Block whole domain for SPAM

Blisk
Posts: 44
Joined: Tue May 21, 2019 7:47 am

Block whole domain for SPAM

Post by Blisk »

How can I block a whole domain, for example .info or .co, because I get most of my spam from these domains?
Is there also a possibility to block an IP?
Is there some option to do that in Zimbra Administration?
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Block whole domain for SPAM

Post by pup_seba »

Hi,

An easy way to do it is via spamassassin; it may not be the most CPU-effective, but it should do the trick quite easily.

You don't specify which version of zimbra you have, so paths may be different, but you could create /opt/zimbra/data/spamassassin/localrules/sauser.cf on your as/av servers and add the rules there. The domain one is going to be easier than the IP one, as the latter will require you to write a little regex. Use this carefully, as SA is quite resource consuming and letting this grow and grow will likely affect the performance of your server (also, tune it so it compiles rules, etc...there are quite a bunch of docs regarding this).

You should have lines like this in your sauser.cf for blocking addresses or domains.
# blacklist
blacklist_from gefolhapreu@something.com zeena3221@something.com
blacklist_from *@something.com

For IPs you need a regex...although if you already know exactly which IP is giving you problems, a "literal" is the easiest kind of regex and most likely the case you need (replace the "X" with the numbers of the IPs you are trying to block).

# Blacklist IP
header BANNED_IPS Received =~ /\[XXX\.XXX\.XXX\.XXX\]/
score BANNED_IPS 100

Make sure the zimbra user and group own that file, and once done, restart amavis with:
zmamavisdctl restart

Now, every time an email comes from that IP, it should match that rule and add 100 points to its score, which (if not changed from the defaults) will reach the "kill" score for that mail, making it skip even the "spam" folder and be discarded directly.

For IPs though...it is usually better to just use your perimeter firewalls and block those IPs there instead of creating the rules in zimbra.
Blisk
Posts: 44
Joined: Tue May 21, 2019 7:47 am

Re: Block whole domain for SPAM

Post by Blisk »

Zimbra version is 8.8.12 GA
So there is no GUI way to put in a whitelist or blacklist?
I tried that in amavisd but it crashes zimbra.
How can I block, for example, the whole .com domain?
Like this?
# blacklist
blacklist_from *.com

For IP I put exactly this into /opt/zimbra/data/spamassassin/localrules/sauser.cf
header BANNED_IPS Received =~ /\[193.12.11.180]/
score BANNED_IPS 100
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Block whole domain for SPAM

Post by pup_seba »

Hi,

So there is no GUI way to put in a whitelist or blacklist?
--> No, there is not.

I tried that in amavisd but it crashes zimbra.
--> You tried what exactly?

How can I block for example whole .com domain?
--> You could try this...but it would render your server quite useless. I'm not sure this will work, as this is quite an unusual configuration; people usually only block "one domain at a time" and not the whole ".com".
blacklist_from *@*.com

You can see more info here https://spamassassin.apache.org/full/3. ... _Conf.html

For IP I put exactly this into /opt/zimbra/data/spamassassin/localrules/sauser.cf
header BANNED_IPS Received =~ /\[193.12.11.180]/
score BANNED_IPS 100

Quite sure this won't work: the "\" are escape characters. In the example I gave you I used them, and here you are only using one of them. You could try this instead:
header BANNED_IPS Received =~ /\[193\.12\.11\.180\]/
score BANNED_IPS 100

Which escapes the "]" (it indicates that a group is ending, but you are not opening one) and the "." (which is a wildcard here). You only had to replace the "X" with the right numbers of the IP; you removed things you should not have removed.

Also, make sure sauser.cf is owned by zimbra (as root, execute "chown zimbra:zimbra /opt/zimbra/data/spamassassin/localrules/sauser.cf")

Regards,
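To make the scoring and escaping points in the two replies above concrete, here is an added Python example (not code from this thread, from Zimbra or from SpamAssassin) that emulates what the sauser.cf rules do: blacklist_from globs are matched against the From: address, a header rule with a regex is run over every Received: header, and the total score decides whether the message is delivered, tagged as junk, or dropped. The tag threshold of 5 and kill threshold of 15 are assumptions (5 is SpamAssassin's default required_score; 15 is the figure JDunphy quotes later in the thread), the sample messages and the .info glob are constructed, and escaping_demo shows why the unescaped pattern from the earlier post also fires on strings that are not the IP at all.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Local rules in the style of sauser.cf: blacklist_from globs and header
# rules with scores. The IP is the one discussed in the thread; the .info
# glob is constructed after Blisk's original question.
BLACKLIST_FROM = ["*@something.com", "*@*.info"]
BLACKLIST_SCORE = 100.0        # SpamAssassin's USER_IN_BLACKLIST score
HEADER_RULES = [
    # (rule name, header checked, regex, score)
    ("BANNED_IPS", "Received", re.compile(r"\[193\.12\.11\.180\]"), 100.0),
    ("LOTTERY_SUBJ", "Subject", re.compile(r"\blottery\b", re.I), 6.0),
]
# Assumed thresholds: 5 = tagged as spam (SA default required_score),
# 15 = kill level, the figure JDunphy gives later in the thread.
TAG_SCORE = 5.0
KILL_SCORE = 15.0


def sender_blacklisted(address):
    """Match an address against blacklist_from globs, case-insensitively.
    '*' and '?' behave as in SpamAssassin; fnmatch additionally treats
    [...] as a character class, which does not occur in real addresses."""
    address = address.lower()
    return any(fnmatchcase(address, glob.lower()) for glob in BLACKLIST_FROM)


def score_message(raw):
    """Return (total score, {rule: score}, verdict) for one RFC 822 message.
    Simplification: only From: is checked for blacklist_from (SA also looks
    at the envelope sender and Resent-From)."""
    msg = message_from_string(raw)
    hits = {}
    sender = parseaddr(msg.get("From", ""))[1]
    if sender_blacklisted(sender):
        hits["USER_IN_BLACKLIST"] = BLACKLIST_SCORE
    for name, header, pattern, score in HEADER_RULES:
        # Every instance of a repeated header (e.g. Received) is checked.
        if any(pattern.search(value) for value in msg.get_all(header, [])):
            hits[name] = score
    total = sum(hits.values())
    if total >= KILL_SCORE:
        verdict = "discard"   # past the kill level: never reaches a mailbox
    elif total >= TAG_SCORE:
        verdict = "junk"      # tagged as spam, lands in the Junk folder
    else:
        verdict = "deliver"
    return total, hits, verdict


UNESCAPED_IP = re.compile(r"\[193.12.11.180]")    # as first posted: '.' is a wildcard
ESCAPED_IP = re.compile(r"\[193\.12\.11\.180\]")  # corrected form


def escaping_demo():
    """For each bracketed string, (unescaped matches?, escaped matches?).
    The unescaped pattern also fires on look-alikes; the escaped one only
    on the literal IP."""
    samples = ["[193.12.11.180]", "[193x12x11x180]", "[193012011a180]"]
    return {s: (bool(UNESCAPED_IP.search(s)), bool(ESCAPED_IP.search(s)))
            for s in samples}


# Constructed sample messages (not real mail); other IPs are documentation ranges.
SAMPLES = {
    "dot_info": ("From: deals@promo.example.info\n"
                 "Received: from relay ([198.51.100.7])\n"
                 "Subject: hi\n\nbody\n"),
    "banned_ip": ("From: friend@example.org\n"
                  "Received: from mx.example.net ([203.0.113.9])\n"
                  "Received: from host ([193.12.11.180])\n"
                  "Subject: hi\n\nbody\n"),
    "lottery": ("From: friend@example.org\n"
                "Received: from relay ([198.51.100.7])\n"
                "Subject: You won the lottery\n\nbody\n"),
    "clean": ("From: friend@example.org\n"
              "Received: from relay ([198.51.100.7])\n"
              "Subject: lunch?\n\nbody\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
    print(escaping_demo())
```

Running it shows the three outcomes side by side: the .info sender and the banned relay both reach 100 and are discarded, the lottery subject alone scores 6 and only goes to Junk, and the clean message scores 0. The escaping_demo output is the practical reason for the backslashes: with "." unescaped, "[193x12x11x180]" matches the rule too.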
Blisk
Posts: 44
Joined: Tue May 21, 2019 7:47 am

Re: Block whole domain for SPAM

Post by Blisk »

Thank you for explaining. I will try this.
What I did is from this link, and it crashed amavis, antivirus and antispam:
https://wiki.zimbra.com/index.php?title ... FBlacklist
Domain white/black list

This can be accomplished by modifying /opt/zimbra/conf/amavisd.conf.in and adding a score for the domain that you want to change.

When scoring the domain, remember that negative scores whitelist, positive scores blacklist

Here's a whitelisting example:

Edit the file /opt/zimbra/conf/amavisd.conf.in and look for this section:

{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'bugtraq@securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,


At the top, add the domain you want to whitelist (eg, zimbra.com), with a strong negative score:

{ # a hash-type lookup table (associative array)
'zimbra.com' => -10.0,
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'bugtraq@securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,

Remember, if you want to blacklist a domain, make the score positive

Then restart amavis:

zmamavisdctl stop && zmamavisdctl start

Remember - you're trusting the sender's domain to be valid, so any email sent with an address in that domain will receive the score weighting - the address is not verified.

This can also be used with individual sender email addresses, as seen above.
Or this:
User white/black list

It is very simple, changing the amavis config:

put in /opt/zimbra/conf/amavis.conf.in

read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');
read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');
read_hash(\%spam_lovers, '/etc/zimbra/spamlovers');

In /etc/zimbra/* put sender address or domain, one per line. Wildcards allowed. Example:

hotstuff@sexnzen.com
spammersites.net

A spamlovers list is for those accounts that always need to receive all messages, even if spam. According to RFC 2822, postmaster, abuse and other accounts of this kind should be spam lovers. [However, instead of hacking amavis.conf.in to create a spamlovers list, it's probably better now to use zmprov <account> amavisSpamLover TRUE amavisBypassSpamChecks TRUE. It's possible that other recommendations on this page are similarly out of date--Ewilen 13:41, 9 August 2012 (PDT).]


I think we should prepare a script to save and restore these config changes upon zimbra updates...

Is there a way to improve the SPAM filter?
Is greylisting already built in?

regards
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Block whole domain for SPAM

Post by pup_seba »

Hi,

I don't know about those configurations. If your amavis is still broken, then you'll first need to undo what you did and THEN, apply what I'm suggesting.

Yes, you can improve anti-spam in zimbra, but there is a crazy way to do it, and then there is the supported way to do it. Follow the advice I gave you, which has no risk of breaking anything, is a supported way of tuning antispam and will work for what you need. Once done, you may open new threads asking concrete questions, because "improve antispam" is way too open to provide a proper answer imho.

Let us know how it goes.
Blisk
Posts: 44
Joined: Tue May 21, 2019 7:47 am

Re: Block whole domain for SPAM

Post by Blisk »

I already did what you suggest, so I need to wait for some spam to come.
Amavis works now. I have undone everything, but it still didn't work until I did some database update; now all works.
I will let you know if it works.

I was asking about improving SPAM with regard to this article, to install something more or add greylisting or something else.
I don't know what is already in Zimbra and what more can be added, so I don't know what to ask.
https://wiki.zimbra.com/index.php?title ... FBlacklist
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Block whole domain for SPAM

Post by pup_seba »

Hi,

"I already did what you suggest, so I need to wait for some spam to come."
--> If the configuration works, you won't be able to see the spam, not even in the "spam" folder :) At least the ones coming from that particular IP.

Amavis work now I have undone all but still didn't work until I do some database update, now all works.
--> Ok. I hope you mean "database update" in the sense of just tuning the zimbra value to auto-update spamassassin and letting it run :) Otherwise, try these on all your as/av zimbra servers:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true

I was asking about improving SPAM with regard to this article, to install something more or add greylisting or something else.
I don't know what is already in Zimbra and what more can be added, so I don't know what to ask.
https://wiki.zimbra.com/index.php?title ... FBlacklist
--> Oh, ok. So the best way to go is little by little. That particular article has some outdated info. Take a look at this updated guide written by Mark Stone instead of the one published as a "community contribution" (which also has information given by Mark) that you are checking: http://www.missioncriticalemail.com/201 ... ices-2019/
Once you get familiar with the things used in that guide (only time and experience will help you), you will be able to start addressing the very specific things you may need to address.

Also, the information given in these 2 guides is quite important and will also help you avoid spam:
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above

Take a look at this guide also:
https://wiki.zimbra.com/wiki/Best_Pract ... _and_DMARC

Implement cpolicyd to limit the rate of outgoing emails and enable the webUI (not officially supported, but it is worth the "risk"; it works in all the places I enabled it and I have been using it for years in several versions) if you don't want to go crazy configuring that thing with SQL statements...
https://imanudin.net/2014/09/08/how-to- ... imbra-8-5/
https://imanudin.net/2014/09/12/zimbra- ... cyd-webui/
https://imanudin.net/2014/09/09/zimbra- ... n-policyd/

Hope that helps,
Blisk
Posts: 44
Joined: Tue May 21, 2019 7:47 am

Re: Block whole domain for SPAM

Post by Blisk »

Thank you for your help!
JDunphy
Outstanding Member
Posts: 883
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Block whole domain for SPAM

Post by JDunphy »

Some awesome advice and links from Sebastian.

Unfortunately with all this stuff... it's hard to know what you are missing, and every article I had read didn't seem to help, so I wrote a wiki to share with friends. It's a start.
It walks you through writing some rules and shows how to debug your rules so you don't have to wait for the next spam message. We have been able to use Zimbra to build a scoring model that is tailored for our type of spam. Looking at the trained spam/ham was a good start for us to make our own rules more effective and to underscore many rules that were scored too high by default for our spam/ham mix.

ref: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting

With Zimbra, you can block at 3 levels.... at the MX with postfix or other, at amavisd and finally at clamav or SA. Each has advantages, but we do most at SA here. You can even allow clamav to contribute to scoring if you configure amavisd and SA, because clamav can be a better tool when looking at binary documents, for example. Think of amavisd as the daemon that runs clamav and SA and is the final judge after gathering all the facts (i.e. scores). That might be a helpful conceptual model. If you only want to block via RBLs vs. getting more into meta rules with SA, then enable postscreen and configure the scoring there to reduce the false positives to a minimum. IP reputation is a small part of our scoring model these days because it often leads to false positives if you are not careful.

It's fairly trivial to block a domain with SA... just score it past 5 and it's in the junk folder; score it past 15 and it won't be delivered. If you score it with SA, you can test your rule without having to wait for the next delivery. The link above explains some of this.

Good luck.