
Thread: [SOLVED] increase of spam

  1. #1
    Join Date: Apr 2010 | Location: New-Brunswick, Canada | Posts: 67 | Rep Power: 5

    [SOLVED] increase of spam

    In general our spam is well controlled...

    I got rid of almost all email coming with a different from/return path and
    the fake email coming from our domain

    thanks to the great help from the people on this forum...


    but lately I have seen an increase in spam and I am just wondering if you guys know how to get rid of them...

    a lot of spam email lately comes with attachments...
    they all have a .rtf attachment to them???

    here are two examples...

    Return-Path: genericness@idcol.org
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 14 Jun 2010
    18:52:30 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id D22252DC005;
    Mon, 14 Jun 2010 18:52:30 -0300 (ADT)
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    X-Spam-Flag: NO
    X-Spam-Score: 5.038
    X-Spam-Level: *****
    X-Spam-Status: No, score=5.038 tagged_above=-10 required=6.6
    tests=[BAYES_60=1, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
    RDNS_DYNAMIC=0.1] autolearn=no
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 4j0accI0bgzk; Mon, 14 Jun 2010 18:52:29 -0300 (ADT)
    Received: from awaydy.kabel-badenwuerttemberg.de (HSI-KBW-078-043-178-048.hsi4.kabel-badenwuerttemberg.de [78.43.178.48])
    by mail.redballinternet.com (Postfix) with SMTP id 901B32DC004
    for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 18:52:29 -0300 (ADT)
    Message-ID: <4C16A3B4.7020802@idcol.org>
    Date: Mon, 14 Jun 2010 23:54:53 +0200
    From: Linebaugh Digiouanni <genericness@idcol.org>
    MIME-Version: 1.0
    To: Pais Donah <customerprivacy@redballinternet.com>
    Subject: Same seat in a buggy: if the white ma
    Content-Type: application/octet-stream; name="moralisingly.rtf"
    Content-Transfer-Encoding: base64


    Return-Path: flowered@kantipur.com.np
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 14 Jun 2010
    13:54:42 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id 007332DC005
    for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 13:54:42 -0300 (ADT)
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    X-Spam-Flag: NO
    X-Spam-Score: 3.568
    X-Spam-Level: ***
    X-Spam-Status: No, score=3.568 tagged_above=-10 required=6.6
    tests=[BAYES_60=1, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877,
    RDNS_DYNAMIC=0.1, SPF_NEUTRAL=0.686] autolearn=no
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id DDszhuh3dSvg for <xxxxxx@redballinternet.com>;
    Mon, 14 Jun 2010 13:54:40 -0300 (ADT)
    Received: from mpuk.telepac.pt (bl5-34-23.dsl.telepac.pt [82.154.34.23])
    by mail.redballinternet.com (Postfix) with SMTP id 0BDFB2DC004
    for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 13:54:39 -0300 (ADT)
    Message-ID: <4C165E0F.1060302@kantipur.com.np>
    Date: Mon, 14 Jun 2010 17:56:59 +0100
    From: Lynetta Szostak <flowered@kantipur.com.np>
    MIME-Version: 1.0
    To: Adriene Valine <xxxxxx@redballinternet.com>
    Subject: He was poisoned by his wife Ethelburga daughter vnto Offa king of M
    Content-Type: application/octet-stream; name="homemaker.rtf"
    Content-Transfer-Encoding: base64




    I also have what I call real spam...
    email with the same from/return path that just doesn't get picked up as spam




    Return-Path: myqehuci5634@superkabel.de
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Tue, 15 Jun 2010
    08:45:52 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id 5CECE2DC005
    for <xxxxxx@redballinternet.com>; Tue, 15 Jun 2010 08:45:52 -0300 (ADT)
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    X-Spam-Flag: NO
    X-Spam-Score: 5.964
    X-Spam-Level: *****
    X-Spam-Status: No, score=5.964 tagged_above=-10 required=6.6
    tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
    MISSING_MID=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1] autolearn=no
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LtCy1MDPSe9S for <xxxxxx@redballinternet.com>;
    Tue, 15 Jun 2010 08:45:51 -0300 (ADT)
    Received: from superkabel.de (95-91-154-28-dynip.superkabel.de [95.91.154.28])
    by mail.redballinternet.com (Postfix) with ESMTP id 4AA9C2DC004
    for <xxxxxxx@redballinternet.com>; Tue, 15 Jun 2010 08:45:51 -0300 (ADT)
    From: TopViagra WebPharmacy <myqehuci5634@superkabel.de>
    To: careers@redballinternet.com
    Subject: To careers. 80% off Wholesale. by FL In German
    Date: Tue, 15 Jun 2010 13:48:10 +0200
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 8bit
    Message-Id: <20100615114552.5CECE2DC005@mail.redballinternet.com>




    Return-Path: accessw8@rayholtz.com
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 14 Jun 2010
    04:36:22 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id 1CEB32DC005
    for <xxxxxxx@redballinternet.com>; Mon, 14 Jun 2010 04:36:22 -0300 (ADT)
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    X-Spam-Flag: NO
    X-Spam-Score: 5.857
    X-Spam-Level: *****
    X-Spam-Status: No, score=5.857 tagged_above=-10 required=6.6
    tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,
    RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id pm15aQP+QVT4 for <xxxxxx@redballinternet.com>;
    Mon, 14 Jun 2010 04:36:21 -0300 (ADT)
    Received: from SJKWJSIVPW (unknown [94.51.176.157])
    by mail.redballinternet.com (Postfix) with ESMTP id 547302DC004
    for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 04:36:21 -0300 (ADT)
    Received: from 94.51.176.157 by mailstore1.secureserver.net; Mon, 14 Jun 2010 11:38:33 +0300
    Date: Mon, 14 Jun 2010 11:38:33 +0300
    From: "Russel Mcdowell" <accessw8@rayholtz.com>
    X-Mailer: The Bat! (v3.71.01) Educational
    Reply-To: accessw8@rayholtz.com
    X-Priority: 3 (Normal)
    Message-ID: <697484003.79122794904937@rayholtz.com>
    To: xxxxxx@redballinternet.com
    Subject: 2 Girls Show Tits and Pussy in a Home Movie
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------410FF7D1F130AA"

    ------------410FF7D1F130AA
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: 7bit

    Dam that girl works a strapon

    Open attached file to watch video

    ------------410FF7D1F130AA
    Content-Type: text/html; name="open.html"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="open.html"

  2. #2
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 25

    Search the forums for SaneSecurity.

  3. #3
    Join Date: Apr 2010 | Location: New-Brunswick, Canada | Posts: 67 | Rep Power: 5

    Quote Originally Posted by uxbod
    Search the forums for SaneSecurity.
    I found this thread on the forum.. is this the best way to implement SaneSecurity???

    http://www.zimbra.com/forums/adminis...n-plugins.html

    thanks

  4. #4
    Join Date: Oct 2005 | Location: USA, Canada and India | Posts: 777 | Rep Power: 11

    required=6.6 is a little on the higher side
    we have our servers between 5.5 - 5.8 and we rarely get any false positives at a 5+ score.. if there is any there will be a reason.

    so I suggest you lower your "required" spam score in admin

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  5. #5
    Join Date: Apr 2010 | Location: New-Brunswick, Canada | Posts: 67 | Rep Power: 5

    Hi uxbod,

    I tried to add the SaneSecurity signatures last night...
    I did the steps you told bhickey a couple of years ago but like him I don't see the sanes entries when I select show original...

    Here are the steps I did till now

    Quote Originally Posted by uxbod
    Okay here we go!

    Update /opt/zimbra/conf/amavisd.conf.in with
    Code:
    @virus_name_to_spam_score_maps =
      (new_RE(  # the order matters!
        [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
        [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0.1 ],
        [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
        [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
        [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                           => 0.1 ],
        [ qr'^MBL_'                                 => undef ],  # keep as infected
        [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
        [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
        [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
        [ qr'-SecuriteInfo\.com(\.|\z)'             => undef ],  # keep as infected
      ));
    ensure this is before 1; # insure a defined return
    at the end of the file. Then ...

    And then to update SA you need to edit /opt/zimbra/conf/salocal.cf.in with
    Code:
    ################################################################################
    # SaneSecurity & MSRBL Signatures
    ################################################################################
    header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
    header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
    header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
    header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
    header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
    header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|****|Spam[A-Za-z0-9]?|Stk|Junk)\.}
    header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
    header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
    header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
    header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
    meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
    header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
    header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
    header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_}
    header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
    
    score  L_AV_Phish       14
    score  L_AV_SS_Phish    5
    score  L_AV_SS_PhishBar 0.5
    score  L_AV_SS_Scam     8
    score  L_AV_SS_Spam     8
    score  L_AV_SS_Hdr      6
    score  L_AV_SS_Img      3.5
    score  L_AV_SS_Bounce   0.1
    score  L_AV_SS_other    1
    score  L_AV_SS_Malware  14
    score  L_AV_MBL         14
    score  L_AV_MSRBL_Img   3.5
    score  L_AV_MSRBL_Spam  6
    score  L_AV_SecInf      8
    at the end of the file. You will then need to restart ZCS. Obviously you can tune the scores to your own requirements as 0.1 is very low, but there have been some FPs in the past. Any questions, please ask. Enjoy.
    Find the section keep_decoded_original_maps and change to
    Code:
    @keep_decoded_original_maps = (new_RE(
      qr'^MAIL$',   # retain full original message for virus checking (can be slow)
      qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
      qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
      qr'^Zip archive data',     # don't trust Archive::Zip
    ));
    The only difference is I changed all the scores to 0.1 for testing...

    I restarted the server after doing that...

    And here I am... but like I said I don't see any entries in my original with a sanes signature


    Thanks for your help
    Paul-Rene
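The two config blocks quoted above are Perl (amavisd) and SpamAssassin syntax, so it is easy to misread what they do. Here is an added Python transcription (my code, not uxbod's, SaneSecurity's or Zimbra's) of the first-match @virus_name_to_spam_score_maps table and of the header and meta rules in salocal.cf.in. The signature names and X-Amavis-AV-Status values fed in are constructed, in the "AV:<signature>" form the rules match; the L_AV_SS_Spam alternation leaves out the token the forum software censored as ****. It shows why "the order matters": a Sanesecurity.Malware.* name stays a virus only because its rule precedes the catch-all Sanesecurity rule, and it shows which SA rule and default score a given signature name ends up with, which is what Paul-Rene's 0.1 test scores would be replacing.

```python
import re

# Transcription of the @virus_name_to_spam_score_maps entries quoted above.
# First match wins; None plays the part of Perl's undef ("keep as infected"),
# a number is the spam score amavisd assigns instead of treating it as a virus.
VIRUS_NAME_TO_SPAM_SCORE = [
    (re.compile(r"^Sanesecurity\.(Malware|Rogue|Trojan)\."), None),
    (re.compile(r"^Sanesecurity(\.[^., ]*)*\."), 0.1),
    (re.compile(r"^Sanesecurity_PhishBar_"), 0),
    (re.compile(r"^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\."), 0),
    (re.compile(r"^(MSRBL-Images/|MSRBL-SPAM\.)"), 0.1),
    (re.compile(r"^MBL_"), None),
    (re.compile(r"^VX\.Honeypot-SecuriteInfo\.com\.Joke"), 0.1),
    (re.compile(r"^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\Z)"), 0.1),
    (re.compile(r"^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)"), 0.1),
    (re.compile(r"-SecuriteInfo\.com(\.|\Z)"), None),
]


def classify(virus_name, table=VIRUS_NAME_TO_SPAM_SCORE):
    """Return ("infected", None) or ("spam", score) for a ClamAV signature name."""
    for pattern, score in table:
        if pattern.search(virus_name):
            return ("infected", None) if score is None else ("spam", score)
    return ("infected", None)  # no entry matched: amavisd keeps it as a virus


# Transcription of the header rules and scores from the quoted salocal.cf.in block.
# The L_AV_SS_Spam alternation omits the token the forum censored as ****.
SA_HEADER_RULES = {
    "L_AV_Phish":       (re.compile(r"\bAV:(Email|HTML)\.Phishing\.", re.I), 14),
    "L_AV_SS_PhishBar": (re.compile(r"\bAV:Sanesecurity_PhishBar_"), 0.5),
    "L_AV_SS_Phish":    (re.compile(r"\bAV:Sanesecurity\.Phishing\."), 5),
    "L_AV_SS_Malware":  (re.compile(r"\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\."), 14),
    "L_AV_SS_Scam":     (re.compile(r"\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)"), 8),
    "L_AV_SS_Spam":     (re.compile(r"\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Spam[A-Za-z0-9]?|Stk|Junk)\."), 8),
    "L_AV_SS_Hdr":      (re.compile(r"\bAV:Sanesecurity\.Hdr\."), 6),
    "L_AV_SS_Img":      (re.compile(r"\bAV:Sanesecurity\.(Img|ImgO)\."), 3.5),
    "L_AV_SS_Bounce":   (re.compile(r"\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b"), 0.1),
    "L_AV_MSRBL_Img":   (re.compile(r"\bAV:MSRBL-Images\b"), 3.5),
    "L_AV_MSRBL_Spam":  (re.compile(r"\bAV:MSRBL-SPAM\."), 6),
    "L_AV_MBL":         (re.compile(r"\bAV:MBL_"), 14),
    "L_AV_SecInf":      (re.compile(r"-SecuriteInfo\.com\b"), 8),
}
_SS_ANY = re.compile(r"\bAV:Sanesecurity\.")  # the __L_AV_SS helper rule
_SS_SPECIFIC = ("L_AV_SS_Phish", "L_AV_SS_Scam", "L_AV_SS_Spam", "L_AV_SS_Malware",
                "L_AV_SS_Hdr", "L_AV_SS_Img", "L_AV_SS_Bounce")


def sa_hits(av_status):
    """Return {rule_name: score} for every rule that fires on an X-Amavis-AV-Status value."""
    hits = {name: score for name, (rx, score) in SA_HEADER_RULES.items() if rx.search(av_status)}
    # meta L_AV_SS_other: a SaneSecurity signature hit that none of the specific rules claimed
    if _SS_ANY.search(av_status) and not any(name in hits for name in _SS_SPECIFIC):
        hits["L_AV_SS_other"] = 1
    return hits


def sa_score(av_status):
    """Total score the quoted rules add for this header value."""
    return sum(sa_hits(av_status).values())


if __name__ == "__main__":
    # Constructed names in SaneSecurity's naming style, not real signatures.
    for name in ("Sanesecurity.Malware.1.UNOFFICIAL", "Sanesecurity.Junk.2.UNOFFICIAL",
                 "MBL_3", "Email.Spam.4-SecuriteInfo.com"):
        print("%-36s -> %s" % (name, classify(name)))
    # Constructed X-Amavis-AV-Status values in the "AV:<signature>" form the rules expect.
    for status in ("AV:Sanesecurity.Junk.2.UNOFFICIAL", "AV:Sanesecurity.Foo.5.UNOFFICIAL",
                   "AV:MSRBL-Images/6"):
        print("%-36s -> %s" % (status, sa_hits(status)))
```

Two things fall out of running it: a Sanesecurity signature the SA rules do not name specifically (the constructed Sanesecurity.Foo.* here) only scores the L_AV_SS_other fallback of 1, and swapping the first two amavisd entries turns Malware hits from quarantined viruses into 0.1-point spam, which is the failure the "order matters" comment warns about.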

  6. #6
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 25

    Have you downloaded the Sane signatures and where are they being stored?

  7. #7
    Join Date: Apr 2010 | Location: New-Brunswick, Canada | Posts: 67 | Rep Power: 5

    Quote Originally Posted by uxbod
    Have you downloaded the Sane signatures and where are they being stored?
    I did not... hehehe
    how do I do that...

    I am trying to find some info on the internet.. there isn't much?
    Last edited by Plurnay; 06-16-2010 at 07:10 AM.

  8. #8
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 25

    Download the tarball from Index of /pub and follow the INSTALL document. You will need to set a few parameters in the configuration to allow it to work with Zimbra. Below is a diff of the values I set
    Code:
    < PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
    ---
    > PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/zimbra/clamav/bin"
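    Review bot: /opt/zimbra/clamav/bin is appended at the end of PATH, so if a distribution ClamAV package is also installed its /usr/bin/clamscan and sigtool are found first and may not be the version whose database directory /opt/zimbra/data/clamav/db belongs to; putting the Zimbra directory at the front of PATH avoids mixing the two.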
    40,41c40,41
    < clam_user="clamav"
    < clam_group="clamav"
    ---
    > clam_user="zimbra"
    > clam_group="zimbra"
    45c45
    < clam_dbs="/var/lib/clamav"
    ---
    > clam_dbs="/opt/zimbra/data/clamav/db"
    48c48
    < clamd_pid="/var/run/clamd.pid"
    ---
    > clamd_pid="/opt/zimbra/log/clamd.pid"
    65c65
    < #reload_opt="kill -USR2 `cat $clamd_pid`"
    ---
    > reload_opt="kill -USR2 `cat $clamd_pid`"
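    Review bot: `reload_opt="kill -USR2 `cat $clamd_pid`"` has no check that the pid file exists and is non-empty; if /opt/zimbra/log/clamd.pid is missing after a restart, cat fails and kill runs without a pid, so clamd keeps serving the old signatures until the next restart and only the cron output shows the failure. Consider guarding it, e.g. `reload_opt="[ -s \"$clamd_pid\" ] && kill -USR2 `cat $clamd_pid`"`, or otherwise verifying the reload succeeded.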
    219c223
    < work_dir="/usr/unofficial-dbs"   #Top level working directory
    ---
    > work_dir="/opt/zimbra/data/clamav/db/unofficial-dbs"   #Top level working directory
    256c260
    < user_configuration_complete="no"
    ---
    > user_configuration_complete="yes"

  9. #9
    Join Date: Apr 2010 | Location: New-Brunswick, Canada | Posts: 67 | Rep Power: 5

    Thank you so much...

    So just to be sure

    I made the changes to the clamav-unofficial-sigs.conf
    to your spec

    Code:
    < PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
    ---
    > PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/zimbra/clamav/bin"
    40,41c40,41
    < clam_user="clamav"
    < clam_group="clamav"
    ---
    > clam_user="zimbra"
    > clam_group="zimbra"
    45c45
    < clam_dbs="/var/lib/clamav"
    ---
    > clam_dbs="/opt/zimbra/data/clamav/db"
    48c48
    < clamd_pid="/var/run/clamd.pid"
    ---
    > clamd_pid="/opt/zimbra/log/clamd.pid"
    65c65
    < #reload_opt="kill -USR2 `cat $clamd_pid`"
    ---
    > reload_opt="kill -USR2 `cat $clamd_pid`"
    219c223
    < work_dir="/usr/unofficial-dbs"   #Top level working directory
    ---
    > work_dir="/opt/zimbra/data/clamav/db/unofficial-dbs"   #Top level working directory
    256c260
    < user_configuration_complete="no"
    ---
    > user_configuration_complete="yes"

    now in the install file it says to
    Make sure script files are executable and have the appropriate UID/GID set:
    chmod 755 *.sh
    chown <user>:<group> *.sh

    the chown, would it be zimbra:zimbra?


    next it says to
    Install:
    cp clamav-unofficial-sigs.sh /path/to/script_dir (usually something like /usr/local/bin)
    cp clamav-unofficial-sigs.conf /path/to/config_dir (/etc & usually something like /usr/local/etc)
    cp clamav-unofficial-sigs.8 /path/to/man/man8 (usually something like /usr/local/man/man8)

    I don't have a folder man8 in man... do I just create it???

    cp clamav-unofficial-sigs-cron /path/to/cron.d (usually something like /etc/cron.d)
    cp clamav-unofficial-sigs-logrotate /path/to/logrotate.d (usually something like /etc/logrotate.d)


    After I copied the files into their appropriate folders...
    Is there anything else I have to do... do I need to run something?

    Thanks again for your help
    Paul-Rene Hebert

  10. #10
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 25

    I would put the .sh in /usr/local/bin and the .conf in /usr/local/etc. I put the cron file into /etc/cron.d with the following entry
    Code:
    45 * * * * root /usr/local/bin/clamav-unofficial-sigs.sh -c /usr/local/etc/clamav-unofficial-sigs.conf
    You can test it first by running the .sh and pointing to the conf file as above. Then check in /opt/zimbra/data/clamav/db/unofficial-dbs to make sure the files have been downloaded and have the correct permissions.
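A small added Python check (my code, not part of clamav-unofficial-sigs or Zimbra) for the verification step uxbod describes: it walks the unofficial-dbs directory and reports files that are missing, not owned by the expected account, unreadable by that owner, or older than the cron interval should allow, which is the usual sign that the hourly job is not running or is failing part-way. The directory, owner and age limit are parameters; the default owner zimbra matches clam_user in the diff above, and the demo() function builds a constructed temporary directory to exercise the failure modes rather than touching a real install.

```python
import os
import pwd
import tempfile
import time


def check_sig_dir(path, owner="zimbra", max_age_hours=24, now=None):
    """Report problems with a clamav-unofficial-sigs download directory.

    Returns a list of human-readable problems; an empty list means the directory
    exists, holds at least one file, and every file is owned by `owner`, readable
    by that owner and modified within the last `max_age_hours`. Stale files are
    the usual sign that the cron job is not running or is failing part-way.
    """
    now = time.time() if now is None else now
    if not os.path.isdir(path):
        return ["missing directory: %s" % path]
    problems = []
    files = [os.path.join(path, name) for name in sorted(os.listdir(path))]
    files = [f for f in files if os.path.isfile(f)]
    if not files:
        problems.append("no files downloaded into %s" % path)
    for f in files:
        st = os.stat(f)
        try:
            file_owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:  # uid with no passwd entry: report the number
            file_owner = str(st.st_uid)
        if file_owner != owner:
            problems.append("%s is owned by %s, expected %s" % (f, file_owner, owner))
        if not st.st_mode & 0o400:
            problems.append("%s is not readable by its owner" % f)
        age_hours = (now - st.st_mtime) / 3600.0
        if age_hours > max_age_hours:
            problems.append("%s is %.0f hours old (limit %d)" % (f, age_hours, max_age_hours))
    return problems


def demo():
    """Exercise the check against a constructed temporary directory.

    Returns problem counts for: a fresh file owned by the current user, the same
    file checked against a hypothetical wrong owner, the file aged two days, and
    an empty directory.
    """
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        me = str(os.getuid())
    workdir = tempfile.mkdtemp(prefix="unofficial-dbs-")
    try:
        sig = os.path.join(workdir, "example.ndb")  # constructed file name, not a real database
        with open(sig, "w") as fh:
            fh.write("constructed placeholder, not a real signature database\n")
        fresh = check_sig_dir(workdir, owner=me)
        wrong_owner = check_sig_dir(workdir, owner="placeholder-other-user")  # hypothetical account
        two_days_ago = time.time() - 48 * 3600
        os.utime(sig, (two_days_ago, two_days_ago))
        stale = check_sig_dir(workdir, owner=me)
        os.remove(sig)
        empty = check_sig_dir(workdir, owner=me)
    finally:
        for leftover in os.listdir(workdir):
            os.remove(os.path.join(workdir, leftover))
        os.rmdir(workdir)
    return {"fresh": len(fresh), "wrong_owner": len(wrong_owner),
            "stale": len(stale), "empty": len(empty)}


if __name__ == "__main__":
    print(demo())
    # On a Zimbra box with the paths from this thread:
    print(check_sig_dir("/opt/zimbra/data/clamav/db/unofficial-dbs") or "all checks passed")
```

Run it from the same cron cadence (or by hand after the first manual run of the .sh) and anything it prints is a reason to look at the script's log before assuming the SaneSecurity entries will show up in message headers.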
