GFI MailEssentials 12

July 21, 2008 · 175 comments


The product also allows you to set a custom non-delivery report (NDR), which we use to guard against false positives. Nothing is worse than having your CEO complain about a missing E-mail that was blocked and is sitting in a Junk E-mail folder or quarantine mailbox. Our custom NDR looks like this:

<?xml version="1.0"?>
<!--
	Tags:
		smtp_sender: sender of the original email
		machine_name: returns names in the format: foo.bar.com 
		machine_name_dns: returns names in the format: bar.com
		machine_name_host: returns names in the format: foo
-->
<email>
	<header>
		<header name="to" value="[smtp_recipient]" />
		<header name="from" value="&#x22;Postmaster&#x22; &#x3C;postmaster@nelemod.com&#x3E;" />
		<header name="sender" value="&#x22;Postmaster&#x22; &#x3C;postmaster@nelemod.com&#x3E;" />
		<header name="subject" value="Undeliverable: [subject]" />
	</header>
 
	<body>
 
Attention: [smtp_recipient]
 
In an effort to eliminate junk E-mail, Your message:
 
      To: [smtp_sender]
      Subject: [subject]
      Sent:	[date]
was blocked from reaching the following recipient(s)[cr]on [date][cr][cr]
	</body>
 
	<per-recipient>
      [smtp_recipient]
      [cr][cr]      If you believe that this should not have been blocked or if you
      require additional information about this message, please contact
      postmaster@esilicon.com.  Please be aware that a lot of junk mail
      is sent using someone else's address, so if you don't know why you
      received this, it's possible that someone tried to junk mail a user
      on our servers using your address.[cr]
      &#x3C;mail.nelemod.com #5.1.1&#x3E;[cr][cr][cr]
	</per-recipient>
</email>
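The template above is a tagged XML document: the bracketed tags are substituted at send time, [cr] is a line break, and the per-recipient block is repeated for each blocked address. The following is an added example (written for this page, not GFI's code and not the author's) that renders a cut-down, constructed copy of such a template with the hostnames changed. How GFI binds [smtp_recipient] outside the per-recipient block is not documented here, so the example assumes the NDR is addressed to the original sender and rebinds [smtp_recipient] to each blocked address inside the per-recipient block.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample template (a cut-down copy of the one above, hostnames changed).
TEMPLATE = """<email>
  <header>
    <header name="to" value="[smtp_recipient]" />
    <header name="from" value="&#x22;Postmaster&#x22; &#x3C;postmaster@[machine_name_dns]&#x3E;" />
    <header name="subject" value="Undeliverable: [subject]" />
  </header>
  <body>Attention: [smtp_recipient][cr]Your message (Subject: [subject], Sent: [date]) was blocked from reaching:[cr]</body>
  <per-recipient>[smtp_recipient][cr]&#x3C;[machine_name] #5.1.1&#x3E;[cr]</per-recipient>
</email>
"""

TAG_RE = re.compile(r"\[([a-z_]+)\]")


def machine_name_tags(fqdn):
    """Derive the three machine_name* tags the template comment documents:
    machine_name=foo.bar.com, machine_name_dns=bar.com, machine_name_host=foo."""
    host, _, dns = fqdn.partition(".")
    return {"machine_name": fqdn, "machine_name_dns": dns, "machine_name_host": host}


def expand(text, values):
    """Replace each [tag] with its value. [cr] becomes a newline; tags with no
    value are left untouched so a typo in the template is visible, not silent."""
    values = {**values, "cr": "\n"}
    return TAG_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)


def render_ndr(template_xml, values, blocked):
    """values: base tag values (smtp_sender, subject, date, machine_name*).
    Assumption: the NDR goes back to the original sender, so [smtp_recipient]
    outside <per-recipient> is that sender; inside it, each blocked address."""
    root = ET.fromstring(template_xml)
    base = {**values, "smtp_recipient": values["smtp_sender"]}
    # The outer <header> element is a container for the individual header lines.
    headers = {h.get("name"): expand(h.get("value"), base)
               for h in root.find("header").findall("header")}
    body = expand(root.findtext("body"), base)
    per_recipient = "".join(
        expand(root.findtext("per-recipient"), {**base, "smtp_recipient": rcpt})
        for rcpt in blocked)
    return headers, body + per_recipient


if __name__ == "__main__":
    values = dict(smtp_sender="alice@example.org", subject="Hello",
                  date="Mon, 21 Jul 2008", **machine_name_tags("mail.example.com"))
    headers, text = render_ndr(TEMPLATE, values, ["bob@example.com", "carol@example.com"])
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(text)
```

Because the NDR is addressed to whatever envelope sender the junk mail carried, every module that sends NDRs generates backscatter to forged addresses; that is why the text of the template warns the reader that their address may have been forged, and why the author sends no NDRs from the directory-harvesting and custom-blacklist modules below.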

Here is our module order list and a little bit about each one of them.

  • Directory Harvesting – This is first because it catches about 90% of the junk hitting the front door of our mail systems. Since we are on the gateway and have multiple domains within our AD forest, we cannot use the native Active Directory lookups. However, we can use the LDAP lookups and point it at our Global Catalog using port 3268 or 626 for SSL. Again, because of our environment, we set the Base DN to be a single blank character (0x20). This is required since we want the GC to search the entire catalog for users in any OU and in any domain. Leaving the Base DN empty will not work. No NDRs are sent out.
  • IP Whitelist – We were forced to use IP whitelists because of a serious bug in the product that GFI has simply refused to fix. The product incorrectly parses some Sender Policy Framework (SPF) records, and we were blocking a number of customers and clients from sending us E-mail. The only solution was to whitelist their IP blocks and prioritize this module ahead of the SPF module.
  • Sender Policy Framework – As noted above, this has bugs in parsing some records, but for simple configurations it does the job.
  • Email/Domain Whitelist (incl. Auto Whitelist) – These are a necessary evil. When you have to get business critical messages to the users, you don’t have time to sit around and customize the system and experiment. Try keeping it to a minimum if possible. It takes time to process this. We have a policy of not using the Auto Whitelist just in case a virus or malware gets inside our environment and sends out SPAM.
  • Keyword Whitelist – We don’t use this and I see little use for it.
  • Custom Blacklist – We protect certain distribution lists, like everyone@ourcompany.com and mailboxes that are for internal processing purposes only. No NDRs are sent out.
  • DNS Blacklists – This has evolved over time and we have found problems with some of the supplied lists. We use “zen.spamhaus.org”, “bl.spamcop.net” and “sbl-xbl.spamhaus.org”.
  • Phishing URL Blacklist – We turn this on and use the default settings. NDRs are sent out.
  • Spam URI Realtime Blocklists – Here, we only use multi.surbl.org since it encompasses a lot of the others. NDRs are sent out.
  • Header Checking – Customize this one. We have found that the “Marks emails with different SMTP TO: and MIME TO: fields in the email addresses as SPAM” option is impossible to use. This will stop all kinds of legitimate mail. We also set the maximum number of digits in a MIME address to 10, since we send/receive a lot of messages from cell phones. NDRs are sent because this check can catch a lot of false positives at times.
  • Keyword Checking – Turn this off in the general page, but leave it on for Subjects. It is just too difficult to set this in a way that won’t get false positives. Just checking for a word or phrase is too generic and too much trouble. We have had to tweak the subject filters at times, but it works well. NDRs are sent as a way to handle false positives.
  • Bayesian Analysis – Here is where we ran into a really complicated problem. This module is configured to “learn” from outgoing mail as HAM (legitimate mail), which enhances and modifies the pre-existing database over time. In that way, a customer in the real estate industry will train their installation that the word “mortgage” is not SPAM, but it will be SPAM to a computer hardware manufacturer. While the algorithm is not based on the number of E-mail messages per se, the product tells the administrator how many messages make up the current database.
We had been seeing a rise in the number of false-positive messages generated by this module, so we decided to reset the Bayesian database and start new. According to GFI, and our own experience, this should take about 2 weeks of learning from the outgoing mail, during which time the module should be disabled. However, within 1-2 hours of the installation, we saw a dramatic reduction in the size of the Bayesian database and in the reported number of messages in the HAM and SPAM categories. This continued in a very fast progression throughout the two-week learning process. Even if we turned off learning, this was occurring. When we finally enabled the module, it was less than 35% of its original size and message count. Our fears were realized as we soon discovered that HAM was being blocked by MailEssentials at an unacceptable level — far more than we ever saw with all previous versions of the product. We quickly contacted GFI; at first they wanted Troubleshooters, and we simply asked them to duplicate our results in their lab (see item #1 in the Technical Support section). We provided the data, even though it was useless, and we went around with them for weeks about this. My bosses were getting pissed about the missing messages, and we had to run our entire staff 7×24 watching for blocked legitimate mail and forwarding it to the users.
After two weeks of that nonsense, we had no choice but to disable this module, which had the effect of letting hundreds of SPAM messages get through to our users. As you can guess, they are very unhappy about receiving all that garbage. Through all of this, we worked with GFI trying to get them to escalate the problem and help us resolve the database issues and find out what was going on. After two months, they finally told us that this was probably normal and that we should have it “learn” for a while longer. Even though we were totally frustrated at this point, we decided that our past experience was so good that we would give it a shot. After 4 months of “learning”, we rearmed the module. We logged all occurrences and checked the log about 30 minutes later. We found that the false-positive rate was an alarming 50%, and it was obvious that this module was useless. GFI was never willing to work with us to verify databases or information, or to escalate to management, even though we requested it on several occasions.
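The list above is really a description of an ordered pipeline: each module either stops processing (a whitelist accepts, a blacklist blocks) or hands the message to the next one, and the order decides which rule wins. The following added example (written for this page; not GFI's code, and the configuration values, hostnames and addresses are constructed) models the first part of that pipeline in the order the author uses, so that the IP whitelist runs before SPF and a customer with an unparseable SPF record is accepted rather than blocked. The SPF evaluator is deliberately minimal: it handles only ip4 and all, and returns "none" for any mechanism it does not implement, which is the behaviour the page's SPF-parsing complaint argues for. DNS blacklist and directory lookups are stand-in dictionaries; whether the DNS blacklist module sends NDRs is not stated on the page and is assumed here to be no.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# action is one of: block (stop, reject), accept (stop, whitelisted), deliver (fell through)
Verdict = namedtuple("Verdict", "action reason ndr")


@dataclass
class Message:
    client_ip: str        # address of the connecting MTA
    mail_from: str        # SMTP envelope sender
    rcpt_to: list         # SMTP envelope recipients
    mime_from: str = ""   # MIME From: header address


# Constructed configuration standing in for the module settings discussed above.
LOCAL_DOMAINS = {"example.com"}
GLOBAL_CATALOG = {"alice@example.com", "bob@example.com", "everyone@example.com"}
IP_WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]   # customer whose SPF record the parser mishandles
SPF_RECORDS = {"example.net": "v=spf1 ip4:198.51.100.0/24 -all"}  # stands in for DNS TXT answers
PROTECTED_LISTS = {"everyone@example.com"}                 # internal-only distribution lists
DNSBL_HITS = {"192.0.2.7"}                                  # stands in for DNSBL lookup results
MAX_DIGITS_IN_MIME_FROM = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Minimal SPF evaluation: ip4 and all only. Any mechanism it does not
    implement yields 'none', so a parser gap can never turn into a block."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
            continue
        return "none"   # a, mx, include, exists, ptr: not implemented here
    return "neutral"


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


# Each module returns a Verdict to stop the pipeline, or None to pass the
# message to the next module. The order mirrors the author's module list.
def directory_harvesting(msg):
    if any(r.lower() not in GLOBAL_CATALOG for r in msg.rcpt_to):
        return Verdict("block", "directory harvesting: unknown recipient", False)


def ip_whitelist(msg):
    ip = ipaddress.ip_address(msg.client_ip)
    if any(ip in net for net in IP_WHITELIST):
        return Verdict("accept", "ip whitelist", False)


def spf(msg):
    record = SPF_RECORDS.get(domain_of(msg.mail_from))
    if record and evaluate_spf(record, msg.client_ip) == "fail":
        return Verdict("block", "spf fail", True)


def custom_blacklist(msg):
    external = domain_of(msg.mail_from) not in LOCAL_DOMAINS
    if external and any(r.lower() in PROTECTED_LISTS for r in msg.rcpt_to):
        return Verdict("block", "custom blacklist: protected list", False)


def dnsbl(msg):
    if msg.client_ip in DNSBL_HITS:
        return Verdict("block", "dns blacklist", False)   # NDR policy assumed


def header_check(msg):
    local_part = msg.mime_from.rpartition("@")[0]
    if sum(c.isdigit() for c in local_part) > MAX_DIGITS_IN_MIME_FROM:
        return Verdict("block", "header check: too many digits in MIME From", True)


PIPELINE = [directory_harvesting, ip_whitelist, spf, custom_blacklist, dnsbl, header_check]


def filter_message(msg):
    """Run the modules in order; the first one with an opinion decides."""
    for module in PIPELINE:
        verdict = module(msg)
        if verdict is not None:
            return verdict
    return Verdict("deliver", "", False)


if __name__ == "__main__":
    # Whitelisted customer block: accepted before SPF gets a chance to misfire.
    print(filter_message(Message("203.0.113.5", "x@example.net", ["alice@example.com"])))
    # Same sender domain from an unlisted address: SPF -all applies.
    print(filter_message(Message("192.0.2.7", "x@example.net", ["alice@example.com"])))
```

Moving a whitelist ahead of a reputation check is a trade: it fixes the false positives for those senders, but it also exempts every host in the whitelisted block from SPF, so the list should stay short and be reviewed, exactly as the author advises for the E-mail/domain whitelists.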

Article by Steve Van Domelen
