Thanks everyone.   Besides the RBLs I've added some TLDs in the Reverse DNS 
sections.

If anyone has a cuda, here's the bulk edit I made of all the suggestions here.  
I added a couple more, there's 72 I think.


ends with,.accountant,Block,
ends with,.af,Block,
ends with,.ao,Block,
ends with,.asia,Block,
ends with,.ax,Block,
ends with,.az,Block,
ends with,.bar,Block,
ends with,.be,Block,
ends with,.bg,Block,
ends with,.bid,Block,
ends with,.biz,Block,
ends with,.black,Block,
ends with,.blue,Block,
ends with,.bn,Block,
ends with,.careers,Block,
ends with,.casa,Block,
ends with,.click,Block,
ends with,.club,Block,
ends with,.construction,Block,
ends with,.cricket,Block,
ends with,.date,Block,
ends with,.democrat,Block,
ends with,.download,Block,
ends with,.ee,Block,
ends with,.email,Block,
ends with,.faith,Block,
ends with,.fr,Block,
ends with,.guru,Block,
ends with,.help,Block,
ends with,.in,Block,
ends with,.info,Block,
ends with,.invoice,Block,
ends with,.juegos,Block,
ends with,.link,Block,
ends with,.lk,Block,
ends with,.loan,Block,
ends with,.lol,Block,
ends with,.lt,Block,
ends with,.mobi,Block,
ends with,.ninja,Block,
ends with,.party,Block,
ends with,.photography,Block,
ends with,.pl,Block,
ends with,.porn,Block,
ends with,.press,Block,
ends with,.pw,Block,
ends with,.racing,Block,
ends with,.review,Block,
ends with,.rocks,Block,
ends with,.rs,Block,
ends with,.science,Block,
ends with,.site,Block,
ends with,.solar,Block,
ends with,.space,Block,
ends with,.sucks,Block,
ends with,.th,Block,
ends with,.top,Block,
ends with,.trade,Block,
ends with,.training,Block,
ends with,.tw,Block,
ends with,.ua,Block,
ends with,.uno,Block,
ends with,.ve,Block,
ends with,.wang,Block,
ends with,.webcam,Block,
ends with,.website,Block,
ends with,.win,Block,
ends with,.work,Block,
ends with,.xxx,Block,
ends with,.xyz,Block,
ends with,.zm,Block,
ends with,.zw,Block,


Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Mark Gottschalk
Sent: Friday, December 18, 2015 12:50 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Barracuda Spam fw appliance

I just checked logs, and our filters have caught 13,366 spam in the past five 
days using the new top level domains alone (i.e. .mobi, .link, .xyz, .rocks, 
.click, etc).  This includes filtering both the connection ptr name as well as 
the sender's address field(s).  This is for a company with ~20 employees.
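
As an added example (not code from anyone on this thread, and not Barracuda's own matching logic), the following Python applies "ends with" rules in the bulk-edit format shown earlier to both the connection PTR name and the sender address, the two fields mentioned above. The field meanings, function names and sample connections are assumptions constructed for illustration.

```python
# A few rule lines copied from the bulk edit earlier in the thread. The field
# meaning (match type, pattern, action, empty trailing field) is an assumption.
BULK_EDIT = """\
ends with,.xyz,Block,
ends with,.click,Block,
ends with,.in,Block,
"""

def parse_rules(text):
    """Return [(suffix, action)] from bulk-edit lines, skipping malformed ones."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[0].lower() != "ends with":
            continue
        rules.append((fields[1].lower(), fields[2]))
    return rules

def normalize(host):
    """Lowercase and drop the trailing root dot so 'Mail.Example.XYZ.' still matches."""
    return host.strip().lower().rstrip(".") if host else ""

def sender_domain(address):
    """Domain part of 'user@host' or 'Name <user@host>'; empty string if none."""
    addr = address.strip().rstrip(">")
    return normalize(addr.rpartition("@")[2]) if "@" in addr else ""

def evaluate(ptr_name, sender, rules):
    """Return (action, field, suffix) for the first rule hit, else ('Allow', None, None)."""
    candidates = (("ptr", normalize(ptr_name)), ("sender", sender_domain(sender)))
    for field, host in candidates:
        for suffix, action in rules:
            if host.endswith(suffix):
                return action, field, suffix
    return "Allow", None, None

RULES = parse_rules(BULK_EDIT)

# Constructed sample connections (PTR name, sender address); not real traffic.
SAMPLES = [
    ("mail7.promo-blast.xyz.", "offers@promo-blast.xyz"),  # PTR hit, root dot stripped
    ("mx1.example.com", "News <deals@cheap-meds.CLICK>"),  # sender hit, case-insensitive
    ("smtp.example.co.in", "billing@example.co.in"),       # ccTLD rule covers a whole country
    (None, "user@example.org"),                            # no PTR record, no rule hit
]

if __name__ == "__main__":
    for ptr, sender in SAMPLES:
        print(ptr, sender, evaluate(ptr, sender, RULES))
```

Running a candidate list against a sample of known-good mail first shows which country-code rules, such as `.in` in the third sample, would block legitimate senders.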




From:        Caleb <caleb.po...@outlook.com>
To:        <ntsys...@lists.myitforum.com>
Date:        12/18/2015 09:35 AM
Subject:        RE: [NTSysADM] Barracuda Spam fw appliance
Sent by:        listsadmin@lists.myitforum.com
________________________________



I probably don't have the email volume that you receive, but I haven't seen 
that much additional spam. I do have the configuration tightly locked down, 
more so than you may be able to since we are not an international organization. 
I use with great success, bl.spamcop.net and zen.spamhaus.org as external RBLs 
with a block action.

I also filter quite a few attachments and block anything I can't scan. I have a 
couple of content filters I created to help catch stuff that was missed. I do 
block *.br, *.cn, *.ru but what really helped was blocking some of the new TLDs 
that have been released.

*.pl
*.zw
*.lk
*.mobi
*.tw
*.bg
*.lt
*.link
*.asia
*.top
*.click
*.in
*.pw
*.af
*.ao
*.ax
*.az
*.fr
*.rocks
*.ua
*.ve
*.xxx
*.xyz
*.sucks
*.porn
*.science
*.guru
*.ninja
*.construction
*.info
*.work
*.space
*.ee
*.be
*.club
*.webcam
*.party
*.wang
*.win
*.biz
*.date
*.faith
*.website
*.site
*.uno
*.review
*.racing
*.cricket
*.help
*.download
*.bar
*.bid
*.careers
*.email
*.bn
*.rs
*.th
*.blue
*.black
*.juegos
*.photography
*.solar
*.zm

This is a pretty cool website which details stats for the new TLDs. 
https://ntldstats.com/fraud


-----Original Message-----
From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Jake Gardner
Sent: Friday, December 18, 2015 7:18 AM
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com>
Subject: RE: [NTSysADM] Barracuda Spam fw appliance

Thanks guys.  I used to use them years ago and removed them for some reason.  I 
don't remember the reason so I'll add them back.


Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com


-----Original Message-----
From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Friday, December 18, 2015 11:07 AM
To: ntsysadm
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

+10 - RBLs help massively.

Kurt

On Fri, Dec 18, 2015 at 7:55 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:
> Take a look at adding some external RBLs to augment Cuda's.
>
> https://www.spamhaus.org/sbl/  and
> https://www.spamcop.net/fom-serve/cache/290.html
>
> From: listsadmin@lists.myitforum.com
> [mailto:listsadmin@lists.myitforum.com]
> On Behalf Of Jake Gardner
> Sent: Friday, December 18, 2015 10:54 AM
> To: 'ntsys...@lists.myitforum.com'
> Subject: RE: [NTSysADM] Barracuda Spam fw appliance
>
>
>
> I guess my question was if anyone else is seeing this type of increase.
>
>
>
> Is there a list of common regexes that I could use?
>
>
>
> Thanks,
>
>
>
> Jake Gardner
>
> IT Administrator
>
> 267-352-2020 Ext. 246
>
> www.ttcdas.com
>
>
>
> From: listsadmin@lists.myitforum.com
> [mailto:listsadmin@lists.myitforum.com]
> On Behalf Of Todd Lemmiksoo
> Sent: Friday, December 18, 2015 10:14 AM
> To: ntsys...@lists.myitforum.com
> Subject: Re: [NTSysADM] Barracuda Spam fw appliance
>
>
>
> I have a physical 400 and a virtual 300 in a cluster config. I also
> block .ru, .cn, .cz
>
> Ask your questions.
>
>
>
> On Fri, Dec 18, 2015 at 9:08 AM, Sean Martin 
> <seanmarti...@gmail.com> wrote:
>
> We have a couple of 800s, but they're second tier behind ProofPoint,
> so they don't see a lot of malicious traffic. What does slip through
> ProofPoint does appear to get caught by the Barracudas in most cases.
>
>
>
> - Sean
>
>
>
> On Fri, Dec 18, 2015 at 5:37 AM, Jake Gardner 
> <jgard...@ttcdas.com> wrote:
>
> Does anyone here use one?  We have a model 300 and lately we are
> getting absolutely hammered with SPAM that the 'cuda just won't catch.
>
>
>
> I have opened a few tickets with them about the issue and all they say
> is that my firewall is blocking the 'cuda from checking websites.
> I've checked my firewall and I don't see any blocks and the 'cuda is
> in a policy with no outbound restrictions.
>
>
>
> The only thing that seems to slow it down is rate control.  I turned it down
> to 20/30mins.   In the last 9 hours it controlled 3700 and only outright
> blocked 1450.    We see about 17k messages a day on average.  A couple
> months ago we were averaging 12k.
>
>
>
>
>
> Thanks,
>
>
>
> Jake Gardner
>
> IT Administrator
>
> 267-352-2020 Ext. 246
>
> www.ttcdas.com
>
>
>
>
>
> ***Teletronics Technology Corporation*** This e-mail is confidential
> and may also be privileged. If you are not the addressee or authorized
> by the addressee to receive this e-mail, you may not disclose, copy,
> distribute, or use this e-mail. If you have received this e-mail in
> error, please notify the sender immediately by reply e-mail or by
> telephone at 267-352-2020 and destroy this message and any copies.
>
> Thank you.
>
> *******************************************************************
>
>   
>
>
>
>
>
>
>
> --
>
> T. Todd Lemmiksoo
>
>
>