Educause Security Discussion mailing list archives

Re: Barracuda Spam Filter


From: CAROLE CARMODY <Carole_Carmody () BLOOMFIELD EDU>
Date: Mon, 25 Jul 2005 14:49:42 -0400

Why do you say that it is safe to assume that I misspoke and that I
meant to say that it is rejecting 90% of inbound mail as spam?  That is
not what I said nor what I intended to say. The Director of
Telecommunications at the College has said that (after looking at the
logs) he believes that of the spam that arrives at the College through
the e-mail system, only about 10% of all spam gets through as a result
of using the Barracuda.  Why is catching 90% of the spam pointless?  If
we don't catch 100% of the spam is this solution failing?





-----Original Message-----
From: Hall, Rand [mailto:rand () MERRIMACK EDU] 
Sent: Monday, July 25, 2005 2:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Barracuda Spam Filter

I think it's safe to assume that Carole misspoke and really meant to say
that the Barracuda is rejecting 90% of inbound mail as spam.

Indeed, only catching 90% of spam would be pointless.

Cheers,
Rand


-----Original Message-----
From: Information Security [mailto:infosecurity () UTPA EDU] 
Sent: Monday, July 25, 2005 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Barracuda Spam Filter

CAROLE CARMODY wrote:

We absolutely love the Barracuda.  We have been using it since March
and it has blocked about 90% of the spam coming in.  We would never
give it up!
 

We had (well, still have actually) a very effective content-based spam
filter that was tagging >99% of spam accurately with a tiny false
positive rate, but we scarcely receive any spam for it to tag any more
since we added greylisting to our repertoire.  The greylisting is
rejecting almost all the spam before it hits our mail server, reliably,
and we're lucky if we get one spam a day in our boxes now.  (But when we
do, it is correctly tagged by the content-based filter, which is
primarily based on SpamProbe, but which also uses a combination of
spamassassin and several dead accounts (spam traps) for self-training
the Bayesian recogniser.)

We're using OpenBSD + spamd for greylisting, but there are lots of
other solutions as well.  We just chose that one because it was
transparent and could be implemented independently of our existing
solution without too much disruption.  Turned out what was intended
as a trial was so successful that we just left it in place.

When you get into the 100's of spams per day level (per person),
you'll find that a filter that is only 90% effective is not really
acceptable.

Anyway, we don't have a spam problem any more.  I cannot recommend
greylisting as a technique highly enough.  We made some small
adjustments during the first week, and it's been working great on
autopilot ever since.  We had been worried we might lose some legit
mail but it has not been an issue.

Incidentally the spam filter also checks for viruses at the same time,
using two independent virus checkers (uvscan and clamav).

With the exception of uvscan, which we happened to get anyway with
our desktop AV contract, what we're doing is all open source.  Biggest
cost has been hardware to run it on.  If we'd done the greylisting
first, though, we would not have needed as beefy hardware as we
actually bought.  Rejecting connections before they hit the spam filter
has dropped our load averages considerably - probably extending the
future capacity of the machines by a couple of years.


Graham
