04-07-2008 07:24 AM
Hello,
We are currently migrating 60 or so email domains to our ironport appliances.
We initially had migrated 55 or so of the lesser used domains when we became aware of a network configuration issue that caused us to move the domains back to our existing antispam solution.
Since moving the domains back, we have noticed a significant increase in the amount of spam being delivered to those domains that were migrated to the ironports for a week or so - to the point that we are receiving complaints from users about it.
Obviously we want to implement the ironports, but has anyone else experienced this? It's as if the ironports are spam magnets! ;-)
Cheers,
Chris
04-07-2008 11:09 AM
Depending on how your Ironport was configured, you might be experiencing a queued spam effect from Senderbase throttling disreputable IP addresses.
As soon as the domains are shifted back those IP addresses could offload their queued spam at full steam.
Just a theory...
04-09-2008 10:15 AM
> Depending on how your Ironport was configured, you might be experiencing a queued spam effect from Senderbase throttling disreputable IP addresses.
Are spammers actually queueing undeliverable mail now? They didn't used to, which is why greylisting would work. Last I heard (a couple of months or so ago), greylisting was still effective.
04-09-2008 03:32 PM
Ironport greylisting? Don't know.
04-09-2008 06:13 PM
For the most part the spammers still are re-trying on 400 errors
Greylisting was only ever going to be a stop-gap measure
04-10-2008 01:13 AM
> For the most part the spammers still are re-trying on 400 errors
I presume you meant to say "...the spammers still are not re-trying on 400 errors."
04-10-2008 04:54 AM
At our Org we had users receiving low levels of SPAM. We moved behind an Ironport C350. We stayed that way for 1 week.
Due to an error with our Infrastructure (not the Ironport device) we had to move off the Ironport back to the original mail flow device.
Those same users then received 100+ SPAM messages per day for the next week while we sorted out the issue and then moved them back onto the Ironport.
The question is "Why did we see such an increase in SPAM by moving to (and then off) the Ironport?". Is it related at all? Suspect ...
We also see moderate connection numbers to the existing email infrastructure. The Ironport however (according to its own stats) receives 170,000+ connection attempts per day!
The big stats on the Ironport look amazing, but when you start to think "I don't think we ever saw those sort of levels before" you wonder. Are the numbers real? Is it attracting more connections? Is it advertised somewhere?
Just wondering ...
04-10-2008 02:44 PM
These sorts of observations make me wonder if spammers are monitoring the performance of their tools and adjusting when they start encountering resistance. They wouldn't know about message drops, but they would know about connection refusals and rate limiting.