Thread: [SOLVED] Dropping OutBound SPAM

  1. #1 (Join Date: Oct 2008, Posts: 17, Rep Power: 7)

    [SOLVED] Dropping OutBound SPAM

    We are providing a free email service to the public. We use separate servers for the inbound MTA and the outbound MTA. The problem we are having relates to the outbound MTA.

    Unfortunately we have problems stopping users creating SPAM accounts and then, obviously, spamming.

    We have been able to stop the spammers (not 100%) by using Postfix header_checks to match patterns on known spam subjects or from addresses and then reject the messages which match. This is not the best option as it is a manual change. What I wish to do is match the SpamAssassin X-Spam headers to check if it is spam and then use the header_checks to reject these emails if they are tagged as SPAM.

    The problem I'm having is that although I can match From, To, Subject headers etc., I am not able to match X-Spam headers with header_checks. It feels like the X-Spam headers are added after header_checks has been parsed.

    If anyone has ideas why the X-Spam headers are not being matched, or any pointers to other ways outbound SPAM is captured (other than policyd), please let me know.

  2. #2 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    You could always set up a smarthost so your ZCS would relay through that. You would get all the headers then to match against. It would also be useful to look at SaneSecurity signatures for use with ClamAV. They are fairly easy to set up for use in either a smarthost or ZCS.

  3. #3 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    Looking at the message flow you should be able to match the headers okay. I believe it goes Postfix -> AmavisD -> Postfix, so what you are trying to do should be possible. What header_checks rule are you using?

  4. #4 (Join Date: Oct 2008, Posts: 17, Rep Power: 7)

    Thanks for the quick responses. I have listed the data from header_checks:

    Code:
    [zimbra@lwmtao1 ~]$ zmlocalconfig | grep header_checks
    postfix_header_checks = regexp:/opt/zimbra/postfix/conf/header_checks

    [zimbra@lwmtao1 ~]$ grep REJECT /opt/zimbra/postfix/conf/header_checks
    /^Subject:.*Known Spam Sublect/ REJECT This from address has been regularly used as a spam account
    /^From:.*Known SPAM from address/ REJECT This from address has been regularly used as a spam account
    /^X-Spam/ REJECT rejected due to spam header

    The first two rules (Subject and From) match correctly and reject mail. The third (/^X-Spam/) is a test to reject any mail with an X-Spam header; it doesn't match for some unknown reason, and I have tried multiple regexes with X-Spam.

  5. #5 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    Why not use something like:
    Code:
    /^X-Spam-Flag: YES/ REJECT This is a SPAM

  6. #6 (Join Date: Oct 2008, Posts: 17, Rep Power: 7)

    I did try the below, but it didn't match:

    Code:
    /^X-Spam-Flag: YES/ REJECT This is a SPAM

    I also did the below, to capture any X-Spam headers:

    Code:
    /^X-Spam/ REJECT rejected due to spam header

    Unfortunately no go in either case. Is it possible to put amavisd and SpamAssassin in debug mode to see what gets parsed and matched?

  7. #7 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    Yep, kind of... If you modify /opt/zimbra/conf/amavisd.conf.in and change line ~50 to $log_level = 2, this will generate more detailed output. You will need to restart ZCS then.

  8. #8 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    Okay, I think I have found it. Have a look at /opt/zimbra/postfix/conf/master.cf.in on line 111. When amavisd has finished its checks it injects the email back into Postfix on port 10025. The line

    Code:
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

    overrides the defaults, and no header/body checks are performed. You would need to remove the no_header_body_checks part and restart ZCS so that they are indeed performed. The rationale is that your own server should be sending out SPAM email. I have not tested this, so no warranty implied.
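    As an added example for this thread (it is not Postfix, amavisd or Zimbra code), the script below models what the posts above describe: a regexp: header_checks table is applied to each logical header line, first match wins, and the listener that receives amavisd's re-injected copy on port 10025 skips the table entirely when its receive_override_options contains no_header_body_checks. The rules table, the two messages and the simplified listener model are constructed for illustration; Postfix's real matching is done in C against POSIX regular expressions, which Python's re handles identically for these patterns.

```python
"""Model of Postfix header_checks at the two points a message passes
through Postfix in the thread's flow: Postfix -> amavisd -> Postfix:10025.

Added example for this forum thread, not Postfix/amavisd/Zimbra code.
HEADER_CHECKS and both messages are constructed sample data.
"""
import re

# Constructed regexp: table in the same shape as the thread's rules.
HEADER_CHECKS = r"""
# pattern                                   action  optional reply text
/^Subject:.*Known Spam Subject/ REJECT This from address has been regularly used as a spam account
/^From:.*Known SPAM from address/ REJECT This from address has been regularly used as a spam account
/^X-Spam-Flag: YES/ REJECT This is a SPAM
"""


def parse_header_checks(text):
    """Return [(compiled_regex, ACTION, reply_text)] in table order.
    Postfix regexp: tables match case-insensitively by default."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*?)/\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("unparsable header_checks rule: " + line)
        pattern, action, reply = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), reply or ""))
    return rules


def header_lines(raw_message):
    """Split the header section into logical header lines, unfolding
    continuation lines, since that is the unit header_checks inspects."""
    head = raw_message.split("\n\n", 1)[0]
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # folded continuation line
        else:
            lines.append(line)
    return lines


def run_header_checks(rules, raw_message, receive_override_options=()):
    """Return (ACTION, reply) for the first header line that matches a rule,
    or None when nothing matched. A listener whose receive_override_options
    includes no_header_body_checks never consults the table at all, which is
    the root cause found in this thread."""
    if "no_header_body_checks" in receive_override_options:
        return None
    for line in header_lines(raw_message):
        for regex, action, reply in rules:
            if regex.search(line):
                return (action, reply)
    return None


# Constructed: the message as the client submits it. amavisd has not seen
# it yet, so no X-Spam-* headers exist and the X-Spam rule cannot match.
MSG_AT_SUBMISSION = (
    "From: user@example.com\n"
    "To: someone@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed: the same message as amavisd hands it back on port 10025
# after SpamAssassin tagged it (one folded header included on purpose).
MSG_AFTER_AMAVIS = (
    "From: user@example.com\n"
    "To: someone@example.net\n"
    "Subject: hello\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Score: 12.3\n"
    "X-Spam-Status: Yes, score=12.3 required=6.6 tests=TEST_ONE,\n"
    "\tTEST_TWO\n"
    "\n"
    "body\n"
)

SHIPPED = ("no_header_body_checks", "no_unknown_recipient_checks", "no_address_mappings")
FIXED = ("no_unknown_recipient_checks", "no_address_mappings")


def demo():
    """Three runs: first pass, re-injection as shipped, re-injection fixed."""
    rules = parse_header_checks(HEADER_CHECKS)
    first_pass = run_header_checks(rules, MSG_AT_SUBMISSION)
    reinject_shipped = run_header_checks(rules, MSG_AFTER_AMAVIS, SHIPPED)
    reinject_fixed = run_header_checks(rules, MSG_AFTER_AMAVIS, FIXED)
    return first_pass, reinject_shipped, reinject_fixed


if __name__ == "__main__":
    for label, result in zip(("submission", "10025 as shipped", "10025 fixed"), demo()):
        print(f"{label:18s} -> {result}")
```

    On a real box the same kind of dry run can be done against the live table with Postfix's own tool, `postmap -q - regexp:/opt/zimbra/postfix/conf/header_checks < message.txt`, which prints the action for every header line that matches; if that shows a match but mail still passes, the table is fine and the problem is which listener is (not) applying it.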

  9. #9 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    Thinking about this, something that could be useful would be to use a pipe and then reject. Similar to how Wiki :: Adding a disclaimer works, as you could trap who is sending out SPAMs to a MySQL database for taking action against the user and trending.
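    An added sketch of that "pipe, record, then reject" idea (this is not Zimbra or Postfix code and not the wiki's disclaimer script): a filter that Postfix could run from a pipe(8) transport, which records the sender and SpamAssassin score of every tagged message and then returns a sysexits.h status so the pipe transport bounces it. It assumes an in-memory SQLite table standing in for the MySQL database mentioned in the post, reads the sender from the From: header of constructed sample messages, and does not touch master.cf; in a real deployment the authenticated login passed by pipe(8)'s ${sasl_username} attribute is the value worth recording, since From: is under the spammer's control.

```python
"""Pipe-transport style filter: log tagged outbound mail, then reject it.

Added example for this forum thread, not Zimbra/Postfix code. SQLite
stands in for the MySQL database the post mentions; the sample
messages below are constructed.
"""
import sqlite3
import sys
from email import message_from_bytes
from email.policy import default

EX_OK = 0            # sysexits.h: accepted / delivered
EX_UNAVAILABLE = 69  # sysexits.h: pipe(8) bounces the message


def open_db(path=":memory:"):
    """Create the tracking table; a real setup would point this at MySQL."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS outbound_spam ("
        " sender TEXT, score REAL, subject TEXT,"
        " seen_at TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    return conn


def record_outbound(conn, raw_message, sender=None):
    """Parse one RFC 5322 message. If SpamAssassin flagged it, store who
    sent it and return EX_UNAVAILABLE; otherwise return EX_OK.
    `sender` is where ${sasl_username} would be passed in; it falls back
    to the From: header here (assumption for the example)."""
    msg = message_from_bytes(raw_message, policy=default)
    flag = str(msg.get("X-Spam-Flag", "")).strip().upper()
    if flag != "YES":
        return EX_OK
    sender = sender or str(msg.get("From", ""))
    try:
        score = float(str(msg.get("X-Spam-Score", "")))
    except ValueError:
        score = None  # header missing or malformed; keep the record anyway
    conn.execute(
        "INSERT INTO outbound_spam (sender, score, subject) VALUES (?, ?, ?)",
        (sender, score, str(msg.get("Subject", ""))),
    )
    conn.commit()
    return EX_UNAVAILABLE


def top_senders(conn, limit=5):
    """Trending query: which accounts are sending the most tagged mail."""
    return conn.execute(
        "SELECT sender, COUNT(*) AS n FROM outbound_spam"
        " GROUP BY sender ORDER BY n DESC, sender LIMIT ?",
        (limit,),
    ).fetchall()


# Constructed sample messages, as amavisd would hand them back tagged.
FLAGGED = (
    b"From: spammer@example.com\r\n"
    b"Subject: cheap stuff\r\n"
    b"X-Spam-Flag: YES\r\n"
    b"X-Spam-Score: 12.3\r\n"
    b"\r\n"
    b"buy now\r\n"
)
CLEAN = (
    b"From: alice@example.com\r\n"
    b"Subject: lunch\r\n"
    b"X-Spam-Flag: NO\r\n"
    b"\r\n"
    b"see you at noon\r\n"
)


def demo():
    """Two tagged messages from one account and one clean message."""
    conn = open_db()
    statuses = [
        record_outbound(conn, FLAGGED),
        record_outbound(conn, FLAGGED),
        record_outbound(conn, CLEAN),
    ]
    return statuses, top_senders(conn)


if __name__ == "__main__":
    # As a pipe(8) command: message on stdin, exit status tells Postfix
    # whether to bounce (69) or treat the delivery as done (0).
    db = open_db()
    sys.exit(record_outbound(db, sys.stdin.buffer.read()))
```

    Because the filter only ever sees mail after amavisd has tagged it, it only works once the re-injection listener is actually running the checks, which is the same point #8 makes about no_header_body_checks.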

  10. #10 (Join Date: Oct 2008, Posts: 17, Rep Power: 7)

    Thank you very, very much.

    Removing the override no_header_body_checks did the trick. I will look at your other suggestion regarding tracking the user in the very near future.

    Thanks again.
