
Thread: Image SPAM

  1. #11

    Ya, outbound whitelisting based on receipt/sender is fine; one thing that the commercial product I posted above does is watermark the emails (which I believe has been patented). Now I go back to what I originally said is that to effectively reduce FPs is to balance your score across multiple techniques and not just a single one. Is that a sound theory?

  2. #12

    It's a very sound theory but the other half of it is that you should score each technique according to its precision. Off the top of my head I'd qualify that further: techniques with low false positive rates should have high scores even if they have high false negative rates. (At least this is true of "boolean" techniques like "is this IP address in blacklist X".)

    I haven't read the theory behind SA as a whole, but really, the entire scoring system would benefit from automatic rescoring, not just the text pattern matching. It's not clear to me if SA under Zimbra does this but when I have time I'll look into it more closely.

    Basically, you want each technique to have a score that represents how much independent confirmation it offers. E.g. if 100% of email with the string "buy c1ali$" also contained links in the URIBL--and all of the email with links in URIBL was spam, then you'd give a low score to "buy ciali$" and a high score to URIBL, meaning URIBL has all the information you need.
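
The scoring idea in post #12, as an added example that is not part of the thread and is not SpamAssassin's own rescoring method: each rule is scored only on the mail that more precise rules have not already hit. The corpus, the rule names and the greedy smoothed log-odds scheme are assumptions made for illustration.

```python
import math

# Constructed corpus: (is_spam, rules that fired). Rule names are hypothetical.
def batch(n, is_spam, *rules):
    return [(is_spam, frozenset(rules))] * n

CORPUS = (
    batch(40, True, "URIBL", "PHRASE")   # the phrase only ever appears with a URIBL hit
    + batch(20, True, "URIBL")
    + batch(10, True, "DNSBL")           # precise, but misses 90% of spam
    + batch(20, True, "IMG_ONLY")
    + batch(10, True)                    # spam that no rule catches
    + batch(10, False, "IMG_ONLY")       # false positives
    + batch(90, False)
)
RULES = ["URIBL", "PHRASE", "DNSBL", "IMG_ONLY"]

def counts(rule, corpus):
    """Return (spam_hits, ham_hits) for `rule` over `corpus`."""
    spam = sum(1 for s, fired in corpus if rule in fired and s)
    ham = sum(1 for s, fired in corpus if rule in fired and not s)
    return spam, ham

def precision(rule, corpus):
    """Fraction of the rule's hits that are spam, or None if it never fires."""
    spam, ham = counts(rule, corpus)
    return spam / (spam + ham) if spam + ham else None

def marginal_scores(corpus, rules):
    """Greedy scoring: most precise rule first, each later rule scored only on
    mail that no earlier rule has already hit (its independent confirmation)."""
    remaining, todo, scores = list(corpus), set(rules), {}
    while todo:
        def rank(rule):
            p = precision(rule, remaining)
            return (-1.0 if p is None else p, sum(counts(rule, remaining)), rule)
        best = max(todo, key=rank)
        todo.remove(best)
        spam, ham = counts(best, remaining)
        # Smoothed log-odds of spam given a hit; 0.0 if the rule adds nothing new.
        scores[best] = math.log((spam + 0.5) / (ham + 0.5)) if spam + ham else 0.0
        remaining = [(s, fired) for s, fired in remaining if best not in fired]
    return scores

if __name__ == "__main__":
    for rule, score in sorted(marginal_scores(CORPUS, RULES).items(), key=lambda kv: -kv[1]):
        print(f"{rule:9s} precision={precision(rule, CORPUS):.2f} score={score:.2f}")
```

On this constructed corpus PHRASE has perfect precision but scores 0.0 because URIBL already covers every message it hits, while DNSBL scores high despite missing 90% of the spam.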

  3. #13

    FuzzyOCR has now been installed (nice smooth install with ZCS) so will post some information once it has processed some email.

  4. #14

    To add a bit to the ASSP post I made.

    I implemented ASSP many years ago now, initially in front of our old email system before we migrated to Zimbra and honestly, after the first three months you'll almost never touch the thing again. It just works. At least that's been my experience with it. Occasionally I do have to dig out an email that gets caught that shouldn't have but it is rare...and ironically always the same user. :-)

    If there is a weakness with ASSP it's retrieving snagged emails, but then again it's a problem with SA and Zimbra as well. YMMV, but if you are suffering with SA/Zimbra, try ASSP for three months and see if it's a better fit for you.

  5. #15

    Quote, originally posted by tgx:
    > If there is a weakness with ASSP it's retrieving snagged emails, but then again it's a problem with SA and Zimbra as well.

    With SA/Zimbra, spam just goes into the Junk folder and retrieval is trivial. True, by default the most egregious spam gets deleted directly, but you can turn that off if you want. And really, the stuff with that high a score is extremely unlikely to be wanted.

    That said, working off the idea I posted upthread, I wonder if you could do the following:

    • Turn off SA in Zimbra, but leave the spam/ham addresses intact
    • Have ASSP check those addresses
    • Have ASSP insert a header field that Zimbra can recognize (e.g. via Filters) and put the spam into Junk

    Then, if the Junk/Not Junk button is still functional in ZWC, and if the system still forwards mail to the spam/ham addresses when it's moved into/out of the Junk folder, you now have an easy reporting interface to ASSP along with easy retrieval of marked mail.

    (Note: there's an RFE, by me, to have mail forwarded to spam if it's Filtered into Junk. That would break this model if Filters are used to recognize the ASSP junk-marking.)

  6. #16

    Quote, originally posted by ewilen:
    > With SA/Zimbra, spam just goes into the Junk folder and retrieval is trivial. True, by default the most egregious spam gets deleted directly, but you can turn that off if you want. And really, the stuff with that high a score is extremely unlikely to be wanted.

    From testing, the stuff that ends up in Junk on Zimbra never gets delivered with ASSP. Stuff that gets quarantined in Zimbra as SPAM also gets quarantined by ASSP. The version of ASSP I am using is quite old so I cannot reference its present capabilities. Like I said, I set it up and forgot about it.

    Emails quarantined under Zimbra are handled the same way as ASSP so getting the email back is the same exercise...digging in the filesystem for the email. Almost exclusively these emails are when someone tries to enroll in some sort of online system where they send you an email with username or password. And it happens almost universally. Happens to me as well, but I know to add the site to my okdomains.txt before I try to sign up. Also have issues with emails sent from online purchases.

  7. #17

    I ran MailScanner for four years both at home and commercially, and have looked at ASSP before. Now, I am not saying that either is bad; it is that I have tried to focus on how to make ZCS even better from an AV/AS perspective without putting a front-end filter in place. That said, if I did return to that setup then MailScanner would be the obvious choice IMHO. This is a great thread and thank you to all the posts. Keep them coming.

  8. #18

    Quote, originally posted by tgx:
    > From testing, the stuff that ends up in Junk on Zimbra never gets delivered with ASSP.

    But if you want not to see it at all in Zimbra, then you can just lower the kill percent under Global Settings:AS/AV.

    Conversely,

    > Emails quarantined under Zimbra are handled the same way as ASSP so getting the email back is the same exercise...digging in the filesystem for the email.

    In that case you could increase the kill percent to disable "kill" altogether. Result: all your junk mail goes into Junk instead of being quarantined. If that has too much of an impact on storage you can then decrease the spam message lifetime under Class of Service:Advanced.

    This is not to say that ASSP isn't cool, and given my planned installation I could use it anyway at least as an edge SMTP proxy+RBL blocker, to take some load off of Zimbra. I remember it has Greylisting and maybe some other non-content-based tools as well. If I can then integrate its content filtering with Zimbra in such a way as to give users Zimbra's ease of re-classifying ham/spam, plus putting ASSP-identified spam directly into Junk, that would be great.

    One thing I'm remembering, though, ASSP recommended that users set their SMTP server to ASSP rather than (in this case) Zimbra. I believe that was required for auto-whitelisting based on addresses found in outbound mail. Thing is, this would mess up Zimbra's excellent server-based storage of Sent mail. Not to mention, you couldn't do it for web mail. But maybe I could use Servers:MTA:Relay MTA for external delivery to point Zimbra at ASSP.

  9. #19

    Quote, originally posted by uxbod:
    > FuzzyOCR has now been installed (nice smooth install with ZCS) so will post some information once it has processed some email

    Hey.. how about that update you posted here..

  10. #20

    The latest round of image SPAM, flag type, bypasses any hits in FuzzyOCR. The only real defence I have seen so far is either SA rules or SaneSecurity sigs.
