Brightmail causing massive traffic
Updated: 21 May 2010 | 27 comments
I have Brightmail Antispam/Antivirus 6.0 apparently successfully installed. Recently, I've been trying to identify the sources of high network traffic on the server, and have been disturbed by what seems to be happening.
My ISA Server 2004 server reports three Symantec sites (aztec.Brightmail.com:443, 64.236.91.22 and 64.236.24.12) are responsible for 98% combined of the total traffic by website on the network. Aztec.brightmail.com:443 accounts for 88.7% of all traffic alone.
This is a small site with a few users, and there are only a few hundred emails coming in per day, of which about 70% are spam.
To me it looks very much as if something's disastrously wrong, but I'd appreciate it if more experienced hands could tell me if I'm wrong.
Comments
Has anyone found a solution to this besides turning off the conduit?
I'm still turning the conduit on and off. Symantec rang me a while back as I downloaded the trial version of Brightmail. I told the guy about the quota problem and he said he'll check with the support team and get back to me.
He never got back to me ... that doesn't sound good!
I wouldn't recommend turning the conduit on and off manually. This would cause a massive detection impact as the rules come in small portions every few minutes.
If the conduit is off, your Brightmail will miss this rule and the spam will not be detected.
Please keep in mind that the traffic shows the quality of the rules and therefore of the product. It would be much easier to send out a stupid RBL list of IPs - but do you really want to generate false positives?
Yes, I understand why the updates are so large. But unless you've lived in a country where internet access is metered, you probably wouldn't understand why it's simply not viable for us to run spam-filtering software that takes up ~30GB a month in updates.
My entire office's internet plan comes with 30GB a month, which costs AUD$110 monthly.
I'm very willing to compromise - I don't mind reducing the effectiveness if it doesn't require our *entire* internet quota just for updates.
At the moment I can go between 2-4 days before spam starts appearing. So if I were able to configure Brightmail to only download updates once a day, I could possibly reduce its bandwidth usage to a very manageable 35MB a day - just over a gigabyte a month.
If 30GB will cost you AUD$110, why wouldn't you consider hosted mail security?
Our 30GB internet plan is for general office use - websurfing etc.
What I don't want is to have to pay another $110 a month just for spam filtering, when all that's needed is a setting to reduce the frequency of the updates.
Updating once a day will work for us, judging from the amount of time in between when I stop the conduit and when I start receiving spam. It seems like a pretty easy feature for Symantec to include too. That'll solve the problem for anyone with an internet quota.
Oh I should mention, the conduit runs as a service and is named bmiconduitsvc, so you can schedule a net start/stop.
Not as convenient as ticking boxes, but it does the job. I don't know why it took me so long to check the services!
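One way to implement the scheduled stop/start described in this comment, as an added example rather than anything from the thread or from Symantec: it registers two daily scheduled tasks so that the conduit service (bmiconduitsvc, named above) only runs for a short window. The 02:00 start time, the 30-minute window and the switch to Manual startup are assumptions; the thread's Symantec replies explain the detection trade-off of any gap in rule downloads.

```powershell
# Added example (not from the thread): limit the Brightmail conduit service to a
# short daily window so rule downloads happen roughly once a day.
# Assumed values: 02:00 start, 30-minute window. Run from an elevated prompt on
# the Brightmail host.

$ServiceName = 'bmiconduitsvc'   # service name given in the thread
$StartTime   = '02:00'           # assumed
$WindowMin   = 30                # assumed

# Fail early if the service name does not match this installation.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { throw "Service '$ServiceName' not found; check services.msc" }

# Derive the stop time from the start time and the window length.
$stopTime = ([datetime]::ParseExact($StartTime, 'HH:mm', $null)).AddMinutes($WindowMin).ToString('HH:mm')

# schtasks.exe is present on the Windows Server versions of this era;
# /RU SYSTEM avoids storing an account password with the task.
schtasks.exe /Create /F /TN 'Brightmail Conduit Start' /SC DAILY /ST $StartTime /RU SYSTEM /TR "net start $ServiceName"
schtasks.exe /Create /F /TN 'Brightmail Conduit Stop'  /SC DAILY /ST $stopTime  /RU SYSTEM /TR "net stop $ServiceName"

# Assumption: without this, a reboot outside the window auto-starts the service
# and it keeps downloading until the next scheduled stop.
Set-Service -Name $ServiceName -StartupType Manual

# Verify what was registered.
schtasks.exe /Query /TN 'Brightmail Conduit Start' /FO LIST
schtasks.exe /Query /TN 'Brightmail Conduit Stop'  /FO LIST
```

Spam arriving between windows is the signal that the window is too short or too infrequent, as the later comments in this thread describe.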
You have most likely found your best solution for the bandwidth issues by scheduling a stop and start of the conduit service. Brightmail checks fairly frequently for updates and will actually update about once every 5-20 minutes (or thereabouts). So for limited bandwidth operations it's understandable that this could be cumbersome.
With how often spam waves change and propagate it's one of the ways that Symantec stays on top of the curve. So I would say that you have the best solution available at this time as this will allow you to manage what works for your environment.
Using a hosted solution would obviously keep from having this issue as stated before.
I'm just surprised so few people seem to notice it or mention it. 30+GB/month is a large amount of data. Doesn't anyone else have internet quotas? I think (most of) the rest of the world has been spoiled by quota-less plans. :(
My 1-update-a-day schedule worked really well, till about 3 weeks ago when spam seemed to get really aggressive. I had 2-3 spam mails coming through each day. I've been so used to virtually no spam at all though, so I've configured the updates to twice a day. I now get maybe 2 spam mails a week, if at all.
Pre-Brightmail, I would get around 40 spam mails a day, so it's a large improvement.
I'm glad to hear it's working so well for you. Aside from the internet quota issues. And I would agree with you that it could easily get set aside as being an issue without feeling the pain yourself, but I'm certain that this has at least been looked at some point in time.
I will see if there are any plans to do this in the future but without widespread exposure it may not be as hot of an issue since a workaround is available. I know at least getting the rules trimmed down has always been something being worked on and has seen some progress.
Thanks for the input!
As the original poster, I'd like it noted that other countries have Internet quota issues as well. Over here, we're either extremely limited or extremely expensive, and Brightmail's traffic has been absolutely unmanageable.
I'm glad that the service scheduling option helped, and would like to suggest to Symantec that this needs to be a configurable option or some other workaround must be found.
For the meantime, we have discarded Brightmail as being unusable, and are looking at alternate solutions; GFI MailEssentials so far seems the best bet, but we'll also look at Symantec Endpoint Protection or Symantec Multitier Protection, which may turn out to share Brightmail's issues if they have the same development team on the Antispam component.
Hello Andrew,
I'm sorry to hear that it is causing these problems for you with the internet quotas. One possible avenue for you would be to submit an enhancement request at the following site. It will get more exposure than this forum. http://www.symantec.com/feedback/
I can assure you that these get looked at and are important to Symantec. I will also make it a point to bring it up in our weekly meeting with our development and QA teams and give it a little more exposure and see what we can do about it.
As far as the other mail security products offered by Symantec, you would need to talk to the product teams as to whether they are going to pull down rules as often. This is most likely going to be determined by whether they are using our "Premium Antispam" rule sets or not, but can vary per product. Remember you can always run a trial on Symantec products or go through presales to answer some technical questions for you.
I thank you for your input!
- Tom
Hello Andrew,
I wanted to let you know that this issue was brought up with our QA and development teams, and this is something that has been considered for quite some time. Basically the stance held for right now is that we can't "suggest" scheduling starts and stops of services as this would be pretty much cutting our effectiveness off at the knees. As always our main concern is that our customers are protected in the best possible manner.
This being said, it is also reasonable to be concerned about the inherent bandwidth issues for customers with limitations here. So as such it has always been a goal to make the program as effective as possible with the smallest possible rule sets.
With the amount of spam out there and with how prolific it is we have to weigh as a business unit the balance of effectiveness vs. rule size. And trust me, this is not an easy thing to do.
Your best solution that can be offered by Symantec is our hosted solution. There are several reasons that this would benefit someone in your situation:
1. This would completely eliminate your concern of bandwidth issues of rulesets and also improve it to a great degree.
2. As I'm sure you are well aware, generally 60-90% of mail is spam. Even if we stopped 80% of that, you are looking at a 70+% drop in mail flow. Which would in turn decrease your quota usage.
3. It frees up hardware in your environment for other reasons since you won't be working with the program in-house.
4. It lessens the load on your mail servers which increases productivity.
I would really suggest that you, or anyone with this same concern, at least look into running a trial of this offering and see if it works for them. I personally think this is going to be one of the best solutions for you to keep effectiveness up and also decrease bandwidth usage.
Please let me know if you have any questions or concerns.
Thanks!
Hi Tom
We'll certainly consider the hosted option.
Getting back to the size of the rule set download: do you not use delta update technology to avoid re-downloading existing rules? Surely that would substantially reduce the download size, and Symantec uses deltas extensively in their other products.
Regards
Andrew
Hi Andrew,
Yes, Symantec does use a "delta" type of rule set for Brightmail and all other products using Premium Anti-Spam technologies. There are things we have been doing to try to help with these, but with the amount of spam out there, the list of rules gets fairly extensive. I appreciate the input though.
Tom
Hi Guys,
I came searching to see if 170MB a day was too much! We had several clients last year doing 1GB a day on Brightmail. Symantec support helped us get to an advanced settings page in the Brightmail web console. On the settings page (doing this from memory as we have uninstalled on all sites) leave the mouse in the rather empty right-hand pane and press ctrl-a or ctrl-shift-a or something like that and it brings up an advanced settings screen. Deselect the enterprise updates and the 1GB a day goes away. Not sure what else it turns off, but this is not a good look to blow out the internet that much. We have in fact moved away to hosted services as the user numbers were quite small. But does anyone know if 170MB a day is too much for the Brightmail downloads from Premium Antispam?
Cheers
Jarrod
Hello Jarrod,
While I appreciate your reply, these are generally settings that we would prefer to keep in support's realm. The reason that we do so is because the settings in the advanced configuration page can severely change the inner workings of our programs. These should not be changed without support guidance. The setting that you are specifically talking about changes the way we are going to do our scanning and can (depending on environment) adversely affect scanning of spam.
I'm not saying that this is going to happen in your environment or all others, but this is something that Symantec support likes to caveat. As such we would prefer these steps stay in support troubleshooting so that we can properly advise customers.
I appreciate your candid response and insight but would also appreciate a little more discreetness in disseminating these types of steps.
Thanks!
I am seeing the same thing here too...
How do you get into these advanced config options?
thanks kindly
Hi,
The previous poster was talking about a settings page in Brightmail Gateway, not SMS-SMTP as you've mentioned in your other post.
As Tom pointed out, it's an advanced config page that can _dramatically_ change things in your deployment if you are not entirely sure of the consequences. For that reason we don't really advocate it being used without support's guidance.
Cheers,
--ian
So is there actually a way to get the update size down?
Both enterprise and standard rulesets are large for me. I avoided touching all the other settings to avoid any dramatic change in my deployment. :)
Is there a different section for this problem on SMS SMTP ?
We have the same problem with massive traffic and don't know how to deal with it.