Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1, 09-17-2007, 08:05 AM, gfdos.sys (Senior Member, Posts: 65)

Simple Spam Assassin help needed

I need to do something VERY simple (I think): 98% of the mail making it through to my users is received from a relay in Asia: 210.7.68.50.

I want to tell spam assassin to kill all messages with
Received: from 210.7.68.50
before they are even delivered.

They are all virus mails.

I get mails from the Zimbra admin user letting me know that every day, and it's almost as annoying as spam:

Code:
From: "Content-filter at mail.domain.org" <admin@mail.domain.org>
Subject: VIRUS (Worm.SomeFool.Gen-2) IN MAIL TO YOU (from <?@[210.7.68.50]>)
To: <user@domain.org>
Message-ID: <VRzRH71qzb08K4@mail.domain.org>

VIRUS ALERT

Our content checker found
    virus: Worm.SomeFool.Gen-2

in an email to you from unknown sender:
  ?@[210.7.68.50]
claiming to be: <skelly@xpressdocs.com>

First upstream SMTP client IP address: [210.7.68.50] 

According to the 'Received:' trace, the message originated at:
  [210.7.68.50]
  domain.org (unknown [210.7.68.50])

Our internal reference code for the message is 03331-05/zRH71qzb08K4.
The message has been quarantined as:
  virus-zRH71qzb08K4

Please contact your system administrator for details.
Could I get simple instructions?
#2, 09-17-2007, 11:58 AM, Moderator (Posts: 1,027)

Quote (Originally Posted by gfdos.sys):
I need to do something VERY simple (I think): 98% of the mail making it through to my users is received from a relay in Asia: 210.7.68.50.

I want to tell spam assassin to kill all messages with
Received: from 210.7.68.50
before they are even delivered.
It's simple to describe, but if I have understood other threads on the subject, not so simple to implement. The config files for SpamAssassin are at /opt/zimbra/conf/spamassassin/, but I only see a whitelist file in there, not a blacklist.

My first question would be what other options you have enabled for your antispam. The installation manual has some good instructions for enabling blacklists that may solve your problem, as an IP spamming viruses is likely to make it into other people's blacklists as well.

These two threads:
[SOLVED] I don't think RBLs or Bayes are working for me
Improving spam filtering

also helped me.

But finally, there is a request on Bugzilla for enhanced control of both antispam and antivirus in the GUI, and so far it shows very little traffic. If a few of you would add comments and vote for it, we might get it up in the priority range. Visit bug 16329 and add your 0.02 in the currency of your choice!
#3, 09-17-2007, 12:17 PM, Loyal Member (Posts: 94)

Quote (Originally Posted by gfdos.sys):
I need to do something VERY simple (I think): 98% of the mail making it through to my users is received from a relay in Asia: 210.7.68.50.

I want to tell spam assassin to kill all messages with
Received: from 210.7.68.50
before they are even delivered.

They are all virus mails.

[...]

Could I get simple instructions?
Code:
# drop every packet from that relay so Postfix never even sees the connection
iptables -A INPUT -s 210.7.68.50 -j DROP

Brian Harden
www.chromedcomputing.com
#4, 09-17-2007, 12:51 PM, mmorse (Moderator, Posts: 6,237)

I would definitely recommend blocking at the firewall if you can do so, because then you're not even dealing with the possibility of processing the mail.

You could:
Code:
smtpd_client_restrictions = check_client_access hash:/whatever/location/like/etc/postfix/maps/access_client, permit
(this is in addition to anything else you have implemented)
The content of access_client would be:
Code:
210.7.68.50 REJECT
Then compile access_client into access_client.db:
Code:
postmap hash:access_client

Other spamassassin blacklisting methods are in here as well:
Improving Anti-spam system - ZimbraWiki
Improving Anti-spam system - #Class_A_IP_Address_Blocks - ZimbraWiki

Last edited by mmorse; 09-17-2007 at 12:54 PM..
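The check the original post asks for, carried one step further, as an added example (my code, not anything from Zimbra, Postfix or SpamAssassin). It walks the Received: trace the way the amavis notice does when it reports the "First upstream SMTP client IP address": starting from the header our own MTA wrote, it skips hops inside an assumed trusted-network list and takes the first address we did not control, then matches that address against a block list of CIDR networks. It also shows why matching the IP anywhere in the headers, which is what "kill all messages with Received: from 210.7.68.50" literally does, is the wrong test: a legitimate forwarder can hand us a message that once passed through the blocked relay, and the hop that actually connected to us is the only one an outside sender cannot rewrite. The trusted networks (203.0.113.0/24 standing in for mail.domain.org, 10.0.0.0/8 for an internal relay), the second blocked range 192.0.2.0/24 and both sample messages are constructed for the example. The last function emits the same list as a Postfix cidr: table, the prefix-capable equivalent of the access_client hash map shown above.

```python
import ipaddress
import re
from email import message_from_string
from typing import Iterable, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The relay from the thread as a /32, plus a documentation range (TEST-NET-1,
# an assumption for this example) to show that prefixes work the same way.
BLOCKED_NETWORKS: List[IPNetwork] = [
    ipaddress.ip_network("210.7.68.50/32"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Hosts whose Received: lines we believe: loopback, an assumed internal relay
# range, and an assumed address block for mail.domain.org. A Received: line
# written by anything else is just text the sender chose to put there.
TRUSTED_NETWORKS: List[IPNetwork] = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Postfix writes "Received: from <helo> (<rdns> [<client-ip>]) by <us> ...".
# Capture the bracketed client address in the parenthesis after the HELO name.
_CLIENT_IP = re.compile(r"\bfrom\s+\S+\s+\([^)\[]*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")


def received_client_ips(raw_message: str) -> List[IPAddress]:
    """Client address recorded by each Received: header, topmost (newest) first."""
    msg = message_from_string(raw_message)
    ips: List[IPAddress] = []
    for hdr in msg.get_all("Received", []):
        m = _CLIENT_IP.search(" ".join(hdr.split()))  # unfold continuation lines
        if not m:
            continue  # local submission or a format we do not parse; skip the hop
        try:
            ips.append(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # something that is not an address inside the brackets
    return ips


def first_untrusted_relay(raw_message: str) -> Optional[IPAddress]:
    """Walk outward from our own MTA and return the first hop we did not control,
    which is what the amavis notice calls the 'first upstream SMTP client'."""
    for ip in received_client_ips(raw_message):
        if any(ip in net for net in TRUSTED_NETWORKS):
            continue  # written by one of our hosts; look at who handed it to them
        return ip
    return None


def should_reject(raw_message: str) -> Tuple[bool, str]:
    """Block decision based only on the hop that actually connected to us."""
    ip = first_untrusted_relay(raw_message)
    if ip is None:
        return False, "no untrusted relay in the Received: trace"
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return True, f"client {ip} matches blocked {net}"
    return False, f"client {ip} is not blocked"


def naive_match(raw_message: str, ip: str) -> bool:
    """What 'kill all messages with Received: from 210.7.68.50' literally does:
    a substring match over every Received: line, forwarded or forged ones included."""
    headers = message_from_string(raw_message).get_all("Received", [])
    return any(ip in hdr for hdr in headers)


def postfix_cidr_table(networks: Iterable[IPNetwork]) -> str:
    """The block list as a Postfix cidr: table for check_client_access. A hash:
    table like access_client above takes bare addresses; prefixes need cidr:."""
    return "".join(f"{net.with_prefixlen} REJECT blocked relay\n" for net in networks)


# Constructed sample messages (not captured mail). The first mirrors the trace in
# the amavis notice: our MTA wrote the only Received: line and recorded the client.
VIRUS_MSG = """\
Received: from domain.org (unknown [210.7.68.50])
\tby mail.domain.org (Postfix) with ESMTP; Mon, 17 Sep 2007 08:01:12 +0200
From: skelly@xpressdocs.com
To: user@domain.org
Subject: constructed sample

body
"""

# Same originating host, but a partner's MX (198.51.100.7) delivered it to our
# internal relay. The bottom Received: line is text that partner passed along.
FORWARDED_MSG = """\
Received: from relay.internal (relay.internal [10.0.0.5])
\tby mail.domain.org (Postfix) with ESMTP; Mon, 17 Sep 2007 09:00:00 +0200
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
\tby relay.internal (Postfix) with ESMTP; Mon, 17 Sep 2007 08:59:58 +0200
Received: from domain.org (unknown [210.7.68.50])
\tby mx.partner.example (Postfix) with ESMTP; Mon, 17 Sep 2007 08:50:00 +0200
From: alice@partner.example
To: user@domain.org
Subject: constructed forwarded sample

body
"""

if __name__ == "__main__":
    for name, msg in (("virus", VIRUS_MSG), ("forwarded", FORWARDED_MSG)):
        print(name, should_reject(msg), "naive:", naive_match(msg, "210.7.68.50"))
    print(postfix_cidr_table(BLOCKED_NETWORKS), end="")
```

SpamAssassin performs the same walk internally from its trusted_networks and internal_networks settings, which is why its relay-based checks are more reliable than a plain header rule that regex-matches Received: anywhere in the message. Whichever layer you block at, the address to block is the one your own MTA recorded for the connecting client, exactly the address Postfix's check_client_access and the iptables rule above are keyed on.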