Spam Threshold Levels

Feb 27th, 2009

What do you guys have your levels set to? Ours are currently 75/35 (drop/quarantine for the actions), but we've just had to lower it again to 75/30 due to slightly increasing levels of spam getting through. This is getting rather close to the lower limit of 25, so I'm beginning to wonder what happens if we end up at 25 and we still get things through!

We submit everything that comes through to the [email protected]... address, but is there anything further we can do? The next thing I can think of is looking at headers and seeing if there's anything there (such as encodings..)

Wargot_ironport Fri, 02/27/2009 - 10:20

Do you apply the CASE engine to all Sender Groups or just the senders with a lower score?

We are seeing an increase, but upon investigation the majority are coming from Senders with a higher reputation and hence do not have the CASE engine applied against them.

AndrewR_ironport Fri, 02/27/2009 - 10:26

Good question! Just checked, but we're applying it to all the groups except one and from the header stamping we do, the junk isn't coming in as that group, thankfully.

Thinking further, I guess putting the junk through a trace would be a good idea too, as we could then see what the IP boxes think of it then..

ava-iron_ironport Tue, 03/03/2009 - 13:50

I think it's better to use several CASE policies (at least 2) with different scores and put spam recipients/senders into a stricter policy (lower scores). Does anyone have any other ideas?

Wargot_ironport Tue, 03/03/2009 - 14:18

If you are going to use different CASE Policies (with Different Scores) then you have to have multiple Mail Policies each with a different Anti-Spam Setting, and the complex way you would have to put the senders into the different policies (Email Address or LDAP group), is going to put an overhead on the appliances and be a pain to manage.

The best way we have found is to drop the messages from the senders with a low SBRS (Around the -2.5 mark is good). For us that drops about +80% of the messages at the Gateway (and saves a huge amount of overhead on the appliances).

At the other end of the scale we don't apply the CASE engine to the senders with a very good score.

This works very well for us and the 30 Million messages we process in a month. The false positive rate for the messages we drop is about 0.00002%.
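
Added example, not part of the thread and not IronPort code: a small replay of a hand-labelled sample through the layered policy discussed above (reputation drop at SBRS -2.5, no scanning for well-reputed senders, 75 drop threshold, quarantine threshold swept over 35/30/25). The sample data, the `sbrs_trust` cut-off of 7.0, and the reading of thresholds as "score at or above" are assumptions made for the illustration.

```python
from collections import Counter

# Constructed, hand-labelled sample: (sender SBRS, anti-spam score, is_spam).
SAMPLE = [
    (-6.0, 98, True), (-3.1, 91, True), (-2.7, 40, True), (-2.6, 12, False),
    (-1.0, 82, True), (-0.4, 33, True), (0.2, 28, True), (0.5, 31, False),
    (1.5, 26, True), (2.0, 10, False), (3.0, 5, False), (7.5, 60, True),
    (8.0, 3, False),
]

def verdict(sbrs, score, drop=75, quarantine=30, sbrs_block=-2.5, sbrs_trust=7.0):
    """Return the action for one message under the layered policy."""
    if sbrs <= sbrs_block:
        return "gateway_drop"      # rejected on reputation, never scanned
    if sbrs >= sbrs_trust:
        return "deliver"           # trusted sender group: scanning skipped
    if score >= drop:
        return "drop"
    if score >= quarantine:
        return "quarantine"
    return "deliver"

def evaluate(sample, **policy):
    """Count actions, spam that was delivered, and legitimate mail stopped."""
    counts = Counter()
    for sbrs, score, is_spam in sample:
        action = verdict(sbrs, score, **policy)
        counts[action] += 1
        if is_spam and action == "deliver":
            counts["missed_spam"] += 1
        elif not is_spam and action != "deliver":
            counts["ham_stopped"] += 1
    return counts

def sweep(sample, thresholds=(35, 30, 25)):
    """Map each quarantine threshold to (missed_spam, ham_stopped)."""
    out = {}
    for q in thresholds:
        c = evaluate(sample, quarantine=q)
        out[q] = (c["missed_spam"], c["ham_stopped"])
    return out

if __name__ == "__main__":
    for q, (missed, stopped) in sweep(SAMPLE).items():
        print(f"quarantine>={q}: missed spam={missed}, legitimate stopped={stopped}")
```

On this sample, lowering the quarantine threshold to 25 still leaves one spam message delivered: the one from the sender whose reputation exempts it from scanning, which no threshold change can catch.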

