Thread: Confusion regarding spam filters

  1. #1
    Jbrabander is offline Elite Member
    Join Date
    May 2008
    Location
    Park City, KS
    Posts
    342
    Rep Power
    7

    Confusion regarding spam filters

    OK, the spam filtering has me really confused now. I've recently turned down my kill and tag percentages to 45/25 to help catch a few more things. But I've seen a couple of somewhat explicit spam messages get delivered in the last couple days. Unless asked, I won't list the specific words in the messages. But this stuff is delivering into the users' inbox! I'd have thought for sure that ***ual words would trigger the spam flag. Am I wrong?

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,569
    Rep Power
    57

    I would have said that 45 is rather low for the kill percentage; I have my kill/tag at 66/25 and don't see much more than 1 or 2 spam emails per week in the Junk folder.

    To answer your question, you'd need to post the headers from some spam email to see what's happening. What happens if you mark that spam as Junk? Have you made any other changes such as the ones in the wiki or additional RBL lists?

    I'm sure you know this but there will always be some spam getting through; no anti-spam technique is 100% accurate.
    Regards


    Bill



  3. #3
    Jbrabander is offline Elite Member

    Well, I haven't seen any legit mail come through with a spam score of 8 or 9, hence the 45 percentage. But if I come across any more messages like that, I'll definitely post the headers.

    I was never expecting 100% accuracy, I just figured that certain anatomy type words would hit the spam scores pretty hard.
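
An added example, not part of any post in this thread, for reading the headers requested above: it parses an amavisd-style `X-Spam-Status` value, ranks the rules by contribution, and applies tag/kill percentages. It assumes Zimbra's percentages are a percentage of 20 SpamAssassin points; the two sample headers are constructed, with rule names borrowed from the rule-hit report later in the thread.

```python
import re

# Assumption: Zimbra's tag/kill percentages are a percentage of 20 SpamAssassin
# points, so 45% -> 9.0 and 25% -> 5.0.
def percent_to_score(percent):
    return round(percent * 20 / 100.0, 2)

STATUS_RE = re.compile(r"score=(-?[\d.]+).*?tests=\[(.*?)\]", re.S)

def parse_spam_status(value):
    """Return (total_score, {rule: score}) from an X-Spam-Status header value."""
    m = STATUS_RE.search(value)
    if not m:
        raise ValueError("no score= / tests=[...] fields found")
    rules = {}
    for item in m.group(2).split(","):
        name, sep, score = item.strip().partition("=")
        if sep:
            rules[name] = float(score)
    return float(m.group(1)), rules

def explain(value, tag_percent, kill_percent):
    """Return (action, total_score, rules ranked by contribution)."""
    total, rules = parse_spam_status(value)
    if total >= percent_to_score(kill_percent):
        action = "kill"
    elif total >= percent_to_score(tag_percent):
        action = "tag"
    else:
        action = "deliver"
    ranked = sorted(rules.items(), key=lambda kv: kv[1], reverse=True)
    return action, total, ranked

# Constructed sample headers: the same message before and after Bayes has been
# trained on it. BAYES_50=0.8 is a made-up score; the others match the report.
UNTRAINED = """No, score=4.036 tagged_above=-10 required=5
 tests=[BAYES_50=0.8, HTML_IMAGE_ONLY_32=1.778, HTML_MESSAGE=0.001,
 MIME_HTML_ONLY=1.457] autolearn=no"""
TRAINED = UNTRAINED.replace("score=4.036", "score=6.736").replace(
    "BAYES_50=0.8", "BAYES_99=3.5").replace("No,", "Yes,")

if __name__ == "__main__":
    for label, header in (("untrained", UNTRAINED), ("trained", TRAINED)):
        action, total, ranked = explain(header, tag_percent=25, kill_percent=45)
        print(f"{label}: {action} at {total}; top rule {ranked[0]}")
```

With kill/tag at 45/25 the untrained sample stays under the tag threshold and is delivered; only the Bayes hit moves it into the tagged range.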

  4. #4
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    It depends really as your bayes may have been poisoned as well. It is well worth looking at the wiki article Phoenix has pointed you to and implementing greylisting.

  5. #5
    Jbrabander is offline Elite Member

    I was just browsing the greylist option in the wiki. I'm not sure that'll work for us. If I understand it correctly, if it doesn't recognize the IP it bounces the mail back saying "try again later". However, we're an online retail company, so a good portion of our email is from customers that may have never contacted us before. They'd get plenty ticked off if we bounce their mail back at them.

    We've added in the Pyzor bit and added zen.spamhaus.org into the RBL. I've got the kill percentage at 45 to kill off the worst of the spam. A good deal of the crud mail we get scores 4.5 or higher. I haven't seen any legit mail that high. I had our kill percent at 66 for a long time too, but turned it down to block out some of the mail we get.

  6. #6
    uxbod is offline Moderator

    Implementing the SaneSecurity ClamAV sigs would certainly reduce the number even more. From my home server here are some stats:
    Code:
    RBLs
    b.barracudacentral.org       857
    zen.spamhaus.org             159
    dnsbl.sorbs.net                2
    =================================
    Total DNSBL rejections:      1018
    
    SaneSecurity Sigs at the top :)
    
    =========================================================================================
    SpamAssassin Rule Hits: Spam
    -----------------------------------------------------------------------------------------
    Rank     Hits    % Msgs   % Spam    % Ham      Score Rule
    ----     ----    ------   ------    -----      ----- ----
       1       48    35.82%  100.00%    0.00%          8 L_AV_SS_Spam
       2       48    35.82%  100.00%    0.00%        3.5 BAYES_99
       3       48    35.82%  100.00%    0.00%        0.5 RAZOR2_CF_RANGE_51_100
       4       48    35.82%  100.00%    0.00%        0.5 RAZOR2_CHECK
       5       45    33.58%   93.75%   27.91%      0.001 HTML_MESSAGE
       6       41    30.60%   85.42%    0.00%      1.955 URIBL_BLACK
       7       40    29.85%   83.33%    0.00%        1.5 RAZOR2_CF_RANGE_E8_51_100
       8       34    25.37%   70.83%    0.00%       1.86 URIBL_AB_SURBL
       9       33    24.63%   68.75%    0.00%       1.96 RCVD_IN_BL_SPAMCOP_NET
      10       32    23.88%   66.67%    1.16%      1.501 URIBL_JP_SURBL
      11       32    23.88%   66.67%    0.00%      1.499 URIBL_SBL
      12       28    20.90%   58.33%    0.00%        1.5 RAZOR2_CF_RANGE_E4_51_100
      13       22    16.42%   45.83%    1.16%        1.5 URIBL_OB_SURBL
      14       21    15.67%   43.75%    0.00%      0.001 DIGEST_MULTIPLE
      15       21    15.67%   43.75%    0.00%        3.7 PYZOR_CHECK
      16       20    14.93%   41.67%    9.30%      1.457 MIME_HTML_ONLY
      17       19    14.18%   39.58%    0.00%      1.778 HTML_IMAGE_ONLY_32
      18       17    12.69%   35.42%    0.00%      0.474 URIBL_SC_SURBL
      19       15    11.19%   31.25%    0.00%        1.5 URIBL_WS_SURBL
    You may wish to implement the Barracuda Central RBL as well which seems to do a good job. This is a free service that you would need to sign up to though.

  7. #7
    uxbod is offline Moderator

    On another note, somebody PM'd and asked how I generated the SA report. Well, here you go: Postfix and Amavis Log Reporters

    You will need to increase the log_level to 2 in /opt/zimbra/conf/amavisd.conf.in and restart ZCS as well.

    The RBL count can be generated using: dnsblcount - Count RBL Rejections in Postfix Log
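
An added example, not the dnsblcount script named above and not code from this thread: one way to produce the same kind of per-RBL rejection count from a Postfix log, keyed on the "blocked using" text that smtpd writes for DNSBL rejects. The log lines are constructed, using documentation IP ranges and example domains.

```python
import re
from collections import Counter

# Postfix's smtpd logs a DNSBL rejection with the text "blocked using <zone>;".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: .* blocked using ([\w.-]+)")

def count_dnsbl_rejections(lines):
    """Count rejections per DNSBL zone; other rejects and normal traffic are ignored."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def format_report(counts):
    """Render the counts in the layout of the RBL table posted earlier in the thread."""
    rows = [f"{zone:<28}{hits:>5}" for zone, hits in counts.most_common()]
    rows.append("=" * 33)
    rows.append(f"{'Total DNSBL rejections:':<28}{sum(counts.values()):>5}")
    return "\n".join(rows)

# Constructed log lines: three DNSBL rejects, one relay reject, one plain connect.
SAMPLE_LOG = """\
Jan 12 10:01:02 mail postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 12 10:01:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using b.barracudacentral.org; from=<a@example.net> to=<user@example.com> proto=ESMTP helo=<h1.example.net>
Jan 12 10:02:11 mail postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<user@example.com> proto=ESMTP helo=<h2.example.net>
Jan 12 10:03:40 mail postfix/smtpd[2111]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <x@example.org>: Relay access denied; from=<c@example.net> to=<x@example.org> proto=ESMTP helo=<h3.example.net>
Jan 12 10:04:59 mail postfix/smtpd[2115]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 Service unavailable; Client host [192.0.2.44] blocked using b.barracudacentral.org; from=<d@example.net> to=<user@example.com> proto=SMTP helo=<h4.example.net>
""".splitlines()

if __name__ == "__main__":
    print(format_report(count_dnsbl_rejections(SAMPLE_LOG)))
```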

  8. #8
    Jbrabander is offline Elite Member

    Wow! I added Barracuda last week and our junk has really gone down! I've been helping one user keep her inbox clean by going in and moving stuff from her inbox to the junk folder. She was easily getting 20-30 junk mails per hour in her inbox and junk folder. In about 4 hours today she's gotten maybe 12 total.

    Great suggestion to add that one! I owe you a cookie!

  9. #9
    phoenix is offline Zimbra Consultant & Moderator

    You might also want to look at pflogsumm, it produces a nicely formatted report of your mail statistics including RBL stats.
    Regards


    Bill



  10. #10
    uxbod is offline Moderator

    And if you want to take AV checking to another level, have a read through [SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins.
