Foreword

I wrote about the IronPort C170 on Habr a year ago, and that was my first article, the one that earned me an invite. Unfortunately, since then not a single (!) article about this piece of hardware has appeared on Habr, which I consider impermissible for a resource like Habr.
To begin with, I will of course point back to my first article: habrahabr.ru/post/148317. It is an overview and draws no conclusions. But over the course of a year I have figured the box out a bit, learned some tricks and run into a firmware bug ... and in general I am now ready to tell something more than nothing about it :)
For starters, I would like to show again how much spam in the world goes.

Billion emails per day. In total, spam accounts for approximately 85% of all mail traffic in the world.
Despite its low efficiency, its volume is not going to decrease. Damn, who reads it at all? Do people really call these phone numbers? Well, okay, I got distracted ...
So. To begin with, let's recall the general spam-screening technique in the default configuration. First of all, IronPort cares not about the body of the letter but about its sender. The address, and the subnet it belongs to, play the biggest role: for each source the box assigns a score from -10 to +10. IronPort takes these scores from senderbase.org. If you simply go to the site and enter the address of your outgoing mail server, all you see is a terse poor, good or neutral. But IronPort knows more than that and records the score to a tenth. By default, the system terminates the SMTP session even before data transfer if the server's rating is below -3.
How I improved the anti-spam filter
This section is mostly for those who already own the box.
It suited me: I could see what ratings letters arrived with, and if a client has a negative rating at all, it definitely means that many emails with bad content have been seen from this source, so you should trust that server with caution, or better not at all.
That lasted until a long-awaited letter for the director was simply dropped. I considered that an unpleasant event. I quickly added the server to the whitelist and gently informed the director that his letter had been classified as spam ... and could be sent again! Everything worked out, no thunderbolts were thrown, and I began to think about how to modernize the system so that spam would not get through and letters would not be dropped.

I started with something simple: I split off the traffic rated below -3, but instead of destroying it I created a special quarantine into which I began throwing those letters. It was the simplest step, but most importantly it protected me from irretrievably destroying letters. For this quarantine I allocated the maximum remaining space on the disks, 2.3GB (I don't know why there is so little, but there is no more), with a retention period of 50 days. On average, this quarantine is now 55% full.
However, this was not enough. I noticed that there is an unacceptable amount of spam with a slightly negative rating, anywhere from -0.5 to -3. That was sad, because you cannot simply sort them out: a few percent of those letters were legitimate. Since nobody reads the whole text anyway, I hasten to inform you that the towel has removed this post. Still, I noticed that none of the spam emails had a correct PTR record, while all the legitimate letters with such a rating had a correct matching PTR-A pair. But my disappointment knew no limit: in the standard filtering you cannot configure a filter by the sender group of the source. You can drop a letter outright, but you cannot filter it! Stupid.

I had to go further, blow the dust off the PDF manual and see what else is in the settings. To solve the filtering problem for sources without PTR, I had to go deep into the bowels of the inhospitable command-line interface.
As a result, I had to create a special filtering rule. It looks pretty simple:
Config text:

    Num  Active  Valid  Name
    1    Y       Y      DNS_Fail_ToSpam

    DNS_Fail_ToSpam:
    if sendergroup == "UNVERIFIED_LowScore"
    {
        quarantine("trash");
    }

And it does exactly what is needed: if the letter comes from the sender group UNVERIFIED_LowScore, it goes into that very special quarantine.
As a result, compared with the original setting, where letters scored below -3 were simply destroyed and almost everything above passed, my settings showed a higher level of filtering as well as unsurpassed resistance to letter loss: even the most notorious trash is stored ... just in case :) Only letters to non-existent recipients are killed immediately.
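To make the two checks above concrete, here is an added Python simulation (not the appliance's code) of the decision this section describes: a forward-confirmed reverse DNS check (PTR, then A record of the resulting hostname must contain the IP), then a sender group derived from the SenderBase score and that check, then the default action versus the author's quarantine-everything policy. The DNS tables, IPs and scores are constructed, and the group names other than UNVERIFIED_LowScore are assumed.

```python
# Constructed DNS tables standing in for real PTR/A lookups so this runs offline.
PTR_TABLE = {
    "203.0.113.10": "mail.example.com",  # PTR and A agree: verified
    "203.0.113.20": "mx.example.net",    # PTR exists, but its A record points elsewhere
    "203.0.113.30": None,                # no PTR record at all
}
A_TABLE = {
    "mail.example.com": ["203.0.113.10"],
    "mx.example.net": ["198.51.100.5"],
}


def reverse_dns_verified(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Forward-confirmed reverse DNS: IP -> PTR hostname -> A records must contain the IP."""
    host = ptr_table.get(ip)
    if not host:
        return False
    return ip in a_table.get(host, [])


def sender_group(score, verified):
    """Map a SenderBase score (-10..+10) plus the DNS result to a sender group.
    Thresholds follow the article; group names other than UNVERIFIED_LowScore are assumed."""
    if score < -3:
        return "BLACKLIST"
    if score <= -0.5 and not verified:
        return "UNVERIFIED_LowScore"
    return "ACCEPTED"


def decide(ip, score):
    """Return (group, default_action, improved_action) for one connecting sender."""
    group = sender_group(score, reverse_dns_verified(ip))
    # Default policy: terminate the SMTP session below -3, accept everything else.
    default = "drop" if group == "BLACKLIST" else "deliver"
    # Improved policy: nothing is destroyed; both bad groups go to the "trash" quarantine.
    improved = 'quarantine("trash")' if group != "ACCEPTED" else "deliver"
    return group, default, improved


if __name__ == "__main__":
    # Constructed sample connections: (IP, SenderBase score)
    for ip, score in [("203.0.113.10", -1.2), ("203.0.113.30", -1.2), ("203.0.113.20", -5.0)]:
        print(ip, score, decide(ip, score))
```

The middle case is the one the article cares about: the same -1.2 score is delivered when the PTR-A pair checks out and quarantined when it does not.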
Observation: from the moment I began accepting all SMTP sessions and the letters in them, the number of connections dropped drastically, several times over. From this I concluded that spammers do not care about your temporary delays, session drops and all the rest; they will try to send a letter many times, not once, as is commonly believed.
Problem with the firmware
At some point, very strange letters began arriving in the mailbox from the box. Something like this:
Text of the letter:

The Critical message is:
An application fault occurred: ('egg/coro_postgres.py _simple_query|756', "<class 'coro_postgres.QueryError'>", '_simple_query (ERROR 53000: couldn't write block 14 of 17144/17171 blind: Too many open files in system)', '[egg/quarantine_hermes.py _expiration_main|1980] [egg/quarantine.py expire_all_messages|771] [egg/quarantine.py _process_transaction|871] [egg/quarantine.py _expire_messages|1355] [egg/quarantine.py _query|1669] [egg/quarantine.py _call_db|1643] [egg/quarantine.py _db_query|1726] [egg/coro_postgres.py query|346] [egg/coro_postgres.py _simple_query|756]')
Version: 7.6.1-022
Serial Number: 5057A8E1583B-FGL161740BG
Timestamp: 13 Dec 2012 00:32:18 +0400
To learn more about alerts, please visit our Knowledge Base. In many cases, you can find it. Please click the Knowledge Base link after logging into our Support Portal at:
www.cisco.com/web/ironport/index.html
If you desire further information, please contact your support provider.
The IronPort C170 and the supportrequest command. Cisco IronPort Customer Support
Thank you.
The text kept changing. For some time I did not pay much attention to these letters and believed that as long as mail was being filtered, there was nothing to worry about. Everything was fine until the letters stopped being filtered :) At some point IronPort simply stopped assigning scores to the senders' servers, and it turned out that "the astrologers have proclaimed the week of the long MHP. The amount of spam has increased tenfold."
Well, I did as it is written: I turned to tech support.
At first a certain Ahmed Aaref started a conversation with me. Probably from sunny India. But then, once the case was opened, an employee from Germany contacted me. Then came long ordeals trying to set up a special secure channel for technical support. None of that worked out, and we agreed that I would simply give them full SSH access :) Not very safe, I thought, but you cannot get beyond the standard IronPort with standard tools anyway. After that the engineer started poking around. And, lo and behold, it all worked.
However, the cause of the failure struck me to the depths of my soul:
Technical Support Solution:

If you've seen a problem, you've seen defect 86843 after upgrade to AsyncOS version 7.6.1-022. It has been taken that it has been taken for a period of time.
I have created the subfolder on the appliance. In order to restart, the appliance needs to be rebooted. Could you go ahead and reboot the unit gracefully? After the reboot, the appliance should work properly again and retrieve the SenderBase Reputation Scores!

Tons of terrible errors, and the cause is ... a subfolder. Nevertheless, in the end I want to say that I liked the communication with technical support. Although they behaved, at least to some extent, according to stereotype, it was still clear that there were people there and they wanted to help. They understood my clumsy English, and I understood them too :)
What I did not like after a year of operation
- Still, the web interface is not thought through enough and makes you resort to crutches. Maybe this is done deliberately, to push engineers toward the more complex tasks.
- No support for LACP link aggregation.
- No way to do a reverse check of the sender.
- The rules are not flexible enough. I would like to manage the scores myself and add new verification tools that raise or lower a score.
What pleased me? Is it worth the money?
I do not know whether it is worth its money :) The cost is still rather high, about $20-30 per user per year. Maybe today I would look for other solutions, but in all this time there was only one real problem, and it is described above. If I had not done the firmware update, it would not have appeared at all. There were no other problems with the device. It just sits there, humming to itself in the server room, and asks for nothing. Sometimes I forget on which ports I set up the administrative part, and in general forget where everything is when something needs to be done. In that respect, everything is gorgeous :)
Spam is also filtered with sufficiently high quality, and the personal quarantine lets the administrator save on manual actions to retrieve letters: the user can release a letter himself from the weekly report on his quarantine.
Thanks to everyone who read this. If anyone has questions about the box, I will answer them all. Within the limits of what I know, of course :)
Well, I am also adding a screenshot with my statistics.
