does this make sense? Logic check

johnny virgil_ironport · ‎04-21-2005

This is our current sender group order. Does it make sense?

Internal machines that are allowed to relay through IronPort

WHITELIST: TRUSTED Trusted senders have no Brightmail or rate limiting

ManualBlock: BLOCKED manual blocks, and really bad reputations (-8 to -10)

NoBrightMail: TRUSTEDBUTRATELIMITED Bypasses Brightmail Scanning for sending domains with SBRS of +5 or greater

SuspendThrottle: NOTHROTTLE For people that have a bad SBRS that whine

SenderBaseBlocked: SBRSBLOCKED Block senders with SenderBase Rep of -2 to -10

SenderBaseThrottled: SBRSTHROTTLED Throttle senders with SenderBase values of 0 to -1.9

atucker_ironport · ‎04-21-2005

Personally I would have the manually blocked domains first in the list (considering I usually have more blocked domains than whitelisted domains).

But it looks like you have everything set up fine. I am just guessing from your names, but are you rate limiting people with a hight sbrs score? Generally those are the people you can trust to nor flood your network.

Supposedly. :D

johnny virgil_ironport · ‎04-21-2005

Kinda -- we have a problem with tons of NDRs coming in from Phishing expeditions. The sheer volume was overloading brightmail, even though the vast number of returns were to non-existent email addresses on our side, sent from respectable domains. What that rule does is allow them in without going through brightmail, but still allow us to rate limit things like if a large number were coming from AOL, for instance.

atucker_ironport · ‎04-22-2005

Are you unable to use the ldap queries and DHAP?

Also, and I am sure someone will correct me if I am off base here, The SBRS score is based on the sending IP address. So if someone is forging an @aol.com email for phishing, the SBRS score will be from the sending IP address (not aols SBRS score). Of course if if the phishing is coming from actuall aol users or the varmits are forging ip addresses I guess that won't work. :)