Educause Security Discussion mailing list archives

Re: Recommendations on Email Filtering System


From: Ben Spencer <ben.spencer () MOODY EDU>
Date: Mon, 10 Dec 2007 12:32:46 -0600

We also are using a homegrown solution (I will include the details below for
those who care). The solution which works best for you will depend on what
you are comfortable with. We come from largely a UNIX background, so GUIs
are optional for us and we know how to parse logs to generate reports.



There really are some nice solutions out there. Christopher (Webber) pointed
out that they use Ironport as a lot of educational places seem to. One of
their selling points is no/little administration. People seem happy with
them (at the same time, we didn't go with them).



Note that 500 email boxes (using 1 to 1 ratio of desktops to email accounts)
isn't always telling of how much load you will see. It has been noted that a
lot of appliances and services charge per mailbox though.



Overview of what we use: Grey Listing (whoohoo), ClamAV and SpamAssassin
(and a few others listed below). Our configuration comfortably supports
250K-300K delivery attempts per day going to an unknown number of email
addresses (valid addresses; never valid addresses; once upon a time valid
addresses).



More details:

First line of defense is Grey Listing. Love it. It has definitely cut down
on the number of system resources which are used further in the process.
(allows about 25% of the delivery attempts in for further processing with
few false positives)



Next is a milter which checks the HTTP links in the body against black
lists (denies another 41% of the 25% with some false positives/disagreement
on specific sites)



Next are SPF checks (which deny about 10% of whatever remains. Some false
positives/poorly configured sites)



-- At this point, we are left with about 13% of the original email delivery
attempts. --



Next this goes through ClamAV (hey, where are my stats for that? Oops.)



And finally the messages are marked by SpamAssassin.



There is a small portion of administration/maintenance to this (Updates,
tracking down messages which didn't make it which should have). Most systems
(except IronPort?) will require such maintenance and administration.



Benji

---
Benji Spencer
System Administrator
Ph: 312-329-2288

  _____

From: Anthony "Tony" Quigg [mailto:quiggt () TAMUG EDU]
Sent: Monday, December 10, 2007 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Recommendations on Email Filtering System



We are currently looking to replace our email spam/virus filter and would
like to hear what systems other people are using. After initial
investigation the price range for appliances and managed services varies
greatly so it is hard to determine what you are getting for your money. We
have around 500 desktops on campus.



One of the important factors (apart from stopping the spam and viruses) is
to be able to get decent reporting information such as the number and name
of quarantined viruses on a monthly basis. I have found that most
manufacturers do not have a lot of information about what reports are
available.



Feel free to email me directly if you don't want to inundate the list.



Any recommendations, good or bad experiences greatly appreciated.



Regards,

Tony Quigg
Computer Systems Manager
Texas A&M University at Galveston
200 Seawolf Parkway
Galveston, Texas 77553
(409) 740-4961




