Weird behaviors and LOTS of spam.

[zwvpadmin]

I'm currently running Ubuntu 8.04 server LTS with 5.0.11 FOSS. Prior to the upgrade from 6.06 LTS w/5.0.8 I had Razor/Pyzor/Rules De Jour fully updated and running smooth. Spam was not much of a problem (about 90:1) and things were mostly ok.

But after the upgrade things slowly started to get wacky. Most recently my Zimbra logger service randomly stops/starts. Nothing standing out in the logs. Also, Roules De Jour is no longer updating because SARE is on hiatus. Spam is now out of control. WAY above what i would expect from just lack of updated SARE rules.

In addition to Razor/Pyzor/RDJ, I've also enabled SPF and installed DCC. However spam now is worse than it ever was.

Also, randomly (not as frequetly as the logger) the anti-spam servers is stop/starting. again nothing much standing out in the logs.

I'd also like to note that many people are receiving spam that appears to be from themselves. This is problematic as I assume flagging these messages as junk will cause the system to filter their own emails to themselves which is a necessary function here.

running: "cat zimbra.log |grep error" yeilds:

Jan 2 09:06:13 mail saslauthd[8993]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="80665"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_268f4f25e8d 901e88e85790eb63206880b789c44_69643d33363a64656230 303737362d353935642d343138392d626332662d3831663435 613535313362653b6578703d31333a31323331303737393733 3234363b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>steel</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jan 2 09:14:08 mail postfix/smtpd[28400]: warning: 209.249.100.41: address not listed for hostname web41.GroundTerrorize.com
Jan 2 09:14:08 mail postfix/cleanup[29786]: 5C59AD84196: message-id=<AJfbjdjhcmdabJA@GroundTerrorize.com>
Jan 2 09:14:08 mail postfix/qmgr[8988]: 5C59AD84196: from=<3ff.4.66753628-5193972@GroundTerrorize.com>, size=7616, nrcpt=1 (queue active)
Jan 2 09:14:08 mail amavis[29513]: (29513-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090102T091408-29513: <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com> SIZE=7616 Received: from mail.vpsupply.com ([127.0.0.1]) by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <psweet@mail.vpsupply.com>; Fri, 2 Jan 2009 09:14:08 -0500 (EST)
Jan 2 09:14:08 mail amavis[29513]: (29513-01) Checking: 3vJfsdIPCiHE [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>
Jan 2 09:14:12 mail amavis[29513]: (29513-01) Blocked SPAM, [209.249.100.41] [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>, Message-ID: <AJfbjdjhcmdabJA@GroundTerrorize.com>, mail_id: 3vJfsdIPCiHE, Hits: 17.192, size: 7616, 4101 ms
Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary
Jan 2 09:17:41 mail saslauthd[8990]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="4940"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_ae12829feed 61ba31b3a04aa994796beb11ce7a3_69643d33363a34336131 363933622d616334622d343765302d616230322d3062393965 323138396334343b6578703d31333a31323331303738363631 3433303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jan 2 09:17:59 mail saslauthd[8994]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="70132"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_48180a291ec f2a04ff4322329c388058fd84090f_69643d33363a66383563 323965342d643365622d343639652d613530392d3463633834 633963343233313b6578703d31333a31323331303738363739 3033323b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jan 2 09:18:05 mail saslauthd[8989]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="70137"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_ff7295a7d9d 409683da672923b3eb964e05cc4ca_69643d33363a66383563 323965342d643365622d343639652d613530392d3463633834 633963343233313b6578703d31333a31323331303738363835 3333323b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jan 2 09:23:06 mail saslauthd[8990]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="19545"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_7f616d154ef 96a428eff73d2846ba3b6bdb00044_69643d33363a32646465 636264612d353833652d343565332d383763392d3933653466 366232656138313b6578703d31333a31323331303738393836 3033383b747970653d363a7a696d6272613b</authToken><lifetime>172799999</lifetime><skin>lemongrass</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jan 2 09:25:01 mail saslauthd[8991]: zmpost: url='https://mail.vpsupply.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="1630"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_5839c776931 5f1a094dbb766def186ce3ca27802_69643d33363a39376162 323736392d643161302d343361632d383637642d3130653838 376166623537633b6578703d31333a31323331303739313031 3039303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''

And the same for /var/log/messages:

Jan 2 09:14:08 mail amavis[29513]: (29513-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090102T091408-29513: <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com> SIZE=7616 Received: from mail.vpsupply.com ([127.0.0.1]) by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <psweet@mail.vpsupply.com>; Fri, 2 Jan 2009 09:14:08 -0500 (EST)
Jan 2 09:14:08 mail amavis[29513]: (29513-01) Checking: 3vJfsdIPCiHE [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>
Jan 2 09:14:12 mail amavis[29513]: (29513-01) Blocked SPAM, [209.249.100.41] [209.249.100.41] <3ff.4.66753628-5193972@GroundTerrorize.com> -> <psweet@mail.vpsupply.com>, Message-ID: <AJfbjdjhcmdabJA@GroundTerrorize.com>, mail_id: 3vJfsdIPCiHE, Hits: 17.192, size: 7616, 4101 ms
Jan 2 09:14:51 mail amavis[6448]: (06448-17) WARN: MIME::Parser error: part did not end with expected boundary

here is my /opt/zimbra/conf/salocal.cf.in

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
################################################## #########################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 1.5

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.5

%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
%%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%

rewrite_header Subject *SPAM* _STARS(*)_
bayes_auto_learn 1
bayes_min_spam_num 60
bayes_min_ham_num 60
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

whitelist_from *@vpsupply.com
blacklist_from software_innovations4@konditions.com
blacklist_from noreply@jumpjkf.net
blacklist_from wantads@rochesterclassifiedsonline.biz
blacklist_from noreply@jumpergigi.com
blacklist_from updates@oldnavy.delivery.net
blacklist_from CA@crp.ml00.net
blacklist_from specials@123greetings.biz
blacklist_from Getpaidtowrite@apexwletter.com
blacklist_from reply@SRI-BISHOP.NET
blacklist_from OnlineBusiness@apexwizzard.com
blacklist_from AlarmCompanies.com@snowingtoday.com
blacklist_from email_bounce_handler@bounce.convio.net
blacklist_from health@realage-mail.com
blacklist_from news@apexwletter.com

body LOCAL_SIZE /size/i
score LOCAL_SIZE 0.5
header LOCAL_LOCALHOST reply-to =~ /@localhost/
score LOCAL_LOCALHOST 1
header LOCAL_DIP1OMA /dip1oma/i
score LOCAL_DIP1OMA 1
header LOCAL_FREE /free/i
score LOCAL_FREE 1

and /opt/zimbra/conf/spamassasin/local.cf:

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
################################################## #########################

# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****


# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1


# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.


# Set file-locking method (flock is not safe over NFS, but is faster)
#
lock_method flock


# Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 4.7


# Use Bayesian classifier (default: 1)
#
use_bayes 1


# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1


# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

ok_languages en
ok_locales en
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
dns_available yes
trusted_networks 127. 192.168.

score RAZOR2_CHECK 2.400
score PYZOR_CHECK 2.400
score BAYES_99 4.200
score BAYES_90 3.400
score BAYES_80 2.900

bayes_ignore_header Received: from mail3.vectorsf.com
bayes_ignore_header Received: from localhost
bayes_ignore_header Received: from mail1.vectorsf.com
bayes_ignore_header Received: from mail2.vectorsf.com

dcc_path /usr/local/bin/dccproc
dcc_body_max 999999
dcc_timeout 10
dcc_fuz1_max 999999
dcc_fuz2_max 999999

We are reaching critical mass. People are receiving so many spam messages that its becoming difficult for them to find real emails buried within them.

Hopefully someone can help?

[uxbod]

What is the output of

Code:

su - zimbra
zmprov gacf | grep -i mtarestriction

[zwvpadmin]

zimbra@mail:~/conf/spamassassin$ zmprov gacf| grep -i mtarestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender

[zwvpadmin]

I also checked the local admin account for any notifications and did see an email sent by the system.

Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 03:47:32 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id 68975D841A6;
Tue, 30 Dec 2008 03:47:32 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eKFiJI1OWNXm; Tue, 30 Dec 2008 03:46:58 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id 0BA04D841A0; Tue, 30 Dec 2008 03:46:57 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service logger stopped on mail.vpsupply.com
Message-Id: <20081230084658.0BA04D841A0@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 03:46:57 -0500 (EST)

Dec 30 03:46:57 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from running to stopped

and

Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 03:48:07 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id AF334D8418D;
Tue, 30 Dec 2008 03:48:07 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id uQq9W5aBCKkx; Tue, 30 Dec 2008 03:48:05 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id D4D98D84197; Tue, 30 Dec 2008 03:48:05 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service logger started on mail.vpsupply.com
Message-Id: <20081230084805.D4D98D84197@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 03:48:05 -0500 (EST)

Dec 30 03:48:05 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com logger changed from stopped to running

for the logger. For the anti spam:

Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 13:08:40 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id 981F4D841D4;
Tue, 30 Dec 2008 13:08:40 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id iBMqLPjFdbSA; Tue, 30 Dec 2008 13:08:39 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id 84841D841D5; Tue, 30 Dec 2008 13:08:39 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service antispam started on mail.vpsupply.com
Message-Id: <20081230180839.84841D841D5@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 13:08:39 -0500 (EST)

Dec 30 13:08:38 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from stopped to running

and

Return-Path: zimbra@mail.vpsupply.com
Received: from mail.vpsupply.com (LHLO mail.vpsupply.com) (192.168.1.7) by
mail.vpsupply.com with LMTP; Tue, 30 Dec 2008 13:14:41 -0500 (GMT-05:00)
Received: from localhost (localhost [127.0.0.1])
by mail.vpsupply.com (Postfix) with ESMTP id AB73FD8402C;
Tue, 30 Dec 2008 13:14:41 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.vpsupply.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level:
X-Spam-Status: No, score=-2.576 tagged_above=-10 required=6.6
tests=[AWL=0.024, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.vpsupply.com ([127.0.0.1])
by localhost (mail.vpsupply.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id swkszOTgOTWI; Tue, 30 Dec 2008 13:14:40 -0500 (EST)
Received: by mail.vpsupply.com (Postfix, from userid 1001)
id 0FB52D841A2; Tue, 30 Dec 2008 13:07:31 -0500 (EST)
To: admin@mail.vpsupply.com
From: admin@mail.vpsupply.com
Subject: Service antispam stopped on mail.vpsupply.com
Message-Id: <20081230180731.0FB52D841A2@mail.vpsupply.com>
Date: Tue, 30 Dec 2008 13:07:31 -0500 (EST)

Dec 30 13:07:30 mail zimbramon[15282]: 15282:err: Service status change: mail.vpsupply.com antispam changed from running to stopped

Not sure if that helps any. Thanks!

[uxbod]

Okay, here is mine

Code:

[zimbra@office ~]$ zmprov gacf | grep -i mtarestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net

for the barracuda one you would need to sign up too Barracuda Central and then to implement the RBLs use

Code:

su - zimbra
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"

From your post you may have already read Improving Anti-Spam system :: Wiki ? Also search the forums for BackScatter.

[zwvpadmin]

I've added those conditions, hopefully there will be an improvement.

I'm still very concerned with the random stoping/starting of the logger and anti-spam services. Any ideas on whats causing that? I only recently started happening and I've seen several other posts of similar issues but none that match exactly.

I'm worried that the system is not completely stable - if it were there would not be any errors. ideas?

[uxbod]

Please update your member profile with

Code:

su - zimbra
zmcontrol -v

if on 5.0.11 there is a patch for zmlogger.

[zwvpadmin]

I put version info in OP. It is 5.0.11, but here:

Release 5.0.11_GA_2695.UBUNTU8 UBUNTU8 FOSS edition

Where would I find the patch? And would the logger be related to the anti-spam service?