needhelp
>
>
> On Thu, 20 Dec 2007, Ted Mittelstaedt wrote:
>
> > The expensive commercial spamfiltering solutions only make sense
> > for mid-tier ISPs, that is, the ISPs that have networks too big
> > for a single admin to do everything, but are not large enough to
> > be capitalized to the extent that they can hire a programming team
> > to just chase spam.  They have enough money to pay a commercial
> > firm to do it, but not enough money to hire a warm body and
> > put them on staff to do it.
>
> Our solution: FreeBSD boxes running postfix interfacing with amavisd-new,
> which scans the mail with ClamAV (with the additional 3rd party dbs), and
> also with spamassassin (with DCC, RAZOR, FuzzyOCR). L4 switch on the
> front, MySQL and NFS on the back...private DCC as well as DNS mirroring of
> the RBLs. Custom web interface for the customers to enable individual
> management of filter settings and white/black lists. Tools to monitor the
> queue sizes. I would consider this a very commonly used solution, it's not
> like we're doing anything special.
>

You can also use mailscanner instead of amavisd-new, and you can use
sendmail instead of postfix.

Another option is dspam.

I've run all of these.

You did forget one piece though - the hookup to have the BSD box
query the Exchange server via LDAP to see if an incoming recipient
actually exists on the Exchange server, and bounce it if the userID
doesn't.

> While installing, configuring, and tweaking everything from scratch does
> take every bit of 5 hours, perhaps several days if you aren't familiar
> with the process, implementing additional servers to accommodate the
> increasing load takes us less than 30 minutes, as they are implemented by
> booting the FreeBSD install disk, going into a fixit shell, mounting a
> fileserver, and restoring from a dump (changing a couple of
> config files).
> Takes about 30 minutes total, most of which is waiting for the restore to
> complete.
>

Until a new version of FreeBSD comes out in which case you have to
spend the 5 hours again loading everything to create your image server.

You also need to use identical hardware for your servers.

The Windows people do this with Symantec Ghost.  Novell also used to
have a utility that imaged disks.  You can just use dd; you don't
need to use restore.

Yes, there's lots of ways to skin the cat.

> I don't think the amount of time required to manage the actual mail
> infrastructure (the abuse mail being a separate issue) scales
> with volume,
> unless you implement a solution that doesn't scale.
>
> I would assume most of the companies using a commercial mail product are
> companies without technical talent.
>

I don't agree.  I think most of them have technical talent but they
are regarding mail as a nuisance.  Their talents are in other areas.
For sure, cable providers (comcast, etc.) are like this.  Their
main money is selling TV shows.  The Internet is a sideline they run
to get people hooked on the TV content.  If they have the technical
talent in the ISP side they might use it, but I would guess when
they are hiring, they are looking for technical people that know how
to deliver television shows first, Internet last.

We definitely make far more money building, installing and selling
mailservers to corporations, than selling mailboxes to ISP customers.
If we didn't have revenue coming in for building corporate mailservers,
I cannot imagine how it would be possible to justify spending money
on decent technical talent for ISP mail.  The economic return on it
just stinks.

Ted
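Added example (not from this thread or either poster): one common way to wire the recipient check Ted describes into Postfix, so the FreeBSD gateway asks Active Directory whether the address exists before accepting mail for the Exchange relay domain. Hostnames, base DN, the bind account and its password are placeholders; one practical difference from "bounce it" is that this rejects at RCPT TO time with a 550, so the gateway never queues a message it would later have to bounce (no backscatter to forged senders).

```ini
# /etc/postfix/main.cf (fragment) -- mail for example.com is relayed to
# Exchange, but only for recipients that exist in the directory
relay_domains = example.com
relay_transport = smtp:[exchange.example.internal]
relay_recipient_maps = ldap:/etc/postfix/ad_recipients.cf
# "yes" is the default: a recipient in relay_domains that is absent from
# relay_recipient_maps is refused with 550 during the SMTP session
smtpd_reject_unlisted_recipient = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# /etc/postfix/ad_recipients.cf -- the LDAP lookup table
# (server names, base DN and bind credentials below are placeholders)
server_host = ldap://dc1.example.internal ldap://dc2.example.internal
version = 3
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=example,DC=internal
bind_pw = PLACEHOLDER_PASSWORD
search_base = DC=example,DC=internal
scope = sub
# %s is the full recipient address; match either the primary mail
# attribute or any alias Exchange stores in proxyAddresses as
# "smtp:alias@example.com"
query_filter = (&(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s)))
result_attribute = mail
```

Before reloading, check a known-good and a known-bad address with `postmap -q user@example.com ldap:/etc/postfix/ad_recipients.cf`: the first should print the mail attribute, the second nothing.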
