
Thread: bad spam getting thru

  1. #1
    bbarrons is offline Special Member

    bad spam getting thru

    I know that spam is a big topic and I have read everything there is on the forums, but I am a bit of a novice in this area so bear with me. I have had a Zimbra server up and running for a small private school for the past 3 months. Spam has been greatly reduced from what they are used to, but how can an email get thru with the F word in the subject line? At first I had just whatever was default setup; I have since reduced the numbers from 75/33 to 30/15. I enabled SPF and installed razor. I followed one of the guides in the wiki but they were written several versions ago. I am running Ubuntu 8.04 with 5.09 installed.
    I don't think I want to use greylisting, so what are the best recommendations and easiest way to implement them? I can follow a guide well enough. Any ideas?
    thanks
    Bill B

  2. #2
    uxbod is offline Moderator

    I would recommend taking a look at SaneSecurity - Phishing and Scam Signatures for ClamAV. Even though SARE Ninjas are currently not developing their signatures, some of the old ones are pretty good. Also, Kevin McGrail's rules for SA are pretty good.

  3. #3
    BrianA is offline Senior Member

    With all due respect to the Zimbra guys, I find it easiest to have a "perimeter" box that does the spam n virus filtering, then relays to Zimbra. I have the Zimbra spam n AV turned off.
    This means I can have a really neat setup that doesn't get trashed if I want to upgrade Zimbra versions.
    Some things I have set up in our spam filtering include:
    - country based rejection. Country is based on IP address ranges - see The DNSBL countries.nerd.dk loaded into a DNS server that returns a value 1,2,3,4 depending on how I arbitrarily rated the country. Nigeria gets a 4.
    - rule to allow emails with our company's sig in them thru (like an auto whitelist for replies to our emails)
    - the ninjas rules are good
    - the sane security is good too
    - the botnet spamassassin ruleset
    - pyzor
    - razor
    - honeypot email addresses that go straight to training
    - bayes OCR image spam detection
    - a few 1 minute delays in the reject rules to slow the rate of spammers

    we are blocking a modest 4000 odd spams a day on a 35 user site, and yet my boss takes the initiative in sending me the 1 or 2 spams he gets daily.

    I have to do callouts to zimbra to confirm the recipient, otherwise I could generate backscatter spam, instead of dropping the email with the 550 error.

    I've had to whitelist a few dozen senders (false positives) but this could be avoided by sending them email first to reply to - signature allow rule.

    cheers

  4. #4
    uxbod is offline Moderator

    I do the same thing, Brian, by running MailScanner in front of Zimbra. Like yourself I feel I have better control of AV/AS then, as I can include multiple AV scanners as well. And as you say, when upgrading ZCS there is less potential for any changes we have made to be destroyed.

  5. #5
    bbarrons is offline Special Member

    I posted a quick reply several days ago but it seems it never made it. I wanted to thank all of you for your replies. I appreciate the recommendations on putting the spam protection on another server but I don't have the resources for that. After reading thru all the suggestions I decided that I had the complete wrong idea about greylisting. I installed postgrey because it was in the Ubuntu repositories and I found a wiki describing how to install it. It has only been 12 hours so I can't be sure it has made much of a difference yet. How can I tell if it is working as planned?
    thanks
    Bill B

  6. #6
    uxbod is offline Moderator

    You will need to monitor your maillog to see the connections being grey-listed, and then to see if they ever connect again. Are you auto-whitelisting as well?
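
Added example, not part of the thread and not code from postgrey or Zimbra: a small Python script that performs the maillog check described in the post above, listing which greylisted senders came back and were accepted, which never returned, and how many messages passed via the auto-whitelist. The log lines are constructed and modelled on postgrey's `action=...` syslog lines; the exact format on a given server is an assumption and may differ by version.

```python
import re

# Constructed sample maillog lines (documentation IPs and .example domains).
SAMPLE_LOG = """\
Jun 10 08:01:12 mail postgrey[2211]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.5, sender=promo@bulk.example, recipient=office@school.example
Jun 10 08:02:40 mail postgrey[2211]: action=greylist, reason=new, client_name=mx1.partner.example, client_address=198.51.100.7, sender=jane@partner.example, recipient=office@school.example
Jun 10 08:03:01 mail postgrey[2211]: action=greylist, reason=early-retry (260s missing), client_name=mx1.partner.example, client_address=198.51.100.7, sender=jane@partner.example, recipient=office@school.example
Jun 10 08:09:15 mail postgrey[2211]: action=pass, reason=triplet found, delay=395, client_name=mx1.partner.example, client_address=198.51.100.7, sender=jane@partner.example, recipient=office@school.example
Jun 10 09:30:00 mail postgrey[2211]: action=pass, reason=client AWL, client_name=mx2.regular.example, client_address=192.0.2.44, sender=news@regular.example, recipient=teacher@school.example
Jun 10 09:31:00 mail postfix/smtpd[900]: connect from unknown[203.0.113.5]
"""

# Assumed line shape: "postgrey[pid]: action=X, reason=Y, key=value, ..."
LINE_RE = re.compile(
    r"postgrey\[\d+\]: action=(?P<action>\w+), reason=(?P<reason>[^,]+), (?P<rest>.*)$"
)

def parse(line):
    """Return the fields of one postgrey line as a dict, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split(", ") if "=" in kv)
    fields["action"] = m.group("action")
    fields["reason"] = m.group("reason")
    return fields

def summarize(log_text):
    """Group by greylisting triplet (client IP, sender, recipient)."""
    deferred = {}   # triplet -> number of times it was deferred
    passed = set()  # triplets that were deferred and later accepted
    awl = 0         # messages accepted through the client auto-whitelist
    for line in log_text.splitlines():
        f = parse(line)
        if f is None:
            continue
        triplet = (f.get("client_address"), f.get("sender"), f.get("recipient"))
        if f["action"] == "greylist":
            deferred[triplet] = deferred.get(triplet, 0) + 1
        elif f["action"] == "pass":
            if "AWL" in f["reason"]:
                awl += 1
            elif triplet in deferred:
                passed.add(triplet)
    never = sorted(t for t in deferred if t not in passed)
    return {"greylisted": len(deferred), "returned": sorted(passed),
            "never_returned": never, "awl_passes": awl}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

A high share of `never_returned` triplets is the expected sign that greylisting is working; legitimate senders showing up there for hours are the ones to investigate or whitelist.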

  7. #7
    bbarrons is offline Special Member

    I believe I am; at least that is what I wanted it to do. Simple way to check?

  8. #8
    yoom@hostwebase.com is offline Active Member

    Brian,

    It sounds like you are very good at these email spam issues. I am wondering if you can provide some pointers on how to get rid of Backscatter Spam.

    I am running version 5.X and have implemented some suggestions from other posts on how to get rid of Backscatter. However, I am still getting thousands and thousands of these Returned, Undelivered mails. Do you have a correct configuration to share? I am hoping Zimbra has this capability. There are only 10 users on this pilot server.

    Thanks in advance,

    Y

  9. #9
    BrianA is offline Senior Member

    I think postfix is a bit ordinary in this regards...

    which is why I have put my spam filtering on another box, with exim as the MTA.

    have you tried this...

    http://wiki.zimbra.com/index.php?tit...alid_Addresses

  10. #10
    mtorres is offline Trained Alumni

    Don't know if you've tried this, but ever since I added zen.spamhaus.org to my RBL list, our spam has been reduced by a ton. According to dnsblcount, just today it has rejected 1,959 spam e-mails.
