Best practise for blacklist

Analyst42
Level 1

Hello,

I would like to open a discussion about what the best way is to block spam/malicious senders for incoming emails.

I am looking for the most manageable option and can't decide which of these is better:

HAT - There is an option to add a sender IP or geolocation; this option is probably good for persistent spam/malicious senders.

Policy - A policy which is in first place, where senders are matched and a content filter is used to not deliver. This gets a little messy for me when the list starts to grow.

Content filter - A policy like the previous one, but all senders are in a Dictionary used in a content filter; this option looks most familiar to me.


Kind regards

4 Replies

The best practice is to create a policy, where the only thing enabled is a content rule that drops all mail.
As you noted, it's the earliest opportunity once the mail is in the box... and since you're not doing anything but dropping it, you turn off all of the scanners.
Depending upon what sort of stuff you're dropping, using the HAT only really blocks IPs, so you can't block domains sending junk using the big mailers (gmail/Microsoft/etc).

What I'm afraid of in this solution is that when the blacklist is full of random spam emails/domains, it is no longer intelligibly readable; also, won't that use up available system resources? What to do after one year? Is it good practice to do an analysis of how many senders are still active?

It would probably be a good idea to clean up old addresses that you end up blocking this way.

We haven't seen a performance hit with ours... maybe 100 addresses, and we may not have the flow you do...

... we see bigger issues when we use regex anywhere.


tminchin
Level 1

If we get persistent senders which are easily identified to an IP or IP range - we just block them on the firewall to the mail servers. Even with senderbase refusal, getting a lot of continuous connections consumes resources, so just block them before they even get to the ESA. After six months/12 months empty out the ACL and start again.
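Both the question about pruning a grown content-filter dictionary after a year and the reply about emptying the firewall ACL periodically come down to the same review: which blocked senders have actually been seen recently. The script below is an added example, not code from the thread or from Cisco; it runs over a constructed log in a simplified "timestamp sender" format (not the real ESA mail_logs layout, so the regex is an assumption to adapt) and splits a blocklist into entries still active and entries idle longer than a chosen window.

```python
"""Review a sender blocklist against observed mail traffic and flag stale entries."""
import re
from datetime import datetime, timedelta

# Constructed sample log: one message per line, "<ISO timestamp> <sender address or IP>".
# This is NOT the ESA mail_logs format; adjust LINE_RE for the real log you export.
SAMPLE_LOG = """\
2024-01-03T10:00:00 spammer@example.net
2024-06-15T08:30:00 203.0.113.7
2024-09-01T12:00:00 SPAMMER@example.net
2024-11-20T09:45:00 bulk@example.org
"""

# Constructed blocklist (dictionary entries / ACL entries); old@example.com never appears in the log.
BLOCKLIST = ["spammer@example.net", "203.0.113.7", "bulk@example.org", "old@example.com"]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")  # assumption: timestamp, then sender, nothing else


def last_seen(log_text):
    """Return {sender: latest timestamp} for every sender in the log (case-insensitive)."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.fromisoformat(m.group(1))
        sender = m.group(2).lower()
        if sender not in seen or ts > seen[sender]:
            seen[sender] = ts
    return seen


def review_blocklist(blocklist, log_text, now, max_idle_days=365):
    """Split blocklist into (keep, prune): prune entries not seen within max_idle_days of now."""
    seen = last_seen(log_text)
    cutoff = now - timedelta(days=max_idle_days)
    keep, prune = [], []
    for entry in blocklist:
        ts = seen.get(entry.lower())
        (keep if ts is not None and ts >= cutoff else prune).append(entry)
    return keep, prune


if __name__ == "__main__":
    keep, prune = review_blocklist(BLOCKLIST, SAMPLE_LOG, datetime(2024, 12, 31), 180)
    print("still active:", keep)
    print("candidates for removal:", prune)
```

Run it against a real export of rejected-connection or dropped-message logs and review the prune list by hand before deleting anything, since an entry that was quiet for six months may simply be a campaign that paused.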
