
Raising the SBRS BLACKLIST range above the default?

chhaag
Level 1

In a recent release, we (IronPort) set the default SBRS BLACKLIST range to go from -10 up to -4 when you choose the "Moderate" approach and up to -2 if you choose an "Aggressive" approach.

(This means mail senders whose SenderBase Reputation Score is lower than -4 are simply not allowed to send mail to your domain.)

Which approach are you using: Moderate, Aggressive, or Conservative? Has anyone tried raising the BLACKLIST above -2?

Thanks

Chris Haag
IronPort Support


Name: BLACKLIST
Order: 4
Comment: Spammers are rejected
Policy: BLOCKED
SBRS (Optional): -10.0 to -1.0
DNS Lists (Optional): cbl.abuseat.org
Connecting Host DNS Verification: None Included


Just made this change today in addition to adding the cbl.abuseat.org. We were getting a lot of spoofed email masquerading as being sent from bbt.com; however, it was originating from many IPs in Amsterdam and Asia Pacific primarily. Some of the SenderBase scores were in the -2 to -1 range so we needed to make the change as the volume of mail appeared to be affecting performance.

Haven't had any reports of valid email being blocked yet. But, it has been less than 6 hrs. :-)

I guess we fall into the aggressive, but have not tried above 2.

Name: BLACKLIST
Order: 3
Comment: No Spam!
Policy: BLOCKED
SBRS (Optional): -10.0 to -2.0
DNS Lists (Optional): None
Connecting Host DNS Verification: None Included

Additionally we block all dynamic IPs using the following:

Name: SPAMHAUS_PBL
Order: 4
Comment: http://www.spamhaus.org/pbl/index.lasso
Policy: Dyna-Block
SBRS (Optional): Not in use
DNS Lists (Optional): pbl.spamhaus.org
Connecting Host DNS Verification: None Included

Really have not had any complaints with this configuration, the occasional customer with a spam/Trojan problem but once they resolve their issue SBRS increases and seems to resolve itself.

I had to adjust our blacklist policy based on SBRS back to -2. We had email coming from a small (but valid) company who had a -1.8 SBRS.

Bart_ironport
Level 1

I think -3 is a good default value. We have a couple systems with a more aggressive policy that are blocking up to -2, but nothing higher than that.

Personally I wouldn't go above -2 because I've seen SenderBase scores drop quite low when systems were moved to other addresses.

I'm also using the Spamhaus PBL to block mails from dynamic address pools. We were getting quite a lot of German spam messages that were not detected by IPAS. They all came from dynamic addresses with an SBRS of "None" or slightly below 0.

Rayman_Jr
Level 1

Currently we are blocking below -2 and it seems to be way too aggressive to get above it.

We haven't added pbl.spamhaus.org into blocking but we are looking at that option. Any more experiences with PBL? Has it given many false positives?

Here is a table of our spam positives caught by IPAS per SBRS:

[Image: http://kotisivu.mtv3.fi/jariih/spam-positives.gif]

chhaag
Level 1

For those who may not know, that graph was created using spamtowho.exe, available on the Tools section of our Portal.

cheers,

Chris Haag

davidl_ironport
Level 1

Well, for my company, I jumped into a very, very aggressive mode and put the default blacklist to 0! Since the beginning our IronPort stops more than 98,5% of threats, so in order to protect my users I have had to go beyond -2 and manually blacklist a lot of domains that I am sure we have no communications with at the moment (i.e. .ru, .jp, .tr, etc.). I know it is quite incredible and even my ISP had some difficulties believing me...

I also modified the spam threshold values for a list of sensible persons (directors): positively score to 70 and suspected to 25.

For mistaken SBRS scores I created a special HAT entry and placed them into either a whitelist or threshold list.

I still have some spam incoming, but I created a Lotus Notes database to collect user complaints. I am very interested in an IronPort tool to directly submit spam from the Lotus Notes client.

It is a little time consuming to monitor the systems...

We've wound it up as high (low) as -0.5 at an ISP to see what the effect was. We typically run aggressive at -2.0 for POC and then start incrementing it up to -1.0 for production once the logs have been looked at and a pattern for sending domains is established and we're happy it'll work.
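The log review described in the post above can be run as a what-if sweep before the BLACKLIST upper bound is raised. This is an added example, not code from the thread or from IronPort: the record layout, the function names and the sample data are assumptions constructed here, and "clean" is only a proxy for mail the content scanner did not flag.

```python
from collections import defaultdict

# Constructed sample records (NOT the IronPort log format), one per accepted
# connection: (sending domain, SBRS or None, content-scan verdict).
SAMPLE = [
    ("bulk-a.example", -6.2, "spam"),
    ("bulk-a.example", -6.2, "spam"),
    ("bulk-b.example", -3.1, "spam"),
    ("bulk-c.example", -1.5, "spam"),
    ("bulk-c.example", -1.5, "spam"),
    ("smallco.example", -1.8, "clean"),
    ("moved-host.example", -0.7, "clean"),
    ("dynamic-pool.example", None, "spam"),
    ("partner.example", 3.4, "clean"),
]

def in_blacklist(score, upper, lower=-10.0):
    """True if score falls inside the BLACKLIST range lower..upper (inclusive).
    Assumption: a sender with no score ("None") never matches a numeric range."""
    return score is not None and lower <= score <= upper

def what_if(records, upper):
    """Summarise what a BLACKLIST range of -10.0..upper would have rejected."""
    spam_blocked = clean_blocked = spam_missed = 0
    review = defaultdict(int)  # domains with unflagged mail that would be refused
    for domain, score, verdict in records:
        blocked = in_blacklist(score, upper)
        if blocked and verdict == "spam":
            spam_blocked += 1
        elif blocked:
            clean_blocked += 1
            review[domain] += 1
        elif verdict == "spam":
            spam_missed += 1
    return {"upper": upper, "spam_blocked": spam_blocked,
            "clean_blocked": clean_blocked, "spam_missed": spam_missed,
            "review": sorted(review)}

def sweep(records, uppers=(-4.0, -3.0, -2.0, -1.0, -0.5)):
    """Evaluate each candidate upper bound against the same traffic."""
    return [what_if(records, u) for u in uppers]

if __name__ == "__main__":
    for row in sweep(SAMPLE):
        print(row)
```

The `review` list is the set of sending domains to check, and whitelist if legitimate, before the tighter range goes into production; spam from senders with no score stays in `spam_missed` at every threshold, which is the gap the DNS list entries in this thread cover.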

Rich Tillis
Level 1

We've been running ours at -10.0 to -1.0 since just about day 1. Have had to do a little tweaking here and there but no complaints from users so far.

bensil_ironport
Level 1

Yes, here running at -10.0 to -2.0 as well. We were once running with -10.0 to -1.0 when there were lots of attacks. There were some false positives and thus we went back to -10.0 to -2.0 then. We also limit more on the throttled settings.
