ZCS Administrator Guide 7.2.1
ZCS Administrator Guide 7.2.1
Open Source Edition


Zimbra MTA > Anti-Spam Protection

Anti-Spam Protection
SpamAssassin, a mail filter that attempts to identify unsolicited commercial email (spam) with learned data stored in either the Berkeley DB database or a MySQL database.
SpamAssassin uses predefined rules as well as a Bayes database to score messages with a numerical range. Zimbra uses a percentage value to determine "spaminess" based on a SpamAssassin score of 20 as 100%. Any message tagged between 33%-75% is considered spam and delivered to the user’s junk folder. Messages tagged above 75% are always considered spam and discarded. The ZCS default is to use data in the Berkeley DB database.
SpamAssassin can alternatively be configured to use a MySQL-backed database for spam training. To use this method, set zmlocalconfig antispam_mysql_enabled to TRUE on the MTA servers. When this is enabled, Berkeley DB database is not enabled. See the Scalable Anti-Spam Using Spamassassin and MySQL wiki article at wiki.zimbra.com.
Note:
The DSPAM spam filter is also included with ZCS but the default is to not enable DSPAM. You can enable DSPAM by setting the localconfig attribute amavis_dspam_enabled to TRUE on the MTA servers.

zmlocalconfig -e amavis_dspam_enabled=true
Anti-Spam Training Filters
When ZCS is installed, the automated spam training filter is enabled and two feedback system mailboxes are created to receive mail notification.
*
Spam Training User to receive mail notification about mail that was not marked as spam, but should be.
*
Non-spam (referred to as ham) training user to receive mail notification about mail that was marked as spam, but should not have been.
For these training accounts, the mailbox quota is disabled (i.e. set to 0) and attachment indexing is disabled. Disabling quotas prevents bouncing messages when the mailbox is full.
How well the anti-spam filter works depends on recognizing what is considered spam or not considered spam (ham). The SpamAssassin filter can learn what is spam and what is not spam from messages that users specifically mark as spam or not spam by sending them to their junk folder in the web client or via Outlook for ZCO and IMAP. A copy of these marked messages is sent to the appropriate spam training mailbox. The ZCS spam training tool, zmtrainsa, is configured to automatically retrieve these messages and train the spam filter.
In order to correctly train the spam/ham filters, when ZCS is installed, spam/ham cleanup is configured on only the first MTA. The zmtrainsa script is enabled through a crontab job to feed mail that has been classified as spam or as non-spam to the SpamAssassin application, allowing SpamAssassin to ‘learn’ what signs are likely to mean spam or ham. The zmtrainsa script empties these mailboxes each day.
Note:
New installs of ZCS limit spam/ham training to the first MTA installed. If you uninstall or move this MTA, you will need to enable spam/ham training on another MTA, as one host should have this enabled to run zmtrainsa --cleanup. To do this, set zmlocalconfig -e zmtrainsa_cleanup_host=TRUE.
The ZCS default is that all users can give feedback in this way. If you do not want users to train the spam filter, you can modify the global configuration attributes, ZimbraSpamIsSpamAccount and ZimbraSpamIsNotSpamAccount, and remove the account addresses from the attributes. To remove, type as:
zmprov mcf <attribute> ‘’
When these attributes are modified, messages marked as spam or not spam are not copied to the spam training mailboxes.
Initially, you may want to train the spam filter manually to quickly build a database of spam and non-spam tokens, words, or short character sequences that are commonly found in spam or ham. To do this, you can manually forward messages as message/rfc822 attachments to the spam and non-spam mailboxes. When zmtrainsa runs, these messages are used to teach the spam filter. Make sure you add a large enough sampling of messages to these mailboxes. In order to get accurate scores to determine whether to mark messages as spam at least 200 known spams and 200 known hams must be identified.
The zmtrainsa command can be run manually to forward any folder from any mailbox to the spam training mailboxes. If you do not enter a folder name when you manually run zmtrainsa for an account, for spam, the default folder is Spam. For ham, the default folder is Inbox.
Protecting Alias Domains From Backscatter Spam
A milter that runs a Postfix SMTP Access Policy Daemon that validates RCPT To: content specifically for alias domains can be enabled to reduce the risk of backscatter spam.
Note:
This functionality is enabled using the CLI, zmlocalconfig.
1.
zmlocalconfig -e postfix_enable_smtpd_policyd=yes
2.
3.
zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
4.
Restart, type postfix start
The policy daemon runs after you set the bits in steps 1 and 3 above and then restart Postfix. The postfix_policy_time_limit key is because the Postfix spawn (8) daemon by defaults kills its child process after 1000 seconds. This is too short for a policy daemon that may run as long as an SMTP client is connected to an SMTP process.
Disable Postfix Policy Daemon
To disable the Postfix Policy Daemon, type the following:
1.
2.
3.
4.
Restart, type postfix start
Email Recipient Restrictions
RBL (Real-time black-hole lists) can be turned on or off in the Zimbra MTA from the administration console or using the Zimbra CLI. From the administration account go to the Global Settings>MTA tab.
For protocol checks, the following three RBLs can be enabled:
*
*
*
You can set the following, in addition to the three above:
*
*
*
*
*
*
As part of recipient restrictions, you can also use the reject_rbl_client <rbl hostname> option. In the Global Settings>MTA>DNS checks section on the administration console specify the list of RBLs. For a list of current RBL’s, see the Comparison of DNS blacklists article at http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
Adding RBLs using the CLI
1.
2.
Enter zmprov gacf | grep zimbraMtaRestriction, to see what RBLs are set.
3.
zmprov mcf zimbraMtaRestriction [RBL type]
To add all the possible restrictions, the command would be
zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org” zimbraMtaRestriction “reject_rbl_client cbl.abuseat.org” zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” zimbraMtaRestriction “reject_rbl_client dnsbl.sorbs.net” zimbraMtaRestriction “reject_rbl_client sbl.spamhaus.org” zimbraMtaRestriction “reject_rbl_client relays.mail-abuse.org”
Note:
Copyright © 2012 VMware Inc.