RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Jake Gardner
We’ve had ours for about 7+ years. It’s the last few months that have me 
pulling my hair out. Our Fortigate has been good to block viruses before they 
get to the cuda. I don’t think our config is all that far from defaults.

I have all levels of Intent Analysis enabled.
Image analysis is on
Bayesian was not in use but I have been working on training it the last couple 
of weeks.
Rate Control is actually 15/30 (I forgot I turned it down further yesterday.)
I have some blocked domains but the new campaigns are changing the domains by 
the hour. There have been 8 different bursts in the last hour.
I’ve started to add some of the subject lines but not heavy with patterns. I 
know I need to up my game with this part.
rDNS blocks may not be suitable as we do business internationally.

I just enabled blocking of no PTR records.  Hopefully this helps.




Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Friday, December 18, 2015 9:52 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

I have one that does a pretty good job with everything but friggin' macro 
viruses in Office documents.  We have had one in place for about 11 years, so 
it is highly tuned for our environment.  I also do a lot to block .ru, .cn, 
.in, etc straight out of the gate before the Barracuda's inspection even begins.

Shoot some specific questions about configuration settings to the list if you 
like, and I can check how I've got mine setup.

Also, primarily for the macro virus issue, we're adding Proofpoint to the mix 
in the next few weeks.  I'm still going to keep the Barracuda, but everything 
inbound will go through Proofpoint first.


On Fri, Dec 18, 2015 at 9:37 AM, Jake Gardner <jgard...@ttcdas.com> wrote:
Does anyone here use one?  We have a model 300 and lately we are getting 
absolutely hammered with SPAM that the ‘cuda just won’t catch.

I have opened a few tickets with them about the issue and all they say is that 
my firewall is blocking the ‘cuda from checking websites.  I’ve checked my 
firewall and I don’t see any blocks and the ‘cuda is in a policy with no  
outbound restrictions.

The only thing that seems to slow it down is rate control. I turned it down to 
20/30mins. In the last 9 hours it controlled 3700 and only outright blocked 
1450. We see about 17k messages a day on average. A couple months ago we 
were averaging 12k.


Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com



***Teletronics Technology Corporation***
This e-mail is confidential and may also be privileged. If you are not the 
addressee or authorized by the addressee to receive this e-mail, you may not 
disclose, copy, distribute, or use this e-mail. If you have received this 
e-mail in error, please notify the sender immediately by reply e-mail or by 
telephone at 267-352-2020 and destroy this message and any 
copies.

Thank you.

***
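Added example, not Barracuda's implementation and not code from anyone on the list: a per-source sliding-window limiter modelling the Rate Control setting Jake describes (a maximum number of connections per source IP per 30-minute window; his 20/30 and 15/30 values). It assumes, as labelled in the code, that over-limit connections are deferred with a temporary failure rather than rejected, which fits his logs showing far more connections "controlled" than outright blocked. The connection logs are constructed; the TEST-NET addresses stand in for real senders. The three runs show why rate control only slows a campaign that rotates sending hosts: the same 25 connections spread over 25 sources all pass.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List


class RateControl:
    """Sliding-window limit on accepted connections per source IP."""

    def __init__(self, limit: int = 20, window_minutes: int = 30) -> None:
        self.limit = limit
        self.window = timedelta(minutes=window_minutes)
        self._accepted: Dict[str, Deque[datetime]] = defaultdict(deque)

    def decide(self, ip: str, when: datetime) -> str:
        """Return 'accept' or 'defer'. Only accepted connections count toward the
        limit; a deferred connection (assumed here to get a 4xx temporary
        failure, so a real MTA retries later) is not remembered."""
        window = self._accepted[ip]
        while window and when - window[0] >= self.window:
            window.popleft()  # drop connections older than the window
        if len(window) >= self.limit:
            return "defer"
        window.append(when)
        return "accept"


def make_log(n: int, ips: List[str], start: str = "2015-12-18T09:00:00",
             step_seconds: int = 20) -> List[str]:
    """Constructed log: n connections, step_seconds apart, cycling through ips."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step_seconds)).isoformat()} {ips[i % len(ips)]}"
            for i in range(n)]


def replay(log_lines: List[str], limit: int = 20, window_minutes: int = 30) -> Dict[str, int]:
    """Run a '<iso timestamp> <ip>' log through the limiter and count actions."""
    rc = RateControl(limit, window_minutes)
    counts = {"accept": 0, "defer": 0}
    for line in log_lines:
        stamp, ip = line.split()
        counts[rc.decide(ip, datetime.fromisoformat(stamp))] += 1
    return counts


# One source hammering: 25 connections in under 10 minutes.
BURST_ONE_SOURCE = make_log(25, ["192.0.2.10"])
# The same 25 connections spread over 25 sources ("snowshoe"): each stays under limit.
BURST_SNOWSHOE = make_log(25, [f"192.0.2.{i}" for i in range(10, 35)])
# One source pacing itself, one connection every 2 minutes: the window never fills.
PACED_ONE_SOURCE = make_log(25, ["192.0.2.10"], step_seconds=120)

if __name__ == "__main__":
    for name, log in (("one source", BURST_ONE_SOURCE), ("snowshoe", BURST_SNOWSHOE),
                      ("paced", PACED_ONE_SOURCE)):
        print(name, replay(log))
```

Lowering the limit (Jake's 20 to 15) only changes the first case; the per-IP counter cannot see a campaign that changes domains and sending hosts by the hour, which is why the thread moves on to reputation lists and TLD filtering.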



RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Kennedy, Jim
Take a look at adding some external RBLs to augment Cuda’s.

https://www.spamhaus.org/sbl/  and 
https://www.spamcop.net/fom-serve/cache/290.html



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jake Gardner
Sent: Friday, December 18, 2015 10:54 AM
To: 'ntsys...@lists.myitforum.com'
Subject: RE: [NTSysADM] Barracuda Spam fw appliance

I guess my question was if anyone else is seeing this type of increase.

Is there a list of common regexes that I could use?


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Todd Lemmiksoo
Sent: Friday, December 18, 2015 10:14 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

I have a physical 400 and a virtual 300 in a cluster config. I also block .ru, 
.cn, .cz
Ask your questions.

On Fri, Dec 18, 2015 at 9:08 AM, Sean Martin <seanmarti...@gmail.com> wrote:
We have a couple of 800s, but they're second tier behind ProofPoint, so they 
don't see a lot of malicious traffic. What does slip through ProofPoint does 
appear to get caught by the Barracudas in most cases.

- Sean

--
T. Todd Lemmiksoo

RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Jake Gardner
I guess my question was if anyone else is seeing this type of increase.

Is there a list of common regexes that I could use?




Re: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Richard Stovall
I have one that does a pretty good job with everything but friggin' macro
viruses in Office documents.  We have had one in place for about 11 years,
so it is highly tuned for our environment.  I also do a lot to block .ru,
.cn, .in, etc straight out of the gate before the Barracuda's inspection
even begins.

Shoot some specific questions about configuration settings to the list if
you like, and I can check how I've got mine setup.

Also, primarily for the macro virus issue, we're adding Proofpoint to the
mix in the next few weeks.  I'm still going to keep the Barracuda, but
everything inbound will go through Proofpoint first.





Re: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Richard Stovall
I am using the following:

BRBL - Block
Zen.spamhaus.org - Quarantine
bl.spamcop.net - Tag

On Fri, Dec 18, 2015 at 11:18 AM, Jake Gardner <jgard...@ttcdas.com> wrote:

> Thanks guys.  I used to use them years ago and removed them for some
> reason.  I don't remember the reason so I'll add them back.
>
>
>
>
> -Original Message-
> From: listsadmin@lists.myitforum.com [mailto:
> listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
> Sent: Friday, December 18, 2015 11:07 AM
> To: ntsysadm
> Subject: Re: [NTSysADM] Barracuda Spam fw appliance
>
> +10 - rbls help massively.
>
> Kurt
>



RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Jake Gardner
Thanks guys.  I used to use them years ago and removed them for some reason.  I 
don't remember the reason so I'll add them back.





Re: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Joey Smith
On Fri, 18 Dec 2015, Richard Stovall wrote:

> I am using the following:
> 
> BRBL - Block
> Zen.spamhaus.org - Quarantine
> bl.spamcop.net - Tag

I'm a MailScanner/SpamAssassin/Sendmail guy on most of my spam/virus/email
hosts (Exim on another, and moving that way), but here are the RBLs that
I'm using right now, straight out of one of my sendmail.mc configs. I'm
testing others (there are TONS of them out there now) and I tend to
shuffle the hit sequence on these frequently just to help with traffic demands
on the RBLs. I block most of China and Russia and a few other countries
verbatim via iptables.

FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `b.barracudacentral.org', `"Spam blocked see: http://barracudacentral.org/"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `psbl.surriel.com', `"Spam blocked see: http://psbl.org/"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"Spam blocked see: http://www.spamhaus.org/zen/;', `t')dnl
FEATURE(`enhdnsbl', `bl.nszones.com', `"554 Spam blocked " $&{client_addr} " found in bl.nszones.com"', `t')dnl


Here is the Wikipedia listing, with some removed/crossed out:

https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
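Added example, not any poster's tooling and not Barracuda's or sendmail's code: the tiered lookup that Richard's hierarchy (BRBL block, zen.spamhaus.org quarantine, bl.spamcop.net tag) and Joey's enhdnsbl lines both rely on, written out so the mechanics are visible. BRBL is queried as the b.barracudacentral.org zone Joey's config names. The resolver is a constructed stub with made-up answers for TEST-NET-1 addresses so the block runs offline; the 127.255.255.x handling reflects the codes Spamhaus documents for refused or over-quota queries, which a naive check would treat as "listed" and thereby block all inbound mail.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Zone -> action, most trusted first (Richard's hierarchy; BRBL queried as the
# b.barracudacentral.org zone from Joey's sendmail.mc).
RBL_TIERS: List[Tuple[str, str]] = [
    ("b.barracudacentral.org", "block"),
    ("zen.spamhaus.org", "quarantine"),
    ("bl.spamcop.net", "tag"),
]
ACTION_RANK = {"accept": 0, "tag": 1, "quarantine": 2, "block": 3}


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name a DNSBL expects: the client's IPv4 octets reversed, under the zone.
    192.0.2.10 checked against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_error_code(answer: str) -> bool:
    """Spamhaus answers in 127.255.255.0/24 mean the query was refused (open
    resolver, over quota), not that the host is listed. Treating them as a
    listing would block every sender the moment the quota is exceeded."""
    return answer.startswith("127.255.255.")


def classify(ip: str, resolve: Callable[[str], Optional[str]],
             tiers: List[Tuple[str, str]] = RBL_TIERS) -> Tuple[str, Optional[str]]:
    """Query the tiers in trust order; return (action, zone that triggered it).
    Stops at the first 'block' so lower tiers are not queried needlessly,
    which keeps load on the public lists down (Joey's concern)."""
    worst: Tuple[str, Optional[str]] = ("accept", None)
    for zone, action in tiers:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None or is_error_code(answer):
            continue
        if ACTION_RANK[action] > ACTION_RANK[worst[0]]:
            worst = (action, zone)
        if action == "block":
            break
    return worst


# Constructed stub: canned A-record answers for TEST-NET-1 addresses.
SAMPLE_ANSWERS = {
    "10.2.0.192.b.barracudacentral.org": "127.0.0.2",  # on BRBL -> block
    "20.2.0.192.zen.spamhaus.org": "127.0.0.3",        # SBL listing -> quarantine
    "20.2.0.192.bl.spamcop.net": "127.0.0.2",          # also on spamcop, outranked
    "30.2.0.192.bl.spamcop.net": "127.0.0.2",          # spamcop only -> tag
    "40.2.0.192.zen.spamhaus.org": "127.255.255.255",  # over-quota code, not a listing
}


def stub_resolve(name: str) -> Optional[str]:
    """Stand-in for a real A lookup (for example dnspython's dns.resolver.resolve)."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, classify(ip, stub_resolve))
```

Two practical points the code makes explicit: the most trusted list decides first and short-circuits the rest, and a list's error codes must be separated from its listing codes before any action is taken on them.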








RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Mark Gottschalk
Spamhaus and Spamcop are both good and safe (with regards to false 
positives) RBLs. I actually use a hierarchy of half a dozen RBLs with 
those two at the top with a high level of trust, and others that only mark 
subject lines with a message such as "(possible spam)" which can then be 
filtered further as needed.

I use the site listed below to check specific IPs if we're getting 
hammered by something to see what RBLs are catching it, and I've adjusted 
my RBL list many times over the years as necessary:
http://multirbl.valli.org/lookup/23.104.53.131.html

The invaluement RBL service out of Georgia is extremely good and very fast 
at responding and updating their list on the fly.  But unlike the other 
RBLs listed here they are not free (I have no relationship with them). You 
can also rsync their list and run the queries locally if you have a 
subscription:
http://www.invaluement.com/

I block .ru, .cz, etc as well.  But only a small fraction of the spam from 
IPs in these countries has the country indicators on their ptr names.  So 
these don't help much.  What I've started blocking are many of the new top 
level domains (TLDs) released that are a godsend to spammers and used for 
100% spam, so far as I can tell.  I have the following filtered:

*.accountant
*.asia
*.bid
*.click
*.club
*.cricket
*.date
*.democrat
*.download
*.faith
*.help
*.invoice
*.link
*.loan
*.lol
*.mobi
*.ninja
*.party
*.press
*.racing
*.review
*.rocks
*.science
*.space
*.top
*.trade
*.uno
*.wang
*.webcam
*.website
*.win
*.work
*.xyz 

Check your connection logs and you'll find a not insignificant percentage 
of your current spam has connections with pointer names using TLDs. As new 
ones come online, the spammers move to them immediately.  So I've had 
to expand the list slowly over time.  These bozo TLDs are a scam, a 
horrible decision to implement.  Legitimate corporations can no longer 
defend their name and these garbage domains will forever be havens for 
shady organizations, fraud and spammers.  A topic for another time.

-- Mark




RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Mark Gottschalk
I just checked logs, and our filters have caught 13,366 spam in the past 
five days using the new top level domains alone (i.e. .mobi, .link, .xyz, 
.rocks, .click, etc).  This includes filtering both the connection ptr 
name as well as the sender's address field(s).  This is for a company with 
~20 employees.




From:   Caleb <caleb.po...@outlook.com>
To: <ntsys...@lists.myitforum.com>
Date:   12/18/2015 09:35 AM
Subject:    RE: [NTSysADM] Barracuda Spam fw appliance
Sent by:listsadmin@lists.myitforum.com



I probably don't have the email volume that you receive, but I haven't 
seen that much additional spam. I do have the configuration tightly locked 
down, more so than you may be able to since we are not an international 
organization. I use with great success, bl.spamcop.net and 
zen.spamhaus.org as external RBLs with a block action.

I also filter quite a few attachments and block anything I can't scan. I 
have a couple of content filters I created to help catch stuff that was 
missed. I do block *.br, *.cn, *.ru but what really helped was blocking 
some of the new TLDs that have been released.

*.pl
*.zw
*.lk
*.mobi
*.tw
*.bg
*.lt
*.link
*.asia
*.top
*.click
*.in
*.pw
*.af
*.ao
*.ax
*.az
*.fr
*.rocks
*.ua
*.ve
*.xxx
*.xyz
*.sucks
*.porn
*.science
*.guru
*.ninja
*.construction
*.info
*.work
*.space
*.ee
*.be
*.club
*.webcam
*.party
*.wang
*.win
*.biz
*.date
*.faith
*.website
*.site
*.uno
*.review
*.racing
*.cricket
*.help
*.download
*.bar
*.bid
*.careers
*.email
*.bn
*.rs
*.th
*.blue
*.black
*.juegos
*.photography
*.solar
*.zm

This is a pretty cool website which details stats for the new TLDs. 
https://ntldstats.com/fraud

