Thread: Weird behaviors and LOTS of spam.

  1. #1
    zwvpadmin Guest

    Weird behaviors and LOTS of spam.

    I'm currently running Ubuntu 8.04 server LTS with 5.0.11 FOSS. Prior to the upgrade from 6.06 LTS w/5.0.8 I had Razor/Pyzor/Rules De Jour fully updated and running smooth. Spam was not much of a problem (about 90:1) and things were mostly ok.

    But after the upgrade things slowly started to get wacky. Most recently my Zimbra logger service randomly stops/starts. Nothing standing out in the logs. Also, Rules De Jour is no longer updating because SARE is on hiatus. Spam is now out of control. WAY above what I would expect from just lack of updated SARE rules.

    In addition to Razor/Pyzor/RDJ, I've also enabled SPF and installed DCC. However spam now is worse than it ever was.

    Also, randomly (not as frequently as the logger), the anti-spam service is stop/starting. Again, nothing much standing out in the logs.

    I'd also like to note that many people are receiving spam that appears to be from themselves. This is problematic as I assume flagging these messages as junk will cause the system to filter their own emails to themselves which is a necessary function here.

    Running "cat zimbra.log | grep error" yields:


    Jan 2 09:06:13 mail saslauthd[8993]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="80665"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_268f4f25e8d 901e88e85790eb63206880b789c44_69643d33363a64656230 303737362d353935642d343138392d626332662d3831663435 613535313362653b6578703d31333a31323331303737393733 3234363b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>steel</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Jan 2 09:14:08 mail postfix/smtpd[28400]: warning: 209.249.100.41: address not listed for hostname web41.GroundTerrorize.com
    Jan 2 09:14:08 mail postfix/cleanup[29786]: 5C59AD84196: message-id=<AJfbjdjhcmdabJA@GroundTerrorize.com>
    Jan 2 09:14:08 mail postfix/qmgr[8988]: 5C59AD84196: from=<3ff.4.66753628-5193972@GroundTerrorize.com>, size=7616, nrcpt=1 (queue active)
    Jan 2 09:14:08 mail amavis[29513]: (29513-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090102T091408-29513: <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com> SIZE=7616 Received: from mail.vpsupply.com ([127.0.0.1]) by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <psweet@mail.vpsupply.com>; Fri, 2 Jan 2009 09:14:08 -0500 (EST)
    Jan 2 09:14:08 mail amavis[29513]: (29513-01) Checking: 3vJfsdIPCiHE [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>
    Jan 2 09:14:12 mail amavis[29513]: (29513-01) Blocked SPAM, [209.249.100.41] [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>, Message-ID: <AJfbjdjhcmdabJA@GroundTerrorize.com>, mail_id: 3vJfsdIPCiHE, Hits: 17.192, size: 7616, 4101 ms
    Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary
    And the same for /var/log/messages:

    Jan 2 09:14:08 mail amavis[29513]: (29513-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090102T091408-29513: <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com> SIZE=7616 Received: from mail.vpsupply.com ([127.0.0.1]) by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <psweet@mail.vpsupply.com>; Fri, 2 Jan 2009 09:14:08 -0500 (EST)
    Jan 2 09:14:08 mail amavis[29513]: (29513-01) Checking: 3vJfsdIPCiHE [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>
    Jan 2 09:14:12 mail amavis[29513]: (29513-01) Blocked SPAM, [209.249.100.41] [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>, Message-ID: <AJfbjdjhcmdabJA@GroundTerrorize.com>, mail_id: 3vJfsdIPCiHE, Hits: 17.192, size: 7616, 4101 ms
    Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary
    here is my /opt/zimbra/conf/salocal.cf.in

    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    ###########################################################################
    #
    # rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock

    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5

    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5

    %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
    %%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%

    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

    whitelist_from *@vpsupply.com
    blacklist_from software_innovations4@konditions.com
    blacklist_from noreply@jumpjkf.net
    blacklist_from wantads@rochesterclassifiedsonline.biz
    blacklist_from noreply@jumpergigi.com
    blacklist_from updates@oldnavy.delivery.net
    blacklist_from CA@crp.ml00.net
    blacklist_from specials@123greetings.biz
    blacklist_from Getpaidtowrite@apexwletter.com
    blacklist_from reply@SRI-BISHOP.NET
    blacklist_from OnlineBusiness@apexwizzard.com
    blacklist_from AlarmCompanies.com@snowingtoday.com
    blacklist_from email_bounce_handler@bounce.convio.net
    blacklist_from health@realage-mail.com
    blacklist_from news@apexwletter.com

    body LOCAL_SIZE /size/i
    score LOCAL_SIZE 0.5
    header LOCAL_LOCALHOST reply-to =~ /@localhost/
    score LOCAL_LOCALHOST 1
    header LOCAL_DIP1OMA /dip1oma/i
    score LOCAL_DIP1OMA 1
    header LOCAL_FREE /free/i
    score LOCAL_FREE 1
    and /opt/zimbra/conf/spamassassin/local.cf:

    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    # Only a small subset of options are listed below
    #
    ###########################################################################

    # Add *****SPAM***** to the Subject header of spam e-mails
    #
    # rewrite_header Subject *****SPAM*****


    # Save spam messages as a message/rfc822 MIME attachment instead of
    # modifying the original message (0: off, 2: use text/plain instead)
    #
    # report_safe 1


    # Set which networks or hosts are considered 'trusted' by your mail
    # server (i.e. not spammers)
    #
    # trusted_networks 212.17.35.


    # Set file-locking method (flock is not safe over NFS, but is faster)
    #
    lock_method flock


    # Set the threshold at which a message is considered spam (default: 5.0)
    #
    required_score 4.7


    # Use Bayesian classifier (default: 1)
    #
    use_bayes 1


    # Bayesian classifier auto-learning (default: 1)
    #
    bayes_auto_learn 1


    # Set headers which may provide inappropriate cues to the Bayesian
    # classifier
    #
    bayes_ignore_header X-Bogosity
    bayes_ignore_header X-Spam-Flag
    bayes_ignore_header X-Spam-Status

    ok_languages en
    ok_locales en
    skip_rbl_checks 0
    use_razor2 1
    use_pyzor 1
    dns_available yes
    trusted_networks 127. 192.168.

    score RAZOR2_CHECK 2.400
    score PYZOR_CHECK 2.400
    score BAYES_99 4.200
    score BAYES_90 3.400
    score BAYES_80 2.900

    bayes_ignore_header Received: from mail3.vectorsf.com
    bayes_ignore_header Received: from localhost
    bayes_ignore_header Received: from mail1.vectorsf.com
    bayes_ignore_header Received: from mail2.vectorsf.com

    dcc_path /usr/local/bin/dccproc
    dcc_body_max 999999
    dcc_timeout 10
    dcc_fuz1_max 999999
    dcc_fuz2_max 999999
    We are reaching critical mass. People are receiving so many spam messages that it's becoming difficult for them to find real emails buried within them.

    Hopefully someone can help?
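
A lint pass over the custom rules in the salocal.cf.in posted above, as an added example that is not part of the thread or of Zimbra. It flags `whitelist_from` globs that cover a domain the server itself hosts (SpamAssassin matches these against sender-supplied addresses, so forged mail claiming that domain is whitelisted too) and `header` rules that name no header to test. `lint` and `local_domains` are hypothetical names, and treating vpsupply.com as a hosted domain is an assumption.

```python
import fnmatch
import re

# Constructed excerpt: rule lines copied from the salocal.cf.in in the post above.
SAMPLE_CF = """\
whitelist_from *@vpsupply.com
blacklist_from noreply@jumpjkf.net
header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
body LOCAL_SIZE /size/i
header LOCAL_LOCALHOST reply-to =~ /@localhost/
header LOCAL_DIP1OMA /dip1oma/i
header LOCAL_FREE /free/i
"""

# Valid forms: "header NAME Hdr =~ /re/", "header NAME Hdr !~ /re/",
# "header NAME exists:Hdr", "header NAME eval:func()".
HEADER_RULE = re.compile(
    r"^header\s+\S+\s+(?:\S+\s+[=!]~\s+\S|exists:\S|eval:\S)")


def lint(cf_text, local_domains):
    """Return (line_no, code, detail) for risky or malformed local rules.

    local_domains: domains this server accepts mail for (an assumption the
    caller supplies; it is not read from the config).
    """
    findings = []
    for n, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "whitelist_from":
            for pat in fields[1:]:
                # Compare only the domain part of the glob with each local domain.
                dom_glob = pat.rsplit("@", 1)[-1].lower()
                if any(fnmatch.fnmatchcase(d.lower(), dom_glob)
                       for d in local_domains):
                    findings.append((n, "SELF_WHITELIST", pat))
        elif fields[0] == "header" and not HEADER_RULE.match(line):
            findings.append((n, "HEADER_RULE_NO_HEADER", line))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CF, ["vpsupply.com"]):
        print(finding)
```

SpamAssassin's `whitelist_from_rcvd` directive additionally requires the relaying host's reverse DNS to match, which a plain `whitelist_from` entry does not.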

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    What is the output of
    Code:
    su - zimbra
    zmprov gacf | grep -i mtarestriction

  3. #3
    zwvpadmin Guest

    reply

    zimbra@mail:~/conf/spamassassin$ zmprov gacf| grep -i mtarestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender

  4. #4
    zwvpadmin Guest

    Also

    I also checked the local admin account for any notifications and did see an email sent by the system.

    Return-Path: zimbra@mail.vpsupply.com
    Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
    mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 03:47:32 -0500 (GMT-05:00)
    Received: from localhost (localhost [127.0.0.1])
    by mail.vpsupply.com (Postfix) with ESMTP id 68975D841A6;
    Tue, 30 Dec 2008 03:47:32 -0500 (EST)
    X-Virus-Scanned: amavisd-new at mail.vpsupply.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.576
    X-Spam-Level:
    X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
    tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
    Received: from mail.vpsupply.com ([127.0.0.1])
    by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id eKFiJI1OWNXm; Tue, 30 Dec 2008 03:46:58 -0500 (EST)
    Received: by mail.vpsupply.com (Postfix, from userid 1001)
    id 0BA04D841A0; Tue, 30 Dec 2008 03:46:57 -0500 (EST)
    To: admin@mail.vpsupply.com
    From: admin@mail.vpsupply.com
    Subject: Service logger stopped on mail.vpsupply.com
    Message-Id: <20081230084658.0BA04D841A0@mail.vpsupply.com>
    Date: Tue, 30 Dec 2008 03:46:57 -0500 (EST)

    Dec 30 03:46:57 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from running to stopped
    and

    Return-Path: zimbra@mail.vpsupply.com
    Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
    mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 03:48:07 -0500 (GMT-05:00)
    Received: from localhost (localhost [127.0.0.1])
    by mail.vpsupply.com (Postfix) with ESMTP id AF334D8418D;
    Tue, 30 Dec 2008 03:48:07 -0500 (EST)
    X-Virus-Scanned: amavisd-new at mail.vpsupply.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.576
    X-Spam-Level:
    X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
    tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
    Received: from mail.vpsupply.com ([127.0.0.1])
    by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id uQq9W5aBCKkx; Tue, 30 Dec 2008 03:48:05 -0500 (EST)
    Received: by mail.vpsupply.com (Postfix, from userid 1001)
    id D4D98D84197; Tue, 30 Dec 2008 03:48:05 -0500 (EST)
    To: admin@mail.vpsupply.com
    From: admin@mail.vpsupply.com
    Subject: Service logger started on mail.vpsupply.com
    Message-Id: <20081230084805.D4D98D84197@mail.vpsupply.com>
    Date: Tue, 30 Dec 2008 03:48:05 -0500 (EST)

    Dec 30 03:48:05 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from stopped to running
    for the logger. For the anti spam:

    Return-Path: zimbra@mail.vpsupply.com
    Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
    mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 13:08:40 -0500 (GMT-05:00)
    Received: from localhost (localhost [127.0.0.1])
    by mail.vpsupply.com (Postfix) with ESMTP id 981F4D841D4;
    Tue, 30 Dec 2008 13:08:40 -0500 (EST)
    X-Virus-Scanned: amavisd-new at mail.vpsupply.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.576
    X-Spam-Level:
    X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
    tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
    Received: from mail.vpsupply.com ([127.0.0.1])
    by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id iBMqLPjFdbSA; Tue, 30 Dec 2008 13:08:39 -0500 (EST)
    Received: by mail.vpsupply.com (Postfix, from userid 1001)
    id 84841D841D5; Tue, 30 Dec 2008 13:08:39 -0500 (EST)
    To: admin@mail.vpsupply.com
    From: admin@mail.vpsupply.com
    Subject: Service antispam started on mail.vpsupply.com
    Message-Id: <20081230180839.84841D841D5@mail.vpsupply.com>
    Date: Tue, 30 Dec 2008 13:08:39 -0500 (EST)

    Dec 30 13:08:38 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from stopped to running
    and

    Return-Path: zimbra@mail.vpsupply.com
    Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
    mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 13:14:41 -0500 (GMT-05:00)
    Received: from localhost (localhost [127.0.0.1])
    by mail.vpsupply.com (Postfix) with ESMTP id AB73FD8402C;
    Tue, 30 Dec 2008 13:14:41 -0500 (EST)
    X-Virus-Scanned: amavisd-new at mail.vpsupply.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.576
    X-Spam-Level:
    X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
    tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
    Received: from mail.vpsupply.com ([127.0.0.1])
    by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id swkszOTgOTWI; Tue, 30 Dec 2008 13:14:40 -0500 (EST)
    Received: by mail.vpsupply.com (Postfix, from userid 1001)
    id 0FB52D841A2; Tue, 30 Dec 2008 13:07:31 -0500 (EST)
    To: admin@mail.vpsupply.com
    From: admin@mail.vpsupply.com
    Subject: Service antispam stopped on mail.vpsupply.com
    Message-Id: <20081230180731.0FB52D841A2@mail.vpsupply.com>
    Date: Tue, 30 Dec 2008 13:07:31 -0500 (EST)

    Dec 30 13:07:30 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from running to stopped
    Not sure if that helps any. Thanks!
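
The zimbramon notifications quoted above can be paired into outage windows per service. This is an added example, not part of the thread or of Zimbra: `outages` is a hypothetical helper, and the year is passed in because syslog timestamps omit it (2008 is taken from the mail headers in the post).

```python
import re
from datetime import datetime

# Sample input: the four zimbramon lines from the post above, in the order
# they were posted (antispam "started" appears before "stopped"), plus one
# unrelated amavis line from the first post.
SAMPLE_LOG = """\
Dec 30 03:46:57 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from running to stopped
Dec 30 03:48:05 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from stopped to running
Dec 30 13:08:38 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from stopped to running
Dec 30 13:07:30 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from running to stopped
Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary
"""

EVENT = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ zimbramon\[\d+\]: .*"
    r"Service status change: (\S+) (\S+) changed from (\w+) to (\w+)")


def outages(log_text, year):
    """Return (service, stopped_at, started_at, seconds_down) tuples.

    A stop with no later start is reported with started_at and
    seconds_down set to None.
    """
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts, host, svc, _old, new = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            events.append((when, host, svc, new))
    events.sort()  # posts and greps do not guarantee chronological order

    pending, result = {}, []
    for when, host, svc, new in events:
        key = (host, svc)
        if new == "stopped":
            pending.setdefault(key, when)  # keep the earliest unmatched stop
        elif new == "running" and key in pending:
            down = pending.pop(key)
            secs = int((when - down).total_seconds())
            result.append((svc, down, when, secs))
    result.extend((svc, down, None, None)
                  for (_host, svc), down in pending.items())
    return result


if __name__ == "__main__":
    for svc, down, up, secs in outages(SAMPLE_LOG, 2008):
        print(f"{svc}: down {down} up {up} ({secs}s)")
```

On the quoted lines, both the logger and the antispam window come out at 68 seconds.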

  5. #5
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Okay, here is mine
    Code:
    [zimbra@office ~]$ zmprov gacf | grep -i mtarestriction
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    For the Barracuda one you would need to sign up to Barracuda Central, and then to implement the RBLs use
    Code:
    su - zimbra
    zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
    From your post you may have already read Improving Anti-Spam system :: Wiki? Also search the forums for BackScatter.

  6. #6
    zwvpadmin Guest

    thanks

    I've added those conditions, hopefully there will be an improvement.

    I'm still very concerned with the random stopping/starting of the logger and anti-spam services. Any ideas on what's causing that? It only recently started happening and I've seen several other posts of similar issues but none that match exactly.

    I'm worried that the system is not completely stable - if it were there would not be any errors. Ideas?

  7. #7
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Please update your member profile with
    Code:
    su - zimbra
    zmcontrol -v
    If on 5.0.11 there is a patch for zmlogger.

  8. #8
    zwvpadmin Guest

    5.0.11

    I put version info in OP. It is 5.0.11, but here:

    Release 5.0.11_GA_2695.UBUNTU8 UBUNTU8 FOSS edition
    Where would I find the patch? And would the logger be related to the anti-spam service?
