  #1 (permalink)  
Old 04-17-2008, 07:05 AM
Advanced Member
 
Posts: 205
Default [SOLVED] Spam Backscatter

Looking in /opt/zimbra/conf/spamassassin/ I see 20_vbounce.cf, along with many more, which appears to check for backscatter due to forged "From" and "ReplyTo" values. Two questions:
1) How do I confirm that it is being used?
2) If it's not being used, how can I trigger it to be used?

I have several users who are getting a "LOT" of this type of spam which I would like to just drop in the bit bucket.

I have looked at Improving Anti-spam system - Zimbra :: Wiki. Any other suggestions on further reading on configuring spamassassin within Zimbra?

Thanks

Last edited by jrefl5; 04-21-2008 at 10:07 AM.. Reason: moved to solved and spelling change
Reply With Quote
  #2 (permalink)  
Old 04-17-2008, 07:57 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Details here: VBounceRuleset - Spamassassin Wiki. Effectively you need to add the following to your local.cf file:

Code:
whitelist_bounce_relays myrelay.mydomain.net
Obviously put your own server name in there; this won't survive any upgrade and you'll have to redo the change.
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 04-17-2008, 08:01 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Sorry, I forgot some additional information from here: taint.org: Justin Mason’s Weblog » Dealing with backscatter, revisited
__________________
Regards


Bill
Reply With Quote
  #4 (permalink)  
Old 04-17-2008, 08:18 AM
Advanced Member
 
Posts: 205
Default Thks

Bill,
Thanks, I'll try it out shortly. It looks like one or more spammers are rotating through some of my users' e-mail addresses that have been on a public website for several years.

Question: does local.cf imply /opt/zimbra/conf/salocal.cf.in or is it in another location?

James

Last edited by jrefl5; 04-17-2008 at 08:27 AM..
Reply With Quote
  #5 (permalink)  
Old 04-17-2008, 01:52 PM
Moderator
 
Posts: 1,209
Default

Quote:
Originally Posted by phoenix View Post
Sorry, I forgot some additional information from here: taint.org: Justin Mason’s Weblog » Dealing with backscatter, revisited
Hi Bill,

From the taint website it looks like I could just add:

/^Content-Type: multipart\/report; report-type=delivery-status\;/ REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; / REJECT no third-party DSNs

to /opt/zimbra/conf/postfix_header_checks.in and get most of the benefits.

But that's not the syntax for the other lines in postfix_header_checks.in so I am asking if doing so is OK?

Thanks,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
Reply With Quote
  #6 (permalink)  
Old 04-17-2008, 02:01 PM
Advanced Member
 
Posts: 205
Default Updating

I'll let you know soon.
I needed to get the correct location of the local.cf (/opt/zimbra/conf/spamassassin/local.cf) file to test.

I'm about to head to the server to make the changes.

>>Update<<

Changes completed: updated postfix_header_check.in and local.cf.
>zmcontrol stop start
Server is back up and running; a few test messages inbound and outbound seem OK.
We'll see how the backscatter cleans up.
Thanks Bill

James

Last edited by jrefl5; 04-17-2008 at 02:38 PM.. Reason: Update
Reply With Quote
  #7 (permalink)  
Old 04-18-2008, 12:12 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Mark

Adding those lines into the conf.in should just add them in the same format to the updated conf file. Let us know how you both get on with this.
__________________
Regards


Bill
Reply With Quote
  #8 (permalink)  
Old 04-18-2008, 07:03 AM
Advanced Member
 
Posts: 205
Default Solved?

Looks like that did the trick.

Bill,
Do you know of a way to reject based on the charset of the e-mail?
None of the people I support currently read any languages that are in Cyrillic and there is a fair volume of spam that contains the following.
Quote:
------=_NextPart_000_0002_01C8A152.056221DB
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

Thanks
James
Reply With Quote
  #9 (permalink)  
Old 04-18-2008, 07:52 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

It's not something I've used as I don't get much foreign language spam but you should be able to list the accepted languages with the following added to the /opt/zimbra/conf/spamassassin/v310.pre file:

Code:
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english french 
ok_languages            en fr 

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales              en
Be careful if you use the body test for language as it will slow down spamassassin. There's a handy little generator for the list of languages at the bottom of this page: SpamAssassin Configuration Generator
__________________
Regards


Bill
Reply With Quote
  #10 (permalink)  
Old 04-18-2008, 08:43 AM
Advanced Member
 
Posts: 205
Default

Bill
Thanks. I'll look into those. I did stumble upon a possible test to put in postfix_header_check.in:
Quote:
/^SUBJECT:.*koi8-r/ DISCARD No Crylic users on site
as the string appears in the SUBJECT headers on many of them.


I'll be testing it later today.

James
Reply With Quote
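A dry run of the header_checks patterns quoted in posts #5 and #10, as an added example that is not part of the original thread: it shows which header lines each rule would act on before the rules go live. The function names and the sample headers are constructed for illustration, and the model assumes a folded header is matched as one string with its line breaks kept.

```python
import re

# Rules exactly as quoted in posts #5 and #10: (pattern, action, text).
RULES = [
    (r"^Content-Type: multipart\/report; report-type=delivery-status\;",
     "REJECT", "no third-party DSNs"),
    (r"^Content-Type: message\/delivery-status; ",
     "REJECT", "no third-party DSNs"),
    (r"^SUBJECT:.*koi8-r", "DISCARD", "No Crylic users on site"),
]
# Postfix regexp tables match case-insensitively by default; DOTALL mirrors
# POSIX matching, where a newline is not special to ".".
FLAGS = re.IGNORECASE | re.DOTALL

def logical_headers(raw):
    """Split a header block into logical headers. Assumption of this model:
    a folded header is matched as one string with its line breaks kept."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        elif line:
            headers.append(line)
    return headers

def first_action(header):
    """Return (action, text) of the first matching rule, or None."""
    for pattern, action, text in RULES:
        if re.search(pattern, header, FLAGS):
            return action, text
    return None

def dry_run(raw):
    """Map each logical header to the action the rules would take."""
    return [(h.split(":", 1)[0], first_action(h)) for h in logical_headers(raw)]

# Constructed sample headers (not taken from real mail).
SAMPLE = (
    'Subject: =?koi8-r?B?8NLJ18XU?=\n'
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    'Content-Type: multipart/report;\n\treport-type=delivery-status; boundary="b2"\n'
    'Content-Type: message/delivery-status\n'
    'Content-Type: text/plain;\n\tcharset="koi8-r"\n'
)

if __name__ == "__main__":
    for name, verdict in dry_run(SAMPLE):
        print(name, "->", verdict)
```

In this model only the encoded Subject and the single-line multipart/report header match; the folded DSN header, the parameterless message/delivery-status header and the koi8-r part header from post #8 pass through. On the server, `postmap -q "<header line>" regexp:<file>` queries the real table and is the authoritative check.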