How do you improve SpamAssassin?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
BharathS
Advanced member
Posts: 52
Joined: Wed Nov 26, 2014 12:42 am

How do you improve SpamAssassin?

Post by BharathS »

Hi All,

Suddenly my domain is facing some spoofing attacks on my users: they are receiving mail from my own domain. I have SPF enabled. I just find it very tedious to find any documentation about Zimbra AntiSpam / SpamAssassin: whether it is working or not, how to set scores, or where its config file is. Please direct me to any SpamAssassin documentation by Zimbra, or should I move to rspamd?

This is what I see in one of the email spoofing headers -

X-Virus-Scanned: amavisd-new at company.com
X-Spam-Flag: NO
X-Spam-Score: 4.454
X-Spam-Level: ****
X-Spam-Status: No, score=4.454 required=6.6 tests=[BAYES_80=2,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, LOCALPART_IN_SUBJECT=1.107,
RCVD_IN_BL_SPAMCOP_NET=1.347, SPF_PASS=-0.001]
autolearn=no autolearn_force=no

I doubt SpamAssassin is even doing an SPF check.

Help Appreciated!
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: How do you improve SpamAssassin?

Post by pup_seba »

Hi,

"please direct me with any spam assassin documentation by Zimbra "
- https://wiki.zimbra.com/wiki/Improving_Anti-spam_system (outdated but maybe still valid for your zimbra version).
- https://wiki.zimbra.com/wiki/Anti-spam_Strategies

"I doubt if the spamassassin is even doing a SPF check."
It seems it is doing the SPF check, and that specific mail is passing the check, thus making it look valid, although the score is low, only "SPF_PASS=-0.001". The reason for that mail to pass the SPF check is most likely that the spam is being sent by your own server on behalf of a non-authenticated user (someone using a fake/valid email address from your own domain, sending to your domain).

For that kind of phishing, you need to read and understand these 2 articles, although again, your Zimbra version (which you did not provide as context for this post) is very relevant to how to achieve these things.
- https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
- https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above

Pyzor and Razor are good, but in my experience what works best is the Bayes in Zimbra, although I usually need to tweak its scores. As you may read in one of the previous articles, the best way to do it is by creating your /opt/zimbra/data/spamassassin/localrules/sauser.cf (I'm writing this from memory so double-check it), and just writing your own scores in there. Also, if you need/want to write your own SpamAssassin rules, there is a book from O'Reilly which is really nice, although not really necessary for normal stuff (I read it, but I manage with the Zimbra KBs).

Also, don't make the mistake of implementing all measures at once; go step by step, day by day. Also understand that there are a lot of "SpamAssassin rules" you can download from git repositories, but they are very CPU demanding, and again, you will be able to identify most of your spam with few false positives just by adjusting your scores and implementing those 2 KB articles about "from addresses".

good luck,
BharathS
Advanced member
Posts: 52
Joined: Wed Nov 26, 2014 12:42 am

Re: How do you improve SpamAssassin?

Post by BharathS »

Thanks!,

For now I have tweaked the tag score to 4, hoping this will move the spoofing mails and spam to the junk folder.

Otherwise, what is the recommended kill and tag score? This is currently in my amavisd.conf after tweaking the tag2 level:

$sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 14.0; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 14.0; # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 14.0; # likewise, but for a likely valid From
$sa_quarantine_cutoff_level = 14.0; # spam level beyond which quarantine is off
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: How do you improve SpamAssassin?

Post by pup_seba »

Hi,

It depends. While tuning your antispam, you'll find that it is a process that takes time. During that time, it is important to understand which filters are being applied to your spam and which adjustments you need to make to them in order to minimize false positives while marking as much spam as possible. Having said this, during tuning time, I think avoiding the "kill" percentage is the best option. I would also configure "autolearn" to disabled, so the Bayes filter won't autolearn from spam mails with a low score (most commercial email nowadays will have a proper DMARC configured).

So...my advice would be:
- move away from editing amavisd.conf directly. If what you need is modifying mark and kill %, use the adminUI or zmprov.
- disable autolearn (until you consider it safe to activate it again). You can do this by adding this line to your sauser.cf
bayes_auto_learn 0
- disable kill % all together. You can use zmprov like this to achieve that.
zmprov mcf zimbraAmavisFinalSpamDestiny D_PASS
- do daily reviews of your ham and spam accounts to see what your users are marking as spam or ham, and adjust spam scores accordingly. By the way, by adjusting spam scores I'm talking about changing what each filter charges the email if it is a hit, and not the % for marking a mail as spam. For instance, in your example, you have this header:
X-Spam-Status: No, score=4.454 required=6.6 tests=[BAYES_80=2,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, LOCALPART_IN_SUBJECT=1.107,
RCVD_IN_BL_SPAMCOP_NET=1.347, SPF_PASS=-0.001]

I would suggest you change your BAYES_80 from 2 to 4. You can achieve this by (again) editing your sauser.cf file, adding this line to it:
score BAYES_80 4.000

Also, HEADER_FROM_DIFFERENT_DOMAINS=0.001 is mostly triggered by spammers, so 0.001 is quite low IMHO. So maybe you could also add this to your sauser.cf file:
score HEADER_FROM_DIFFERENT_DOMAINS 1

Basically, SpamAssassin is configured around a 20-point score. The % you see is the % of this number, 20. When an email comes to your server, it has a score of 0 points. All the filters like HEADER_FROM_DIFFERENT_DOMAINS and all the BAYES_xx will add n points to that email if the filter is triggered (each triggered filter is what you see in that header). Some filters add negative points (like SPF_PASS=-0.001, which means that if the email passes this filter, it removes points from it so it has less chance of being marked as spam; this is good). When the score reaches that %, it will mark the mail as spam (or not) and act accordingly. Tuning your spam filter is basically modifying those scores and maybe adding some rules to your filter, but again, Bayes will do most of the heavy lifting for you, although it takes time to be trained.

Just as an example, this is an extract from one of my customers (the file is actually quite a bit bigger). But be aware that this file is different for each customer, as each Zimbra needs special care when it comes to spam, and this conf, although it is working great with one Zimbra, may not work well for you.

# pyzor
use_pyzor 0
pyzor_path /usr/bin/pyzor
pyzor_timeout 10
pyzor_options --homedir /opt/zimbra/data/amavisd/.pyzor
score PYZOR_CHECK 3.250

# razor
use_razor2 0
score RAZOR2_CHECK 3.250

# settings
bayes_auto_learn 0

# scores sorted alphabetically
score ALL_TRUSTED -4.000
score BAD_ENC_HEADER 0.400
score BAYES_00 0.400
score BAYES_05 1.100
score BAYES_20 1.500
score BAYES_40 1.500
score BAYES_50 2.000
score BAYES_60 3.500
score BAYES_80 4.000
score BAYES_90 5.000
score BAYES_95 5.000
score BAYES_99 5.000
score BAYES_999 5.000
score DATE_IN_PAST_12_24 2.000
score DNS_FROM_AHBL_RHSBL 0
score FORGED_OUTLOOK_HTML 1.500
score HEADER_FROM_DIFFERENT_DOMAINS 2.000
score HTML_FONT_LOW_CONTRAST 2.000
score HTML_IMAGE_RATIO_02 2.000
score HTML_IMAGE_RATIO_04 1.700
score HTML_IMAGE_RATIO_06 1.400
score HTML_IMAGE_RATIO_08 0.500
score HTML_MESSAGE 0.400
score HTML_MIME_NO_HTML_TAG 1.000
score LOTS_OF_MONEY 2.000
score MIME_HTML_ONLY 2.000
score RCVD_IN_BRBL_LASTEXT 3.500
score RCVD_IN_PBL 0.905
score RCVD_IN_RP_CERTIFIED -2.500
score RCVD_IN_RP_SAFE -1.500
score RDNS_NONE 0.000
score REMOTE_IMAGE 2.500
score RP_MATCHES_RCVD -0.000
score SPAMCOP_BL 3.500
score SPF_FAIL 3.000
score SPF_HELO_FAIL 3.000
score SPF_PASS -0.900
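Added example (not part of the thread, and not Zimbra or SpamAssassin code): a small Python script that re-scores the X-Spam-Status header quoted above under a sauser.cf-style override file, to show how the per-rule score changes proposed in the reply (BAYES_80 to 4, HEADER_FROM_DIFFERENT_DOMAINS to 1) move that message across the tag threshold, and how Zimbra's tag/kill percentages map onto the 20-point scale the reply describes. The header text, the sauser.cf fragment, the 20-point scale, and the kill level of 14.0 (taken from the amavisd.conf excerpt earlier in the thread) are constructed assumptions for the demonstration.

```python
"""Re-score a SpamAssassin X-Spam-Status header under sauser.cf score overrides.

Hypothetical helper written for this thread; the header and the sauser.cf
fragment below are constructed from the quoted post, not read from a live box.
"""
import re

# Constructed sample: the folded X-Spam-Status header quoted in the thread.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=4.454 required=6.6 tests=[BAYES_80=2,\n"
    "\tHEADER_FROM_DIFFERENT_DOMAINS=0.001, LOCALPART_IN_SUBJECT=1.107,\n"
    "\tRCVD_IN_BL_SPAMCOP_NET=1.347, SPF_PASS=-0.001]\n"
    "\tautolearn=no autolearn_force=no\n"
)

# Constructed sauser.cf fragment carrying the two overrides proposed in the reply.
SAMPLE_SAUSER_CF = """
# local overrides (assumed path: /opt/zimbra/data/spamassassin/localrules/sauser.cf)
bayes_auto_learn 0
score BAYES_80 4.000
score HEADER_FROM_DIFFERENT_DOMAINS 1
"""

# Assumption from the reply: Zimbra's tag/kill "percent" is a fraction of 20 points.
ZIMBRA_SCALE = 20.0


def parse_spam_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]*", " ", header)  # unfold continuation lines
    m = re.search(
        r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=\[([^\]]*)\]", flat
    )
    if m is None:
        raise ValueError("not an amavisd-new X-Spam-Status header")
    tests = {}
    for item in m.group(3).split(","):
        name, sep, points = item.strip().partition("=")
        if sep:  # skip empty entries such as a trailing comma
            tests[name] = float(points)
    return float(m.group(1)), float(m.group(2)), tests


def parse_score_overrides(text):
    """Collect 'score RULE value' lines from sauser.cf-style text.

    SpamAssassin also accepts a four-value form; the last column is the one used
    when Bayes and network tests are both enabled, which is the usual amavisd case.
    Other directives (bayes_auto_learn, use_pyzor, ...) are ignored here.
    """
    overrides = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            overrides[parts[1]] = float(parts[-1])
    return overrides


def rescore(tests, overrides):
    """Total the rules that hit, substituting any overridden scores."""
    return round(sum(overrides.get(rule, pts) for rule, pts in tests.items()), 3)


def zimbra_percent_to_score(percent):
    """Zimbra tag/kill percent -> SpamAssassin points (e.g. 33% -> 6.6)."""
    return round(percent / 100.0 * ZIMBRA_SCALE, 3)


def score_to_zimbra_percent(score):
    """SpamAssassin points -> Zimbra tag/kill percent (e.g. 4.0 -> 20%)."""
    return round(score / ZIMBRA_SCALE * 100.0, 1)


def classify(score, tag2_level, kill_level):
    """Mirror amavisd's thresholds: tag2 adds the spam headers, kill blocks."""
    if score >= kill_level:
        return "killed"
    if score >= tag2_level:
        return "tagged"
    return "clean"


def main():
    score, required, tests = parse_spam_status(SAMPLE_HEADER)
    overrides = parse_score_overrides(SAMPLE_SAUSER_CF)
    new_score = rescore(tests, overrides)
    print(f"header score {score} (rules sum to {rescore(tests, {})}), required {required}")
    print(f"required={required} is a Zimbra tag percent of {score_to_zimbra_percent(required)}%")
    print(f"after overrides: {new_score} -> {classify(new_score, required, 14.0)}")


if __name__ == "__main__":
    main()
```

Running it shows the quoted message summing to 4.454 (below the 6.6 tag2 level, i.e. 33% of 20), and the same hits re-totalling to 7.453 once BAYES_80 and HEADER_FROM_DIFFERENT_DOMAINS carry the proposed scores, which is over the tag line but well under a kill level of 14.0. Feeding your own headers and sauser.cf through it before restarting amavisd is a cheap way to see which mails a score change would flip.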