04-05-2007 01:06 AM
In a recent release, we (IronPort) set the default SBRS BLACKLIST range to go from -10 up to -4 when you choose the "Moderate" approach and up to -2 if you choose an "Aggressive" approach.
(This means mail senders whose Senderbase Reputation Score is lower than -4 are simply not allowed to send mail to your domain)
Which approach are you using: Moderate, Aggressive, or Conservative? Has anyone tried raising the BLACKLIST above -2?
Thanks
Chris Haag
IronPort Support
04-05-2007 01:54 AM
Name: BLACKLIST
Order: 4
Comment: Spammers are rejected
Policy: BLOCKED
SBRS (Optional): -10.0 to -1.0
DNS Lists (Optional): cbl.abuseat.org
Connecting Host DNS Verification: None Included
Just made this change today in addition to adding the cbl.abuseat.org... we were getting a lot of spoofed email masquerading as being sent from bbt.com; however, it was originating from many IPs in Amsterdam and Asia Pacific primarily. Some of the SenderBase scores were in the -2 to -1 range so we needed to make the change as the volume of mail appeared to be affecting performance.
Haven't had any reports of valid email being blocked yet. But, it has been less than 6 hrs. :-)
04-11-2007 07:04 PM
I guess we fall into the aggressive, but have not tried above 2.
Name: BLACKLIST
Order: 3
Comment: No Spam!
Policy: BLOCKED
SBRS (Optional): -10.0 to -2.0
DNS Lists (Optional): None
Connecting Host DNS Verification: None Included
Additionally we block all dynamic IPs using the following:
Name: SPAMHAUS_PBL
Order: 4
Comment: http://www.spamhaus.org/pbl/index.lasso
Policy: Dyna-Block
SBRS (Optional): Not in use
DNS Lists (Optional): pbl.spamhaus.org
Connecting Host DNS Verification: None Included
Really have not had any complaints with this configuration, the occasional customer with a spam/Trojan problem but once they resolve their issue SBRS increases and seems to resolve itself.
04-18-2007 06:55 PM
I had to adjust our blacklist policy based on SBRS back to -2. We had email coming from a small (but valid) company who had a -1.8 SBRS.
04-19-2007 08:27 PM
I think -3 is a good default value. We have a couple systems with a more aggressive policy that are blocking up to -2, but nothing higher than that.
Personally I wouldn't go above -2 because I've seen senderbase scores drop quite low when systems were moved to other addresses.
I'm also using the Spamhaus PBL to block mails from dynamic address pools. We were getting quite a lot of German spam messages that were not detected by IPAS. They all came from dynamic addresses with an SBRS of "None" or slightly below 0.
04-20-2007 10:40 AM
Currently we are blocking below -2 and it seems to be way too aggressive to get above it.
We haven't added pbl.spamhaus.org into blocking but we are looking at that option. Any more experiences with PBL? Has it given many false positives?
Here is a table of our spam positives caught by IPAS per SBRS:
[Image: http://kotisivu.mtv3.fi/jariih/spam-positives.gif]
04-20-2007 04:55 PM
For those who may not know, that graph was created using spamtowho.exe, available on the Tools section of our Portal.
cheers,
Chris Haag
04-22-2007 09:16 PM
well,
for my company, I jumped into a very very aggressive mode, and put the default blacklist to 0 !! Since the beginning our IronPort has stopped more than 98,5% of threats, so in order to protect my users I have had to go beyond -2 and manually blacklist a lot of domains that I am sure we have no communications with at the moment (i.e. .ru, .jp, .tr, etc.). I know it is quite incredible and even my ISP had some difficulties believing me...
I also modified the spam threshold values for a list of sensible persons (directors): positively score to 70 and suspected to 25.
For mistaken SBRS scores I created a special HAT entry and placed them into either a white list or threshold list.
I still have some spam incoming, but I created a Lotus Notes database to collect user complaints. I am very interested in an IronPort tool to directly submit spam from the Lotus Notes client.
It is a little time consuming to monitor the systems...
05-02-2007 02:07 PM
We've wound it up as high (low) as -0.5 at an ISP to see what the effect was. We typically run aggressive at -2.0 for POC and then start incrementing it up to -1.0 for production once the logs have been looked at and a pattern for sending domains is established and we're happy it'll work.
05-08-2007 06:28 PM
We've been running ours at -10.0 to -1.0 since just about day 1. Have had to do a little tweaking here and there but no complaints from users so far.
05-11-2007 03:42 AM
Yes, here running at -10.0 to -2.0 as well. We once ran with -10.0 to -1.0 when there were lots of attacks. There were some false positives and thus we went back to -10.0 to -2.0 then. We also limit more on the throttled settings.
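
An added example, not part of any post above and not IronPort code: before moving the BLACKLIST upper bound, replay the candidate values from this thread against senders you have already classified and see which legitimate ones would start being rejected. The sample rows are constructed, and treating an SBRS of None as never matching a numeric range is an assumption.

```python
# Constructed sample, not real log data: (connecting host, SBRS or None, known legitimate?)
SAMPLE = [
    ("203.0.113.10", -7.2, False),
    ("203.0.113.11", -3.5, False),
    ("203.0.113.12", -2.4, False),
    ("198.51.100.20", -1.8, True),   # a valid sender with a poor score
    ("203.0.113.13", -1.5, False),
    ("198.51.100.21", -0.7, True),
    ("203.0.113.14", -0.3, False),
    ("203.0.113.15", None, False),   # dynamic address with no score
    ("198.51.100.22", 0.4, True),
    ("198.51.100.23", 3.1, True),
]

CANDIDATE_UPPERS = [-4.0, -3.0, -2.0, -1.0, -0.5, 0.0]


def in_blacklist(sbrs, upper, lower=-10.0):
    """True if the score is inside [lower, upper].
    Assumption: a sender with no score (None) never matches an SBRS range."""
    return sbrs is not None and lower <= sbrs <= upper


def sweep(samples, uppers):
    """For each candidate upper bound, count what would be rejected and
    list the known-legitimate hosts caught by it (false positives)."""
    rows = []
    for upper in uppers:
        blocked = [s for s in samples if in_blacklist(s[1], upper)]
        rows.append({
            "upper": upper,
            "blocked": len(blocked),
            "false_positives": [host for host, _, legit in blocked if legit],
            "spam_passed": sum(1 for _, sbrs, legit in samples
                               if not legit and not in_blacklist(sbrs, upper)),
        })
    return rows


def tightest_safe_upper(samples, uppers):
    """Highest candidate bound that rejects no known-legitimate sender."""
    safe = [r["upper"] for r in sweep(samples, uppers) if not r["false_positives"]]
    return max(safe) if safe else None


if __name__ == "__main__":
    for row in sweep(SAMPLE, CANDIDATE_UPPERS):
        print(row)
    print("tightest bound without false positives:",
          tightest_safe_upper(SAMPLE, CANDIDATE_UPPERS))
```

On this sample the unscored sender still gets through with the bound at 0.0, so a score range alone does not cover senders with no reputation data.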