
Thread: Spam Filter - a few questions

  1. #1
    Join Date
    Mar 2007
    Location
    Near Pittsburgh
    Posts
    146
    Rep Power
    8

    Question Spam Filter - a few questions

    Hi all,

    A few Q's about the spam filter.

    - Is it OK to shut it off? Will shutting it off make Zimbra unstable?

    - Does shutting it off require a reboot or restart of services? I already have a spam appliance.

    - Where do emails go that are marked as spam? If I get a "false-positive" - how do I find, then move that email to where it should go?

    Thanks,
    Rob

  2. #2
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    Is it OK to shut it off? Will shutting it off make Zimbra unstable?
    Nope, though I honestly recommend that you don't shut spamassassin/AV off altogether.
    You can never have too much insurance!
    The checkbox in global settings > as/av tab turns off both. If you click servers > services you can select them individually.

    Here's a method some use when they just want it as extra insurance:
    -Set ClamAV updates to x hrs. (heck, if you want it on as fallback insurance set it for like 24hrs or something)
    -Set kill rate at 100% - a SpamAssassin score of 20 points is considered 100%
    (something marked 20+ will definitely be spam)
    -Set your tag rate to 99% (it will complain if they're both using 100%)
    and you have 'effectively' kept spamassassin on the zimbra box from actually deleting spam - unless somehow something marked 20 points slips through - but I doubt it will.

    check current settings:
    zmprov gacf | grep zimbraMtaRestriction

    dns checks:
    reject_unknown_client
    reject_unknown_hostname
    reject_unknown_sender_domain
    host checks:
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    RBL's - Real Time Black Lists:
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client sbl.spamhaus.org (or zen.spamhaus.org)
    reject_rbl_client relays.mail-abuse.org

    -----
    for those who find this later:
    To turn them ON you would do something like:
    zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non_fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" zimbraMtaRestriction "reject_rbl_client relays.mail-abuse.org"
    Last edited by mmorse; 08-08-2007 at 12:42 PM.

  3. #3
    Join Date
    Mar 2007
    Location
    Near Pittsburgh
    Posts
    146
    Rep Power
    8

    Default

    Thanks. I set the Spam Kill Percent at 100 and the Tag Percent at 99. I hope this is correct...

    One other thing - where can I go to get the emails that have already been treated as spam? Can I get them back?

    Rob

  4. #4
    Join Date
    Oct 2006
    Location
    St Louis
    Posts
    27
    Rep Power
    9

    Default DNS Checks

    mmorse

    In your example text from the zimbraMtaRestrictions the DNS Checks are listed (reject_unknown_client, etc). But in the paragraph you show listing the command to enable RBL feature you don't include the DNS Checks.

    Is that an oversight in the details? Or is that because they're a bit obscure, and not common practice to set? IE, you'll get rejections from... who... netadmins who don't set up reverse dns?

    I've been reviewing the forum trying to find mention of problems when these are set, but few show examples that they've set them, and no one mentions the DNS Checks are giving them problems.

    So what is best practice for these three settings? Yes, no, some, YMMV?

    Cheers,
    Jim
    Last edited by alivebyscience; 07-08-2007 at 10:16 PM. Reason: edited to be more specific

  5. #5
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    That paragraph was copied from the wiki - there's even a misplaced "-" in that (reject_non-fqdn_hostname should be reject_non_fqdn_hostname)

    for the dns checks-sometimes you need to be a little more careful
    netadmins who don't set up reverse dns?
    yup for instance:
    reject_unknown_client the official postfix docs read: "Reject the request when the client IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record."

    reject_unknown_hostname -Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450).
    If there's no external dns record for that host...

    Personally I don't use the above two but I do use:
    reject_unknown_sender_domain -Reject the request when the sender mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

    btw a bunch of the RBLs overlap, and mail-abuse.org may now be a Trend Micro service
    I've also found that graylisting cuts down on spam quite nicely
    Last edited by mmorse; 07-08-2007 at 10:49 PM.
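    Added example (mine, not code from any poster on this thread, and not Zimbra's or Postfix's own code) covering the restriction list in post #2 and the DNS-check discussion above: a toy evaluator that walks a zimbraMtaRestriction-style list in Postfix order and says which restriction would reject a given SMTP client. It runs offline against a constructed in-memory resolver (FakeDNS), so the hostnames, IPs and DNSBL listings are invented; the restriction names are Postfix's, the hostname checks only approximate Postfix's valid_hostname() rules, and the reply codes are the defaults given in the Postfix documentation (check them against your version). The BAD_RDNS session shows the false positive mmorse avoids by not using reject_unknown_client: a real mail host whose PTR does not round-trip passes every other check but fails that one.

```python
import re
from dataclasses import dataclass, field

LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
KNOWN = {"reject_unknown_client", "reject_invalid_hostname", "reject_non_fqdn_hostname",
         "reject_unknown_hostname", "reject_non_fqdn_sender", "reject_unknown_sender_domain",
         "reject_rbl_client"}


def is_valid_hostname(name: str) -> bool:
    """Approximates Postfix valid_hostname(): dot-separated labels of letters, digits
    and interior hyphens (what reject_invalid_hostname tests)."""
    name = name.rstrip(".")
    return bool(name) and all(LABEL.match(label) for label in name.split("."))


def is_fqdn(name: str) -> bool:
    """Approximates valid_hostname_fqdn(): valid syntax plus at least two labels
    (what reject_non_fqdn_hostname / reject_non_fqdn_sender test)."""
    return is_valid_hostname(name) and "." in name.rstrip(".")


@dataclass
class FakeDNS:
    """Constructed in-memory resolver so the example runs offline; real Postfix asks DNS."""
    a: dict = field(default_factory=dict)      # hostname -> [ip, ...]
    mx: dict = field(default_factory=dict)     # domain   -> [mail host, ...]
    ptr: dict = field(default_factory=dict)    # ip       -> hostname
    listed: set = field(default_factory=set)   # DNSBL query names that would get an answer

    def has_a_or_mx(self, name: str) -> bool:
        return name in self.a or name in self.mx

    def client_verified(self, ip: str) -> bool:
        # reject_unknown_client: a PTR must exist and its A record must point back at the IP
        name = self.ptr.get(ip)
        return name is not None and ip in self.a.get(name, [])

    def rbl_listed(self, ip: str, zone: str) -> bool:
        # DNSBL lookup: octets reversed, zone appended, e.g. 7.113.0.203.sbl.spamhaus.org
        query = ".".join(reversed(ip.split("."))) + "." + zone
        return query in self.listed


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str   # envelope MAIL FROM; "" is the null sender, which the sender checks skip


def evaluate(session: Session, restrictions: list, dns: FakeDNS) -> tuple:
    """Apply restrictions in list order; the first one that matches decides (Postfix
    semantics). Reply codes are the defaults in the Postfix documentation."""
    ip, helo, sender = session.client_ip, session.helo, session.sender
    domain = sender.rpartition("@")[2]
    for entry in restrictions:
        name, _, arg = entry.partition(" ")
        if name not in KNOWN:
            raise ValueError(f"unsupported restriction in this toy: {entry}")
        if name == "reject_unknown_client" and not dns.client_verified(ip):
            return 450, f"Client host rejected: cannot find your reverse hostname, [{ip}]"
        if name == "reject_invalid_hostname" and not is_valid_hostname(helo):
            return 501, f"<{helo}>: Helo command rejected: Invalid name"
        if name == "reject_non_fqdn_hostname" and not is_fqdn(helo):
            return 504, f"<{helo}>: Helo command rejected: need fully-qualified hostname"
        if name == "reject_unknown_hostname" and not dns.has_a_or_mx(helo):
            return 450, f"<{helo}>: Helo command rejected: Host not found"
        if name == "reject_non_fqdn_sender" and sender and not is_fqdn(domain):
            return 504, f"<{sender}>: Sender address rejected: need fully-qualified address"
        if name == "reject_unknown_sender_domain" and sender and not dns.has_a_or_mx(domain):
            return 450, f"<{sender}>: Sender address rejected: Domain not found"
        if name == "reject_rbl_client" and dns.rbl_listed(ip, arg):
            return 554, f"Service unavailable; Client host [{ip}] blocked using {arg}"
    return 250, "permit"


# Constructed DNS: one well-run mail host, one host whose PTR does not round-trip, one listed bot.
DNS = FakeDNS(
    a={"mail.example.com": ["198.51.100.10"],
       "mx.isp.example": ["192.0.2.55"],
       "dsl-55.isp.example": ["192.0.2.200"]},   # PTR for 192.0.2.55 names this, but it resolves elsewhere
    mx={"example.com": ["mail.example.com"], "isp.example": ["mx.isp.example"]},
    ptr={"198.51.100.10": "mail.example.com", "192.0.2.55": "dsl-55.isp.example"},
    listed={"7.113.0.203.sbl.spamhaus.org", "7.113.0.203.bl.spamcop.net"},
)
# The two groups from the thread (relays.mail-abuse.org left out: no longer a free list).
HOST_AND_RBL_CHECKS = ["reject_invalid_hostname", "reject_non_fqdn_hostname", "reject_non_fqdn_sender",
                       "reject_rbl_client dnsbl.njabl.org", "reject_rbl_client cbl.abuseat.org",
                       "reject_rbl_client bl.spamcop.net", "reject_rbl_client dnsbl.sorbs.net",
                       "reject_rbl_client sbl.spamhaus.org"]
DNS_CHECKS = ["reject_unknown_client", "reject_unknown_hostname", "reject_unknown_sender_domain"]

GOOD_MTA = Session("198.51.100.10", "mail.example.com", "bob@example.com")
BOT = Session("203.0.113.7", "localhost", "x@nodomain.invalid")
BAD_RDNS = Session("192.0.2.55", "mx.isp.example", "alice@isp.example")   # legitimate, sloppy reverse DNS

if __name__ == "__main__":
    for label, sess, checks in [("good, all checks", GOOD_MTA, HOST_AND_RBL_CHECKS + DNS_CHECKS),
                                ("bot, host+rbl", BOT, HOST_AND_RBL_CHECKS),
                                ("bot, rbl only", BOT, HOST_AND_RBL_CHECKS[3:]),
                                ("bad rdns, host+rbl", BAD_RDNS, HOST_AND_RBL_CHECKS),
                                ("bad rdns, dns checks", BAD_RDNS, DNS_CHECKS)]:
        print(f"{label:22} -> {evaluate(sess, checks, DNS)}")
```

    Order matters: with the page's list the bot is stopped by reject_non_fqdn_hostname before any DNSBL is consulted, so the RBL lookups (and their bandwidth) are only spent on clients that pass the cheap syntax checks. Swap the list around and the same bot is rejected by bl.spamcop.net instead.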

  6. #6
    Join Date
    Oct 2006
    Location
    St Louis
    Posts
    27
    Rep Power
    9

    Default RBLs and Graylisting

    Sorry man, call me dumb, but graylisting? Is that the same as RBLs?

    mmorse, you've made mention of the RBLs being redundant, and the one referred to as mail-abuse.org is now Trend Micro premium service.

    Questions about RBLs...
    Someone else mentioned that spamassassin uses the "RBL DNS lists" already. Uhhh... Which one of this list of RBLs is that?

    The list...
    dnsbl.njabl.org
    cbl.abuseat.org
    bl.spamcop.net
    dnsbl.sorbs.net
    sbl.spamhaus.org (or zen.spamhaus.org)
    relays.mail-abuse.org (no longer in service - now trend micro owned)

    I guess my bottom line question - if you or anyone knows - which RBLs are valid to use on a system that doesn't get a lot of training by its users, but is several months old?

    The Trend Micro RBL... Any experience, or feedback as to how effective it is for folk? We're a Trend Micro reseller and I've submitted a request for use of their service. Thought I'd check it out and do some tests, unless it's been reviewed and rated by a knowledgeable and credible source.

    I believe adding more RBLs is an overhead to the email server and increases our bandwidth. I just want what's effective, not taxing and redundant.

  7. #7
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    Quote Originally Posted by alivebyscience View Post
    Sorry man, call me dumb, but graylisting? Is that the same as RBLs?
    Basically, graylisting means only mail from senders who are persistent (attempt delivery twice) get through right away. Other email gets held for a bit/extra points added/extra hard spam processing etc.

    The server looks at any combination of from address, from IP, and TO address, then puts the mail in a 'queue' and sends a temporary delivery failure - which tells most servers to retry in, say, 5 minutes

    Greylisting.org - Postfix implementations

    Connecting with SQLGrey - ZimbraWiki

    Greylisting - Wikipedia, the free encyclopedia - "If the mail is legitimate, the originating server will try again to send it later, at which time the destination will accept it. If the mail is from a spammer, it will probably not be retried. The assumption is that since temporary failures are built into the RFC specifications for e-mail delivery, a legitimate server will attempt to connect again later on to deliver the e-mail."

    Now I'm sure you're asking what happens if a server doesn't retry?
    Several methods could be used:
    -You might compare against any other emails (sent to other accounts in the same domain) from that IP/from: address that have re-tried and delivered.
    -You might run the email through a stricter spam filter process.
    -Deliver the email after x timeperiod, but give the email x amount of points if a re-send never occurred.

    (of course you can always have a whitelist of domains and IP ranges that always go through)

    For RBLs it's all about personal preference - and how you like their practices.

    For instance I'm a fan of spamhaus's sbl and xbl but I don't use zen (their combined list) because I don't agree with their pbl policies.
    -we might occasionally deal with a client who might fall under:
    "Spamhaus's Policy Block List (PBL) is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

    Obviously with all the spammers out there things do overlap-for instance:
    "NJABL.org will be working with Spamhaus on the PBL"
    or
    spamcop might copy some of abuseat's definitions every so often etc

    Yup, mail-abuse.org is now a trend micro paid service.
    Personally, I'd try out the major free ones first - if they don't do the job well enough for you then maybe consider a paid service. Though you said you're a reseller - if you can get it for cheap that's a plus.

    A lot of them - even the free ones - sometimes also allow you to get a copy of their lists via rsync so the lookups can be performed against a machine on your network instead of using your internet bandwidth.

    there are others out there too - hunt for 'RBL providers compatible with spamassassin'

    Visit their respective sites, check their stats, policies on identifying spammers, IP removal policies for accidental blocks, etc.
    dnsbl.njabl.org
    cbl.abuseat.org
    bl.spamcop.net
    dnsbl.sorbs.net
    sbl.spamhaus.org (or zen.spamhaus.org also xbl.spamhaus.org)
    Last edited by mmorse; 08-30-2007 at 09:53 AM.
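    Added example (mine, not SQLGrey's code and not from any poster here) of the greylisting described in the post above: the triplet (client IP, sender, recipient) gets a 450 the first time, is accepted once the sender retries after a minimum delay, and is remembered after that. It also implements two of the refinements mmorse lists: a whitelist of networks and sender domains that always pass, and trusting an IP outright once it has proved it retries on enough triplets (mmorse's "compare against other emails from that IP that have re-tried and delivered"). The delays, the trust threshold and all traffic in simulate() are constructed for the example, and the clock is injected so it runs offline.

```python
import ipaddress
from dataclasses import dataclass, field

TEMPFAIL = 450   # SMTP temporary failure: a real MTA queues and retries, a fire-and-forget bot does not
ACCEPT = 250


@dataclass
class Greylister:
    """Triplet greylisting. Policy numbers are constructed for the example, not anyone's defaults."""
    min_delay: int = 300            # seconds a retry must wait; retrying instantly does not count
    retry_window: int = 4 * 3600    # a triplet never retried within this window is forgotten
    ip_trust_after: int = 3         # after this many triplets pass, new mail from that IP skips the delay
    whitelist_nets: list = field(default_factory=list)    # ipaddress networks that always pass
    whitelist_domains: set = field(default_factory=set)   # sender domains that always pass
    pending: dict = field(default_factory=dict)     # triplet -> time first seen
    passed: dict = field(default_factory=dict)      # triplet -> time last accepted
    ip_passes: dict = field(default_factory=dict)   # client ip -> triplets that retried correctly

    def whitelisted(self, ip: str, sender: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist_nets):
            return True
        return sender.rpartition("@")[2].lower() in self.whitelist_domains

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> tuple:
        """Decide one delivery attempt at time `now` (seconds); returns (smtp_code, reason)."""
        if self.whitelisted(ip, sender):
            return ACCEPT, "whitelisted"
        if self.ip_passes.get(ip, 0) >= self.ip_trust_after:
            return ACCEPT, "client already proved it retries"
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            self.passed[key] = now
            return ACCEPT, "known triplet"
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now            # new (or stale) triplet: start the clock
            return TEMPFAIL, "4.7.1 greylisted, please retry later"
        if now - first < self.min_delay:
            return TEMPFAIL, "4.7.1 retried too soon, please retry later"
        del self.pending[key]                  # a proper retry: remember the triplet and credit the IP
        self.passed[key] = now
        self.ip_passes[ip] = self.ip_passes.get(ip, 0) + 1
        return ACCEPT, "retry after delay, triplet verified"


def simulate() -> list:
    """Constructed traffic: one real MTA, one bot, two whitelisted senders. Returns the reply codes."""
    g = Greylister(ip_trust_after=2,
                   whitelist_nets=[ipaddress.ip_network("10.0.0.0/8")],
                   whitelist_domains={"partner.example"})
    me = "rob@ourdomain.example"
    attempts = [
        ("198.51.100.10", "bob@example.com", me, 0),        # real MTA, first contact      -> 450
        ("198.51.100.10", "bob@example.com", me, 600),      # it retries after 10 minutes  -> 250
        ("198.51.100.10", "bob@example.com", me, 700),      # next message, same triplet   -> 250
        ("198.51.100.10", "carol@example.com", me, 1000),   # new sender, same host        -> 450
        ("198.51.100.10", "carol@example.com", me, 1400),   # retried, host now trusted    -> 250
        ("198.51.100.10", "dave@example.com", me, 2000),    # trusted host, no delay       -> 250
        ("203.0.113.7", "x@nodomain.invalid", me, 0),       # bot, first shot              -> 450
        ("203.0.113.7", "x@nodomain.invalid", me, 2),       # bot retrying instantly       -> 450
        ("203.0.113.7", "x@nodomain.invalid", me, 90000),   # back a day later, expired    -> 450
        ("10.1.2.3", "hr@corp.example", me, 0),             # whitelisted network          -> 250
        ("192.0.2.9", "news@partner.example", me, 0),       # whitelisted sender domain    -> 250
    ]
    return [g.check(*attempt)[0] for attempt in attempts]


if __name__ == "__main__":
    print(simulate())
```

    The "deliver after x time but add points if no retry happened" variant from the post is a scoring decision for the content filter rather than an SMTP-time accept/reject, so it is not modelled here; in this design mail that is never retried simply never arrives, which is why the whitelist for known-good senders matters.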

  8. #8
    Join Date
    Jul 2007
    Location
    Indiana
    Posts
    45
    Rep Power
    8

    Default

    Quote Originally Posted by mmorse View Post

    To turn them ON you would do something like:
    zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org” zimbraMtaRestriction “reject_rbl_client cbl.abuseat.org” zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” zimbraMtaRestriction “reject_rbl_client dnsbl.sorbs.net” zimbraMtaRestriction “reject_rbl_client sbl.spamhaus.org” zimbraMtaRestriction “reject_rbl_client relays.mail-abuse.org”
    This doesn't work in the latest version, does it? I am getting an error when I try to add any of the rbl listings to mine.
    I get this
    zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org”
    usage: modifyConfig(mcf) attr1 value1 [attr2 value2...]

    That is just trying to add one; if I add them all I get an LDAP Error Code 17

  9. #9
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    Bet it's because of the dash in reject_non-fqdn_hostname
    su zimbra
    zmprov mcf zimbraMtaRestriction reject_non_fqdn_hostname

    (the dns and hostname checks are also easily set with checkboxes in the admin console > global settings > mta tab)

  10. #10
    Join Date
    Jul 2007
    Location
    Indiana
    Posts
    45
    Rep Power
    8

    Default

    Thank you that worked great!

    You are a lifesaver. Too bad cut and paste changed all of the " to . but once I fixed that it took it.
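    Added example (mine, not from any poster on this thread and not part of zmprov) for the cut-and-paste problem in the last three posts: a checker that tokenises a pasted "zmprov mcf" line the way a POSIX shell would and reports why zmprov would balk. Typographic quotes are ordinary characters to the shell, so "reject_rbl_client dnsbl.njabl.org" becomes two tokens, the attr/value pairing goes odd (the usage line in post #8), and with more entries a zone name lands in an attribute position (my reading of the LDAP error, not something the thread confirms). BROKEN is the command from post #8 with curly quotes; the attribute-name and restriction-name patterns are heuristics of mine. The leading "+" accepted by ATTR_RE is zmprov's syntax for adding a value to a multi-valued attribute instead of replacing the whole set.

```python
import re
import shlex

# Typographic quotes that word processors and forum software substitute for ASCII " and '
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
ATTR_RE = re.compile(r"^[+-]?zimbra[A-Za-z0-9]+$")   # heuristic: zmprov attribute token
RESTRICTION_RE = re.compile(r"^[a-z_]+$")            # Postfix restriction names: lowercase and underscores


def build_mcf_argv(attr: str, values: list) -> list:
    """argv for `zmprov mcf attr v1 attr v2 ...`, one list element per token.
    Handing this list to subprocess.run() (no shell=True) avoids shell quoting entirely."""
    argv = ["zmprov", "mcf"]
    for value in values:
        argv += [attr, value]
    return argv


def render_shell_line(argv: list) -> str:
    """A correctly quoted line for pasting into a terminal (shlex.join needs Python 3.8+)."""
    return shlex.join(argv)


def fix_quotes(cmdline: str) -> str:
    return "".join(SMART_QUOTES.get(c, c) for c in cmdline)


def check_pasted_command(cmdline: str) -> list:
    """Return a list of problems with a pasted `zmprov mcf` line; empty means it looks sane."""
    problems = []
    found = sorted(c for c in set(cmdline) if c in SMART_QUOTES)
    if found:
        problems.append("typographic quotes %s are not quoting characters to the shell" % " ".join(found))
    try:
        tokens = shlex.split(cmdline)
    except ValueError as exc:
        return problems + [f"the shell would not even parse the line: {exc}"]
    if tokens[:2] != ["zmprov", "mcf"]:
        return problems + ["not a `zmprov mcf` command line"]
    pairs = tokens[2:]
    if len(pairs) % 2:
        problems.append(f"{len(pairs)} tokens after 'mcf' cannot pair up as attr/value "
                        "(usage: modifyConfig(mcf) attr1 value1 [attr2 value2...])")
    for token in pairs[0::2]:
        if not ATTR_RE.match(token):
            problems.append(f"{token!r} sits in an attribute position but is not a Zimbra attribute name")
    for token in pairs[1::2]:
        first_word = token.split()[0] if token.split() else ""
        if not RESTRICTION_RE.match(first_word):
            problems.append(f"{token!r}: restriction names use only lowercase letters and underscores")
    return problems


# The command from post #8 as the forum rendered it: a misplaced dash and curly quotes.
BROKEN = ("zmprov mcf zimbraMtaRestriction reject_invalid_hostname "
          "zimbraMtaRestriction reject_non-fqdn_hostname "
          "zimbraMtaRestriction reject_non_fqdn_sender "
          "zimbraMtaRestriction \u201creject_rbl_client dnsbl.njabl.org\u201d")
FIXED = fix_quotes(BROKEN).replace("reject_non-fqdn_hostname", "reject_non_fqdn_hostname")

if __name__ == "__main__":
    for line in (BROKEN, FIXED):
        print(line)
        for problem in check_pasted_command(line) or ["ok"]:
            print("  -", problem)
    print(render_shell_line(build_mcf_argv("zimbraMtaRestriction",
                                           ["reject_non_fqdn_hostname", "reject_rbl_client zen.spamhaus.org"])))
```

    Running it on BROKEN reports the curly quotes, the odd token count (9 after "mcf"), the zone name 'dnsbl.njabl.org”' in an attribute slot and the dash in reject_non-fqdn_hostname; FIXED comes back clean. Remember that zmprov mcf with a plain attribute name replaces the whole value set, so build the full list in one command or use +zimbraMtaRestriction to append.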
