I administer a Windows Server 2003 with Exchange 2003 as well as GFI installed. I am watching the GFI dashboard and every third email is spam. Not only that, it goes to a non-existent address and then [email protected] sends out an NDR to the sender.
Should I be worried about this? I know it is directory harvesting, but we have directory harvesting turned on in GFI and I do see it is working, but obviously it doesn't work for emails that don't exist. My issue is that I would turn off NDRs, but then people who legitimately mistype an email address to our domain will never know their email did not get to the recipient.
What do others do to combat spam?
Is 3 times the amount of spam to ham normal?
We filter out 90% of the spam but some does get into the users inbox.
Thanks for the suggestions and advice!
Welcome to the internet my friend, would you like some spam? :)
In my experience 3:1 (or higher) Spam:Ham ratio isn't unusual -- My company gets on the order of 3.75:1 & my personal box is around 2:1. If you want email you just have to cope with the fact that you will get a bunch of spam along with it.
Definitely don't disable NDRs / 5xx permanent failure messages -- It is expected and proper that your server return these, and as you said people who legitimately mistype an address need to be told they made a typo (the number of angry users from turning off NDRs is in my experience far greater than the benefit of disabling them as a spam-fighting measure). (ETA: If your system is sending out an email of its own you don't need to do that: the sending SMTP server should notify the sender.)

Re: other ways to fight the flood (in the order I apply them):
This is a firewall rule in my case: If I think you're that terrible you're not even going to talk to my SMTP server.
You can layer a few different filtering technologies here if you really want to.
You can also consider greylisting but I've found that to be of limited value personally (and it annoys me in general: It creates double the traffic/workload for legit emails).
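The distinction this answer draws (reject at SMTP time with a 5xx so the sending server notifies its own user, rather than accepting the message and generating an NDR yourself) and the greylisting it mentions can be shown as a single RCPT-stage policy function. The following is an added example written for this page; it is not GFI, Exchange or JEPS code, and the directory of known users, the blocked IP and the example.com domain are constructed values.

```python
"""Added example (not from the original thread): an SMTP RCPT TO policy that
(1) refuses connections from a deny list, (2) rejects unknown recipients with a
550 so the *sending* MTA generates the bounce and our server never emits an NDR,
and (3) greylists first-seen (ip, sender, recipient) triplets with a 451.
All data below is constructed for illustration."""
import time

KNOWN_USERS = {"alice@example.com", "bob@example.com"}  # constructed directory
BLOCKED_IPS = {"203.0.113.9"}  # constructed; stands in for a firewall/RBL deny rule
GREYLIST_DELAY = 300  # seconds a new triplet must wait before it is accepted
_greylist = {}  # (client_ip, mail_from, rcpt_to) -> time first seen


def rcpt_policy(client_ip, mail_from, rcpt_to, now=None):
    """Return the (code, text) reply to give at RCPT TO time."""
    now = time.time() if now is None else now

    if client_ip in BLOCKED_IPS:
        # Equivalent of the firewall rule in the answer: the host is refused outright.
        return (550, "5.7.1 Service unavailable; client host blocked")

    if rcpt_to.lower() not in KNOWN_USERS:
        # Hard failure before DATA: the message is never accepted, so there is
        # nothing for us to bounce later. The sending server reports the typo
        # to its user; a forged MAIL FROM produces no backscatter from us.
        return (550, "5.1.1 User unknown")

    key = (client_ip, mail_from.lower(), rcpt_to.lower())
    first_seen = _greylist.get(key)
    if first_seen is None:
        _greylist[key] = now
        return (451, "4.7.1 Greylisted, please retry later")
    if now - first_seen < GREYLIST_DELAY:
        return (451, "4.7.1 Greylisted, please retry later")
    return (250, "2.1.5 Recipient OK")


def accept_then_bounce(mail_from, rcpt_to):
    """The pattern described in the question: accept every message, then mail an
    NDR to whatever MAIL FROM claimed. With a forged sender the NDR lands on an
    uninvolved third party (backscatter). Returns the NDR that would be sent,
    or None if the recipient exists."""
    if rcpt_to.lower() in KNOWN_USERS:
        return None
    return {"to": mail_from, "subject": "Undeliverable: " + rcpt_to}


if __name__ == "__main__":
    # A mistyped local part is refused at RCPT TO; the sender's own server tells them.
    print(rcpt_policy("198.51.100.7", "friend@example.org", "alcie@example.com"))
    # The same mistyped address under accept-then-bounce creates an NDR to a
    # possibly forged sender.
    print(accept_then_bounce("victim@example.net", "alcie@example.com"))
```

Usage note: in a real deployment the `KNOWN_USERS` check would query the directory (Exchange recipient validation or an LDAP lookup) and `_greylist` would be persisted; the point of the example is that the 550 is issued before the message is accepted, which is why the first answer says no NDR of your own is needed.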
I had the same problem with the NDR issues. What I did to resolve the issue was to set up greylisting using JEPS.
3:1 spam:ham ratio sounds about right. There is a ridiculous amount of spam out there.
I've never used GFI before. We run a dual-spam filtering system, first level is Postini which then sends mail to our servers. Second level is Spamassassin/Amavis running locally, before forwarding it to our exchange server, which doesn't have anything running. That seems to catch the stuff that Postini lets through. About 1 spam every few days gets through and false positives seem low.
If you are only catching 90% of spam that is a horrible catch rate. I'll give the GFI product the benefit of the doubt and say that something is misconfigured. Make sure you have gone through the settings to ensure everything is done right. You should have at least one RBL enabled - I recommend spamcop.
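For anyone checking that their RBL setting actually does something, this added example (not GFI's code or any real list's data) shows how a DNS blocklist lookup is formed and interpreted: the connecting IP's octets are reversed, prefixed to the list's zone, and an A record answer inside 127.0.0.0/8 means "listed". It uses a constructed in-memory zone named bl.example.invalid so it runs offline; an optional real resolver using the standard library is included and is the only part that touches the network.

```python
"""Added example (not from the original thread): constructing and interpreting a
DNSBL/RBL query. The zone and the listed address below are constructed."""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """'203.0.113.9' + 'bl.example.invalid' -> '9.113.0.203.bl.example.invalid'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS: only one IP is "listed" in this fake zone.
CONSTRUCTED_ZONE = {
    "9.113.0.203.bl.example.invalid": "127.0.0.2",
}


def real_resolver(name):
    """Resolve against live DNS; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip, zone="bl.example.invalid", resolver=CONSTRUCTED_ZONE.get):
    """Return (listed, answer). `resolver` maps a name to an A record or None."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return (False, None)
    # Lists answer from 127.0.0.0/8. Anything else (for example a wildcard
    # returned by a lapsed list's domain) must not be treated as a listing,
    # otherwise every connecting host would be blocked.
    if ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return (True, answer)
    return (False, answer)


if __name__ == "__main__":
    print(dnsbl_lookup("203.0.113.9"))    # listed in the constructed zone
    print(dnsbl_lookup("198.51.100.1"))   # not listed
```

The `real_resolver` function can be passed as `resolver=` to query an actual list zone; the 127.0.0.0/8 check is the part worth keeping whatever product does the lookup, since a list that has shut down and started answering every query is a well-known way to end up rejecting all inbound mail.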
I would disable NDR for non-existing accounts. You are right that if someone mistypes an address it won't bounce. However, the many, many spam messages that are sent from 'fake' from addresses to invalid accounts create a condition where your server is basically spamming other mail servers with its NDRs. NDR should be disabled in most situations.