Antispam advice from your peers


SearchSecurity.com
12.05.2005

The following question and answer thread is excerpted from ITKnowledge Exchange.


ITKE member TheVyrys posed this question:
"I work for a nonprofit organization. I am running Exchange 2003 and Win2k3 servers. We currently have only one Exchange Server that contains 150 mailboxes. Out of those, only about 90 have external messages coming in. It doesn't sound like a lot to handle, but we get a ton of spam – and want to stop it. What, in your opinion, is the best antispam software and why?"

ITKE member Steve86 advised:
"We use Sprint's spam filtering service as a first line of defense. Our mail exchange records route all inbound e-mail through Sprint, and we set our firewall to accept only inbound SMTP traffic from the Sprint server's IP addresses. Each message also goes through three virus scanners, which has almost eliminated infected messages. We've also had very few false positives with this system. It costs approximately $3 per month, per mailbox and requires minimal management. Sprint updates the spam and virus scanners, so I don't have to worry about it. A recent report showed that the Sprint filter blocked over 90% of the mail sent to our domain (messages that did not use our bandwidth or server resources.)

At the second line, we use GFI MailEssentials. This is more of a blacklist scan to fine-tune and catch things like newsletters that people's 'friends' signed them up for and messages that violate company policies (like adult-related spam). This software has an auto-white list feature that adds the addresses of outbound messages to the list to keep them from being blocked. I tend to be more hands-on with this filter and regularly watch for false positives. This system picks up another 3-5% of the spam before it hits people's mailboxes."

ITKE member Cherie advised:
"We're a medium-sized company with a small IT group, so we wanted a spam product that required as little time as possible to install, configure and manage. We chose FrontBridge's spam filtering service. We went from getting thousands of spam messages per week to as few as 50 (across our entire user base). And, if any messages get through, we can report them to FrontBridge for future blocking. Their management tool (Web interface) is easy to use. Users receive a weekly summary of their spam messages via e-mail, which they can ignore or check for false positives. The price is more than reasonable and their service is great. I highly recommend it if you're looking for a hands-off approach to spam filtering."

ITKE member Japeters advised:
"I recommend using an outside filtering method because the filtering takes place before the messages hit your Internet pipe. This not only provides additional security but it does not utilize your bandwidth or throughput. However, these services can be costly, especially when you surpass 10-15 mailboxes. We use a spam/virus filtering service from hydranetwork.com. While you typically have to contact them by phone and the service doesn't offer the administrative controls supplied by other providers, it costs a third of the other services."

ITKE member Layer9 advised:
"I recommend not installing your AV and/or spam filtering software directly onto your Exchange Server. Instead, place a separate box on your DMZ to accept Webmail. This serves several purposes:

  1. You don't have to open your Exchange Server to the Web.
  2. You'll have a better defense against zero-day viruses and worms.
  3. Spam and mass mailings will not reach your Exchange Server, which can overload the queues.
  4. It protects your mail server against denial-of-service (DoS) attacks.
  5. If a hacker solicits a zero-day virus to execute its payload, the damage will be minimal. I would rather lose a sacrificial box on the edge that does nothing more than scan and hand off my e-mails than lose my entire mail database.

Remember, Exchange Servers that are open directly to the Web accept connections over TCP 25 from all systems on the Internet, which means anyone can telnet to your Exchange Server, throw commands at it and build bogus e-mails. Even if your server is closed to relay, hackers can still build internal messages that are routed to someone inside the network. These messages can be used to cause problems or glean sensitive company information. For example, a hacker can build a message from the CISO requesting someone's password. You can imagine the possibilities. Using a gateway appliance makes this more difficult to achieve because messages coming from the inside will have the same gateway as the originating server of the message, making internal bogus messages easier to spot. However, there are ways to block this. Installing an SMTP gateway to accept messages on your behalf is a step in the right direction. Never expose your Exchange Server to the Internet unless you have to."
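
An added example, not part of the original thread: a check that a mail gateway or downstream filter could run to spot the forged internal messages Layer9 describes, by comparing the From domain with the peer address the gateway itself recorded. The domain, network range, gateway name, Received-line layout and sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; substitute your own domain, LAN and gateway.
INTERNAL_DOMAINS = {"example.org"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
GATEWAY = "mx-gw.example.org"
BRACKET_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def gateway_peer_ip(msg):
    """Return the peer IP recorded by our gateway, or None if absent."""
    # Headers are prepended, so the first line naming the gateway is the one
    # it stamped itself; any look-alike further down came from the sender.
    for received in msg.get_all("Received", []):
        line = " ".join(received.split())  # undo header folding
        if f" by {GATEWAY} " not in line:
            continue
        found = BRACKET_IP.search(line.split(" by ", 1)[0])
        try:
            return ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:
            return None
    return None

def check_message(raw):
    """Classify a message by From domain versus the gateway-recorded peer."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return "external-sender"
    peer = gateway_peer_ip(msg)
    if peer is None:
        return "review-no-gateway-hop"
    if any(peer in net for net in INTERNAL_NETS):
        return "internal"
    return "spoofed-internal-sender"

# Constructed sample messages (not real traffic).
def sample(peer_host, peer_ip, extra=""):
    return (f"Received: from {peer_host} ({peer_host} [{peer_ip}])\n"
            f"\tby {GATEWAY} with ESMTP; Mon, 5 Dec 2005 10:00:00 -0500\n"
            f"{extra}From: CISO <ciso@example.org>\n"
            "To: user@example.org\nSubject: Account check\n\nbody\n")

GENUINE = sample("exch01.example.org", "10.1.2.3")
SPOOFED = sample("mail.outside.example", "203.0.113.9")
FORGED_HOP = sample("mail.outside.example", "203.0.113.9",
                    f"Received: from exch01 ([10.1.2.3]) by {GATEWAY} with ESMTP\n")
```

The check only covers an exact internal domain in the From header; a look-alike domain or a display name that merely reads "CISO" falls through as `external-sender` and needs a separate rule.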

ITKE member Hedgehog advised:
"I recommend integrating AV software into your e-mail server. This approach will catch any internal viruses that an external SMTP proxy cannot see. We use a two-tier spam and virus filtering approach. Our ISP filters the bulk of the junk, a Linux box on the DMZ filters spam (SpamAssassin, free of charge) and we use Kaspersky engine for AV. We haven't received a single virus in the last three years. We get some spam, but nothing significant. If you don't want the trouble of configuring SpamAssassin (or other antispam software) yourself, other appliances are worth looking at. A small company called Copperfasten is giving Barracuda a run for their money. Another good appliance is BorderWare's MXtreme Mail Firewall, which uses their own antispam engine as well as Symantec Brightmail AntiSpam."

ITKE member Mintun advised:
"We use a tiered approach. First, the e-mail goes through the ORF (Open Relay Filter) by Vamsoft. This catches approximately 70-80% of our daily spam before it reaches our servers. ORF's rulebase allows you to block e-mail before, during and after receiving it. After ORF, the e-mail goes through GFI MailEssentials and MailSecurity to catch any stragglers, filter out certain attachments and keywords, and scan e-mail for viruses."
