Results 1 to 10 of 65

Thread: Help dealing with spam

Hybrid View

  1. #1
    Join Date
    Apr 2006
    Posts
    49
    Rep Power
    9

    Default Help dealing with spam

    I'm trying to understand how the spam checker works and am hoping someone can clear up a few things.

    1) Admin guide speaks of using the "Junk" button when spam makes it's way into the inbox. This will help "learning" of what to classify as spam and what not to. Does that button do something special or does the act of moving mail to the junk folder accomplish the same thing? Specifically, if I use Thunderbird or some other app to move mail to the junk folder will the "learning" aspect still be accomplished?

    I guess the same sort of questions apply to items mistakenly marked as spam.

    2) Tweaking the filters... Are there some guidelines to how to do this? I have the settings on Kill 75 and Tag 33. (Default?) With these setting stuff is getting caught, but I have one user that is still getting a larger amount of spam in the Inbox than I'd like. I've seen mention of looking in the headers to determine the ratings that were given, but I'm not sure what I'm looking for and if what I see is good or bad. Is there a discussion somewhere that might help me further tweak Zimbra?

    Thanks,

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Well, it depends which release you're on. The current release also has DSPAM to catch stuff, anything in the junk folder will be run through zmtrainsa on a daily basis (a cron job is run overnight).

    I have my kill/tag filters set at 66/25 respectively and that catches almost all of the spam, I think I get about one message per week that it's unsure of and ends up in the junk folder automatically. Those settings are good for me but you'll have to set them to your own levels, it's a balancing act between getting most of the spam (you'll never get it all) and not catching any innocent mail.

    You could also have a look at setting-up some additional filter by using rules_du_jour, have a look through the forums and the wiki for some info, I also have these installed.
    Last edited by phoenix; 10-22-2006 at 12:20 AM.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Apr 2006
    Posts
    49
    Rep Power
    9

    Default

    Thanks Bill. I'm on the newest 3.1 level and have set up the rules to disallow the spam lists (except for one that was denying legit mail).

  4. #4
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    zmsatrain actually only looks at the spam and ham mailboxes. So you must use the 'Junk' and 'Not Junk' buttons to get training to take effect. If you just move things to Junk with an IMAP client it doesn't trigger a reference to go into the spam/ham mailboxes.

    You can run zmsatrain manually and point to your Junk folder if you'd like. This will make sure all the mail in your junk folder is counted and trained. Best way in general is teach user's to use the Junk/Not Junk buttons and you'll have an admin free way of training and keeping your spam training current.


    For the headers just use a 'View Original' in the web client. You'll see several headers from DSPAM and SA. I check any Spam's that get into my inbox and look for test that are giving a positive score. You'll also see the SPAM value and how close it was to your current settings. An example is like this:

    Code:
    X-DSPAM-Result: Spam
    X-DSPAM-Processed: Wed May 10 22:36:20 2006
    X-DSPAM-Confidence: 0.9997
    X-DSPAM-Probability: 1.0000
    X-DSPAM-Signature: 4462cd545181873812410
    X-DSPAM-Factors: 15,
    X-Virus-Scanned: amavisd-new at mail.example.com
    X-Spam-Status: Yes, score=11.261 tagged_above=-10 required=4 autolearn=no
     tests=[BAYES_95=3, DSPAM_SPAM=0.5, RCVD_IN_BL_SPAMCOP_NET=1.558,
     RCVD_IN_XBL=3.897, UNPARSEABLE_RELAY=0.001, X_IP=2.305]
    X-Spam-Score: 11.261
    X-Spam-Level: ***********
    X-Spam-Flag: YES
    You see here this is a very *spammy* message. All the tests that triggered a positive spam vote and it triggered several RBLs, both SA and DSPAM's highest spam value. Got scored an 11.2 but only needed a 4 to be considered spam.

    FYI our internal Zimbra server's Tag/Kill is -> Tag: 20 Kill: 75
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Sorry, my error - I had a cron job running against my junk mailbox for a while and forgot to remove it. As KevinH said, it's only for the training mailboxes.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  6. #6
    Join Date
    Apr 2006
    Posts
    49
    Rep Power
    9

    Default

    Ok, here's one I got today and am not sure I understand. It seems DSPAM knew it was spam, but it didn't get marked that way. Why not?

    Free website offer...
    Code:
    X-DSPAM-Result: Spam
    X-DSPAM-Processed: Wed May 10 20:20:09 2006
    X-DSPAM-Confidence: 0.9997
    X-DSPAM-Probability: 1.0000
    X-DSPAM-Signature: 44628339251791222944467
    X-DSPAM-Factors: 15,
    X-Virus-Scanned: amavisd-new at 
    X-Spam-Status: No, score=5.826 tagged_above=-10 required=6.6 autolearn=no
     tests=[DNS_FROM_AHBL_RHSBL=0.306, DSPAM_SPAM=0.5, SUBJ_YOUR_OWN=0.127,
     URIBL_JP_SURBL=3.36, URIBL_WS_SURBL=1.533]
    X-Spam-Score: 5.826
    X-Spam-Level: *****
    And a stock pick....

    Code:
    X-DSPAM-Result: Innocent
    X-DSPAM-Processed: Wed May 10 18:04:24 2006
    X-DSPAM-Confidence: 0.6818
    X-DSPAM-Probability: 0.0000
    X-DSPAM-Signature: 4462636822051336712104
    X-DSPAM-Factors: 27,
    X-Virus-Scanned: amavisd-new at 
    X-Spam-Status: No, score=5.682 tagged_above=-10 required=6.6 autolearn=no
     tests=[DSPAM_HAM=-0.1, RCVD_IN_NJABL_DUL=1.713, RCVD_IN_SORBS_DUL=1.988,
     STRONG_BUY=2.08, UNPARSEABLE_RELAY=0.001]
    X-Spam-Score: 5.682
    X-Spam-Level: *****

  7. #7
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    Both of those are getting very heavy SPAM votes. in the 5.6 range. With the Zimbra settings they would have been spam, since we only require a score of 4. Your settings (the default) require 6.6 so needs to be more spammy for them to get marked as spam.

    The way we use DSPAM is it's just another vote in the voting system. A DSPAM vote for spam is counted a little heavier than a ham vote. Just want the SA wiki recommends.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  8. #8
    Join Date
    Oct 2005
    Location
    Calgary, AB
    Posts
    232
    Rep Power
    10

    Default

    So I am positive my Spam Training is not functioning. Let's see if I have this straight.

    How it is supposed to work?:

    1. User sees unflagged SPAM in folder
    2. User highlights message and presses "Junk" on the toolbar
    3. Message is moved to the users "Junk" folder
    4. A copy of the message is also sent to the "spam account junk folder"
    5. The zmtrainsa cron executes and learns from the contents in the "junk folder" of the Spamaccount

    Is that correct?

    So my problem is, when I designate a message in my Inbox as Junk, it does not appear in the account I have designated as the Spam Account. And when the zmtrainsa cron runs it does not appear that it is finding messages either.

    The system I am running is: Release 3.1.1_GA_394.FC3_20060505121237 FC3 FOSS edition

    'zmprov gcf zimbraSpamIsNotSpamAccount' returns: zimbraSpamIsNotSpamAccount: hamaccount@avmax-internal.net

    'zmprov gcf zimbraSpamIsSpamAccount' returns:
    zimbraSpamIsSpamAccount: spamaccount@avmax-internal.net

    The only thing I can think of at this point, is that I am clicking the "Junk" button on a 'avmax.ca' domain account while the SpamAccount is a 'avmax-internal.net' domain account. Is it possible that this is a problem? Or does the problem lie elsewhere?

    Thanks in advance,

    Travis

Similar Threads

  1. Trying to understand Zimbra's anti-spam system
    By TaskMaster in forum Users
    Replies: 11
    Last Post: 01-25-2008, 09:59 AM
  2. [SOLVED] Reject SPAM
    By s0undt3ch in forum Users
    Replies: 9
    Last Post: 08-22-2007, 04:07 AM
  3. Spam being scored with BAYES_00
    By flyerguybham in forum Administrators
    Replies: 6
    Last Post: 04-24-2007, 01:07 PM
  4. Training spam and ham
    By Justin in forum Developers
    Replies: 2
    Last Post: 10-31-2006, 03:39 PM
  5. Spam questions 3.11
    By cdyer in forum Administrators
    Replies: 10
    Last Post: 05-22-2006, 11:14 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •