Zimbra antispam gateway

[mech1]

Hello,

I'm fighting against spam using SpamAssassin on Zimbra and Eset EMS for Linux on external gateway.
I don't have good results and many of spams (50 per day and user) are filtered when Outlook app is started with Eset Endpoint plugin.

I'm looking for solution how to improve server filtering. I read almost all of the articles how to tune up SpamAssassin on Zimbra and Eset EMS.
I'm thinking that I need some better (paid) antispam gateway. What people are you using these days? Do you have experience with some good one?

Thank you

[phoenix]

Why don't you take a look at Rspamd?

[mech1]

That's really good note! Than you for it.
I'll definitelly check it!

[L. Mark Stone]

Have you looked at my blog post? I discuss how to supplement Zimbra’s baked in capabilities with two paid blacklist providers, and I provide a number of tuning recommendations as well.

https://www.missioncriticalemail.com/20 ... ices-2019/

Hope that helps,
Mark

[phoenix]

That's really good note! Than you for it.
I'll definitelly check it!

I've pasted content of a recent post on the Rspamd mailing list, if you do install Rspamd you might also consider adding the rules for using DQS with Rspamd.

Hello everyone,

I'm sure that many of you are aware that our datasets are already used
in Rspamd's default config, but I wanted to reach out and let you know
that we have developed a specialized set of rules that works with our
Data Query Service (DQS) product. The DQS provides you with additional
feeds: Zero Reputation Domain & AuthBL, and it also receives updates in
'realtime.' This last point is key, because, as you can see in the
latest Virus Bulletin report
(https://www.virusbulletin.com/testing/r ... l-security),
DQS catches 42% more spam than our RSYNC service or public mirrors.

Last but not least, the usage terms for DQS are the same as for our
public mirrors, meaning that if you already use our public mirrors, you
can register for a personal DQS key free of charge.

You can find all the needed files and install instructions here:
https://github.com/spamhaus/rspamd-dqs

Have fun with our data, and if you spot problems with the files
provided, you can drop us a line at datafeed-support@spamteq.com, post
here or open an issue on Github. I'll try to keep the list monitored to
deliver as much help as I can (altough I'm not really a Rspamd expert,
so please bear with me

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/

--
Users mailing list
Users@lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users

[JDunphy]

I've pasted content of a recent post on the Rspamd mailing list, if you do install Rspamd you might also consider adding the rules for using DQS with Rspamd.

Thanks Bill for the reminder.

I signed up for a free key when I saw it early this month on the SA mailing list but forgot to get it into testing. For the SA enthusiasts:

https://github.com/spamhaus/spamassassin-dqs

One of the more useful RBL's we use is invaluement (commercial) because it seems to tag our more difficult junk in our spam mix that other RBL's can miss from time to time.

Here is an example to show effectiveness of some better known RBL's we have configured. First with discard on our spam/ham mix on my home machine. Average score is around 60 points so these are fairly easy to catch by SA core rules in addition to various RBL's.

Code: Select all

% check_rejected_spam.pl --discard | grep Discard
Total counts: 913 Discarded Email: 913


with IVM being invaluement.

Code: Select all

% check_rejected_spam.pl --discard | egrep '(IVM)' | wc -l
868
% check_rejected_spam.pl --discard | egrep -i '(BARRACUDA)' | wc -l
508
% check_rejected_spam.pl --discard | egrep -i '(SPAMCOP)' | wc -l
351
% check_rejected_spam.pl --discard | egrep -i '(SORBS)' | wc -l
587
% check_rejected_spam.pl --discard | egrep  '(IBM)' | wc -l
326


The tools output looks like this:

Code: Select all

% check_rejected_spam.pl --discard | head -3
user is @ rules[0] ham[0] spam[0] discard[1]
Score [58.006] To: user@example.com From: wxprofglq@walla.com
      BAYES_99=4,BAYES_999=0.2,BLACKLIST_COUNTRY=2.5,BL_BARRACUDA=1,BL_ZEN_SPAMHAUS=1,EMPTY_MESSAGE=2.32,FREEMAIL_FROM=0.001,FSL_HELO_BARE_IP_1=2.347,GB_FREEMAIL_DISPTO=0.499,HELO_MISC_IP=0.001,INVALID_MSGID=0.568,J_BL_BARRACUDA=3,J_BL_SPAMCOP=3,J_BL_ZEN_SPAMHAUS=3,J_DNSBL_MILTER_META=0.3,J_FOREIGN_SORBS_1=2,J_RCVD_IN_HOSTKARMA_BL=0.002,J_ROLEACCT_TO_MISSING=3,J_ROLE_ACCNT=0.01,J_SORBS_BL=0.1,MALFORMED_FREEMAIL=1.988,MISSING_HEADERS=1.021,MISSING_SUBJECT=1.799,MSGID_SHORT=0.001,RCVD_HELO_IP_MISMATCH=2.368,RCVD_IN_BL_SPAMCOP_NET=1,RCVD_IN_IVMSIP=3,RCVD_IN_PBL=3.335,RCVD_IN_PSBL=2.7,RCVD_IN_RP_RNBL=1.31,RCVD_IN_SBL_CSS=3.335,RCVD_IN_XBL=0.375,RDNS_DYNAMIC=0.982,TO_NO_BRKTS_DYNIP=2.999,TT_MSGID_TRUNC=1.448,UNCLOSED_BRACKET=1.496,UNPARSEABLE_RELAY=0.001


Looking at spam (email that ended up in the junk folders) tells a different story in our spam mix.

Code: Select all

% check_rejected_spam.pl --spam | grep Spam
Total counts: 647 Spam Email: 647
% check_rejected_spam.pl --spam | egrep '(IVM)' | wc -l
69
% check_rejected_spam.pl --spam | egrep -i '(BARRACUDA)' | wc -l
16
% check_rejected_spam.pl --spam | egrep -i '(SPAMCOP)' | wc -l
37
% check_rejected_spam.pl --spam | egrep -i '(SORBS)' | wc -l
55
% check_rejected_spam.pl --spam | egrep -i '(IBM)' | wc -l
27


So it takes a lot of work other than RBL's to mark email as spam here given there were 647 emails I was searching against in /var/log/zimbra.log that was still growing that we scored as spam. ... BTW, Sorbs has 29 ham FP's because they mark ip's such as AWS address space and the free mail providers like gmail... but if you ladder that rule with other checks it can be effective for looking a little closer at email to eliminate that FP risk. We do that for all the RBL's including invaluement.

Note: check_rejected_spam.pl tool is on my github page and has options for spam|ham|discard, etc. Some variation of it was also posted in these forums a while back and it should work with any zimbra install without installing additional software. It's not very sophisticated and I never finished it but can help you learn what RBL's and rules are working for your spam/ham mix. Note: Amavis log level has to be set to 3 which is listed as comments at the top of that small perl script.

Code: Select all

Zimbra Assumptions:
# Amavis at level 3 logging to see spam_scan lines in /var/log/zimbra.log to parse:
% zmprov ms `zmhostname` zimbraAmavisLogLevel 3
% zmantispamctl restart


I am not a complete believer in RBL's by themselves but they are becoming a necessary component in our reputation engine along with DKIM, DMARC, SPF, ip4 geography, MTA signature, etc, etc. Find some good RBL's and you can ladder your scoring with some custom rules for your own particular spam mix and hopefully achieve better results. If Barracuda (low FP's) and Invaluement (low FP's) and spamcop (low FP's) and __NOT_A_PERSON and perhaps not in countries you normally have correspondence in, you might score that a little higher. We try and protect "role" accounts that exist on websites that way for example and add them to the rule mix (ie. sales|info|accounting, noc, etc). If they are also doing tracking and obfuscation also then we continue adding points. Modern spam tools like rspam and SA are super flexible in this regard so you can build your own model that perfectly matches your unique spam/ham mix.

HTH,

Jim