
Thread: Simple Spam Assassin help needed

  1. #1
    gfdos.sys is offline Senior Member

    Question Simple Spam Assassin help needed

    I need to do something VERY simple (I think). 98% of the mail making it through to my users is all received from a relay in Asia: 210.7.68.50.

    I want to tell spam assassin to kill all messages with
    Received: from 210.7.68.50
    before they are even delivered.

    They are all virus mails.

    I get mails from the zimbra admin user letting me know that every day, and it's almost as annoying as spam:

    Code:
    From: "Content-filter at mail.domain.org" <admin@mail.domain.org>
    Subject: VIRUS (Worm.SomeFool.Gen-2) IN MAIL TO YOU (from <?@[210.7.68.50]>)
    To: <user@domain.org>
    Message-ID: <VRzRH71qzb08K4@mail.domain.org>
    
    VIRUS ALERT
    
    Our content checker found
        virus: Worm.SomeFool.Gen-2
    
    in an email to you from unknown sender:
      ?@[210.7.68.50]
    claiming to be: <skelly@xpressdocs.com>
    
    First upstream SMTP client IP address: [210.7.68.50] 
    
    According to the 'Received:' trace, the message originated at:
      [210.7.68.50]
      domain.org (unknown [210.7.68.50])
    
    Our internal reference code for the message is 03331-05/zRH71qzb08K4.
    The message has been quarantined as:
      virus-zRH71qzb08K4
    
    Please contact your system administrator for details.

    Could I get simple instructions?

  2. #2
    dwmtractor is offline Moderator

    Quote Originally Posted by gfdos.sys View Post
    I need to do something VERY simple (I think). 98% of the mail making it through to my users is all received from a relay in Asia: 210.7.68.50.

    I want to tell spam assassin to kill all messages with
    Received: from 210.7.68.50
    before they are even delivered.
    It's simple to describe, but if I have understood other threads on the subject, not so simple to implement. The config files for spamassassin are at /opt/zimbra/conf/spamassassin/ but I only see a whitelist file in there, not a blacklist.

    My first question would be what other options you have enabled for your antispam. The installation manual has some good instructions for enabling blacklists that may solve your problem, as an IP spamming viruses is likely to make it into other people's blacklist as well.

    These two threads:
    [SOLVED] I don't think RBLs or Bayes are working for me
    Improving spam filtering

    also helped me.

    But finally there is a request on bugzilla for enhanced control of both antispam and antivirus on the GUI, and so far it shows very little traffic. If a few of you would add comments and vote for it we might get it up in the priority range. Visit bug 16329 and add your 0.02 in the currency of your choice!

  3. #3
    brained is offline Loyal Member

    Quote Originally Posted by gfdos.sys View Post
    I need to do something VERY simple (I think). 98% of the mail making it through to my users is all received from a relay in Asia: 210.7.68.50.

    I want to tell spam assassin to kill all messages with
    Received: from 210.7.68.50
    before they are even delivered.


    iptables -A INPUT -s 210.7.68.50 -j DROP

  4. #4
    mmorse is offline Moderator

    I would definitely recommend blocking at the firewall if you can do so...because then you're not even dealing with the possibility of processing the mail.

    You could:
    smtpd_client_restrictions = check_client_access hash:/whatever/location/like/etc/postfix/maps/access_client, permit (this is in addition to anything else you have implemented)
    The content of access_client would be:
    210.7.68.50 REJECT
    Then compile access_client into access_client.db:
    postmap hash:access_client

    Other spamassassin blacklisting methods are in here as well:
    Improving Anti-spam system - ZimbraWiki
    Improving Anti-spam system - #Class_A_IP_Address_Blocks - ZimbraWiki
    Last edited by mmorse; 09-17-2007 at 12:54 PM.
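
An added example, not part of any post in this thread: a Python helper that reads saved content-filter notifications like the one quoted in post #1, counts the "First upstream SMTP client IP address" field, and emits `access_client` lines in the `IP REJECT` form from post #4. The trusted-network list, the hit threshold and the sample notifications are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Field name as it appears in the content-filter notification quoted in post #1.
CLIENT_RE = re.compile(r"First upstream SMTP client IP address: \[([^\]\s]+)\]")

# Assumption: networks whose hosts must never be listed (our own relays).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def client_ips(text):
    """Yield each valid, untrusted IPv4 client address found in the notifications."""
    for raw in CLIENT_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            continue  # malformed value: never copy it into the map
        if any(ip in net for net in TRUSTED_NETS):
            continue  # blocking our own relay would stop legitimate mail
        yield ip


def access_map_lines(text, min_hits=3, action="REJECT"):
    """Return 'IP ACTION' lines for clients seen in at least min_hits notifications."""
    counts = Counter(client_ips(text))
    return [f"{ip} {action}" for ip in sorted(counts) if counts[ip] >= min_hits]


def _notice(ip):
    # Constructed sample, reduced to the one field the parser reads.
    return f"VIRUS ALERT\n\nFirst upstream SMTP client IP address: [{ip}] \n\n"


# Constructed input: one repeat offender, one single hit, an internal relay
# and a malformed address.
SAMPLE = (_notice("210.7.68.50") * 3 + _notice("192.0.2.10")
          + _notice("10.0.0.5") * 5 + _notice("999.1.1.1") * 3)

if __name__ == "__main__":
    print("\n".join(access_map_lines(SAMPLE)))
```

The printed lines go into the `access_client` file, which then has to be recompiled with `postmap` as described in post #4.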
