Re: IMF Recommended Settings



"GT" <DSS4u@+++nospam+++HOTMAIL.COM> wrote:


"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ucqd42h4sisu5dsuraietu1gs323jfqhf9@xxxxxxxxxx
"GT" <DSS4u@+++nospam+++HOTMAIL.COM> wrote:

[ snip ]

I don't think luck has much to do with it,

Because you have no control over the contents of the mail that arrives
at your server, and no idea what the IMF is using to determine the
spamminess of a message, it _is_ luck.

Just because I have no idea what they use to determine spamminess does not
make it luck. All spam filters can result in false positives.

Yes, they can. Good ones can be adjusted to suit the message content
*you* receive and reduce, or eliminate, false positives.

I think it has more to do with
how you deploy it and what you expect it to do for you. Its options and
manageability are low, as you've pointed out.

There's not much to deploying the IMF.

Agreed, and that's part of the beauty of it. Most places could have it
tested and deployed within a few days. If you're not blocking at the
gateway there is virtually no management required for the product, and it
doesn't normally require any additional hardware.

Well, we can argue about beauty some other time. The IMF may be easy
to put into operation, but beautiful it ain't.

[ snip ]

RBLs are about 40% effective against all spam. They can be 100%
effective at blocking all non-spam.

I'm not sure what point you're trying to make, but ok ...

Spam isn't about *where* a message comes from. It's either about
permission or content. A RBL deals only with the origin of the
message, therefore it doesn't block spam, it blocks connections.

I'm sure you realize that the vast majority of spam is sent from open-relays

That used to be true. It's not any more.

or compromised hosts,

Define "hosts". Most spam today comes either from bulk mailers or from
zombie networks.

and these are the ones that end up on the RBLs.

By the time a RBL finds a zombie it'll be idle and not used for
spamming. Zombies are used for, maybe, four days. Most are used for
three or less.

Therefore blocking messages that come from high-risk hosts is as valid as
looking at content. Do you have any experience working with RBLs?

Unfortunately, yes. Do you?

If you use DNS RBLs as a sort of poor-man's reputation server then
you'll do better, but using a DNS RBL as a binary decision to accept
or reject a message is sure to produce high numbers of false
positives.

That hasn't been our experience. We are a large university with staff &
students on Exchange.

Since you'll never see any of the ham that's blocked by the use of
RBLs how would you know?

We would know because users would complain

Complain about what? Not receiving mail they didn't know was sent to
them?

- that was my point of telling
you we are a large university. We have over 50,000 email accounts, if the
RBLs were blocking a lot of legit email our help desk would hear complaints
from the users (who would have people telling them they can't send email to
them).

That's hardly a good way to measure false positives, is it?

We have had some complaints, but it is a very small number and
certainly acceptable. The RBLs are blocking far more spam than our other
anti-spam systems (we have another product other than IMF), and taking a
load off our mail servers.

Then continue doing what you're doing. Good luck with it.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
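
[Added example, not part of the original post or of any product discussed in it.] The contrast drawn above between using a DNS RBL as a binary accept/reject gate and using it as a "poor-man's reputation server" can be sketched as follows. The zone names, weights, threshold, content score and DNS answers are all constructed assumptions; the resolver is a lookup table so the sketch runs offline.

```python
import ipaddress

# Hypothetical zones and weights (constructed; not real lists).
ZONE_WEIGHTS = {
    "zombies.dnsbl.example": 3.0,
    "relays.dnsbl.example": 2.0,
    "dynamic.dnsbl.example": 1.0,
}
REJECT_AT = 5.0  # assumed threshold for the combined score


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_zones(ip, resolve):
    """Zones listing ip. resolve(name) returns an A record string, or None for NXDOMAIN."""
    hits = []
    for zone in ZONE_WEIGHTS:
        answer = resolve(dnsbl_name(ip, zone))
        # DNSBL answers live in 127.0.0.0/8; anything else (for example a
        # resolver that rewrites NXDOMAIN) must not count as a listing.
        if answer is not None and answer.startswith("127."):
            hits.append(zone)
    return hits


def binary_decision(ip, resolve):
    """Reject on any listing, regardless of message content."""
    return "reject" if listed_zones(ip, resolve) else "accept"


def scored_decision(ip, content_score, resolve):
    """Treat each listing as one weighted input next to a content score."""
    score = content_score + sum(ZONE_WEIGHTS[z] for z in listed_zones(ip, resolve))
    return ("reject" if score >= REJECT_AT else "accept"), score


# Constructed DNS answers standing in for a live resolver.
SAMPLE_DNS = {
    "7.2.0.192.dynamic.dnsbl.example": "127.0.0.2",    # ham sender on a listed range
    "9.113.0.203.zombies.dnsbl.example": "127.0.0.2",  # listed on two zones
    "9.113.0.203.dynamic.dnsbl.example": "127.0.0.2",
}

if __name__ == "__main__":
    for ip, content in (("192.0.2.7", 0.5), ("203.0.113.9", 2.0)):
        print(ip, binary_decision(ip, SAMPLE_DNS.get),
              scored_decision(ip, content, SAMPLE_DNS.get))
```

With these constructed inputs the binary gate rejects 192.0.2.7 on a single low-weight listing, while the scored version accepts it and still rejects 203.0.113.9.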