Raising the SBRS BLACKLIST range above the default?

Unanswered Question
Apr 5th, 2007

In a recent release, we (IronPort) set the default SBRS BLACKLIST range to go from -10 up to -4 when you choose the "Moderate" approach and up to -2 if you choose an "Aggressive" approach.

(This means mail senders whose Senderbase Reputation Score is lower than -4 are simply not allowed to send mail to your domain)

Which approach are you using: Moderate, Aggressive, or Conservative? Has anyone tried raising the BLACKLIST above -2?

Thanks

Chris Haag
IronPort Support

mpriess_ironport Thu, 04/05/2007 - 01:54

Name: BLACKLIST
Order: 4
Comment: Spammers are rejected
Policy: BLOCKED
SBRS (Optional): -10.0 to -1.0
DNS Lists (Optional): cbl.abuseat.org
Connecting Host DNS Verification: None Included


Just made this change today in addition to adding the cbl.abuseat.org list. We were getting a lot of spoofed email masquerading as being sent from bbt.com; however, it was originating from many IPs, primarily in Amsterdam and Asia Pacific. Some of the SenderBase scores were in the -2 to -1 range, so we needed to make the change, as the volume of mail appeared to be affecting performance.

Haven't had any reports of valid email being blocked yet. But, it has been less than 6 hrs. :-)

jpcarna_ironport Wed, 04/11/2007 - 19:04

I guess we fall into the aggressive, but have not tried above 2.

Name: BLACKLIST
Order: 3
Comment: No Spam!
Policy: BLOCKED
SBRS (Optional): -10.0 to -2.0
DNS Lists (Optional): None
Connecting Host DNS Verification: None Included

Additionally we block all dynamic IPs using the following:

Name: SPAMHAUS_PBL
Order: 4
Comment: http://www.spamhaus.org/pbl/index.lasso
Policy: Dyna-Block
SBRS (Optional): Not in use
DNS Lists (Optional): pbl.spamhaus.org
Connecting Host DNS Verification: None Included

Really have not had any complaints with this configuration; there is the occasional customer with a spam/Trojan problem, but once they resolve their issue their SBRS increases and it seems to resolve itself.

mpriess_ironport Wed, 04/18/2007 - 18:55

I had to adjust our blacklist policy based on SBRS back to -2. We had email coming from a small (but valid) company who had a -1.8 SBRS.
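
The sender groups quoted above are evaluated by Order, and a connecting host falls into a group when its SBRS lies within the group's range or its address is on one of the group's DNS lists. The following Python model is an added example, not code from any post in this thread and not IronPort's own software: it replays jpcarna's configuration (BLACKLIST at -10.0 to -2.0 plus SPAMHAUS_PBL) and mpriess's (BLACKLIST at -10.0 to -1.0 with cbl.abuseat.org) against constructed connecting hosts, including a -1.8 sender like the one mpriess describes. First-match-wins evaluation in Order, the catch-all ALL group with an ACCEPTED policy, the host addresses and the in-memory DNSBL answers are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SenderGroup:
    """One HAT sender group as listed in the thread (fields mirror the posts)."""
    name: str
    order: int
    policy: str
    sbrs_range: Optional[Tuple[float, float]] = None  # inclusive (low, high), or None = "Not in use"
    dns_lists: Tuple[str, ...] = ()                   # DNSBL zones, or empty = "None"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the conventional DNSBL lookup name: reversed IPv4 octets under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


# Constructed, offline stand-in for DNSBL answers: a name in this set counts as "listed".
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges, not real senders.
CONSTRUCTED_DNSBL: Set[str] = {
    dnsbl_query_name("192.0.2.1", "pbl.spamhaus.org"),   # assumed dynamic-pool address
    dnsbl_query_name("192.0.2.5", "cbl.abuseat.org"),    # assumed compromised host
}


def is_listed(ip: str, zone: str, dnsbl: Set[str] = CONSTRUCTED_DNSBL) -> bool:
    return dnsbl_query_name(ip, zone) in dnsbl


def classify(ip: str, sbrs: Optional[float], groups: List[SenderGroup],
             dnsbl: Set[str] = CONSTRUCTED_DNSBL) -> Tuple[str, str]:
    """Return (group name, policy) for a connecting host; assumed first match in Order wins."""
    for group in sorted(groups, key=lambda g: g.order):
        if group.sbrs_range is not None and sbrs is not None:
            low, high = group.sbrs_range
            if low <= sbrs <= high:
                return group.name, group.policy
        if any(is_listed(ip, zone, dnsbl) for zone in group.dns_lists):
            return group.name, group.policy
    return "ALL", "ACCEPTED"  # assumed catch-all group for hosts matching nothing above


# jpcarna's groups as posted: BLACKLIST to -2.0, dynamic pools via Spamhaus PBL.
JPCARNA_GROUPS = [
    SenderGroup("BLACKLIST", 3, "BLOCKED", sbrs_range=(-10.0, -2.0)),
    SenderGroup("SPAMHAUS_PBL", 4, "Dyna-Block", dns_lists=("pbl.spamhaus.org",)),
]

# mpriess's first group as posted: BLACKLIST to -1.0 plus cbl.abuseat.org.
MPRIESS_GROUPS = [
    SenderGroup("BLACKLIST", 4, "BLOCKED", sbrs_range=(-10.0, -1.0),
                dns_lists=("cbl.abuseat.org",)),
]


def compare_thresholds(ip: str, sbrs: Optional[float]) -> Dict[str, Tuple[str, str]]:
    """Show how the same host is treated under the two posted BLACKLIST ranges."""
    return {
        "jpcarna (-10.0 to -2.0)": classify(ip, sbrs, JPCARNA_GROUPS),
        "mpriess (-10.0 to -1.0)": classify(ip, sbrs, MPRIESS_GROUPS),
    }


if __name__ == "__main__":
    # Constructed hosts: a small legitimate company at -1.8, a clear spammer at -5.0,
    # a dynamic-pool address with no score, and a listed-but-well-scored host.
    for ip, sbrs in [("203.0.113.7", -1.8), ("203.0.113.9", -5.0),
                     ("192.0.2.1", None), ("192.0.2.5", 2.3)]:
        print(ip, sbrs, compare_thresholds(ip, sbrs))
```

The -1.8 sender is the interesting row: under the -2.0 range it reaches the catch-all and is accepted, while under the -1.0 range it is rejected outright, which is exactly the false positive that prompted mpriess to move back to -2. The 192.0.2.5 row shows that a DNS list match blocks a host regardless of its SBRS, so a DNSBL on a BLOCKED group deserves the same log review as the score threshold.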

Bart_ironport Thu, 04/19/2007 - 20:27

I think -3 is a good default value. We have a couple systems with a more aggressive policy that are blocking up to -2, but nothing higher than that.

Personally I wouldn't go above -2 because I've seen senderbase scores drop quite low when systems were moved to other addresses.

I'm also using the Spamhaus PBL to block mails from dynamic address pools. We were getting quite a lot of German spam messages that were not detected by IPAS. They all came from dynamic addresses with an SBRS of "None" or slightly below 0.

chhaag Fri, 04/20/2007 - 16:55

For those who may not know, that graph was created using spamtowho.exe, available on the Tools section of our Portal.

cheers,

Chris Haag

davidl_ironport Sun, 04/22/2007 - 21:16

Well,
for my company, I jumped into a very, very aggressive mode and put the default blacklist to 0!! Since the beginning our IronPort has stopped more than 98,5% of threats, so in order to protect my users I have had to go beyond -2 and manually blacklist a lot of domains that I am sure we have no communications with at the moment (i.e. .ru, .jp, .tr, etc.). I know it is quite incredible, and even my ISP had some difficulties believing me...

I also modified the spam threshold values for a list of sensitive persons (directors): positively scored at 70 and suspected at 25.

For mistaken SBRS scores I created a special HAT entry and placed them into either a whitelist or a threshold list.

I still have some spam incoming, but I created a Lotus Notes database to collect users' complaints. I am very interested in an IronPort tool to directly submit spam from the Lotus Notes client.

It is a little time consuming to monitor the systems...

paulstevens_ironport Wed, 05/02/2007 - 14:07

We've wound it up as high (low) as -0.5 at an ISP to see what the effect was. We typically run aggressive at -2.0 for POC and then start incrementing it up to -1.0 for production once the logs have been looked at and a pattern for sending domains is established and we're happy it'll work.

Rich Tillis Tue, 05/08/2007 - 18:28

We've been running ours at -10.0 to -1.0 since just about day 1. Have had to do a little tweaking here and there but no complaints from users so far.

bensil_ironport Fri, 05/11/2007 - 03:42

Yes, here we are running at -10.0 to -2.0 as well. We once ran with -10.0 to -1.0 when there were lots of attacks. There were some false positives, and so we went back to -10.0 to -2.0. We also apply more limits in the throttled settings.
