
SEA vs Puremessage: Feedback

Hi All,

I am running SEA on a customer and to be honest I am not really happy about the SPAM caught by SEA. Before SEA, there was Pure Message and it blocked more SPAM and SUSPECT SPAM by adjusting the slider controls. This is something that is not achievable on SEA.

Also Sophos is selling multiple SPAM filters:

  • SEA
  • Pure Message
  • XG MTA
  • UTM9 MTA

I think that Sophos needs to understand that SPAM protection is very important and the only one (I think) that works as it should is Pure Message. Also on ideas.sophos.com there is not even an area on Pure Message/SEA to open/vote feature requests.

I am looking forward to hearing from you guys on what experience you have and your feedback.

I have been using Pure Message since 2008 and SEA since 2011.

Regards



This thread was automatically locked due to age.
  • I too have been running PureMessage for many years. I have "Upgraded" to SEA and now find the filtering very poor in comparison.

    The Spam High (discard) and Spam medium (Quarantine) functions on the SEA are way less effective than PureMessage where I could tweak a slider up and discard anything with a rating over (say) 70.

    I would normally get 200 messages in quarantine with PureMessage over a weekend. I now have to battle with the SEA web interface to deal with 2000+ messages! I cannot adjust "spam medium" other than to delete it!

    It also detects a lot of genuine senders as Blacklisted that would normally have been fine.

    Regards,

  • Tony Smith2 said:

    functions on the SEA are way less effective than PureMessage where I could tweak a slider up and discard anything with a rating over (say) 70.

     

    The slider is missing in SEA and other Sophos Anti-spam products. They should bring the slider back to other products. Pure Message is still the best one.

    Thanks Tony for your feedback. It seems we are alone here.....

  • Hi Luk,

    I can assure you that the SEA is much more adept at catching spam; however, there are many different areas that need to be configured. Here is my AS configuration KB; ensure that your settings match. https://community.sophos.com/kb/en-us/120802

    Other notes:

    Ensure delay queue is active and the settings are as in the above KB. This feature is highly effective against snowshoe spam but... it must remain in collect mode for 10.45 days or 1M seconds before it will start enforcing, or any time the feature is changed to off.

    The SEA also allows you to create any sort of envelope or DATA rules you can think of.. for example you could drop entire countries, or domains like .info or . You could also create your own substring and regular expression matching if you wish.

     

    The slider for spam has little impact when it comes to the scale that is used to determine if a message is spam.  The way spam is scored will either be greatly below 50% or above. 

  • Thanks Red_Warrior for your advice but I already know the KB and SEA is configured at the top. Still some spam is passing through SEA. Hope other advanced features can be included in the near future in SEA, like a slider spam option like Pure Message, Dual Anti-SPAM Engines, RBL.

  • Hi,

    I agree. Over the weekend our users (approx. 200) have generated 1000+ messages into quarantine... but 728 of them are rated as Spam Medium! There are some few false positives so I WILL have to manually filter them. In PureMessage I could have adjusted the slider to reduce my spam instantly! Please also allow us to select RBL checks manually - messages that get quarantined due to the sender's IP are 80% genuine!

  • We recently moved over to SEA from OnlyMyEmail (a web based tool which did a great job), but our users are getting too much spam as well. And when they report spam, they still keep getting it. Now, SPX is not even working correctly and is just cumbersome. Folks, I really want the SEA to be our solution but it might not be. 

    With all that said, is it possible to run both SEA and PureMessage? 

     

    Wanting to hang out at the beach watching the SEA but keep getting rolled by waves.

  • I use two spam filters in sequence successfully.   The first one does most of the filtering, but my UTM provides a second set of filtering using a different spam engine.

    In a relaying configuration, only the first device knows the IP address and host name of the sending system, so only the first device can filter based on source IP, host name, or SPF.

    UTM has a transparent SMTP option, which works around this problem.   UTM can enforce SPF, but it cannot block based on host name.   So one could configure UTM first in transparent mode with SPF enforcement, and a second device with Reverse DNS filtering.   Of course, the preferred option is to have one device that can do both.

    I don't know if either SEA or PureMessage offers a transparent mode, or whether they have gaps that would make transparent mode useful. But you can definitely string SMTP gateways together using as many layers as you desire. You can also configure different paths for inbound and outbound traffic, if desired.

  • In theory if you wanted to use all of these products together.. you could... but it's not recommended. If it's not done properly you may end up with more than one quarantine.. making a mess of everything. tbh if you want to improve your scanning .. you're best to use xg/utm & PureMessage AV .. or sea and PureMessage AV.

     

    Anyways ... If I was going to do it... it would look something like this:

     

    XG/UTM

    forward facing XG/UTM:

    configure it via mx/a records so that mail is delivered to it.

    configure it in mta mode

    under the spam settings configure it to "tag subject and continue" or tag an xheader

    deliver to the sea

     

    SEA

    the sea should have the upstream utm/xg listed as a trusted relay

    configure spam rules to quarantine medium and high spam

    configure an additional policy to search the "Subject" for the word [spam] (or whatever you configured upstream) and quarantine it for the reason of spam

    filtering options: change it to "policy level blocking" and remove the check box for the ip blocker (this makes the appliance accept all mail and look at the headers for blacklisted ips, vs. if the blocker is enabled the connection would be dropped and no email accepted)

    option: you could configure the appliance to proxy mail out through the utm/xg or have it deliver out itself.

     

    PUREMESSAGE

    install PureMessage for Exchange antivirus ONLY edition on your mailbox servers and set up a scanning rotation. (the file name is something like puremessage4_3AV.exe)

     

    this will allow you to use multiple av engines and av store scanning.

     

    CONS:

    delay queue on the email appliance will not work as you are not allowing the mta to connect.

    ip filtering (the blocker service) on the sea will not work

    complex routing

    possibility of increased spam

    possibility of email policy / dropped mail in 2 different locations

     

    PROS:

    after the fact AV scanning on the mailbox server
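
An added example, not part of the original post and not code from any Sophos product: a Python sketch of the header handling the chained setup above relies on, where the second gateway trusts the upstream relay, takes the sender's IP from the Received header that relay wrote, and honours its Subject tag. The relay address `192.0.2.10`, the `[spam]` tag text and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions for this sketch: relay address and tag text are placeholders.
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}  # upstream XG/UTM
SPAM_TAG = "[spam]"                                    # Subject tag set upstream

# "from host (rdns [a.b.c.d])" at the start of a Received header value.
_FROM_IP = re.compile(r"from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample as the second hop sees it: the top Received line was
# written by the trusted relay, the one below it was supplied by the sender.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
    "\tby utm.example.org with ESMTP; Mon, 1 Jan 2018 10:00:00 +0000\n"
    "Received: from ws1 (ws1 [203.0.113.99]) by mail.example.net with ESMTP\n"
    "Subject: [SPAM] Cheap watches\n"
    "\n"
    "body\n"
)


def received_ips(msg):
    """Connecting IPs recorded in Received headers, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _FROM_IP.match(" ".join(hdr.split()))
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # malformed literal such as 999.1.1.1
    return ips


def classify(raw, peer_ip):
    """Return (origin_ip, upstream_tagged) for mail handed over by peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_RELAYS:
        # Direct connection: the peer is the origin, headers prove nothing.
        return peer, False
    msg = message_from_string(raw)
    # Newest hop that is not one of our own relays is the real sender.
    origin = next((ip for ip in received_ips(msg) if ip not in TRUSTED_RELAYS), None)
    tagged = SPAM_TAG in (msg.get("Subject") or "").lower()
    return origin, tagged
```

Only the header written by the trusted relay is used for the reputation lookup; older Received lines and any tag arriving from an untrusted peer are ignored because the sender controls them.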

  • Thanks for the info DF. We have Meraki as our UTM. I might see what it can do. I wish I could switch to Sophos for this but, I have another three years with Meraki and a very small budget.

  • RW,

     

    In my case we have only the SEA active. I have not installed Pure Message. Should I only install Pure Message AV on my Exchange (2010) server and let the SEA continue to be the primary scanner?

     

    Thanks!...again!

    John