<div dir="ltr">The thing with a lot of modern malware is that it often goes through a crypter before it gets sent out, which means that it's not uncommon for every single sample in a given campaign to be completely unique - this is why people have been bemoaning the fact that signature based AV has been broken for years.<div><br></div><div>Ironport is for stopping spam, it can look for known malware whilst it's at it but this relies upon signatures (see above). There are some pretty good cloud based as a service offerings for Spam/Malware filtering but email is just one vector of attack, as has been mentioned. Users are used to clicking on dropbox links etc and downloading files all day long, even more so if you block all zip files on your mail server.<div><br></div><div>Everyone has a laptop and a smartphone these days, so if you stop them doing something on the corp gateway, they will often tether their phone, grab what they want and drop back on the corp network minutes later.</div><div><br></div><div>You need defence in depth, you need ongoing security awareness training (Schools not prisons), you still need good backups, you should be thinking about next gen firewalls, you still need traditional AV, and you might want to consider app whitelisting (Esp for problem users or vulnerable vectors like HR opening resumes all day) .</div><div><br></div><div>There are a bunch of cool things on the market that can also solve some of these problems from Sandboxing to MicroVM's etc but they can be costly so I think you need to address the fundamentals first.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 October 2015 at 12:36, Rhys Hanrahan <span dir="ltr"><<a href="mailto:rhys@nexusone.com.au" target="_blank">rhys@nexusone.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Noel,<br>
<br>
Personally, I agree with your opinion, and typically have stayed away from these solutions over the years for exactly this reason. However, over the last few months things seem to have worsened to the point where we need to try something different.<br>
<br>
We've been running a typical postfix+rbls+spamassassin+clamav+lots of other bits for about the last 5 years, with me running the same setup personally, prior to that. And over the years, aside from some performance tweaks to get more throughput on Amavis, it's done fine. There's always been stuff it's missed, but like people have said, there's no silver bullet.<br>
<br>
The problem is that the amount of stuff it misses seems to miss has gone up by a fair amount for us in recent times - not just with the crypto stuff, but with general junk that comes through.<br>
<br>
I'm not going to extend this thread to "how do I fix our setup", because that's way outside the scope of the list, but I'll just say that I've already looked at improving the config in several ways and I feel like I've taken the setup as far as I can take it in terms of tweaks to reasonably improve its accuracy.<br>
<br>
I know they're probably running the same or similar setup under the hood of any appliance, but the thing is, if they're going to provide me 24x7x365 signature updates that they manage, which can stay on top of outbreaks, then to me that's worth paying for.<br>
<br>
Hopefully I manage to find something that doesn't end up falling over. :-)<br>
<span class="HOEnZb"><font color="#888888"><br>
Rhys.<br>
</font></span><span class="im HOEnZb"><br>
-----Original Message-----<br>
From: AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Noel Butler<br>
Sent: Friday, 2 October 2015 10:07 AM<br>
To: <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
Subject: Re: [AusNOG] Fw: important<br>
<br>
</span><div class="HOEnZb"><div class="h5">nearly missed this, found it in Junk because you replied direct, please reply to list only<br>
<br>
On 01/10/2015 17:10, Brad Peczka wrote:<br>
> Google will also show me examples of the aliens that landed at<br>
> Roswell, if I look hard enough. Doesn't mean it's real! :-)<br>
><br>
<br>
That maybe so, but the nightmares of ironport are well realised by those with a clue, including those that run networks large enough to make telstra look like a ma 'n pa part time vISP<br>
<br>
<br>
> Ironport ESAs are a solid product, as evidenced through their use in<br>
> Australia by iiNet, Micron21, and many others in both the ISP and<br>
<br>
and I (and assume others) recall a numnber of problems with mail and iinet in recent times because of ironport<br>
<br>
Like I said YMMV, but most are shying away from these things, well, those that care do :)<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br></div>