Understood. We're generally *very* happy with the Barracuda device. It takes so little to admin it and it just works.... We're just about to pull the trigger on a Mirapoint email system here to replace all the internal mail servers (other than Exchange...for now) and that has its own capabilities which may prove to assist in this.

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Boza
Sent: Tuesday, July 25, 2006 9:17 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: file filtering best practice?

Ah, but Antigen can also scan the SMTP blobs at your gateways. Of course, a *nix smtp gateway would preclude this, but I'd have to check if the new edge services would support it - I tend to think it would. You'd be dropping a Win2K3 server in place of your gateway though, and I doubt you were looking for a major change in your architecture.

Anyhow, just a thought! And certainly just a suggestion of course, all environments and requirements are different when you get into the upper strata as you describe.

On 7/25/06 9:08 AM, "Arnold, Jamie" <harnold@xxxxxxxxxxxxxx> wrote:

Thanks, Rick:

I've actually used Antigen from its inception. They were the only cluster-aware product back in 1997. This issue is larger than that unfortunately. I'm looking at our main campus mail system which is *IX based (Cyrus and Sendmail). We currently use a Barracuda as the edge proxy and it works wonderfully. We get around 1 million emails a day and drop over 96% of them due to file filtering or infection. Currently, we simply drop emails with certain file extensions as we have over 48,000 unique email addresses and asking every user to monitor and maintain their quarantine space would be a staggering undertaking. Many would simply never look there and the storage requirements for some 940,000 emails daily is, well...enormous.

I use Antigen in the manner you mentioned, but we only have around 1000 mailboxes on the Exchange boxen right now.

Thanks

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Boza
Sent: Tuesday, July 25, 2006 8:56 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: file filtering best practice?

I've had great experiences with Antigen (formerly Sybari, now Microsoft) on this very topic. Antigen opens all zips and quarantines those that have infections. Password-protected ones can be automatically quarantined. Another great feature is the ability to scan and/or filter files that have had their extensions changed in an attempt to get past a mail filter - it opens the file up and examines it rather than just relying on .zip as the extension to identify it.

Great stuff.

Rick

On 7/25/06 8:49 AM, "Arnold, Jamie" <harnold@xxxxxxxxxxxxxx> wrote:

Martin:

May I ask what you use to quarantine them?

Thanks

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Martin Blackstone
Sent: Tuesday, July 25, 2006 8:33 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: file filtering best practice?

We quarantine them, then release if they are OK. The users don't love it, but they understand it.

________________________________

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Arnold, Jamie
Sent: Tuesday, July 25, 2006 5:31 AM
To: exchangelist@xxxxxxxxxxxxx
Cc: Exchange2000@xxxxxxxxxxxxxxx
Subject: [ExchangeList] file filtering best practice?

In dealing with zip files specifically, I'm wondering what is considered the "best practice"? We simply remove the file at our edge proxy, but have been getting a little flak from a few users. Our data shows that nearly 94% of the .zip files that come in via email are infected so I'm not likely to be convinced to allow them through.

What say you?
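
The thread describes a filter that identifies zip attachments by opening the file instead of trusting the extension, and that quarantines password-protected archives. The sketch below is an added example, not part of the original thread and not Antigen's or Barracuda's code; the function names and the verdict labels are hypothetical, and the sample archives are constructed in memory.

```python
import io
import zipfile

ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is password-protected

def classify_attachment(filename: str, data: bytes) -> str:
    """Decide on content, not on the claimed extension (labels are hypothetical)."""
    starts_like_zip = data.startswith(b"PK\x03\x04")
    # is_zipfile() looks for the end-of-central-directory record, so it also
    # catches archives hidden behind prepended bytes.
    has_directory = zipfile.is_zipfile(io.BytesIO(data))
    if not starts_like_zip and not has_directory:
        return "not-zip"
    if not has_directory:
        return "quarantine-malformed"  # ZIP header but truncated or corrupt
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return "quarantine-malformed"
    if any(e.flag_bits & ENCRYPTED for e in entries):
        return "quarantine-encrypted"  # a scanner cannot look inside
    if not filename.lower().endswith(".zip"):
        return "scan-disguised-zip"  # archive content under another extension
    return "scan-zip"

def make_sample_zip(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed sample archive; 'encrypted' only sets the flag bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= ENCRYPTED  # flags field of the local file header
        raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory entry
    return bytes(raw)

if __name__ == "__main__":
    plain = make_sample_zip("readme.txt", b"constructed sample")
    locked = make_sample_zip("readme.txt", b"constructed sample", encrypted=True)
    for fname, blob in [("report.zip", plain), ("report.txt", plain),
                        ("photos.zip", locked), ("notes.txt", b"plain text"),
                        ("cut.zip", plain[: len(plain) // 2])]:
        print(f"{fname:12} -> {classify_attachment(fname, blob)}")
```

The "scan" verdicts only mean the archive is readable and should be handed to a malware scanner; they say nothing about whether its contents are clean.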