Post-install we have had to tune the thing a bit. Having said that, I'm not
responding to a flurry of inbound hoax and chain mails (none, to tell you
the truth), I'm just putting a rule in to try and catch the keywords in case
it doesn't flag them itself (I prefer the belt and braces approach). There
are some preconfigured dictionaries that were already there - profanity and
sexual content, as well as some other custom ones that deal with stuff like
SSNs, credit card numbers, and the like, that I have left inactive.

The biggest problem is trying to separate spam from what users have signed
themselves up to without generating false positives. We have just ditched
Symantec Mail Security for this and we had to have Symantec turned *way* up
to try and catch the "normal" spam, which was blocking a lot of legitimate
mail. I have to say - the IronPort's reputation filtering has allowed us to
operate more relaxed anti-spam rules as it blocks all of the pharmaceutical,
casinos and other crap without ever letting it near the mail server. That
part of it seems to work fantastically well. We've had a few marketing
things slipping through, but they were all things our users had subscribed
to, and turning the filtering up slightly has now quarantined them. We
haven't had a false positive yet - at least not since we graded the terms in
the profanity and sexual content dictionaries (a very enlightening
procedure!). Obviously it wasn't appropriate for the IronPort to be doing
things such as flag one of our suppliers under the sexual content filter
just because his surname was John Cumming.

Aside from a bit of tuning, it seems very good in its default config. The
reputation filtering is a massive help compared to what we had before. But
you do need to adjust it to your needs, I think - YMMV.

Cheers,


2009/10/16 Kevin Lundy <[email protected]>

> James - we are looking at the IronPort ourselves right now.  Based on what
> the Cisco tech told us, I would have expected these to be blocked out of the
> box.  Are you saying they weren't?
>
> Kevin
>
> On Fri, Oct 16, 2009 at 9:47 AM, James Rankin <[email protected]> wrote:
>
>> I've just gotten myself an IronPort (thanks to all who recommended it, and
>> other, solutions) and am currently trying to configure various filters and
>> policies for it. I was thinking along the lines of being able to quarantine
>> things that looked like chain emails, hoax police warnings, and the like.
>> Basically anything that doesn't serve a business purpose and asks for the
>> mail to be resent. Does anybody have any ideas what kind of string I could
>> be searching for in the body to pick these out? I was thinking of something
>> along the lines of "forward this onto all people" or something like that....
>>
>> Or is there another way to attack this using the features of the IronPort?
>> I would be grateful for any insight, as we scrimped on the training costs
>> and basically got a half-hour tutorial.
>>
>> TIA,
>>
>>
>>
>>
>> jRR
>>
>> --
>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>> the machine wrong figures, will the right answers come out?' I am not able
>> rightly to apprehend the kind of confusion of ideas that could provoke such
>> a question."
>>
>> http://raythestray.blogspot.com


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

http://raythestray.blogspot.com
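
An added illustration of the graded-dictionary approach discussed in this thread; it is not IronPort configuration and not code from any poster. Distinctive chain-mail phrases carry enough weight to quarantine on their own, while an ambiguous single word such as "forward" cannot. Every term except the phrase quoted in the original question, plus all weights, the cap and the threshold, are constructed assumptions.

```python
import re

# Constructed dictionary of (term, weight); weights are assumptions to tune.
CHAIN_MAIL_TERMS = [
    ("forward this onto all people", 10),  # phrase quoted in the thread
    ("forward this to everyone", 10),
    ("send this to everyone you know", 10),
    ("do not break the chain", 10),
    ("police warning", 4),
    ("forward", 1),                        # common in business mail: graded low
]
THRESHOLD = 10  # assumed quarantine score

# Constructed sample bodies.
HOAX_SAMPLE = ("URGENT police warning!! Please forward this\n"
               "onto all people in your address book.")
BUSINESS_SAMPLE = ("Hi John, I will forward the invoice to accounts. "
                   "Can you forward the PO too?")

def compile_terms(terms):
    """Build whole-word, case-insensitive patterns that tolerate line wraps."""
    compiled = []
    for term, weight in terms:
        words = [re.escape(w) for w in term.split()]
        pattern = re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)
        compiled.append((term, weight, pattern))
    return compiled

def score_body(body, compiled, per_term_cap=2):
    """Sum weight * occurrences, capping each term so repetition alone
    of a low-weight word cannot reach the threshold."""
    total, hits = 0, {}
    for term, weight, pattern in compiled:
        count = min(len(pattern.findall(body)), per_term_cap)
        if count:
            hits[term] = count
            total += weight * count
    return total, hits

def verdict(body, terms=CHAIN_MAIL_TERMS, threshold=THRESHOLD):
    """Return (action, score, matched terms) for a message body."""
    total, hits = score_body(body, compile_terms(terms))
    return ("quarantine" if total >= threshold else "deliver"), total, hits

if __name__ == "__main__":
    for sample in (HOAX_SAMPLE, BUSINESS_SAMPLE):
        print(verdict(sample))
```
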
