Barracuda Networks Spam Firewall
Doing evaluations on anti-spam, anti-virus solutions, and ran across this:

http://www.barracudanetworks.com/

Looks like a good box -- even won an Editor's Choice award from Network Computing recently.

Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc?

Thanks,

Tom Claydon
Dobson Telephone
On May 17, 2004, at 2:35 PM, Claydon, Tom wrote:
Doing evaluations on anti-spam, anti-virus solutions, and ran across this:
http://www.barracudanetworks.com/
Looks like a good box -- even won an Editor's Choice award from Network Computing recently.
Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc?
Tom,

I have a Barracuda Spam Firewall 400, We handle about 9k users and the thing is AMAZING!

My old setup was 4 dual-PIII 550MHz, 1 Gig RAM running Qmail/Qmail-ldap/SpamAssassin/F-Secure AV. My inbox would get 300+ spams/day, many of them not tagged at all. This setup would melt on a regular basis when spam floods would come in.

My current setup is a Barracuda 400 and 1 inbound mail server (dual P-III 550MHz...). My inbox now gets 5 untagged spams/day and about 10 quarantined. This setup has been able to handle everything thrown at it so far with no noticeable performance hit.

My customers love it, I love it, best thing I have purchased in the last 12 months. Very low false positives and high hit rate. The quarantine box is very easy to handle for users, they will get an e-mail once per day with a list of messages and links to whitelist, deliver or delete. When they click on a link they will connect/log into the Barracuda. They can manage their own Bayesian filters from the quarantine interface.

It really has had a dramatic effect on my spam, I'm wondering what I'll be doing with all my spare time now that I don't have to manage my mail server.

I was watching the message log one day and noticed a spam flood in action.

10 messages came in and went to customers tagged about 0.5 or so
10 messages came in and went to customers tagged as ::SPAM:: with a score of 3.7 or so
10 messages came in and went to quarantine with a score of 5.5 or so
a bazillion messages were blocked with a score > 20

It learned very fast.

My Barracuda is currently blocking 500k+ messages/day

current stats (installed 13 days)

Blocked (SPAM) : 7453215
Blocked (Virus) : 24600
Quarantined : 82170
Tagged : 31552
Allowed : 580876

Average Queue latency : 4 seconds
Unique Recipients : 8245

I just signed up as a reseller and I'm building a managed mail solution around it.

If you are an ISP I recommend you get a 400 series or higher. You can customize the web interface a bit and it handles multiple domains better (per domain spam settings)

-Matt
Monday, May 17, 2004, 12:32:29 PM, you wrote:

MC> My old setup was 4 dual-PIII 550MHz, 1 Gig RAM running
MC> Qmail/Qmail-ldap/SpamAssassin/F-Secure AV. My inbox would get 300+
MC> spams/day, many of them not tagged at all
MC> This setup would melt on a regular basis when spam floods would come in

Not to thread jack or anything, but when I first moved our cluster to Spam Assassin, I was disappointed at the amount of messages that would get past Spam Assassin at even a low threshold of 2.

I Googled around and found a bunch of rulesets that once installed, started tagging those hard to get messages.

http://www.rulesemporium.com/ is a good place to start if anybody else is running Spam Assassin straight out of the box.

Regards,

Joe Boyce

---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: jboyce@shasta.com
At 05:00 PM 17/05/2004, Joe Boyce wrote:
Not to thread jack or anything, but when I first moved our cluster to Spam Assassin, I was disappointed at the amount of messages that would get past Spam Assassin at even a low threshold of 2.
I Googled around and found a bunch of rulesets that once installed, started tagging those hard to get messages.
Also, use the various RBLs in the scoring. e.g. add 50% of the threshold score if it's on spamcop and 25% for some of the other more aggressive RBLs. We have a very high and correct hit rate as a result. Our users can then add white lists for the handful of their contacts that get tagged as spam since they are using spam friendly ISPs.

---Mike
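Mike's scheme above, RBL hits weighted as fractions of the SpamAssassin threshold plus a per-user whitelist for the few contacts on spam-friendly ISPs, written out as an added Python example. This is not code from the thread or from SpamAssassin: the DNSBL zone names, the listed addresses and the answer table are constructed so the example runs offline, and only the 50%/25% fractions come from the post.

```python
import ipaddress

# Constructed stand-in for DNS: the query names a resolver would be asked for,
# mapped to the usual 127.0.0.x "listed" answer. A missing key means "not
# listed". The zone names are placeholders, not real DNSBL zones.
CONSTRUCTED_DNSBL_ANSWERS = {
    "4.3.2.192.spamcop.example": "127.0.0.2",
    "4.3.2.192.aggressive.example": "127.0.0.2",
    "9.8.7.198.aggressive.example": "127.0.0.2",
}

SA_THRESHOLD = 5.0  # SpamAssassin's required_score, "the threshold" in the post

# Each list adds a fraction of the threshold when it lists the relay:
# 50% for SpamCop, 25% for a more aggressive list, as in the post above.
RBL_FRACTIONS = {
    "spamcop.example": 0.50,
    "aggressive.example": 0.25,
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone, as DNSBL clients do."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, lookup=CONSTRUCTED_DNSBL_ANSWERS.get):
    """True when the list answers for the relay's query name."""
    return lookup(dnsbl_query_name(ip, zone)) is not None


def rbl_score(ip, threshold=SA_THRESHOLD, fractions=RBL_FRACTIONS,
              lookup=CONSTRUCTED_DNSBL_ANSWERS.get):
    """Sum of the threshold fractions for every list that names the relay."""
    score, hits = 0.0, []
    for zone, fraction in fractions.items():
        if is_listed(ip, zone, lookup):
            score += threshold * fraction
            hits.append(zone)
    return score, hits


def classify(rule_score, relay_ip, sender, whitelist=frozenset(),
             threshold=SA_THRESHOLD, lookup=CONSTRUCTED_DNSBL_ANSWERS.get):
    """Combine the content-rule score with the RBL score; a whitelisted sender
    is never tagged, which is how users rescue contacts on listed ISPs."""
    rbl, hits = rbl_score(relay_ip, threshold, lookup=lookup)
    total = rule_score + rbl
    whitelisted = sender.lower() in {w.lower() for w in whitelist}
    return {
        "rule_score": rule_score,
        "rbl_score": rbl,
        "hits": hits,
        "total": total,
        "spam": (total >= threshold) and not whitelisted,
    }


if __name__ == "__main__":
    # Constructed relay addresses and senders.
    print(classify(1.5, "192.2.3.4", "shop@example.test"))
    print(classify(1.5, "198.7.8.9", "shop@example.test"))
    print(classify(1.5, "192.2.3.4", "friend@example.test",
                   whitelist={"friend@example.test"}))
```

With a 5.0 threshold a relay on both constructed lists contributes 2.5 + 1.25 = 3.75, so a message whose content rules only reach 1.5 still crosses the line; the same message from a whitelisted contact does not.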
Hi!
Not to thread jack or anything, but when I first moved our cluster to Spam Assassin, I was disappointed at the amount of messages that would get past Spam Assassin at even a low threshold of 2.
I Googled around and found a bunch of rulesets that once installed, started tagging those hard to get messages.
http://www.rulesemporium.com/ is a good place to start if anybody else is running Spam Assassin straight out of the box.
And if I may plug SURBL if you wanna do that, might help with performance also. For example if you run BigEvil you might gain a lot of performance by doing that via SURBL.

http://www.surbl.org

Bye, Raymond.
On 5/17/2004 4:00 PM, Joe Boyce wrote:
I Googled around and found a bunch of rulesets that once installed, started tagging those hard to get messages.
http://www.rulesemporium.com/ is a good place to start if anybody else is running Spam Assassin straight out of the box.
There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet.

if URL IP addr is in China then score=100

support for a generic lookup list of cidr blocks would get another 9%

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Eric A. Hall wrote:
There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet.
if URL IP addr is in China then score=100
Where does this leave the 70% which would only match the rule;

if URL IP addr is in FL,USA then score=42

?

Pete
support for a generic lookup list of cidr blocks would get another 9%
On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote:
There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet.
if URL IP addr is in China then score=100
I beg to differ Eric A. Hall. According to statistics gathered by the Spamhaus Project (http://www.spamhaus.com), who most certainly have garnered my respect through their very satisfying services (SBL, XBL, ROKSO), it is the Yankees who are responsible for the majority of the internet's Spam. Let's have a look:

Top 10 Spam Countries April 2004:
---------------------------------
1 United States
2 China
3 South Korea
4 Brazil
5 Taiwan
6 Argentina
7 Canada
8 Russia
9 Hong Kong
10 Italy

Top 10 Worst Spam ISPs April 2004:
----------------------------------
1 mci.com (United States)
2 savvis.net (United States)
3 kornet.net (Korea)
4 above.net (United States)
5 chinanet-gd (China)
6 chinanet-cq (China)
7 xo.com (United States)
8 interbusiness.it (Italy)
9 level3.net (United States)
10 pccw.com (China)

Top 10 ROKSO Spammers April 2004:
---------------------------------
1 Alan Ralsky (United States)
2 Scott Richter - Wholesalebandwidth (United States)
3 Alexey Panov - ckync.com (Germany)
4 John Grandinetti / 321send.com (United States)
5 Anthony ''Tony'' M. Banks (United States)
6 Eric Reinertsen (United States)
7 lmihosting.com (United States)
8 Webfinity/Dynamic Pipe (Canada)
9 Scott Richter - OptInRealBig (United States)
10 Eddy Marin - Oneroute (United States)

According to Spamhaus, 200 known Spam Operations are responsible for 90% of your spam. Of the list currently available on their site, 142 of the known spammers are from a little country called THE UNITED STATES.

So contrary to what you said, perhaps I should just Null Route all email originating from the USA? ;)

If you really wish to stop spam, first we need to stop forgery. Then all the spammers will have to resort to more legitimate means for sending emails, but that being the case RHBLs become useful, because a spammer would no longer be forging, so using domain based black lists will actually be useful.

How to stop spam:

#1 - Stop buying crap sold via spam!!!
#2 - Stop SMTP forgery
#3 - Raise the IQ of the average windows user/admin so they will be physically capable of patching their OS, which contrary to popular belief isn't necessarily as crappy as everyone might think.

Implementing those above three steps is a healthy start.

Cheers,

James

--
James Couzens, Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
on Wed, May 19, 2004 at 03:12:29PM -0700, James Couzens wrote:
On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote:
There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet.
if URL IP addr is in China then score=100
       ^^^^^^^^^^^^^^^^^^^^^^^
I beg to differ Eric A. Hall.
<snip>
According to Spamhaus, 200 known Spam Operations are responsible for 90% of your spam. Of the list currently available on their site, 142 of the known spammers are from a little country called THE UNITED STATES.
That may be, and is probably quite true - but as Eric said, a majority of the /sites/ advertised in spam use China-based ISPs.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today! http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
On Wed, 19 May 2004, James Couzens wrote:
On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote:
There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 I beg to differ Eric A. Hall.
No Eric is quite correct. Read what he wrote again. Carefully. -Dan
On 5/19/2004 5:12 PM, James Couzens (jcouzens@6o4.ca) wrote:
On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote:
There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet.
if URL IP addr is in China then score=100
       ^^^
not connection address, not domain 'owner', but URL->Hostname->IP_ADDR

What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Wed, 2004-05-19 at 15:28, Eric A. Hall wrote:
not connection address, not domain 'owner', but URL->Hostname->IP_ADDR
What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.
Fair enough, my apologies on my misinterpretation. However, I am curious what source you have for your statistic. Going through the spam that I've got access to (and it is a substantial amount albeit not in the millions of spam per day) I can't seem to associate the spam with chinese urls, and certainly not to the extent that you indicate (90%).

Cheers,

James

--
James Couzens, Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
On 5/19/2004 6:19 PM, James Couzens wrote:
On Wed, 2004-05-19 at 15:28, Eric A. Hall wrote:
Going through the spam that I've got access to (and it is a substantial amount albeit not in the millions of spam per day) I can't seem to associate the spam with chinese urls, and certainly not to the extent that you indicate (90%).
extract hostname from url, dig on hostname, whois on addr, and nine times out of ten the host is in a CN netblock. that's from the spam that gets into my mailbox.

let me state AGAIN that what I really want is a plugin that allows for cidr match-lists so that I can also include the handful of non-enforcing hosters in Russia, New York, Florida, etc. One responder also suggested ASN matchlists but I'm not that mad.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Wed, 2004-05-19 at 16:24, Eric A. Hall wrote:
extract hostname from url, dig on hostname, whois on addr, and nine times out of ten the host is in a CN netblock. that's from the spam that gets into my mailbox.
Yes I understand that is what you meant. I just did this on 5 spam in my mail box, I got:

Domain Name: AAFMALE.BIZ (www.aafmale.biz)
Registrant Country: Canada
Resolves to address: 218.232.109.220 (KRNIC-K) (Korea)

Domain Name: PLANENEWS.COM
Registrant Country: France
Resolves to address: 216.92.194.65 (PAIRNET-BLK-3) (United States)

Domain Name: MIRGOS.ORG
Registrant Country: Russia
Resolves to address: 211.198.200.208 (KRNIC-KR) (Korea)

Domain Name: WINSPR.BIZ (iityvzbtpvw.winspr.biz)
Registrant Country: New Zealand
Resolves to address: 221.233.29.33 (CHINANET-HB-JZ7) (China)

While it is only 5 mails, and certainly nothing to judge by, it does not seem to be 90%. Although Korea is under APNIC, it is not China.
let me state AGAIN that what I really want is a plugin that allows for cidr match-lists so that I can also include the handful of non-enforcing hosters in Russia, New York, Florida, etc. One responder also suggested ASN matchlists but I'm not that mad.
What sort of plugin? MTA? MUA?

Going back to my previous e-mail, all of this effort I think is being placed in the wrong direction. Focus should be placed on preventing forgery, and educating users. If we spent the money we are dropping on hardware and software to stop spam (it's in the BILLIONS) on educating users and pushing anti-forgery / sender authentication/verification methods forward, we'd have an easier time of all this.

Cheers,

James

--
James Couzens, Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
James Couzens wrote:
| While it is only 5 mails, and certainly nothing to judge by, it does not
| seem to be 90%. Although Korea under APNIC it is not China.

Similar results. Got 2 in the US, one in Brazil, one in Korea, and one in China.

--
bep
On 5/19/2004 7:06 PM, James Couzens wrote:
I just did this on 5 spam in my mail box, I got:
[domains omitted--tripped my filters]

my last 10 survivors are at http://www.ehsco.com/misc/last-10-spams.eml the relevant data for them in order of occurrence is below.

eight are CN, one is KR, one is Geocities, and one is dead

219.129.20.244
inetnum: 219.128.0.0 - 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network

[timeout]

221.233.29.78
inetnum: 221.233.0.0 - 221.233.47.255
netname: CHINANET-HB-JZ7
descr: The Chinanet network in Jinzhou ,Hubei province

202.104.242.133
inetnum: 202.104.0.0 - 202.104.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network

221.233.29.33
inetnum: 221.233.0.0 - 221.233.47.255
netname: CHINANET-HB-JZ7
descr: The Chinanet network in Jinzhou ,Hubei province

[dupe host for CN]

219.148.126.47
inetnum: 219.148.0.0 - 219.148.159.255
netname: CHINATELECOM-he
descr: CHINANET hebei province network

66.218.77.68 (geocities, heh)
OrgName: Yahoo!
City: Sunnyvale
StateProv: CA

[dupe host for CN]

[dupe host for CN]

218.152.186.107
inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
gosh! maybe someone should set up a mailing list to discuss spam, anti-spam, ...? you mean they have? well, then maybe a bunch of us network operators (as opposed to spam weenies) should go over there and talk about sdh, router configs, circuit provisioning, etc. get a clue, spam weenies!
On Wed, 2004-05-19 at 17:47, Randy Bush wrote:
gosh! maybe someone should set up a mailing list to discuss spam, anti-spam, ...?
you mean they have? well, then maybe a bunch of us network operators (as opposed to spam weenies) should go over there and talk about sdh, router configs, circuit provisioning, etc.
get a clue, spam weenies!
I've got a clue Randy Bush. Last time I checked SPAM has a serious impact on my network, and the network of others. The topic of SPAM is exceptionally relative to someone who operates a network. Now enough of the needless insults and forward with the discussion at hand.

Cheers,

James

--
James Couzens, Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
Folks,

If I may offer a humble opinion here before this gets out of hand. I see many (me included) trying to side step the issue that SMTP is a broken and insecure protocol for that of electronic messages(ing). I see folks blacklisting, RBLing, and other methods in an attempt to fix the issue, which frankly is a band-aid to the entire mess. We can sit here and do route statements like

ip route 200.0.0.0 255.0.0.0 127.0.0.1

till we're blue in the face and need a spread sheet to keep up with the muck, but it's only a side step to the problem. Until either 1: SMTP/ESMTP is fixed so that spoofing cannot occur or 2: Another method/protocol of email/messaging is adopted we are only going to keep spinning our wheels so to speak. I hate just as much as the rest to pay for the garbage of spam, but until all the MS and AOL users start using another standard we'll have to keep bandaiding the problem to keep our customers and jobs. We can all agree it's a problem, period.

But as always, just my 2¢

Joe Blanchard

----- Original Message -----
From: "James Couzens" <jcns@6o4.ca>
To: "Randy Bush" <ra@psg.com>
Cc: <na@merit.edu>
Sent: Wednesday, May 19, 2004 8:59 PM
Subject: Re: Barracuda Networks Spam Firewall
Folks, let's stop this thread. We're getting into 'spam is really bad' comments, which aren't particularly enlightening to the list.
On Wed, 19 May 2004 22:54:55 EDT, joe <joej@rocknyou.com> said:
either 1: SMTP/ESMTP is fixed so that spoofing cannot occur or 2: Another method/protocol of email/messaging is adopted
3: We change the economics of spamming in some other fashion.

I've been advocating taking up a collection - every ISP that has an inbound spam problem kicks in just $100 - if there's 4,000 ISPs in the US (including all those mom&pop sites with E-bay routers), that's a pretty chunk of change. We then hire a few representatives from <choose ethnic organized crime> to "explain our point of view" to a few of the aforementioned 200 big offenders...

Unfortunately, there's these concepts of "legality" and "morality" involved... :)
On Wed, 19 May 2004, Eric A. Hall wrote:
my last 10 survivors are at http://www.ehsco.com/misc/last-10-spams.eml the relevant data for them in order of occurrance is below.
eight are CN, one is KR, one is Geocities, and one is dead
Different people get different spam, from different sources.

For years I was under the impression that spammers must be blasting everybody, so everybody would get similar spam.

I was surprised to find out that this isn't the case...

Rik
--
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan
On 5/20/2004 2:30 PM, Rik van Riel wrote:
Different people get different spam, from different sources.
Yah, I've been advocating the use of a CIDR match-list from the beginning for this and other reasons. Actually what you'd want is per-entry weighting, so for me and my mailbox:

CIDR 221.232.0.0/14 score = 3.0
CIDR 147.28.0.0/16 score = -3.0

The ASN matching has merit too, so maybe:

ASN 4134 score = 3.0
CIDR <holes punched> = -3.0

etcetera

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On May 20, 3:30pm, Rik van Riel <riel@surriel.com> wrote:
Different people get different spam, from different sources.
For years I was under the impression that spammers must be blasting everybody, so everybody would get similar spam.
I was surprised to find out that this isn't the case...
This is very true. We're four people in the same company, and there is the odd overlapping spam, but generally not at all; not even over several days. There must be some undiscovered science in there.

--
Per
Different people get different spam, from different sources. ...
This is very true. We're four people in the same company, and there is the odd overlapping spam, but generally not at all; not even over several days. There must be some undiscovered science in there.
according to <http://www.dcc-servers.net/dcc/graphs/>, most people get most of the same spam, even if this doesn't appear in local measurements. (note that these graphs are subtle and complex and wonderful, and deserve several minutes of careful study before you try to draw any conclusions.)

--
Paul Vixie
Is anyone else on NANOG having problems with Barracuda today? I'm getting massive latency (3000+ seconds) and it seems as if their tech support has gone into meltdown. While on hold I was even connected to another customer with the same problem. -- Joe Hamelin Edmonds, WA, US
I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection. It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix. -- Joe Hamelin Edmonds, WA, US
My Series 400 seems to be doing fine today. Average queue latency 4 seconds which is about normal. Do you have any special config settings? -Matt On Jul 27, 2004, at 7:21 PM, Joe Hamelin wrote:
I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection.
It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix.
-- Joe Hamelin Edmonds, WA, US
It only seems to be a problem when I hit above about 16k messages an hour. I do wish they had better numerical historical logging. Maybe in V3.0. On Tue, 27 Jul 2004 20:03:08 -0400, Matthew Crocker <matthew@crocker.com> wrote:
My Series 400 seems to be doing fine today. Average queue latency 4 seconds which is about normal.
Do you have any special config settings?
-Matt
On Jul 27, 2004, at 7:21 PM, Joe Hamelin wrote:
I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection.
It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix.
-- Joe Hamelin Edmonds, WA, US
-- Joe Hamelin Edmonds, WA, US
Here's what I got today from Barracuda. I'll let you know if it did indeed fix my problems.

Hi Joe,

Your latency problem should be resolved.

=======================================================
On July 27th a new stream of spam was introduced into the wild. This spam contained certain formatting aspects that were intentionally designed to cause Spam Assassin's Bayesian implementation to run at extremely slow speeds. Due to the way Spam Assassin handled the email, it was taking several minutes to process these messages and the Barracuda's internal processes would detect the potential problem and start queuing mail to prevent any mail loss. Unfortunately this precaution had the byproduct of further increasing the message latency on the system.

Barracuda Networks' team of engineers created a patch for this Spam Assassin attack. The patch was released in version 1.6.733 of the spam definitions. If you were affected by the new spam, please make sure you are running this version or higher of the spam definitions (Advanced->Energize Updates in the web GUI).

Also, if you had previously contacted tech support and were advised to disable Intention Analysis (Basic->Bayesian/Fingerprinting) as a way to attempt to reduce latency, you should be able to turn this feature back on without any issues.
=======================================================

Let me know if you have any additional concerns.

Heather

Heather Russell
Barracuda Networks
408.342.5447 Direct
408.342.1061 Fax
hrussell@barracudanetworks.com
www.barracudanetworks.com

--
Joe Hamelin
Edmonds, WA, US
Eric A. Hall wrote:
What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.
Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA "patriots" ?

Peter
What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.

Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA "patriots" ?
shut up or we'll bomb and torture you
On 5/20/2004 8:25 AM, Randy Bush wrote:
What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.
Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA "patriots" ?
shut up or we'll bomb and torture you
resist the cycle of violence and hate

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On 19 May 2004 15:12:29 -0700 James Couzens <jcouzens@6o4.ca> wrote:

|> if URL IP addr is in China then score=100
| I beg to differ Eric A. Hall.
...
| So contrary to what you said, perhaps I should just Null Route all
| email originating from the USA? ;)

While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam.

The physical source of the message - which is likely to be in the US or China - will most probably not be visible to the recipient due to the use of anonymising proxies and other "zombie" senders - those IPs are likely to be on "consumer" networks just about anywhere ...

--
Richard Cox
On Wed, 19 May 2004, Richard Cox wrote:
While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam.
Altho this is probably not true if you're one of the billion or so people who live in or around China or are of Chinese origin.. Steve
On Thu, 20 May 2004, Stephen J. Wilcox wrote:
On Wed, 19 May 2004, Richard Cox wrote:
While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam.

Altho this is probably not true if you're one of the billion or so people who live in or around China or are of Chinese origin..
Actually mainland Chinese non-spammers seem to prefer offshore hosting eg hk, taiwan, japan or north america. I guess all the mainland Chinese webhosting is all taken up by spam operators or something.

-Dan
perhaps this all belongs on alt.jingo.weenies? can we focus on network operations not network exclusionism? this is worse than spam.
On 5/19/2004 6:38 PM, Stephen J. Wilcox wrote:
Altho this is probably not true if you're one of the billion or so people who live in or around China or are of Chinese origin..
just check for charset=US-ASCII first. come to think of it, ASCII would probably give half the necessary weight alone.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, 20 May 2004 00:38:50 +0100 (BST) "Stephen J. Wilcox" <steve@telecomplete.co.uk> wrote:

| Altho this is probably not true if you're one of the billion or
| so people who live in or around China or are of Chinese origin..

Which is exactly why I've just been on a visit to Beijing and Xi'an.

The differentiator is in the character-set used. Add that test and the picture is then complete.

--
Richard Cox
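Eric's procedure (extract the hostname from each URL in the body, resolve it, match the address against a netblock), his per-entry weighted CIDR match-list with holes punched in larger blocks, and the charset test Eric and Richard add above, combined into one added Python example. It is not code from the thread or from any SpamAssassin plugin: the hostnames, the DNS answer table, the netblocks and their weights are constructed so the example runs offline, and applying the netblock weights only to messages whose charset is plain ASCII is one reading of the charset suggestion, not something the thread specifies.

```python
import ipaddress
import re
from email import message_from_string

# Constructed DNS answers standing in for "dig on hostname", so the example
# runs offline. Hostnames and addresses are made up for this example.
CONSTRUCTED_DNS = {
    "www.example-shop.test": "221.233.29.33",   # inside the 221.232.0.0/14 entry
    "www.example-hole.test": "221.233.30.7",    # inside a hole punched in that /14
    "www.example-isp.test": "147.28.5.10",      # inside the negatively weighted /16
}

# Per-entry weighted CIDR match-list in the style of the post above. Netblocks
# and weights are constructed. The most specific matching entry wins, which is
# how a hole punched inside a larger block overrides it.
MATCH_LIST = [
    (ipaddress.ip_network("221.232.0.0/14"), 3.0),
    (ipaddress.ip_network("147.28.0.0/16"), -3.0),
    (ipaddress.ip_network("221.233.30.0/24"), -3.0),
]

# Assumption for the charset gate: netblock weights only apply to messages
# declaring a plain ASCII charset, so mail written in a CJK charset is not
# penalised for linking to hosts in the same region.
ASCII_CHARSETS = {"us-ascii", "ascii"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hostnames(body):
    """Unique, lower-cased hostnames cited in http(s) URLs in the body."""
    return sorted({h.lower().rstrip(".") for h in URL_RE.findall(body)})


def cidr_weight(ip, match_list=MATCH_LIST):
    """Weight of the longest-prefix entry containing ip, 0.0 if none matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, weight in match_list:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, weight)
    return best[1] if best else 0.0


def message_charset(msg):
    """Declared charset of the message, defaulting to us-ascii."""
    return (msg.get_content_charset() or "us-ascii").lower()


def score_message(raw, resolve=CONSTRUCTED_DNS.get, match_list=MATCH_LIST):
    """URL -> hostname -> address -> netblock weight, summed over the body."""
    msg = message_from_string(raw)
    charset = message_charset(msg)
    payload = msg.get_payload(decode=True) or b""
    try:
        body = payload.decode(charset, errors="replace")
    except LookupError:  # unknown charset label: keep the bytes, do not crash
        body = payload.decode("latin-1")
    gate_open = charset in ASCII_CHARSETS
    hosts, total = {}, 0.0
    for host in extract_hostnames(body):
        ip = resolve(host)
        if ip is None:
            hosts[host] = None  # dead host, like the "[timeout]" entry in the thread
            continue
        weight = cidr_weight(ip, match_list) if gate_open else 0.0
        hosts[host] = (ip, weight)
        total += weight
    return {"charset": charset, "hosts": hosts, "score": total}


# Constructed sample messages.
SAMPLE_ASCII = """\
From: sender@example.test
To: user@example.test
Subject: special offer
Content-Type: text/plain; charset=us-ascii

See http://www.example-shop.test/offer and http://www.example-dead.test/x
"""

SAMPLE_GB2312 = SAMPLE_ASCII.replace("charset=us-ascii", "charset=gb2312")

SAMPLE_HOLE = """\
From: sender@example.test
To: user@example.test
Subject: newsletter
Content-Type: text/plain; charset=us-ascii

http://www.example-shop.test/a http://www.example-hole.test/b http://www.example-isp.test/c
"""

if __name__ == "__main__":
    for raw in (SAMPLE_ASCII, SAMPLE_GB2312, SAMPLE_HOLE):
        print(score_message(raw))
```

The first sample scores 3.0 from the one resolvable host and records the dead one; the same body declared as gb2312 scores 0.0 because the gate is closed; the third sample shows the /24 hole and the negative /16 cancelling the /14 hit, giving -3.0. Longest-prefix matching is what makes Eric's "CIDR <holes punched> = -3.0" line work without ordering the list by hand.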
Matthew

SpamAssassin needs quite a bit of tweaking above the out of the box setup. I run about 7000 messages a day here, 70% spam, .5% virus (clamav and Sophos), very very rarely a FP. I get above 99% hit rate after adding in bayes, several additional rules from www.rulesemporium.org and the URI checks. Runs on a 600MHz celeron with load avg < .5

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
All

Sorry that should be http://www.rulesemporium.com/

also worthwhile adding in the surbl.org plugin for SA, which adds a lot less CPU time than the bigevil etc rules.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Martin Hepworth wrote:
On May 18, 2004, at 4:13 AM, Martin Hepworth wrote:
Matthew
SpamAssassin needs quite a bit of tweaking above the out-of-the-box setup. I run about 7000 messages a day here, 70% spam, .5% virus (clamav and Sophos), very very rarely a FP. I get above 99% hit rate after adding in bayes, several additional rules from www.rulesemporium.org and the URI checks. Runs on a 600mhz celeron with load avg < .5
I agree that everything the Barracuda does can be done by hand. I had a choice of either spending $4k for a 'set it and forget it' type spam solution or continue to spend days per month of my time tweaking my old setup. I chose to go with the commercial route which will easily save me $$ and more importantly frustration over the course of this year. I can spend my time building my business now instead of tweaking my mail server.

Barracuda is built on open source, It boots LILO then goes into 'secret' mode. I don't think they added any black magic to the box. They just assembled the open source parts and shrink wrapped it into a very easy to manage solution.

-Matt
Matt
I prob spend at most a couple of hours per week tweaking the thing now.. depends on whether you can squeeze the 4k out of the bean counters up front...:-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
We are seeing many customers here probing port 5000 across the network. It appears to be some new worm or something but I've had no luck yet in figuring out what it is except to say norton AV detects nothing yet.

Anyone have a clue?

http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cabc9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query

the jump in traffic is obvious.

Geo.
It is a worm: http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=20301309

Erik

On Tue, 2004-05-18 at 15:15, Geo. wrote:
--
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax: +31(0)10 7507005
http://www.we-dare.nl
Now that we know it's Bobax scanning http://isc.sans.org/diary.php do we know if the source IP's are legit or spoofed?

======================================
Our Anti-spam solution works!!
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
http://www.forta.com/cf/isp/isp.cfm?isp_id=1069
======================================

----- Original Message -----
From: "Geo." <geoincidents@nls.net>
To: <nanog@merit.edu>
Sent: Tuesday, May 18, 2004 8:15 AM
Subject: Port 5000
Since it is completing a TCP handshake, the IP addresses are very likely to be the source of the scan. ISN generation on every modern OS is sufficiently random to prevent opportunistic TCP spoofing from something like a worm. While there are probably some exceptions to this statement, there are too few to be significant.

On Tue, 18 May 2004, Doug White wrote:
:Now that we know it's Bobax scanning http://isc.sans.org/diary.php do we
:know if the source IP's are legit or spoofed?

--
James Reid, CISSP
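The handshake argument above, as an added example that is not from the list thread: a small Python triage over constructed connection records (addresses, times and the log format are made up for illustration) treats a scanning source as attributable only when one of its flows shows a SYN followed by an ACK-only segment, which requires having seen the server's SYN/ACK or guessed its 32-bit ISN, and computes how unlikely that blind guess is.

```python
"""Added example: which port-5000 scan sources can be taken at face value?

A bare SYN can carry any source address.  A client ACK that completes the
handshake had to echo the server's initial sequence number, so unless the
ISN is predictable (the exceptions the post mentions) that source is real.
"""
from collections import defaultdict

# Constructed records, not from the list: "time src dst dport flags".
# Client-side flags use tcpdump conventions: S = SYN, . = ACK only, R = RST.
CONSTRUCTED_LOG = """\
10:15:01 10.0.0.5 192.0.2.10 5000 S
10:15:01 10.0.0.5 192.0.2.10 5000 .
10:15:02 10.0.0.9 192.0.2.11 5000 S
10:15:02 10.0.0.9 192.0.2.12 5000 S
10:15:03 10.0.0.7 192.0.2.10 5000 S
10:15:03 10.0.0.7 192.0.2.10 5000 R
10:15:04 10.0.0.5 192.0.2.13 5000 S
"""


def parse(log):
    """Yield (src, dst, dport, flags) from the constructed format above."""
    for line in log.splitlines():
        if line.strip():
            _time, src, dst, dport, flags = line.split()
            yield src, dst, int(dport), flags


def classify_sources(log, port=5000):
    """Return {src: 'completed' | 'syn-only'} for probes aimed at `port`.

    'completed' means some flow from the source sent a SYN and later an
    ACK-only segment to the same destination, i.e. it saw the SYN/ACK.
    """
    flows = defaultdict(list)
    for src, dst, dport, flags in parse(log):
        if dport == port:
            flows[(src, dst)].append(flags)
    verdict = {}
    for (src, _dst), seq in flows.items():
        done = "S" in seq and "." in seq[seq.index("S") + 1:]
        if done:
            verdict[src] = "completed"      # one real handshake is enough
        else:
            verdict.setdefault(src, "syn-only")
    return verdict


def blind_spoof_success_probability(guesses):
    """Chance of completing a handshake blind by guessing a uniformly random
    32-bit ISN in `guesses` tries; negligible, which is the post's point."""
    return 1.0 - (1.0 - 2.0 ** -32) ** guesses
```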
participants (27)
- Bruce Pinsky
- Claydon, Tom
- Dan Hollis
- Doug White
- Eric A. Hall
- Erik Haagsman
- Geo.
- James Couzens
- James Reid
- joe
- Joe Boyce
- Joe Hamelin
- Martin Hepworth
- Matthew Crocker
- Mike Tancsa
- Paul Vixie
- Per Gregers Bilse
- Peter Galbavy
- Petri Helenius
- Randy Bush
- Raymond Dijkxhoorn
- Richard Cox
- Rik van Riel
- Stephen J. Wilcox
- Steven Champeon
- Susan Harris
- Valdis.Kletnieks@vt.edu