Anti-Spam for Exchange server

Discussion in 'NOD32 version 2 Forum' started by bdmc, Jun 1, 2007.

Thread Status:
Not open for further replies.
  1. bdmc

    bdmc Registered Member

    Joined:
    May 11, 2006
    Posts:
    55
    Hi Guys,

    We have NOD32 installed on our Exchange server, can anyone recommend any anti-spam solutions that will work well alongside NOD32?
     
  2. sasiki

    sasiki Registered Member

    Joined:
    Apr 24, 2007
    Posts:
    26
    What is your daily e-mail volume?

    I HIGHLY suggest some form of a Barracuda Spam Firewall appliance. The initial cost is between like $1,700 and $8,500 depending on which model you get. I have the spam firewall 300. Daily e-mail volume is 20,000.. it only allows between 500 to 700 of them through. The 'energize updates' run around $400 for 1 year, $750 for 2, and $1000 for 3 years.

    It's a great piece of equipment, but if you have low e-mail volume, I really don't see it worth the money. Ours is stored offsite in a data center. The spam e-mails never touch my network.

    As far as spam software goes, no clue really. Sorry =(
     
  3. bdmc

    bdmc Registered Member

    Joined:
    May 11, 2006
    Posts:
    55
    Sorry, should have mentioned, there's only 10-15 users. Probably only a few hundred emails per day. That sounds like some pretty serious overkill :)

    I have always used spamassassin for mail on linux - is there an equivalent for exchange?
     
  4. sasiki

    sasiki Registered Member

    Joined:
    Apr 24, 2007
    Posts:
    26
    A quick search on Google netted this result. http://technet.microsoft.com/en-us/exchange/bb288484.aspx

    It may be way out in left field, but I do not have an exchange server, so I'm probably not the guy you want making suggestions! Our company still runs on sendmail for unix. I'm crossing my fingers for Exchange next year.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I don't like using 3rd party software solutions on Exchange servers. However..if you want one, Cloudmark is widely considered one of the best.
    http://www.cloudmark.com/

    I prefer to use hardware appliances, such as Barracuda, Juniper, Sonicwall.

    One device we've been having success with lately is Endian...it's a linux distro router that has fantastic transparent proxy features such as antivirus, antispam, antimalware features built into it. I've mentioned it often in the firewall forum...it's a great UTM (unified threat management) setup...you build your own router with it. You get features, and performance, that will rival enterprise grade devices that cost well over 5,000 dollars US.

    Have you tried the IMF that is native to Exchange with SP2 for Exchange? It really does work quite well. I've had success using that, with Endian appliance. Best of all...pretty much zero cost.

    A methodology that I like to use with my clients...I've partnered up with a web/bandwidth host....he runs the DNS, and sets up smart hosts for my clients. Not pop3 mailboxes, but he "queues" up the mail...and forwards it to the Exchange servers I setup at clients. I set an ACL on the clients firewall...allowing port 25 to only be exposed to the webhosts IP address. This way...port 25 isn't exposed naked to the world...as 25 is a port to worry about. The webhost, while he queues up the mail...scrubs it of spam and viruses. A great value-add.
     
  7. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    GFi MailEssentials. Works beautifully, is extremely flexible and about $450 without maintenance for 25 mailboxes.

    I have roughly the same size organization you do, and we're blocking virtually all spam. We might be willing to put up with a few more false positives than most, mainly because of the system we have in place for dealing with them. I'd be happy to elaborate on that, if you want. However, in the past week, my users have reported a total of four missed spam and nine false positives out of an estimated 5,000 emails.

    Here's our basic strategy:

    On Exchange:

    1. Tar pitting
    2. Filter recipients who are not in the directory
    3. Filter sbl-xbl.spamhaus.org
    4. Filter bl.spamcop.net
    5. Filter dul.dnsbl.sorbs.net
    6. Filter dynablock.njabl.org

    In GFi MailEssentials:

    1. Phishing URI blocklist
    2. SPF fail and soft fail
    3. Whitelist: Populate automatically
    4. Bayesian: Automatically learn and retrieve updates
    5. DNSBL: sbl-xbl.spamhaus.org
    6. DNSBL: psbl.surriel.com
    7. DNSBL: list.dsbl.org
    8. DNSBL: pbl.spamhaus.org
    9. URI BL: multi.surbl.org
    10. URI BL: black.uribl.com
    11. Block *all* emails containing remote images
    12. Block specific stock symbols

    Virtually all of our false positives come from #11. It was a deliberate choice on our part. And, without a good method of handling false positives, I wouldn't use it. For #12, if a piece of spam makes it through and it includes a stock symbol in plain text, we blacklist the stock symbol. This doesn't happen often, but fast action here prevents a reasonable amount of spam. Although #2 has our second highest false positive rate, it blocks more phishing than #1.

    We use sbl-xbl.spamhaus.org both on Exchange and GFi, because Exchange only checks the sending mail server, whereas GFi checks every IP address in the message header. If any IP in the message header can be found on sbl-xbl there are very high odds that the message is spam. We'd rather block before the message is accepted, so that the sending mail server will generate an NDR, if necessary. However, where we can't, we'll block it with GFi.

    For the spam we catch by the various methods in GFi, here's the relative success and false positive rate (as a percentage of emails filtered by the given method):

    DNSBL: 45% / 0.2%
    Bayesian: 22% / 0.4%
    URIBL: 22% / 0.1%
    SPF: 6% / 2.7%
    Remote images: 3% / 43%
    Phish: 2% / 0%
    Keywords: 1% / 0%

    /jab

    P.S. Caveat: I'm not running NOD on Exchange. We're running Trend. However, I would be very surprised if NOD and GFi conflicted. GFi offers a free, fully functional demo in any case.
     
    Last edited: Jun 2, 2007
  8. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    Vamsoft ORF (http://www.vamsoft.com/) appears to work very well on my SBS 2003 installation running NOD32 alongside. Has tons of features but only costs $199 (£100) a year on a per-server basis. So in comparison with GFI's solution, you could have 50 mailboxes with ORF and it would cost you less than what GFI want.

    I've trialled all sorts, from GFI to MessageLabs, and of course ORF. I have to say ORF has blocked all the spam I receive over the course of a month. It uses DNS blacklists and even has the option to integrate with NOD32; but that aside, NOD32 works pretty well without the extra integration, which is really only useful for reports and logging into one central location.

    ORF doesn't quarantine any emails as it works off DNS blacklists and features GreyListing too. Although in my opinion it doesn't need to, as I have yet to see a false positive!

    ORF 3.x is available at the minute, but ORF 4.0 is being released soon which includes features such as MSSQL DB functions (to replace its current MS Access DB functions) amongst other features too. Version 4.1 which is said to be released a few weeks later will support Exchange 2007 and 64-bit operating systems too, all for $199 a year!
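    EvilDave mentions that ORF layers greylisting on top of its DNS blacklists without saying how greylisting works. The following is an added example of the generic greylisting scheme (temporarily reject the first delivery attempt for a new network/sender/recipient triplet, accept the retry a real MTA makes, then remember the triplet), written for this page and not ORF's code. The delay, retry window and whitelist lifetime are assumed values, the /24 keying and case-folding are my choices, and the clock is injected so the replay runs offline.

```python
# Added example, not ORF's code: the generic greylisting scheme that ORF is said
# to implement. Delay, window and whitelist lifetime are assumed values.
import time

MIN_DELAY = 300                  # a new triplet must wait this long before a retry is accepted
RETRY_WINDOW = 4 * 3600          # a pending triplet older than this is forgotten and starts over
WHITELIST_TTL = 36 * 24 * 3600   # a verified triplet stays whitelisted this long after last use
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, clock=time.time):
        self.clock = clock      # injected so a test can move time forward
        self.pending = {}       # triplet -> first-seen time
        self.verified = {}      # triplet -> last-seen time

    @staticmethod
    def triplet(ip: str, sender: str, rcpt: str) -> tuple:
        # Key on the sender's /24 rather than the exact host: large sites often
        # retry from a neighbouring machine in the same outbound pool.
        net = ".".join(ip.split(".")[:3])
        return (net, sender.lower(), rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str) -> str:
        now = self.clock()
        key = self.triplet(ip, sender, rcpt)
        last = self.verified.get(key)
        if last is not None and now - last < WHITELIST_TTL:
            self.verified[key] = now        # known-good triplet: refresh and accept
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now         # first sight (or a stale entry): defer
            return TEMPFAIL
        if now - first < MIN_DELAY:
            return TEMPFAIL                 # retried too soon: still defer
        del self.pending[key]               # a real MTA queued and retried: promote
        self.verified[key] = now
        return ACCEPT


def scenario() -> list:
    """Replay one sender through every state with a fake clock; returns the codes seen."""
    t = [1_000_000.0]
    g = Greylist(clock=lambda: t[0])
    out = [g.check("198.51.100.77", "news@example.net", "user@example.org")]    # new: deferred
    t[0] += 60
    out.append(g.check("198.51.100.77", "news@example.net", "user@example.org"))  # too soon
    t[0] += MIN_DELAY
    out.append(g.check("198.51.100.78", "News@Example.net", "user@example.org"))  # same /24, case-folded: accepted
    t[0] += 3600
    out.append(g.check("198.51.100.77", "news@example.net", "user@example.org"))  # whitelisted
    out.append(g.check("203.0.113.9", "bot@example.com", "user@example.org"))     # one-shot sender: deferred, never returns
    return out


if __name__ == "__main__":
    print(scenario())
```

The cost of the scheme is the one EvilDave's "no false positives" remark glosses over: first contact from any new legitimate sender is delayed by at least MIN_DELAY, and a sending MTA that does not retry on a 4xx (some web-form mailers, and most spam engines) never gets through at all.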
     
  9. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    To clarify the GFi pricing, it was $450 for the license purchase, which is perpetual. Maintenance, which is optional, is $90 per year after the first three months. There is an optional feed of updates for the Bayesian and phishing filter at $85 per year, but I haven't found it to be particularly valuable in my installation.

    So, breakeven vs. Vamsoft ORF is 4.75 years, including the $90 per year maintenance.

    Regardless, I wouldn't let price in this range deter you from either product. Trial them both, if you are so inclined, and keep the one that works best.

    /jab
     
  10. espsgroup

    espsgroup Registered Member

    Joined:
    Jun 13, 2007
    Posts:
    2
    JAB, we have GFI front-ending Open-Xchange right now, and while I'm mostly happy with the setup, we do seem to get a lot of spam coming through. Our Open-Xchange box runs SpamAssassin and it catches one here or there that GFI should be getting. I just saw one come through with a URL from multi.surbl.org. GFI should have caught that since I'm pretty sure I have that site listed.

    We're migrating to Exchange this weekend, and I'm just going over my GFI stuff now. How did you implement GFI, on an Exchange server or just SMTP? I'm considering creating an additional Front-end Exchange server just to run GFI. My only problem would then be migrating my current GFI SMTP setup to another box. I don't know if you can just copy stuff and carry over the white-list, black-list, Bayesian database, etc.

    I'm running Avast for Exchange.

    Jeff
     
  11. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    Not sure what to tell you about the multi.surbl.org issue, except that I think GFi has some pretty stringent timeout limits on queries. If it doesn't get a result back quickly, it moves on to the next filter. This isn't usually a big problem, but it can explain oddities like what you saw. For this reason and for things like sbl-xbl and goodness in general, it's important to ensure that you have at least two DNS servers to query and that each DNS server queries different (and preferably independent) forwarders when first attempting resolution.

    I have GFi running on Exchange. All I can suggest is trying the configuration I listed above without the remote image filter. Unless you receive a lot of email from residential ISP mail servers, the rest of the filters don't generate many false positives.

    I'm fairly well convinced that one of the keys to the good performance of our GFi setup is that we feed every piece of successfully filtered spam back into the Bayesian training folder. This allows spam filtered through something like sbl-xbl to be caught by Bayesian if it's being sent by a non-blacklisted server. We also give every false positive back to the Bayesian filter as training.

    Finally, we whitelist every false positive. If the sender publishes an SPF record and the domain is only used by employees of the sender (i.e., don't whitelist hotmail.com :), we whitelist their domain. Otherwise, we just whitelist the sender.

    I believe you can carry the white list, black list and Bayesian over, but you may need some pointers from GFi on where the databases are located.

    /jab
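    The DNSBL/URIBL mechanics JAB describes across his two posts above, as an added example that is not code from the thread, from Exchange or from GFi: the connection-time check that sees only the connecting server's IP (what Exchange's filter does, and why rejecting there leaves the NDR to the sender), the post-acceptance pass that checks every IP in the Received headers and every URL domain in the body against the zones he lists, and the point from his later post that a lookup which times out must be recorded as "unknown" rather than treated as clean. The resolver is a constructed lookup table so the script runs offline, both messages are hand-written, and the internal-range list, the two-label domain reduction and the verdict rule are my assumptions.

```python
# Added example, not code from the thread, Exchange or GFi: the DNSBL and URIBL
# checks JAB describes, run against a fake resolver so the script works offline.
import email
import ipaddress
import re
from email import policy
from typing import Callable, Optional

IP_ZONES = ["sbl-xbl.spamhaus.org", "pbl.spamhaus.org"]   # zones named in the thread
URI_ZONES = ["multi.surbl.org", "black.uribl.com"]
# Internal hops never appear on a public list; skipping them saves a slow query.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
Resolver = Callable[[str], Optional[str]]  # name -> A record text if listed, None if not

class LookupTimeout(Exception):
    """Raised by a resolver that gave up: the check is 'unknown', never 'clean'."""

def dnsbl_name(ip: str, zone: str) -> str:
    """IPv4 reverse-octet form: 192.0.2.10 on zone Z becomes 10.2.0.192.Z."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def query(name: str, resolver: Resolver) -> str:
    try:
        return "listed" if resolver(name) is not None else "clean"
    except LookupTimeout:
        return "unknown"

def smtp_time_check(peer_ip: str, resolver: Resolver) -> str:
    """Exchange's connection filter sees only the connecting server; rejecting
    here leaves any NDR to that server, which is why JAB prefers it."""
    for zone in IP_ZONES:
        if query(dnsbl_name(peer_ip, zone), resolver) == "listed":
            return "reject"
    return "accept"

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def received_ips(msg) -> list:
    """Every public IPv4 in every Received: header, top-down, deduplicated."""
    out = []
    for hdr in msg.get_all("Received", []):
        for ip in _BRACKET_IP.findall(hdr):
            if ip not in out and not any(ipaddress.ip_address(ip) in n for n in INTERNAL):
                out.append(ip)
    return out

def body_domains(msg) -> list:
    """Domains of http(s) URLs in text parts. Two-label reduction is an assumed
    shortcut; real URIBL clients use a public-suffix list (think example.co.uk)."""
    out = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for host in _URL_HOST.findall(part.get_content()):
                dom = ".".join(host.lower().rstrip(".").split(".")[-2:])
                if dom not in out:
                    out.append(dom)
    return out

def classify(raw: bytes, resolver: Resolver) -> dict:
    """Post-acceptance pass as JAB describes GFi doing it: every header IP and
    body domain against every zone, with timeouts kept apart from clean results."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    checks = [(ip, z, dnsbl_name(ip, z)) for ip in received_ips(msg) for z in IP_ZONES]
    checks += [(d, z, d + "." + z) for d in body_domains(msg) for z in URI_ZONES]
    hits, unknown = [], []
    for subject, zone, name in checks:
        result = query(name, resolver)
        if result == "listed":
            hits.append((subject, zone))
        elif result == "unknown":
            unknown.append((subject, zone))
    verdict = "spam" if hits else ("unknown" if unknown else "ham")
    return {"verdict": verdict, "hits": hits, "unknown": unknown}

# Constructed data: a fake list table and two hand-written messages.
LISTED = {dnsbl_name("198.51.100.77", "sbl-xbl.spamhaus.org"): "127.0.0.4",
          "spamvertised.example.multi.surbl.org": "127.0.0.8"}

def fake_resolver(name: str) -> Optional[str]:
    if name.endswith("black.uribl.com"):  # stand-in for a list that is slow to answer
        raise LookupTimeout(name)
    return LISTED.get(name)

SPAM = b"""Received: from relay.example.net (relay.example.net [198.51.100.77])
\tby mx.example.org with ESMTP; Sat, 2 Jun 2007 10:00:00 +0000
Received: from [192.168.1.5] by relay.example.net; Sat, 2 Jun 2007 09:59:00 +0000
From: sender@example.net
Content-Type: text/plain

See http://www.spamvertised.example/offer
"""
CLEAN = b"""Received: from mail.example.com (mail.example.com [203.0.113.9])
\tby mx.example.org with ESMTP; Sat, 2 Jun 2007 10:05:00 +0000
From: friend@example.com
Content-Type: text/plain

Notes are at http://www.example.com/minutes
"""

if __name__ == "__main__":
    print(smtp_time_check("198.51.100.77", fake_resolver), classify(SPAM, fake_resolver))
    print(classify(CLEAN, fake_resolver)["verdict"])  # "unknown", not "ham"
```

Two things the fake resolver makes visible: the internal hop at 192.168.1.5 is never queried, and the message that is clean on every list that answered still comes back "unknown" because one zone timed out. A filter that collapses "unknown" into "clean" is exactly how a listed URL slips past a configured URIBL, which is the oddity the earlier post asked about.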
     
  12. espsgroup

    espsgroup Registered Member

    Joined:
    Jun 13, 2007
    Posts:
    2
    Thanks for the info Jab. I think I will go ahead and migrate from SMTP to Active Directory/Exchange. I think it will integrate better with the user by sending spam directly to the Junk folder in Outlook, etc.

    Thanks for the information!
     