receiving more spam mail

boovan
Posts: 8
Joined: Fri May 12, 2017 5:28 am

receiving more spam mail

Postby boovan » Sun Jul 30, 2017 4:28 pm

Hi Guys,

We have a problem of receiving more spam mails in Zimbra. My current Zimbra version is 8.0.7_GA_6021.FOSS. Please suggest me a solution.


lokesh.v
Posts: 15
Joined: Thu Jul 21, 2016 6:43 am

Re: receiving more spam mail

Postby lokesh.v » Mon Jul 31, 2017 8:26 am

Hi All,

I also have this issue; kindly someone help to resolve this issue.

Thanks,
Lokesh.V
phoenix
Ambassador
Posts: 25209
Joined: Fri Sep 12, 2014 9:56 pm

Re: receiving more spam mail

Postby phoenix » Mon Jul 31, 2017 9:25 am

Neither of you have provided any information about what type of spam, where it's coming from, what triggers it, what RBLs you're using, what settings you've modified in ZCS nor what steps you've taken to try and resolve the problem. There are many threads on the forum and a wiki article on how to check your spam 'problem' and steps you can take to improve the situation - have you looked at any of those or tried any of those solutions? Give us a full description of your problem and what you've tried and perhaps someone may be able to give you some advice.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
JDunphy
Advanced member
Posts: 138
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.9_GA_1794.RHEL6_64_2017

Re: receiving more spam mail

Postby JDunphy » Mon Jul 31, 2017 3:34 pm

It is my opinion that spamassassin has had a lot of problems of late. Love the framework for building a scoring engine/model for our type of spam but not as happy with the rules. First we had no updates to the rules in April/May (exact dates or how long fail me now) because of a new physical server build, and after a few weeks the new rules stopped coming because the scores were incorrect and they had to hand-edit them, I believe, to get something working again. They are still not sure why at this point, so automatic updates have been stopped for the past 30+ days. I dug deeper on our zimbra systems and what I found was that a lot of the plugins have not been updated to handle modern HTML techniques that spammers were using to get around the rules. If that parsing doesn't work then the rules don't work well and the scoring is off and/or there are more false positives. I currently have patches for these:

Code:

mail:~/Zimbra/SpamAssassinAttatchPlugin:46> ls patches/*.pm
patches/HTMLEval.pm  patches/HTTPSMismatch.pm  patches/PerMsgStatus.pm
patches/HTML.pm      patches/MIMEEval.pm


I also noticed they were finding new obfuscation methods because of the above problems, which was resulting in more success in Bayes poisoning, so a lot of focus went into that. Finally, Zimbra's spamassassin has a lot of whitelist RBLs included, so weird stuff like this RCVD_IN_MSPIKE_H2 was -5 or something crazy since RCVD_IN_MSPIKE_H3 wasn't as high. As a result, I had to adjust some of the scoring in the whitelisting. Nothing fancy, just disabling the big negative scores that were causing us problems.

Code:

#whitelists
score RCVD_IN_MSPIKE_H2 0.1
score RCVD_IN_RP_CERTIFIED 0.1
score RCVD_IN_RP_SAFE 0.1
score RCVD_IN_IADB_OPTIN 0.1
score RCVD_IN_IADB_VOUCHED 0.1
score RCVD_IN_IADB_DOPTIN 0.1
score USER_IN_DEF_DKIM_WL 0.1


I don't know the answer, but in the end I wrote a few plugins and modified a few sendmail milters that are in the front end on a different machine to add some headers so spamassassin could score better. Previously, I had just a few rules but now find myself in full development mode. I recently started to mark incoming connections from foreign countries (! US/CANADA/UK/IE) to help us make additional choices with certain types of tracking spam for one customer that is US based for their email mix. I began following both the developers and users spamassassin mailing groups but none of what I am seeing appears to be a priority that I have seen, or we are the only one with this type of problem... I wanted more reputation checks based on the structure, envelope, etc. Our clients don't want false positives and they want all their email, so it's been a battle for the past few months. Something changed for us. I would love to get some of these patches into Zimbra but spam is a very specialized thing these days, so what works for someone isn't best for everyone. My initial thought process was to get these patches in the main trunk of spamassassin but that is proving difficult.

I tried to update HTML.pm with the patches to their spamassassin developers group but believe they see my changes as a start to opening a can of worms and have not confirmed my bug. They obviously have a deeper understanding of their system than I do. We found once we got in there, the more we changed the more problems that existed. For us HTML_FONT_LOW_CONTRAST needed to work better or bayes was at risk. That is what started the journey. It's a mess and it's a lot of work, but it's rewarding work to increase accuracy for your users, deliver email and tag spam. I would like to think we are in the business of delivering email, not rejecting email, so simply choosing more blacklists when spam seems to be winning isn't as helpful. We did add a milter to add headers of various BLs and then score the message on aggregate with additional envelope and other meta checks. Crazy what we have been doing.

I would be interested if others have found spam to be a bigger problem in the past 2-3 months.

One thing that has come out of this is that customization for your mix of spam is what I believe the spamassassin community expects you to do. Previously, I was content with just a few custom rules, but the current set of rules let in too much spam and created too many false positives. My milter stuff is on sendmail and I have modified both blackmilter and dnsbl-milter. Blackmilter has a very fast lookup in comparison to DNS lookups, so I went with that after rewriting the CIDRs into /8, /16, and /24. I chose the negative case... I list the countries I am interested in and anything else gets a header we use later. Again, these are only parts of a larger scoring engine, so country lookups are a very small part unless they are on 3 or 4 other blacklists. That was my change to dnsbl-milter so that we could see how many blacklists some of these incoming connections were on. Again, just a small fraction of the score since blacklists like zen and sorbs can at times have gmail listed.

I saw that Bill posted something about rspamd which I hadn't seen before. I was looking at mailscanner given a few of the spamassassin developers like to use it to feed spamassassin more data. No shortage of solutions for sure.
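JDunphy's post above describes rewriting the country CIDR lists into /8, /16 and /24 entries so blackmilter can do fast lookups, listing only the countries of interest and tagging every other connection with a header, plus a dnsbl-milter change that records how many blacklists a connection is on. The following is an added Python sketch of that bucketed lookup and header tagging; it is not JDunphy's milter code, and the CIDR list, IP addresses, blacklist names and the X-Foreign-Connection / X-DNSBL-Hits / X-DNSBL-Lists header names are all constructed for illustration.

```python
import ipaddress

# Constructed sample allowlist (documentation/test ranges, NOT real country
# allocations). In the setup described above this list would come from a
# geo-IP feed covering the countries the customer cares about (US/CA/UK/IE).
ALLOWED_CIDRS = [
    "10.0.0.0/8",          # lands in the /8 bucket
    "198.18.0.0/15",       # split into two /16 entries
    "192.0.2.0/24",        # /24 bucket
    "203.0.113.128/25",    # widened to its enclosing /24 (over-inclusive)
]


def build_index(cidrs):
    """Bucket CIDRs into /8, /16 and /24 network addresses.

    A lookup then costs at most three set-membership tests instead of a scan
    over every range, which is the speed-up the post attributes to blackmilter
    compared with per-connection DNS lookups.
    """
    index = {8: set(), 16: set(), 24: set()}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue  # IPv4 only in this sketch
        if net.prefixlen <= 8:
            bucket, pieces = 8, net.subnets(new_prefix=8)
        elif net.prefixlen <= 16:
            bucket, pieces = 16, net.subnets(new_prefix=16)
        else:
            # Anything longer than /24 is widened to its /24: cheaper lookups
            # at the cost of matching a few extra addresses.
            bucket = 24
            pieces = [ipaddress.ip_network(f"{net.network_address}/24", strict=False)]
        for piece in pieces:
            index[bucket].add(piece.network_address)
    return index


def is_allowed(index, ip):
    """True if ip falls inside any bucketed range (three lookups at most)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    for plen in (8, 16, 24):
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if net.network_address in index[plen]:
            return True
    return False


def milter_headers(index, client_ip, dnsbl_hits):
    """Headers a milter would add for later scoring (header names hypothetical).

    The 'negative case' from the post: only listed countries are allowed and
    anything else is tagged. The DNSBL count is just one small input to the
    aggregate score, not a verdict, since lists can carry big providers.
    """
    headers = {"X-DNSBL-Hits": str(len(dnsbl_hits))}
    if not is_allowed(index, client_ip):
        headers["X-Foreign-Connection"] = "yes"
    if dnsbl_hits:
        headers["X-DNSBL-Lists"] = ",".join(sorted(dnsbl_hits))
    return headers


if __name__ == "__main__":
    idx = build_index(ALLOWED_CIDRS)
    # Constructed connection: outside every allowed range, on two blacklists.
    print(milter_headers(idx, "100.64.1.1", ["bl-one.example", "bl-two.example"]))
```

The resulting headers are meant to be consumed by ordinary SpamAssassin `header` rules with small scores, so that a foreign connection or a couple of blacklist hits only nudges the total rather than deciding it on its own.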
phoenix
Ambassador
Posts: 25209
Joined: Fri Sep 12, 2014 9:56 pm

Re: receiving more spam mail

Postby phoenix » Mon Jul 31, 2017 4:29 pm

JDunphy wrote:I saw that Bill posted something about rspamd which I hadn't seen before. I was looking at mailscanner given a few of the spamassassin developers like to use it to feed spamassassin more data. No shortage of solutions for sure.
Yes, I did here: viewtopic.php?f=15&t=62443 - I think it's a far better solution than spamassassin and it's lightweight (on resources) by comparison to anything else I've seen, it's also relatively trivial to implement (after trying it on a test server, of course :)).
Regards

Bill

boovan
Posts: 8
Joined: Fri May 12, 2017 5:28 am

Re: receiving more spam mail

Postby boovan » Tue Aug 01, 2017 11:30 am

phoenix wrote:Neither of you have provided any information about what type of spam, where it's coming from, what triggers it, what RBLs you're using, what settings you've modified in ZCS nor what steps you've taken to try and resolve the problem. There are many threads on the forum and a wiki article on how to check your spam 'problem' and steps you can take to improve the situation - have you looked at any of those or tried any of those solutions? Give us a full description of your problem and what you've tried and perhaps someone may be able to give you some advice.



Actually, spam mail with our own domain name (ex: go@ourdomain.com) is coming, but the GO user is not at all there in our domain. How to resolve this issue?
JDunphy
Advanced member
Posts: 138
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.9_GA_1794.RHEL6_64_2017

Re: receiving more spam mail

Postby JDunphy » Tue Aug 01, 2017 1:41 pm

Assuming you are talking about spoofed from's and not envelope from's. If you view the received headers in your email you should be able to determine which type of spoofed from you have. The 'From:' header comes in the DATA phase of SMTP so it could be anything or even missing. The envelope from is what the connecting MTA uses... ie. RCPT TO:<go@example.net>. Without that, it would bounce or return no such user for invalid email addresses unless you have your MTA configured for deferred bounce, etc.

This might help for the header "From: spoofed type" variety. See other threads recently on how to modify /opt/zimbra/data/spamassassin/localrules/sauser.cf
and test with spamassassin --lint and then howto's to see if the rules will work. There are other ways to reject it outright depending on your environment. The example below demonstrates a spamassassin method.

Note: DKIM_VALID_AU is signed by the author's domain whereas DKIM_VALID is signed, if that helps, since it's not uncommon to see multiple DKIMs per message.

You would need to digitally sign your email, SPF, DMARC, etc. Without doing that, many of the bigger sites will send your email directly to the junk folder. You also reduce your opportunities to filter spam as in the example below.

Code:

#spoofed from
# author (header From:) address is in one of our domains; dots escaped so
# the pattern matches only the literal domain names
header __SPFSENDER_FROM From:addr =~ /\@example\.com|\@example\.net/i
# our domain in From: but no DKIM signature aligned with the author domain
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed


By scoring it past 5 or what your minimum is for junk, it goes to the users junk. If you score it past 15, it can be discarded directly by the spam system and not delivered. If you want this new rule to only contribute to your junk score, then lower the score to a few points and let the system use the other rules to determine how spammy it was. Much of this is discussed in various zimbra wiki's about spam in greater detail.

Note: I hesitate to post this because these forums could quickly evolve into I have this type of spam message and what do I do. The spamassassin users mailing group is a great place to learn and discuss your specific questions about spamassassin. I know enough about spamassassin to be dangerous so you have been warned. :-) Hope this helps.
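To make the SPOOFED_FROM rule's logic concrete, here is an added Python example that applies the same test to parsed messages: our domain in the author From: header and no aligned DKIM pass. It is not JDunphy's code and not SpamAssassin; it assumes an upstream verifier (for instance a DKIM milter) records its results in an Authentication-Results header under the authserv-id mx.example.com, which stands in for SpamAssassin's own DKIM_VALID_AU check. The domains, messages and header values are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Author domains matched by the post's __SPFSENDER_FROM rule.
OUR_DOMAINS = {"example.com", "example.net"}

# authserv-id our own verifier writes into Authentication-Results (assumed
# value). Only results stamped with it are trusted: any other A-R header may
# have been attached before the message reached us, so the border MTA should
# strip or ignore foreign ones, as RFC 8601 recommends.
AUTHSERV_ID = "mx.example.com"


def from_domain(msg):
    """Domain of the author (header From:) address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_pass_domains(msg, authserv_id=AUTHSERV_ID):
    """Signing domains (header.d=) with dkim=pass in trusted Authentication-Results.

    Stand-in for DKIM_VALID_AU: SpamAssassin verifies the signature itself,
    here we rely on an upstream verifier's recorded result instead.
    """
    passed = set()
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(str(ar).split())  # unfold continuation lines
        if not ar.lower().startswith(authserv_id.lower() + ";"):
            continue  # not written by our verifier: ignore it
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.I):
            passed.add(m.group(1).lower())
    return passed


def spoofed_from_score(msg, score=7.0):
    """Points the SPOOFED_FROM meta rule would contribute: our domain in From:
    but no DKIM pass aligned with that domain."""
    domain = from_domain(msg)
    if domain in OUR_DOMAINS and domain not in dkim_pass_domains(msg):
        return score
    return 0.0


def score_text(raw, score=7.0):
    """Parse a raw RFC 5322 message and score it."""
    return spoofed_from_score(email.message_from_string(raw), score)


# Constructed sample messages (not real traffic).
SPOOFED = """From: "IT Desk" <go@example.com>
To: user@example.com
Subject: Password reset
Authentication-Results: mx.example.com; dkim=none

please click
"""

SIGNED = """From: alice@example.com
To: bob@example.net
Subject: Hello
Authentication-Results: mx.example.com; dkim=pass header.d=example.com header.s=sel1

hi
"""

# Same From:, but the only dkim=pass sits in an A-R header our verifier did
# not write, so it must not count.
UNTRUSTED_AR = """From: go@example.com
To: user@example.com
Subject: Invoice
Authentication-Results: other.invalid; dkim=pass header.d=example.com

see attached
"""

OUTSIDE = """From: friend@partner.example
To: user@example.com
Subject: Lunch

noon?
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("signed", SIGNED),
                      ("untrusted-ar", UNTRUSTED_AR), ("outside", OUTSIDE)]:
        print(f"{name}: {score_text(raw)}")
```

As in the post, the score parameter decides the outcome: 7 pushes a message past the usual junk threshold on its own, while a value of 2 or 3 only contributes and leaves the verdict to the remaining rules.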
