Drew Community  

  #1  
Old 03-14-2008, 06:45 PM
Mike Richichi's Avatar
Mike Richichi Mike Richichi is offline
Moderator
 
Join Date: Jun 2005
Location: Chatham, NJ
Posts: 220
Default New Spam Firewall

Here's the text of the campus-wide message:

Quote:
CNS has been evaluating and testing the Barracuda Spam Firewall as a possible replacement for our current spam filter, and had planned to switch to it in the near future. This Friday, sending and receiving email off-campus was broken for several hours, due to our current spam filtering system's licence expiring prematurely. When the license was extended, we had significant issues bringing the system back online. While email messages were only delayed and not lost, we consider this to be a serious problem. Due to this and other ongoing concerns we have decided to advance the replacement cycle of the spam filter and complete the upgrade today.

The new system behaves slightly differently than the old one, and we believe it will do a better job of filtering unwanted messages. You will still receive daily quarantine messages. The reports have the option to release the message, release and add sender to your "whitelist" or delete the message from quarantine. http://spam.drew.edu will still be available to examine your quarantine at any time, and allows you to configure some personal preferences as well.

While these interfaces may look different we believe they should be as easy if not easier to use than the previous system. You will also notice far fewer messages in your quarantine, which should make it simpler to find legitimate emails that were blocked. This is due to the additional filtering methods the Barracuda uses to block email from known undesirable origins. Also, current deny/allow from the old system will not be on the new system; we expect to be able to migrate them for you shortly.

We've been satisfied with the Barracuda product so far, and as our renewal for the old product was coming up, the timing was right to examine other products. We expect it to be more reliable than our old solution.

You will receive one more quarantine report from the old server, and clicking on the actions in that message will still work appropriately. In addition, the old spam filter will be available at http://oldspam.drew.edu/ for at least one week in case you need to review messages it has captured.

Please use this thread for questions, problems, and what we hope is positive feedback.
__________________
--Mike Richichi
Director of Computing and Network Services
http://depts.drew.edu/cns/
Reply With Quote
  #2  
Old 03-14-2008, 08:34 PM
Franklin K. Wyman Franklin K. Wyman is offline
Young Squirrel
 
Join Date: Jun 2005
Posts: 1
Default Why does CNS change software so often?

Sir:

I am a Ph.D. candidate, over 50 years of age, and not a genius at technology. Therefore, I strongly object to the seemingly constant changes in the various Drew software systems with which we are expected to deal. It seems that as soon as I learn how to deal with one system or interface, CNS discards it in favor of another that is even more arcane and complex.

The latest switch is a perfect example of this frustrating trend. With the soon to be outgoing system, the "delete" button was too small for anyone but an eagle-eyed undergraduate to detect. I became aware of its location only after I asked about it. Why did I have to ask how to delete mail that I do not want to read? If your objective in providing a spam filter is to avoid spam, why did you select a system in which the "delete" button is so hard to see? It would appear that the spammers are in league with those who designed the filter, or vice versa.

But, lo and behold, now that I have at long last figured out how to delete mail I do not want, I see that CNS has chosen a new system. My choices appear to be to ignore it or to take valuable time in learning a system, that, perhaps, will soon be replaced in its turn.

This must stop.

Franklin K. Wyman
Caspersen School
Reply With Quote
  #3  
Old 03-14-2008, 09:09 PM
E. Axel Larsson's Avatar
E. Axel Larsson E. Axel Larsson is offline
Moderator
 
Join Date: Jun 2005
Location: Madison, NJ
Posts: 303
Default

Quote:
Originally Posted by Franklin K. Wyman
Sir:

I am a Ph.D. candidate, over 50 years of age, and not a genius at technology. Therefore, I strongly object to the seemingly constant changes in the various Drew software systems with which we are expected to deal. It seems that as soon as I learn how to deal with one system or interface, CNS discards it in favor of another that is even more arcane and complex.

The latest switch is a perfect example of this frustrating trend. With the soon to be outgoing system, the "delete" button was too small for anyone but an eagle-eyed undergraduate to detect. I became aware of its location only after I asked about it. Why did I have to ask how to delete mail that I do not want to read? If your objective in providing a spam filter is to avoid spam, why did you select a system in which the "delete" button is so hard to see? It would appear that the spammers are in league with those who designed the filter, or vice versa.

But, lo and behold, now that I have at long last figured out how to delete mail I do not want, I see that CNS has chosen a new system. My choices appear to be to ignore it or to take valuable time in learning a system, that, perhaps, will soon be replaced in its turn.

This must stop.

Franklin K. Wyman
Caspersen School

With both the old and new system, it is not necessary to delete messages from the Quarantine manually. Messages that are not released by you are automatically removed after 7 days, so you can simply allow them to remain and they will expire on their own.

As to switching to the new product-- we did not intend to make the switch during the semester. We recognize that switching software during mid-semester is disruptive to the user community and would only consider such actions when absolutely necessary. As Mike's message indicated, we experienced a serious failure with the previous product this morning that resulted in a multi-hour outage of email service. This outage has been preceded by a variety of persistent unresolvable problems with the product, that had resulted in us investigating the Barracuda product in the first place. This morning's outage was the last straw in a long history of issues.

Rather than continue to subject the University community to unreliable email service, we took the prudent course and cut over to the new system right away.

Also, please do keep in mind, that it is not always up to Drew University's CNS department when we implement a new piece of software. We are forced by industry trends and vendor's support policies to stay current with this software. When we switched from GWGuardian to M+ Guardian one year ago, this was not by choice. The vendor that supported the product had started to discontinue support for GWGuardian and was no longer keeping it up to date, pushing customers who were renewing their contracts to the new software. We were actually quite happy with GWGuardian and would have been content to continue using it, but it was no longer being actively maintained by the vendor. It is simply not an option to be running an anti-spam and anti-virus product that is not actively updated by the vendor, as the system would be incapable of detecting new spam and viruses and this would be both an inconvenience and a security risk to the University.

Due to the persistent issues we've had with M+ Guardian since we were pushed to switch to it a year ago, and the failure we experienced this morning, we are exercising our option not to renew our contract for another year for that product and are putting the Barracuda in place two months ahead of schedule.

We've been evaluating the Barracuda for a while and are confident that it will provide more reliable service than M+ Guardian. The product's interface for users has been relatively unchanged for several years and we have every reason to believe that they will keep it as is with only minor changes for a while yet to come...
__________________
E. Axel Larsson
Systems Architect and Director of the Enterprise Technology Center

Last edited by E. Axel Larsson : 03-14-2008 at 09:21 PM.
Reply With Quote
  #4  
Old 03-15-2008, 01:13 PM
Meaghan E. Bratichak
 
Posts: n/a
Default

I gotta tell you, I'm not thrilled. I got four emails with some variation of "please her sexually" in the subject line this morning alone. That's never happened before. Maybe it's just coincidental timing and actually has nothing to do with the new spam filter, but....
Reply With Quote
  #5  
Old 03-15-2008, 02:13 PM
Michael J. Perez
 
Posts: n/a
Default

Part of the Ship...Part of the Crew...The Dutchman Must Have A Captain
Reply With Quote
  #6  
Old 03-15-2008, 02:45 PM
Andy A. Benavides Andy A. Benavides is offline
Ranger Cub
 
Join Date: Apr 2006
Posts: 59
Default Did you ever wonder???

Did you ever wonder how chickens manage to get the yolk inside of the shell? It always gets me thinking...
Reply With Quote
  #7  
Old 03-16-2008, 03:16 AM
E. Axel Larsson's Avatar
E. Axel Larsson E. Axel Larsson is offline
Moderator
 
Join Date: Jun 2005
Location: Madison, NJ
Posts: 303
Default

Currently the thresholds are not set very aggressively. Far worse than 50 spam messages getting through is one accidentally getting quarantined (known as a false-positive) so you always have to be conservative when starting out with a new filter.

The current set up shouldn't be getting false positives, which was more of an issue with the previous product. We will have to adjust the thresholds as we find a reasonable level that still does not produce false positives.

Barracuda works in a different way than Guardian. Barracuda makes heavy use of their distributed reputation system to catch most of the spam before it even gets to the quarantine stage (this is why the quarantine reports should be shorter). The reputation system uses a database of known spam campaigns that is updated at least once an hour.

Guardian relied much more on content analysis, which is looking for keywords and other characteristics of the email to decide if it is spam or not. This technique is more likely to catch unknown spam campaigns, but it is also more likely to hit false positives if the message "looks" spammy or uses certain keywords.

Barracuda does content analysis as well, but the thresholds are higher, since the reputation system should catch most of the stuff up front.

In any case, we will definitely be tweaking it over the next week.

This screenshot shows the stats on the Barracuda since it was installed. Note that the "day" column shows relatively small numbers because it is only 2:00am. The Total column encompasses only two days of message traffic. The Blocked numbers show the number captured by the reputation system, before it even gets to quarantine. Percentage-wise, what we are seeing here is not unusual. Internet email really is that spammy--it's kind of amazing it works at all.

__________________
E. Axel Larsson
Systems Architect and Director of the Enterprise Technology Center
Reply With Quote
  #8  
Old 03-16-2008, 12:49 PM
Paul R. Coen's Avatar
Paul R. Coen Paul R. Coen is offline
Moderator
 
Join Date: Jun 2005
Location: Madison, NJ
Posts: 140
Default As Axel said, we're going to be making adjustments

I've seen a few get through as well, mostly relatively innocuous stuff. In a couple of cases, it was a text-only email with a very bland subject line, a series of nonsense words or strings of random characters, and a single URL. There wasn't much else for the filter to go on, so until that source hits Barracuda's reputation filter (which it might, assuming the sites contributing to that are getting the same thing), it's hard to catch. Some of that stuff is currently only scoring a .8 or so (on a scale of 0 to 10), and looking at the messages, there's nothing hugely obvious about them to latch onto.

On the plus side, I haven't had to re-create my 40+ item "allowed" list that I needed with M+Guardian to avoid having it whack mailing list traffic that I actually want.

You can change your individual spam preferences if you go to http://spam.drew.edu and look under preferences. We currently have a system default score of "3.5" for spam. If you make that number lower, it'll be more aggressive when filtering your email, but you're likely to get more false positives and you'll have to really check the quarantine. If that's OK, or you don't care if you miss a few mail messages here and there, you can set the number lower. I wouldn't set it too low at this point, though, you're likely to suddenly get a ton of mail blocked.
Reply With Quote
  #9  
Old 03-16-2008, 01:32 PM
Scott Wood's Avatar
Scott Wood Scott Wood is offline
Moderator
 
Join Date: Jun 2005
Location: Morristown, NJ
Posts: 42
Default

We're going to continue to be conservative with setting the system default "score" for messages considered spam, but we will make minor adjustments over the next few days.

We just changed the default threshold down to 3.25 from 3.5, so any message that scores higher than 3.25 will now be quarantined.

As Paul mentioned, people may want to lower their own levels individually by changing preferences at http://spam.drew.edu. Click on the Preferences tab, then click on the Spam Settings tab, and then under Spam Scoring change Use System Defaults to no. Click on the Save Changes button and then adjust the Quarantine number up or down. Click on the Save Changes button again to commit your changes.

If you adjust your number down, you will probably want to pay extra attention to your quarantine until you are satisfied you have a number that isn't producing false-positives (i.e. legitimate mail being quarantined as spam).
Reply With Quote
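
The two-stage filtering and the threshold trade-off described in posts #7 to #9, as a simplified model added here for illustration; it is not Barracuda's code or CNS's configuration. Only the 0 to 10 scale and the 3.5 and 3.25 thresholds come from the thread; the blocklist (assumed to be a plain set of sender IPs), the addresses and the scores are constructed.

```python
from collections import Counter
from dataclasses import dataclass

SYSTEM_DEFAULT = 3.25  # system default threshold from the thread (previously 3.5)

@dataclass
class Message:
    sender_ip: str   # constructed documentation-range address
    score: float     # content-analysis score on the 0-10 scale
    is_spam: bool    # ground truth, used only to measure errors

# Constructed stand-in for a reputation list (assumption: a plain set of IPs).
BLOCKLIST = {"203.0.113.7", "203.0.113.8"}

# Constructed sample traffic.
SAMPLE = [
    Message("203.0.113.7", 9.0, True),     # known campaign, stopped by reputation
    Message("203.0.113.8", 7.2, True),     # known campaign, stopped by reputation
    Message("198.51.100.20", 6.1, True),   # unknown source, obvious content
    Message("198.51.100.21", 3.4, True),   # sits between 3.25 and 3.5
    Message("198.51.100.22", 0.8, True),   # bland text plus one URL, scores low
    Message("192.0.2.10", 2.6, False),     # wanted mailing-list traffic
    Message("192.0.2.11", 0.3, False),     # ordinary personal mail
]

def disposition(msg, threshold=None, blocklist=BLOCKLIST):
    """Reputation check first; only mail that survives it is scored."""
    if threshold is None:
        threshold = SYSTEM_DEFAULT       # "Use System Defaults" left at yes
    if not 0.0 <= threshold <= 10.0:
        raise ValueError("threshold must be on the 0-10 scale")
    if msg.sender_ip in blocklist:
        return "blocked"
    return "quarantined" if msg.score > threshold else "delivered"

def evaluate(messages, threshold=None):
    """Count dispositions, plus missed spam and false positives."""
    stats = Counter()
    for msg in messages:
        result = disposition(msg, threshold)
        stats[result] += 1
        if msg.is_spam and result == "delivered":
            stats["missed_spam"] += 1
        if not msg.is_spam and result != "delivered":
            stats["false_positives"] += 1
    return stats

if __name__ == "__main__":
    for t in (3.5, 3.25, 2.0):
        print(t, dict(evaluate(SAMPLE, t)))
```

On this sample, moving from 3.5 to 3.25 catches one more spam message with no false positives, while a personal setting of 2.0 quarantines the mailing-list message and still misses the 0.8-scoring spam.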
  #10  
Old 03-17-2008, 10:41 AM
Ethan G. Marsh Ethan G. Marsh is offline
Squirrel
 
Join Date: Jun 2005
Posts: 28
Default Love the new Spam filter

I'd just like to say that I love the new spam filter. My quarantine was up to 30+ messages a day under M+ and I had to check it regularly because there were occasional false positives. With the new filter, I get about 1 new quarantined message a day, so far no false positives, and so far only a couple actual spam messages have slipped through. Needless to say, this is a huge improvement. Thank you!
Reply With Quote
All times are GMT -4. The time now is 06:06 PM.
Drew University is not responsible for the content of posts made on this site. All posts and comments reflect the opinion of the author.