How to enable access to public blacklists from ME 14.1 ?
How to enable access to public blacklists from ME 14.1 ? - 8.Oct.2009 3:08:44 PM   
Marcela_Admin

 

Posts: 6
Joined: 8.Oct.2009
Status: offline
Hi all, I'm a new poster and slowly learning about spam. We have problems in this area.

My company receives mail to a Unix Sendmail relay box inside a DMZ.  The mail comes into the LAN (dedicated Windows cluster hosting only Mail Security and Mail Essentials - latest build for both). Spam is tagged and forwarded to our Exchange 2003 environment and sent to the user. We have plans to move to 2007. We ask the users to create Outlook rules to redirect [SPAM] to another folder.

The Rules Manager sucks so had to ask users to do this.

Multiple issues to deal with. We have undetected Spams and we're hoping to change company policy to block / delete detected Spams but that will only happen when the number of false positives is tiny.

In ME the blocklists (sbl-xbl.spamhaus.org etc.) are inactive because the BL components want to resolve the domain names. This isn't possible because the internal root DNS doesn't refer to the internet DNS for security reasons. This means I need to install DNS on the GFI gateways and have conditional forwarding for the addresses like sbl-xbl.spamhaus.org to the internet. That also means opening inner and outer firewall port 53 udp/tcp for the gateway GFI servers and permitting access to the resolved addresses.

Our network and security people say No Way. Against all rules. And that this is normal enterprise practice to block direct links from inside zone to internet.
I opened two tickets with GFI asking how other customers resolve this. Response: more or less you are on your own: open ports. It seems to me that GFI, being a security company, shouldn't ask customers to compromise their own security to make the product work.

One of the reasons we now evaluate other vendors products.

Questions
How much of a difference do the public BLs make? I suspect a lot.
How do you do it?



Marcela        

-

< Message edited by Marcela_Admin -- 8.Oct.2009 3:12:39 PM >
Post #: 1
RE: How to enable access to public blacklists from ME 1... - 8.Oct.2009 10:44:20 PM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Hi Marcela

The blacklists are one of the most effective anti-spam systems available. The fact that you're not using them will probably impact very highly on how well you perceive ME is doing. Indeed, in most, if not all, installations I have, the blacklists block more than any other module with the exception of directory harvesting, but that is generally undeliverable anyway.

Having said that, I believe that Spamrazer utilises some blacklists, but you have no control over which blacklists are utilised, and Spamrazer is not a real-time query. Configuring Spamrazer to download updates more often for a more-real-time experience will have a negative impact on your available bandwidth.

I have only once had an issue with the Rule Manager, and that was not an ME issue. The only caveat is that a process needs to be put into place to run the Rule Manager against each new mailbox - this should be part of your "new user" process. Why do you say it "sucks"?

Personally, I think your network guys are being over zealous. I also think that your comment "It seems to me that GFI being a security company shouldn't ask customers to compromise their own security to make the product work." is unfair, as every on-premise solution utilising user-configured blacklists must DNS query the blacklist; I cannot see an alternative for real-time blacklist checking.

I presume that you've written this post on a machine from your enterprise network. This being the case, then you must have at least one machine that queries an external DNS server. It's possible that you're using a provider's proxy server, in which case, that server must be able to query an external DNS, but even so, it would be remiss to address that proxy server by IP address and not name, as it could change IP address and your provider is not bound to tell you. Similarly, it is usual to deliver email to external recipients by querying DNS and routing email direct to the responsible server for that domain. You may be using a smarthost to route emails, but in the same way as above, addressing the smarthost directly by IP is asking for trouble.

If indeed you have no method for querying an external DNS server and you wish to utilise ME to its fullest, then you must either set up a DNS server and allow that to query an external DNS or allow queries from your ME cluster to a suitable external DNS. Either way, this would mean opening tcp/udp 53 OUTBOUND. You do not open for inbound traffic. Note that there is provision within ME to direct only its queries to a specific DNS server. Your normal network card's DNS settings do not have to be changed. The DNS server that accepts the requests from the ME cluster could be restricted to the address of the cluster, probably by firewall rules. This does not prevent a rogue process on the cluster from utilising this DNS server, but if you've got a rogue process, you've got bigger things to worry about anyway.

There are a couple of DNS client exploits that I know of, but so far, the only drawback I can see from this would be the possible mis-determination of spam. Yes, there may be a more serious exploit in the future, but the likelihood of compromise is remote compared to, say, the likelihood of a browser exploit compromising your network: It would be possible if, for example, a buffer overrun in the DNS client allowed execution of code AND the blacklist's DNS servers were poisoned. *edit* On reflection, if you configure ME to query a specific DNS server, then it may not use the Microsoft DNS Client, in which case an exploit is even more unlikely. GFI may confirm/deny this.

The alternative is to ditch ME and use a hosted solution (See news item). The issue you might have with a hosted solution is manageability - you may not have the control that an on-premise solution has. Only you can weigh the pros and cons for your organisation.

By the way, if you do go down the blacklist route, I find zen.spamhaus.org is more effective than sbl-xbl.spamhaus.org as it encompasses more hosts. Also note that if your email traffic numbers are high (as suggested by your description of your setup - it sounds like a large organisation), you may need to purchase a "Professional Use Data Feed" from Spamhaus, or risk being cut-off anyway.

Hope this helps! Let me know if it was useful.

< Message edited by RSP -- 9.Oct.2009 2:16:51 AM >


_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to Marcela_Admin)
Post #: 2
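To make concrete why RSP says a real-time blacklist check "must DNS query the blacklist", here is an added example (not from the thread or from GFI) of the lookup ME performs: the connecting IP's octets are reversed under the list's zone, an A record is queried, and a 127.x answer means "listed". The stub resolver and the 198.51.100.7 entry are constructed so it runs offline; the 127.0.0.2 test entry and the 127.255.255.x error codes are as published by Spamhaus, assumed here.

```python
import ipaddress
import socket

# Zones named in the thread; RSP recommends the ZEN aggregate over sbl-xbl.
DNSBL_ZONES = ("zen.spamhaus.org", "sbl-xbl.spamhaus.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the list zone."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_answer(answers):
    """Interpret the A records a DNSBL returns for the query name."""
    if not answers:
        return "not-listed"                   # NXDOMAIN: the IP is clean
    if any(a.startswith("127.255.255.") for a in answers):
        return "lookup-error"                 # Spamhaus: refused / over-quota query
    if all(a.startswith("127.") for a in answers):
        return "listed"                       # 127.0.0.x sub-codes say which list hit
    return "unexpected"                       # e.g. a resolver returning real IPs


def check_ip(ip: str, zone: str, resolve=None):
    """Return (query name, verdict). Uses the system resolver unless a stub is given.

    Only this outbound UDP/TCP 53 path to the chosen resolver is needed; nothing
    inbound, which is the point RSP makes about the firewall change.
    """
    name = dnsbl_query_name(ip, zone)
    if resolve is None:
        def resolve(qname):
            try:
                return socket.gethostbyname_ex(qname)[2]   # list of A records
            except socket.gaierror:
                return []                                  # NXDOMAIN => not listed
    return name, classify_answer(resolve(name))


# Constructed stub standing in for the DNS server ME would be pointed at.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],            # Spamhaus test entry
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],         # constructed "listed" host
    "9.100.51.198.zen.spamhaus.org": ["127.255.255.255"],   # constructed over-quota reply
}


def stub_resolve(qname):
    return FAKE_DNS.get(qname, [])
```

Pass `resolve=stub_resolve` to exercise the logic offline; omit it to query the real zone through whatever resolver the host is allowed to reach.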
RE: How to enable access to public blacklists from ME 1... - 18.Oct.2009 9:14:37 AM   
Marcela_Admin

 

Posts: 6
Joined: 8.Oct.2009
Status: offline
RSP ........ fantastic reply. Thank you.

Appreciate it very much indeed. Slow reply as I've been working my butt off this week trying to get things moving in the right direction.

I'll reply properly in the next day or two.

In the meantime: Rules Manager does suck (for us in our environment - we've had several support calls) as we have GFI products on a dedicated box. So we copy the Rules Manager binaries to a mail server. Just being able to start it was tricky but we got there.

Then there is no way to see what rules have been deployed.
There is no reporting
There is no visibility on the client so it's horrible for desktop support teams to troubleshoot missing mail.
We have 5000 users and they aren't listed alphabetically. No idea how they are listed.
No search.
Don't even know if a rule has been applied to a user.
If we want several rules applied according to user role ... not possible to view which user has what.


Marcela.

(in reply to RSP)
Post #: 3
RE: How to enable access to public blacklists from ME 1... - 18.Oct.2009 2:26:40 PM   
RSP

 

Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
quote:

ORIGINAL: Marcela_Admin

RSP ........ fantastic reply. Thank you.

Appreciate it very much indeed. Slow reply as I've been working my butt off this week trying to get things moving in the right direction.

I'll reply properly in the next day or two.

In the meantime: Rules Manager does suck (for us in our environment - we've had several support calls) as we have GFI products on a dedicated box. So we copy the Rules Manager binaries to a mail server. Just being able to start it was tricky but we got there.

Then there is no way to see what rules have been deployed. True, but if you tag all your spam with a common tag - I use [SPAM-SR], [SPAM-HC] etc. - you can create a single rule which moves "[SPAM-" into the junk email folder.
There is no reporting - I can't think what you would want to report on?
There is no visibility on the client so it's horrible for desktop support teams to troubleshoot missing mail. If rules are working on your Exchange server, then you can be sure it's firing. No "horrible" support issues in my opinion.
We have 5000 users and they aren't listed alphabetically. No idea how they are listed. I think it's listed in SID order.
No search. Why would you want to search?
Don't even know if a rule has been applied to a user. If they're in black (I think, no test server to check with), then a rule is applied. If it's blue, then it isn't.
If we want several rules applied according to user role ... not possible to view which user has what. If you use common tags like above, and have a policy to only move into Junk E-mail (or whatever), then you won't need separate rules.


Marcela.


_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to Marcela_Admin)
Post #: 4