Hello,
I'm fighting against spam using SpamAssassin on Zimbra and Eset EMS for Linux on an external gateway.
I don't have good results, and a lot of spam (50 per day and user) is filtered when the Outlook app is started with the Eset Endpoint plugin.
I'm looking for a solution to improve server filtering. I have read almost all of the articles on how to tune SpamAssassin on Zimbra and Eset EMS.
I'm thinking that I need some better (paid) antispam gateway. What are people using these days? Do you have experience with a good one?
Thank you
Zimbra antispam gateway
Re: Zimbra antispam gateway
Why don't you take a look at Rspamd?
Re: Zimbra antispam gateway
That's a really good note! Thank you for it.
I'll definitely check it!
- L. Mark Stone
- Elite member
- Posts: 2215
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 8.8.15 Network Edition
Re: Zimbra antispam gateway
Have you looked at my blog post? I discuss how to supplement Zimbra’s baked in capabilities with two paid blacklist providers, and I provide a number of tuning recommendations as well.
https://www.missioncriticalemail.com/20 ... ices-2019/
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
Re: Zimbra antispam gateway
mech1 wrote: That's a really good note! Thank you for it. I'll definitely check it!
I've pasted content of a recent post on the Rspamd mailing list, if you do install Rspamd you might also consider adding the rules for using DQS with Rspamd.
Hello everyone,
I'm sure that many of you are aware that our datasets are already used
in Rspamd's default config, but I wanted to reach out and let you know
that we have developed a specialized set of rules that works with our
Data Query Service (DQS) product. The DQS provides you with additional
feeds: Zero Reputation Domain & AuthBL, and it also receives updates in
'realtime.' This last point is key, because, as you can see in the
latest Virus Bulletin report
(https://www.virusbulletin.com/testing/r ... l-security),
DQS catches 42% more spam than our RSYNC service or public mirrors.
Last but not least, the usage terms for DQS are the same as for our
public mirrors, meaning that if you already use our public mirrors, you
can register for a personal DQS key free of charge.
You can find all the needed files and install instructions here:
https://github.com/spamhaus/rspamd-dqs
Have fun with our data, and if you spot problems with the files
provided, you can drop us a line at datafeed-support@spamteq.com, post
here or open an issue on Github. I'll try to keep the list monitored to
deliver as much help as I can (although I'm not really a Rspamd expert,
so please bear with me)
--
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
- JDunphy
- Outstanding Member
- Posts: 533
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 8.8.15_P16 RHEL6 Network Edition
Re: Zimbra antispam gateway
phoenix wrote: I've pasted content of a recent post on the Rspamd mailing list, if you do install Rspamd you might also consider adding the rules for using DQS with Rspamd.
Thanks Bill for the reminder.
I signed up for a free key when I saw it early this month on the SA mailing list but forgot to get it into testing. For the SA enthusiasts:
https://github.com/spamhaus/spamassassin-dqs
One of the more useful RBL's we use is invaluement (commercial) because it seems to tag our more difficult junk in our spam mix that other RBL's can miss from time to time.
Here is an example to show effectiveness of some better known RBL's we have configured. First with discard on our spam/ham mix on my home machine. Average score is around 60 points so these are fairly easy to catch by SA core rules in addition to various RBL's.
Code:
% check_rejected_spam.pl --discard | grep Discard
Total counts: 913 Discarded Email: 913
with IVM being invaluement.
Code:
% check_rejected_spam.pl --discard | egrep '(IVM)' | wc -l
868
% check_rejected_spam.pl --discard | egrep -i '(BARRACUDA)' | wc -l
508
% check_rejected_spam.pl --discard | egrep -i '(SPAMCOP)' | wc -l
351
% check_rejected_spam.pl --discard | egrep -i '(SORBS)' | wc -l
587
% check_rejected_spam.pl --discard | egrep '(IBM)' | wc -l
326
The tools output looks like this:
Code:
% check_rejected_spam.pl --discard | head -3
user is @ rules[0] ham[0] spam[0] discard[1]
Score [58.006] To: user@example.com From: wxprofglq@walla.com
BAYES_99=4,BAYES_999=0.2,BLACKLIST_COUNTRY=2.5,BL_BARRACUDA=1,BL_ZEN_SPAMHAUS=1,EMPTY_MESSAGE=2.32,FREEMAIL_FROM=0.001,FSL_HELO_BARE_IP_1=2.347,GB_FREEMAIL_DISPTO=0.499,HELO_MISC_IP=0.001,INVALID_MSGID=0.568,J_BL_BARRACUDA=3,J_BL_SPAMCOP=3,J_BL_ZEN_SPAMHAUS=3,J_DNSBL_MILTER_META=0.3,J_FOREIGN_SORBS_1=2,J_RCVD_IN_HOSTKARMA_BL=0.002,J_ROLEACCT_TO_MISSING=3,J_ROLE_ACCNT=0.01,J_SORBS_BL=0.1,MALFORMED_FREEMAIL=1.988,MISSING_HEADERS=1.021,MISSING_SUBJECT=1.799,MSGID_SHORT=0.001,RCVD_HELO_IP_MISMATCH=2.368,RCVD_IN_BL_SPAMCOP_NET=1,RCVD_IN_IVMSIP=3,RCVD_IN_PBL=3.335,RCVD_IN_PSBL=2.7,RCVD_IN_RP_RNBL=1.31,RCVD_IN_SBL_CSS=3.335,RCVD_IN_XBL=0.375,RDNS_DYNAMIC=0.982,TO_NO_BRKTS_DYNIP=2.999,TT_MSGID_TRUNC=1.448,UNCLOSED_BRACKET=1.496,UNPARSEABLE_RELAY=0.001
Looking at spam (email that ended up in the junk folders) tells a different story in our spam mix.
Code:
% check_rejected_spam.pl --spam | grep Spam
Total counts: 647 Spam Email: 647
% check_rejected_spam.pl --spam | egrep '(IVM)' | wc -l
69
% check_rejected_spam.pl --spam | egrep -i '(BARRACUDA)' | wc -l
16
% check_rejected_spam.pl --spam | egrep -i '(SPAMCOP)' | wc -l
37
% check_rejected_spam.pl --spam | egrep -i '(SORBS)' | wc -l
55
% check_rejected_spam.pl --spam | egrep -i '(IBM)' | wc -l
27
So it takes a lot of work other than RBL's to mark email as spam here given there were 647 emails I was searching against in /var/log/zimbra.log that was still growing that we scored as spam. ... BTW, Sorbs has 29 ham FP's because they mark ip's such as AWS address space and the free mail providers like gmail... but if you ladder that rule with other checks it can be effective for looking a little closer at email to eliminate that FP risk. We do that for all the RBL's including invaluement.
Note: check_rejected_spam.pl tool is on my github page and has options for spam|ham|discard, etc. Some variation of it was also posted in these forums a while back and it should work with any zimbra install without installing additional software. It's not very sophisticated and I never finished it but can help you learn what RBL's and rules are working for your spam/ham mix. Note: Amavis log level has to be set to 3 which is listed as comments at the top of that small perl script.
Code:
Zimbra Assumptions:
# Amavis at level 3 logging to see spam_scan lines in /var/log/zimbra.log to parse:
% zmprov ms `zmhostname` zimbraAmavisLogLevel 3
% zmantispamctl restart
I am not a complete believer in RBL's by themselves but they are becoming a necessary component in our reputation engine along with DKIM, DMARC, SPF, ip4 geography, MTA signature, etc, etc. Find some good RBL's and you can ladder your scoring with some custom rules for your own particular spam mix and hopefully achieve better results. If Barracuda (low FP's) and Invaluement (low FP's) and spamcop (low FP's) and __NOT_A_PERSON and perhaps not in countries you normally have correspondence in, you might score that a little higher. We try and protect "role" accounts that exist on websites that way for example and add them to the rule mix (ie. sales|info|accounting, noc, etc). If they are also doing tracking and obfuscation then we continue adding points. Modern spam tools like Rspamd and SA are super flexible in this regard so you can build your own model that perfectly matches your unique spam/ham mix.
HTH,
Jim
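Added example (not part of the original post and not the check_rejected_spam.pl code): a small Python sketch that parses output in the `Score [...]` / `NAME=score,...` shape shown above, counts hits per blocklist the way the egrep pipelines do, and then goes one step further by counting how many messages a laddered combination of lists would match. The sample data is constructed, and the function names and the `LISTS` mapping are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the two-line shape shown in the post: a "Score [...]"
# line followed by a comma-separated NAME=points list. Not real log data.
SAMPLE = """\
Score [58.006] To: user@example.com From: a@example.net
BAYES_99=4,BL_BARRACUDA=1,RCVD_IN_BL_SPAMCOP_NET=1,RCVD_IN_IVMSIP=3,J_SORBS_BL=0.1
Score [7.2] To: sales@example.com From: b@example.net
BAYES_50=0.8,RCVD_IN_IVMSIP=3,J_SORBS_BL=0.1,MISSING_SUBJECT=1.799
Score [1.1] To: user@example.com From: c@example.org
J_SORBS_BL=0.1,FREEMAIL_FROM=0.001
"""

# Substrings that identify each list, mirroring the post's egrep patterns.
LISTS = {"invaluement": "IVM", "barracuda": "BARRACUDA",
         "spamcop": "SPAMCOP", "sorbs": "SORBS"}

RULE_RE = re.compile(r"([A-Za-z0-9_]+)=(-?\d+(?:\.\d+)?)")
SCORE_RE = re.compile(r"Score \[(-?[\d.]+)\]")


def parse(text):
    """Yield (score, {rule: points}) for each Score line and the line after it."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = SCORE_RE.match(line)
        if m:
            # Only well-formed NAME=number pairs are kept; anything else is skipped.
            rules = {name: float(pts) for name, pts in RULE_RE.findall(lines[i + 1])}
            yield float(m.group(1)), rules


def lists_hit(rules):
    """Return the set of lists for which at least one rule name matched."""
    return {name for name, pat in LISTS.items()
            if any(pat in rule.upper() for rule in rules)}


def per_list_counts(text):
    """Messages hit per list, counted once per message (like egrep | wc -l)."""
    counts = Counter()
    for _, rules in parse(text):
        counts.update(lists_hit(rules))
    return counts


def ladder_hits(text, required, min_hits):
    """Count messages where at least min_hits of the required lists agree."""
    wanted = set(required)
    return sum(len(lists_hit(rules) & wanted) >= min_hits
               for _, rules in parse(text))
```

Running `ladder_hits` separately over the discard, spam and ham output shows how much a combined rule would catch and how many ham false positives it would cost before the combination is scored in SpamAssassin or Rspamd.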