[SOLVED] Help with outbound blacklisting

[su_A_ve]

Hello,

We've got some targeted phishing scams lately, and trying to figure out how to blacklist outbound mail, so my lusers who still reply to those are at least dropped. Bottom line, lusers reply with their passwords, then hackers log in and spam out.

I enabled sender_scores_sitewide in amavisd's config file and works great for incoming messages, however I don't think it works for outgoing (this is for sender, not recipient - never got an answer from the amavis list on how to accomplish this).

So I tried what it had worked for me in the past, which was adding to salocal.cf:

blacklist_to teachers.org

Which should just blacklist this. However it's not, and the only guess I take it that since it is the local server, the trusted networks might trump it ?

Oh, note that yes, I edited the salocal.cf.in and amavisd.conf.in and then restarted with zmamavisdctl

TIA...

[su_A_ve]

OK - answering my own questions???

Got a bit further... Apparently the blacklist_to needs an actual full email address or at least an *@domain.tld

But I'm adding about 10 points to the score. It's sets it as SPAM in the logs, but the message still gets delivered out the door.

AFAIK, unless it's 15+ it won't get dropped/quarantined...

[uxbod]

Code:

su - zimbra
zmprov gacf | grep Percent

so we can see what your tag/kill SPAM scores are set to please.

[su_A_ve]

zimbraSpamKillPercent: 75
zimbraSpamTagPercent: 33

Looking at the amavisd.conf.in evasive actions is set to 15. I didn't want to change our overall rules, however was looking for an option similar to sender_scores_sitewide, or adjust the score for the individual domain

So far fromt he amavis list, I got zilch - Marc Martine is pretty good about replying...

TIA.

[su_A_ve]

bump ?

Again, an external file being read such as sender_scores would be ideal...

[su_A_ve]

The following code was given by Mark Martinec, author of amavisd. It needs to be placed right after the end of the @score_sender_maps array and before the @decoders array in amavisd.conf.in

Code:

### The following will read a hash of recipients and scores
{ my($hr) = read_hash("/etc/zimbra/recip_scores_sitewide");
  my($outer) = {};
  while (my($recip,$score) = each %$hr) { $outer->{$recip} = [{'.'=>$score}] }
    push(@score_sender_maps, $outer);
}

Then simply create a text file named recip_scores_sitewide and the fomat would be like:

Code:

blocked_recip@domain.com  +50
.spamdomain.com +50
whitelisted_recip@otherdomain.com -50
.gooddomain.com -50

And reload with zmamavisdctl