Jim
Wed Mar 26 06:09:23 PDT 2008
Spam is like traffic lights and people talking on the cell phone. It
is something you have to deal with. I do have one account that bought
an anti-spam device that sits in front of the Exchange server. He
reports no spam and few false positives.
I like anything I can do to present statistics. Real world numbers
from one account. 345,738 attempted connections to Exchange. 276,915
connections rejected by block list providers. 155 connections dropped
because of blank sender. 15,415 connections rejected by directory
lookup. So after all that first level stuff the messages get tossed to
IMF. 55,438 are scanned for UCE. 5,848 are tagged as UCE. Then they go
off to Trend.
Trend reports that it has been running since Feb. 13. It scanned
497,822 messages. It saw 46 virus messages. It saw 20,698 spam. Note
that when you do IMF definition updates your imfperfmon counters get
reset. That is why Trend reports so many more messages than my
imfperfmon.
So now you do some math. Either you present raw numbers or percentage.
80% of the connection attempts are rejected by RBL. Of the 20% that
gets through 5% are rejected as not in AD. 10.5% are marked as spam by
IMF. So right off the bat 86.29% of the email coming in is crud before
Trend looks at anything. Trend sees about 4% crud.
When I factor in the Trend 4% crud, only 13% of all connections are
actually good email. You can play with statistics many ways. It helps
when end users complain about too much spam when you can show them
that right now you are blocking 87% of all email now as crud. Note
that not all accounts have so much spam. Another account has 35% RBL
rejection. But that second account has 97% UCE filtered by IMF. Only a
tiny percent Trend gets because IMF is turned up higher than at the
other account.
Passive things you can do. Do not use Trend's End User Quarantine.
Often a bad idea because you then have to sift through all that crud.
Better to empower the end user. The EUQ by default empties messages
older than 14 days. It may be possible that if your business allows
for greater than 2 week vacations that you may need to adjust the self
cleaning time to longer.
I really do not have much complaining I hear about once I do the
statistics thing. But I have not migrated from Thunderbird to Outlook
so I have not fought that battle. Where does Thunderbird place its
spam?
The Outlook Junk mail folder will not get populated by Exchange if you
have the settings the same in Exchange. Possibly Outlook might see
something but I doubt it as Trend is going to wash it before it is
delivered to the user's mailbox. So the only way the user junk mail
folder might get stuff is if Trend misses something. That is not too
likely. It is something I have not obsessed over. I will check in at a
few accounts to see what they think of the junk mail folder.
On Tue, 25 Mar 2008 20:24:37 -0700 (PDT), Ryan <mindflux98@gmail.com>
wrote:
>I've already got 3 users all of which I migrated away from POP via
>Thunderbird (which handles junk mail very well) griping about the junk
>they are getting in their inbox (pre TM CSM). I know that they'll
>gripe about having to sift through both Junk Mail and Spam boxes for
>false hits.
>
>I have my IMF and JMF both set at 7 currently (I read about setting
>them equal earlier in the day) and then set the CSM Spam module to
>'high'. I've seen a few things slip through already though. But I
>guess nothing is perfect.
>
>So I've got the zen spamhaus rbl, the spamcop rbl, IMF/JMF at 7 and
>TM CSM on "high". When I go in tomorrow I'll disable the actual Junk
>Mail filter on Outlook 2003 for the clients, since that could possibly
>conflict with CSM.
>
>
>Is there anything else I can do to further give my users an easier
>time of things?
>
>
>On Mar 25, 10:07 pm, Jim Behning SBS MVP
><jimbehn...@doesthisblockpork.mindspring.com> wrote:
>> Some people set the IMF at 7 or so. The junk mail option to do nothing
>> (same number as IMF). Then you just let Trend grab what is left. I
>> like to have IMF do as much as it can and let Trend catch what is
>> left. But I do not get all that much spam at work. Your users may not
>> mind sifting through all the junk that the IMF is catching. You could
>> just do the IMFPERFMON I mentioned just to see how much more crud the
>> end users will have to sift through if they did not have the IMF
>> turned on. No one has a gun to your head. You can let Trend take care
>> of everything your RBL does not block.
>>
>> On Tue, 25 Mar 2008 17:17:23 -0700 (PDT), Ryan <mindflu...@gmail.com>
>> wrote:
>>
>>
>>
>> >Jim,
>> > Yes I have done that.
>>
>> >I'm having a hard time imagining why I need both IMF (for the SCL and
>> >JMF) AND Trend Micro's Spam filter. It seems tedious to have my users
>> >check a junk folder and then TM's spam folder.
>>
>> > Have you (or anyone else) any suggestions there? Can I disable IMF
>> >and the JMF and just allow Trend Micro to do its thing?
>>
>> >On Mar 25, 5:18 pm, Jim Behning SBS MVP
>> ><jimbehn...@doesthisblockpork.mindspring.com> wrote:
>> >> On Tue, 25 Mar 2008 12:11:38 -0700 (PDT), Ryan <mindflu...@gmail.com>
>> >> wrote:
>>
>> >> >Also,
>> >> > My Trend Micro alerts keep ending up in the Outlook Junk folder. So
>> >> >they aren't even passing Exchange's IMF.
>>
>> >> Be aware that your Outlook client has junk mail definitions. Have you
>> >> added the key dword ContentFilterState with a value of 1 so your
>> >> Exchange gets updates?
>> >> See what SBS support is working on http://blogs.technet.com/sbs/default.aspx
>> >> Check your SBS with the SBS Best Practices Analyzer http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx