[unisog] SP*M Detection Methods & Processes

Michael Grinnell grinnell at american.edu
Tue Sep 26 14:15:04 GMT 2006

General notes.  We use a minimal block, tag and pass strategy for  
email.  Viruses and persistent spam sources are quarantined/blocked,  
while all other email gets passed to the user.  Email that is > 50 %  
spammy gets tagged with a header and a score.  Our corporate email  
client (Notes) has an agent that can be configured by the user to  
delete or quarantine spam based on the header and the spam score.

We've been happy with PureMessage as well.  Anecdotally, I generally  
don't get more than 1 or 2 pieces of spam a day (for 3 email  
addresses).  PureMessage seems to be as configurable as you want or  
you can just plug it in and leave it alone.  We also use the IP  
blocker service from PM, which seems to do a good job of culling  
incoming email from known spam/virus sources.  The majority of the  
spam that we receive at this point seems to be from consumer dynamic  
IP space, and we have discussed trying to bump up the spam score of  
email coming from these hosts to catch 0-day spam and viruses more  
effectively, but we haven't done so yet.

I've done some spot checks using Cam's snort rule for image spam, and  
it seems like PM is catching all of it.

We have supplemented PureMessage with milter-sender
(http://www.snertsoft.com/sendmail/milter-sender/), which we are very
happy with, and are considering implementing other milters by SnertSoft.
We currently don't use all of the features that milter-sender provides,
but we may at some point.  Currently we are using some basic tests, e.g.
invalid domain name, sender claims to be us, etc.

For some other thoughts on spam filtering/blocking, I would also
recommend taking a look at this article (http://acme.com/mail_filtering/)
from acme.com, which claims to receive the most spam in the world.

Michael Grinnell
Network Security Administrator
The American University
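The strategy described above (block known bad sources and viruses, reject obviously forged or undeliverable envelopes at SMTP time in the style of milter-sender's basic tests, bump the score for mail from dynamic-looking address space, tag anything over 50% and leave the rest to a user-configurable client agent) written out as one worked policy in Python. This is an added example, not code from the original post, from PureMessage, or from milter-sender. The domain example.edu, the campus netblock, the blocklist, the PTR patterns, the 20-point dynamic-IP bump, the header names X-Spam-Flag/X-Spam-Score and the sample envelopes are all constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# All of the following is constructed for the example. In a real gateway the
# PTR and domain answers come from DNS, the blocklist from the IP blocker
# feed, and the content score from the content filter.
OUR_DOMAIN = "example.edu"                               # assumed site domain
OUR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed campus space
KNOWN_BAD_IPS = {"198.51.100.7"}                         # stand-in blocklist
KNOWN_DOMAINS = {"example.edu", "example.net"}           # stand-in for MX/A lookup
# PTR names typical of consumer dynamic space: a heuristic, not proof.
DYNAMIC_PTR = re.compile(r"dyn|dhcp|pool|ppp|dsl|cable|\d+[-.]\d+[-.]\d+[-.]\d+", re.I)
TAG_THRESHOLD = 50   # "> 50% spammy gets tagged", from the post
DYNAMIC_BUMP = 20    # assumed size of the dynamic-IP score bump


@dataclass
class Envelope:
    client_ip: str
    client_ptr: Optional[str]   # None when the IP has no reverse DNS
    mail_from: str              # "<>" for a bounce
    content_score: int          # 0-100 from the content filter
    has_virus: bool = False


@dataclass
class Verdict:
    action: str                 # reject | quarantine | tag | pass
    reason: str
    score: int
    headers: Dict[str, str] = field(default_factory=dict)


def sender_domain(mail_from: str) -> Optional[str]:
    """Domain part of MAIL FROM; None for the null sender used by bounces."""
    addr = mail_from.strip("<>").strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def from_our_network(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETBLOCKS)


def looks_dynamic(ptr: Optional[str]) -> bool:
    """No PTR, or a PTR that looks auto-generated, both count as dynamic."""
    return ptr is None or DYNAMIC_PTR.search(ptr) is not None


def evaluate(env: Envelope) -> Verdict:
    # 1. Persistent spam/virus sources are blocked outright (the IP blocker).
    if env.client_ip in KNOWN_BAD_IPS:
        return Verdict("reject", "client IP on blocklist", 100)
    # 2. Envelope tests in the style of milter-sender's basic checks.
    dom = sender_domain(env.mail_from)
    if dom is not None:
        if dom not in KNOWN_DOMAINS:
            return Verdict("reject", f"sender domain {dom} does not resolve", 100)
        claims_us = dom == OUR_DOMAIN or dom.endswith("." + OUR_DOMAIN)
        if claims_us and not from_our_network(env.client_ip):
            return Verdict("reject", "sender claims to be us from outside our network", 100)
    # 3. Viruses are quarantined rather than passed.
    if env.has_virus:
        return Verdict("quarantine", "virus detected", 100)
    # 4. Content score, bumped for dynamic-looking sources, then tag or pass.
    score = env.content_score
    reason = "content score"
    if looks_dynamic(env.client_ptr):
        score = min(100, score + DYNAMIC_BUMP)
        reason += " plus dynamic-IP bump"
    if score > TAG_THRESHOLD:
        hdrs = {"X-Spam-Flag": "YES", "X-Spam-Score": str(score)}  # assumed header names
        return Verdict("tag", reason, score, hdrs)
    return Verdict("pass", reason, score)


def client_agent(v: Verdict, delete_at: int = 80, quarantine_at: int = 50) -> str:
    """Stand-in for the user-configurable mail client agent: it only ever
    sees delivered mail and acts on the tag header and score."""
    if v.headers.get("X-Spam-Flag") != "YES":
        return "inbox"
    score = int(v.headers["X-Spam-Score"])
    if score >= delete_at:
        return "delete"
    return "quarantine" if score >= quarantine_at else "inbox"


def run_samples() -> Dict[str, Verdict]:
    """Constructed envelopes covering each branch of the policy."""
    samples = {
        "blocklisted": Envelope("198.51.100.7", "mx.example.net", "<a@example.net>", 5),
        "bad_domain": Envelope("203.0.113.5", "host-203-0-113-5.dyn.isp.example", "<x@nonexistent.example>", 5),
        "forged_us": Envelope("203.0.113.9", "mx.example.net", "<boss@example.edu>", 5),
        "internal": Envelope("192.0.2.10", "mail.example.edu", "<staff@example.edu>", 10),
        "bounce": Envelope("203.0.113.21", "mx.example.net", "<>", 5),
        "virus": Envelope("203.0.113.22", "mx.example.net", "<v@example.net>", 5, has_virus=True),
        "dynamic": Envelope("203.0.113.20", "cpe-203-0-113-20.cable.isp.example", "<u@example.net>", 40),
        "spammy": Envelope("203.0.113.30", "mx.example.net", "<ads@example.net>", 85),
    }
    return {name: evaluate(env) for name, env in samples.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:12} {v.action:10} score={v.score:3} client={client_agent(v):10} {v.reason}")
```

The order of the checks matters: the envelope tests and blocklist run before any content is accepted, so forged or undeliverable mail is refused at SMTP time and never reaches the content filter, while the dynamic-IP heuristic only adds to the score rather than rejecting on its own, since plenty of legitimate small sites sit on PTRs that look dynamic. The null sender is exempted from the domain test so bounces to the site's own users still get through.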

On Sep 25, 2006, at 10:40 PM, Mark Borrie wrote:

> A few years ago we went the commercial way with spam management. At
> that time we were finding that staff costs in tweaking SA were
> significant and didn't appear to be getting less. We went with Sophos
> PureMessage even though its cost has gone up significantly after Sophos
> took it over from ActiveState. (It seems to be easier to get capital
> funding than personnel.)
> Sophos claim a detection rate of 97% or better. I have no reason to
> suspect that this is not true.
> PureMessage is configured to update every 5 minutes. This means that
> often a message that has gotten through overnight is detectable by the
> time I get in in the morning. Most spam emails don't even get onto
> campus due to the IP blocker service. (To date we have only had 2
> complaints that we have not accepted legit email. We pointed out that
> they had misconfigured/hacked systems that needed fixing and they were
> happy.)
> Over the past week I have had 11 spam messages that got through. 5 are
> now classified as spam. None are image spams. The last image spam that
> I can see was on Sept 10.
> Hope that answers Russell's question.
> On 26 Sep 2006 at 12:00, Russell Fulton wrote:
>> Spammers have now taken things to a new level and SA is not coping
>> well.
>> One question I have (and it is one some of our managers are asking):
>> Are commercial products doing any better? If you have an army of
>> people tweaking things on an hour by hour basis (like we now do with
>> AV) you may be able to make some progress but it is going to be very
>> expensive and in the end (I believe) futile.
>> Anyway, I'd be interested in hearing from anyone who is using
>> commercial products as to how they are coping with the current wave
>> of image spam.
>> We are playing with the fuzzyocr plugin but have not put it into
>> production yet. I view this as a short term stop gap as we have
>> already seen images with obscured fonts...
>> Cheers, Russell
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> http://lists.dshield.org/mailman/listinfo/unisog
> -- 
> Mark Borrie
> Information Security Manager,
> Information Technology Services, University of Otago,
> Dunedin, N.Z.
> Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409
