Re: System Administrator Spam Must Go :-(
- From: "Gregg Hill" <bogus@xxxxxxxxxxx>
- Date: Wed, 8 Nov 2006 11:58:31 -0800
I already have that set up. I think I did it after seeing one of your
previous posts. You da man!
Gregg Hill
"Les Connor [SBS Community Member - SBS MVP]" <les.connor@xxxxxxxxxxxx>
wrote in message news:O2JUWz2AHHA.3396@xxxxxxxxxxxxxxxxxxxxxxx
You can configure performance monitoring for sbl-xbl block lists as well.
Same idea as IMF, but use the MSExchangeTransport Filter Sink:
Block List DNS Queries Issued
Connections Rejected by Block List Providers
Connections Rejected by Deny List
Directory Lookups Issued
Messages Filtered due to Blank Sender
Recipients Rejected by Directory Lookups
Recipients Rejected by Recipient Filtering
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius
"Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
news:eFeTxIvAHHA.5060@xxxxxxxxxxxxxxxxxxxxxxx
Les,
I got several server usage reports that showed one user getting 5000+
emails in two weeks. I used the sbl-xbl list to drop known spammers or
open relays, recipient filtering was already on, I set IMF to archive at
6, and Trend CSM.
I turned on performance monitoring for three days, monitored the IMF
archive, and watched Trend. The user who used to get 5000+ emails got
only 640 in the last two weeks. He is a happy man!
My results were darn close to yours. Even at an SCL archive of 6, the
only valid email that got blocked was mail that the server would send to
itself from Veritas Backup Exec and from Trend (both reside on the SBS).
Once I trusted the server IP, that went away.
The sbl-xbl folks suggest using SpamAssassin or a similar product to check
the body of messages for known-spam URLs and filter even more that way. I
have not done that yet.
Good suggestions overall!
Gregg Hill
"Les Connor [SBS Community Member - SBS MVP]" <les.connor@xxxxxxxxxxxx>
wrote in message news:uBpv17uAHHA.4256@xxxxxxxxxxxxxxxxxxxxxxx
Exchange is also a POP and IMAP server if you want/need it to be, and
some listservers will use your own email domain name. When your little
company gets bigger, you may have more than one mail server sharing the
namespace ;-). But as I mentioned, not all will have a need for the
above.
Blocking incoming mail this way isn't a horrible idea, and it can always
be undone. But if the concern is the default distribution group of
company@xxxxxxxxxxx, then simply change the email address for the group.
AD filtering takes care of the rest. Many don't even use the company
name for the internal domain, so it's moot. I always shorten the company
name to about 3 letters, as it just wears on the users (and the
Administrator) to have to use MyCompanyName when they could use MCN on
the lan ;-). So while the email domain is @mycompanyname.com, the
distribution group email is mcn@xxxxxxxxxxxxxxxxx, and it doesn't get
hit as hard.
Use all the filtering levels at your disposal.
1. A good block list (3rd party) configured in ESM will kill 7/10 UCE's
and save you a ton of resources.
2. AD filter will kill a lot of what gets past level 1, in my experience
9/10 that get past level 1 are stopped here.
3. IMF configured to reject at an SCL of 8, 7 or 6 will kill 8/10 UCE's
that get this far.
4. Decent anti-spam/anti-phishing/content filtering like in Trend CSM
will kill or quarantine 2/3 UCE's that get past the first three. This is
your first real resource use, and there isn't much left at this level to
process (viruses included), so it's not very resource intensive.
Configure Performance Monitor so you can see how effective 1, 2 and 3
are. (Trend has its own reporting). You'll be amazed.
--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius
"Alan" <alan@xxxxxxxxx> wrote in message
news:%23x3WG1tAHHA.2140@xxxxxxxxxxxxxxxxxxxxxxx
"Les Connor [SBS Community Member - SBS MVP]" <les.connor@xxxxxxxxxxxx>
wrote in message news:Oi7MTksAHHA.4256@xxxxxxxxxxxxxxxxxxxxxxx
There are legitimate reasons for external email from your domain to be
allowed incoming, but perhaps not everyone uses/needs them.
Hi Les,
Out of interest, what would be a legitimate reason?
I don't want to shoot myself in the foot here!
Thanks,
Alan.
--
The views expressed are my own, and not those of my employer or anyone
else associated with me.
My current valid email address is:
1bupdvc02@xxxxxxxxxxxxxx
This is valid as is. It is not munged, or altered at all.
It will be valid for AT LEAST one month from the date of this post.
If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.
The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:
ewygchvboocno43vb674b6nq46tvb
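
Added example, not part of the original thread: one way to turn a Performance Monitor counter log into per-layer rejection totals, which is what the monitoring advice above is for. The counter names come from the thread; the server name, the "(_Total)" instance, the sample values, and the assumption that these counters are running totals that restart at zero with the service are constructed for illustration.

```python
import csv
import io

# Object and counter names are the ones listed in the thread; the server name
# "SBS01" and the "(_Total)" instance are assumptions made for this example.
PREFIX = r"\\SBS01\MSExchangeTransport Filter Sink(_Total)" + "\\"
COUNTERS = [
    "Connections Rejected by Block List Providers",
    "Recipients Rejected by Directory Lookups",
    "Recipients Rejected by Recipient Filtering",
]
HEADER = ",".join(['"(PDH-CSV 4.0) (Pacific Standard Time)(480)"']
                  + ['"%s%s"' % (PREFIX, c) for c in COUNTERS])

# Constructed daily samples. The third row simulates a restart (values drop)
# and contains one blank cell, which is how a missed sample is logged.
SAMPLE_LOG = HEADER + "\n" + '''"11/05/2006 09:00:00.000","1200","310","15"
"11/06/2006 09:00:00.000","1950","402","22"
"11/07/2006 09:00:00.000","140","35"," "
"11/08/2006 09:00:00.000","905","131","9"
'''


def counter_totals(log_text):
    """Return {counter name: events counted during the logged period}."""
    rows = list(csv.reader(io.StringIO(log_text)))
    header, samples = rows[0], rows[1:]
    totals = {}
    for col in range(1, len(header)):
        name = header[col].rsplit("\\", 1)[-1]  # drop \\server\object(instance)
        total, prev = 0, None
        for row in samples:
            cell = row[col].strip()
            if not cell:  # missed sample: skip it, keep the previous reading
                continue
            value = int(float(cell))
            if prev is not None:
                # A drop means the counter restarted from zero, so everything
                # counted since the restart is new.
                total += (value - prev) if value >= prev else value
            prev = value
        totals[name] = total
    return totals


if __name__ == "__main__":
    for name, count in counter_totals(SAMPLE_LOG).items():
        print("%-48s %6d" % (name, count))
```
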