Block whole domain for SPAM
How can I block a whole domain, for example .info or .co, because I get most of my spam from these domains?
Is there also a possibility to block an IP?
Is there some option to do that in Zimbra Administration?
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Block whole domain for SPAM
Hi,
An easy way to do it is via SpamAssassin; it may not be the most CPU-efficient, but it should do the trick quite easily.
You don't specify which version of Zimbra you have, so paths may be different, but you could create /opt/zimbra/data/spamassassin/localrules/sauser.cf on your as/av servers and add the rules there. The domain one is going to be easier than the IP one, as the latter will require you to write a little regex. Use this carefully, as SA is quite resource consuming, and making this grow and grow will likely affect the performance of your server (also, tune it so it compiles rules, etc...there's quite a bunch of docs regarding this).
You should have lines like this in your sauser.cf for blocking addresses or domains.
# blacklist
blacklist_from gefolhapreu@something.com zeena3221@something.com
blacklist_from *@something.com
For IPs you need a regex...although if you already know exactly which IP is giving you problems, a "literal" is the easiest kind of regex and most likely the case you need (replace the "X" with the numbers of the IP you are trying to block).
# Blacklist IP
header BANNED_IPS Received =~ /\[XXX\.XXX\.XXX\.XXX\]/
score BANNED_IPS 100
Make sure your zimbra user and group are the owners of that file, and once done, restart amavis with:
zmamavisdctl restart
Now, every time an email comes from that IP, it should match that rule and add 100 points to its score, which (if not changed from the defaults) will reach the "kill" score for that mail, making it skip even the "spam" folder and be discarded directly.
For IPs though...it is usually better to just use your perimeter firewalls and block those IPs there instead of creating the rules in Zimbra.
Re: Block whole domain for SPAM
Zimbra version is 8.8.12 GA
So there is no GUI way to put in a whitelist or blacklist?
I tried that in amavisd, but it crashes Zimbra.
How can I block, for example, the whole .com domain?
Like this?
# blacklist
blacklist_from *.com
For the IP, I put exactly this into /opt/zimbra/data/spamassassin/localrules/sauser.cf:
header BANNED_IPS Received =~ /\[193.12.11.180]/
score BANNED_IPS 100
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Block whole domain for SPAM
Hi,
So there is no GUI way to put in a whitelist or blacklist?
--> No, there is not.
I tried that in amavisd, but it crashes Zimbra.
--> You tried what exactly?
How can I block, for example, the whole .com domain?
--> You could try this...but it would render your server quite useless. I'm not sure this will work, as this is quite an unusual configuration; people usually only block "one domain at a time" and not the whole ".com".
blacklist_from *@*.com
You can see more info here https://spamassassin.apache.org/full/3. ... _Conf.html
For the IP, I put exactly this into /opt/zimbra/data/spamassassin/localrules/sauser.cf:
header BANNED_IPS Received =~ /\[193.12.11.180]/
score BANNED_IPS 100
Quite sure this won't work; the "\" are escape characters. In the example I gave you, I used them, and here you are only using one of them. You could try this instead:
header BANNED_IPS Received =~ /\[193\.12\.11\.180\]/
score BANNED_IPS 100
This escapes the "]" (which indicates that a group is ending, but you are not opening one) and the "." (which is a wildcard here). You only had to replace the "X" with the right numbers of the IP; you removed things you should not have removed.
Also, make sure sauser.cf is owned by zimbra (as root, execute "chown zimbra:zimbra /opt/zimbra/data/spamassassin/localrules/sauser.cf").
Regards,
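A way to generate these sauser.cf lines and dry-run the IP regex before it is deployed, as an added example that is not code from this thread, from Zimbra or from SpamAssassin. Python's re module stands in for SpamAssassin's Perl regex engine (the constructs used, \[ \. \] and (?:a|b), mean the same in both); the Received: lines are constructed samples; the rule name BANNED_IPS, the address 193.12.11.180 and the score 100 come from the replies above, while 198.51.100.7 is a made-up second address.

```python
"""Generate and dry-run SpamAssassin sender/relay blocking rules.

Added example, not code from the forum thread, Zimbra or SpamAssassin.
It writes sauser.cf-style lines for a list of sender domains and relay IPs
with the escaping the reply insists on, then exercises the IP regex against
constructed Received: headers so the rule can be checked before it is put
into /opt/zimbra/data/spamassassin/localrules/sauser.cf.
"""
import ipaddress
import re


def domain_rules(domains):
    """One blacklist_from line per domain; *@domain covers every local part."""
    return [f"blacklist_from *@{d.strip().lower()}" for d in domains]


def ip_pattern(ips):
    """Regex body matching any of the given IPv4 addresses literally inside [ ]."""
    literals = []
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)        # rejects typos such as 193.12.11
        literals.append(re.escape(str(addr)))   # 193.12.11.180 -> 193\.12\.11\.180
    return r"\[(?:" + "|".join(literals) + r")\]"


def ip_rules(name, ips, score):
    """header/score pair in the same shape as the reply's BANNED_IPS rule."""
    return [f"header {name} Received =~ /{ip_pattern(ips)}/", f"score {name} {score}"]


def received_hits(pattern, received_headers):
    """Return the Received: lines the pattern matches (a local dry run)."""
    rx = re.compile(pattern)
    return [h for h in received_headers if rx.search(h)]


# Constructed sample headers, roughly in the shape Postfix writes them.
SAMPLE_RECEIVED = [
    "from mx.example.test (mx.example.test [193.12.11.180]) by zimbra.example.test",
    "from mx.example.test (mx.example.test [193.12.11.18]) by zimbra.example.test",
    "from mx.example.test (mx.example.test [193x12x11x180]) by zimbra.example.test",
]

STRICT = r"\[193\.12\.11\.180\]"   # the reply's corrected form: literal dots
LOOSE = r"\[193.12.11.180]"        # the form the asker posted: each '.' is a wildcard


def escaping_comparison():
    """Show what the unescaped dots buy: '.' matches any character, so the
    loose form also fires on the third sample, which is not the address at all."""
    return {
        "strict": received_hits(STRICT, SAMPLE_RECEIVED),
        "loose": received_hits(LOOSE, SAMPLE_RECEIVED),
    }


if __name__ == "__main__":
    for line in domain_rules(["something.com", "Example.INFO"]):
        print(line)
    for line in ip_rules("BANNED_IPS", ["193.12.11.180", "198.51.100.7"], 100):
        print(line)
    for form, hits in escaping_comparison().items():
        print(form, "->", [h.split("[")[1].split("]")[0] for h in hits])
```

Run it, paste the printed lines into sauser.cf, fix ownership as the reply says and restart amavis; the dry run only checks the regex itself, not how SpamAssassin weighs the resulting score.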
Re: Block whole domain for SPAM
Thank you for explaining. I will try this.
What I did is from this link, and it crashed amavis, antivirus and antispam:
https://wiki.zimbra.com/index.php?title ... FBlacklist
or this:
Domain white/black list
This can be accomplished by modifying /opt/zimbra/conf/amavisd.conf.in and adding a score for the domain that you want to change.
When scoring the domain, remember that negative scores whitelist, positive scores blacklist
Here's a whitelisting example:
Edit the file /opt/zimbra/conf/amavisd.conf.in and look for this section:
{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'bugtraq@securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
At the top, add the domain you want to whitelist (eg, zimbra.com), with a strong negative score:
{ # a hash-type lookup table (associative array)
'zimbra.com' => -10.0,
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'bugtraq@securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
Remember, if you want to blacklist a domain, make the score positive
Then restart amavis:
zmamavisdctl stop && zmamavisdctl start
Remember - you're trusting the sender's domain to be valid, so any email sent with an address in that domain will receive the score weighting - the address is not verified.
This can also be used with individual sender email addresses, as seen above.
User white/black list
It's very simple, changing the amavis config:
Put in /opt/zimbra/conf/amavis.conf.in:
read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');
read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');
read_hash(\%spam_lovers, '/etc/zimbra/spamlovers');
In /etc/zimbra/* put sender address or domain, one per line. Wildcards allowed. Example:
hotstuff@sexnzen.com
spammersites.net
A spamlovers list is for those accounts that always need to receive all messages, even if spam. According to RFC 2822, postmaster, abuse and other accounts of this kind should be spam lovers. [However, instead of hacking amavis.conf.in to create a spamlovers list, it's probably better now to use zmprov <account> amavisSpamLover TRUE amavisBypassSpamChecks TRUE. It's possible that other recommendations on this page are similarly out of date--Ewilen 13:41, 9 August 2012 (PDT).]
I think we should prepare a script to save and restore these config changes upon Zimbra updates...
Is there a way to improve SPAM filter?
Is greylisting already built in?
regards
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Block whole domain for SPAM
Hi,
I don't know about those configurations. If your amavis is still broken, then you'll first need to undo what you did and THEN, apply what I'm suggesting.
Yes, you can improve anti-spam in Zimbra, but there is a crazy way to do it, and then there is the supported way to do it. Follow the advice I gave you, which has no risk of breaking anything, is a supported way of tuning antispam and will work for what you need. Once done, you may open new threads asking concrete questions, because "improve antispam" is way too open to provide a proper answer imho.
Let us know how it goes.
Re: Block whole domain for SPAM
I already did what you suggest, so I need to wait for some spam to come.
Amavis works now. I have undone everything, but it still didn't work until I did some database update; now all works.
I will let you know if it works.
I was asking about improving SPAM with regard to this article, to install something more, or add greylisting or something else.
I don't know what is already in Zimbra and what more can be added, so I don't know what to ask.
https://wiki.zimbra.com/index.php?title ... FBlacklist
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Block whole domain for SPAM
Hi,
"I already did what you suggest, so I need to wait for some spam to come."
--> If the configuration works, you won't be able to see the spam, not even in the "spam" folder. At least the ones coming from that particular IP.
Amavis works now. I have undone everything, but it still didn't work until I did some database update; now all works.
--> Ok. I hope you mean "database update" in the sense of just tuning the Zimbra value to auto-update SpamAssassin and letting it run. Otherwise, try these on all your as/av Zimbra servers:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
I was asking about improving SPAM with regard to this article, to install something more, or add greylisting or something else.
I don't know what is already in Zimbra and what more can be added, so I don't know what to ask.
https://wiki.zimbra.com/index.php?title ... FBlacklist
--> Ohh ok. So the best way to go is little by little. That particular article has some outdated info. Take a look at this updated guide written by Mark Stone instead of the one published as "community contribution" (which also has information given by Mark) that you are checking: http://www.missioncriticalemail.com/201 ... ices-2019/
Once you get familiar with the things used in that guide (only time and experience will help you), you will be able to start addressing some very specific things you may need to address.
Also, the information given in these 2 guides is quite important and will also help you avoid spam:
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above
Take a look at this guide also:
https://wiki.zimbra.com/wiki/Best_Pract ... _and_DMARC
Implement cpolicyd to limit the rate of outgoing emails, and enable the webUI (not officially supported, but it is worth the "risk"; it works in all the places I enabled it, and I have been using it for years in several versions) if you don't want to go crazy configuring that thing with SQL statements...
https://imanudin.net/2014/09/08/how-to- ... imbra-8-5/
https://imanudin.net/2014/09/12/zimbra- ... cyd-webui/
https://imanudin.net/2014/09/09/zimbra- ... n-policyd/
Hope that helps,
Re: Block whole domain for SPAM
Thank you for your help!
- JDunphy
- Outstanding Member
- Posts: 883
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Block whole domain for SPAM
Some awesome advice and links from Sebastian.
Unfortunately with all this stuff... it's hard to know what you are missing, and every article I had read didn't seem to help, so I wrote a wiki to share with friends. It's a start.
It walks you through writing some rules and shows how to debug your rules so you don't have to wait for the next spam message. We have been able to use Zimbra to build a scoring model that is tailored to our type of spam. Looking at the trained spam/ham was a good start for us to make our own rules more effective and to underscore many rules that were scored too high by default for our spam/ham mix.
ref: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
With Zimbra, you can block at 3 levels.... at the MX with Postfix or other, at amavisd, and finally at ClamAV or SA. Each has advantages, but we do most at SA here. You can even allow ClamAV to contribute to scoring if you configure amavisd and SA, because ClamAV can be a better tool when looking at binary documents, for example. Think of amavisd as the daemon that runs ClamAV and SA and is the final judge after gathering all the facts (i.e. scores). That might be a helpful conceptual model. If you only want to block via RBLs vs. get more into meta rules with SA, then enable postscreen and configure the scoring there to reduce the false positives to a minimum. IP reputation is a small part of our scoring model these days, because it often leads to false positives if you are not careful.
It's fairly trivial to block a domain with SA... just score it past 5 and it's in the junk folder... score it past 15 and it won't be delivered. If you score it with SA, you can test your rule without having to wait for the next delivery. The link above explains some of this.
Good luck.