Spamhaus ...

Matthew Black black at csulb.edu
Thu Feb 18 08:53:04 UTC 2010


On Wed, 17 Feb 2010 18:33:00 -0700
  Joel M Snyder <Joel.Snyder at Opus1.COM> wrote:
> I second the assertion that others have already made that this is worth 
>the money.  We do spam testing, and I can more-or-less guarantee that 
>Spamhaus beats all of the free reputation services (and a number of the 
>for-pay ones) hands-down in its ability to block spam and the incredibly 
>low number of false positives.

We ADDED Spamhaus to our IronPort because it was inexpensive. I recall using 
MAPS RBL many years earlier with a lot of false positives and angry 
companies trying to reach our users.

  
> John Levine wrote:
> 
> > > We no longer use Spamhaus, relying instead upon Sender Base Reputation
> > >Scores (IronPort).
> 
> >How does the price compare?
> 
> Well, depending on how you look at it, either horribly or beautifully. You 
>can't buy SenderBase by itself; you get it with an Ironport anti-spam 
>appliance.  So if you were going to buy Ironport anyway, the price is 
>"free" which makes it cheaper than Spamhaus.  On the other hand, if you 
>just want SenderBase, it'd be a very expensive way to get only the 
>reputation filtering.
> 
> In general, like many of the big-name anti-spam products, the reputation 
>service is part-and-parcel of the product and can't really be separated 
>out.  In fact, with Ironport, they use the reputation service in two ways: 
>one is to block connections in the first place, and the second way is to 
>bias results of their content filter for connections which are accepted. 
> Since their scores are -10 to +10, there's considerable leeway to use the 
>information as part of their anti-spam cocktail beyond simple "go/no-go" of 
>a typical reputation service.
> 
> jms
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719


SenderBase blocks about 90% of incoming connections. 3-part TCP/IP 
handshake, send them an error, then disconnect. For some egregious senders, 
we simply refuse the TCP/IP connection. You don't have to scan refused 
messages or connections for viruses or spam, a very costly process.

When IronPort first released their own anti-spam product to replace 
Brightmail, it had many false positives. We were a beta tester. They do much 
better now and false positives are almost non-existent.

We still encounter the occasional user wondering why their connection gets 
blocked by SenderBase. For our users, we remind them to configure SMTP AUTH 
when working from off campus because so many DSL addesses have low SBRS 
values. SMTP AUTH lets them bypass the SenderBase.

One of the coolest IronPort features is virtual gateways. Besides all the 
reputation filtering and anti-spam, anti-virus features, IronPort lets you 
create virtual gateways so outbound e-mail can be classed to use a different 
outbound source IP address. Very helpful so that our bulk mailers don't 
affect individual users should we get black or graylisted.

Cheers.

matthew black
e-mail postmaster
california state university, long beach




More information about the NANOG mailing list