Re: Anti AV/Spam solution




Hi Jason,

I am not going to get in the discussion which filter is better or worse. But
you are arguing that one should not use SMTP protocol level filters!!!!

The reason you give is that one should not reject an email before knowing
100% what it contains.

1. Be aware that filters integrating with the SMTP protocol do have access
to the ENTIRE email content. One example is IMF! IMF can reject emails
despite the fact that it processes the email content.

2. An SMTP reject is much more lightweight than an NDR.

3. If a legitimate email is filtered out with an SMTP Reject the sending end
will normally know that the email is rejected since an NDR would typically
be generated by the sending server (not receiving) to inform the original
sender. Hence the sender is given the opportunity to use another means to
connect the end recipient or modify his email to avoid rejection.

4. Many users do NOT review their junk email folder!! So the arguments in
favor of the Junk Email folder are very questionable.

If you want to know more you can read the following articles:
http://www.exchangeinbox.com/articles/003/junkemail.htm
http://www.exchangeinbox.com/articles/000/hardeningantispam.htm

cheers,

Alexander Zammit
Software Development Consultant
Check out, ExchangeInbox.com the new MS Exchange Resource site at
http://www.exchangeinbox.com/




"JasonMeyer" <jason.meyer@xxxxxxxxxxxxxxxxx> wrote in message
news:OhCtz0IYFHA.3280@xxxxxxxxxxxxxxxxxxxxxxx
> Peter Lawton wrote:
>> Yes, I've tried GFI's solution but to be honest I don't like it at all,
>> firstly because I found Bayesian filtering doesn't work very well at an
>> enterprise level, although it's very good for individual users.
>>
>> The main thing I have against GFI Mail Essentials though is that they
>> seem to have missed the whole point about rejecting spam at the border
>> before it's received, they've even missed this out of their SPF
>> implementation.
>>
> Well you have the choice of installing ME on your exchange box or on a
> perimeter server. Typically most users of GFI products install their
> MailSecurity product at the gateway with the freeware version of ME(spf
> works in the free version). Then their licensed version of ME directly on
> the exchange server so they can take advantage of some of the very nicer
> features like creating JunkMail folders and moving spam there.
>
>> To prevent blowback and false bounce messages I feel spam etc should be
>> rejected before the SMTP conversation is completed, that way you never
>> have to send an NDR (false or otherwise), GFI seems to only process
>> messages after arrival and then either send an NDR message, which is
>> often to a false address, or delete the message altogether which breaks
>> RFCs.
>>
> Since there will never be a 100% accurate Spam filter I feel it is unwise
> to treat spam in this manner. Deleting email before you know what it is
> 100% for sure is just asking for trouble. What's to say that the CEO (or
> some other important person in any org) is expecting something that gets
> weeded out as Spam for some reason and you just drop the connection and no
> NDR is sent. I bet your CEO isn't going to be too happy about that, I would
> rather have the ability to say, "Have you checked your JunkMail folder?"
> when he calls up wondering why this email hasn't shown up yet, than asking
> him for the sender's address then poring over log files to find out that
> it was sent to /dev/null because the spam filter thought it was spam.
>
> By the way even an SMTP connection that can't be completed should be
> sending out NDRs....550 unacceptable content....or how is the sender to
> know they are being seen as a spammer or on a blacklist or whatever other
> reason there could be for a SMTP comm failure?
>
>> Since I started using ORF we haven't had to send a single NDR and about
>> 75% of all email we receive is spam and ORF blocks over 99% of that. ORF
>> is also a lot cheaper than GFI and Vamsoft's support is the best I've
>> come across from any company.
>>
>> Peter Lawton
>>
> Personally I think that since the techniques used by spammers change so
> rapidly spam filters will never be perfect and that there is always going
> to be a need for some level of human intervention to really classify an
> email as unwanted or not.
>
> Jason
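
The difference between an in-session SMTP reject and an accept-then-NDR policy, as an added example that is not part of the original thread: a toy in-memory SMTP receiver (no sockets, no dot-stuffing) that sees the whole message before replying to end-of-DATA. All addresses, host names, the spam marker and the function names are constructed for illustration.

```python
# Toy model (constructed): who ends up receiving an NDR under each policy.
SPAM_MARKERS = ("cheap pills",)  # stand-in for a real content filter

def looks_like_spam(text):
    return any(m in text.lower() for m in SPAM_MARKERS)

def receive(lines, reject_in_session):
    """Run one SMTP session; return (server replies, NDRs the receiver sends)."""
    replies, ndrs = ["220 mx.example.test ESMTP"], []
    mail_from, in_data, body = None, False, []
    for line in lines:
        if in_data:
            if line != ".":
                body.append(line)
                continue
            in_data = False
            spam = looks_like_spam("\n".join(body))  # full content is available here
            if spam and reject_in_session:
                replies.append("550 5.7.1 Rejected: unacceptable content")
            else:
                replies.append("250 2.0.0 Queued")
                if spam:  # accepted first, bounced later to the envelope sender
                    ndrs.append(mail_from)
        elif line.upper().startswith("MAIL FROM:"):
            mail_from = line[10:].strip().strip("<>")
            replies.append("250 2.1.0 OK")
        elif line.upper() == "DATA":
            in_data = True
            replies.append("354 End data with <CRLF>.<CRLF>")
        elif line.upper() == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("250 OK")  # EHLO / RCPT TO
    return replies, ndrs

def ndr_recipients(lines, sending_mta_notifies, reject_in_session):
    """sending_mta_notifies: the real user a legitimate sending MTA would bounce
    to on a 5xx reply; None models a spam bot that ignores the rejection."""
    replies, ndrs = receive(lines, reject_in_session)
    if sending_mta_notifies and any(r.startswith("5") for r in replies):
        ndrs.append(sending_mta_notifies)  # NDR generated by the sending server
    return ndrs

def session(envelope_from):
    return ["EHLO client.example.test", f"MAIL FROM:<{envelope_from}>",
            "RCPT TO:<ceo@corp.example.test>", "DATA",
            "Subject: offer", "", "Cheap pills today", ".", "QUIT"]
```

With a forged envelope sender, the accept-then-bounce policy mails the forged address (backscatter), while the in-session 550 sends nothing from the receiving side and leaves notification to the sending server.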




