
We are looking at using Barracuda’s filtering appliance to do outbound spam filtering, but we’ve come across a few policy / procedure questions that we’re struggling with.  I’d be interested to hear any responses to:

 

What criteria do you use to filter outbound e-mail?

How do you handle NDR reports back to the senders?

Do you block outbound spam, or is there a quarantine box so potential messages can be flagged and later reviewed?

                If so, who does the reviewing, and what is the review process or policy?

Do you have any published policies related to your outbound spam filtering?

 

David Crim

Security Analyst

Information Technology

236 West Reade Avenue

Upland, Indiana 46989-0001

Office: 765-998-5167     Cell: 765-251-3370

Fax: 765-998-4640

 



The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt.

Comments

> What criteria do you use to filter outbound e-mail?


Rate-limiting and antivirus at the edge SMTP server. With few exceptions, all outbound email is forced through this server. SpamAssassin content filtering for outbound webmail only.


> How do you handle NDR reports back to the senders?


For outbound webmail, content exceeding a very high score is silently dropped, with notice only to a mailbox I check rarely. Zimbra would retain the message for two weeks. I've never seen a message dropped in 5 years. The main reason it's scanned is that outbound email content contributes to bayes learning.


For rate-limiting and antivirus, NDRs are not applicable; milters send errors inline. I would not consider a two-pass system like the Barracuda's for my network. Carleton actually had a Barracuda once, but after it stopped forwarding mail (but continued to accept it) and Barracuda tech support bricked the system and lied about it, refusing to help us retrieve 13 hours' inbound email, I was able to void the warranty, extract the postfix queue, and return the hardware. They sent me a T-shirt.


Assuming that a Barracuda device is going to be used: provided that you terminate authenticated SMTP at the Barracuda or otherwise make it so that email is highly unlikely to be forged, I would support sending NDRs to your .edu only, for messages originating from your authenticated senders only. If you are unable to apply all of those constraints, please leave NDRs and "quarantine notifications" off. My users get a lot of "quarantine notifications" from low-end antispam devices (mostly not Barracudas) about obviously forged email. Don't contribute to the problem.


> Do you have any published policies related to your outbound spam filtering?


Terse notes on rate-limiting only.

https://wiki.carleton.edu/display/itskb/Email+Limits
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
One point worth noting: as spammers get more and more aggressive in an effort to keep getting their spam through, and spam filtering companies are under increasing pressure to keep even the most subtle of spams out, false positives ARE on the rise. Normally, user review of content that's been filtered, including content that's been accidentally misfiltered, will serve as a "second set of eyes"/check on this problem, but many users have just given up and have stopped checking their spam folder for potential false positives. That's really bad. If they do that, they may/will miss potentially critical communications. Worse yet, some sites may just silently drop blocked content, notifying neither the sender (while a connection is still in place) nor the recipient that a message isn't going to be accepted and delivered.

This means that it's increasingly important to:

-- stress to users that email is NOT an assured communication medium
-- encourage your users to whitelist their routine collaborators, if that's an option
-- if spam does get delivered to a spam folder at your site, train your users to actually CHECK that folder; mistakes DO get made, and if you don't routinely check your spam folder, you WILL often miss legitimate email
-- if a legitimate message does get filtered, and if your spam filter provides an ability for you to provide feedback about that false positive, take the time to do so.

Regards,

Joe
On 01/05/2012 12:23 PM, Crim, David wrote:

> What criteria do you use to filter outbound e-mail?

Occasional false positives will occur, so we rate limit outbound spam instead of outright reject it.

> How do you handle NDR reports back to the senders?

We send NDR reports back to webmail users, and smtp users will get an error in their client. These users are always authenticated, so it doesn't cause a backscatter problem. Silently dropping submitted messages from authenticated users with no notification is a good way to cause your users to stop trusting your service.

> Do you block outbound spam, or is there a quarantine box so potential
> messages can be flagged and later reviewed?

No. They have to fix their problem and re-send later.

> If so, who does the reviewing, and what is the review process or policy?
>
> Do you have any published policies related to your outbound spam filtering?

https://kb.wisc.edu/page.php?id=3998#authspam

Jesse

> *David Crim*
> Security Analyst
> Information Technology
> 236 West Reade Avenue
> Upland, Indiana 46989-0001
> Office: 765-998-5167 Cell: 765-251-3370
> Fax: 765-998-4640
We use a Barracuda for outbound spam filtering.  One of our student, faculty, or staff webmail accounts will get compromised every so often; we use this to suppress the volume of spam a compromised account can send and to block known viruses.

Criteria:
  • We don't quarantine e-mail, but we set the threshold for blocking very high, 9 out of 10 on Barracuda's scale (default is 5).  We will tag e-mail with a 3.5 score or below, however, so that in case something like that gets through the recipient should at least be on their guard.  We change the tag a bit, however.  These thresholds were based on analyzing what our inbound Barracudas were blocking, tagging, and allowing through.  We wanted to err on the side of delivering the e-mail in most cases.
  • Virus scanning is of course enabled and virus-containing e-mail is blocked.
  • Rate-limiting is enabled but with a very high threshold. 
  • There is no quarantine, review, or notification of blocked e-mails
    • We set the threshold such that it has to be pretty egregious to get blocked
    • We don't have the staff to review e-mails on a timely basis
    • Notification just makes the problem worse when an account is compromised; now you might have tens of thousands of notifications going back to a compromised account.
    • We do periodically review logs of e-mails getting blocked or tagged to make sure we aren't blocking legitimate e-mail
    • We do not use the predefined credit card, SSN, privacy, or HIPAA filters - too many false positives in testing
  • Listservs and certain addresses that may legitimately send e-mails to a large number of recipients are explicitly whitelisted
  • When a phishing attack gets through the inbound firewalls and we detect it or it is reported to us, we block the e-mail addresses associated with the attack
  • We also will block phrases associated with phishing attacks we have seen e.g. "VERIFY YOUR ACCOUNT NOW"
  • Every pattern or address we block has a ticket number in the comment field, the reason is documented in a ticket.  That way we never go back and end up scratching our heads wondering why we blocked something

Since you are also using a Barracuda, I'd be glad to share the details of our configuration with you.

Kevin
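The periodic log review Kevin describes, as an added example (not Barracuda tooling and not any poster's script): a Python pass over constructed log lines in an invented `key=value` format that separates a burst of blocks from one account (the compromised-account pattern) from a single block scored right at the threshold (the one worth checking as a possible false positive). The field names, the 9.0 block threshold and the sample senders are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not Barracuda's own log format): one line per
# outbound message with the authenticated sender, the 0-10 spam score
# and the action the gateway took.
SAMPLE_LOG = """\
2012-01-05T09:01:12 sender=alice@example.edu score=1.2 action=allow rcpts=1
2012-01-05T09:02:40 sender=bob@example.edu score=4.1 action=tag rcpts=2
2012-01-05T09:03:05 sender=mallory@example.edu score=9.4 action=block rcpts=150
2012-01-05T09:03:09 sender=mallory@example.edu score=9.6 action=block rcpts=150
2012-01-05T09:03:14 sender=mallory@example.edu score=9.1 action=block rcpts=150
2012-01-05T09:03:20 sender=mallory@example.edu score=9.8 action=block rcpts=150
2012-01-05T09:10:00 sender=carol@example.edu score=9.0 action=block rcpts=1
2012-01-05T09:12:30 sender=listserv@example.edu score=2.0 action=allow rcpts=800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) score=(?P<score>[\d.]+) "
    r"action=(?P<action>allow|tag|block) rcpts=(?P<rcpts>\d+)$"
)

def parse_log(text):
    """Parse the constructed log into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["score"] = float(d["score"])
            d["rcpts"] = int(d["rcpts"])
            events.append(d)
    return events

def review_blocks(events, burst=3, margin=0.5, block_threshold=9.0):
    """Sort blocked senders into two review queues.

    'compromised': senders with `burst` or more blocked messages, the
    signature of a hijacked account sending in volume.
    'false_positive': senders blocked exactly once whose score sits within
    `margin` of the block threshold, i.e. the ones a human should look at.
    """
    blocked = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            blocked[e["sender"]].append(e["score"])
    compromised = sorted(s for s, sc in blocked.items() if len(sc) >= burst)
    false_positive = sorted(
        s for s, sc in blocked.items()
        if len(sc) == 1 and sc[0] - block_threshold < margin
    )
    return {"compromised": compromised, "false_positive": false_positive}
```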







A few additional notes from our configuration

Enter the full DNS name of the firewall as a "blocked sender domain/subdomain" or it could inadvertently relay mail with that forged header. 
