[c-nsp] OT: How do you fight spam in your enterprise? I need help

Jason Gurtz jasongurtz at npumail.com
Fri Dec 28 14:35:18 EST 2007


> I should be glad that you share with me on how you manage and fight
> spam in your corporate networks.

For a small on topic addition I will start by saying this:  On any Cisco
device between your smtp gateway and the Internet, be sure to save "no
fixup smtp" to your config.  fixup smtp is buggy and will cause heartache
at some point.

Wow, I can't believe how many people are recommending the 'cuda!
Definitely do some additional research into this company's quality of
support and especially their technical competence, etc... before going
with this one!  'nuff said  ;)  Hint: search the SPAM-L archives...

Speaking of SPAM-L, it would be a good idea to join and lurk over there.
You'll learn a lot and hey, your question would even be On Topic there.

Control who accesses your SMTP infrastructure:
1. Use the BOGON list in your edge gateway/firewall device.

2. Selectively block IP ranges mentioned on SPAM-L as above

3. Use the Spamhaus ZEN RBL and 5xx reject anything matching at your
public mail exchanger

4. Consider greylisting...although the Ironport will not do this as of
yet, people report that it is still quite effective when properly
implemented.

5. Get rid of any backup mail exchangers you might have.

You will probably be rejecting close to 98-99% of spam just by doing the
above 5 things with virtually no false positives.  Content filtering on
the remaining sludge will eliminate almost all the rest.

Appliance type devices:
I can personally vouch for the Ironport.  We have found it to be extremely
effective both in terms of %spam caught and low false positives.  Once
set up it requires very little administration.  Unfortunately, it is also
extremely expensive (starts somewhere around $7K USD with support) so may
not be an option for many smaller shops.

At the old place (where the budget was small to the point of being almost
non-existent) I had rigged up an open source solution consisting of
sendmail and a milter known as MIMEDefang which ran ClamAV and
SpamAssassin and filtered SMTP according to certain rules.  It was
similarly effective to the Ironport here, but took a whole lot more admin
hours to manage.  The coup de grâce of the mess was MIMEDefang.
Unfortunately, like many powerful tools, it requires an extensive
knowledge (in this case Perl, Sendmail, and SMTP, and the many delicate
interactions in between) in order to get the best use out of it.  I hear
that some people now run MIMEDefang under Postfix, which must certainly be
higher performance.

The developer of MIMEDefang has a commercial product you may want to look
at called CanIT Pro.  Highly recommended and the company clue factor is
high.  The appliance version pricing is competitive with the bargain
basement 'cuda.

No matter what solution you choose, make sure it is capable of doing LDAP
lookups into your active directory in order to 5xx reject (NOT NDR
bounce!!!) mail to invalid users.  The latter 3 solutions can all do that;
I've no clue if the 'cuda can, though most don't. :(

Politics:
We here do not quarantine or drop spam.  Instead we tag the subject line
and have rules set up in the MUAs to filter the spam out of the Inbox.
This way the user is responsible for purging the spam.  Also, this way,
false positives, if any, are found more often than not w/o a help desk call.
As such, our primary I.T. burden with external mail is LARTing the
"innocent" yet generally clueless senders out there who wish to
communicate with us.  We try to be friendly :)

Finally:
If you don't understand mail, retain the services of someone who does.

~JasonG
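The SMTP-time controls recommended in the post above (a Spamhaus ZEN lookup with a 5xx reject, greylisting, and a 5xx reject of mail to unknown recipients instead of accept-then-bounce), as an added example that is not part of the original message or of any product it names. The ZEN zone name and the reversed-octet query format are the real ones; the resolver, the recipient directory (a plain set standing in for the LDAP/AD lookup), the greylist delay and expiry values, and all IP addresses and mailboxes are constructed for the example.

```python
# Added example: SMTP-time anti-spam policy checks from the post, as testable
# functions. Runs offline: DNS and the user directory are in-memory stand-ins.
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"   # real DNSBL zone named in the post
GREYLIST_DELAY = 300            # seconds a new triple must wait (assumed value)
GREYLIST_EXPIRE = 3600          # seconds before an unconfirmed entry is dropped (assumed)


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone name."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError for anything not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip: str, resolve, zone: str = ZEN_ZONE):
    """True if listed, False if not, None if the answer cannot be trusted.

    `resolve(name)` stands in for an A-record lookup and returns a list of
    address strings (empty for NXDOMAIN). A DNSBL hit is only meaningful when
    every answer is inside 127.0.0.0/8; anything else (a wildcarding resolver,
    a withdrawn zone) must not be treated as a positive listing.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return False
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return True
    return None


class Greylist:
    """Minimal greylist keyed on the (client IP, envelope sender, recipient) triple."""

    def __init__(self, delay=GREYLIST_DELAY, expire=GREYLIST_EXPIRE):
        self.delay, self.expire = delay, expire
        self.first_seen = {}   # triple -> time of first attempt (not yet confirmed)
        self.passed = set()    # triples that retried after the delay

    def decide(self, client_ip, sender, rcpt, now):
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire:
            self.first_seen[key] = now   # new (or stale) triple: ask for a retry
            return "defer"
        if now - first < self.delay:
            return "defer"               # retried too soon, keep waiting
        self.passed.add(key)             # a real MTA queues and retries; let it through
        del self.first_seen[key]
        return "accept"


def rcpt_reply(rcpt: str, directory) -> str:
    """Reject unknown recipients at RCPT TO time with a 5xx, never accept-then-bounce."""
    if rcpt.lower() in directory:
        return "250 2.1.5 Recipient OK"
    return "550 5.1.1 User unknown"


def smtp_policy(client_ip, sender, rcpt, now, resolve, directory, greylist):
    """Apply the checks in order and return the SMTP reply the server would send."""
    if dnsbl_listed(client_ip, resolve) is True:
        return "554 5.7.1 Service unavailable; client %s blocked using %s" % (client_ip, ZEN_ZONE)
    # A None (unusable DNSBL answer) fails open on the DNSBL; the other checks still run.
    reply = rcpt_reply(rcpt, directory)
    if not reply.startswith("250"):
        return reply                     # unknown user gets 550, not a greylist 451
    if greylist.decide(client_ip, sender, rcpt, now) == "defer":
        return "451 4.7.1 Greylisted, please try again later"
    return reply


# Constructed in-memory DNS: one listed test-net address, one bogus non-loopback answer.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.2"],
    dnsbl_query_name("192.0.2.11"): ["203.0.113.5"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


DIRECTORY = {"alice@example.com", "bob@example.com"}   # stand-in for the LDAP/AD lookup

if __name__ == "__main__":
    gl = Greylist()
    for t, ip, to in [(0, "198.51.100.7", "alice@example.com"),
                      (400, "198.51.100.7", "alice@example.com"),
                      (0, "192.0.2.10", "alice@example.com"),
                      (0, "198.51.100.7", "nobody@example.com")]:
        print(t, ip, to, "->", smtp_policy(ip, "x@remote.test", to, t, fake_resolve, DIRECTORY, gl))
```

The check order matters: the recipient lookup runs before the greylist so that mail to a non-existent user gets a definitive 550 rather than a 451 that a legitimate MTA would keep retrying, and a DNSBL answer outside 127.0.0.0/8 is treated as unusable rather than as a listing, which is the failure mode that bites sites whose resolver wildcards NXDOMAIN.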
