Page 1 of 2 12 LastLast
Results 1 to 10 of 20
  1. #1
    Untanglit
    Join Date
    Jan 2010
    Posts
    24

    Default Not all emails are getting scanned

    Currently we are running a barracuda box to do our spam filtering. I would like to do away with it and use Untangle for Spam filtering. So to test if Untangle could filter spam as well as barracuda I setup untangle like this:
    Router---Untangle---switch-----barracuda--------Exchange email server

    (Barracuda and exchange are not directly linked but in the same switch...i just couldnt draw it)

    Normall all email is sent to barracuda which then forwards to our exchange box. Putting untangle where i have it should filter email before it gets to the barracuda box. I have the spam filtering turned on high. It shows that its scanning some and quaratining some. I can now login to the barracuda box and see what the untangle box has missed. Not only is there massive amounts of spam getting through....like 20-30 messages a minute....there is way more email messages passing to barracuda then what untangle says that its scanned. I have set the concurrent scans to 100 to see if that would help. Also I turned on the phishing filter and it scans many more messages then does the spam filter. Shouldn't those be the same?

    Is there anything I can do to check and see whats going on? All email is SMTP coming in.

  2. #2
    Untanglit
    Join Date
    Jan 2010
    Posts
    24

    Default

    I wanted to add some numbers to this for you. My phishing filter has passed over 80,000 messages in the SAME amount of time that my spam filter has passed 1,655. SPAM has only q'd 427. Just seems like the SPAM filter is not looking at everything. I mean...not even close.....

  3. #3
    Untangle Ninja raditude's Avatar
    Join Date
    Jan 2009
    Location
    Eugene, OR
    Posts
    1,143

    Default

    If the load (cpu) is too high (under the spam module, smtp, more options) (think it is set to 7 by default), it will either default to "close" or "open", so it will either pass the messages it can not scan due to being overwhelmed, or reject for the same reason. Not sure what your load is during this time?

  4. #4
    Untanglit
    Join Date
    Jan 2010
    Posts
    24

    Default

    Yes, I meant to mention that. My load is only around 4 or 5 at the most and I am running a 4 core setup. I also set the load threshold to 10 just in case that was it. That doesnt appear to be the problem.

  5. #5
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    Default

    You have enable tarpit filter in Untangle?

  6. #6
    Untanglit
    Join Date
    Jan 2010
    Posts
    24

    Default

    Have I enabled tarpit? No, I have not.

    Do I need to?

  7. #7
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    Default

    Jajajaja, try it , and share here the results please, i ever like to compare spamassain with barracuda and ironport, but never have the choice.

  8. #8
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    Default

    PS: with tarpit enabled, i have more than 97% off spam rejected.

  9. #9
    Master Untangler JEllingson's Avatar
    Join Date
    Jan 2008
    Location
    Warner Robins, GA
    Posts
    342

    Default

    Untangle doesn't do that well on catching spam right out of the box. It takes it a while to catch up on rule updates and such. Also, I *highly* recommend the CommTouch add-on. It will dramatically improve the spam catching. Then, if you want to go a step further, and don't mind playing with the "internals" of Untangle, then look at the _unsupported_ J&J Script. It enables DCC and other features that Untangle cannot enable themselves due to licensing issues. (Not illegal to add and enable yourself... just illegal for Untangle to add and enable it for you).

    Also, you will see different numbers betweens scanners because of what they scan and in what order they do so. For example, phishing also scans HTTP requests as well as SMTP requests... hence why its number is so much higher.

    Again, add CommTouch (free trial) and wait a couple of days. Then re-evaluate. If you still need more, look into using J&J Script.

  10. #10
    Untanglit
    Join Date
    Jan 2010
    Posts
    24

    Default

    I did enable tarpitting and it didnt seem to make that much difference. If anything there was just more dropped messages.

    Jellingson,
    I have phishing set to only scan SMTP, i turned the others off.
    The main point I need to bring out here is this: blocking the SPAM isnt really the issue. It blocks the SPAM that it scans just fine. It just doesnt seem to be scanning all the email. If I add the passed, quarantined, and dropped together I should get a total amount of email messages that was scanned. That total is like 2000 for an 8 hour period. It should be 2000 for like a 10 minute period. If what you said is correct and it just takes some time for UT to 'learn' SPAM, then I would expect to see a tremendous amount of passed messages.

    Since my phishing filter is only scanning smtp messages I would expect the SPAM filter and Phishing filter numbers to be atleast close. There is a difference in about 200,000 messages. And that number sounds about right for SMTP.

    Is there any documentation on using that J&J Script?

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2