Barracuda Networks Spam Firewall

Doing evaluations on anti-spam, anti-virus solutions, and ran across
this:

http://www.barracudanetworks.com/

Looks like a good box -- even won an Editor's Choice award from Network
Computing recently.

Does anyone on list have any experience with these boxes? If so, how are
they with false positives, quarantine capabilities, etc?

Thanks,
Tom Claydon
Dobson Telephone

Tom,

I have a Barracuda Spam Firewall 400. We handle about 9k users and the thing is AMAZING!

My old setup was 4 dual-PIII 550MHz, 1 Gig RAM running Qmail/Qmail-ldap/SpamAssassin/F-Secure AV. My inbox would get 300+ spams/day, many of them not tagged at all.
This setup would melt on a regular basis when spam floods would come in.

My current setup is a Barracuda 400 and 1 inbound mail server (dual P-III 550MHz...). My inbox now gets 5 untagged spams/day and about 10 quarantined.
This setup has been able to handle everything thrown at it so far with no noticeable performance hit.

My customers love it, I love it, best thing I have purchased in the last 12 months. Very low false positives and high hit rate. The quarantine box is very easy to handle for users, they will get an e-mail once per day with a list of messages and links to whitelist, deliver or delete. When they click on a link they will connect/log into the Barracuda. They can manage their own Bayesian filters from the quarantine interface.

It really has had a dramatic effect on my spam, I'm wondering what I'll be doing with all my spare time now that I don't have to manage my mail server.

I was watching the message log one day and noticed a spam flood in action.

10 messages came in and went to customers tagged about 0.5 or so
10 messages came in and went to customers tagged as ::SPAM:: with a score of 3.7 or so
10 messages came in and went to quarantine with a score of 5.5 or so
a bazillion messages were blocked with a score > 20

It learned very fast.

My Barracuda is currently blocking 500k+ messages/day

current stats (installed 13 days)

Blocked (SPAM) : 7453215
Blocked (Virus) : 24600
Quarantined : 82170
Tagged : 31552
Allowed : 580876

Average Queue latency : 4 seconds
Unique Recipients : 8245

I just signed up as a reseller and I'm building a managed mail solution around it.

If you are an ISP I recommend you get a 400 series or higher. You can customize the web interface a bit and it handles multiple domains better (per-domain spam settings).

-Matt

We have done an eval of this same product (model 400). It is very cool in virtually every regard except one: performance. We were facing 1+ hour mail delays (!) through the device when pumping less than 1,000,000 messages per day through it. Given that they claim it can handle ten times that much, I am left wondering what happened. Very disappointing in that regard; the eval unit is being shipped back as a result. -- Jared

Monday, May 17, 2004, 12:32:29 PM, you wrote:

> My old setup was 4 dual-PIII 550MHz, 1 Gig RAM running
> Qmail/Qmail-ldap/SpamAssassin/F-Secure AV. My inbox would get 300+
> spams/day, many of them not tagged at all.
> This setup would melt on a regular basis when spam floods would come in.

Not to thread jack or anything, but when I first moved our cluster to
Spam Assassin, I was disappointed at the amount of messages that would
get past Spam Assassin at even a low threshold of 2.

I Googled around and found a bunch of rulesets that once installed,
started tagging those hard to get messages.

http://www.rulesemporium.com/ is a good place to start if anybody else
is running Spam Assassin straight out of the box.

Regards,

Joe Boyce

Also, use the various RBLs in the scoring, e.g. add 50% of the threshold score if it's on SpamCop and 25% for some of the other more aggressive RBLs. We have a very high and correct hit rate as a result. Our users can then add whitelists for the handful of their contacts that get tagged as spam since they are using spam-friendly ISPs.

---Mike
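The weighting Mike describes, a listing adding a fixed fraction of the tagging threshold rather than a flat point value, looks like this in code. This is an added example and not anything posted in the thread or shipped by SpamAssassin or Barracuda: the zone names bl.spamcop.net and sbl.spamhaus.org are real DNSBL zones, aggressive.bl.example is a hypothetical one, the weights are assumptions taken from the post, and DNS is replaced by an injected resolver with constructed answers so the code runs offline.

```python
"""Weighted DNSBL scoring: each listing adds weight * threshold.

Added example, not from the thread.  The weights and the zone
aggressive.bl.example are assumptions; DNS is an injected callable so the
code runs offline against constructed zone data.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Real DNSBLs answer listings from 127.0.0.0/8.  Anything else is not a hit.
DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# Assumed weights, following the post: 50% of the threshold for SpamCop,
# 25% for the more aggressive lists.  aggressive.bl.example is hypothetical.
RBL_WEIGHTS: Dict[str, float] = {
    "bl.spamcop.net": 0.50,
    "sbl.spamhaus.org": 0.25,
    "aggressive.bl.example": 0.25,
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name by reversing the IPv4 octets under the zone:
    192.0.2.10 -> 10.2.0.192.<zone>.  Non-IPv4 input raises ValueError."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def score_rbl_hits(ip: str, threshold: float, weights: Dict[str, float],
                   resolve: Callable[[str], Optional[str]]) -> Tuple[float, List[str]]:
    """Return (added_score, listed_zones).

    resolve(name) returns the A record as a string, or None when the name
    does not exist (NXDOMAIN means "not listed")."""
    added = 0.0
    hits: List[str] = []
    for zone, weight in weights.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        # A wildcarded or hijacked zone that answers with a public address
        # must not count, or every message would be tagged.
        if ipaddress.IPv4Address(answer) in DNSBL_ANSWER_RANGE:
            hits.append(zone)
            added += weight * threshold
    return added, hits


def classify(ip: str, base_score: float, threshold: float,
             weights: Dict[str, float],
             resolve: Callable[[str], Optional[str]]) -> Tuple[str, float, List[str]]:
    """Combine the content-rule score with the RBL contribution."""
    added, hits = score_rbl_hits(ip, threshold, weights, resolve)
    total = base_score + added
    return ("spam" if total >= threshold else "ham"), total, hits


# Constructed zone data standing in for live DNS (all addresses from the
# documentation ranges, all answers made up for this example).
CONSTRUCTED_ZONES: Dict[str, str] = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.aggressive.bl.example": "127.0.0.4",
    "7.100.51.198.sbl.spamhaus.org": "127.0.0.2",
    # constructed broken zone: answers with a public address, must be ignored
    "5.113.0.203.aggressive.bl.example": "203.0.113.99",
}


def constructed_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_ZONES.get(name)


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(sender, classify(sender, 2.0, 5.0, RBL_WEIGHTS, constructed_resolve))
```

With a threshold of 5.0 and a content score of 2.0, a sender listed on SpamCop plus one aggressive list picks up 3.75 points and crosses the line; a sender on a single 25% list does not. The answer-range check is the part worth keeping: a DNSBL zone that starts answering every query from outside 127.0.0.0/8 (lapsed domain, wildcard) would otherwise tag all mail.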

Hi!

> Not to thread jack or anything, but when I first moved our cluster to
> Spam Assassin, I was disappointed at the amount of messages that would
> get past Spam Assassin at even a low threshold of 2.
>
> I Googled around and found a bunch of rulesets that once installed,
> started tagging those hard to get messages.
>
> http://www.rulesemporium.com/ is a good place to start if anybody else
> is running Spam Assassin straight out of the box.

And if I may plug SURBL: if you want to do that, it might help with performance
also. For example, if you run BigEvil you might gain a lot of performance
by doing that via SURBL.

Bye,
Raymond.

Matthew

SpamAssassin needs quite a bit of tweaking above the out-of-the-box setup. I run about 7000 messages a day here, 70% spam, 0.5% virus (ClamAV and Sophos), very very rarely a FP. I get above 99% hit rate after adding in Bayes, several additional rules from www.rulesemporium.org and the URI checks. Runs on a 600MHz Celeron with load avg < 0.5

All
Sorry, that should be http://www.rulesemporium.com/

Also worthwhile adding in the surbl.org plugin for SA, which adds a lot less CPU time than the BigEvil etc. rules.

I agree that everything the Barracuda does can be done by hand. I had a choice of either spending $4k for a 'set it and forget it' type spam solution or continue to spend days per month of my time tweaking my old setup. I chose to go with the commercial route which will easily save me $$ and more importantly frustration over the course of this year. I can spend my time building my business now instead of tweaking my mail server.

Barracuda is built on open source. It boots LILO, then goes into 'secret' mode. I don't think they added any black magic to the box. They just assembled the open source parts and shrink-wrapped it into a very easy to manage solution.

-Matt

Matt

I prob spend at most a couple of hours per week tweaking the thing now..

depends on whether you can squeeze the 4k out of the bean counters up front... :)

We are seeing many customers here probing port 5000 across the network. It
appears to be some new worm or something but I've had no luck yet in
figuring out what it is, except to say Norton AV detects nothing yet.

Anyone have a clue?

http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cabc9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query

the jump in traffic is obvious.

Geo.

It is a worm:

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=20301309

Erik

Now that we know it's Bobax scanning (http://isc.sans.org/diary.php), do we
know if the source IPs are legit or spoofed?

Since it is completing a TCP handshake, the IP addresses are
very likely to be the source of the scan. ISN generation on
every modern OS is sufficiently random to prevent opportunistic
TCP spoofing from something like a worm.

While there are probably some exceptions to this statement,
there are too few to be significant.
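The reasoning above can be turned into a check a defender can run over connection records: a source whose final ACK carries our ISN + 1 actually received the SYN-ACK, so its address was not forged by an off-path sender, who would have to guess a 32-bit value. The following is an added example written for this page, not code from the thread, the ISC or any vendor; the Packet records are constructed, with addresses from the documentation ranges, and the server address and ports are assumptions.

```python
"""Handshake completion as a check on scanner source addresses.

Added example, not from the thread.  A completed three-way handshake
requires the client's ACK to echo the server's ISN + 1; a sender that forged
its source never sees the SYN-ACK and would have to guess that value.
All packet records below are constructed.
"""
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int
    ack: int


def classify_sources(packets: List[Packet], server_ip: str) -> Dict[str, str]:
    """Map every address that sent a SYN to server_ip to one of:

    'completed'  its ACK echoed our ISN + 1, so the address really received
                 the SYN-ACK (not a blind spoof);
    'bad-ack'    an ACK arrived with the wrong number, consistent with a
                 guessed ISN or a forged source;
    'half-open'  SYN seen, handshake never finished (nothing to conclude).
    """
    # ISN we sent in each SYN-ACK, keyed by (client_ip, client_port, server_port)
    sent_isn: Dict[Tuple[str, int, int], int] = {}
    state: Dict[str, str] = {}
    for p in packets:
        if p.dst == server_ip and p.flags == "S":
            state.setdefault(p.src, "half-open")
        elif p.src == server_ip and p.flags == "SA":
            sent_isn[(p.dst, p.dport, p.sport)] = p.seq
        elif p.dst == server_ip and p.flags == "A":
            key = (p.src, p.sport, p.dport)
            if key not in sent_isn:
                continue          # ACK for a flow we never answered; ignore
            expected = (sent_isn[key] + 1) % 2**32   # sequence space wraps
            if p.ack == expected:
                state[p.src] = "completed"
            elif state.get(p.src) != "completed":
                state[p.src] = "bad-ack"
    return state


# Constructed capture: one real client, one forged source, one bare SYN scan.
SERVER = "198.51.100.5"   # assumed server address (TEST-NET-2)
CONSTRUCTED_PACKETS = [
    # real host: full handshake on port 5000
    Packet("192.0.2.10", 40000, SERVER, 5000, "S", 1000, 0),
    Packet(SERVER, 5000, "192.0.2.10", 40000, "SA", 777000, 1001),
    Packet("192.0.2.10", 40000, SERVER, 5000, "A", 1001, 777001),
    # forged source: the SYN-ACK goes to 203.0.113.9, which the real sender
    # never sees, so its follow-up ACK carries a guessed number
    Packet("203.0.113.9", 51000, SERVER, 5000, "S", 5000, 0),
    Packet(SERVER, 5000, "203.0.113.9", 51000, "SA", 912345678, 5001),
    Packet("203.0.113.9", 51000, SERVER, 5000, "A", 5001, 12345),
    # plain SYN scan, never completed
    Packet("203.0.113.22", 52000, SERVER, 5000, "S", 9000, 0),
    Packet(SERVER, 5000, "203.0.113.22", 52000, "SA", 424242, 9001),
]


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(CONSTRUCTED_PACKETS, SERVER).items()):
        print(f"{src:15} {verdict}")
```

Only the 'completed' verdict says anything definite about the address; 'half-open' covers both a SYN scan and ordinary packet loss, which is why the post's argument applies to hosts that finish the handshake and not to raw SYN counts from a port-5000 graph.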

There's one rule that will wipe out ~90% of spam, but nobody seems to have
written it yet.

  if URL IP addr is in China then score=100

support for a generic lookup list of cidr blocks would get another 9%
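The rule sketched here, and the later clarification that it keys on the URL's hostname resolved to an address rather than on the connecting MTA, is a short pipeline: extract URLs, resolve each hostname, match the addresses against a scored list of CIDR blocks. Below is an added example of that pipeline written for this page; it is not a SpamAssassin rule or anything the thread's authors posted. The CIDR blocks and scores are constructed stand-ins for a country allocation list, the hostnames are reserved example names, and DNS is an injected callable so the code runs offline.

```python
"""URL -> hostname -> IP -> CIDR-list scoring.

Added example, not from the thread.  The block list below is constructed
(documentation ranges, made-up scores) and stands in for a real country
or region allocation list; DNS is an injected callable.
"""
import ipaddress
import re
from typing import Callable, Iterable, List, Tuple, Union
from urllib.parse import urlparse

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[Network, float]
Match = Tuple[str, str, str, float]   # (host, ip, cidr, score)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_hostnames(body: str) -> List[str]:
    """Return the distinct, lower-cased host part of every http(s) URL."""
    hosts = set()
    for match in URL_RE.finditer(body):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def load_cidr_rules(lines: Iterable[str]) -> List[Rule]:
    """Parse 'network score' lines (constructed format); '#' starts a comment.
    A malformed line raises rather than silently dropping a block."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, score = line.split()
        rules.append((ipaddress.ip_network(cidr, strict=False), float(score)))
    return rules


def host_addresses(host: str, resolve: Callable[[str], List[str]]) -> List[Address]:
    """An IP literal in the URL needs no lookup; otherwise ask the resolver."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolve(host)]


def score_message(body: str, rules: List[Rule],
                  resolve: Callable[[str], List[str]]) -> Tuple[float, List[Match]]:
    """Return (total_score, matches).  Each host contributes the highest
    score of any block that contains one of its addresses; hosts that do not
    resolve or match nothing add zero."""
    total = 0.0
    matches: List[Match] = []
    for host in extract_hostnames(body):
        best = None
        for addr in host_addresses(host, resolve):
            for net, score in rules:
                # 'in' is False across address families, so mixed lists are safe
                if addr in net and (best is None or score > best[3]):
                    best = (host, str(addr), str(net), score)
        if best is not None:
            total += best[3]
            matches.append(best)
    return total, matches


# Constructed list: these TEST-NET blocks stand in for the regions discussed.
CONSTRUCTED_RULES = load_cidr_rules([
    "# constructed stand-in for a country/region block list",
    "203.0.113.0/24 100   # assumed: the block the post would score 100",
    "198.51.100.0/24 42   # assumed: Pete's score=42 example",
])

# Constructed DNS answers; unknown hosts resolve to nothing.
CONSTRUCTED_DNS = {
    "buy-now.example": ["203.0.113.77"],
    "www.example.org": ["192.0.2.1"],
}


def constructed_resolve(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


SAMPLE_BODY = """Great deals! Visit http://buy-now.example/offer?id=1 today.
Also see https://www.example.org/about and http://198.51.100.9/track.gif
"""

if __name__ == "__main__":
    total, hits = score_message(SAMPLE_BODY, CONSTRUCTED_RULES, constructed_resolve)
    print(total, hits)
```

Two points the sketch glosses over are handled here: a URL whose host is already an IP literal is matched directly, and a block list mixing IPv4 and IPv6 entries works because membership tests across families are simply false. What the list actually contains decides whether the rule is a 90% hit or a 90% false-positive generator; the code only makes the lookup cheap.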

Eric A. Hall wrote:

There's one rule that will wipe out ~90% of spam, but nobody seems to have
written it yet.

if URL IP addr is in China then score=100

Where does this leave the 70% which would only match the rule;
if URL IP addr is in FL,USA then score=42
?

Pete

I beg to differ, Eric A. Hall.

According to statistics gathered by the Spamhaus Project
(http://www.spamhaus.com), who most certainly have garnered my respect
through their very satisfying services (SBL, XBL, ROKSO), it is the
Yankees who are responsible for the majority of the internet's
spam. Let's have a look:

Top 10 Spam Countries April 2004:

> There's one rule that will wipe out ~90% of spam, but nobody seems to have
> written it yet.
>
> if URL IP addr is in China then score=100

         ^^^^^^^^^^^^^^^^^^^^^^^

I beg to differ, Eric A. Hall.

<snip>

According to Spamhaus, 200 known Spam Operations are responsible for 90%
of your spam. Of the list currently available on their site, 142 of the
known spammers are from a little country called THE UNITED STATES.

That may be, and is probably quite true - but as Eric said, a majority
of the /sites/ advertised in spam use China-based ISPs.

No, Eric is quite correct. Read what he wrote again. Carefully.

-Dan

^^^

not connection address, not domain 'owner', but URL->Hostname->IP_ADDR

What's most interesting about the half-dozen accusations of xenophobia
I've received (off-list and on) is that they've almost all come from
foreigners. I promise not to read anything into that. Really.