
Thread: receiving spam mails

  1. #1
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Post receiving spam mails

    I have installed ZCS 4.5.10 on Linux RHEL5 64-bit.

    One of the users at our end is getting spam mails.

    From: abran lisa [mailto:cpeng@elitemt.com.tw]
    Sent: Tuesday, July 15, 2008 5:50 PM
    To: priya@rebi.in
    Subject: thanks!

    The sample file you sent contains a new virus version of mydoom.j.


    Regards,
    chandu

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    What are you actually asking for help about ?

  3. #3
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Post

    What to check now, and where to check?

    I have kept the settings: Kill percentage 75,
    Tag percentage 33.

    Definition update frequency 2 hrs




    Regards,
    chandu

  4. #4
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    To understand why this particular spam is getting through, we'll need more information. Post a copy of the complete headers of the offending message. You can find these either in the web client by right-clicking on the message and choosing "Show Original" or in an IMAP client by using the "View Source" option (Thunderbird) or the "Properties" (OE).

    You'll probably want to obfuscate the domain and/or IP addresses in your headers, but we specifically want to see what labels and scores the SpamAssassin put on your email.
    Cheers,

    Dan

  5. #5
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    I really should have added -- the wiki has a ton of information on making adjustments/tweaks/customizations to your spam filters. Take a look!

    Improving Anti-spam system - Zimbra :: Wiki
    Cheers,

    Dan

  6. #6
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Post header of the spam mail

    Received: from localhost (localhost.localdomain [127.0.0.1])
    by rebi.in (Postfix) with ESMTP id 73B96B7FDF
    for <ceo@rebi.in>; Sun, 3 Aug 2008 21:58:48 +0530 (IST)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: NO
    X-Spam-Score: 3.601
    X-Spam-Level: ***
    X-Spam-Status: No, score=3.601 tagged_above=-10 required=5
    tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
    Received: from rebi.in ([127.0.0.1])
    by localhost (rebi.in [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 8V6ghdI1XGRu for <ceo@rebi.in>;
    Sun, 3 Aug 2008 21:58:47 +0530 (IST)
    Received: from p6026-ipbfp204tokusinwcc.tokushima.ocn.ne.jp (unknown [10.10.8.250])
    by rebi.in (Postfix) with ESMTP id F14E3B7FDD
    for <ceo@rebi.in>; Sun, 3 Aug 2008 21:58:15 +0530 (IST)
    Message-ID: <000601c8f586$034581a7$a85c499d@crwcd>
    From: "fabiano wei-ning" <sabeever@baltagroup.com>
    To: <ceo@rebi.in>
    Subject: New dvd Avril Lavigne
    Date: Sun, 03 Aug 2008 14:41:32 +0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0003_01C8F586.0344665F"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2720.3000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0003_01C8F586.0344665F
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    #YyPUZaNicole Kidman Shocking video without cowards.

    #bSvKLQThe presentation is Interesting!

    #yPUZaA
    Download it now >>>=20

    ------=_NextPart_000_0003_01C8F586.0344665F
    Content-Type: text/html;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Diso-8859-1">
    <META content=3D"MSHTML 6.00.2720.3000" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV style=3D"text-align:center; padding:24px; width:100%; height:90%; =
    background: #FFE1E1; font-weight:bold;">
    <STYLE>
    #YyPUZa
    </STYLE>
    <DIV id=3D"AFLTpM">
    Nicole Kidman Shocking video without cowards.<BR>
    </DIV>
    <STYLE>
    #bSvKLQ
    </STYLE>
    <DIV id=3D"kaACwd">
    The presentation is Interesting!<BR>
    </DIV>
    <STYLE>
    #yPUZaA
    </STYLE>
    <DIV class=3D"FLTpMX">
    <B><A href=3D"http://igssur.com/index1.php">Download it now >>></A> </B>
    </DIV>
    </DIV></BODY></HTML>
    ------=_NextPart_000_0003_01C8F586.0344665F--

  7. #7
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    OK this gives us some insight. The spam you're getting is not getting flagged by any major filters, which makes me think you may not have them turned on. I would suggest you consider turning on some of the RBLs (see the Zimbra documentation on how to do this) to add weight to known spam sources.

    You also need to understand how your Bayes filters work. You have a score of BAYES_99 which means that the Bayes filters understand perfectly well that you have classified this kind of message as spam. The problem is, as currently configured (and this is the default), BAYES_99 gives your message only 3.5 points, and you require 5 points for it to be classified as spam. There are two ways to fix this:
    1. Adjust your Bayesian filters to increase the point score for positive spams. I'll give you my own Bayesian score tweaks here, you can use these or decide on your own point scores (put these in /opt/zimbra/conf/spamassassin/local.cf)
      Code:
      score BAYES_00 0.0001 0.0001 -4.312 -4.599
      score BAYES_05 0.0001 0.0001 -3.110 -3.110
      score BAYES_20 0.0001 0.0001 -1.740 -2.740
      score BAYES_40 0.0001 0.0001 -0.185 -0.185
      score BAYES_50 0.0001 0.0001 0.001 0.001
      score BAYES_60 0.0001 0.0001 1.0 1.0
      score BAYES_80 0.0001 0.0001 2.5 2.5
      score BAYES_95 0.0001 0.0001 5.5 5.5
      score BAYES_99 0.0001 0.0001 6.5 6.5
      Be sure and study this wiki for many more options for tweaking your spam filters.
    2. Adjust your tag and kill percentages down. Currently your tag percent must be 25% since your required score is 5 (25% * 20). I have mine set to only 15% which gives me a required=3, and I have virtually no false positives.
    Any such changes require a restart of the Zimbra antispam/antivirus services before they will take effect. I have found it's actually more reliable to stop and restart the whole Zimbra service tree to be sure everything populates correctly.

    And of course, feel free to post back with more questions!
    Cheers,

    Dan
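
Added example (not part of any post in this thread): a Python sketch that re-scores the posted X-Spam-Status header under the two fixes described in the post above. The helper names are hypothetical, the percent-to-score mapping is the one stated in the post (percent of 20), and reading the fourth value of each `score` line (Bayes plus network tests) is an assumption.

```python
import re

# Header copied from the message posted in this thread (continuation joined).
HEADER = ("X-Spam-Status: No, score=3.601 tagged_above=-10 required=5 "
          "tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, RDNS_NONE=0.1]")

# Two of the local.cf lines from the post above.
LOCAL_CF = """\
score BAYES_95 0.0001 0.0001 5.5 5.5
score BAYES_99 0.0001 0.0001 6.5 6.5
"""

def parse_status(header):
    """Return (required, {test: score}) from an X-Spam-Status header."""
    required = float(re.search(r"required=(-?[\d.]+)", header).group(1))
    blob = re.search(r"tests=\[(.*?)\]", header, re.S).group(1)
    tests = {}
    for item in blob.split(","):
        name, _, value = item.strip().partition("=")
        tests[name] = float(value)
    return required, tests

def parse_overrides(local_cf, score_set=3):
    """Read 'score NAME v0 v1 v2 v3' lines; score_set picks the column (assumed 3)."""
    overrides = {}
    for line in local_cf.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "score":
            overrides[parts[1]] = float(parts[2 + score_set])
    return overrides

def required_from_percent(percent):
    """Mapping stated in the thread: required score = percent of 20."""
    return percent * 20 / 100

def verdict(tests, required, overrides=None):
    """Return (total, is_spam); a message is spam when total >= required."""
    overrides = overrides or {}
    total = sum(overrides.get(name, score) for name, score in tests.items())
    return round(total, 3), total >= required

if __name__ == "__main__":
    required, tests = parse_status(HEADER)
    print("as delivered:     ", verdict(tests, required))
    print("tweaked Bayes:    ", verdict(tests, required, parse_overrides(LOCAL_CF)))
    print("tag percent of 15:", verdict(tests, required_from_percent(15)))
```

Either change alone moves this particular message over the threshold; the other two tests that fired contribute only 0.101 points between them.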

  8. #8
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Post

    I had already configured these settings.

    When I give the command,

    zmprov gacf | grep zimbraMtaRestriction

    it gives,

    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
    zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org

    Is something wrong with that?

  9. #9
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    Quote: Originally posted by chandu
    I had already configured these settings.

    When I give the command,

    zmprov gacf | grep zimbraMtaRestriction

    it gives,

    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
    zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org

    Is something wrong with that?

    No, nothing is wrong with this, it's just irrelevant for the spam you posted. Apparently the sender of that particular spam is not in any of the Realtime Blacklists (RBLs), and therefore there is no RBL score in the anti-spam header of your message.

    The RBLs have nothing to do with your Bayesian filter, which DID classify the message as spam with the highest possible score (BAYES_99), it's just that due to your current settings a 100% hit on your Bayesian filter is not enough, in and of itself, to get the message tagged as junk. To do this, as I said in my last post, you've got to either increase the scores for your Bayesian filters, decrease the tag and kill percentages for overall spam classification, or preferably both.

    Spam filtering is not an exact science, but the one thing you can be absolutely certain of is that no single approach will do the job by itself. IMHO RBLs are a necessary part of the equation, but alone they are not sufficient.
    Cheers,

    Dan

  10. #10
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Post

    Thanks for clarification, Dan

    I have changed my antispam settings as follows:

    Kill percentage 66
    Tag percentage 15

    Is it OK, or does it need to change?
