SURBL

snowymoountain
Advanced member
Posts: 111
Joined: Thu Aug 02, 2018 4:24 pm

SURBL

Post by snowymoountain »

Hi,

I would like to use an SURBL in Zimbra. We currently use Magicspam, which is great, but would like to use SURBL lists, specifically the Invaluement SURBL. Where do we put this in the settings in Zimbra? In this case, to be absolutely clear, we want to examine IP addresses as links in email, not the IP address of the email...

as detailed here...

https://web.archive.org/web/20120505190 ... om/ivmuri/

Also, is there much point in installing RAZOR & PYZOR?

I have ASSP in a separate VM but it looks so complex I would rather not use it... certainly for now although the feature set is tempting... especially sender whitelisting.
JDunphy
Outstanding Member
Posts: 897
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: SURBL

Post by JDunphy »

We use invaluement. Put it with your other local rules: sauser.cf (/opt/zimbra/data/spamassassin/localrules/sauser.cf)

Note: we reduced the scores that Rob had as his SA examples because there can be FP's but it's pretty accurate nonetheless. He will remove FP's and is very responsive but some banks kept getting listed so that became tedious. If you create a meta rule, you can ladder up the scores to get the same benefit as his default scores.

Example:

# Sub-rule (names starting with "__" are not scored): true when more than two of these rules hit
meta     __J_BL_MULTIPLE   (BL_BARRACUDA + J_SORBS_BL + URIBL_IVMURI + RCVD_IN_IVMSIP + BL_SPAMCOP) > 2
meta     J_BL_MULTIPLE0    (__J_BL_MULTIPLE && SPF_HELO_NONE)
score    J_BL_MULTIPLE0    1
describe J_BL_MULTIPLE0    At least 3 blacklists with no SPF

It's a paid-for blacklist, in case you were not aware, and you need to register your IPs with Rob when you sign up for the service. Have used it for a few years with excellent results and it can help with some difficult spam. Especially the URI list.

ref:https://www.invaluement.com/

We don't use the Razor/Pyzor here but heavily customize sauser.cf for our spam mixes.
Last edited by JDunphy on Fri Jun 28, 2019 3:36 pm, edited 1 time in total.
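
Added example, not part of the thread or of any poster's configuration: the opening question separates IP addresses that appear as links in a message from the IP address that delivered it, and this Python code builds the DNS names a conventional URI-blacklist lookup would query for the links only. The zone `uribl.example.invalid`, the sample message and the function names are assumptions, and the last-two-labels domain reduction is a simplification of the TLD table a real filter uses.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Placeholder zone (assumption): the real zone name comes from the list operator.
URI_ZONE = "uribl.example.invalid"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message; all addresses are from documentation ranges.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
From: sender@example.net
Subject: invoice

Please review http://203.0.113.45/pay and https://www.example.org/help
"""

def uri_hosts(raw_message):
    """Return the hosts of http(s) links in the body; headers are ignored."""
    body = message_from_string(raw_message).get_payload()
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def query_name(host, zone=URI_ZONE):
    """Build the DNS name a URI blacklist lookup would ask for."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        # Simplification: keep the last two labels as the registered domain.
        return ".".join(host.split(".")[-2:]) + "." + zone
    # IP literal used as a link: octets are reversed, as in IP-based DNSBLs.
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def uri_queries(raw_message, zone=URI_ZONE):
    """Query names for every link host; the relay IP in Received is never used."""
    return [query_name(h, zone) for h in uri_hosts(raw_message)]

if __name__ == "__main__":
    for name in uri_queries(SAMPLE):
        print(name)
```

The relay address in the `Received` header never reaches the URI lookup; checking it is the job of a separate sender-IP list.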
L. Mark Stone
Ambassador
Posts: 2800
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SURBL

Post by L. Mark Stone »

JDunphy wrote:We use invaluement. Put it with your other local rules: salocal.cf (/opt/zimbra/data/spamassassin/localrules/sauser.cf)

Note: we reduced the scores that Rob had as his SA examples because there can be FP's but it's pretty accurate nonetheless. He will remove FP's and is very responsive but some banks kept getting listed so that became tedious. If you create a meta rule, you can ladder up the scores to get the same benefit as his default scores.

Example:

# Sub-rule (names starting with "__" are not scored): true when more than two of these rules hit
meta     __J_BL_MULTIPLE   (BL_BARRACUDA + J_SORBS_BL + URIBL_IVMURI + RCVD_IN_IVMSIP + BL_SPAMCOP) > 2
meta     J_BL_MULTIPLE0    (__J_BL_MULTIPLE && SPF_HELO_NONE)
score    J_BL_MULTIPLE0    1
describe J_BL_MULTIPLE0    At least 3 blacklists with no SPF

It's a paid-for blacklist, in case you were not aware, and you need to register your IPs with Rob when you sign up for the service. Have used it for a few years with excellent results and it can help with some difficult spam. Especially the URI list.

ref:https://www.invaluement.com/

We don't use the Razor/Pyzor here but heavily customize salocal.cf for our spam mixes.

I too can sing invaluement's praises, and have documented its usage in my 2019 Anti-Spam Best Practices blog post: https://www.missioncriticalemail.com/20 ... ices-2019/

Also, @JDunphy, editing salocal.cf is suboptimal, because when you install a new Zimbra version salocal.cf typically gets written over. Better is to create a new file, sauser.cf, with your own customizations; this file will survive Zimbra upgrades. Further, sauser.cf gets loaded after salocal.cf and so in the event of any conflicts between the two (e.g. you've adjusted a spam score for a specific test), the value in your sauser.cf will replace the value loaded by salocal.cf.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
JDunphy
Outstanding Member
Posts: 897
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: SURBL

Post by JDunphy »

L. Mark Stone wrote: Also, @JDunphy, editing salocal.cf is suboptimal, because when you install a new Zimbra version salocal.cf typically gets written over. Better is to create a new file, sauser.cf, with your own customizations; this file will survive Zimbra upgrades. Further, sauser.cf gets loaded after salocal.cf and so in the event of any conflicts between the two (e.g. you've adjusted a spam score for a specific test), the value in your sauser.cf will replace the value loaded by salocal.cf.

Hope that helps,
Mark

Absolutely, Mark! Typo on my part... modify sauser.cf. Don't modify salocal.cf ... I had the pathname correct above. I'll edit my post above so that doesn't hang around. BTW, when you upgrade to SA 3.4.2 or above you will definitely appreciate not touching salocal.cf :-)
invaluement
Posts: 3
Joined: Wed Jul 03, 2019 6:37 am

Re: SURBL

Post by invaluement »

JDunphy wrote: but some banks kept getting listed so that became tedious

This is Rob McEwen, CEO of invaluement. Thanks for all the recommendations of invaluement in this thread. There was one criticism found above that was absolutely deserved, although no anti-spam blacklist is perfect. Off-list, I reached out to JDunphy to learn more about this situation. While we always had that particular bank's main domain name whitelisted, they were using some weird off-the-beaten-path extra domain that got blacklisted by invaluement a few times a while back. I have since added that domain to our whitelist, and I identified changes that we're in the process of making that will make situations like that one even more rare in the future. However, in spite of our mistake, thankfully, it appears that this was JDunphy's worst example of a false positive, and it happened a while ago - back in 2017. In spite of this one mistake from 2017, both others and JDunphy recommended invaluement in this thread, and we're very grateful for that.
Syd4floyd
Posts: 3
Joined: Mon Nov 11, 2019 8:41 pm

Re: SURBL

Post by Syd4floyd »

Invaluement is a nightmare. I would never use them. They block genuine mails.
It has happened to me three times. Most recently today.
When I say three times, the second time, I was blocked to two e-mail addresses (members of my family) for several days until I worked out how to contact invaluement.
The first time, I hadn't realised where the problem lay, and I sent a paper letter to my correspondent instead.
I am a client of the French ISP SFR, a major company.
When I send a mail I am dynamically allocated an IP.
Invaluement block a whole range of IPs, so even if I try again, and get a different allocation, the mail is still blocked.
So don't sing the praises of invaluement. You may be spam free, but you may never know which genuine mails you are missing.
L. Mark Stone
Ambassador
Posts: 2800
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SURBL

Post by L. Mark Stone »

Syd4floyd wrote:Invaluement is a nightmare. I would never use them. They block genuine mails.
It has happened to me three times. Most recently today.
When I say three times, the second time, I was blocked to two e-mail addresses (members of my family) for several days until I worked out how to contact invaluement.
The first time, I hadn't realised where the problem lay, and I sent a paper letter to my correspondent instead.
I am a client of the French ISP SFR, a major company.
When I send a mail I am dynamically allocated an IP.
Invaluement block a whole range of IPs, so even if I try again, and get a different allocation, the mail is still blocked.
So don't sing the praises of invaluement. You may be spam free, but you may never know which genuine mails you are missing.

Just to be clear... Are you saying you host your own Zimbra server on a dynamic IP address?

If that’s the case, you will be frequently blacklisted by many dnsbls, not just invaluement.

In the first case, dynamic IP ranges are on many blacklists because exploited home devices are often spam sources.

Second, your domain will likely become blacklisted as it will appear that your domain is changing IP addresses to use a new IP address after the previous one got blacklisted.

Hope that helps,
Mark
Syd4floyd
Posts: 3
Joined: Mon Nov 11, 2019 8:41 pm

Re: SURBL

Post by Syd4floyd »

Sorry, I should have been clearer.
I found myself on the Zimbra forum because I googled invaluement.
Seeing these posts praising invaluement made me see red, so I registered in order to reply.
I am just a simple guy with an email address which I created with SFR over 20 years ago.
Until recently, I have not suffered blacklisting.
Then suddenly on 18 August this year I got a blacklist message. At the time I didn't really understand it. I didn't know the destinataire so I sent a paper letter by post.
Then on 2 October, I was blocked again. This time for two mails to members of my family. So this time I went further and found the way to request an unblock.
Then again, today, invaluement has blocked me from an address with which I correspond a lot.
As I sent several mails, on the occasion in October, all of which had slightly different IP addresses, and all of which were blocked, it is clear invaluement had blocked a whole range.
And I maintain. If just having a dynamic IP means one is likely to be blocked by overzealous spam blockers, there is something wrong in principle.
An ordinary guy like me doesn't have his own domain. The vast majority of emails all over the world must be sent from generic domains like SFR or gmail or wanadoo, etc.
Companies have their own domains, individuals don't. My wife receives mails from her journalist's union, a fully fledged organisation. The domain is gmail.
So, I am sorry if I have cluttered up a forum with something that doesn't really concern Zimbra. But I was (am) so angry, I had to get it off my chest.
L. Mark Stone
Ambassador
Posts: 2800
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SURBL

Post by L. Mark Stone »

Syd4floyd wrote:Sorry, I should have been clearer.
I found myself on the Zimbra forum because I googled invaluement.
Seeing these posts praising invaluement made me see red, so I registered in order to reply.
I am just a simple guy with an email address which I created with SFR over 20 years ago.
Until recently, I have not suffered blacklisting.
Then suddenly on 18 August this year I got a blacklist message. At the time I didn't really understand it. I didn't know the destinataire so I sent a paper letter by post.
Then on 2 October, I was blocked again. This time for two mails to members of my family. So this time I went further and found the way to request an unblock.
Then again, today, invaluement has blocked me from an address with which I correspond a lot.
As I sent several mails, on the occasion in October, all of which had slightly different IP addresses, and all of which were blocked, it is clear invaluement had blocked a whole range.
And I maintain. If just having a dynamic IP means one is likely to be blocked by overzealous spam blockers, there is something wrong in principle.
An ordinary guy like me doesn't have his own domain. The vast majority of emails all over the world must be sent from generic domains like SFR or gmail or wanadoo, etc.
Companies have their own domains, individuals don't. My wife receives mails from her journalist's union, a fully fledged organisation. The domain is gmail.
So, I am sorry if I have cluttered up a forum with something that doesn't really concern Zimbra. But I was (am) so angry, I had to get it off my chest.

I totally understand your frustration, but the world of email has changed a lot in the years that you have been using your ISP's email service.

First, more than ~95% of all email sent out these days is spam/malware; and the overwhelming majority of that comes from compromised computers -- on dynamic IP addresses. So I agree, there is something wrong in principle here, and it's nothing that you've done.

But I would also disagree with you that individuals do not have their own domain. My family has a domain, and I know lots of others who have their own email domains for strictly personal use. Domains are cheap to buy and paid email hosting is relatively inexpensive. With a good provider, you will avoid the problems you are now having, and since you control your own domain, you can have an email address for life.

All the best,
Mark
Syd4floyd
Posts: 3
Joined: Mon Nov 11, 2019 8:41 pm

Re: SURBL

Post by Syd4floyd »

Individuals having their own domain must be an American thing. I have just scrolled through my contacts list and there is not a single individual with his or her own domain. It would seem the most common is gmail.

Also, my ISP has a spam blocker, so I see how many spams have been blocked. It is nothing like 95%. More like 15-20%. Also I have to look once a day, because there is usually at least one false positive.

However, I will take your advice on board. I am loath to change my e-mail address of 20 years, but I can see the advantage of having a domain that you control and is not dependent on an ISP.