Question about SpamAssassin customization

GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Question about SpamAssassin customization

Post by GlooM »

Hello!

Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.7.11_P14.

I want to block phishing emails based on certain words in the email body.

1) In this instruction, "https://imanudin.net/2015/02/13/zimbra- ... ody-email/", I need to edit the /opt/zimbra/conf/salocal.cf.in file. But this instruction is old, and if I open this file I see the text "# Do not modify this file", and in the salocal.cf file I see the text "# This is the right place to customize your installation of SpamAssassin."
Please tell me which file is the correct one to change in my version of Zimbra.

2) In many phishing emails, the word "Zimbra" is found, while in normal correspondence this word is almost never used. Is it correct to block the word "Zimbra", or can it damage some internal mechanisms of the mail server?
Ghosto
Posts: 14
Joined: Tue Feb 19, 2019 12:45 am

Re: Question about SpamAssassin customization

Post by Ghosto »

1) You need to edit the /opt/zimbra/conf/salocal.cf.in file. After restarting the service (zmmtactl stop && zmmtactl start), all changes will be in the salocal.cf file.

2) You can create custom rules. Create file /opt/zimbra/data/spamassassin/localrules/myrule.cf and put in it:

body MY_RULE_1 /Zimbra/
score MY_RULE_1 5

And all emails with the word "Zimbra" in the body (not the header) will be assigned to this rule.
Also, you can control how much score will be added (in this case 5 will be added; you can change it).

By default, as I remember, an email needs to reach a score of 5 or above to be SPAM and get into the spam folder. (You can see it in the email original, "X-Spam-Status".)

You can set the score to 50, and that email will be banned permanently, but a lot of legitimate email may be banned. I do not recommend using it.
king0770
Outstanding Member
Posts: 242
Joined: Fri Sep 12, 2014 10:44 pm

Re: Question about SpamAssassin customization

Post by king0770 »

Nobody should be changing the /opt/zimbra/conf/salocal.cf.in file, or any *.in file for that matter.

As Ghosto already mentioned, put your rules in a *.cf file in the /opt/zimbra/data/spamassassin/localrules/ directory.

Changes to the /opt/zimbra/conf/salocal.cf.in file will not survive upgrades.

Any *.cf files that are created or updated in the /opt/zimbra/data/spamassassin/localrules/ directory will require a restart of the Amavis service.

zmamavisdctl restart
--
Rick King
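
A narrower variant of the rule discussed in the two replies above, added here as an illustration and not posted by anyone in the thread: the bare word "Zimbra" only nudges the score, and the larger scores apply when it appears together with account-lure wording. The rule names, phrases and score values are constructed assumptions to tune against your own mail; only the localrules path and the restart command come from the thread.

```conf
# /opt/zimbra/data/spamassassin/localrules/myrule.cf
# Added example: names, phrases and scores below are constructed, not Zimbra defaults.

# The word alone gets a small score, so a legitimate message that merely
# mentions Zimbra (an admin report, a colleague's question) is not pushed
# over the spam threshold by this rule on its own.
body     MY_ZIMBRA_WORD   /\bzimbra\b/i
describe MY_ZIMBRA_WORD   Body mentions Zimbra
score    MY_ZIMBRA_WORD   0.5

# Sub-rules: names starting with "__" carry no score of their own and are
# only used as building blocks for meta rules.
body     __MY_CRED_LURE   /\b(?:verify|confirm|validate|update)\s+your\s+(?:account|password|mailbox)\b/i
body     __MY_QUOTA_LURE  /\b(?:mailbox|storage)\s+(?:quota|limit)\s+(?:exceeded|reached|is\s+full)\b/i
body     __MY_URGENCY     /\b(?:within\s+24\s+hours|will\s+be\s+(?:suspended|deactivated|closed))\b/i

# "Zimbra" together with a credential or quota lure.
meta     MY_ZIMBRA_LURE   (MY_ZIMBRA_WORD && (__MY_CRED_LURE || __MY_QUOTA_LURE))
describe MY_ZIMBRA_LURE   Zimbra mentioned with account/quota lure
score    MY_ZIMBRA_LURE   3.0

# The lure plus a deadline or suspension threat.
meta     MY_ZIMBRA_PHISH  (MY_ZIMBRA_LURE && __MY_URGENCY)
describe MY_ZIMBRA_PHISH  Zimbra account lure with urgency wording
score    MY_ZIMBRA_PHISH  2.0

# Scores add up: a message hitting all three rules gains 0.5 + 3.0 + 2.0 = 5.5,
# above the score of 5 mentioned in the thread; the word alone adds only 0.5.
# Apply the file with the restart given in the thread: zmamavisdctl restart
```

After the restart, the X-Spam-Status header of a test message lists the rule names that fired, which shows whether the scores need adjusting.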
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Question about SpamAssassin customization

Post by L. Mark Stone »

king0770 wrote:Nobody should be changing the /opt/zimbra/conf/salocal.cf.in file, or any *.in file for that matter.
<snip>

Hi Rick!

I confess I typically do update the /opt/zimbra/conf/amavisd.conf.in file, but understand that any changes I make will be lost whenever I upgrade Zimbra to a new version, or when Zimbra issues a Patch that updates the MTA component.

FWIW, the two changes I make are first to give a large negative pre-score to the sender of the Daily Mail Report, and second to increase the max size of emails scanned from 512Kb to 102Kb.

The first change I make because the Daily Mail Report, which contains the URLs/domains of blocked senders, is otherwise frequently marked as spam.

The second change I make is because spammers pad emails with hidden cruft to exceed the default body scan size.

The two changes are documented thusly:


# ORIGINAL LINE BELOW - CHANGES TO THIS FILE WILL NOT SURVIVE ZIMBRA UPGRADES
# $sa_mail_body_size_limit = 512*1024; # don't waste time on SA if mail is larger
$sa_mail_body_size_limit = 1024*1024; # don't waste time on SA if mail is larger
<some other pieces of amavisd.conf.in>
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
'daily-mail-report-sender@your-domain.com' => -20.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,

Hope that helps!

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
king0770
Outstanding Member
Posts: 242
Joined: Fri Sep 12, 2014 10:44 pm

Re: Question about SpamAssassin customization

Post by king0770 »

Hey Mark!

I can see your rationale for editing amavisd.conf.in. Have you tried whitelisting the daily-mail-report address?

e.g.

zmprov md example.com +amavisWhitelistSender daily-mail-report@example.com
--
Rick King
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Question about SpamAssassin customization

Post by L. Mark Stone »

king0770 wrote:Hey Mark!

I can see your rationale for editing amavisd.conf.in. Have you tried whitelisting the daily-mail-report address?

e.g.

zmprov md example.com +amavisWhitelistSender daily-mail-report@example.com

Hi Rick!

I have not tried that! I did not realize the whitelist sender attribute can be applied to a domain, thanks!

Question though...

If the daily mail report sender and the daily mail report recipients are on different domains, which domain do I modify please?

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate