Harden ZCS Spam Filters

dgskmf
Posts: 5
Joined: Mon Sep 08, 2014 3:33 pm

Harden ZCS Spam Filters

Postby dgskmf » Fri Oct 03, 2014 3:57 pm

I'm currently running ZCS 8.5 on a CentOS 6.4 box. We are seeing a large amount of spam landing in our inbox on a daily basis and it appears that marking items as Spam doesn't really have much effect. I initially installed and enabled Pyzor and Razor following this guide http://wiki.zimbra.com/wiki/SpamAssassin_Customizations#For_SpamAssassin_and_Anti-spam_Updates. I also enabled Dspam and that helped a lot after users had the opportunity to train Dspam. But that was over a year ago and now the spam appears to be ramping back up. I was hoping to get ideas from the community on things that have been done to increase the effectiveness of the spam filters on your server. We would really like to avoid using a hardware filter but it may be our only option if we can't get this under control.



quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Harden ZCS Spam Filters

Postby quanah » Fri Oct 03, 2014 5:16 pm

Have you enabled RBLs, etc, at the postfix level, as noted in the wiki?

With what is in place in the wiki, we receive very little spam. There are always new spam patterns and systems coming online, so there's always opportunity for some to get through in a given day, but I rarely get more than 2-3 a day at this point.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
faulumpy
Posts: 48
Joined: Fri Sep 12, 2014 10:39 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Harden ZCS Spam Filters

Postby faulumpy » Tue Oct 07, 2014 1:38 am

The best anti spam method I implemented is in my opinion greylisting. I also run razor/pyzor/dspam/dcc and use some dns blacklists but the largest spam reduction came from using postgrey.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P6.
dgskmf
Posts: 5
Joined: Mon Sep 08, 2014 3:33 pm

Harden ZCS Spam Filters

Postby dgskmf » Wed Oct 08, 2014 4:26 pm

I definitely wouldn't mind getting 2-3 a day. That would be a big time improvement.

I decided to just go through the entire wiki again since we recently updated our Zimbra server. Figured that would give me the confidence that at least all these steps have been applied correctly. I was able to remove and reinstall pyzor and razor with no issue. I also verified that all the Spamassassin scoring matched the scores given in the wiki and made sure they were in the correct file, which I believe is /opt/zimbra/data/spamassassin/localrules/local.cf . The values that show in the headers of my spam don't seem to reflect the ones in my configuration though, so I wonder if I'm not putting them in the correct place.

This is the header from one extremely obvious spam message that wasn't caught by the filter:
X-Spam-Status: No, score=-1.99 tagged_above=-10 required=5
tests=[BAYES_00=-1.9, RAZOR2_CHECK=0.922, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, DSPAM.Innocent=-1.000]
autolearn=no autolearn_force=no

I'm not utilizing the Kevin McGrail rules right now for fear of too many false positives and I also skipped over the SOUGHT ruleset for now.

The next problem I'm running into is when I am trying to get DCC installed and configured. I'm fine until I get to the configuration portion. I get an error at this point:
./configure --homedir=/opt/zimbra/dcc-1.3.155
--disable-sys-inst --with-uid=zimbra --disable-server
--disable-dccifd --disable-dccm
--with-updatedcc_pfile=/opt/zimbra/data/dcc
--with-rundir=/opt/zimbra/data/dcc/run
--bindir=/opt/zimbra/dcc-1.3.155/bin
creating cache ./config.cache
Rhyolite Software DCC 1.3.155
checking for cc... no
checking for gcc... no
error: no acceptable cc found in $PATH; set CC=something?

I've verified the directory /opt/zimbra/dcc-1.3.155 is created and zimbra is the owner with full permissions. Are these commands supposed to be run within the actual dcc-1.3.155 directory that is located in the zimbra directory, or are they supposed to be run within the tmp/dcc that the wiki has you create? That's where I'm stuck at the moment.

So it appears my Spamassassin custom values aren't respected by the mail server and I also can't get DCC up and running. Any assistance is greatly appreciated. After I complete these steps I will look into greylisting as faulumpy suggested.
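The header quoted above is the place to verify whether a local score override actually reached the SpamAssassin instance amavisd runs: every rule that fired is listed in tests=[...] with the score it was given. The parser below is an added example for this thread (it is not from the original post or from Zimbra); it unfolds the header, extracts the per-rule scores, compares them against a hypothetical table of configured overrides (the numbers are placeholders, not the wiki's values) and recomputes what the total would have been if the overrides had applied.

```python
import re

# Constructed sample: the header quoted in the thread, kept folded across
# continuation lines the way amavisd-new writes it into the message.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=-1.99 tagged_above=-10 required=5\n"
    "\ttests=[BAYES_00=-1.9, RAZOR2_CHECK=0.922, SPF_HELO_PASS=-0.001,\n"
    "\tSPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, DSPAM.Innocent=-1.000]\n"
    "\tautolearn=no autolearn_force=no"
)

# Hypothetical overrides, the kind of "score RULE n" lines an admin keeps in
# sauser.cf. Placeholder numbers for this example, not the wiki's values.
CONFIGURED_SCORES = {"RAZOR2_CHECK": 2.5, "BAYES_00": -1.9}

_TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")
_FIELD_RE = re.compile(r"\b(score|required|tagged_above|autolearn)=(\S+)")


def unfold(header):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_spam_status(header):
    """Parse an amavisd-style X-Spam-Status header into a dict."""
    line = unfold(header)
    body = line.split(":", 1)[1].strip()
    flagged = body.split(",", 1)[0].strip().lower() == "yes"
    fields = dict(_FIELD_RE.findall(line))
    tests = {}
    match = _TESTS_RE.search(line)
    if match:
        for item in match.group(1).split(","):
            item = item.strip()
            if item:
                name, _, value = item.partition("=")
                tests[name] = float(value)
    return {
        "flagged": flagged,
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "autolearn": fields.get("autolearn"),
        "tests": tests,
    }


def score_mismatches(parsed, configured, tolerance=0.001):
    """Rules that fired with a score different from the configured override.

    A non-empty result means the SpamAssassin that scored this message did
    not load the override (wrong file or path, or amavisd not restarted).
    """
    out = {}
    for rule, expected in configured.items():
        actual = parsed["tests"].get(rule)
        if actual is not None and abs(actual - expected) > tolerance:
            out[rule] = (actual, expected)
    return out


def rescore(parsed, configured):
    """Total the fired rules as if the overrides had applied.

    Returns (score, would_be_flagged) so the admin can see whether the
    override would even have changed the verdict for this message.
    """
    total = sum(configured.get(rule, score) for rule, score in parsed["tests"].items())
    return round(total, 3), total >= parsed["required"]


if __name__ == "__main__":
    parsed = parse_spam_status(SAMPLE_HEADER)
    print("flagged:", parsed["flagged"], "score:", parsed["score"], "required:", parsed["required"])
    print("overrides not applied:", score_mismatches(parsed, CONFIGURED_SCORES))
    print("score with overrides:", rescore(parsed, CONFIGURED_SCORES))
```

Run it against a header pasted from a missed message: a mismatch on a rule you thought you had rescored points at the file location or a missing restart rather than at the rule itself, and the recomputed total tells you whether a larger override would actually have pushed that message over required=5.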

brf
Posts: 30
Joined: Fri Sep 12, 2014 11:28 pm
ZCS/ZD Version: 8.8.6_GA_1906.RHEL7_64 NE

Harden ZCS Spam Filters

Postby brf » Thu Oct 09, 2014 2:08 am

re: the DCC build error, it would seem that you don't have the C compiler installed on your system. You'll need to rectify that first. DCC's pretty worthwhile in my experience, so I'd spend the time to get it working.

Also, local.cf is the wrong place to put your custom SA rules. They're supposed to be in sauser.cf. I'm not sure whether this would explain your additions not working, though.

The best thing you can do, in my experience, is activate DNSBLs and RHSBLs at the Postfix level; there are configuration items for this in the Zimbra admin console. Here's what I'm using:

(Note that barracudacentral.org requires registration before you can use their DNSBL.)

$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_unknown_reverse_client_hostname
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client black.uribl.com
zimbraMtaRestriction: reject_rhsbl_sender black.uribl.com
zimbraMtaRestriction: reject_rhsbl_reverse_client black.uribl.com
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_reverse_client multi.surbl.org

Be sure that you have installed the "dnscached" component of Zimbra before you start using DNSBLs/RHSBLs, or if not, that you're already running some kind of local caching nameserver.

Additionally, I add this line to /opt/zimbra/postfix/conf/main.cf (there is no Zimbra config key for it yet):

smtpd_helo_restrictions = permit_mynetworks, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_helo black.uribl.com, reject_rhsbl_helo multi.surbl.org, permit

That compares the names presented during SMTP HELO against the RHSBLs, and does help further in some cases that I've seen.
imanudin11
Outstanding Member
Posts: 297
Joined: Sat Sep 13, 2014 2:23 am
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Harden ZCS Spam Filters

Postby imanudin11 » Thu Oct 09, 2014 3:17 am

Hi,

If you want to be strict, you can apply a PTR/reverse DNS check on your system. Try this command to apply it:

zmprov mcf +zimbraMtaRestriction "reject_unknown_client_hostname"

Every incoming email will be checked for whether the client hostname and its reverse DNS match.

Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN]: http://www.imanudin.net
brf
Posts: 30
Joined: Fri Sep 12, 2014 11:28 pm
ZCS/ZD Version: 8.8.6_GA_1906.RHEL7_64 NE

Harden ZCS Spam Filters

Postby brf » Thu Oct 09, 2014 3:21 am

If you use reject_unknown_client_hostname, you will undoubtedly reject some legitimate email servers that are poorly configured.

On the other hand, reject_unknown_reverse_client_hostname will still catch a lot of spammers, and is near 100% safe to use.

All depends on how aggressive you want to be, of course.
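The difference between the two restrictions discussed in this thread (reject_unknown_reverse_client_hostname in brf's zimbraMtaRestriction list above, and the stricter reject_unknown_client_hostname imanudin11 suggested) comes down to how much of the forward-confirmed reverse DNS chain Postfix requires. The script below is an added example, not code from the thread or from Zimbra/Postfix: it models both checks over a small constructed DNS table (PTR and A records for 192.0.2.0/24 documentation addresses) so you can see which clients each policy would turn away, and in particular which legitimate-but-misconfigured senders only the strict check rejects. It models the permanent-failure case only; Postfix defers (default 450) rather than rejects when the lookup fails temporarily.

```python
# Constructed DNS data, not real records. PTR maps client IP -> reverse name
# (None means no PTR record exists); A maps a name -> its forward addresses.
PTR = {
    "192.0.2.10": "mail.example.net",    # PTR and A agree: a well-configured MX
    "192.0.2.20": "mx.example.org",      # PTR exists, but forward A points elsewhere
    "192.0.2.30": None,                  # no PTR at all (typical of botnet clients)
    "192.0.2.40": "host40.isp.example",  # generic but consistent rDNS
    "192.0.2.50": "ghost.example.com",   # PTR names a host with no A record
}
A = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.7"],
    "host40.isp.example": ["192.0.2.40"],
}


def reverse_name(ip):
    """PTR lookup against the constructed table (None: no record)."""
    return PTR.get(ip)


def forward_addrs(name):
    """A lookup against the constructed table (empty list: no record)."""
    return A.get(name, [])


def rejects_unknown_reverse_client_hostname(ip):
    """Postfix reject_unknown_reverse_client_hostname: reject only when the
    client IP has no address->name mapping at all."""
    return reverse_name(ip) is None


def rejects_unknown_client_hostname(ip):
    """Postfix reject_unknown_client_hostname: reject when the IP has no PTR,
    the PTR name has no A record, or none of its A records is the client IP
    (i.e. forward-confirmed reverse DNS fails)."""
    name = reverse_name(ip)
    if name is None:
        return True
    return ip not in forward_addrs(name)


def evaluate(ip):
    """Summarise how each policy treats one connecting client."""
    return {
        "reverse_name": reverse_name(ip) or "unknown",
        "lenient_rejects": rejects_unknown_reverse_client_hostname(ip),
        "strict_rejects": rejects_unknown_client_hostname(ip),
    }


def extra_rejections(ips):
    """Clients the strict policy rejects that the lenient one lets through.

    This is the set brf warns about: hosts with a PTR record whose forward
    record is missing or inconsistent, often legitimate but badly configured."""
    return [ip for ip in ips
            if rejects_unknown_client_hostname(ip)
            and not rejects_unknown_reverse_client_hostname(ip)]


if __name__ == "__main__":
    for ip in PTR:
        print(ip, evaluate(ip))
    print("rejected only by reject_unknown_client_hostname:", extra_rejections(PTR))
```

Before enabling the strict restriction on a production MTA, run the same comparison over the client addresses in your own Postfix logs: the size of that extra-rejections set is the false-positive cost you are signing up for.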
