Sorry about the OT here, but I feel compelled to add just a little
follow up on the topic of pre-scanning and Alligate.

Alligate is IMO definitely the way to go. As Paul pointed out,
greylisting everything (i.e. ORF) has drawbacks and I wouldn't use a
solution that greylisted everything. I worked with Brian Milburn of
Alligate for months to help him create a method of providing selective
greylisting so that most legitimate E-mail is not greylisted. I also
helped him create a method of storing triplicates for use with
greylisting that only track base domains and not the full sender and
recipient, thus substantially reducing what needs to be greylisted if it
does trigger selective greylisting. I received nothing in return except
for a very capable product that benefited my system greatly. Brian is
also a lot like Pete and R. Scott Perry.

Setting things up optimally is not going to be an out of the box type of
experience. I have both offered some free assistance in private and
public to those that are dealing with Alligate, and Brian can also
provide some support for new setups. There is of course a limit to my
time for things like this. I have also occasionally consulted on such
things at the request of others.

So while it can be a hard nut to crack, especially if one is not
familiar with the architecture or concepts of a pre-scanning gateway,
there is help out there, and it is definitely worthwhile. I formerly
used ORF for tarpitting and address validation, but going to Alligate
for this was the best move that I have made since picking up Declude and
Sniffer.

Note that Alligate Gateway is not a replacement for Sniffer, Declude or
any other deep scanning solution, it is merely a tool for handling
validation and some blocking of the most obvious and easiest to detect
spam, primarily with passive means of blocking (greylisting and
tarpitting), and without needing to throw a lot of CPU at it. I handle
over 1 million connections per day and Alligate averages about 5% CPU at
peak times. Only 7% of the connections result in delivery of a message
to my deep-scanning layer using a configuration that is not aggressive.
There is only one zombie spammer at present that will survive
greylisting.

Matt
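
The selective, base-domain greylisting described in the message above, as an added example that is not part of the original post and is not Alligate's code. Using the client IP as the first element of the key, the caller-supplied `suspicious` flag, the small suffix set and the delay values are all assumptions made for illustration.

```python
import time

# Assumption: tiny constructed suffix set; real code would use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def base_domain(address):
    """Reduce <user@mail.example.co.uk> to example.co.uk."""
    host = address.rsplit("@", 1)[-1].strip("<>").lower().rstrip(".")
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class SelectiveGreylist:
    """Greylist only flagged connections, keyed on base domains."""

    def __init__(self, min_delay=300, max_age=36 * 86400, clock=time.time):
        self.min_delay = min_delay  # seconds a new key must wait before retry passes
        self.max_age = max_age      # seconds after which a key is forgotten
        self.clock = clock
        self.seen = {}              # key -> (first_seen, passed)

    def check(self, client_ip, mail_from, rcpt_to, suspicious):
        """Return 'accept' or 'defer' (a temporary SMTP 4xx reply)."""
        if not suspicious:
            # Selective part: unflagged mail is never delayed.
            return "accept"
        # Base domains instead of full addresses: one entry covers every
        # sender/recipient pair between the same two organisations.
        key = (client_ip, base_domain(mail_from), base_domain(rcpt_to))
        now = self.clock()
        entry = self.seen.get(key)
        if entry is None or now - entry[0] > self.max_age:
            self.seen[key] = (now, False)
            return "defer"
        first_seen, passed = entry
        if passed or now - first_seen >= self.min_delay:
            self.seen[key] = (first_seen, True)
            return "accept"
        return "defer"  # retried too quickly

if __name__ == "__main__":
    gl = SelectiveGreylist(min_delay=0)
    # Constructed sample addresses (documentation IP range and example domains).
    print(gl.check("192.0.2.10", "a@mail.example.com", "bob@example.org", True))
    print(gl.check("192.0.2.10", "b@news.example.com", "alice@example.org", True))
```

With full-address triplets the second call would be a new key and would be deferred again; with base domains it reuses the entry created by the first call.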
Dave Marchette wrote:
> I agree with the pre-scanning concept. IMgate, ORF and Alligate are all
> good, but it just depends upon your level of comfort with each type of
> environment these run in. Each takes several days of fine tuning and
> log babysitting (even though the vendors tell you it is plug and play-
> it's not). We've tested all three and prefer Alligate (thanks Matt!)
> but any way you look at it, if you are running even moderate volume then
> pre-scanning is the next step in the evolution of protection.
>
> -----Original Message-----
> From: Message Sniffer Community [mailto:sniffer sortmonster.com] On
> Behalf Of Technical Support
> Sent: Monday, October 23, 2006 7:28 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: SPAM Problems
>
>
> We also use ORF by VamSoft on IIS to pre-process.
>
> We do not use the grey listing. We tried it, and it is great at
> eliminating spam, but it can delay mail for hours, which is a problem
> for most email users.
>
> Instead of grey listing, we have found ORF's tar-pitting very effective.
>
> We set some tests at the ORF level, but don't block on them (because
> there is no "weighting"). We also have some spam trap email addresses.
> Fail a test or hit a spam trap and we tar-pit. Instead of sending us
> 100 spams a minute they can only send one per minute.
>
> We can pick up x-records with Declude and not have to re-run the tests
> on the iMail server, still using Declude to score the messages based on
> the prior tests.
>
> ORF even has a built-in interface for sniffer.
>
> It is simpler and preferable to process everything on the iMail server,
> but when you want to off-load processing to stretch your iMail / Declude
> investment, this arrangement can do the trick.
>
> Paul Fuhrmeister
> Paul CommerceStreet.com
>
>
> -----Original Message-----
> From: Message Sniffer Community [mailto:sniffer sortmonster.com] On
> Behalf Of David Waller
> Sent: Monday, October 23, 2006 5:15 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: SPAM Problems
>
> Filippo,
>
> We had a similar problem. Due to the huge volumes of spam we found our
> mail server becoming less able to deal with email. Imail/Declude/Sniffer
> is expensive in processor terms when processing email and we found the
> best was to pre-process mail filtering using Greylisting (we used
> Vamsoft in IIS SMTP but others exist). This has dramatically reduced the
> load on our server and seems to stop the bulk of spammers and mail
> harvesters
>
> Hope this helps.
>
> David
>
>
>
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <sniffer sortmonster.com>.
> To unsubscribe, E-mail to: <sniffer-off sortmonster.com>
> To switch to the DIGEST mode, E-mail to <sniffer-digest sortmonster.com>
> To switch to the INDEX mode, E-mail to <sniffer-index sortmonster.com>
> Send administrative queries to <sniffer-request sortmonster.com>