  #1 (permalink)  
Old 01-02-2009, 07:47 AM
Intermediate Member
 
Posts: 19
Default Weird behaviors and LOTS of spam.

I'm currently running Ubuntu 8.04 server LTS with 5.0.11 FOSS. Prior to the upgrade from 6.06 LTS w/5.0.8 I had Razor/Pyzor/Rules Du Jour fully updated and running smooth. Spam was not much of a problem (about 90:1) and things were mostly ok.

But after the upgrade things slowly started to get wacky. Most recently my Zimbra logger service randomly stops/starts. Nothing standing out in the logs. Also, Rules Du Jour is no longer updating because SARE is on hiatus. Spam is now out of control. WAY above what I would expect from just lack of updated SARE rules.

In addition to Razor/Pyzor/RDJ, I've also enabled SPF and installed DCC. However spam now is worse than it ever was.

Also, randomly (not as frequently as the logger) the anti-spam server is stopping/starting. Again, nothing much standing out in the logs.

I'd also like to note that many people are receiving spam that appears to be from themselves. This is problematic as I assume flagging these messages as junk will cause the system to filter their own emails to themselves which is a necessary function here.

Running "cat zimbra.log |grep error" yields:


Quote:
Jan 2 09:14:08 mail postfix/smtpd[28400]: warning: 209.249.100.41: address not listed for hostname web41.GroundTerrorize.com
Jan 2 09:14:08 mail postfix/cleanup[29786]: 5C59AD84196: message-id=<AJfbjdjhcmdabJA@GroundTerrorize.com>
Jan 2 09:14:08 mail postfix/qmgr[8988]: 5C59AD84196: from=<3ff.4.66753628-5193972@GroundTerrorize.com>, size=7616, nrcpt=1 (queue active)
Jan 2 09:14:08 mail amavis[29513]: (29513-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090102T091408-29513: <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com> SIZE=7616 Received: from mail.vpsupply.com ([127.0.0.1]) by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <psweet@mail.vpsupply.com>; Fri, 2 Jan 2009 09:14:08 -0500 (EST)
Jan 2 09:14:08 mail amavis[29513]: (29513-01) Checking: 3vJfsdIPCiHE [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>
Jan 2 09:14:12 mail amavis[29513]: (29513-01) Blocked SPAM, [209.249.100.41] [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>, Message-ID: <AJfbjdjhcmdabJA@GroundTerrorize.com>, mail_id: 3vJfsdIPCiHE, Hits: 17.192, size: 7616, 4101 ms
Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary
And the same for /var/log/messages:

Quote:
Jan 2 09:14:08 mail amavis[29513]: (29513-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090102T091408-29513: <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com> SIZE=7616 Received: from mail.vpsupply.com ([127.0.0.1]) by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <psweet@mail.vpsupply.com>; Fri, 2 Jan 2009 09:14:08 -0500 (EST)
Jan 2 09:14:08 mail amavis[29513]: (29513-01) Checking: 3vJfsdIPCiHE [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>
Jan 2 09:14:12 mail amavis[29513]: (29513-01) Blocked SPAM, [209.249.100.41] [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>, Message-ID: <AJfbjdjhcmdabJA@GroundTerrorize.com>, mail_id: 3vJfsdIPCiHE, Hits: 17.192, size: 7616, 4101 ms
Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary
Here is my /opt/zimbra/conf/salocal.cf.in:

Quote:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 1.5

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.5

%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
%%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%

rewrite_header Subject *SPAM* _STARS(*)_
bayes_auto_learn 1
bayes_min_spam_num 60
bayes_min_ham_num 60
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

whitelist_from *@vpsupply.com
blacklist_from software_innovations4@konditions.com
blacklist_from noreply@jumpjkf.net
blacklist_from wantads@rochesterclassifiedsonline.biz
blacklist_from noreply@jumpergigi.com
blacklist_from updates@oldnavy.delivery.net
blacklist_from CA@crp.ml00.net
blacklist_from specials@123greetings.biz
blacklist_from Getpaidtowrite@apexwletter.com
blacklist_from reply@SRI-BISHOP.NET
blacklist_from OnlineBusiness@apexwizzard.com
blacklist_from AlarmCompanies.com@snowingtoday.com
blacklist_from email_bounce_handler@bounce.convio.net
blacklist_from health@realage-mail.com
blacklist_from news@apexwletter.com

body LOCAL_SIZE /size/i
score LOCAL_SIZE 0.5
header LOCAL_LOCALHOST reply-to =~ /@localhost/
score LOCAL_LOCALHOST 1
header LOCAL_DIP1OMA /dip1oma/i
score LOCAL_DIP1OMA 1
header LOCAL_FREE /free/i
score LOCAL_FREE 1
and /opt/zimbra/conf/spamassassin/local.cf:

Quote:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****


# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1


# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.


# Set file-locking method (flock is not safe over NFS, but is faster)
#
lock_method flock


# Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 4.7


# Use Bayesian classifier (default: 1)
#
use_bayes 1


# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1


# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

ok_languages en
ok_locales en
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
dns_available yes
trusted_networks 127. 192.168.

score RAZOR2_CHECK 2.400
score PYZOR_CHECK 2.400
score BAYES_99 4.200
score BAYES_90 3.400
score BAYES_80 2.900

bayes_ignore_header Received: from mail3.vectorsf.com
bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from mail1.vectorsf.com
bayes_ignore_header Received: from mail2.vectorsf.com

dcc_path /usr/local/bin/dccproc
dcc_body_max 999999
dcc_timeout 10
dcc_fuz1_max 999999
dcc_fuz2_max 999999
We are reaching critical mass. People are receiving so many spam messages that it's becoming difficult for them to find real emails buried within them.

Hopefully someone can help?
__________________
-ZW
Reply With Quote
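Added example, not part of the original thread or of Zimbra's tooling: a small audit of the salocal.cf.in directives quoted in the post above. It flags `whitelist_from` entries that cover a local domain (the match is on the From address, which any sender can forge, so mail spoofed as coming from a local user is whitelisted) and `header` rules that name no header to test. The function names, finding codes and the local-domain set are assumptions made for this example.

```python
import re

# Constructed excerpt: directive lines copied from the salocal.cf.in quoted in the post.
SAMPLE_CONF = """\
header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
whitelist_from *@vpsupply.com
blacklist_from noreply@jumpjkf.net
body LOCAL_SIZE /size/i
header LOCAL_LOCALHOST reply-to =~ /@localhost/
header LOCAL_DIP1OMA /dip1oma/i
header LOCAL_FREE /free/i
"""

# A header test is "<Header> =~ /re/", "<Header> !~ /re/", "exists:<Header>" or "eval:...".
HEADER_TEST = re.compile(r"^(?:\S+\s*(?:=~|!~)\s*\S|exists:\S|eval:\S)")


def glob_matches(glob, value):
    """SpamAssassin address globs support only '*' and '?'."""
    pattern = re.escape(glob.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, value.lower()) is not None


def audit(conf_text, local_domains):
    """Return (line_number, finding_code, line) for risky or broken directives."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive in ("whitelist_from", "welcomelist_from"):
            # Entries are compared with the sender address only, never the relay.
            for address_glob in rest.split():
                domain_glob = address_glob.rpartition("@")[2]
                if any(glob_matches(domain_glob, d) for d in local_domains):
                    findings.append((number, "FORGEABLE_LOCAL_WHITELIST", line))
                    break
        elif directive == "header":
            # rest is "<RULE_NAME> <test>"; the test must name a header.
            fields = rest.split(None, 1)
            test = fields[1] if len(fields) == 2 else ""
            if not HEADER_TEST.match(test):
                findings.append((number, "MALFORMED_HEADER_RULE", line))
    return findings


if __name__ == "__main__":
    # Assumption: vpsupply.com is the only domain this server accepts mail for.
    for number, code, line in audit(SAMPLE_CONF, {"vpsupply.com"}):
        print(f"line {number}: {code}: {line}")
```

SpamAssassin's `whitelist_from_rcvd` and `whitelist_auth` directives tie an entry to the sending relay or to SPF/DKIM results instead of the bare From address.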
  #2 (permalink)  
Old 01-02-2009, 08:18 AM
Moderator
 
Posts: 5,806
Default

What is the output of
Code:
su - zimbra
zmprov gacf | grep -i mtarestriction
__________________
SplatNIX IT Services :: Innovation through Collaboration™


http://www.messagefortress.com
  #3 (permalink)  
Old 01-02-2009, 08:27 AM
Intermediate Member
 
Posts: 19
Default reply

zimbra@mail:~/conf/spamassassin$ zmprov gacf| grep -i mtarestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
__________________
-ZW
  #4 (permalink)  
Old 01-02-2009, 08:39 AM
Intermediate Member
 
Posts: 19
Default Also

I also checked the local admin account for any notifications and did see an email sent by the system.

Quote:
Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 03:47:32 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id 68975D841A6;
Tue, 30 Dec 2008 03:47:32 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eKFiJI1OWNXm; Tue, 30 Dec 2008 03:46:58 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id 0BA04D841A0; Tue, 30 Dec 2008 03:46:57 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service logger stopped on mail.vpsupply.com
Message-Id: <20081230084658.0BA04D841A0@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 03:46:57 -0500 (EST)

Dec 30 03:46:57 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from running to stopped
and

Quote:
Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 03:48:07 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id AF334D8418D;
Tue, 30 Dec 2008 03:48:07 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id uQq9W5aBCKkx; Tue, 30 Dec 2008 03:48:05 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id D4D98D84197; Tue, 30 Dec 2008 03:48:05 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service logger started on mail.vpsupply.com
Message-Id: <20081230084805.D4D98D84197@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 03:48:05 -0500 (EST)

Dec 30 03:48:05 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from stopped to running
for the logger. For the anti spam:

Quote:
Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 13:08:40 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id 981F4D841D4;
Tue, 30 Dec 2008 13:08:40 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id iBMqLPjFdbSA; Tue, 30 Dec 2008 13:08:39 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id 84841D841D5; Tue, 30 Dec 2008 13:08:39 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service antispam started on mail.vpsupply.com
Message-Id: <20081230180839.84841D841D5@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 13:08:39 -0500 (EST)

Dec 30 13:08:38 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from stopped to running
and

Quote:
Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 13:14:41 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id AB73FD8402C;
Tue, 30 Dec 2008 13:14:41 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id swkszOTgOTWI; Tue, 30 Dec 2008 13:14:40 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id 0FB52D841A2; Tue, 30 Dec 2008 13:07:31 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service antispam stopped on mail.vpsupply.com
Message-Id: <20081230180731.0FB52D841A2@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 13:07:31 -0500 (EST)

Dec 30 13:07:30 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from running to stopped
Not sure if that helps any. Thanks!
__________________
-ZW
  #5 (permalink)  
Old 01-02-2009, 10:07 AM
Moderator
 
Posts: 5,806
Default

Okay, here is mine
Code:
[zimbra@office ~]$ zmprov gacf | grep -i mtarestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
For the Barracuda one you would need to sign up to Barracuda Central, and then to implement the RBLs use
Code:
su - zimbra
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
From your post you may have already read Improving Anti-Spam system :: Wiki? Also search the forums for BackScatter.
  #6 (permalink)  
Old 01-02-2009, 10:20 AM
Intermediate Member
 
Posts: 19
Default thanks

I've added those conditions, hopefully there will be an improvement.

I'm still very concerned with the random stopping/starting of the logger and anti-spam services. Any ideas on what's causing that? It only recently started happening and I've seen several other posts of similar issues but none that match exactly.

I'm worried that the system is not completely stable - if it were there would not be any errors. Ideas?
__________________
-ZW
  #7 (permalink)  
Old 01-02-2009, 10:21 AM
Moderator
 
Posts: 5,806
Default

Please update your member profile with
Code:
su - zimbra
zmcontrol -v
If on 5.0.11, there is a patch for zmlogger.
  #8 (permalink)  
Old 01-02-2009, 10:26 AM
Intermediate Member
 
Posts: 19
Default 5.0.11

I put version info in OP. It is 5.0.11, but here:

Quote:
Release 5.0.11_GA_2695.UBUNTU8 UBUNTU8 FOSS edition
Where would I find the patch? And would the logger be related to the anti-spam service?
__________________
-ZW