Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1  01-30-2009, 04:57 AM  Intermediate Member
[SOLVED] Dropping OutBound SPAM

We are providing a free email service to the public. We use separate servers for the MTA inbound and MTA outbound. The problem we are having relates to the outbound MTA.

Unfortunately we have problems stopping users creating SPAM accounts and then obviously spamming.

We have been able to stop the spammers (not 100%) by using postfix header_checks to match patterns on known spam subjects or from addresses and then reject the messages which match. This is not the best option as it is a manual change. What I wish to do is match the spamassassin X-Spam headers to check if it is spam and then use the header_checks to reject these emails if they are tagged as SPAM.

The problem I'm having is that although I can match From, To, Subject headers etc., I am not able to match X-Spam headers with header_checks. It feels like the X-Spam headers are added after header_checks has been parsed.

If anyone has ideas why the X-Spam headers are not being matched or any pointers to other ways outbound SPAM is captured (other than policyd) please let me know.
#2  01-30-2009, 05:24 AM  Moderator

You could always set up a smarthost so your ZCS would relay through that. You would get all the headers then to match against. It would also be useful to look at SaneSecurity signatures for use with ClamAV. They are fairly easy to set up for use in either a smarthost or ZCS.
#3  01-30-2009, 05:28 AM  Moderator

Looking at the message flow you should be able to match the headers okay. I believe it goes Postfix -> AmavisD -> Postfix, so what you are trying to do should be possible. What header_checks rule are you using?
#4  01-30-2009, 05:48 AM  Intermediate Member

Thanks for the quick responses. I have listed the data from header_checks:

[zimbra@lwmtao1 ~]$ zmlocalconfig | grep header_checks
postfix_header_checks = regexp:/opt/zimbra/postfix/conf/header_checks

[zimbra@lwmtao1 ~]$ grep REJECT /opt/zimbra/postfix/conf/header_checks
/^Subject:.*Known Spam Sublect/ REJECT This from address has been regularly used as a spam account
  ** This matches correctly and rejects mail **

/^From:.*Known SPAM from address/ REJECT This from address has been regularly used as a spam account
  ** This matches correctly and rejects mail **

/^X-Spam/ REJECT rejected due to spam header
  ** Test to reject any mails with X-Spam; doesn't match for some unknown reason. Have tried multiple regexes with X-Spam **
#5  01-30-2009, 05:56 AM  Moderator

Why not use something like:
Code:
/^X-Spam-Flag: YES/ REJECT This is a SPAM
#6  01-30-2009, 06:12 AM  Intermediate Member

I did try the below, but it didn't match:

Code:
/^X-Spam-Flag: YES/ REJECT This is a SPAM
I did the below so as to capture any X-Spam headers:
Code:
/^X-Spam/ REJECT rejected due to spam header
Unfortunately no go in either case. Is it possible to put amavisd and spamassassin in debug mode to see what gets parsed and matched?
#7  01-30-2009, 06:21 AM  Moderator

Yep, kind of ... If you modify /opt/zimbra/conf/amavisd.conf.in and change line ~50 to $log_level = 2, this will generate more detailed output. You will need to restart ZCS then.
#8  01-30-2009, 06:45 AM  Moderator

Okay, I think I have found it. Have a look at /opt/zimbra/postfix/conf/master.cf.in on line 111. When amavisd has finished its checks it injects the email back into Postfix on port 10025. The line
Code:
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
overrides the defaults and no header/body checks are performed. You would need to remove the no_header_body_checks part and restart ZCS so that they are indeed performed. The rationale is that your own server should be sending out SPAM email. I have not tested this, so no warranty implied.
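As an added illustration (not code from this thread or from Zimbra), a small Python emulation of the Postfix header_checks flow discussed above: the regexp table is applied to each logical header line, and the no_header_body_checks entry in receive_override_options on the port 10025 re-injection listener skips the table entirely, which is why a rule on X-Spam-Flag never fires until that entry is removed. The rules, the master.cf option line and the two sample messages are constructed for the example.

```python
import re

# Constructed header_checks table in Postfix regexp: syntax, modelled on the thread's rules.
HEADER_CHECKS = """
# comment lines and blank lines are ignored
/^Subject:.*Known Spam Subject/ REJECT This subject has been regularly used for spam
/^X-Spam-Flag: YES/ REJECT This is a SPAM
"""

# Option line as quoted in the thread for the 10025 listener (assumed, for the example).
MASTER_CF_LINE = " -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings"

RULE_RE = re.compile(r"^/((?:\\/|[^/])*)/(i?)\s+(\S+)(?:\s+(.*))?$")

def parse_header_checks(table):
    """Parse '/pattern/[i] ACTION text' lines. Matching is case-insensitive by default;
    a trailing 'i' flag toggles it to case-sensitive, as in regexp_table(5). Other flags
    are not handled here."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad header_checks rule: {line}")
        pattern, flag, action, text = m.groups()
        rules.append((re.compile(pattern, 0 if flag else re.IGNORECASE), action, text or ""))
    return rules

def receive_override_options(master_cf_line):
    """Extract the option set from a master.cf '-o receive_override_options=...' line."""
    m = re.search(r"receive_override_options=(\S+)", master_cf_line)
    return set(m.group(1).split(",")) if m else set()

def header_checks(rules, raw_message, overrides=frozenset()):
    """Emulate header_checks: return (ACTION, text) for the first rule matching a logical
    header line (folded continuation lines joined), or None if the message passes."""
    if "no_header_body_checks" in overrides:
        return None  # the override disables header/body checks on this listener entirely
    logical = []
    for line in raw_message.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()  # unfold a continuation line
        else:
            logical.append(line)
    for header in logical:
        for regex, action, text in rules:
            if regex.search(header):
                return action, text
    return None

# Constructed samples: the message as submitted, and as re-injected by amavisd on port 10025.
SUBMITTED = "From: someone@example.com\nTo: other@example.org\nSubject: hello\n\nbody\n"
TAGGED = "X-Spam-Flag: YES\nX-Spam-Status: Yes, score=12.3\n\ttests=CONSTRUCTED\n" + SUBMITTED
```

On the first pass SUBMITTED carries no X-Spam headers, so no rule can match; on re-injection TAGGED is rejected only once no_header_body_checks is dropped from the override set.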
#9  01-30-2009, 06:50 AM  Moderator

Thinking about this, something that could be useful would be to use a pipe and then reject. Similar to how Wiki :: Adding a disclaimer works, as you could trap who is sending out SPAMs to a mysql database for taking action against the user and trending.
#10  01-30-2009, 07:16 AM  Intermediate Member

Thank you very, very much.

Removing the override no_header_body_checks did the trick. I will look at your other suggestion regarding tracking the user in the very near future.

Thanks again.