  1. #1
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    Spam blocker and Phish blocker not catching much - Improvements coming?

    We currently have Untangle deployed in several locations performing various duties. In this one case, we are using Untangle as our anti-spam appliance. It currently runs: Virus Blocker, Virus Blocker Lite, Spam Blocker, Phish Blocker and Reports. We have been using Untangle since version 9, and have most recently upgraded to 11.x. Since deployment, these are my observations (individuals mileage will vary):
    - Virus Blocker and Virus Blocker Lite catch minimal viruses. -- This I can't get too upset about as fighting viruses in general is an "arms race". I can't count the number of times I've submitted something to VirusTotal only to see 3 out of 55 virus scanners catching something. I can say they have definitely caught things our other antivirus packages have not.
    - Phish Blocker - This has been almost completely useless. We receive phishing emails almost daily & it detects maybe "one in a million".
    - Spam Blocker - My note here is similar to anti virus. There are several different ways to fight spam, each with its pros/cons. When we first put Untangle online it was doing an incredible job. Now, more and more spam is getting through. The main issue I have with the Spam Blocker is I can only adjust a score. There's no way to train/retrain the system when spam gets through or ham gets blocked. You do have methods for dealing with these issues (global white lists, user white lists, etc) but these are manual.

    My question is: Are there plans to improve the Spam and Phish blocker? Add functionality? Make it more customizable than the darkness control on my toaster? You have a very solid product, I just wish I was delivering a little more... "oomph".

    Thanks!

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,129


    You need to make sure the thing is actually working.

    http://wiki.untangle.com/index.php/S...k_DNSBL_Access

    That patch runs a series of tests against the black lists Untangle uses. You can run it yourself via SSH or have UT support do it. Spam Blocker is VERY sensitive to those DNS lists malfunctioning. And I'm having increasing difficulty with ISP DNS servers not being able to use some of these lists. If this is happening to you, you'll have to deploy your own DNS resolver. After that what I do is use the domain override feature of Untangle's DNS to push the problem black lists to the DNS server that works.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
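The check sky-knight describes above, as an added example (not Untangle's own test script and not code from anyone in this thread): it resolves the standard DNSBL test entries through a chosen resolver and reports, per list, whether that resolver can actually use the list. It assumes the well-known zone names for SpamHaus, SpamCop and SORBS, the RFC 5782 convention that 127.0.0.2 is always listed and 127.0.0.1 never is, and the 127.255.255.x codes Spamhaus returns when it refuses a resolver; the fake resolver at the end is constructed so the logic can be exercised offline.

```python
"""Check that the resolver a mail filter uses can actually reach its
DNS-based block lists (DNSBLs).

Added example, not Untangle's own DNSBL test script. It uses the RFC 5782
convention: every IP-based DNSBL lists the test address 127.0.0.2 and
must not list 127.0.0.1. A resolver that returns nothing for the test
entry is not reaching the list, and the spam scorer then runs without
that list's evidence while reporting no error.
"""
import socket
from typing import Callable, Dict, List

# Zones for three of the lists named in the thread (well-known zone names;
# confirm against each list's documentation before relying on them).
DNSBL_ZONES: Dict[str, str] = {
    "SpamHaus": "zen.spamhaus.org",
    "SpamCop": "bl.spamcop.net",
    "SORBS": "dnsbl.sorbs.net",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, zone appended.
    1.2.3.4 in zone z -> 4.3.2.1.z"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name: str) -> List[str]:
    """A records via the host's configured resolver; [] on NXDOMAIN or error."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_dnsbl(zone: str, resolve: Resolver = system_resolve) -> str:
    """Classify one list as seen through `resolve`.

    passed        : 127.0.0.2 listed with 127.0.0.0/8 answers, 127.0.0.1 not listed
    refused       : answers in 127.255.255.0/24, the code Spamhaus returns when it
                    will not serve this resolver (public/open resolver, query limits)
    not reachable : the test entry returns nothing at all
    broken        : 127.0.0.1 is listed or answers fall outside 127.0.0.0/8, which
                    is what an ISP resolver that rewrites NXDOMAIN looks like
    """
    positive = resolve(dnsbl_query_name("127.0.0.2", zone))
    negative = resolve(dnsbl_query_name("127.0.0.1", zone))
    if any(a.startswith("127.255.255.") for a in positive + negative):
        return "refused"
    if negative:
        return "broken"
    if not positive:
        return "not reachable"
    if not all(a.startswith("127.") for a in positive):
        return "broken"
    return "passed"


def check_all(resolve: Resolver = system_resolve,
              zones: Dict[str, str] = DNSBL_ZONES) -> Dict[str, str]:
    """Run the check for every configured list."""
    return {name: check_dnsbl(zone, resolve) for name, zone in zones.items()}


def make_fake_resolver(answers: Dict[str, List[str]]) -> Resolver:
    """Constructed resolver for offline demonstration: name -> answer list."""
    return lambda name: list(answers.get(name, []))


if __name__ == "__main__":
    # Live run against the resolver the host is configured with; one line
    # per list, in the same spirit as the output quoted later in the thread.
    for name, status in check_all().items():
        print(f"[system resolver] : {name} {status}")
```

Run it on the Untangle box (or on whatever host the filter's resolver is) and compare with a run pointed at a resolver you control; a list that reads "refused" or "not reachable" on one and "passed" on the other is the case where a per-domain override to the working resolver helps.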

  3. #3
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29


    As far as I can tell, it is. Output:

    Testing dnsmasq ...
    [127.0.0.1] : DNS passed
    [127.0.0.1] : SORBS passed
    [127.0.0.1] : SpamCop passed
    [127.0.0.1] : SpamHaus passed
    [127.0.0.1] : SURBL passed
    [127.0.0.1] : URIBL passed
    [127.0.0.1] : URIBL passed
    [127.0.0.1] : DNSWL passed
    [127.0.0.1] : DNSWL passed
    [127.0.0.1] : IADB passed

    Testing DNS_SERVER_IP ...
    [DNS_SERVER_IP] : DNS passed
    [DNS_SERVER_IP] : SORBS passed
    [DNS_SERVER_IP] : SpamCop passed
    [DNS_SERVER_IP] : SpamHaus passed
    [DNS_SERVER_IP] : SURBL passed
    [DNS_SERVER_IP] : URIBL passed
    [DNS_SERVER_IP] : URIBL passed
    [DNS_SERVER_IP] : DNSWL passed
    [DNS_SERVER_IP] : DNSWL passed
    [DNS_SERVER_IP] : IADB passed

    Analyzing mail.log ...
    Results: passed (15058 results)
    RAZOR: passed (2856 results)
    BAYES: passed (15056 results)
    AWL: passed (2 hits)

    We currently run our own DNS server, and we aren't using Google, or OpenDNS or anything like that for our upstream DNS. We're definitely catching things in our quarantine but too much is getting past. The biggest issue is the Phishing Blocker. It doesn't even appear to be doing anything.

    Now here is a question: Our Untangle box is set up in "Bridge mode", and the mail flow is essentially: Exchange <--> Postfix <--> Untangle <--> Internet. We are doing almost no content filtering on the Postfix box, but are doing technical restrictions (clients must greet with HELO/EHLO, etc.). Is there anything about this configuration that could be tripping up the blockers?

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,671


    Since you have a paid subscription I would open a support ticket so Untangle support can look at your specific deployment.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,129


    Yeah, opening a ticket is a solid idea. However, if you have two mail servers, and one of them has access from the world that isn't filtered, spam can be leaking.

    Another thing, if either of those servers allow TLS over SMTP for unauthenticated servers, Untangle can't scan that, it's encrypted. Spammers use encryption to bypass filters, so that can be something that's going on too.

    Finally, if your egress smtp is also going through Untangle, take a look at your outgoing mail and see if you notice any anomalies. I had two separate servers this year start getting wads of spam, and the spam was being sent via an authenticated smtp session on TCP 465 because the spammer managed to get an account on the box. They were also using my smtp servers to send more spam.

    Let support help you verify Untangle is working properly first, but be aware that this sort of thing can be a much larger issue than a deficient spam filter.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29


    Oh I'm aware it's a complex issue. And as I said, when we started out with version 9 it was amazing. What I think has happened is the spammers have just gotten too smart. My argument is I don't need to be able to adjust a threshold, I need a more intelligent scanner. I'm not opposed to opening a ticket & might just do that. I have a feeling though that it's not configuration related.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,129


    The funny part is, I left Untangle 9 because the spam blocker was worthless there. Untangle when it went to 10 switched the Spam Blocker from Comtouch to BitDefender, and that helped but it didn't really fix much. Then I think it was with 11, the Spam Blocker got swapped again to something else. Sorry the name escapes me at the moment.

    And while that new product isn't perfect, it's returned my Untangle spam experience to what I remember of the golden days before 9.x was outmoded.

    However, you really should open that ticket because it is a complex issue, and there are some things that can go wrong within Untangle that causes it to make poor decisions. These things are usually pretty easy to fix once identified. In my case I had bad DNS wrecking the bayes database.

    Anyway, open a ticket, find some samples and work with support. They should have you sorted out in a few days.
    Last edited by sky-knight; 10-08-2015 at 12:20 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    There are no improvements coming. Not because we don't want them, but just because we don't know what they would be.
    It's hard to imagine it working at a higher level and even if it did that the difference would be perceivable. As it is I hardly ever get spam. Of all the anti-spam solutions we've ever tested or used, none score higher than our current provider.
    (Also note that improvements would hardly benefit you anyway, as you currently are getting subpar results anyway).

    My recommendations:

    I would make sure you are running the most recent version of 11.2. I don't know what '11.xx' means. There are many different 11.x versions.

    Phish Blocker is just clam with special signatures. If you want it to work better you can get involved in the phishing clam signature community.
    I wouldn't expect it to stop all phish. In reality Spam Blocker blocks way more phish than Phish Blocker.

    Debugging antispam performance is all about asking the right question.
    Questions that are likely to lead nowhere:
    * Are improvements to spam blocker coming? The performance is bad.
    * Why is spam blocker letting so much spam through?
    * Why is spam blocker missing so much obvious spam?

    Questions that are likely to lead somewhere:
    * Here are 5 .eml file samples and their scan results pulled from the event log that I consider to be spam. Why were they scored as ham?
    * Here is a screenshot of the spam events. Why have the highlighted entries scored so low?

    Having watched this movie many, many, many times, the questions in the first group will likely lead to an unproductive conversation.
    The questions in the second group are concrete and provide a foundation to have a discussion.

    Anyway, open a ticket. We'll get it figured out.
    Last edited by dmorris; 10-08-2015 at 12:55 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  9. #9
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29


    dmorris: I've submitted a ticket as users have recommended. As far as your points, you do have valid ones.

    Your system assigns a score. Period. A spam message makes it in. Why can't I send it back into Untangle and have it reprocess the mail with the known outcome it's spam? If all the system will do is come out with the same score, then I don't see how it can get any better.

    My Postfix server is deflecting a bunch of spam as is on a technical basis.

    If I were to ask the two more targeted questions you made would I submit them here or via a support ticket?

  10. #10
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Quote Originally Posted by Steve.Cena
    dmorris: I've submitted a ticket as users have recommended. As far as your points, you do have valid ones.

    Your system assigns a score. Period. A spam message makes it in. Why can't I send it back into Untangle and have it reprocess the mail with the known outcome it's spam? If all the system will do is come out with the same score, then I don't see how it can get any better.

    My Postfix server is deflecting a bunch of spam as is on a technical basis.

    If I were to ask the two more targeted questions you made would I submit them here or via a support ticket?
    To the first question. We don't do that because it wouldn't improve the spam detection rate. It would make the user feel better, but in reality it just won't help.
    The bayes already trains itself automatically.

    Yes, but realize your postfix server may run many spam checks *before* Untangle. Untangle scans the message as it is transmitted to postfix.
    If postfix decides that it's spam before Untangle scans it and kills the transmission then Untangle never scans it. This doesn't mean spam blocker missed it. It means it didn't even scan it. This can be unintuitive. This is why checking the events/scores is important.

    edit:
    I would submit the samples and screenshots to your support ticket.
    They'll likely give you the same advice anyway. They can't really debug without specifics.
    Last edited by dmorris; 10-08-2015 at 01:11 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
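Two points in this thread are easier to act on with a log in hand: dmorris's point just above that a message Postfix rejects at RCPT time is never scanned by Untangle (so it is not a Spam Blocker miss), and sky-knight's earlier point in #5 that an unusual volume of authenticated submissions from one account is how a compromised mailbox shows up. The following is an added example, not Untangle's or Postfix's code and not posted by anyone in the thread: it reads Postfix smtpd log lines, separates "rejected before any scan" from "accepted and handed on", and lists accounts whose authenticated submission count reaches a threshold. The log lines are constructed for the example, and the threshold is a hypothetical tuning parameter.

```python
"""Triage a Postfix mail.log before blaming the spam filter behind it.

Added example, not Untangle's or Postfix's code. Two things the thread
raises: (1) a message Postfix rejects at RCPT time never reaches the
filter, so it must not be counted as a filter miss; (2) an unusual volume
of authenticated submissions from one account is worth a look, since a
compromised mailbox relays spam from the inside. The log lines below are
constructed in Postfix smtpd format; the threshold is a hypothetical
tuning parameter.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines (not from the thread): three RCPT-time rejects,
# one plain inbound accept, four authenticated submissions.
SAMPLE_LOG = """\
Oct  8 12:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<x@example.net> to=<sales@example.com> proto=ESMTP helo=<mail>
Oct  8 12:00:07 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <foo>: Helo command rejected: need fully-qualified hostname; from=<y@example.net> to=<info@example.com> proto=SMTP helo=<foo>
Oct  8 12:00:15 mx postfix/smtpd[2102]: 4F2A1C0B9E: client=mail.example.org[198.51.100.4]
Oct  8 12:00:20 mx postfix/smtpd[2103]: 7B3C2D1E0F: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=jsmith
Oct  8 12:00:21 mx postfix/smtpd[2103]: 8C4D3E2F10: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=jsmith
Oct  8 12:00:22 mx postfix/smtpd[2103]: 9D5E4F3021: client=unknown[192.0.2.78], sasl_method=LOGIN, sasl_username=jsmith
Oct  8 12:00:30 mx postfix/smtpd[2104]: AE6F504132: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=mmiller
Oct  8 12:00:41 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[203.0.113.22]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.22]; from=<z@example.net> to=<info@example.com> proto=ESMTP helo=<srv>
"""

# NOQUEUE reject at RCPT: no queue id was ever assigned, so nothing
# downstream of Postfix (Untangle included) saw the message.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+: (?P<code>\d{3}) (?P<reason>.*?); from=<"
)
# A queue id on the "client=" line means the message was accepted for delivery.
ACCEPT_RE = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-F]{6,}): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")


def classify_reject(reason: str) -> str:
    """Bucket a reject reason by the technical check that fired."""
    if "blocked using" in reason:
        return "dnsbl"
    if "Helo command rejected" in reason:
        return "helo"
    if "reverse hostname" in reason:
        return "rdns"
    return "other"


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count rejects by reason, accepted messages, and submissions per account."""
    rejected: Counter = Counter()
    accepted = 0
    authenticated: Counter = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejected[classify_reject(m.group("reason"))] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted += 1
            s = SASL_RE.search(line)
            if s:
                authenticated[s.group("user")] += 1
    return {"rejected": dict(rejected), "accepted": accepted,
            "authenticated": dict(authenticated)}


def never_scanned_share(summary: Dict[str, object]) -> float:
    """Fraction of inbound attempts rejected before any content scan could run."""
    rejected = sum(summary["rejected"].values())
    total = rejected + summary["accepted"]
    return rejected / total if total else 0.0


def suspicious_senders(summary: Dict[str, object], threshold: int) -> List[str]:
    """Accounts whose authenticated submission count reaches the threshold."""
    return sorted(u for u, n in summary["authenticated"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("rejected before scan:", s["rejected"])
    print("accepted:", s["accepted"])
    print(f"never scanned: {never_scanned_share(s):.0%}")
    print("accounts to review:", suspicious_senders(s, threshold=3))
```

Feed it the real mail.log from the Postfix box (`summarize(open("/var/log/mail.log"))`) and set the threshold from your own baseline of per-user daily volume; the "rejected" buckets are the messages to leave out of any "Spam Blocker missed it" tally, and the per-account counts are what to compare against the Untangle event log when the outbound side looks odd.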
