Yeah, we're seeing them too. Although, they seem to have slowed down for me. They were really bad in Nov/Dec of '05.

I've not been happy with Brightmail's spam filtering, period. We run all mail that makes it past our IronPort Gateway through another box that runs it through SpamAssassin. Not only does this catch messages like those, but it also allows us to include secondary virus scanning with clamAV which identifies phishing attempts. Because SpamAssassin is not the "black box" that Brightmail is, we are able to tailor the filters to our needs and wind up blocking thousands of additional messages every day that aren't even flagged as "supected spam" by Brightmail.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.

I can definitely understand their thinking on that, but you'd think they'd actually be better at blocking spam than Spamassassin then - this has not been my experience. I've found SA to have a much better track record of false-positives and a much better track record of catching spam - including phishing emails that have not been added to the clamAV signature database yet.

Of course, this is not with the "stock" SA configuration, I've sellected other addons from the community which allow it to more accurately reflect our environment. We catch a lot of those "gif" spams that the GP was complaining about in SA - they ALL made it through BM.

I agree that as a spammer, I'd rather be up against a system that I can see the rules so that I can learn to game them, but it would be nice if BM actually used their "closed" nature more to their advantage because SA seems to still come out way ahead. Although, to be fair it only has to work on messages that made it through BM. If SA was exposed to the entire load of spam - It's results may be entirely different.

I'm happy using both, as they give me the best of both worlds - heck, I'd throw a third one in there if I thought it would help ;-). Right now, if you disregard internal email, we average about 97% spam from the outside world - which we block - and I still get complaints from my users about "so much spam" :?

I can definitely understand their thinking on that, but you'd think they'd actually be better at blocking spam than Spamassassin then

I can see about keeping the rules a secret; however, if they get a false positive and they refuse to adjust their rules or tell you what is causing the problem then I have an issue. We recently had an issue where official company mail got marked as suspect spam and many at the company thought it was an insult that it got marked as suspect spam. At first we were told a reason why that I could not bring to my management and eventually they did change the rule set; however, it wasn't easy convincing them that they needed to make a change.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.


I have to defend Brightmail on this one.  Keeping their rules secret is part of their defense. Spammers know how SpamAssassin works, and have been in a constant arms race against it since day one. And because spammers know how SA works, they can tailor their messages to play to its weaknesses. The fact that Bm's rules are secret means the spammers have a much harder time trying to game them.

Another point is that Bm is deliberately hands-off as a selling point: "We worry about tweaking the rules so you don't have to." That's one of the things that sold us on Bm in the first place: we don't have to devote nearly as much manpower to the spam wars. Essentially, we've outsourced that task to Bm. I just wish they'd pick up the slack a little.

We really haven't seen many false positive issues. In over two years I can still count them on one hand. I don't consider "suspect spam" to be a false positive, mainly because we don't use it very aggressively - almost not at all.

One of my concerns it the fact BM seems to be getting weaker at catching spam and slower at creating new rule sets. I mean the cycle time from when a new spam variant hits until they have new rules, seems over 5 days when it used to be under 2.

A second concern is every new BM engine upgrade really brings a lot more system load. I don't know exactly how much 6.0.2 added, but it noticeably lowered our overall through put. Now 6.0.3 clams to be adding 20% additional system load! This kind of lack of performance tuning on Symantec's part will drive us to spend the time to really compare IronPort's Anti-Spam engine. In two years with IronPorts in our environment the worst critical impact I've had to email delivery was directly due to a Brightmail definition which apparently did not get performance checked and caused a HUGE processing delay on all emails until they got the definition removed. (NOTE: This was back in May of 2004).

Overall I am still pleased with the Brightmail product, but the past 6 months my impression of it has gone down. And the idea of no tracking on missed spam or false positive submissions is just inexcusable.

I totally agree with Erich. The performance of brightmail has steadily declined to a critical point.

In our environment we are looking at alternatives as well. We are very happy with Ironport, but the Antispam process is eating to much CPU... causing mail delays.

Does CPU usage improve when Suspect Spam detection is turned off?

We don't have much throughput (about 6000/hour per C60) so our CPU is about 20% with 6.0.3

Does CPU usage improve when Suspect Spam detection is turned off?

I also agree with Erich. We hardly use the Suspect Spam piece at all. We're also seeing a decline in Brightmail's shine that we used to like so much about it. The one thing that I would like to add is that reputation filtering is key to us. It's where we block most of our SPAM/malware. By the time our Brightmail license runs out, the IronPort AntiSPAM engine should be a bit more mature. We'll certainly give it a good look at that time.

We're also seeing a decline in Brightmail's shine that we used to like so much about it.

By the time our Brightmail license runs out, the IronPort AntiSPAM engine should be a bit more mature. We'll certainly give it a good look at that time.

An increase of large messages results in an unexpected decrease in scanner performance

Situation:

An influx of messages scanned by the Symantec Brightmail product very slowly. The messages are large and some and a check reveals some are not valid email. The scanner becomes backed up. The messages are queued for processing or pass through unfiltered.

One of the following versions is installed:
--Symantec Brightmail AntiSpam 6.0.x
--Symantec Brightmail 6.0
--Brightmail 5.5
--Brightmail 4.0


Solution:
This mostly affects Windows and Openwave mail transport authorities (MTA's), as sendmail and postfix both have an MTA limitation that prevents this from happening. What is occurring is that a sender is sending a message with an extremely large number of headers-- 1000's of them. This could be a spammer attempting a denial of service (DoS) attack. The Scanner software attempts to scan all of the headers and takes a long time doing so, tying up the CPU.

Symantec is working on this problem. Patches will be made available for Brightmail 4.0 and Symantec Brightmail AntiSpam 6.0.x.

Workaround
When you can determine where the messages are coming from, block the sender of any email that is not legitimate.