RE: [NTSysADM] Barracuda Spam fw appliance
We’ve had ours for about 7+ years. It’s the last few months that has me pulling my hair out. Our Fortigate has been good to block viruses before they get to the cuda.

I don’t think our config is all that far from defaults. I have all levels of Intent Analysis enabled. Image analysis is on. Bayesian was not in use, but I have been working on training it the last couple of weeks. Rate Control is actually 15/30 (I forgot I turned it down further yesterday). I have some blocked domains, but the new campaigns are changing the domains by the hour. There have been 8 different bursts in the last hour. I’ve started to add some of the subject lines but not heavy with patterns. I know I need to up my game with this part. rDNS blocks may not be suitable as we do business internationally. I just enabled blocking of no PTR records. Hopefully this helps.

Thanks,
Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

From: listsadmin@lists.myitforum.com On Behalf Of Richard Stovall
Sent: Friday, December 18, 2015 9:52 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

I have one that does a pretty good job with everything but friggin' macro viruses in Office documents. We have had one in place for about 11 years, so it is highly tuned for our environment. I also do a lot to block .ru, .cn, .in, etc. straight out of the gate before the Barracuda's inspection even begins. Shoot some specific questions about configuration settings to the list if you like, and I can check how I've got mine set up.

Also, primarily for the macro virus issue, we're adding Proofpoint to the mix in the next few weeks. I'm still going to keep the Barracuda, but everything inbound will go through Proofpoint first.

On Fri, Dec 18, 2015 at 9:37 AM, Jake Gardner <jgard...@ttcdas.com> wrote:
> Does anyone here use one? We have a model 300 and lately we are getting absolutely hammered with SPAM that the ‘cuda just won’t catch.
>
> I have opened a few tickets with them about the issue and all they say is that my firewall is blocking the ‘cuda from checking websites. I’ve checked my firewall and I don’t see any blocks and the ‘cuda is in a policy with no outbound restrictions.
>
> The only thing that seems to slow it down is rate control. I turned it down to 20/30mins. In the last 9 hours it controlled 3700 and only outright blocked 1450. We see about 17k messages a day on average. A couple months ago we were averaging 12k.
>
> Thanks,
> Jake Gardner
> IT Administrator
> 267-352-2020 Ext. 246
> www.ttcdas.com

***Teletronics Technology Corporation***
This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you.
***
RE: [NTSysADM] Barracuda Spam fw appliance
Take a look at adding some external RBL’s to augment Cuda’s.

https://www.spamhaus.org/sbl/ and https://www.spamcop.net/fom-serve/cache/290.html

From: listsadmin@lists.myitforum.com On Behalf Of Jake Gardner
Sent: Friday, December 18, 2015 10:54 AM
To: 'ntsys...@lists.myitforum.com'
Subject: RE: [NTSysADM] Barracuda Spam fw appliance

I guess my question was if anyone else is seeing this type of increase.

Is there a list of common regex’s that I could use?

Thanks,
Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

From: listsadmin@lists.myitforum.com On Behalf Of Todd Lemmiksoo
Sent: Friday, December 18, 2015 10:14 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

I have a physical 400 and a virtual 300 in a cluster config. I also block .ru, .cn, .cz

Ask your questions.

On Fri, Dec 18, 2015 at 9:08 AM, Sean Martin <seanmarti...@gmail.com> wrote:
> We have a couple of 800s, but they're second tier behind ProofPoint, so they don't see a lot of malicious traffic. What does slip through ProofPoint does appear to get caught by the Barracuda's in most cases.
>
> - Sean

--
T. Todd Lemmiksoo
RE: [NTSysADM] Barracuda Spam fw appliance
I guess my question was if anyone else is seeing this type of increase.

Is there a list of common regex’s that I could use?

Thanks,
Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com
Re: [NTSysADM] Barracuda Spam fw appliance
I have one that does a pretty good job with everything but friggin' macro viruses in Office documents. We have had one in place for about 11 years, so it is highly tuned for our environment. I also do a lot to block .ru, .cn, .in, etc. straight out of the gate before the Barracuda's inspection even begins. Shoot some specific questions about configuration settings to the list if you like, and I can check how I've got mine set up.

Also, primarily for the macro virus issue, we're adding Proofpoint to the mix in the next few weeks. I'm still going to keep the Barracuda, but everything inbound will go through Proofpoint first.
Re: [NTSysADM] Barracuda Spam fw appliance
I am using the following:

BRBL - Block
Zen.spamhaus.org - Quarantine
bl.spamcop.net - Tag

On Fri, Dec 18, 2015 at 11:18 AM, Jake Gardner <jgard...@ttcdas.com> wrote:
> Thanks guys. I used to use them years ago and removed them for some reason. I don't remember the reason so I'll add them back.
>
> Thanks,
> Jake Gardner
>
> -----Original Message-----
> From: listsadmin@lists.myitforum.com On Behalf Of Kurt Buff
> Sent: Friday, December 18, 2015 11:07 AM
> To: ntsysadm
> Subject: Re: [NTSysADM] Barracuda Spam fw appliance
>
> +10 - rbls help massively.
>
> Kurt
RE: [NTSysADM] Barracuda Spam fw appliance
Thanks guys. I used to use them years ago and removed them for some reason. I don't remember the reason so I'll add them back.

Thanks,
Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

-----Original Message-----
From: listsadmin@lists.myitforum.com On Behalf Of Kurt Buff
Sent: Friday, December 18, 2015 11:07 AM
To: ntsysadm
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

+10 - rbls help massively.

Kurt
Re: [NTSysADM] Barracuda Spam fw appliance
On Fri, 18 Dec 2015, Richard Stovall wrote:
> I am using the following:
>
> BRBL - Block
> Zen.spamhaus.org - Quarantine
> bl.spamcop.net - Tag

I'm a MailScanner/SpamAssassin/Sendmail guy on most of my spam/virus/email hosts (exim on another and moving that way), but here are the RBLs that I'm using right now straight out of one of my sendmail.mc configs. I'm testing others (there are TONS of them out there now) and I tend to shuffle hit sequence on these frequently just to help with traffic demands on the RBLs. I block most of China and Russia and a few other countries verbatim via iptables.

dnl Reject at connect time when the client address is listed in the DNSBL; the
dnl fourth argument `t' turns a temporary lookup failure into a temporary rejection.
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `b.barracudacentral.org', `"Spam blocked see: http://barracudacentral.org/"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `psbl.surriel.com', `"Spam blocked see: http://psbl.org/"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"Spam blocked see: http://www.spamhaus.org/zen/"', `t')dnl
FEATURE(`enhdnsbl', `bl.nszones.com', `"554 Spam blocked " $&{client_addr} " found in bl.nszones.com"', `t')dnl

Here is the wikipedia listing with some removed/crossed out:
https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
RE: [NTSysADM] Barracuda Spam fw appliance
Spamhaus and Spamcop are both good and safe (with regards to false positives) RBLs. I actually use a hierarchy of half a dozen RBLs with those two at the top with a high level of trust, and others that only mark subject lines with a message such as "(possible spam)" which can then be filtered further as needed.

I use the site listed below to check specific IPs if we're getting hammered by something to see what RBLs are catching it, and I've adjusted my RBL list many times over the years as necessary:
http://multirbl.valli.org/lookup/23.104.53.131.html

The Invaluement RBL service out of Georgia is extremely good and very fast at responding and updating their list on the fly. But unlike the other RBLs listed here they are not free (I have no relationship with them). You can also rsync their list and run the queries locally if you have a subscription:
http://www.invaluement.com/

I block .ru, .cz, etc. as well. But only a small fraction of the spam from IPs in these countries has the country indicators on their PTR names, so these don't help much.

What I've started blocking are many of the new top level domains (TLDs) released that are a godsend to spammers and used for 100% spam, so far as I can tell. I have the following filtered:

*.accountant *.asia *.bid *.click *.club *.cricket *.date *.democrat *.download *.faith *.help *.invoice *.link *.loan *.lol *.mobi *.ninja *.party *.press *.racing *.review *.rocks *.science *.space *.top *.trade *.uno *.wang *.webcam *.website *.win *.work *.xyz

Check your connection logs and you'll find a not insignificant percentage of your current spam has connections with pointer names using these TLDs. As new ones come online, the spammers move to them immediately. So I've had to expand the list slowly over time.

These bozo TLDs are a scam, a horrible decision to implement. Legitimate corporations can no longer defend their name and these garbage domains will forever be havens for shady organizations, fraud and spammers. A topic for another time.

--
Mark
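The tiered use of RBLs described in this thread (Richard's BRBL block / ZEN quarantine / spamcop tag, Mark's hierarchy with two trusted lists on top and the rest only tagging, and the sendmail enhdnsbl lines earlier) all rests on one DNSBL lookup. The block below is an added example and is not code from the thread, from Barracuda, from sendmail or from Spamhaus: it builds the DNSBL query name for an IPv4 client (octets reversed, zone appended), classifies each A record the list returns, and applies a severity-ordered policy so the most serious hit decides the action. The zone-to-action mapping, the sample listings and the `stub_resolve` function are assumptions made for the example so it runs offline; a deployment would replace the stub with a real A-record lookup. The ZEN return codes and the 127.255.255.0/24 error answers are as Spamhaus documents them.

```python
"""DNSBL lookup with a block / quarantine / tag policy.

Added example; not code from the thread, Barracuda, sendmail or Spamhaus.
The resolver is a stub with constructed answers so this runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Action tiers; the most severe hit across all zones wins.
BLOCK, QUARANTINE, TAG, ACCEPT = "block", "quarantine", "tag", "accept"
SEVERITY = {BLOCK: 3, QUARANTINE: 2, TAG: 1, ACCEPT: 0}

# Assumed zone -> action mapping, in the spirit of "BRBL block, ZEN quarantine,
# spamcop tag" from the thread. Not a Barracuda setting.
POLICY: Dict[str, str] = {
    "b.barracudacentral.org": BLOCK,
    "zen.spamhaus.org": QUARANTINE,
    "bl.spamcop.net": TAG,
}

# Spamhaus ZEN return codes as documented by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus reports problems with the query itself in this range, e.g.
# 127.255.255.254 = query sent through a public/open resolver. Treat it as an
# error, never as a listing, or every client suddenly looks "listed".
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended.
    1.2.3.4 against zen.spamhaus.org becomes 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify_answer(answer: str) -> str:
    """'error', 'listed' or 'ignore' for one A record returned by a DNSBL.
    An answer outside 127/8 (wildcard or captive-portal DNS) is ignored."""
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        return "ignore"
    if a in ERROR_NET:
        return "error"
    return "listed" if a in LISTED_NET else "ignore"

Resolver = Callable[[str], List[str]]  # name -> A records ([] means NXDOMAIN)

def check_ip(ip: str, resolve: Resolver, policy: Dict[str, str] = POLICY) -> Tuple[str, List[str]]:
    """Query every zone in the policy and return (action, reasons)."""
    action: str = ACCEPT
    reasons: List[str] = []
    for zone, zone_action in policy.items():
        answers = resolve(dnsbl_query_name(ip, zone))
        kinds = {a: classify_answer(a) for a in answers}
        if any(k == "error" for k in kinds.values()):
            reasons.append(f"{zone}=error")  # lookups are broken: record it, fail open
            continue
        hits = [a for a, k in kinds.items() if k == "listed"]
        if not hits:
            continue
        labels = [ZEN_CODES.get(a, a) if zone == "zen.spamhaus.org" else a for a in hits]
        reasons.append(f"{zone}={','.join(labels)}")
        if SEVERITY[zone_action] > SEVERITY[action]:
            action = zone_action
    return action, reasons

# Constructed answers for the stub resolver; the IPs and listings are made up.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],  # SBL + PBL
    "4.3.2.1.bl.spamcop.net": ["127.0.0.2"],
    "8.7.6.5.bl.spamcop.net": ["127.0.0.2"],
    "12.11.10.9.b.barracudacentral.org": ["127.0.0.2"],
    "16.15.14.13.bl.spamcop.net": ["203.0.113.5"],          # bogus answer, not a hit
    "20.19.18.17.zen.spamhaus.org": ["127.255.255.254"],     # public-resolver error
}

def stub_resolve(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for client in ("1.2.3.4", "5.6.7.8", "9.10.11.12", "13.14.15.16", "17.18.19.20"):
        print(client, check_ip(client, stub_resolve))
```

The error branch is the check worth keeping an eye on in a deployment: if the appliance's lookups are going out through a public resolver or are being dropped at the firewall, the lists silently stop contributing, which is exactly the "nothing gets caught" symptom at the start of this thread. Logging `zone=error` makes that visible instead of invisible.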
RE: [NTSysADM] Barracuda Spam fw appliance
I just checked logs, and our filters have caught 13,366 spam in the past five days using the new top level domains alone (i.e. .mobi, .link, .xyz, .rocks, .click, etc). This includes filtering both the connection PTR name as well as the sender's address field(s). This is for a company with ~20 employees.

From: Caleb <caleb.po...@outlook.com>
To: <ntsys...@lists.myitforum.com>
Date: 12/18/2015 09:35 AM
Subject: RE: [NTSysADM] Barracuda Spam fw appliance

I probably don't have the email volume that you receive, but I haven't seen that much additional spam. I do have the configuration tightly locked down, more so than you may be able to since we are not an international organization.

I use with great success bl.spamcop.net and zen.spamhaus.org as external RBLs with a block action. I also filter quite a few attachments and block anything I can't scan. I have a couple of content filters I created to help catch stuff that was missed.

I do block *.br, *.cn, *.ru but what really helped was blocking some of the new TLDs that have been released.

*.pl *.zw *.lk *.mobi *.tw *.bg *.lt *.link *.asia *.top *.click *.in *.pw *.af *.ao *.ax *.az *.fr *.rocks *.ua *.ve *.xxx *.xyz *.sucks *.porn *.science *.guru *.ninja *.construction *.info *.work *.space *.ee *.be *.club *.webcam *.party *.wang *.win *.biz *.date *.faith *.website *.site *.uno *.review *.racing *.cricket *.help *.download *.bar *.bid *.careers *.email *.bn *.rs *.th *.blue *.black *.juegos *.photography *.solar *.zm

This is a pretty cool website which details stats for the new TLDs.
https://ntldstats.com/fraud
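Mark's and Caleb's TLD filters, and Mark's note that his numbers come from matching both the connection PTR name and the sender address fields, are easy to get subtly wrong: a naive substring match on ".top" also hits "top.example.com", and a client with no PTR at all (which Jake has just started blocking separately) needs its own verdict rather than a silent pass. The block below is an added example, not code from the thread or from Barracuda. The log line format and the log lines themselves are constructed for the example, the blocked list is a subset of the TLDs posted above, and the field names (`ptr`, `from`, `hdr_from`) are assumptions; matching is done on the final DNS label only.

```python
"""Blocked-TLD matching on the connection PTR name and sender addresses.

Added example; not code from the thread or from Barracuda. The log format
and the log lines are constructed for this example, and the blocked list is
a subset of the TLDs posted in the thread.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set

# Subset of the TLDs Mark and Caleb listed; extend as the spam moves.
BLOCKED_TLDS: Set[str] = {"top", "xyz", "click", "link", "rocks", "mobi", "win", "download"}

def tld_of(name: str) -> Optional[str]:
    """Final DNS label of a hostname or e-mail address, lower-cased.
    A trailing dot (as in a PTR 'mx.example.com.') is ignored; a bare label
    with no dot has no TLD and yields None."""
    if not name:
        return None
    host = name.rsplit("@", 1)[-1].rstrip(".").lower()
    return host.rsplit(".", 1)[-1] if "." in host else None

def blocked_tld(name: str, blocked: Set[str] = BLOCKED_TLDS) -> Optional[str]:
    """The blocked TLD that 'name' ends in, or None. Only the final label is
    compared, so 'top.example.com' is not a '.top' hit."""
    t = tld_of(name)
    return t if t in blocked else None

# Constructed line format (assumed for this example, not Barracuda's log format):
#   <client_ip> ptr=<reverse name or '-'> from=<envelope sender> hdr_from=<From: header address>
LOG_RE = re.compile(r"^(?P<ip>\S+) ptr=(?P<ptr>\S+) from=(?P<env>\S*) hdr_from=(?P<hdr>\S*)$")

def classify(line: str) -> Dict[str, str]:
    """Verdict for one connection: 'no-ptr', 'blocked-tld' (with the field and
    TLD that matched), 'pass', or 'unparsed'. The PTR is checked first because
    it is the one name the client cannot pick freely; the envelope sender and
    header From: are checked too because spam often uses a throwaway domain in
    one of them but not the other."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed"}
    if m["ptr"] == "-":
        return {"ip": m["ip"], "verdict": "no-ptr"}
    for field, value in (("ptr", m["ptr"]), ("from", m["env"]), ("hdr_from", m["hdr"])):
        t = blocked_tld(value)
        if t:
            return {"ip": m["ip"], "verdict": "blocked-tld", "field": field, "tld": t}
    return {"ip": m["ip"], "verdict": "pass"}

def summarize(lines: Iterable[str]) -> Counter:
    """Count verdicts over a batch of log lines."""
    return Counter(classify(l)["verdict"] for l in lines if l.strip())

# Constructed sample log; addresses are documentation ranges, names are made up.
SAMPLE_LOG = """\
198.51.100.7 ptr=mail7.promo-deals.top from=offers@promo-deals.top hdr_from=offers@promo-deals.top
198.51.100.8 ptr=top.example.com from=alice@example.com hdr_from=alice@example.com
203.0.113.9 ptr=- from=bob@example.net hdr_from=bob@example.net
203.0.113.10 ptr=smtp.example.org from=news@tracker.click hdr_from=news@example.org
203.0.113.11 ptr=mx.example.co.uk. from=carol@example.co.uk hdr_from=carol@example.co.uk
203.0.113.12 ptr=out.example.com from=bounce@example.com hdr_from=help@example.win
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(summarize(SAMPLE_LOG.splitlines()))
```

Two things the sample makes visible: the `co.uk` line passes only because `.uk` is not on the list, so a country-code block by final label takes every second-level registry under it with it; and Mark's observation that spam from those countries rarely carries the country marker in its PTR name means the PTR check alone will miss most of it, which is why the sender fields are checked as well and why a business with international correspondents may prefer to tag on these matches rather than reject outright.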