Spam, best way to deal with it?

[quietas]

I see this post: Improving Anti-spam system - Zimbra :: Wiki. It's quite old though and is marked for ZCS 4.5.x.

Essentially I have been having issues with the Protocol and DNS checks at the Global level for the MTA. Those work great and filter out 90% of the crap coming from infected PC's on dynamic home DSL and cable connections. The problem as folks probably know is that it also blocks valid email from poorly setup companies and ISP's. Often this seems to be from DNS and hostnames not matching because they send through a relay or have multiple mailservers with incorrect HELO responses.

I'm using zen.spamhaus.org for the RBL, are there others which would be beneficial to add?

Is there a better way to filter the garbage than having the restrictive Protocol and DNS checks?

Personally, I have been contacting the Tech folks for the domains I see being blocked incorrectly, but it seems 1 in 5 actually seem to be able to understand what a hostname and a DNS name actually are. 1 in 10 then are able to actually fix it. I wish I could be as restrictive as somewhere like Craigslist, but the execs would not stand for it.

[Jbrabander]

I recently added b.barracudacentral.org to our RBL list and it's helped a bunch! You have to register at BarracudaCentral.org - Technical Insight for Security Pros, but it's free to use.

We'd been having issues with the DNS checks rejecting valid mail too. I think it was the reject_unknown_hostname that caused us issues. And I was getting tired of making up "fake" A records in our DNS just to let stuff in. So, we finally turned that option off.

Do you have Pyzor installed? I think it's mentioned in the wiki. That helps add to the spam scores. We tried adding blacklist items to the salocal.in file, but that was a pain to upkeep and with most spam changing addresses daily it didn't help much.

[uxbod]

Improving Anti-spam system - Zimbra :: Wiki

A lot can be done to combat SPAM and greylisting does help; though mis-configured remote MTAs can cause issues aswell. You could also have a read through :- [SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins

I have used the SaneSecurity Signatures for quite a while now and have never had any real issues.

Are you receiving a particular time of SPAM ?

[ewilen]

Definitely use Barracuda. I was already using a number of DNSBLs, but things were still falling through the cracks; when I added Barracuda it had a noticeable effect.

I actually don't use zen, preferring to query sbl, pbl, and the components of xbl (cbl and njabl) separately. The reason for this is that, last I checked, the xbl wasn't updated in realtime. So a listing could appear in cbl or njabl before it showed up in xbl. Cbl in particular is based on spamtrap hits, so timely information can make a difference in stopping an incipient spam run.

I also use spamcop and quite a few other blacklists, including several based on country of origin. (This is acceptable for my organization; it probably wouldn't be in other environments.)

This is a good resource for keeping track of available blacklists: Blacklists Compared

The downside of using a bunch of DNSBLs of course is extra time and load due to the lookups, but our current (non-Zimbra) server doesn't have a problem.

When/if we switch to Zimbra, I expect to pare the DNSBLs and rely more on server and client-based content filtering, as that gives users more control and will hopefully reduce complaints about false positives.

I also make extensive use of custom blacklists. On my current system I have a content-based plugin running which sends me daily reports of which IP addresses have been the sources of the most spammy-looking mail. I use this information in conjunction with Senderbase lookups and WHOIS records to decide whom to block. (WHOIS records that have the owner information hidden by a privacy service like Moniker, etc., are highly suspect in my eyes.)

(EDIT: I wonder if Zimbra's content-based tools can provide a similar summary?)

Should the tools provided by Zimbra (and the Wiki) need supplementing, another idea is to implement ASSP. By moving some antispam functions onto a separate box, this would also take some load off of Zimbra.

[quietas]

Quote:

Originally Posted by uxbod

Improving Anti-spam system - Zimbra :: Wiki

I saw this one, but it specifies it is for 4.5.x. Is that info still valid and all the files mentioned still correct. Also, it is outdated enough that it does not mention Ubuntu except for installing SPF on 6.06.

Quote:

Originally Posted by uxbod

A lot can be done to combat SPAM and greylisting does help; though mis-configured remote MTAs can cause issues aswell.

This has been my major issue with the DNS checks. Other people's valid mail servers which are not set up correctly. I have tried helping them, but I could spend all day, everyday, looking up info for their particular system.

Quote:

Originally Posted by uxbod

Are you receiving a particular time of SPAM?

Unfortunately not, otherwise I'd add some specific filters. Also, since this is a medical supply company and pharmacy, we actually get REAL mail concerning ***ual stimulation devices and ******/cyallis/valium/other. Many of the keywords in spam are things we need to get mail about. =(

I'll look into Pyzor/Razor and Barracuda. I knew Barracuda had front line Mail filter appliances, but I did not realize they had an open, free to use, RBL. I don't suppose someone is planning to update, remake, or recreate the Anti-Spam entry in the wiki?

[Jbrabander]

For the "good" valium, etc. mail, do they tend to come from the same outside companies? Could you whitelist those domains?

Of course, I'm not sure which would take precidence: the RBL trying to kick out the mail or the whitelist trying to let it in.

[quietas]

That's one thing I was wondering also. It would be nice though to get whitelists and black lists configurable from the admin GUI. Especially if they did something like the advanced search to create more advanced filtering.

[Jbrabander]

I agree, I'd like to have it in the admin GUI too. I know there's a listing in the wiki for how to add black/whitelists, but those changes don't hold when updates are put in.

[quietas]

Exactly. I have mine saved in a text file first, but it does not always get updated or whatever.

[Jbrabander]

Well, at least they're implementing user black/white lists. But having one at the admin level that'll cover the whole company would be great.