Major increases in spam in recent months
  •  
jhtinc

Messages: 87
Karma: 8
In the last month or so, spam loads are way up on my own server and at pretty much all the sites I support. I've added Barracuda blacklists to many of the servers in the hopes of stemming the tide, but it looks like there is spam flowing above and beyond the ability of blacklists to keep up.

The major thing it seems to my view is that the spam tech in Kerio isn't keeping up as fast as I see some of the other systems keeping up. I'd like this to be a focus area as best as possible in the next release of Connect (or even the next available minor release) - SpamAssassin itself just is getting easier and easier to defeat, it seems. Maybe it's time to plug in a new antispam engine.
  •  
sascha.feider

Messages: 12
Karma: 1
same issue on our domains

spam traffic is getting worse, so we're testing several ways to improve our scanning process.

e.g. settings optimization from
http://forums.kerio.com/mv/msg/15018/0//

scanning rates are - roundabout 40% spam / 60% ham

-
(our last mailserver had 90% spam and 10% ham)
but kerio bayesian filter is still learning



  •  
jhtinc

Messages: 87
Karma: 8
Yeah - I have pretty tight controls on most servers I run (tag at 3 typically, block at 5 or less, and add at least 3 points for each blacklist hit). I think part of it is that SpamAssassin seems to be pretty much a dead project, and there really haven't been updates over the last few years to deal with the newer spam techniques.

Until recently, between what SpamAssassin could still do and the other scoring methods, greylisting, and blacklist lookups, it was holding up - but the spammers have taken the lead in the arms race. My volumes of blocked mail are up as well.

Looking at my spam logs, though, nothing is really being scored effectively any more. All the spam catching is happening through the blacklists (usually either Spamhaus, Spamcop, or Barracuda).
  •  
McIrish

Messages: 234
Karma: 8
I'm in agreement. I'm getting a ton of complaints about the increase in spam we are seeing. I'm sure some of it is self-induced by poor web habits, but I feel I should be able to control it better. I think we are going to look at further screening on the firewall level next. It's an added cost, but I have to do something to get a handle on spam.
  •  
Lyle M

Messages: 410

Karma: 7
Allow me to add a 'me too.'
I'm sure I could configure things a little better. Even so, I find my efforts to stem the tide are less effective than in prior years.
We're seriously considering using a 3rd party service.
I've also considered subscribing to the Invaluement lists:
http://dnsbl.invaluement.com/ivmsip/
Whenever I do a blacklist lookup on fresh items in my spam folder, the IP is often already on their lists.
I also wouldn't mind seeing a weighted spam scoring system. If an incoming server has multiple blacklist hits, I like to have an option to curve the score higher than just the cumulative score assigned to each blacklist.

Cheers.
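An added example, not part of the original posts and not Kerio's own scoring: a sketch of DNSBL lookups with a curved score for multiple blacklist hits, using the thresholds quoted earlier in the thread (tag at 3, block at 5, 3 points per hit). The zone names, the 1.5 curve factor and all function names are assumptions.

```python
import ipaddress
import socket

# Numbers quoted earlier in this thread: tag at 3, block at 5, 3 points per blacklist hit.
TAG_AT, BLOCK_AT, POINTS_PER_HIT = 3.0, 5.0, 3.0
# Placeholder zones (assumption); substitute the DNSBLs you actually subscribe to.
ZONES = ("dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example")


def dnsbl_query_name(ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on malformed input
    return ".".join(reversed(octets)) + "." + zone


def dns_listed(name):
    """Live lookup: an A record in 127.0.0.0/8 means listed, no answer means not listed."""
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def curved_score(hit_count, curve=1.5):
    """First hit scores POINTS_PER_HIT; each further hit is worth `curve` times the last."""
    return sum(POINTS_PER_HIT * curve ** i for i in range(hit_count))


def classify(ip, content_score, lookup=dns_listed, zones=ZONES):
    """Return (hits, total score, verdict) for a connecting IP and a content score."""
    hits = [z for z in zones if lookup(dnsbl_query_name(ip, z))]
    total = content_score + curved_score(len(hits))
    verdict = "block" if total >= BLOCK_AT else "tag" if total >= TAG_AT else "deliver"
    return hits, total, verdict


if __name__ == "__main__":
    # Constructed listing data so the demo runs offline (192.0.2.0/24 is a documentation range).
    listed = {"99.2.0.192.dnsbl-a.example", "99.2.0.192.dnsbl-c.example"}
    print(classify("192.0.2.99", 0.4, lookup=listed.__contains__))
```

With the curve, two hits add 7.5 points instead of the cumulative 6, and three add 14.25 instead of 9.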
  •  
Machete

Messages: 262
Karma: 5
McIrish wrote on Wed, 16 October 2013 10:23
I'm in agreement. I'm getting a ton of complaints about the increase in spam we are seeing. I'm sure some of it is self-induced by poor web habits, but I feel I should be able to control it better. I think we are going to look at further screening on the firewall level next. It's an added cost, but I have to do something to get a handle on spam.


Ditto!

I mentioned something about 2 months ago here: http://forums.kerio.com/m/105252/ and MarkK you will see gave me some great suggestions. I still have not implemented and still have a huge spam problem. Just thought I'd share his input for my scenario.
  •  
MarkK

Messages: 454
Karma: 46
I still suggest spending some time reading the spam headers and making rules for what you are receiving. (Thanks Machete for the mention in the previous reply.) It does take some time, and it can be frustrating, but it can yield much better catch results.

Spams are getting better at avoiding the filters though. So every once in a while I have to go through and see if I can tweak scores some more. There are some spams that just don't hit enough rules though.

I find myself looking at the Received: headers and creating custom rules that use substrings found in them. For instance, we were getting hit by 'Wells Fargo - here are some documents for you' spams. Though these emails were scoring high on the spam-o-meter, I had a custom rule that was allowing From: wellsfargo.com, but looking in the Received: headers it was obvious that the email was forged. Switching my Allow rule to look at Received: instead of From: has stopped those stupid spams.
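An added example, not part of the original post and not Kerio rule syntax: it compares an allow rule keyed on From: with one keyed on the Received: stamp written by your own server, for the forged-sender case described above. The Postfix-style header layout, the host name mx.example.org and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed Postfix-style stamp: "from <HELO> (<rDNS> [<IP>]) by <receiving host>".
# Other MTAs format this differently; adjust the pattern to your own server's headers.
STAMP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (no substring matches)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def allow_checks(raw_message, allowed_domain, our_mx):
    """Compare an allow rule keyed on From: with one keyed on our own Received: stamp."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    from_rule = in_domain(from_domain, allowed_domain)

    received_rule = False
    for header in msg.get_all("Received", []):
        m = STAMP.search(" ".join(header.split()))  # unfold continuation lines
        # Only the stamp written by our own server is trustworthy; anything below
        # it arrived with the message and can say whatever the sender likes.
        if m and m["by"].lower() == our_mx.lower():
            received_rule = in_domain(m["rdns"], allowed_domain)
            break
    return {"from_rule": from_rule, "received_rule": received_rule}


# Constructed sample: From: claims wellsfargo.com, but our server saw an unrelated host.
FORGED = """\
Received: from mail.wellsfargo.com (unknown [203.0.113.45])
\tby mx.example.org with ESMTP id 0000; Wed, 16 Oct 2013 10:00:00 -0400
Received: from mail.wellsfargo.com (mail.wellsfargo.com [198.51.100.7])
\tby relay.example.net; Wed, 16 Oct 2013 09:59:00 -0400
From: "Wells Fargo" <documents@wellsfargo.com>
Subject: Here are some documents for you

(body)
"""

if __name__ == "__main__":
    print(allow_checks(FORGED, "wellsfargo.com", "mx.example.org"))
```

The From: rule would allow the sample message; the Received: rule does not, because the host name in the HELO and in the lower header is sender-supplied, while the name and IP in parentheses on the top stamp are what the receiving server itself recorded.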
  •  
My IT Indy

Messages: 1262
Karma: 40
We run a dedicated Spam filter (CanIT from Roaring Penguin) and it's made a world of difference. Plus we lock down our hosted Kerio servers to only accept email from the spam filter, thus cutting out a lot of direct spam.

We gave up on Kerio's built-in spam filter as it kept getting overwhelmed. We have users getting THOUSANDS of spam emails each day and they are down to maybe 1-2 now.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
  •  
sascha.feider

Messages: 12
Karma: 1
Machete wrote on Wed, 16 October 2013 22:39

I mentioned something about 2 months ago here: http://forums.kerio.com/m/105252/ and MarkK you will see gave me some great suggestions. I still have not implemented and still have a huge spam problem. Just thought I'd share his input for my scenario.


I've just implemented these suggestions, adding / modifying some rules according to our business specifics.
Also, we added some custom rules, scanning for typical spam subjects.

we'll see
  •  
gbalbach

Messages: 72
Karma: 0
Does anyone know how to setup Connect on Windows so it could use a list like the invaluement list that is only available via rsync?
  •  
gbalbach

Messages: 72
Karma: 0
For something like the Invaluement lists - I see it only works via rsync - has anyone set that up with Kerio?

[Updated on: Mon, 18 November 2013 16:03]

  •  
gbalbach

Messages: 72
Karma: 0
HoosierMac wrote on Thu, 17 October 2013 06:55
We run a dedicated Spam filter (CanIT from Roaring Penguin) and it's made a world of difference. Plus we lock down our hosted Kerio servers to only accept email from the spam filter, thus cutting out a lot of direct spam.

We gave up on Kerio's built-in spam filter as it kept getting overwhelmed. We have users getting THOUSANDS of spam emails each day and they are down to maybe 1-2 now.


Which Canit system did you go with?
  •  
My IT Indy

Messages: 1262
Karma: 40
gbalbach wrote on Mon, 18 November 2013 09:59
HoosierMac wrote on Thu, 17 October 2013 06:55
We run a dedicated Spam filter (CanIT from Roaring Penguin) and it's made a world of difference. Plus we lock down our hosted Kerio servers to only accept email from the spam filter, thus cutting out a lot of direct spam.

We gave up on Kerio's built-in spam filter as it kept getting overwhelmed. We have users getting THOUSANDS of spam emails each day and they are down to maybe 1-2 now.


Which Canit system did you go with?


We use the Pro appliance on SuperMicro hardware.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
  •  
invaluement

Messages: 5
Karma: 0
POST HEAVILY REVISED ON 5/3/2015 DUE TO NEW INFO:
-------------------------------------------------
HUGE UPDATE FOR INVALUEMENT:

(1) there IS a direct query option for invaluement, as I had mentioned... AND... NEW INFO...

(2) now there isn't a need to add conditional forwarders to use invaluement (for the direct query access method, and if using our latest instructions)

(3) queries to our two IP-based blacklists (ivmSIP and ivmSIP/24) are 100% compatible with Kerio's "use DNSBL's server directly" feature--so that past compatibility issue is fixed

(4) And we published a new web site in late April 2015 that is MUCH easier to understand! Sorry for all the "growing pains" and past confusion!

[Updated on: Mon, 04 May 2015 03:19]

sascha.feider

Messages: 12
Karma: 1
1 month after reconfiguring our spam filters:

- we're only using Kerio's built-in features

Spam is down to nearly 10 messages per day, for 100 users. That means 1 message per 10 users.
One message is filtered through several DNS requests, SpamAssassin and some custom rules, adding score by subject filters.

the subject filters took about one week, by daily adjusting and manually checking already tagged mails