Solution for large size spam

mikec24
Posts: 4
Joined: Mon Mar 20, 2017 4:52 pm

Postby mikec24 » Thu Nov 02, 2017 3:56 pm

Hi all

Zimbra Collaboration Suite 8.7.2

My apologies if this has been covered elsewhere (I did search) being a relative newbie to this forum I may have overlooked previous posts

My question is twofold

Is there an up-to-date Anti-Spam Strategy document? The one published in the Zimbra Tech Centre was used up to entering the various RBLs but then I found that my usual echo mailers failed to work and that after a few hours I had no email at all. multi.uribl.com was responsible for rejecting the echo mailers

I did stop using that guide before installing Pyzor and Razor2 as by then my confidence was shaken a tad

The whole reason for enabling anti-spam was that I have been receiving a lot (80+/day) of large size email mostly made up of Regular Expression characters, these emails can be up to 800K in size

Any help will be greatly appreciated

Regards

Mikec24


phoenix
Ambassador
Posts: 26785
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Solution for large size spam

Postby phoenix » Thu Nov 02, 2017 4:03 pm

If you want an alternative (and in my opinion, better) strategy for your anti-spam then take a look at rspamd, mentioned in my signature. I'd suggest installing it on a test server first, assuming you have one, and seeing how you get on but it is relatively trivial to install and get running. If you do try it here's the usual proviso, make sure you back up all files before modifying them. :)
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
mikec24
Posts: 4
Joined: Mon Mar 20, 2017 4:52 pm

Re: Solution for large size spam

Postby mikec24 » Tue Nov 07, 2017 2:39 pm

Hi Bill thanks for your reply

I am still in the early stages of becoming familiar with ZCS and would be reluctant to go 'off piste' at this time. I would rather see if I can resolve my issue with what is available within ZCS

The problem that I am facing, is large size spam (>1M) bypassing spamassassin.

I understand that spam is passed from spamc to spamd and that spamc has a default max size of 500K, above which spam would be let through without checking.

Although the documents suggest that there is a config file, I have not discovered its whereabouts within ZCS

I have discovered that you can pass arguments regarding maximum size when calling spamc and there is a fairly elegant workaround below

mv /usr/bin/spamc /usr/bin/spamc-orig

Create /usr/bin/spamc with this as the contents:

#!/bin/sh
# Swap the size limit passed with -s before handing off to the real spamc
# (change the size to suit).
ARGS=`echo $@ | sed "s/\-s\ 256000/\-s\ 1024000/g"`
/usr/bin/spamc-orig $ARGS

(The above published by Evan F from the Plesk forum)

Before I go this route, I would like to know if there is a better way?

Regards

Mikec24
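
Added example, not part of the original post or of the Plesk forum script it quotes: the same wrapper idea with each argument passed through intact instead of being flattened by `echo $@ | sed`, and with any numeric `-s` value below the target raised rather than only the literal `256000`. It assumes the real binary sits at /usr/bin/spamc-orig as in the post; `SPAMC_REAL` and `SPAMC_MAX_SIZE` are hypothetical override variables.

```shell
#!/bin/sh
# Added example: spamc wrapper that raises the -s (max message size) value
# while passing every other argument through unchanged, spaces included.
# Assumes the real binary was moved to /usr/bin/spamc-orig as in the post.
# SPAMC_REAL and SPAMC_MAX_SIZE are hypothetical overrides for testing.

spamc_wrap() {
    real=${SPAMC_REAL:-/usr/bin/spamc-orig}
    new_size=${SPAMC_MAX_SIZE:-1024000}
    n=$#
    prev=
    # Rotate through the positional parameters once, rebuilding "$@" in order.
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        out=$arg
        if [ "$prev" = "-s" ]; then
            case $arg in
                ''|*[!0-9]*) ;;   # not a plain number: leave it alone
                *) if [ "$arg" -lt "$new_size" ]; then out=$new_size; fi ;;
            esac
        fi
        set -- "$@" "$out"
        prev=$arg
        n=$((n - 1))
    done
    "$real" "$@"
}

# Run only when this file is installed under the name spamc.
if [ "${0##*/}" = spamc ]; then
    spamc_wrap "$@"
fi
```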
L. Mark Stone
Elite member
Posts: 2237
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Solution for large size spam

Postby L. Mark Stone » Tue Nov 07, 2017 3:05 pm

mikec24 wrote:
Hi all

Zimbra Collaboration Suite 8.7.2

My apologies if this has been covered elsewhere (I did search) being a relative newbie to this forum I may have overlooked previous posts

My question is twofold

Is there an up-to-date Anti-Spam Strategy document? The one published in the Zimbra Tech Centre was used up to entering the various RBLs but then I found that my usual echo mailers failed to work and that after a few hours I had no email at all. multi.uribl.com was responsible for rejecting the echo mailers

I did stop using that guide before installing Pyzor and Razor2 as by then my confidence was shaken a tad

The whole reason for enabling anti-spam was that I have been receiving a lot (80+/day) of large size email mostly made up of Regular Expression characters, these emails can be up to 800K in size

Any help will be greatly appreciated

Regards

Mikec24


There are IMHO too many anti-spam wiki documents (and I wrote a big portion of one of them years ago), so not surprised that you are not finding clarity there.

Large spam is an issue we started seeing earlier this year in our Barracuda, which, like the amavisd/spamassassin combo in Zimbra, gives large emails some exceptions from in-depth anti-spam scanning -- primarily because doing so is very disk intensive. Barracuda and Zimbra both have a setting to raise the threshold.

In Zimbra's case, you'll need to hand edit /opt/zimbra/conf/amavisd.conf.in. This file is a kind of "template" that Zimbra's zmconfigd service uses to rewrite the actual amavisd.conf file each time the service is restarted, so if you keep a backup you won't be going too far "off piste".

Essentially, the line to look for in /opt/zimbra/conf/amavisd.conf.in is:

Code:

$sa_mail_body_size_limit = 512*1024; # don't waste time on SA if mail is larger


You can increase the size threshold some (increase the 512) but understand this will add load on your disks. Depending on how many emails per hour your Zimbra server processes, you may want to move the MTA function out to a dedicated Zimbra server and/or use a big enough RAM disk for amavis's tmp directory (again, not going too far off piste at all...).

The bottom line is that the RBLs typically pick up on the large spam senders pretty quickly, so if you change nothing and some still sneaks through, likely you will find that additional such large spams are being subsequently blocked via the RBLs.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
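
The template edit described in the post above, scripted as an added example (not Zimbra tooling and not part of the original posts): it keeps a timestamped backup, changes only the number in the `$sa_mail_body_size_limit` line, and refuses to touch a file that does not contain exactly one such active line. The function names and the `.bak.<timestamp>` and `.new` file suffixes are assumptions; the demo runs on a constructed fragment, not the real template.

```shell
#!/bin/sh
# Added example: raise $sa_mail_body_size_limit in an amavisd template file.
# PRE/POST match the text before and after the KiB number in "N*1024;".
PRE='[[:space:]]*[$]sa_mail_body_size_limit[[:space:]]*=[[:space:]]*'
POST='[[:space:]]*\*[[:space:]]*1024[[:space:]]*;'

# get_sa_limit FILE: print the current limit in KiB (the N in "N*1024").
get_sa_limit() {
    sed -n "s/^${PRE}\([0-9][0-9]*\)${POST}.*/\1/p" "$1"
}

# set_sa_limit FILE KIB: back up FILE, then rewrite only the number.
set_sa_limit() {
    file=$1
    kib=$2
    case $kib in
        ''|*[!0-9]*) echo "limit must be a whole number of KiB" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Exactly one active setting line must exist; anything else needs a human.
    hits=$(grep -c "^${PRE}[0-9][0-9]*${POST}" "$file") || true
    [ "$hits" = 1 ] || { echo "expected 1 setting line, found $hits" >&2; return 3; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Write to a temp copy, then cat it back so owner and mode stay unchanged.
    sed "s/^\(${PRE}\)[0-9][0-9]*\(${POST}\)/\1${kib}\2/" "$file" > "$file.new" &&
        cat "$file.new" > "$file" && rm -f "$file.new"
}

# Demo on a constructed fragment; the setting line is the one quoted in the post.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample, not the real template' \
        '$sa_mail_body_size_limit = 512*1024; # don'\''t waste time on SA if mail is larger' \
        > "$tmp/amavisd.conf.in"
    set_sa_limit "$tmp/amavisd.conf.in" 2048 && get_sa_limit "$tmp/amavisd.conf.in"
    rm -rf "$tmp"
}
```

On a real server the file argument would be /opt/zimbra/conf/amavisd.conf.in, and the change takes effect once the service is restarted and the template is rewritten into amavisd.conf, as the post describes.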
