Trend Micro CSM spam folder

Discussion in 'Windows Small Business Server' started by Gregg Hill, Feb 5, 2006.

  1. Gregg Hill

    Gregg Hill Guest

    Hello!

    I installed Trend CSM 3.0 on my SBS 2003 Premium server to test it before
    installing at client sites. At first, I really liked the idea of letting end
    users manage their own spam folder using the End User Quarantine (EUQ)
    feature. Now, I am not so sure about that. This version seems to let through
    a lot more spam than did Symantec Mail Security, but on the other hand,
    having the EUQ allows my users to never miss an important email because it
    got dropped completely by a spam filter.

    Version 3.0 seems to miss a lot of spam and incorrectly sends a lot of valid
    mail to the spam folder. I read that Trend uses Bayesian filtering, and what
    I read said it was far superior to static lists such as those used by
    Symantec, which is why I switched. Either that was hype, or version 3.0 does
    not use Bayesian filtering.

    Question: if I remove the EUQ feature, where does CSM 3.0 drop the mail it
    thinks is spam?

    I am currently testing CSM 2.0 on another server to see if it is any better
    with spam than is version 3.0. I need something accurate with spam and easy
    to review if users miss something they should have received.

    Thank you for your time!

    Gregg Hill
     
    Gregg Hill, Feb 5, 2006
    #1

  2. That's a design issue with CSM v3 - server side quarantine has been removed.
    The only option you have is EUQ, so instead of it being an added feature,
    it's a replacement. One given, another taken away.

    And yes, I believe the spam filtering provided by eManager (in CSM v2) is
    better at not only filtering spam, but also logging and archiving.
     
    Les Connor [SBS Community Member - SBS MVP], Feb 5, 2006
    #2

  3. I am currently in the process of an SBS 2003 migration and am running Trend
    Micro with the old SBS 2000. We had lots of problems upgrading from v2 to
    v3. I don't know if we will have the same problems installing v3 on the SBS
    2003 or not or if you recommend we stay with v2?

    Thanks for any suggestions.


     
    Tom in Pittsburgh, Feb 5, 2006
    #3
  4. Hi Tom,

    Personally I'd recommend CSM v2 at this time, as there's absolutely nothing
    wrong with it ;-).

    And, depending on the migration technique you're using - if it's swing
    migration (www.sbsmigration.com) then it's possible to take the Trend
    database from the old server to the new - meaning no client machines need be
    touched.


    --
    Les Connor [SBS Community Member - SBS MVP]
    -----------------------------------------------------------
    SBS Rocks !
    ----------------------
    "Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
    understand." - Confucius


     
    Les Connor [SBS Community Member - SBS MVP], Feb 5, 2006
    #4
  5. Gregg Hill

    Gregg Hill Guest

    Les,

    How good is the anti-spyware stuff in CSM 2 (or is there any)?

    Was I correct about the Bayesian filtering?

    Gregg Hill



     
    Gregg Hill, Feb 5, 2006
    #5
  6. There isn't any anti-spyware in CSM v2, nor is there in CSM v3. It's a
    separate product.

    I have MS Antispyware on workstations, and like it (don't install it on your
    server)

    Bayesian? I haven't a clue, sorry ;-).

    --
    Les Connor [SBS Community Member - SBS MVP]
    -----------------------------------------------------------
    SBS Rocks !
    ----------------------
    "Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
    understand." - Confucius


     
    Les Connor [SBS Community Member - SBS MVP], Feb 5, 2006
    #6
  7. Gregg Hill

    Gregg Hill Guest

    Les,

    Do you have any problems with spam getting into your Inbox in spite of
    Trend? I assume you are on version 2.0. My SBS 2003 server, with
    about-to-be-removed version 3.0, gets a bunch of spam that makes it into the
    Inbox. I have Recipient Filtering and tarpitting at 45 seconds to cut out
    messages to bogus names and try to prevent a directory harvest, plus
    Connection Filtering with sbl-xbl.spamhaus.org, list.dsbl.org, and
    dnsbl.sorbs.net for my RBL servers.

    Example below of body of messages that keep going to my Inbox:

    -------------------------------------------------------------------------

    From: Vartouhi Garg [mailto:]
    Sent: Sunday, February 05, 2006 4:05 PM
    To: Gregg Hill
    Subject: Re: q news 284

    Hi,

    (I snipped the URL of spam site)

    V j I x A a G j R c A v v $ q 3 i , f 3 g 3 o V d A j L i I h U k M c t
    $ c 1 w , r 2 d 1 s C e I n A e L g I w S y a $ u 3 a , b 7 z 5 k
    -------------------------------------------------------------------------


    Thanks for your time, Les!

    Gregg Hill




     
    Gregg Hill, Feb 6, 2006
    #7
  8. Gregg Hill

    Gregg Hill Guest

    Wow! The text of the example message did not come out even close to what it
    is in the spam message.

    It shows

    Viagra $3,33
    valium $1,21
    Cialis $3,75

    with three lines of garbage text on the right side of the message.

    Gregg Hill


     
    Gregg Hill, Feb 6, 2006
    #8
  9. Neither CSM 2, 3, or IMF is picking those up ATM. They must be smart
    spammers. IMF is currently tagging them at about 5 for SCL, and you can't
    set IMF to reject that low, because there would be too many false positives.

    So far as the RBL servers go, I don't get any better results with them than
    I do with either eManager alone, or CSM v3 with IMF out front and rejecting
    at SCL 7 and above. So I don't use them. Tarpitting - nope, don't use that
    either. It's useful in certain circumstances, but not that frequently.


    --
    Les Connor [SBS Community Member - SBS MVP]
    -----------------------------------------------------------
    SBS Rocks !
    ----------------------
    "Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
    understand." - Confucius


     
    Les Connor [SBS Community Member - SBS MVP], Feb 6, 2006
    #9
  10. Gregg Hill

    Gregg Hill Guest

    Les,

    You should see the HTML behind the messages! Fargin bastiges!

    This is their code to display V A L I U M

    <DIV>V
    <DIV style="FLOAT: right">o </DIV>A
    <DIV style="FLOAT: right">j </DIV>L
    <DIV style="FLOAT: right">v </DIV>I
    <DIV style="FLOAT: right">z </DIV>U
    <DIV style="FLOAT: right">v </DIV>M
    <DIV style="FLOAT: right">n </DIV>&nbsp;
    <DIV style="FLOAT: right">g </DIV>$
    <DIV style="FLOAT: right">t </DIV>1
    <DIV style="FLOAT: right">m </DIV>,
    <DIV style="FLOAT: right">j </DIV>2
    <DIV style="FLOAT: right">v </DIV>1
    <DIV style="FLOAT: right">v </DIV></DIV>



    I use tarpitting only when I turn on Recipient Filtering. I had three people
    for whom I subcontract get hit with reverse NDR attacks, necessitating the
    Recipient Filtering and tarpitting.

    Oh, regarding the Connection Filtering question, I was brain-dead. I had
    enabled it before, but had turned it off again. I will leave it on and see
    what happens.

    Nice talking to you!

    Gregg Hill




     
    Gregg Hill, Feb 6, 2006
    #10
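
An added example, not part of the original thread: the markup quoted in post #10 interleaves visible characters with junk characters in right-floated DIVs, so a filter that strips tags and tokenizes the result never sees the word. The sketch below separates normal-flow text from floated text and counts short floated fragments as a detection signal. It assumes floats are set through inline `style` attributes only; `FloatSplitter` and `analyze` are hypothetical names, not part of CSM or IMF.

```python
import re
from html.parser import HTMLParser

# Rebuilds the markup quoted in post #10: one visible character in normal flow,
# then one junk character in a right-floated DIV, repeated.
VISIBLE = ["V", "A", "L", "I", "U", "M", "&nbsp;", "$", "1", ",", "2", "1"]
JUNK = "ojvzvngtmjvv"
SAMPLE = "<DIV>" + "".join(
    f'{v}\n<DIV style="FLOAT: right">{j} </DIV>' for v, j in zip(VISIBLE, JUNK)
) + "</DIV>"

FLOAT_RE = re.compile(r"float\s*:\s*(left|right)", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag


class FloatSplitter(HTMLParser):
    """Separates normal-flow text from text inside floated elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []        # one bool per open element: is it floated?
        self.flow, self.floated, self.raw = [], [], []
        self.short_floats = 0  # floated fragments of one or two characters

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            self.stack.append(bool(FLOAT_RE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)  # what a tag-stripping tokenizer would see
        if any(self.stack):
            self.floated.append(data)
            self.short_floats += 0 < len(data.strip()) <= 2
        else:
            self.flow.append(data)


def _squash(parts):
    # Drop layout whitespace, keep &nbsp; (decoded to \xa0) as a real space.
    return re.sub(r"[ \t\r\n]+", "", "".join(parts)).replace("\xa0", " ")


def analyze(html):
    p = FloatSplitter()
    p.feed(html)
    p.close()
    return {"rendered": _squash(p.flow), "junk": _squash(p.floated),
            "tag_stripped": _squash(p.raw), "short_floats": p.short_floats}
```

Running `analyze(SAMPLE)` recovers the advertised text in `rendered`, while `tag_stripped` shows the interleaved string a content filter would score; a high `short_floats` count on a short message is the signal worth alerting on.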
  11. Recipient filtering is one you definitely want ;-).

    Yeah, these are smart spammers. Every email is different in multiple ways -
    very hard to filter. Did you know that CSM will reject HTML emails ;-)? But
    that's a pretty big hammer.

    --
    Les Connor [SBS Community Member - SBS MVP]
    -----------------------------------------------------------
    SBS Rocks !
    ----------------------
    "Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
    understand." - Confucius


     
    Les Connor [SBS Community Member - SBS MVP], Feb 6, 2006
    #11
  12. Gregg Hill

    Gregg Hill Guest

    Microsoft recommends tarpitting whenever you use Recipient Filtering, or you
    are open to a directory harvest attack to determine legitimate addresses.

    I agree that killing HTML email would be way too drastic.

    Gregg Hill



     
    Gregg Hill, Feb 6, 2006
    #12