
E2k3 SP2 (IMF) vs. NetIQ


Jon Doe

Nov 20, 2005, 7:44:28 PM
Hi there,

I just loaded SP2 on all my Exchange servers, and have been playing with the
IMF features. My company is in the middle of finding a permanent spam
solution, and I've recommended NetIQ spam filtering (this is before I loaded
SP2) since I used NetIQ before at my previous job and I believe it's a
pretty good spam filter.

Now with spam filtering coming with Exchange, I'm wondering if Microsoft can
effectively put these other spam filtering software makers out of the spam
filtering business. My question is, what (if anything) does NetIQ have on
Microsoft's IMF to make it compelling?

Is there any reason whatsoever to want to consider a software program like
NetIQ when Exchange SP2 comes with one built in? Any
advantages/disadvantages?

Thanks much!


Mark Arnold [MVP]

Nov 20, 2005, 7:54:47 PM
On Sun, 20 Nov 2005 18:44:28 -0600, "Jon Doe" <jd...@comcast.net>
wrote:

3rd party solutions are updated on a regular basis; for now, the IMF
isn't.
It's a good plan to stick with any 3rd party arrangements for now and
keep an eye on what's catching what.

Daniel S. Tate

Nov 20, 2005, 8:18:35 PM

IMF is nice if you don't have anything else. Microsoft might improve it
one day, but 3rd party solutions are updated, for now, more often than
IMF. I'd stick with NetIQ or a similar solution - also look at Postini
or Barracuda devices. We use those a lot and they're rather nice.

--
Sincerely,
Daniel S. Tate,
MCSA+Messaging,
Sun Certified Security, Network and Systems Administrator

Ben M. Schorr - MVP

Nov 20, 2005, 8:41:44 PM
If you haven't already paid for a 3rd party solution then I would hold off
and see how the IMF does for you. I have a few clients who are running just
IMF (along with connection/sender filtering) and are extremely happy with
it.

It's true that the IMF is not updated as often as the 3rd party filters (at
least currently) but that may or may not matter to you. I'd give the IMF
2-4 weeks and see how it goes. If there is still too much spam coming thru
and you don't feel you can tweak IMF any more, then invest in the 3rd party
solution.


--
Aloha,

-Ben-
Ben M. Schorr, OneNote-MVP
Roland Schorr & Tower
http://www.rolandschorr.com
Microsoft OneNote FAQ: http://www.factplace.com/onenotefaq.htm

**I apologize but I am unable to respond to direct requests for assistance.
Please post questions and replies here in the newsgroup. Mahalo!


Alexander Zammit

Nov 21, 2005, 11:51:49 AM
In a recent WebCast an MS guy said that there will be regular updates for
IMF very soon. So you might want to wait a bit before dumping IMF because of
updates. More details from here:

http://www.exchangeinbox.com/articles/013/sp2imf.htm

I hope they keep their promise!


cheers,

Alexander Zammit
Software Development Consultant
ExchangeInbox.com MS Exchange resource site
http://www.exchangeinbox.com/


Jon Doe

Nov 21, 2005, 8:29:12 PM
Thanks for the replies everyone. So, I posted this message
yesterday and guess what happened today?! We got slammed!

So today we got this virus outbreak and tons of users were getting an e-mail
that had a zip file. Within the zip file was an exe file. As you might
expect with users, some of them opened the exe files. I turned on Sender ID
filtering and increased SCL blocking. These messages were still coming
through. However, I did notice that after turning on SenderID filtering, the
headers indicated that the messages were being sent from IP addresses within
our network.

Anyway, I looked up information, and it doesn't appear that IMF blocks
attachments! I know that with NetIQ, I could've simply blocked exe files and
this would never have come in in the first place. So, I should let you know
that while the spamming has reduced, this issue is still ongoing.

Did I miss anything with IMF, or is a 3rd party spam solution my best option
to block attachments?

Thanks!


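The attachment rule described in the post above (refusing .exe files even when they arrive inside a zip), sketched as an added example that is not part of the original thread and is not NetIQ's or IMF's code. The block list beyond .exe and .vbs, the function names and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .exe and .vbs are named in the thread; .scr and .pif are assumed additions.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif"}

def extension(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    name = name.strip().rstrip(". ").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def blocked_attachments(raw_message):
    """Return (attachment name, offending name) pairs for a raw message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if extension(filename) in BLOCKED_EXTENSIONS:
            hits.append((filename, filename))
        # Judge archives by content, not by name: a renamed zip is still a zip.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                members = archive.namelist()
        except zipfile.BadZipFile:
            # Unreadable archive: fail closed so it can be quarantined.
            hits.append((filename, "<unreadable archive>"))
            continue
        hits.extend((filename, m) for m in members
                    if extension(m) in BLOCKED_EXTENSIONS)
    return hits

def build_sample(member_name):
    """Constructed message: a zip attachment holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.test", "b@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample("form.EXE")))   # flagged
    print(blocked_attachments(build_sample("notes.txt")))  # clean
```

Only one archive level is inspected here; nested or password-protected archives need their own policy decision.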

Ben M. Schorr - MVP

Nov 21, 2005, 9:10:47 PM
Attachment blocking is generally the province of Anti-virus rather than spam
blockers, though certainly some spam blockers do it too.

Let me guess -- the virus was an e-mail that claimed to be from the FBI?
Luckily your anti-virus system killed the virus before your users, who
should know better than to open a random .EXE file, could do any real damage
right?


--
Aloha,

-Ben-

Jon Doe

Nov 21, 2005, 9:42:41 PM
Yep... they were the ones from the FBI. Well I know it's generally the realm
of the antivirus software, but I know that NetIQ does do virus scanning as
well. The problem was that even though our antivirus defs are updated
weekly, the one everyone had did not catch this virus. I went on Symantec's
website and got today's defs (not available via automatic update) and it
caught the virus.

Either way, I know that with a 3rd party spam solution, I would block
certain attachments such as the usual suspects like .exe, .vbs...etc. So,
sounds like these FBI e-mails slammed a lot of e-mail systems today huh?



Steve

Nov 22, 2005, 8:39:31 AM
I think IMF may be a decent solution for people who want to block
50-60% of their spam, but there is no way that IMF releasing 2 updates
a month will block these spam campaigns that typically come out after a
virus infection. In fact, the Sober.U virus that went out yesterday
was probably intended to recruit a new list of zombie machines to send
out some Thanksgiving spam. You should see increasing amounts of spam
all through December as well.

I personally like the managed service approach and have used AppRiver
(www.appriver.com) for a year or so. By routing your mail through
their service, you make them handle the brunt of spam, virus and
directory harvest attacks. I don't have to worry about message
quarantine space or virus definitions, it's all handled. IMF has a
long way to go and there are so many more effective products out there,
why waste time and expose all of your users to spam that could be gone
by simply choosing an effective 3rd party solution? Sometimes free is
not better.

-Steve

Staceman

Nov 22, 2005, 4:32:09 PM
The virus you're referring to is the Sober.x and is spreading like crazy.
Almost all AV vendors have upgraded it to High over the last 24 hours. I run
several clients' servers and most of them did not catch it as definitions are
just now coming out. Luckily, it's not a destructive virus and more of an
annoyance and a bog on Exchange servers everywhere. I have found the
quickest way to see if you are infected is to look for a
c:\windows\WinSecurity folder. If it's there, it is likely you are infected.
Check all of your clients' machines as most of my clients have had at least 1
machine infected, even with updated AV, Spam, Spyware blocks and all.

Ben M. Schorr - MVP

Nov 22, 2005, 5:33:38 PM
<shrug> A client who recently installed it found that it blocked about 90%
of their incoming spam and for some of their users reduced it to almost
none. (down from dozens or even hundreds a day before that). Of course,
that's in conjunction with some connection filtering as well.

Your mileage may vary, of course.


--
Aloha,

-Ben-

Rich Matheisen [MVP]

Nov 22, 2005, 10:10:10 PM
"Steve" <st...@allzero.com> wrote:

>I think IMF may be a decent solution for people who want to block
>50-60% of their spam, but there is no way that IMF releasing 2 updates
>a month will block these spam campaigns that typically come out after a
>virus infection.

That depends a lot on the contents of the spam that gets sent. The IMF
employs a statistical filter that uses n-grams (probably di-grams).
The number of word pairs, and combinations of words in the pairing,
are what's important, not just simple keyword or phrase matching.
Statistical filters are pretty accurate in locating spam in these
circumstances. When the words are misspelled, or misformed, or the
parser that generates the token can be fooled, then the filter becomes
less accurate until it can train on the new messages.

I'm not a big fan of the IMF because it *is* a black box and it's not
trainable. But don't knock the underlying way in which it arrives at
its conclusion about a message's spamminess.

>In fact, the Sober.U virus that went out yesterday
>was probably intended to recruit a new list of zombie machines to send
>out some Thanksgiving spam. You should see increasing amounts of spam
>all through December as well.

Just like every year.

>I personally like the managed service approach and have used AppRiver
>(www.appriver.com) for a year or so. By routing your mail through
>their service, you make them handle the brunt of spam, virus and
>directory harvest attacks. I don't have to worry about message
>quarantine space or virus definitions, it's all handled. IMF has a
>long way to go and there are so many more effective products out there,

Yes, there are.

>why waste time and expose all of your users to spam that could be gone
>by simply choosing an effective 3rd party solution? Sometimes free is
>not better.

But sometimes it's all you can afford. :)

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.p...@getronics.com
Or to these, either: mailto:h.p...@pinkroccade.com mailto:melvin.mcp...@getronics.com mailto:melvin.mcp...@pinkroccade.com
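A generic di-gram statistical filter of the kind the post above describes, as an added example that is not part of the original thread and is not IMF's algorithm (which the post itself calls a black box). It is a naive Bayes classifier over word pairs with add-one smoothing; the class, function names and training corpus are constructed for illustration.

```python
import math
import re
from collections import Counter

def bigrams(text):
    """Lower-case the text and return adjacent word pairs (di-grams)."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return list(zip(words, words[1:]))

class BigramFilter:
    """Naive Bayes over word pairs with add-one smoothing."""

    def __init__(self):
        self.pairs = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, label, text):
        self.pairs[label].update(bigrams(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.pairs["spam"]) | set(self.pairs["ham"]))
        denom = {k: sum(c.values()) + vocab for k, c in self.pairs.items()}
        # Start from the prior odds, then add each pair's log-likelihood ratio.
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for pair in bigrams(text):
            p_spam = (self.pairs["spam"][pair] + 1) / denom["spam"]
            p_ham = (self.pairs["ham"][pair] + 1) / denom["ham"]
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training corpus (not real mail).
SPAM = ["cheap meds online order now", "order cheap meds today",
        "buy cheap meds online now"]
HAM = ["please order the meeting room now", "the online meeting is today",
       "order lunch for the team today"]

def build_filter():
    f = BigramFilter()
    for text in SPAM:
        f.train("spam", text)
    for text in HAM:
        f.train("ham", text)
    return f

if __name__ == "__main__":
    f = build_filter()
    obfuscated = "order ch3ap m3ds onl1ne"
    for msg in ("order cheap meds online", "please order lunch online today", obfuscated):
        print(f"{f.spam_probability(msg):.2f}  {msg}")
    f.train("spam", obfuscated)  # retrain on the new variant
    print(f"{f.spam_probability(obfuscated):.2f}  {obfuscated} (after retraining)")
```

The misspelled variant produces only unseen pairs, so its score falls back toward chance until the filter is trained on it, which is the weakness of a filter that cannot be retrained between updates.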

Rich Matheisen [MVP]

Nov 22, 2005, 10:12:57 PM
"Staceman" <Stac...@discussions.microsoft.com> wrote:

>The virus you're referring to is the Sober.x and is spreading like crazy.
>Almost all AV vendors have upgraded it to High over the last 24 hours. I run
>several clients' servers and most of them did not catch it as definitions are
>just now coming out. Luckily, it's not a destructive virus

That would depend on what it's installing on your machines. A lot of
the crap out there now isn't as intent on destroying stuff as it is on
stealing stuff (data, passwords, time, bandwidth, etc.). Script kiddies
are disappearing and they're being replaced by criminals.
