Sorry about the OT here, but I feel compelled to add just a little
follow up on the topic of pre-scanning and Alligate.
Alligate is IMO definitely the way to go. As Paul pointed out,
greylisting everything (i.e. ORF) has drawbacks and I wouldn't use a
solution that greylisted everything. I worked with Brian Milburn of
Alligate for months to help him create a method of providing selective
greylisting so that most legitimate E-mail is not greylisted. I also
helped him create a method of storing triplicates for use with
greylisting that only track base domains and not the full sender and
recipient, thus substantially reducing what needs to be greylisted if it
does trigger selective greylisting. I received nothing in return except
for a very capable product that benefited my system greatly. Brian is
also a lot like Pete and R. Scott Perry.
Setting things up optimally is not going to be an out of the box type of
experience. I have both offered some free assistance in private and
public to those that are dealing with Alligate, and Brian can also
provide some support for new setups. There is of course a limit to my
time for things like this. I have also occasionally consulted on such
things at the request of others.
So while it can be a hard nut to crack, especially if one is not
familiar with the architecture or concepts of a pre-scanning gateway,
there is help out there, and it is definitely worthwhile. I formerly
used ORF for tarpitting and address validation, but going to Alligate
for this was the best move that I have made since picking up Declude and
Sniffer.
Note that Alligate Gateway is not a replacement for Sniffer, Declude or
any other deep scanning solution, it is merely a tool for handling
validation and some blocking of the most obvious and easiest to detect
spam, primarily with passive means of blocking (greylisting and
tarpitting), and without needing to throw a lot of CPU at it. I handle
over 1 million connections per day and Alligate averages about 5% CPU at
peak times. Only 7% of the connections result in delivery of a message
to my deep-scanning layer using a configuration that is not aggressive.
There is only one zombie spammer at present that will survive greylisting.
Matt
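The selective greylisting with base-domain triplets described in the message above, sketched as an added example (not part of the original thread and not Alligate's code). The `suspicious` flag stands in for whatever tests trigger greylisting, the last-two-labels domain rule is a simplifying assumption, and all names, timings and addresses are constructed for illustration:

```python
import time

def base_domain(address):
    """Reduce user@host.sub.example.com to example.com.
    Assumption: naive last-two-labels rule; production code would use the
    Public Suffix List so that names under e.g. co.uk are handled."""
    host = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

class SelectiveGreylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, clock=time.time):
        self.min_delay = min_delay        # seconds a new triplet must wait
        self.retry_window = retry_window  # unconfirmed entries expire after this
        self.clock = clock
        self.seen = {}                    # triplet -> (first_seen, confirmed)

    def check(self, client_ip, sender, recipient, suspicious):
        """Return "accept" or "defer" (i.e. answer with a temporary 4xx)."""
        if not suspicious:
            return "accept"  # selective: unflagged mail is never delayed
        key = (client_ip, base_domain(sender), base_domain(recipient))
        now = self.clock()
        first, confirmed = self.seen.get(key, (None, False))
        if confirmed:
            return "accept"
        if first is None or now - first > self.retry_window:
            self.seen[key] = (now, False)  # first sighting, or stale entry
            return "defer"
        if now - first < self.min_delay:
            return "defer"                 # retried too quickly
        self.seen[key] = (first, True)     # proper retry: remember the triplet
        return "accept"

if __name__ == "__main__":
    t = [0.0]  # constructed clock so the demo runs instantly
    gl = SelectiveGreylist(clock=lambda: t[0])
    print(gl.check("192.0.2.10", "bob@mx1.example.org", "sales@example.net", True))
    t[0] += 600
    print(gl.check("192.0.2.10", "ann@mx2.example.org", "info@example.net", True))
```

Because the key holds only base domains, a retry from a different mailbox or sending host at the same organisation matches the stored entry instead of starting a new delay.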
Dave Marchette wrote:
I agree with the pre-scanning concept. IMgate, ORF and Alligate are all
good, but it just depends upon your level of comfort with each type of
environment these run in. Each takes several days of fine tuning and
log babysitting (even though the vendors tell you it is plug and play-
it's not). We've tested all three and prefer Alligate (thanks Matt!)
but any way you look at it, if you are running even moderate volume then
pre-scanning is the next step in the evolution of protection.
-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Monday, October 23, 2006 7:28 AM
To: Message Sniffer Community
Subject: [sniffer] Re: SPAM Problems
We also use ORF by VamSoft on IIS to pre-process.
We do not use the grey listing. We tried it, and it is great at eliminating
spam, but it can delay mail for hours, which is a problem for most email
users.
Instead of grey listing, we have found ORF's tar-pitting very effective.
We set some tests at the ORF level, but don't block on them (because there
is no "weighting"). We also have some spam trap email addresses. Fail a test
or hit a spam trap and we tar-pit. Instead of sending us 100 spams a minute
they can only send one per minute.
We can pick up x-records with Declude and not have to re-run the tests on
the iMail server, still using Declude to score the messages based on the
prior tests.
ORF even has a built-in interface for sniffer.
It is simpler and preferable to process everything on the iMail server, but
when you want to off-load processing to stretch your iMail / Declude
investment, this arrangement can do the trick.
Paul Fuhrmeister
[EMAIL PROTECTED]
-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
Sent: Monday, October 23, 2006 5:15 AM
To: Message Sniffer Community
Subject: [sniffer] Re: SPAM Problems
Filippo,
We had a similar problem. Due to the huge volumes of spam we found our mail
server becoming less able to deal with email. Imail/Declude/Sniffer is
expensive in processor terms when processing email and we found the best was
to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP
but others exist). This has dramatically reduced the load on our server and
seems to stop the bulk of spammers and mail harvesters.
Hope this helps.
David
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[email protected]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
#############################################################