
Thread: [SOLVED] Spam Backscatter

  1. #1

    [SOLVED] Spam Backscatter

    Looking in /opt/zimbra/conf/spamassassin/ I see 20_vbounce.cf, along with many more, which appears to check for backscatter due to forged "From" and "ReplyTo" values. Two questions:
    1) How do I confirm that it is being used?
    2) If it's not being used, how can I trigger it to be used?

    I have several users who are getting a "LOT" of this type of spam which I would like to just drop in the bit bucket.

    I have looked at Improving Anti-spam system - Zimbra :: Wiki. Any other suggestions on further reading on configuring spamassassin within Zimbra?

    Thanks
    Last edited by jrefl5; 04-21-2008 at 10:07 AM. Reason: moved to solved and spelling change

  2. #2
    phoenix is offline Zimbra Consultant & Moderator

    Details here: VBounceRuleset - Spamassassin Wiki. Effectively you need to add the following to your local.cf file:

    Code:
    whitelist_bounce_relays myrelay.mydomain.net
    Obviously put your own server name in there; this won't survive any upgrade and you'll have to redo the change.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    phoenix is offline Zimbra Consultant & Moderator

    Sorry, I forgot some additional information from here: taint.org: Justin Mason's Weblog » Dealing with backscatter, revisited
    Regards


    Bill



  4. #4

    Thks

    Bill,
    Thanks, I'll try it out shortly. It looks like 1 or more spammers are rotating through some of my users' e-mail addresses that have been on a public website for several years.

    Question: does local.cf imply /opt/zimbra/conf/salocal.cf.in, or is it in another location?

    James
    Last edited by jrefl5; 04-17-2008 at 08:27 AM.

  5. #5

    Quote: Originally posted by phoenix:
    > Sorry, I forgot some additional information from here: taint.org: Justin Mason's Weblog » Dealing with backscatter, revisited

    Hi Bill,

    From the taint website it looks like I could just add:

    /^Content-Type: multipart\/report; report-type=delivery-status\;/ REJECT no third-party DSNs
    /^Content-Type: message\/delivery-status; / REJECT no third-party DSNs

    to /opt/zimbra/conf/postfix_header_checks.in and get most of the benefits.

    But that's not the syntax for the other lines in postfix_header_checks.in so I am asking if doing so is OK?

    Thanks,
    Mark

  6. #6

    Updating

    I'll let you know soon.
    I needed to get the correct location of the local.cf (/opt/zimbra/conf/spamassassin/local.cf) file to test.

    I'm about to head to the server to make the changes.

    >>Update<<

    Changes completed: updated postfix_header_check.in and local.cf
    >zmcontrol stop start
    Server back up and running; a few test messages inbound and outbound seem OK.
    We'll see how the backscatter cleans up.
    Thanks, Bill

    James
    Last edited by jrefl5; 04-17-2008 at 02:38 PM. Reason: Update

  7. #7
    phoenix is offline Zimbra Consultant & Moderator

    Mark

    Adding those lines into the conf.in should just add them in the same format to the updated conf file. Let us know how you both get on with this.
    Regards


    Bill



  8. #8

    Solved?

    Looks like that did the trick.

    Bill,
    Do you know of a way to reject based on the charset of the e-mail?
    None of the people I support currently read any languages that are in Cyrillic, and there is a fair volume of spam that contains the following:
    ------=_NextPart_000_0002_01C8A152.056221DB
    Content-Type: text/plain;
    charset="koi8-r"
    Content-Transfer-Encoding: quoted-printable

    Thanks
    James

  9. #9
    phoenix is offline Zimbra Consultant & Moderator

    It's not something I've used as I don't get much foreign language spam but you should be able to list the accepted languages with the following added to the /opt/zimbra/conf/spamassassin/v310.pre file:

    Code:
    # Mail using languages used in these country codes will not be marked
    # as being possibly spam in a foreign language.
    # - english french 
    ok_languages            en fr 
    
    # Mail using locales used in these country codes will not be marked
    # as being possibly spam in a foreign language.
    ok_locales              en
    Be careful if you use the body test for language as it will slow down spamassassin. There's a handy little generator for the list of languages at the bottom of this page: SpamAssassin Configuration Generator
    Regards


    Bill



  10. #10

    Bill
    Thanks. I'll look into those. I did stumble upon a possible test to put in postfix_header_check.in
    /^SUBJECT:.*koi8-r/ DISCARD No Crylic users on site
    as the string appears in the SUBJECT headers on many of them.


    I'll be testing it later today.

    James
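
Added example (not from any poster in this thread): a small Python emulation that runs the three header_checks rules quoted in posts #5 and #10 over constructed sample headers, to show which messages each rule would act on before it goes live. It assumes Postfix's regexp/pcre table defaults (case-insensitive, first matching rule wins, folded headers matched as one string with the newline kept); the sample headers and addresses are constructed.

```python
import re

# Rules quoted in posts #5 and #10, in file order: (pattern, action).
RULES = [
    (r"^Content-Type: multipart\/report; report-type=delivery-status\;",
     "REJECT no third-party DSNs"),
    (r"^Content-Type: message\/delivery-status; ", "REJECT no third-party DSNs"),
    (r"^SUBJECT:.*koi8-r", "DISCARD No Crylic users on site"),
]
# Assumed table defaults: case-insensitive, "." also matches newline.
COMPILED = [(re.compile(p, re.I | re.S), a) for p, a in RULES]

def logical_headers(raw):
    """Join folded continuation lines onto their header, keeping the newline."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        elif line:
            headers.append(line)
    return headers

def first_action(raw):
    """Action of the first rule that matches any logical header, else None."""
    for header in logical_headers(raw):
        for rx, action in COMPILED:
            if rx.search(header):
                return action
    return None

# Constructed sample header blocks (not taken from real mail).
SAMPLES = {
    "dsn_one_line": 'From: MAILER-DAEMON@example.net\n'
                    'Content-Type: multipart/report; report-type=delivery-status;\n'
                    '\tboundary="B1"\n',
    "dsn_folded": 'From: MAILER-DAEMON@example.net\n'
                  'Content-Type: multipart/report;\n'
                  '\treport-type=delivery-status; boundary="B2"\n',
    "koi8_subject": 'Subject: =?koi8-r?B?8NLJ18XU?=\n'
                    'Content-Type: text/plain; charset="koi8-r"\n',
    "koi8_body_only": 'Subject: hello\n'
                      'Content-Type: text/plain; charset="koi8-r"\n',
}

def run_samples():
    return {name: first_action(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:15} -> {action or 'no match'}")
```

The folded DSN passes because the first pattern expects a single space after `multipart/report;`, and the Subject rule fires only when the charset name appears in the Subject header itself. The two DSN rules look only at Content-Type, so they act on every delivery-status report that reaches them, whatever its origin.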
