I have mentioned before the results I have received from Vamsoft ORF in the past, most recently using their honey pot feature: http://blog.sembee.co.uk/archive/2009/09/26/108.aspx.
However, I recently deployed the product with another client and the results are truly spectacular.
The client has approximately 300 users, and they noticed the results almost immediately.
It was deployed as I described in the above blog posting: it ran in test-only mode for a day or two to build up a whitelist, then it went live.
The proof is in the numbers, so here is a screenshot of the statistics. At the time this was taken, the system had been running for almost 12 days.
For those of you not believing their eyes, that is 8.8 million messages that senders attempted to deliver.
That is roughly 700,000 messages a day.
Of those, 60,000 were not spam, so around 5,000 a day, or about 16 per user per day on average.
The spam ratio hovers between 99% and 100% (there is some rounding going on there, as it is shown to the nearest full percentage point).
The logs have been watched very carefully for false positives. There have been none.
So let's just go through what is working with that client.
First is DHA protection: Directory Harvest Attack. A harvest attack is simply a large number of email messages coming from the same IP address to many different recipient addresses in a short space of time, the sender's aim being to discover which addresses at the domain actually exist. For some reason this client receives a lot of messages to invalid recipients. The software blocks the offending host from sending any more messages. It works hand in hand with the honey pot test and recipient validation.
Next is the honey pot test. I have talked about that before (link above), but in brief it blocks any host that sends to a known non-valid recipient: an address that has never existed and is only there as bait. This feature is simply the most effective thing I have seen against spam for a long time.
Third is recipient validation: dropping email that is simply addressed to users who do not exist. This is a straight query against Active Directory.
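To make the three tests above concrete, here is a small simulation of the RCPT-stage decisions they imply. It is an added illustration written for this post, not ORF's own code: the mailbox directory stands in for the AD query, the honey pot address, the DHA threshold and window, and the log lines are all made up.

```python
"""
Simulated RCPT-stage filtering: recipient validation, honey pot test and
Directory Harvest Attack (DHA) detection. Added illustration, not ORF's code;
the directory, honey pot address, thresholds and log lines are constructed.
"""
from collections import defaultdict, deque

# Hypothetical mailbox directory: stands in for the Active Directory query
# that real recipient validation makes.
VALID_RECIPIENTS = {
    "alice@example.com",
    "bob@example.com",
    "helpdesk@example.com",
}

# Hypothetical honey pot address: never valid, only published as bait, so any
# host that tries to deliver to it is working from a harvested or guessed list.
HONEYPOT_RECIPIENTS = {"sales-archive@example.com"}

DHA_THRESHOLD = 3      # invalid recipients from one IP ...
DHA_WINDOW = 60.0      # ... within this many seconds => treat the host as a harvester


class RcptFilter:
    """Decides accept/reject for each RCPT TO, before any message body is received."""

    def __init__(self, valid, honeypots, threshold=DHA_THRESHOLD, window=DHA_WINDOW):
        self.valid = {a.lower() for a in valid}
        self.honeypots = {a.lower() for a in honeypots}
        self.threshold = threshold
        self.window = window
        self.blocked = {}                       # ip -> reason it was blocked
        self.invalid_hits = defaultdict(deque)  # ip -> timestamps of invalid RCPT attempts

    def check(self, ip, rcpt, now):
        """Return (accepted, reason) for one RCPT TO from ip at time now (seconds)."""
        if ip in self.blocked:
            return False, "blocked-host:" + self.blocked[ip]
        rcpt = rcpt.lower()
        if rcpt in self.honeypots:
            # Honey pot test: a single hit is enough to block the sending host.
            self.blocked[ip] = "honeypot"
            return False, "honeypot"
        if rcpt in self.valid:
            return True, "ok"
        # Recipient validation failed: reject, and count it toward DHA detection.
        hits = self.invalid_hits[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:   # forget hits outside the window
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked[ip] = "dha"
            return False, "dha"
        return False, "invalid-recipient"


# Constructed SMTP-style log: "<seconds> <client-ip> <RCPT TO address>".
SAMPLE_LOG = """\
0    203.0.113.5   alice@example.com
1    203.0.113.5   bobb@example.com
2    198.51.100.7  aaron@example.com
3    198.51.100.7  abigail@example.com
4    198.51.100.7  adam@example.com
5    198.51.100.7  alice@example.com
6    192.0.2.9     sales-archive@example.com
7    192.0.2.9     helpdesk@example.com
500  203.0.113.5   bobby@example.com
"""


def run_log(log_text, flt=None):
    """Feed each log line through the filter; return (decisions, blocked hosts)."""
    flt = flt or RcptFilter(VALID_RECIPIENTS, HONEYPOT_RECIPIENTS)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, rcpt = line.split()
        accepted, reason = flt.check(ip, rcpt, float(ts))
        decisions.append((ip, rcpt, accepted, reason))
    return decisions, dict(flt.blocked)


def summarize(decisions):
    """Count accepted decisions and rejections by reason."""
    counts = defaultdict(int)
    for _, _, accepted, reason in decisions:
        counts["accepted" if accepted else reason] += 1
    return dict(counts)


if __name__ == "__main__":
    decisions, blocked = run_log(SAMPLE_LOG)
    for ip, rcpt, accepted, reason in decisions:
        print(f"{ip:14} {rcpt:28} {'ACCEPT' if accepted else 'REJECT'} {reason}")
    print("blocked hosts:", blocked)
    print("summary:", summarize(decisions))
```

Two things the sample log is built to show: the harvesting host 198.51.100.7 is blocked on its third invalid recipient and its later message to a perfectly valid mailbox is then refused too, while the legitimate host 203.0.113.5 mistypes an address twice but, because the two typos fall well outside the window, is never blocked. That second case is the false-positive risk a tight threshold carries, which is why the logs are worth watching after go-live.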
A DNS blacklist is also being used (Spamhaus ZEN), but it is blocking only a small percentage of the email.
What the screenshot doesn't show is that the built-in Exchange 2007 Content Filtering is also enabled, but the number of messages arriving in the quarantine mailbox is a handful a day.
We are not using Greylisting, reverse DNS or the SPF tests.
In short, the three tests that are getting the most results rest on two things: rejecting mail to non-valid recipients, and blocking the hosts that send it.
The messages are rejected during the SMTP conversation, before the message body is transferred, so the bandwidth they consume is negligible. They never come in to be processed by Exchange or scanned by the AV and anti-spam software.
Due to the volume of email and the number of queries, this system will most likely be moved to a SQL-backed database. The load on the domain controller used for recipient validation is being watched carefully, and the DC hardware will be upgraded if required.
If you haven't had a chance to try Vamsoft ORF, then I suggest that you do. The impact can be almost immediate. It is priced per server, and because the tests are based on hosts and recipients there are no definition files to keep updated.
Works with all versions of Exchange, including Exchange 2010.
Vamsoft ORF: http://www.shareit.com/product.html?productid=169362&affiliateid=200023740