random technical thoughts from the Nominet technical team

Implement IronPort servers for anti-spam

Posted by jay on Jun 27th, 2005

We recently completed the installation of a pair of IronPort C30 servers, and these are now filtering out almost all spam, as we expected them to after our evaluation. The IronPorts come as 2U appliances with all the software pre-installed. They are actually Dell servers underneath, as we found out when the impressive-looking bezel fell off one. Most visitors to our computer room notice them straight away.

The IronPorts come with two different anti-spam systems:

The first of these is the excellent Brightmail anti-spam system, which is a signature and heuristic content filter. Brightmail is now owned by Symantec, so there is always the possibility that some marketing person will ruin it, but so far it seems to be unaffected. The Brightmail service seems to be pretty efficient; we have had no false positives so far and not much seems to get past it. I don’t have any stats yet on just how much we think it misses, but anecdotally it appears to be just a few messages per person per day.

As we run Lotus Notes, we have installed the Brightmail plugin for Notes, which allows us to mark messages as spam; it then dutifully moves them to a spam folder. To be honest I’m not sure exactly what communication then takes place with the IronPorts if you do that, but I do know that it loads a DLL, making it unusable on our OSX boxes.

The second anti-spam system is the SenderBase Reputation Score (SBRS), which we are not yet using. This looks up the address of the MTA that connects to the IronPorts in the SenderBase database and assigns it a score from -10 (definitely spam) to +10. You can then decide how different ranges of scores are handled. SenderBase assigns scores based on a number of different sources, including SpamCop, which IronPort owns along with SenderBase. This probably explains why the IronPort does not support RBL or DNSBL services directly, since they all feed into SBRS.

One of the nice features of the IronPort is that you can choose to accept messages from a particular source but throttle the number of messages it can send.

You can configure the IronPort to share its logs with SenderBase to help increase the effectiveness of SenderBase. However, we have at least one MTA that receives mail before the IronPorts, processes some that matches a particular format and forwards the rest to the IronPorts. Since this MTA receives a lot of spam, the IronPort sees it as a source of spam. So if you share your data with SenderBase and you have this particular setup, you can actually end up giving your own MTAs a bad reputation. For that reason we have had to disable sharing with SenderBase. Unfortunately you cannot turn off this sharing on a per-MTA or per-group basis.

The final integrated product is Sophos anti-virus, which comes with all the usual features, though it is much easier to configure through the IronPort interface than it normally is.

The most unusual thing about the IronPort is that it runs IronPort’s own operating system, based on FreeBSD, called AsyncOS. This claims to allow for extremely high-volume processing, but we have not yet tested it to destruction (though with our excellent Spirent Avalanche we could always try). One side effect of the use of AsyncOS is that it never writes the email to disk, so if you have a power failure after it has received a message but before it has forwarded it, that message is lost.

The IronPort has quite a nice web interface through which you can configure the box, view reams of statistics and create ad hoc and scheduled reports. The actual configuration concepts are fairly opaque and unfriendly. It takes a few reads of the manual to understand them and configure it correctly. You can do all sorts of custom filtering; for example, we do not allow anyone to connect to us specifying a hostname in our domain in their HELO command. However, finding where to set this kind of thing is not always obvious. In this example it appears at a point that I think is much too late in the mail handling process, since of course the HELO command comes first. Despite the awkwardness we haven’t yet found anything we can’t get it to do.
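To make the connection-policy ideas above concrete (SBRS score ranges mapped to actions, per-source throttling, the HELO check for our own domain, and keeping an internal forwarding MTA’s reputation out of the decision), here is a small model of that decision logic as an added example. It is not IronPort or SenderBase code; the domain, addresses, scores and thresholds are constructed sample data, and the throttle is a plain counter standing in for a real rate limiter.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed local domain and the address of our own upstream MTA that forwards
# mail to the filter (constructed values, not real infrastructure).
OUR_DOMAIN = "example.org"
INTERNAL_RELAYS = {"192.0.2.10"}

# Constructed reputation table standing in for a SenderBase lookup:
# -10 means "definitely spam", +10 means fully trusted. Unlisted peers are neutral (0).
SAMPLE_SBRS = {
    "198.51.100.7": -8.5,   # known spam source
    "198.51.100.9": -2.0,   # slightly suspicious
    "203.0.113.42": 1.2,    # neutral-ish
    "203.0.113.5": 6.0,     # good reputation
    "192.0.2.10": -6.0,     # our own relay, scored badly because it forwards spam to us
}

# Score ranges -> handling policy ("decide how different ranges of scores are handled").
REJECT_BELOW = -3.0      # score < -3.0  -> refuse the connection
THROTTLE_BELOW = 3.0     # -3.0 <= score < 3.0 -> accept, but rate-limit the source

@dataclass
class Throttle:
    """Per-source message counter; a real MTA would reset this per time window."""
    limit: int
    counts: dict = field(default_factory=lambda: defaultdict(int))

def helo_is_spoofed(helo: str) -> bool:
    """True if the peer claims a HELO hostname inside our own domain."""
    host = helo.strip().lower().rstrip(".")
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)

def policy_for_score(score: float) -> str:
    if score < REJECT_BELOW:
        return "reject"
    if score < THROTTLE_BELOW:
        return "throttle"
    return "accept"

def decide(ip: str, helo: str, throttle: Throttle, sbrs=SAMPLE_SBRS) -> str:
    """Connection decision: HELO check first (it arrives first), then reputation."""
    if helo_is_spoofed(helo):
        return "reject:helo"
    if ip in INTERNAL_RELAYS:           # our own forwarding MTA: its score must not count against it
        return "accept:internal"
    action = policy_for_score(sbrs.get(ip, 0.0))
    if action == "throttle":
        throttle.counts[ip] += 1
        return "accept:throttled" if throttle.counts[ip] <= throttle.limit else "defer:rate-limit"
    return action
```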

We’ve used IronPort support and they were quick and helpful. IronPort do password-protect their online manuals and knowledgebase, but with a username/password combination that is obviously shared by all users, so it just acts as an irritation.

The IronPorts are expensive, and I can see why you might not want to fork out this much. Bear in mind, then, that you could always build something similar yourself. Brightmail is available to purchase directly from Symantec, and of course Sophos is widely available. SenderBase is actually free to use, even though it is owned by IronPort. So you could always install your own server with a decent mail server like Postfix and add on these services. The one thing you might miss is the IronPort reports, but I guess Brightmail probably does a lot of that.

2 Responses

  1. Robin Haswell Says:

    I personally dislike blacklist spam filtering. Example why: A web hosting company I used to work for had the mailservers colo’d with an unnamed hosting company in the States. Their abuse monitoring was pretty bad, so when some rogue servers they managed started spamming, they didn’t notice. This led SpamHaus to block *every single class-C* the company owned, despite the fact that only a couple of IPs were spamming. Furthermore, SpamHaus will only deal with the owners of the class-C, not the owners of the servers on them, so there was nothing we could do to get us de-listed. The hosting company didn’t seem to care, and consequently our entire userbase found themselves unable to send mail to 50% of their clients overnight. It nearly killed us. Fortunately we had just enough cash in the bank to extract our entire business from the hosting company and onto a more reputable provider. The problem is, I hear this story all too often, with blacklist providers wielding all the power with no accountability or responsibility.

    And that is why I do not and will never trust blacklists :-)

  2. Dodgey Geezer Says:

    We’ve had our C30 up and running for over 6 months now, and for the past month, of the 312,000 emails in, 19.2% were killed as spam, and 39,000 connections were dropped as undesirable. The only blacklisting we’ve had to do is ADSL and cable customers with hijacked PCs.

    It’s certainly helped out killing off the spam and stopping the overloading of our internal email servers :)
