Zimbra antispam gateway

Postby mech1 » Fri Jul 26, 2019 8:57 am

Hello,

I'm fighting against spam using SpamAssassin on Zimbra and Eset EMS for Linux on an external gateway.
I don't have good results, and many spam messages (50 per day and user) are filtered when the Outlook app is started with the Eset Endpoint plugin.

I'm looking for a solution to improve server filtering. I have read almost all of the articles on how to tune SpamAssassin on Zimbra and Eset EMS.
I'm thinking that I need some better (paid) antispam gateway. What are people using these days? Do you have experience with a good one?

Thank you



Postby phoenix » Fri Jul 26, 2019 10:06 am

Why don't you take a look at Rspamd?
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168

Postby mech1 » Fri Jul 26, 2019 10:50 am

That's a really good note! Thank you for it.
I'll definitely check it!

Postby L. Mark Stone » Fri Jul 26, 2019 11:57 am

Have you looked at my blog post? I discuss how to supplement Zimbra’s baked in capabilities with two paid blacklist providers, and I provide a number of tuning recommendations as well.

https://www.missioncriticalemail.com/20 ... ices-2019/

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Postby phoenix » Fri Jul 26, 2019 2:38 pm

mech1 wrote: That's a really good note! Thank you for it. I'll definitely check it!

I've pasted the content of a recent post on the Rspamd mailing list; if you do install Rspamd, you might also consider adding the rules for using DQS with Rspamd.

Hello everyone,

I'm sure that many of you are aware that our datasets are already used
in Rspamd's default config, but I wanted to reach out and let you know
that we have developed a specialized set of rules that works with our
Data Query Service (DQS) product. The DQS provides you with additional
feeds: Zero Reputation Domain & AuthBL, and it also receives updates in
'realtime.' This last point is key, because, as you can see in the
latest Virus Bulletin report
(https://www.virusbulletin.com/testing/r ... l-security),
DQS catches 42% more spam than our RSYNC service or public mirrors.

Last but not least, the usage terms for DQS are the same as for our
public mirrors, meaning that if you already use our public mirrors, you
can register for a personal DQS key free of charge.

You can find all the needed files and install instructions here:
https://github.com/spamhaus/rspamd-dqs

Have fun with our data, and if you spot problems with the files
provided, you can drop us a line at datafeed-support@spamteq.com, post
here or open an issue on Github. I'll try to keep the list monitored to
deliver as much help as I can (although I'm not really a Rspamd expert,
so please bear with me).

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/

Regards

Bill

Postby JDunphy » Fri Jul 26, 2019 10:17 pm

phoenix wrote:I've pasted content of a recent post on the Rspamd mailing list, if you do install Rspamd you might also consider adding the rules for using DQS with Rspamd.


Thanks Bill for the reminder.

I signed up for a free key when I saw it early this month on the SA mailing list but forgot to get it into testing. For the SA enthusiasts:

https://github.com/spamhaus/spamassassin-dqs

One of the more useful RBLs we use is invaluement (commercial) because it seems to tag our more difficult junk in our spam mix that other RBLs can miss from time to time.

Here is an example to show the effectiveness of some better-known RBLs we have configured. First with discard on our spam/ham mix on my home machine. The average score is around 60 points, so these are fairly easy to catch by SA core rules in addition to various RBLs.

% check_rejected_spam.pl --discard | grep Discard
Total counts: 913 Discarded Email: 913

with IVM being invaluement.

% check_rejected_spam.pl --discard | egrep '(IVM)' | wc -l
868
% check_rejected_spam.pl --discard | egrep -i '(BARRACUDA)' | wc -l
508
% check_rejected_spam.pl --discard | egrep -i '(SPAMCOP)' | wc -l
351
% check_rejected_spam.pl --discard | egrep -i '(SORBS)' | wc -l
587
% check_rejected_spam.pl --discard | egrep  '(IBM)' | wc -l
326

The tool's output looks like this:

% check_rejected_spam.pl --discard | head -3
user is @ rules[0] ham[0] spam[0] discard[1]
Score [58.006] To: user@example.com From: wxprofglq@walla.com
      BAYES_99=4,BAYES_999=0.2,BLACKLIST_COUNTRY=2.5,BL_BARRACUDA=1,BL_ZEN_SPAMHAUS=1,EMPTY_MESSAGE=2.32,FREEMAIL_FROM=0.001,FSL_HELO_BARE_IP_1=2.347,GB_FREEMAIL_DISPTO=0.499,HELO_MISC_IP=0.001,INVALID_MSGID=0.568,J_BL_BARRACUDA=3,J_BL_SPAMCOP=3,J_BL_ZEN_SPAMHAUS=3,J_DNSBL_MILTER_META=0.3,J_FOREIGN_SORBS_1=2,J_RCVD_IN_HOSTKARMA_BL=0.002,J_ROLEACCT_TO_MISSING=3,J_ROLE_ACCNT=0.01,J_SORBS_BL=0.1,MALFORMED_FREEMAIL=1.988,MISSING_HEADERS=1.021,MISSING_SUBJECT=1.799,MSGID_SHORT=0.001,RCVD_HELO_IP_MISMATCH=2.368,RCVD_IN_BL_SPAMCOP_NET=1,RCVD_IN_IVMSIP=3,RCVD_IN_PBL=3.335,RCVD_IN_PSBL=2.7,RCVD_IN_RP_RNBL=1.31,RCVD_IN_SBL_CSS=3.335,RCVD_IN_XBL=0.375,RDNS_DYNAMIC=0.982,TO_NO_BRKTS_DYNIP=2.999,TT_MSGID_TRUNC=1.448,UNCLOSED_BRACKET=1.496,UNPARSEABLE_RELAY=0.001

Looking at spam (email that ended up in the junk folders) tells a different story in our spam mix.

% check_rejected_spam.pl --spam | grep Spam
Total counts: 647 Spam Email: 647
% check_rejected_spam.pl --spam | egrep '(IVM)' | wc -l
69
% check_rejected_spam.pl --spam | egrep -i '(BARRACUDA)' | wc -l
16
% check_rejected_spam.pl --spam | egrep -i '(SPAMCOP)' | wc -l
37
% check_rejected_spam.pl --spam | egrep -i '(SORBS)' | wc -l
55
% check_rejected_spam.pl --spam | egrep -i '(IBM)' | wc -l
27

So it takes a lot of work other than RBLs to mark email as spam here, given there were 647 emails I was searching against in /var/log/zimbra.log (which was still growing) that we scored as spam. ... BTW, SORBS has 29 ham FPs because they mark IPs such as AWS address space and the free mail providers like Gmail... but if you ladder that rule with other checks, it can be effective for looking a little closer at email to eliminate that FP risk. We do that for all the RBLs, including invaluement.

Note: the check_rejected_spam.pl tool is on my GitHub page and has options for spam|ham|discard, etc. Some variation of it was also posted in these forums a while back, and it should work with any Zimbra install without installing additional software. It's not very sophisticated and I never finished it, but it can help you learn what RBLs and rules are working for your spam/ham mix. Note: the Amavis log level has to be set to 3, which is listed in the comments at the top of that small Perl script.

Zimbra Assumptions:
# Amavis at level 3 logging to see spam_scan lines in /var/log/zimbra.log to parse:
% zmprov ms `zmhostname` zimbraAmavisLogLevel 3
% zmantispamctl restart


I am not a complete believer in RBLs by themselves, but they are becoming a necessary component in our reputation engine along with DKIM, DMARC, SPF, ip4 geography, MTA signature, etc. Find some good RBLs and you can ladder your scoring with some custom rules for your own particular spam mix and hopefully achieve better results. If Barracuda (low FPs) and Invaluement (low FPs) and SpamCop (low FPs) and __NOT_A_PERSON and perhaps not in countries you normally have correspondence in, you might score that a little higher. We try to protect "role" accounts that exist on websites that way, for example, and add them to the rule mix (i.e. sales|info|accounting, noc, etc.). If they are also doing tracking and obfuscation, then we continue adding points. Modern spam tools like Rspamd and SA are super flexible in this regard, so you can build your own model that perfectly matches your unique spam/ham mix.

HTH,

Jim
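
Added example, not part of the original post and not the check_rejected_spam.pl script: a small Python parser for the "Score [...]" / RULE=score report layout shown above. It counts hits per RBL family and how many messages had several families agree, which is the evidence you want before laddering RBL rules. The family labels, the `min_families` threshold and the sample report are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Substring patterns mirroring the egrep filters in the post; the family
# names are labels chosen for this example.
RBL_FAMILIES = {
    "invaluement": re.compile(r"IVM"),
    "barracuda": re.compile(r"BARRACUDA", re.I),
    "spamcop": re.compile(r"SPAMCOP", re.I),
    "sorbs": re.compile(r"SORBS", re.I),
}
SCORE_RE = re.compile(r"^Score \[(-?[\d.]+)\] To: (\S+) From: (\S+)")

# Constructed sample in the report layout shown in the post (not real mail).
SAMPLE = """\
Score [11.1] To: sales@example.com From: a@example.net
      BAYES_99=4,BL_BARRACUDA=1,J_BL_SPAMCOP=3,RCVD_IN_IVMSIP=3,J_SORBS_BL=0.1
Score [0.901] To: user@example.com From: b@example.org
      BAYES_50=0.8,J_SORBS_BL=0.1,FREEMAIL_FROM=0.001
Score [5.799] To: info@example.com From: c@example.net
      RCVD_IN_IVMSIP=3,RCVD_IN_BL_SPAMCOP_NET=1,MISSING_SUBJECT=1.799
"""

def parse_report(text):
    """Return one dict per 'Score [...]' line, with its RULE=score pairs."""
    msgs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SCORE_RE.match(line)
        if m:
            current = {"score": float(m.group(1)), "to": m.group(2),
                       "from": m.group(3), "rules": {}}
            msgs.append(current)
        elif current is not None and "=" in line:
            for item in line.split(","):
                name, _, value = item.partition("=")
                try:
                    current["rules"][name] = float(value)
                except ValueError:
                    continue  # ignore a malformed pair instead of aborting
    return msgs

def ladder_report(msgs, min_families=2):
    """Count hits per RBL family and messages where several families agree."""
    per_family, agree = Counter(), 0
    for msg in msgs:
        hit = {f for f, pat in RBL_FAMILIES.items()
               if any(pat.search(rule) for rule in msg["rules"])}
        per_family.update(hit)
        agree += len(hit) >= min_families
    return per_family, agree

if __name__ == "__main__":
    print(ladder_report(parse_report(SAMPLE)))
```

Run it separately over the ham, spam and discard reports: a family that mostly fires alone on ham is a candidate for a lower standalone score plus a combined rule.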
