Since I’ve begun a trend of posting my bonehead moves on my blog for all to see, I figured I’d share this one as well. I’ve been a Maysoft SpamSentinel customer since 2005 and I’ve always been vocal with my praise when the topic of spam comes up. I especially love the focus on continued improvement. Backscatter? No problem, they just added that functionality to the product. They even snuck in a new feature recently that made a bonehead move on my part less spectacular. Here’s how that went…
Yesterday I noticed that there were zero messages in our B/C quarantines. I immediately sent a screenshot of the dashboard page to Chris Rich (who is so good at support that I’ve often considered referring to him as ‘Yoda’) to see if any recent update might be the cause of this change. He responded quickly, asking if the quarantines were also empty for the days shown by the dashboard page. I confirmed that this was the case and then started back-tracking everything I’d done this week, as I have a tendency to be the cause of many of my issues.
I mulled it over for a few hours, going back, back, back in time until I got to Monday afternoon. I got a call from a guy upstairs about their scan-to-email copier that had recently stopped delivering the scans. I checked the SS log and sure enough they were getting caught in the quarantine, so I checked to see if the copier IP was whitelisted. It wasn’t, of course.
What *was* whitelisted were a lot of individual IPs from our server subnet, and I thought to myself, “Well, this is getting messy and it’s really rubbing my OCD the wrong way.” While adding the copier IP I decided it was time to consolidate those server IPs into a single [x.x.x.*] entry! Less to manage, a tidy list, I was pleased! I made the changes, clicked save and went about the rest of my day.
Our inbound mail infrastructure is like this: Internet -> Symantec Brightmail (x2) -> SpamSentinel -> Mail Servers. Inbound and outbound SMTP are fully redundant via MX records. A word on Brightmail: our global agreement with Symantec includes the licenses, so we can use it essentially for free. Brightmail does a great job with compliance rules, virus scanning, and reputation checking, but it is garbage for spam filtering. I ran a full Brightmail spam-scanning configuration in front of SS for 30 days and SS still caught ~30% of the mail that Brightmail considered ‘clean’. SS wins!
OK, back to the problem… Guess what else is in the server subnet? Yes, that’s right… our SMTP gateway! I had whitelisted our SMTP gateway, so nothing was being scanned by SS. Fortunately this wasn’t as bad as it could have been because SS still deletes Spam-D email (thank you for that, Maysoft!) even from a whitelisted source.
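The check I wish I’d run before clicking save: given a whitelist in the x.x.x.* wildcard notation and the addresses of the relays that hand mail to the filter, flag any entry that covers a relay, since that entry bypasses scanning for everything behind it. This is an added example, not SpamSentinel’s code or anything from Maysoft; all addresses, the whitelist contents and the relay names are constructed for illustration.

```python
"""Check a spam-filter whitelist for entries that cover an upstream mail relay.

Whitelisting the subnet that contains the SMTP gateway means every inbound
message arrives from a whitelisted source and nothing gets scanned. This
script expands wildcard entries and reports any that contain a relay.
All addresses below are constructed sample values, not real infrastructure.
"""
import ipaddress

# Constructed sample whitelist in the "x.x.x.*" notation from the post.
WHITELIST = [
    "10.20.30.*",      # consolidated "server subnet" entry (the risky one)
    "10.20.31.17",     # scan-to-email copier
    "192.168.5.44",    # an application server
]

# Hypothetical upstream relays that feed the filter. Whitelisting any of
# these bypasses scanning for all mail that passes through them.
UPSTREAM_RELAYS = {
    "10.20.30.25": "smtp-gateway",
    "10.20.40.1": "brightmail-1",
    "10.20.40.2": "brightmail-2",
}


def pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn one whitelist entry into an IPv4Network.

    A plain address becomes a /32; trailing-octet wildcards such as
    "10.20.30.*" become /24 and "10.20.*.*" become /16. Wildcards in the
    middle of an address are rejected instead of guessed at.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 pattern: {pattern!r}")
    wild = [o == "*" for o in octets]
    n_wild = sum(wild)
    # Only a trailing run of wildcards maps cleanly onto a CIDR block.
    if wild != [False] * (4 - n_wild) + [True] * n_wild:
        raise ValueError(f"wildcards must be trailing octets: {pattern!r}")
    fixed = ".".join("0" if o == "*" else o for o in octets)
    prefix = 32 - 8 * n_wild
    return ipaddress.ip_network(f"{fixed}/{prefix}", strict=True)


def find_bypasses(whitelist, relays):
    """Return (pattern, relay_ip, relay_name) for every whitelist entry that
    contains an upstream relay. An empty list means no relay is whitelisted.
    """
    hits = []
    for pattern in whitelist:
        net = pattern_to_network(pattern)
        for ip_str, name in relays.items():
            if ipaddress.ip_address(ip_str) in net:
                hits.append((pattern, ip_str, name))
    return hits


def report(whitelist, relays) -> str:
    """Human-readable summary suitable for a pre-save sanity check."""
    hits = find_bypasses(whitelist, relays)
    if not hits:
        return "OK: no whitelist entry covers an upstream relay."
    lines = ["WARNING: these entries disable scanning for mail via a relay:"]
    for pattern, ip_str, name in hits:
        lines.append(f"  {pattern} covers {ip_str} ({name})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WHITELIST, UPSTREAM_RELAYS))
```

Run it against the proposed whitelist before saving; with the sample data it flags `10.20.30.*` because the SMTP gateway sits in that /24, which is exactly the consolidation that went wrong above.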
So, let this serve as a cautionary tale. Chances are you’ll never make this mistake, but if you wear way too many hats like I do, it can happen.