Quote:
|
Originally Posted by dwmtractor zimbraMtaRestriction: reject_non-fqdn_hostname |
This is incorrect, the - (dash) should be _ (underscore).
Quote:
|
Originally Posted by dwmtractor zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org |
Turn this off-it's now part of a paid trendmicro service-else you are just wasting bandwidth for 'no licence' return values.
dns checks:
reject_unknown_client -I leave off because every client needs a valid A record or it won't deliver
reject_unknown_hostname -I leave off because every server that sends you mail needs a A & MX record (and I definitely want alerts from some of my servers that don't have mx records)
reject_unknown_sender_domain -I leave this on; the @domain.com part of their email address must resolve proper A/mx
I also use:
host checks- to conform to the industry standards:
reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
RBL's - Real Time Black Lists:
Code:
reject_rbl_client dnsbl.njabl.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client zen.spamhaus.org
zen combines spamhaus' sbl, xbl and pbl (while I don't always agree with the pbl, zen resolves much faster/has more copies out there, so i've given in to their policies)
Check their websites for details, some I usually get the most 'spam' returns from spamcop & spamhaus. Keep in mind they all tend to share info with each other-and score it differently, check their websites for details.
You enter them all on one (or use +) else you'll erase the currently set values:
Quote:
|
zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non_fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction reject_unknown_sender_domain zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org” zimbraMtaRestriction “reject_rbl_client cbl.abuseat.org” zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” zimbraMtaRestriction “reject_rbl_client dnsbl.sorbs.net” zimbraMtaRestriction “reject_rbl_client zen.spamhaus.org”
|
to check:
Code:
zmprov gacf | grep zimbraMtaRestriction
To reduce email to accounts that you don't even have:
Change the entry in zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)
(Add your IP's to the trusted area of local.cfg, -you don't want some user marking an email from a coworker at your same organization as junk, then it affecting the bayes score (this is not to be confused with mtamynetworks-which is for submitting mail from remote networks)
Quote:
|
Anyway, the question is this: Should RBL scores show in my headers whether or not the source IP has a hit in one of the databases, or will it only show in the case of a hit?
|
Only added when you get a 'hit'.
-check the /opt/zimbra/conf/spamassassin folder for the points added
Quote:
|
As a second point I think maybe I should weight my Bayesian filter higher than 3.5, but I don't see in the documentation how one goes about changing the absolute score a feature can give--in my case Bayes seems to top out at 3.5 which seems to let an awful lot through, because with a required score of 6.6 for spam, a 100% hit on Bayes is only 53% of the way to scoring as spam. So far I'd say that's insufficient. How do I adjust that range?
|
Quote:
|
3) If I could just increase the Bayesian weighting by about .75 to 1 point, it'd push him over the edge. This is more desirable than lowering the point threshold on ALL messages since it would just give more weight to my Bayesian scores for stuff I have classified as junk, rather than allowing the random combination of all the other scores to increase false positives.
|
You can manually edit values in your /opt/zimbra/conf/spamassassin folder (there will be a bunch of files in there defining rules)
-Also see the all important /opt/zimbra/conf/amavisd.conf.in (only edit the .in not the live copy - it then gets copied live on restart)
While your browsing through that file you can fix any 'wheight listing' which starts by applying +- to mail from a certain address/domain (there's a few defaults provided.) Negative scores mean it's legit. The higher the positive score the worse.
Also, while there change the 'sa_dsn_cutoff_level' to something more realistic. (near top of file) You dont' want to send delivery status notifications "I got your mail" to the spammers.
(I suggest you change kill/tag levels through zmprov/admin console though -not amavisd.conf.in- so i'll keep through upgrades)
Quote:
|
On that note, there are references all over the forum to changing the kill and tag percentages on the admin UI, but nowhere have I been able to find documentation of just how those percentage numbers relate mathematically to the various scores I see in the headers of emails. Could someone clarify this for me please?
|
No sweat, it's the standard 20point system
20in spamassassin/amavisd.conf.in =100% in the admin console
10=50%
5=25%
etc
zmprov mcf zimbraSpamKillPercent 50
(It's given in percentages-so that would kill anything with 10pts on the 20pt scale)
100% = 20pts
33% = 6.6pts
75% = 15pts
etc
You can change the action (discard vs bounce etc) in amavisd.conf.in (don't edit amavisd.conf directly, edit the .in and restart)
$final_spam_destiny=D_DISCARD;
You can also play with the dsn (delivery status notification) setting; so over a certain level you won't be responding 'I got your mail' to the spammers.
$sa_dsn_cutoff_level = 50;
To delete/not bother quarantining high scoring spam (therefore reducing the number of items in the quarantine) this setting allows you to discard quarantined spam above this level:
$sa_quarantine_cutoff_level = 90;
It is cleaned up every day though:
0 1 * * * find /opt/zimbra/amavisd/quarantine -type f -mtime +7 -exec rm -f {} \; > /dev/null 2>&1
Note: In that amavisd.conf.in file, wherever possible it's better to set the values with zmprov/admin console (ie: the tag & kill levels) so that it stays consistent across upgrades.
zmprov mcf zimbraSpamTagPercent 30
-would put everything above 6pts in the junk folder (and label with a custom **SPAM** in the subject line if you have that enabled) - I personally don't because it's already in the junk folder.
tag level - Mail goes to the junk folder (Unless the user has their own filter that moves it elsewhere; then I suggest they/you make an accompanying x-spam-level header filter: say contains at least **** then move back to junk etc)
kill level - The mail does not get delivered to the users (unless you set final_spam_destiny to D_PASS -
values are D_PASS, D_BOUNCE, D_REJECT and D_DISCARD -search the postfix documentation for descriptions)
For more ideas see
Improving Anti-spam system - ZimbraWiki
I especially like graylisting- You take the mail 'hold it', then you send back a temporary error; so that they try mail delivery again. Then when a legit connection is attempted again the mail goes through. Spammers just tend to move on and not bother. The preferred method: if no retry is made within say 1hr you add x points to it's score and still deliver it.
Razor is also very good.
Bugzilla
Wiki
Source
[SOLVED] I don't think RBLs or Bayes are working for me 
. . . but I looked at a whole bunch of the config files in /opt/zimbra/conf/spamassassin and I can't figure out how which of those files influences the total points assigned by the Bayesian filter to each message. 
Linear Mode
