PureMessage for UNIX: dealing with an increase in spam

  • Article ID: 36617
  • Updated: 13 Dec 2008

Problem:

Your organization is experiencing increased spam volume.

What to do:

To ensure that you have the highest possible catch rate, it is recommended that you follow these best practices:

1. Forward spam to "is-spam@labs.sophos.com" for SophosLabs analysts to test. The best results are attained when you submit samples as described in the article "How to submit spam and false-positive spam samples to SophosLabs".

2. Ensure that you are using the most recent version of PureMessage for UNIX, and the latest anti-spam engine. To check your current versions, go to the Support tab of the PureMessage Manager, and, from the sidebar menu, select View Installed Packages.

3. Ensure that you have the latest anti-spam and IP Blocker Data. These should be updating several times an hour.

4. Ensure that all PureMessage servers in a multi-server deployment are using the same version of the product, and the same anti-spam data.

5. Make sure that you have not overridden any of the default anti-spam rules. These values are set by SophosLabs to maximize your spam protection and reduce the risk of false positives. Overridden rules can be checked from the Anti-Spam Rules page on the Policy tab of the PureMessage Manager.

6. On the Anti-Spam Options page of the Policy tab, ensure that the Disable non-relay checks option is set to YES. This causes the milter to check only the last untrusted relay instead of every relay in the header, resulting in higher spam scores for messages that match. To make these checks effective, you must populate your trusted relays list. It should contain the IP addresses of any trusted relays in front of your PureMessage server(s).

7. Make sure that your DNS is performing well. Check the message_log, located under /<PMX install dir>/var/log/, for occurrences of "_TIMEOUT". Each one indicates a timeout on a DNSBL look-up, usually a sign of slow DNS look-ups, and will result in lower spam scores. A local caching DNS server and a properly configured resolv.conf are also recommended.
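The following shell script is an added example, not part of the Sophos article or the PureMessage product: it triages a message_log for the "_TIMEOUT" marker described in step 7, counts the hits, breaks them down by the token they belong to (so one slow list can be told apart from a generally slow resolver), and gives a simple ratio verdict. Only the "_TIMEOUT" substring comes from the article; the log line layout, the LIST1/LIST2 names, and the 10% threshold are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Sophos article: triage a PureMessage message_log
# for the "_TIMEOUT" marker that the article says flags a DNSBL look-up timeout.
# Everything except the "_TIMEOUT" substring is an assumption: the log line
# layout, the LIST1/LIST2 names and the 10% threshold are constructed here.

# Count the log lines that carry a _TIMEOUT marker (prints 0 when none).
count_timeouts() {
    grep -c '_TIMEOUT' "$1" || true
}

# Break the timeouts down by the token they belong to, most frequent first,
# so a single slow list stands out from a generally slow resolver.
timeout_breakdown() {
    grep -o '[A-Za-z0-9_]*_TIMEOUT' "$1" | sort | uniq -c | sort -rn
}

# Ratio check: print "slow" when more than THRESHOLD percent of the log lines
# carry a timeout, otherwise "ok". THRESHOLD defaults to 10 (an assumption).
dns_verdict() {
    file=$1
    threshold=${2:-10}
    total=$(wc -l < "$file" | tr -d ' ')
    hits=$(count_timeouts "$file")
    if [ "$total" -eq 0 ]; then
        echo ok
        return
    fi
    # Integer arithmetic: hits/total > threshold/100
    if [ $((hits * 100)) -gt $((threshold * total)) ]; then
        echo slow
    else
        echo ok
    fi
}

# Constructed sample log for a stand-alone run (not real PureMessage output).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2008-12-13T10:00:01 pmx-milter: scored 1.2 id=m001
2008-12-13T10:00:02 pmx-milter: LIST1_TIMEOUT id=m002 scored 0.4
2008-12-13T10:00:03 pmx-milter: scored 8.7 id=m003
2008-12-13T10:00:04 pmx-milter: LIST1_TIMEOUT id=m004 scored 0.9
2008-12-13T10:00:05 pmx-milter: LIST2_TIMEOUT id=m005 scored 0.2
2008-12-13T10:00:06 pmx-milter: scored 0.1 id=m006
EOF
    echo "$f"
}

# Stand-alone run: 3 of 6 constructed lines time out, above the 10% threshold.
log=$(make_sample_log)
echo "timeouts: $(count_timeouts "$log")"
timeout_breakdown "$log"
echo "verdict: $(dns_verdict "$log")"
rm -f "$log"
```

To use it against a real installation, call `dns_verdict` on the message_log path from step 7 instead of the constructed sample; a "slow" verdict is a cue to check resolv.conf and consider a local caching resolver, as the step recommends.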

8. Run the IP Blocker service at the MTA level. If your server is not on the edge, or if you are not using an MTA bundled with PureMessage, then IP blocking can be implemented as a policy rule.

9. On the Support tab, enable the option to Share data with Sophos. When this option is enabled, statistical reports are sent to Sophos every five minutes. These reports contain information about the status of your system, the PureMessage version, and key mail traffic statistics. These reports, which are based upon log file data, do not contain actual message content, or content that identifies specific mail users. The data allows SophosLabs to react promptly to spam campaigns.

Further information on upgrading and managing PureMessage is available in the product documentation and the Sophos Knowledgebase.

If you need more information or guidance, then please contact technical support.
