Spam quarantine?

nodrog
Posts: 10
Joined: Thu Dec 20, 2018 12:04 pm

Spam quarantine?

Post by nodrog »

Hi

I have Zimbra Network 8.8.15 sitting behind a Proxmox MailGateway device which is filtering spam / malicious emails. The Proxmox MailGateway permits the recipient to release emails from the spam quarantine stored on the gateway which then releases the email to Zimbra.
One user has released several emails but they didn't land in his inbox / Junk folders and no NDR was received by the sender. I can only assume that the spam filter on Zimbra has picked it up. What would have happened to those emails? I can view the virus quarantine but they are not in there (guess that is just for ClamAV). Is there a spam quarantine or do they just get dropped?

Any help appreciated.

thanks
JDunphy
Outstanding Member
Posts: 901
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Spam quarantine?

Post by JDunphy »

Most likely they were dropped if they scored over 15 and you didn't see them delivered to the junk folder of the user. You can verify by doing something like this:

Code:

% grep -i blocked /var/log/zimbra.log | awk '{print $22,$12}' | sort
48.131, <4383-238-65151-1330-anna=example.com@mail.dancklion.us>
48.849, <7219-3014-57637-1916-bld=example.com@mail.autolights.buzz>
50.049, <7227-10623-54937-1919-helen=example.com@mail.autolights.buzz>
...

This is controlled by a kill level score which I think might be 15 or 20 by default. See /opt/zimbra/conf/amavisd.conf to see where it is set for your environment. It is controlled by Zimbra via the admin interface or via the command line via this LDAP variable: zimbraSpamKillPercent

There are a few ways around this ... raise the score to something very high or enable the amavisSpamLover option for user or domain.

Code:

# su - zimbra
% zmprov md example.com amavisSpamLover TRUE
% zmprov ma user@example.com amavisBypassSpamChecks TRUE amavisSpamLover TRUE

I have a script I use to verify the rules that fired, which is probably overkill vs that 1-liner above. It has the following syntax and can report ham or spam or discard and the rules.

Code:

check_rejected_spam.pl 
user is @ rules[0] ham[0] spam[0] discard[0]
usage: % check_spam.pl 
      [--user=<username>]
      [--ham|h ]
      [--spam|s ]
      [--discard|d ]
      [--rules|r ]
      [--option|o ]
    requires one of
       --ham | --spam | --discard
    where
       --ham will display only ham
       --spam will display only spam
       --discard will display not delivered email due to scoring
       --rules DO NOT display SA rules that fired
       --user will display only email destined for that user

I posted this quick and dirty script in these forums a while back and it's on my GitHub, but the script requires that amavis is logging at level 3 and isn't completely bug free as it doesn't account for intertwined threaded writes, but it is close enough for most cases to provide some confidence that your rules are working as they should. The following is documented at the top of that script:

Code:

# Zimbra Assumptions:
# Amavis at level 3 logging to see spam_scan lines in /var/log/zimbra.log to parse:
#   % zmprov ms `zmhostname` zimbraAmavisLogLevel 3
#   % zmantispamctl restart

There is also an amavis command that you can run:

Code:

# su - zimbra
% /opt/zimbra/common/bin/amavis-logwatch /var/log/zimbra.log

That script also suffers from the same intertwined thread write issue and will also give additional information as the log levels are increased for amavisd. If you have enough debugging log levels enabled, it will report the top rules that fired, for example. It also has a nice summary by default of how many were blocked, rejected, etc.

HTH,

Jim
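
Added example (not part of JDunphy's post or his script): a label-based variant of the grep/awk one-liner above that reads the score, envelope sender, recipients and queue ID by field name rather than by position, so a "Blocked SPAM" line carrying an extra field still parses and the result can be limited to one recipient. The log lines are constructed samples assumed to follow the amavis layout the one-liner relies on, and blocked_spam and sample_log are hypothetical names.

```shell
#!/bin/sh
# Constructed sample lines (not real traffic). The third line carries an extra
# "quarantine:" field, which moves the score away from awk field $22.
sample_log() {
cat <<'EOF'
Jan 10 09:15:01 mail amavis[2101]: (02101-01) Blocked SPAM {DiscardedInbound}, [192.0.2.10]:41234 [192.0.2.10] <bounce-1=example.com@mail.spam.example> -> <anna@example.com>, Queue-ID: 4A1B2C3D, Message-ID: <m1@mail.spam.example>, mail_id: aaa111, Hits: 48.131, size: 5120, 1200 ms
Jan 10 09:16:07 mail amavis[2101]: (02101-02) Passed SPAMMY {RelayedTaggedInbound}, [192.0.2.11]:41300 [192.0.2.11] <news@list.example> -> <anna@example.com>, Queue-ID: 4A1B2C3E, Message-ID: <m2@list.example>, mail_id: bbb222, Hits: 7.2, size: 2048, 900 ms
Jan 10 09:17:30 mail amavis[2102]: (02102-01) Blocked SPAM {DiscardedInbound,Quarantined}, [192.0.2.12]:41388 [192.0.2.12] <bounce-2=example.com@mail.spam.example> -> <bld@example.com>,<anna@example.com>, quarantine: spam-ccc333.gz, Queue-ID: 4A1B2C3F, Message-ID: <m3@mail.spam.example>, mail_id: ccc333, Hits: 50.049, size: 6144, 1500 ms
Jan 10 09:18:44 mail amavis[2102]: (02102-02) Blocked SPAM {DiscardedInbound}, [192.0.2.13]:41402 [192.0.2.13] <promo@bulk.example> -> <helen@example.com>, Queue-ID: 4A1B2C40, Message-ID: <m4@bulk.example>, mail_id: ddd444, Hits: 15.3, size: 3072, 800 ms
EOF
}

# blocked_spam LOGFILE [RECIPIENT]
# Prints "score sender recipients queue-id" for every "Blocked SPAM" line,
# highest score first, optionally limited to one recipient address.
blocked_spam() {
    awk -v rcpt="$2" '
    / Blocked SPAM / {
        score = from = to = qid = "-"
        for (i = 1; i <= NF; i++) {
            # Locate values by their label, not by a fixed column number.
            if ($i == "->")        { from = $(i - 1); to = $(i + 1) }
            if ($i == "Hits:")     score = $(i + 1)
            if ($i == "Queue-ID:") qid = $(i + 1)
        }
        # Drop the trailing comma that separates log fields.
        sub(/,$/, "", score); sub(/,$/, "", to); sub(/,$/, "", qid)
        # Recipients are logged as <a@x>,<b@y>; match the whole address.
        if (rcpt != "" && index(tolower(to), "<" tolower(rcpt) ">") == 0) next
        print score, from, to, qid
    }' "$1" | sort -rn
}

# Stand-alone run against the constructed sample; on a server, pass
# /var/log/zimbra.log and the affected user's address instead.
log=$(mktemp) && sample_log > "$log"
blocked_spam "$log" anna@example.com
rm -f "$log"
```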
nodrog
Posts: 10
Joined: Thu Dec 20, 2018 12:04 pm

Re: Spam quarantine?

Post by nodrog »

Thanks so much for the comprehensive response Jim.

I will dig a little for these specific emails using your guide but ultimately I think I will just disable the Zimbra AntiSpam service as the Proxmox tool is a bit more manageable and gives the option for end user self-service.