local mail getting marked as spam?


Postby bjquinn » Tue Jan 13, 2009 10:29 am

Your suggestion does of course work, it's just that Pyzor and the DUL Blacklist are very powerful when it comes to recognizing spam. Lowering those scores does work better than globally raising my tag percent, but it still lets more spam through than if authenticated users were whitelisted.



Postby bjquinn » Fri Mar 27, 2009 10:13 am

Anyone know if there's any work been done on this? It's been coming up on a year now that I've had this problem, and it's really getting difficult to manage.
Anyone had this problem and found a way around it?

Postby sniechzial » Sun Apr 05, 2009 8:05 am

Hi,
following the discussion above I came up with the following workaround:


  • Set up a second MTA server that accepts only authenticated users (smtpd_recipient_restrictions = permit_sasl_authenticated, reject)

  • Disable Services Anti-Spam (and Anti-Virus) on that server


Do you think that could be a working solution?

Postby syedbilalmasaud » Sun Apr 05, 2009 8:51 am

Hi,
It's much better to train your SpamAssassin yourself by reading header, URL and subject values, and to study how to block malware.
It might help you to reduce your spam, and it will take time to set up and maintain rules.
Bilal

Postby phoenix » Sun Apr 05, 2009 9:07 am

[quote user="bjquinn"]Anyone know if there's any work been done on this? It's been coming up on a year now that I've had this problem, and it's really getting difficult to manage.[/QUOTE]
No work will be 'done on this' because you haven't filed any bug report.
[quote user="bjquinn"]Anyone had this problem and found a way around it?[/QUOTE]
You should actually have your users send mail through the correct Submission Port, which is 587; there are several descriptions in the forums of how to enable it, but here's one of them. Try that and see if that does anything to help.
Which version of Zimbra do you currently have installed and what's the contents of your MyNetwork setting? Do you have any hardware firewall in front of this server? Does the server sit on a public or private IP? Is this only one user or all users?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra

Postby sniechzial » Mon Apr 06, 2009 1:00 pm

Using
zcs-5.0.14_GA_2850.UBUNTU8.20090303190551

I'll try to use the submission-port instead of 25, but I wonder how SpamAssassin will know about that, if there is no additional header information added.
Found this information, which helped fix the problem in another mailserver setup:
DynablockIssues - Spamassassin Wiki

smtpd_sasl_authenticated_header = yes

Postby bjquinn » Mon Apr 20, 2009 11:03 am

[quote user="10330phoenix"]No work will be 'done on this' because you haven't filed any bug report.[/QUOTE]
Yes I did, please see post #34 of this thread and bug 31333. It's been outstanding for seven months.
[quote user="10330phoenix"]You should actually have your users send mail through the correct Submission Port which is 587, there's several descriptions in the forums of how to enable but here's one of them. Try that and see if that does anything to help.[/QUOTE]
Thanks, but if you read over the thread, we've been over this and that doesn't solve the problem.


However, after looking for nearly a year on this, here's what DOES solve the problem, and it is actually fairly easy and doesn't require setting up a second email server, etc. This is basically what sniechzial found, although I wish I had read his post and saved myself some trouble, as it would have pointed me in the right direction.
Zimbra sending local mail to trash -
This happens when a remote authenticated user (i.e. someone with an email account on the server but who is currently outside of the local network and NOT using the web client or Zimbra Desktop) sends an email to another email address local to the email server. What happens is that instead of the local email server's IP address getting counted as the originating email server IP (after all, it's both that user's incoming and outgoing mail server and they are authenticated), instead the IP of the internet connection they're on (probably a DHCP DSL connection or something) gets correctly identified as being a bad IP to be sending email from. Problem is, they're not really sending email FROM that IP in the sense that it's not the IP of their email server -- the originating mail server is the local Zimbra server, and it should detect itself as such. There are a couple of ways to handle this.
If you're using a version of Zimbra which contains Postfix >= 2.3 and = 2.5 should enable the desired feature by default without having to set this option. This will allow SpamAssassin >= 3.1.4 (again, most relatively modern Zimbras) to know that an SMTP sender is authenticated and it will consequently flag a rule called ALL_TRUST for authenticated users and subtracts by default 1.8 points from the score. Sometimes this problem can flag RCVD_IN_SORBS_DUL (2.046), PYZOR_CHECK (3.7), and TVD_RCVD_SINGLE (1.351), but in addition to subtracting 1.8 points from the score, this rule should also prevent all tests about the source IP of the message from running. This doesn't mean ALL spam tests, just ones like the RBL ones above.
Secondarily, if in doubt, one could also create meta rules that awarded a negative score equivalent to the positive score for the RBL checks we're having problems with above based on the fact that the sender at least CLAIMS to be using a domain local to the email server. Of course checking to see that they're ALL_TRUST (or authenticated SMTP users) is better, but this could work if your Zimbra version is too old or you have other problems. Any other rules, like FORGED_MUA_OUTLOOK or something which seem too often to get flagged for local users could be negated this way or in combination with the ALL_TRUST rule as well.
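
Added example, not part of any post in this thread and not Zimbra's code: with `smtpd_sasl_authenticated_header = yes`, Postfix writes `(Authenticated sender: ...)` into the Received header it adds, which is the header information SpamAssassin needs to treat the submitting client as authenticated. The Python check below looks for that marker in a delivered message and totals the client-IP tests in `X-Spam-Status`; the sample message, host names and the `IP_PREFIXES` list are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample. The X-Spam-Status values are the ones quoted in this
# thread; the Received header, hosts and addresses are invented.
SAMPLE = """\
Received: from [10.0.0.5] (client.example.net [192.0.2.44])
\tby zimbra.example.com (Postfix) with ESMTP id B3D732D60001
\tfor <other@example.com>; Sun, 26 Jul 2009 21:24:38 -0700 (PDT)
X-Spam-Status: Yes, score=6.862 tagged_above=-10 required=6.6
\ttests=[AWL=0.267, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13,
\tFH_HELO_ALMOST_IP=3.565, HELO_DYNAMIC_SPLIT_IP=3.493,
\tHTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1]
From: user@example.com
To: other@example.com
Subject: test

body
"""

AUTH_MARK = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")
TEST_ITEM = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")
# Assumption: rule-name prefixes treated here as derived from the client IP/HELO.
IP_PREFIXES = ("RCVD_IN_", "RDNS_", "HELO_DYNAMIC", "FH_HELO")


def audit(raw, mta_host):
    """Report whether our MTA recorded SASL auth and what the IP tests cost."""
    msg = message_from_string(raw)
    sender = None
    for hdr in msg.get_all("Received") or []:
        # Only a Received header written by our own MTA is evidence of auth.
        if re.search(r"\bby\s+" + re.escape(mta_host), hdr):
            m = AUTH_MARK.search(hdr)
            if m:
                sender = m.group(1).strip()
    status = msg.get("X-Spam-Status", "")
    tests = {n: float(v) for n, v in TEST_ITEM.findall(status.partition("tests=")[2])}
    ip_hits = [v for n, v in tests.items() if n.startswith(IP_PREFIXES)]
    other = [v for n, v in tests.items() if not n.startswith(IP_PREFIXES)]
    return {
        "authenticated_sender": sender,
        "all_trusted_fired": "ALL_TRUSTED" in tests,
        "ip_test_score": round(sum(ip_hits), 3),
        "score_without_ip_tests": round(sum(other), 3),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, "zimbra.example.com"))
```

A message that shows no authenticated sender and a large `ip_test_score` matches the symptom discussed in this thread: the submitting client's address is being scored as if it were the sending mail server.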

Postby su_A_ve » Mon Apr 20, 2009 11:29 am

[quote user="bjquinn"]

If you're using a version of Zimbra which contains Postfix >= 2.3 and = 2.5 should enable the desired feature by default without having to set this option. [/QUOTE]
Latest 4.5 version still uses postfix-2.2.9 - Where would this change exactly go? I've enabled 587 submission protocol (as well as 465) (via ~zimbra/postfix/conf/master.cf). Would this be an option in master.cf in each submission port or via a section inside zmmta.cf (and if so where)?
IE:


SECTION mta
....
POSTCONF smtpd_sasl_authenticated_header yes
....


Postby sniechzial » Mon Apr 20, 2009 12:11 pm

[quote user="bjquinn"] This is basically what sniechzial found, [...] [/QUOTE]
Thanks for the feedback and detailed explanation of your solution. After not feeling comfortable with my way of having two mailservers I implemented exactly your solution, just didn't have the time to write it down here.
[quote user="su_A_ve"]Where would this change exactly go[/QUOTE]

Postfix configuration can be changed by using

postconf -ev key=value

postfix reload


Don't forget to make backups, as changes will get lost during upgrades of Zimbra.
Tested and in production with 5.0.14_GA_2850.UBUNTU8

Postby ewilen » Mon Jul 27, 2009 7:33 pm

Can bug #31333 please be reopened and re-assigned a severity of Normal or higher?
I don't think the solution in this thread really qualifies as a fix unless the rule is configured as a default in Zimbra.
(Also the recommendation in http://www.zimbra.com/forums/113800-post7.html doesn't address the issue.)
I'm using ZCS 5.0.18 NE and mail sent by an authenticated user got this header:
X-Spam-Status: Yes, score=6.862 tagged_above=-10 required=6.6
tests=[AWL=0.267, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13,
FH_HELO_ALMOST_IP=3.565, HELO_DYNAMIC_SPLIT_IP=3.493,
HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1]
I was able to locate a session that occurred under circumstances similar to those of this email, with these log entries:
[QUOTE]Jul 26 21:24:38 zimbra saslauthd[19653]: zmauth: authenticating against elected url 'https://zimbra.company.com:7071/service/admin/soap/' ...

Jul 26 21:24:38 zimbra saslauthd[19653]: zmpost: url='https://zimbra.company.com:7071/service/admin/soap/' returned buffer->data='http://www.w3.org/2003/05/soap-envelope"> xmlns="urn:zimbra">0_c3b99ddcbbcaef0824f739fe9d48b29ed0a78b24_69643d33363a62633932373635362d623334372d346166342d393532642d3130656266646232306264343b6578703d31333a313234383834313437383133333b747970653d363a7a696d6272613b172800000sky', hti->error=''

Jul 26 21:24:38 zimbra saslauthd[19653]: auth_zimbra: myboss@mycompany.com auth OK

Jul 26 21:24:38 zimbra postfix/smtpd[32621]: lost connection after RCPT from unknown[117.81.93.214]

Jul 26 21:24:38 zimbra postfix/smtpd[32621]: disconnect from unknown[117.81.93.214]

Jul 26 21:24:38 zimbra postfix/smtpd[32623]: B3D732D60001: client=234.sub-75-210-148.myvzw.com[75.210.148.234], sasl_method=PLAIN, sasl_username=myboss@mycompany.com

Jul 26 21:24:40 zimbra postfix/cleanup[32625]: B3D732D60001: message-id=

Jul 26 21:24:40 zimbra postfix/qmgr[4638]: B3D732D60001: from=, size=4337, nrcpt=1 (queue active)

Jul 26 21:24:40 zimbra amavis[5716]: (05716-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090726T212440-05716: -> SIZE=4337 Received: from zimbra.company.com ([127.0.0.1]) by localhost (zimbra.company.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Sun, 26 Jul 2009 21:24:40 -0700 (PDT)

Jul 26 21:24:40 zimbra amavis[5716]: (05716-01) Checking: rj4QngtKye1C [75.210.148.234] ->

Jul 26 21:24:44 zimbra postfix/smtpd[32632]: connect from localhost.localdomain[127.0.0.1]

Jul 26 21:24:44 zimbra postfix/smtpd[32632]: 49E382D60002: client=localhost.localdomain[127.0.0.1]

Jul 26 21:24:44 zimbra postfix/cleanup[32625]: 49E382D60002: message-id=

Jul 26 21:24:44 zimbra postfix/smtpd[32632]: disconnect from localhost.localdomain[127.0.0.1]

Jul 26 21:24:44 zimbra postfix/qmgr[4638]: 49E382D60002: from=, size=4804, nrcpt=1 (queue active)

Jul 26 21:24:44 zimbra amavis[5716]: (05716-01) FWD via SMTP: -> ,BODY=7BIT 250 2.6.0 Ok, id=05716-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49E382D60002

Jul 26 21:24:44 zimbra amavis[5716]: (05716-01) Passed SPAMMY, [75.210.148.234] [75.210.148.234] -> , Message-ID: , mail_id: rj4QngtKye1C, Hits: 5.999, size: 4337, queued_as: 49E382D60002, 4284 ms

Jul 26 21:24:44 zimbra postfix/smtp[32628]: B3D732D60001: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=5.8, delays=1.6/0.01/0.01/4.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 49E382D60002)

Jul 26 21:24:44 zimbra postfix/qmgr[4638]: B3D732D60001: removed

Jul 26 21:24:45 zimbra postfix/smtp[32633]: 49E382D60002: to=, relay=b.mx.mail.yahoo.com[66.196.97.250]:25, delay=0.82, delays=0/0.01/0.32/0.49, dsn=2.0.0, status=sent (250 ok dirdel)

Jul 26 21:24:45 zimbra postfix/qmgr[4638]: 49E382D60002: removed

Jul 26 21:25:20 zimbra zmmailboxdmgr[515]: status requested

Jul 26 21:25:20 zimbra zmmailboxdmgr[515]: status OK

Jul 26 21:25:20 zimbra zmmailboxdmgr[585]: status requested

Jul 26 21:25:20 zimbra zmmailboxdmgr[585]: status OK

Jul 26 21:25:41 zimbra postfix/smtpd[32623]: disconnect from 234.sub-75-210-148.myvzw.com[75.210.148.234]

[/QUOTE]
As you can see the user is authenticating, but because they're using a Verizon Wireless connection, they're getting hit by a ton of positive scores--and ALL_TRUSTED is not firing.
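
Added example (not part of the post above): a Python correlation of the three log lines that matter in an excerpt like this one, namely the smtpd line carrying `sasl_username`, the hand-off to amavis on port 10024, and the amavis verdict, to list authenticated submissions that were still scored as spam. The log lines are constructed on the pattern of the excerpt, with placeholder addresses where the excerpt has blanks and two extra invented messages for contrast.

```python
import re

# Constructed log lines modelled on the excerpt above; the second and third
# messages, and all example.* hosts and addresses, are invented.
LOG = """\
Jul 26 21:24:38 zimbra postfix/smtpd[32623]: B3D732D60001: client=234.sub-75-210-148.myvzw.com[75.210.148.234], sasl_method=PLAIN, sasl_username=myboss@mycompany.com
Jul 26 21:24:44 zimbra amavis[5716]: (05716-01) Passed SPAMMY, [75.210.148.234] [75.210.148.234] <myboss@mycompany.com> -> <rcpt@example.com>, mail_id: rj4QngtKye1C, Hits: 5.999, size: 4337, queued_as: 49E382D60002, 4284 ms
Jul 26 21:24:44 zimbra postfix/smtp[32628]: B3D732D60001: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 49E382D60002)
Jul 26 21:30:01 zimbra postfix/smtpd[32700]: 5C0A12D60003: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@mycompany.com
Jul 26 21:30:03 zimbra amavis[5716]: (05716-02) Passed CLEAN, [192.0.2.10] [192.0.2.10] <alice@mycompany.com> -> <rcpt@example.com>, mail_id: aaaaaaaaaaaa, Hits: -1.2, size: 2100, queued_as: 6D1B22D60004, 900 ms
Jul 26 21:30:03 zimbra postfix/smtp[32701]: 5C0A12D60003: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6D1B22D60004)
Jul 26 21:31:10 zimbra postfix/smtpd[32710]: 7E2C32D60005: client=mail.example.org[198.51.100.7]
Jul 26 21:31:12 zimbra amavis[5716]: (05716-03) Passed SPAMMY, [198.51.100.7] [198.51.100.7] <x@example.org> -> <rcpt@example.com>, mail_id: bbbbbbbbbbbb, Hits: 6.1, size: 3000, queued_as: 8F3D42D60006, 1100 ms
Jul 26 21:31:12 zimbra postfix/smtp[32711]: 7E2C32D60005: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8F3D42D60006)
"""

SASL = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S+\[([0-9.]+)\], "
                  r"sasl_method=\S+, sasl_username=(\S+)")
RELAY = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*relay=127\.0\.0\.1"
                   r"\[127\.0\.0\.1\]:10024.*queued as ([0-9A-F]+)\)")
AMAVIS = re.compile(r"amavis\[\d+\]: \(\S+\) (?:Passed|Blocked) ([A-Z-]+),.*"
                    r"Hits: (-?[0-9.]+),.*queued_as: ([0-9A-F]+)")


def authenticated_but_spammy(log):
    """Join smtpd, amavis hand-off and verdict lines; order in the log is free."""
    auth, handoff, verdict = {}, {}, {}
    for line in log.splitlines():
        if m := SASL.search(line):
            auth[m.group(1)] = (m.group(3), m.group(2))   # queue id -> (user, ip)
        elif m := RELAY.search(line):
            handoff[m.group(2)] = m.group(1)              # re-injected id -> original id
        elif m := AMAVIS.search(line):
            verdict[m.group(3)] = (m.group(1), float(m.group(2)))
    findings = []
    for new_qid, (category, hits) in verdict.items():
        orig = handoff.get(new_qid)
        if orig in auth and category in ("SPAMMY", "SPAM"):
            user, ip = auth[orig]
            findings.append({"user": user, "client_ip": ip,
                             "queue_id": orig, "hits": hits})
    return findings


if __name__ == "__main__":
    print(authenticated_but_spammy(LOG))
```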
