Improve Spam in 5.0.1?

[bertie_uk]

Since upgrading to FOSS 5.0.1 from 4.5.10, my users are seeing much more spam, both in the Junk folder and through to their Inbox.

I have enabled the various dns checks, etc in the AV/AS Zimbra Admin page but not much change.

I've followed some of the features in the Wiki page: Improving Anti-spam system - Zimbra :: Wiki

Razor2, DCC, etc but I'm not sure if the wiki page is still applicable for Zimbra 5.

Has anyone else seen an increase in spam?
Has anyone implemented the features in the wiki page in 5?
Has anyone any other ideas?

Thanks in advance

[uscell]

Seems Intresting ,,,, i have not seen this problem any more... but i need to keep looking on this ..
i will update you if anything i will catch.

Thanks,
Yukari !!!

[uxbod]

Bertie,

would need to see one of the SPAM emails and the headers to see how it has been scored. They would not happen to be google redirect SPAMs would they?

I personally run a lot of other third party extensions to SpamAssassin, plus RBLs @ MTA level and PolicyD for greylisting. I get about .1% SPAM through now.

Cheers,

[bertie_uk]

Here is the raw message for an email that is spam and getting through:

Code:

Return-Path: iatrochemist@troullides.com
Received: from 85.113.82.134 (LHLO mail.teamnetsol.com) (85.113.82.134) by
 mail.teamnetsol.com with LMTP; Thu, 31 Jan 2008 02:23:55 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1])
	by mail.teamnetsol.com (Postfix) with ESMTP id 63E8C107D078;
	Thu, 31 Jan 2008 02:20:46 +0000 (GMT)
X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: NO
X-Spam-Score: 5.305
X-Spam-Level: *****
X-Spam-Status: No, score=5.305 tagged_above=-10 required=6.6
	tests=[BAYES_99=4.3, RCVD_IN_PBL=0.905, RDNS_NONE=0.1]
Received: from mail.teamnetsol.com ([127.0.0.1])
	by localhost (mail.teamnetsol.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id eGFDHBG2Modo; Thu, 31 Jan 2008 02:20:40 +0000 (GMT)
Received: from dhahdt (unknown [117.5.81.249])
	by mail.teamnetsol.com (Postfix) with SMTP id BFC24107C6D8
	for <sysadmin@teamnetsol.com>; Thu, 31 Jan 2008 02:20:36 +0000 (GMT)
Message-ID: <000701c863ae$7fd23100$0100007f@yxysve>
From: "Alastair Brooks" <iatrochemist@troullides.com>
To: <sysadmin@teamnetsol.com>
Subject: Ado6e Akrobat Pro 8 for MAC\XP\Vlsta 79, Retail 599 (save 520)
Date: Thu, 31 Jan 2008 09:20:13 +0700
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 12.0.4210
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

ulead mediastudio pro v8.0 with extras - 79
parallels desktop 3.0 for mac - 29
microsoft vista ultimate - 89
autodesk autocad lt 2008 - 69
media tools professional 5 - 39
adobe framemaker 8.0 - 69
avid liquid pro 7 - 69
adobe illustrator cs3 - 69
realize voice 3.51 - 29
v!slt `oemfactorysale. com` in your |nternet Explorer

444
55
66

Is there something I can set to block:

Code:

Received: from dhahdt (unknown [117.5.81.249])

Bertie

[uxbod]

Here is how we scored that email :-

Content analysis details: (17.5 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.9 TVD_RCVD_IP TVD_RCVD_IP
3.2 TVD_RCVD_IP4 TVD_RCVD_IP4
5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=117.5.81.249,nordns]
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
2.3 MANGLED_VISIT BODY: mangled visit
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[117.5.81.249 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.4999]
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
1.0 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers

Are your SA rules getting updated ?

[bertie_uk]

Are your SA rules getting updated ?

How can I check?

All I have changed from the default 5.0.1 is attempted to improve the spam filtering by following the Wiki page to add razor, etc. because the spam was getting through.

My 4.5.10 installation that I upgraded from was like a brick wall to spam, never got any though and was very impressed.

Bertie