The following question and answer thread is excerpted from ITKnowledge Exchange. Click here to read the entire thread or to start a new one.
ITKE member TheVyrys posed this question:
"I work for a nonprofit organization. I am running Exchange 2003 and Win2k3 servers. We currently have only one Exchange Server that contains 150 mailboxes. Out of those, only about 90 have external messages coming in. It doesn't sound like a lot to handle, but we get a ton of spam – and want to stop it. What, in your opinion, is the best antispam software and why?"
ITKE member Steve86 advised:
"We use Sprint's spam filtering service as a first line of defense. Our mail exchange records route all inbound e-mail through Sprint, and we set our firewall to accept only inbound SMTP traffic from the Sprint server's IP addresses. Each message also goes through three virus scanners, which has almost eliminated infected messages. We've also had very few false positives with this system. It costs approximately $3 per month, per mailbox and requires minimal management. Sprint updates the spam and virus scanners, so I don't have to worry about it. A recent report showed that the Sprint filter blocked over 90% of the mail sent to our domain (messages that did not use our bandwidth or server resources.)
At the second line, we use GFI MailEssentials. This is more of a blacklist scan to fine-tune and catch things like newsletters that people's 'friends' signed them up for and messages that violate company policies (like adult-related spam). This software has an auto-white list feature that adds the addresses of outbound messages to the list to keep them from being blocked. I tend to be more hands-on with this filter and regularly watch for false positives. This system picks up another 3-5% of the spam before it hits people's mailboxes."
ITKE member Cherie advised:
"We're a medium-sized company with a small IT group, so we wanted a spam product that required as little time as possible to install, configure and manage. We chose FrontBridge's spam filtering service. We went from getting thousands of spam messages per week to as few as 50 (across our entire user base). And, if any messages get through, we can report them to FrontBridge for future blocking. Their management tool (Web interface) is easy to use. Users receive a weekly summary of their spam messages via e-mail, which they can ignore or check for false positives. The price is more than reasonable and their service is great. I highly recommend it if you're looking for a hands-off approach to spam filtering."
ITKE member Japeters advised:
"I recommend using an outside filtering method because the filtering takes place before the messages hit your Internet pipe. This not only provides additional security but it does not utilize your bandwith or throughput. However, these services can be costly, especially when you surpass 10-15 mailboxes. We use a spam/virus filtering service from hydranetwork.com. While you typically have to contact them by phone and the service doesn't offer the administrative controls supplied by other providers, it costs a third of the other services."
ITKE member Layer9 advised:
"I recommend not installing your AV and/or spam filtering software directly onto your Exchange Server. Instead, place a separate box on your DMZ to accept Webmail. This serves several purposes:
- You don't have to open your Exchange Server to the Web.
- You'll have a better defense against zero-day viruses and worms.
- Spam and mass mailings will not reach your Exchange Server, which can overload the queues.
- It protects your mail server against denial-of-service (DoS) attacks.
- If a hacker solicits a zero-day virus to execute its payload, the damage will be minimal. I would rather loose a sacrificial box on the edge that does nothing more than scan and hand off my e-mails than loose my entire mail database.
Remember, Exchange Servers that are open directly to the Web accept connections over TCP 25 from all systems on the Internet, which means anyone can telnet to your Exchange Server, throw commands at it and build bogus e-mails. Even if your server is closed to relay, hackers can still build internal messages that are routed to someone inside the network. These messages can be used to cause problems or glean sensitive company information. For example, a hacker can build a message from the CISO requesting someone's password. You can imagine the possibilities. Using a gateway appliance makes this more difficult to achieve because messages coming from the inside will have the same gateway as the originating server of the message, making internal bogus messages easier to spot. However, there are ways to block this. Installing an SMTP gateway to accept messages on your behalf is a step in the right direction. Never expose your Exchange Server to the Internet unless you have to."
ITKE member Hedgehog advised:
"I recommend integrating AV software into your e-mail server. This approach will catch any internal viruses that an external SMTP proxy cannot see. We use a two-tier spam and virus filtering approach. Our ISP filters the bulk of the junk, a Linux box on the DMZ filters spam (SpamAssassin, free of charge) and we use Kaspersky engine for AV. We haven't received a single virus in the last three years. We get some spam, but nothing significant. If you don't want the trouble of configuring SpamAssassin (or other antispam software) yourself, other appliances are worth looking at. A small company called, Copperfasten is giving Barracuda a run for their money. Another good appliance is BorderWare's MXtreme Mail Firewall, which uses their own antispam engine as well as Symantec Brightmail AntiSpam."
ITKE member Mintun advised:
"We use a tiered approach. First, the e-mail goes through the ORF (Open Relay Filter) by Vamsoft. This catches approximately 70-80% of our daily spam before it reaches our servers. ORF's rulebase allows you to block e-mail before, during and after receiving it. After ORF, the e-mail goes through GFI MailEssentials and MailSecurity to catch any stragglers, filter out certain attachments and keywords, and scan e-mail for viruses."