Best practices for exchange antispam

I am in the process of evaluating ESET and have installed the AntiSpam app on my Exchange 2007. Since then spam has taken a turn for the worse.

Before ESET I was using VIPRE antispam. All users would get maybe one spam a week; most of it would be blocked and we would never know how much spam was actually being blocked. We also very rarely had a false positive that would get blocked (none come to mind now).

On ESET I personally got over 40 spam emails in my Junk email folder and 5 spam emails in the Inbox. All in just 12 hours. Other users are getting spammed as well. This change requires a lot of adjusting from my users as they are used to having almost no spam and suddenly they are getting a lot of it.

So I figured I must have some settings not running at their optimal level or something.


So my questions are:

1. When looking into and comparing with what I had in VIPRE, I saw that by default ESET does not use RBL. Is there a reason? I tried registering at Barracuda RBL but I have no idea what score to give it in the ESET settings. Any assistance there would be appreciated (what RBL to use, how to set it up, etc.).

2. Is there a way to change the subject of the "Maybe Spam" emails in my inbox to include [SPAM?], just so users will know to be suspicious of these emails?

3. What is the recommended approach and pros/cons of using quarantine mailbox instead of the retain in the mailbox option? For one thing it will keep it much more quiet for my users as most spam will be in that mailbox but what are the other considerations/best practices here?

4. Any other settings I should set to have it filter spam? I am looking for real-life settings/best practices and not some theoretical ideas.

Thanks

ESET Moderators

While we wait for EMSX users to offer their "real life settings/best practices," I wanted to point out a Knowledgebase article that may help:

How does Antispam scoring and email filtering work in ESET products?

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3459

For EMSX specifically, see the bottom of that article and also the EMSX User Guide.

ESET Moderators
I was able to extract some information from an ESET support agent.
  1. You are correct that ESET doesn't set specific RBLs by default. Reason: we don't want to flood those RBLs because most are for personal use only.
  2. No, the "maybe spam" (which is a score between 50 and 90, by default) cannot be tagged. Action is only taken on actual spam (90 and over).
  3. We don't specifically encourage or discourage using a quarantine mailbox. However, using a quarantine mailbox requires much more intensive admin overview.
You should also make sure that you're familiar with all the settings explained in the EMSX User Guide. The specific section of interest for you is probably:

Section 3.3 Antispam protection (pages 31-54)

DNSBL is discussed throughout and this is functionally similar to RBLs.

To specify an additional DNSBL in EMSX (User Guide page 46):

  1. Open ESET Mail Security by clicking Start -> All Programs -> ESET -> ESET Mail Security -> ESET Mail Security.
  2. Press F5 on your keyboard to open Setup.
  3. Expand Antispam protection, click Antispam engine and then click Setup.
  4. Click Verification -> DNSBL.
  5. On the right-hand side of the window, click "Setup".
  6. Click "Add".

The manual, with all due respect, is pretty much useless. If you look at what is explained about RBL, it says I can add a new RBL server and I am able to set the server address, response and score. No explanation about the score, no samples, nothing useful. The manual simply tells me what I am seeing on the screen.

I am pretty much in the same boat as DanAvni. The manual does not explain how to properly populate these fields. For example, Spamhaus has multiple return codes, both in the 127.0.0.x range and in the 127.0.1.x range. Am I supposed to create an entry for each of these codes?

How do I know if ESET is querying the DNSBL correctly? For example, I see an email was flagged as "Retained", but if I query Spamhaus, it is found on the DNSBL. So why was the email retained if it was on the RBL?

I have opened many requests via ESET's online ticketing system. Then, wondering why I never get a response, I look at my ESET logs, and the ESET responses are getting flagged as spam by ESET.

The worst part of this whole thing is that, as I am typing this, I just watched an email from XXX domain get flagged as "ON DNSBL (100%)", then 6 rows up in the log the SAME email, to another person in the company, gets retained as "Generic Spam Indicator (57%)" "Retained". So 3 of the 4 recipients did not get the email because it was on a DNSBL, but the 4th recipient did get the email because ESET "Retained" it. I don't understand why.

As I am typing I am watching "URL XXXX is on DNSBL (55%)" and then the next logged item, same domain, "URL XXXX is on DNSBL (67%)". Why would the same domain show two different scores?

How can I get more detailed logging as to why some emails from domain X are getting flagged as "on DNSBL" while others from the same domain are getting set to "Generic Spam Indicator" and being retained?
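To compare what a DNSBL actually answers for a sending IP against what the EMSX log says, here is an added Python example (not ESET's code, and not from this thread). It builds the reversed-octet query name, resolves it, and maps the answer to a listing reason; the return-code table is my reading of the published Spamhaus ZEN/DBL code lists and should be checked against the current documentation, the sample IPs are constructed, and 127.0.1.x answers come from domain (DBL) lookups, which this example only interprets, not issues.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Illustrative return-code table. Assumption: these reflect my reading of the
# published Spamhaus ZEN/DBL code lists; check them against the current docs.
CODES = {
    "127.0.0.2": "ZEN: SBL (spam source)",
    "127.0.0.3": "ZEN: SBL CSS (snowshoe spam source)",
    "127.0.0.4": "ZEN: XBL (exploited or compromised host)",
    "127.0.0.10": "ZEN: PBL (ISP dynamic range)",
    "127.0.0.11": "ZEN: PBL (Spamhaus-maintained range)",
    "127.0.1.2": "DBL: spam domain",
    "127.0.1.4": "DBL: phishing domain",
    "127.0.1.5": "DBL: malware domain",
}

def dnsbl_name(ip: str, zone: str) -> str:
    """Lookup name for an IPv4 address: octets reversed, list zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_a_lookup(name: str) -> Optional[str]:
    """Live resolver; NXDOMAIN (gaierror) is the normal 'not listed' answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def interpret(answer: Optional[str]) -> Tuple[bool, str]:
    """Turn a DNSBL A-record answer into (listed, reason)."""
    if answer is None:
        return False, "not listed"
    if answer.startswith("127.255.255."):
        # Error range (query limit, open resolver, bad query): not a listing.
        # Scoring this as spam would flag every inbound mail.
        return False, f"DNSBL error code {answer}"
    if answer.startswith(("127.0.0.", "127.0.1.")):
        return True, CODES.get(answer, f"unlisted code {answer}")
    # Anything else usually means a retired list or a wildcarded domain.
    return False, f"unexpected answer {answer}; do not score it"

def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolve: Callable[[str], Optional[str]] = dns_a_lookup):
    """Return (query_name, listed, reason) for one sending IP."""
    name = dnsbl_name(ip, zone)
    listed, reason = interpret(resolve(name))
    return name, listed, reason
```

Run check_ip against a sender IP taken from the EMSX log (with the real resolver) to see whether the raw DNSBL answer matches the "on DNSBL" or "Retained" verdict the product recorded.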


I am in the same boat. The manual is useless when it comes to configuring RBL, DNSBL etc., but these settings are important to be able to bring down the spam volumes. A bit more help or suggestions would be appreciated. For example, the RBL section mentions:

Please refer to the RBL section in this document for further information.

but there is no other 'RBL section' in the document.

So is this infinite loop a typo, or should there be another section explaining more in depth how to configure this?

Before using ESET Mail Security I used GFI MailEssentials, which worked really well and provided a lot of information on the configuration options, as well as the results (good log file viewing, graphical display of effectiveness, etc.). On the antivirus front I am happy with ESET, but maybe I need to go back to GFI for the mail server antispam if this doesn't improve.

Is anyone from ESET able to offer additional insight?


Interestingly, the product (v4.5) by default detects and blocks spam based on a DNSBL source, as the journal shows mails being blocked because URLs are in DNSBL, but this is nowhere to be found in the configuration.

How is this controlled and configured?

The documentation only mentions the earlier referenced settings that can be configured for RBL, LBL and DNSBL, but these are empty for now.
