TL;DR anti-junkmail systems that use a larger sample size win over what you can do in your email client, or in a single standalone email system. Most of the appliance/server/cloud products that incorporate a wider view than just your domain(s) seem quite comparable and pretty good.

... I think we've all been learning the same things, perhaps by different routes...

Content analysis (including Bayesian) will only get you so far, unless you have a really big sample set. Reputation systems, for better or worse, seem to be the major "winners" for email filtering, but you need a "wide telescope" (AKA lots of participants) to do a good job. Obviously there's some contextual analysis going on behind the scenes, along with other techniques, but the sample sizes available to the reputation systems are on a completely different scale than what a person, or even a large business, can do themselves.

Years ago I "outsourced" several of my email addresses to Google, just because I was tired of maintaining a hodgepodge of anti-SPAM tools all cobbled together. It's gotten MUCH easier to do this now; almost all the tools play together much better and all install/integrate much easier, but I've got more interesting things to do than maintain anti-spam systems for my 5 home users :-(

The reputation systems built into Barracuda are pretty good. Most of the people I've spoken to who are small-mid sized seem to like them. I know of a .EDU that deployed a bunch of Barracudas to protect their individual departmental mail servers and were very happy with them for a few years.

For larger enterprises, IronPort seems to be popular. We've run them here for years to protect (at one time) about 5000 mailboxes. This might have been doable on Barracuda, but was quite easy on IronPort. The last time I looked (last year?), we were rejecting about 95+% of inbound connections at TCP SYN time due to the IP level reputation filters. I was seeing about 1 SPAM/month on that system. I believe that IronPort makes part of their reputation system publicly available? If so, that's an RBL I should add to my home system :-)

Google's reputation system is well hidden but seems to have done a good job of crowdsourcing SPAM detection to the users :-) I've seen emails show up in the header list that were obviously spam, which I didn't open. I went back anywhere from 15 minutes to 2 hours later, and the SPAM messages had vanished. Obviously enough people clicked "SPAM" on those messages to train the Google system which went and retroactively cleaned the mailbox. That used to happen about 2-3 times per month; I haven't seen that happen in the past 6 months.

Microsoft's cloud solution seems to do pretty well. We use it for fronting Exchange, and we usually see about the same amount of SPAM/malware as the other solutions. There's the issue that you're sending all your email via Microsoft to do content analysis, which might matter to some. But that's going to happen with all the cloud based systems.

We have a group that is currently using MessageLabs; anecdotally, they see the same kinds of defense "quality".

Every once in a while the SPAMers will spin up a new botnet, and we'll see a spate of SPAM get through the MS and the IronPort solutions for a few hours or days. I think we've seen this about 1 a year, for about 2 hours-2 days, depending... It always seems to coincide with media reports of "SPAMMERS HAVE CREATED A NEW 100K SKYNET BOTNET TO DELIVER SPAM!!! OMG!! RUN!! MAILPACOLYPSE!!". Aaaand a day or two later, we're back to normal.

So, from my limited perspective, anti-SPAM is like anti-virus: it's become a commodity, there are several good products that will have (mostly) comparable quality. Like AV, there's really not much need to roll your own, unless you need an open source (free) product, in which case it's gotten easier.

Sorry for the long-winded answer, hope it was helpful.

On Mon, Oct 27, 2014 at 4:24 AM, Edmund White <ewwh...@mac.com> wrote:
> There isn’t too much to it.
> These days, spam filtering should be pretty
> hands-off, and some of the old-school approaches are outdated.
>
> I’ve been selling and deploying Barracuda Spam filter appliances to my
> customers since 2007, and using their Cloud filtering solution for the past
> 18 months. It all works very well and is transparent to the users. I’m
> happy with Barracuda’s RBL, which is the core of the product.
> Inbound/outbound, spooling, LDAP and multiple domains are all supported. The
> usual content, source/destination switches are in place. Analyzing headers
> is easy, and the interface of both the appliance and cloud solution is
> intuitive enough for me to hand over to customers to self-manage.
>
> Barracuda Cloud: https://www.barracuda.com/products/emailsecurityservice
> Barracuda Spam Firewall: https://www.barracuda.com/products/spamfirewall
>
> The approach to training the spam filter and initial deployment is different
> these days. I used to spend hours training the filter to discern SPAM from
> HAM and engage the Bayesian database to influence scoring on the Barracuda
> appliances. Nowadays, Barracuda recommends that Bayesian filtering be left
> off. The RBL (BRBL) has gotten that good. False-positives are infrequent.
> The Barracuda “Intent Analysis” feature handles the phishing and suspicious
> URL and header scanning. See: http://www.barracudacentral.org, as they
> leverage their Web filter URL classification data for the spam filters.
>
> Right now, the Barracuda appliances are still in the $3k+ range for the Spam
> firewall. It’s high and the licensing policy and reliance on cheap-ish
> hardware isn’t worth it. I’ve let most of my appliance’s contracts lapse and
> moved filtering to the Barracuda cloud solution. This also cuts down on mail
> bandwidth; a perfect application for a cloud service. My cost has been
> around $8/user/year, billed in blocks of 100 mailboxes, but I think it’s
> negotiable. Far less expensive than the appliance if your business is okay
> with offsite. Retention is 30 days, I believe. I’ve had one short 4-hour
> outage of the service in the past 1.5 years.
>
> I manage mail systems for 35 companies. I probably look at the spam filters
> 1-2 times per week; usually to whitelist a vendor sending mail from a
> residential broadband line. It’s interesting to deal with other
> organizations and their filtering solutions. I’ve learned what NOT to use
> based on that. Otherwise, my decision process has been based on mindshare,
> mail volume and ease of use/management. Barracuda deals with a lot of mail.
> Google deals with a LOT of mail. Microsoft’s servers deal with a ton of
> mail. I’ve had problems with some firms who are on the Microsoft side. Very
> few issues delivering to gmail and Google Apps types. Lots of problems with
> people who rely on bad RBLs or have misconfigured mail servers.
>
> --
> Edmund White
> e...@ewwhite.net
>
> From: "Edward Ned Harvey (lopser)" <lop...@nedharvey.com>
> Date: Monday, October 27, 2014 at 5:56 AM
> To: "tech@lists.lopsa.org" <tech@lists.lopsa.org>
> Subject: Re: [lopsa-tech] How to choose Junk Filter?
>
> No response?
>
> Surely people here must be using junk filter products? How do you go about
> choosing what product to deploy?
>
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On
> Behalf Of Edward Ned Harvey (lopser)
> Sent: Friday, October 24, 2014 10:14 PM
> To: tech@lists.lopsa.org
> Subject: [lopsa-tech] How to choose Junk Filter?
>
> Do you perceive a quality difference between various junk filtering
> products?
>
> Whether you do or don't notice the difference, do you think there's room for
> improvement?
>
> How do you choose what to deploy?
>
> I am looking at these guys - http://www.astraid.com/phishingguardian/
>
> Although our existing spam filters are pretty good with MS and Google, I
> *do* think there's room for improvement, and in particular, these guys are
> security-centric and claim to be better for preventing Phishing and Social
> Engineering Attacks.
>
> Even if they are better, even if I personally come to believe they are
> better... How do you go about making your decisions about this sort of
> thing?
>
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/