Cisco Support Community

New Member

IPAS vs Brightmail...your experiences.

With IP going to IPAS only soon, I wanted to know what you thought of the effectiveness of IPAS vs Brightmail.

For the past month I have done a production trial on IPAS (turned off BM and turned on IPAS). While I find that it has eliminated Image Spam, we are now receiving more SPAM. Furthermore, this past weekend our users received an exceptional amount of SPAM.

I am concerned at this point if:
- IPAS as it is now is my only choice when my BM subscription is up in July
- IPAS is not as nimble as BM in identifying SPAM (which is what I assume happened this past weekend).

I have faith that IP will get the IPAS filter right....eventually. However, in the meantime, I cannot tolerate a step back in SPAM detection while they are trying to figure it out.

I was hoping to have the ability in 5.0 to use IPAS and BM. As of now this would be a strong 1-2 punch.

-MattG

12 REPLIES
New Member

Re: IPAS vs Brightmail...your experiences.

We use IronPort anti-spam only and are very happy with the 'out of the box' results. Like all anti-spam solutions you will need to eventually tweak the filters to suit your exact issues. The major problem though with the IPAS is the fact that you cannot get to see the Anti-spam score that is calculated for each message to enable you to tweak your settings - damn annoying!!

New Member

Re: IPAS vs Brightmail...your experiences.

What tweaks are you referring to?

-Matt

New Member

Re: IPAS vs Brightmail...your experiences.

We switched to IPAS - to try and nail the image spams.

Mostly it has been comparable - although we did experience a burst of image spam on the weekend.

I found that BM had poor reaction to repeat spam - stuff that we could obviously see was repetitive spam which was being sent to Symantec via the plugin, via probes we set up with them and via the email submission address. Attempting to follow this up was frustrating as we had to go via Ironport and a week later you may or may not get a response from Symantec via IP.

Likewise - I have seen a few examples where IPAS has not reacted either - we have Spamcop probes but I'm not sure how much of this gets into IPAS, we also use the IP plugin and the submission address. We also followed this up with IP customercare.

Is anyone using BM 6.04 engine (latest AsyncOS) and found that it does better image spam detection than 6.03? Symantec told us that 6.04 "would solve our image spam problems"...

New Member

Brightmail vs IPAS

We are in the process of evaluating IPAS vs. BM. At this point, we have the luxury of running two boxes in an attempt to do an apples to apples comparison.

We have two C60s with equally weighted MX records.

*One is running Brightmail with suspected SPAM threshold of 45, utilizing the Symantec Open Proxy and Safe list.

*The other is running IPAS with all defaults.

We have been gathering statistics, but I have not had much time to evaluate. At this point, Brightmail does appear to be catching a higher percentage by volume. HOWEVER, we have not modified the IPAS SPAM Thresholds. They are currently set to 90/50.

My next steps include:

*Setting up a quarantine for false positives so that I can tweak the default IPAS settings.
*I will also be swapping IPAS and BM on the C60s. The one that currently runs BM will run IPAS, and the one that currently runs IPAS will run BM.
*We will then gather additional statistics and do a more comprehensive eval.

-James

New Member

Re: IPAS vs Brightmail...your experiences.

In my find evaluation, IPAS default setting of 90 is more conservative than Brightmail's default settings and becomes more comparable with IPAS set in the 80-85 range.

Erich

Cisco Employee

Re: IPAS vs Brightmail...your experiences.

I would expect a better IPAS catch rate with these settings:
positive spam threshold: 80
suspect spam threshold: 40

New Member

Re: IPAS vs Brightmail...your experiences.

I would agree, set the positive to 80 and suspect to 40, we are using this in our production environment.

We have found that IPAS generates fewer false positives than Brightmail over the past 8 months.

New Member

Convert any BM probes to IronPort spam traps

Apologies for the late post on this thread. One thing to note that sometimes gets overlooked when customers convert from BM to IPAS is spam traps. If you had email probe accounts with BM, these typically use real email addresses which obviously get both real and spam mail. IronPort's spam traps require 100% spam feeds and therefore need to be email addresses that have never and will never be used for real mail. In addition, the traps are fed to a different email address than the BM probes.

New Member

Cloudmark as an alternative?

What about Cloudmark Antispam - has anyone tried running this on Ironport Appliances yet?

New Member

running BM and IPAS

In AsyncOS 5.1 you can run both at the same time and on the same message.

New Member

Brightmail => IPAS

Hi folks,
our Brightmail license will expire by the end of the next year and we are going to test the IPAS.
Can we use the Brightmail Quarantine server (BMCC) to quarantine spam?
I mean, during this evaluation we want to configure 2 C-Series boxes, one with BM and the other one with IPAS, and send the SPAM crop to the BMCC.
Should the BMCC be configured as an Ironport External Quarantine server on the box where we will activate the IPAS?
Or is the way the BM spam filter and IPAS filter send the SPAM to the BMCC different?

Thanks
Bob

New Member

Re: IPAS vs Brightmail...your experiences.

You can send IPAS spam to Brightmail Quarantine - you just need to select "Deliver" under apply action to message and set the alternate host to be your Brightmail quarantine. You may also have to make other changes depending on where messages are sent when users release them from their quarantine to stop them being rescanned by Ironport (i.e. does your Brightmail quarantine server deliver released emails back to the Ironport for delivery). You shouldn't look to continue using Brightmail quarantine long term though because I think the Brightmail quarantine license expires with your Brightmail Antispam license - you should use either on-box Ironport spam quarantine or buy an M-Series.
