
Thread: Spam, best way to deal with it?

  1. #1 quietas (Elite Member; Anchorage, AK; joined Aug 2007)

    Spam, best way to deal with it?

    I see this post: Improving Anti-spam system - Zimbra :: Wiki. It's quite old though and is marked for ZCS 4.5.x.

    Essentially I have been having issues with the Protocol and DNS checks at the Global level for the MTA. Those work great and filter out 90% of the crap coming from infected PCs on dynamic home DSL and cable connections. The problem, as folks probably know, is that it also blocks valid email from poorly set up companies and ISPs. Often this seems to be from DNS and hostnames not matching because they send through a relay or have multiple mail servers with incorrect HELO responses.

    I'm using zen.spamhaus.org for the RBL, are there others which would be beneficial to add?

    Is there a better way to filter the garbage than having the restrictive Protocol and DNS checks?

    Personally, I have been contacting the Tech folks for the domains I see being blocked incorrectly, but it seems 1 in 5 actually seem to be able to understand what a hostname and a DNS name actually are. 1 in 10 then are able to actually fix it. I wish I could be as restrictive as somewhere like Craigslist, but the execs would not stand for it.
    Culley
    Mail | Dell 2950III | 2x Quad Core 5420 | 8gb RAM | 6x 146gb SAS RAID 0+1 | Red Hat 5.3 | Zimbra 6.0.10 Network Edition
    Test | VMware ESXi Whitebox | Phenom II Black 3.2ghz | 12gb RAM | 6x 1tb SATA RAID 0+1 | CentOS 5.4 | FOSS, Not in use now

  2. #2 Jbrabander (Elite Member; Park City, KS; joined May 2008)

    I recently added b.barracudacentral.org to our RBL list and it's helped a bunch! You have to register at BarracudaCentral.org - Technical Insight for Security Pros, but it's free to use.

    We'd been having issues with the DNS checks rejecting valid mail too. I think it was the reject_unknown_hostname that caused us issues. And I was getting tired of making up "fake" A records in our DNS just to let stuff in. So, we finally turned that option off.

    Do you have Pyzor installed? I think it's mentioned in the wiki. That helps add to the spam scores. We tried adding blacklist items to the salocal.in file, but that was a pain to upkeep and with most spam changing addresses daily it didn't help much.

  3. #3 uxbod (Moderator; UK; joined Nov 2006)

    Improving Anti-spam system - Zimbra :: Wiki

    A lot can be done to combat SPAM and greylisting does help, though mis-configured remote MTAs can cause issues as well. You could also have a read through: [SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins

    I have used the SaneSecurity Signatures for quite a while now and have never had any real issues.

    Are you receiving a particular type of SPAM?

  4. #4 ewilen (Moderator; Berkeley, CA; joined Jun 2008)

    Definitely use Barracuda. I was already using a number of DNSBLs, but things were still falling through the cracks; when I added Barracuda it had a noticeable effect.

    I actually don't use zen, preferring to query sbl, pbl, and the components of xbl (cbl and njabl) separately. The reason for this is that, last I checked, the xbl wasn't updated in realtime. So a listing could appear in cbl or njabl before it showed up in xbl. Cbl in particular is based on spamtrap hits, so timely information can make a difference in stopping an incipient spam run.

    I also use spamcop and quite a few other blacklists, including several based on country of origin. (This is acceptable for my organization; it probably wouldn't be in other environments.)

    This is a good resource for keeping track of available blacklists: Blacklists Compared

    The downside of using a bunch of DNSBLs of course is extra time and load due to the lookups, but our current (non-Zimbra) server doesn't have a problem.

    When/if we switch to Zimbra, I expect to pare the DNSBLs and rely more on server and client-based content filtering, as that gives users more control and will hopefully reduce complaints about false positives.

    I also make extensive use of custom blacklists. On my current system I have a content-based plugin running which sends me daily reports of which IP addresses have been the sources of the most spammy-looking mail. I use this information in conjunction with Senderbase lookups and WHOIS records to decide whom to block. (WHOIS records that have the owner information hidden by a privacy service like Moniker, etc., are highly suspect in my eyes.)

    (EDIT: I wonder if Zimbra's content-based tools can provide a similar summary?)

    Should the tools provided by Zimbra (and the Wiki) need supplementing, another idea is to implement ASSP. By moving some antispam functions onto a separate box, this would also take some load off of Zimbra.
    Last edited by ewilen; 03-04-2009 at 05:26 PM.

  5. #5 quietas (Elite Member; Anchorage, AK; joined Aug 2007)

    Quote Originally Posted by uxbod:
    I saw this one, but it specifies it is for 4.5.x. Is that info still valid and are all the files mentioned still correct? Also, it is outdated enough that it does not mention Ubuntu except for installing SPF on 6.06.

    Quote Originally Posted by uxbod:
    A lot can be done to combat SPAM and greylisting does help, though mis-configured remote MTAs can cause issues as well.
    This has been my major issue with the DNS checks: other people's valid mail servers which are not set up correctly. I have tried helping them, but I could spend all day, every day, looking up info for their particular system.

    Quote Originally Posted by uxbod:
    Are you receiving a particular type of SPAM?
    Unfortunately not, otherwise I'd add some specific filters. Also, since this is a medical supply company and pharmacy, we actually get REAL mail concerning ***ual stimulation devices and ******/cyallis/valium/other. Many of the keywords in spam are things we need to get mail about. =(

    I'll look into Pyzor/Razor and Barracuda. I knew Barracuda had front line Mail filter appliances, but I did not realize they had an open, free to use, RBL. I don't suppose someone is planning to update, remake, or recreate the Anti-Spam entry in the wiki?

  6. #6 Jbrabander (Elite Member; Park City, KS; joined May 2008)

    For the "good" valium, etc. mail, do they tend to come from the same outside companies? Could you whitelist those domains?

    Of course, I'm not sure which would take precedence: the RBL trying to kick out the mail or the whitelist trying to let it in.
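Worked example added here (not code from the thread, from Zimbra or from Postfix): it models how Postfix walks an ordered restriction list, which is what decides the precedence question above (a client-IP whitelist placed before reject_rbl_client wins), and it builds the reversed-octet DNSBL query names that the per-list lookups in #4 rely on. The DNS answers are constructed inline so it runs offline; the ZEN return codes are Spamhaus's published ones, and the function and policy names are my own.

```python
# Added example, not from the thread: Postfix-style restriction evaluation
# with DNSBL lookups faked offline.
import ipaddress

# Constructed fake DNS answers. A DNSBL lists an IP by publishing an A record
# for the reversed-octet name under its zone. Addresses are from the
# documentation ranges (TEST-NET); nothing here touches the network.
FAKE_DNS = {
    "4.100.51.198.zen.spamhaus.org": "127.0.0.4",        # XBL-style hit
    "4.100.51.198.b.barracudacentral.org": "127.0.0.2",  # Barracuda hit
    "9.113.0.203.zen.spamhaus.org": "127.0.0.11",        # PBL (dynamic range)
}

# Spamhaus ZEN return codes as published by Spamhaus (assumed current);
# Barracuda and most other lists answer only 127.0.0.2.
ZEN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for a DNSBL: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_lookup(ip: str, zone: str, resolver=FAKE_DNS.get):
    """Return 'zone reason' if the IP is listed, else None."""
    answer = resolver(dnsbl_name(ip, zone))
    if answer is None:
        return None
    code = int(answer.split(".")[-1])
    label = ZEN_CODES.get(code, "listed") if zone == "zen.spamhaus.org" else "listed"
    return f"{zone} {label}"

def evaluate(client_ip: str, restrictions, resolver=FAKE_DNS.get) -> str:
    """Walk restrictions in order; the first PERMIT or REJECT wins, as Postfix
    does for smtpd_recipient_restrictions. Entries are ("whitelist", {ips})
    (a check_client_access table) or ("rbl", zone) (reject_rbl_client)."""
    for kind, arg in restrictions:
        if kind == "whitelist" and client_ip in arg:
            return "PERMIT"
        if kind == "rbl":
            reason = rbl_lookup(client_ip, arg, resolver)
            if reason:
                return f"REJECT {reason}"
    return "DUNNO"   # no decision here; later checks (content filter) decide

# Whitelist first, so a known-good partner survives even when a list has it.
POLICY = [("whitelist", {"198.51.100.4"}),
          ("rbl", "zen.spamhaus.org"),
          ("rbl", "b.barracudacentral.org")]
```

Keying the whitelist on the connecting IP rather than on the sender domain matters: a sender-domain whitelist is bypassed by any spammer who forges that domain in MAIL FROM, while the client IP is what the RBL judged in the first place.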

  7. #7 quietas (Elite Member; Anchorage, AK; joined Aug 2007)

    That's one thing I was wondering also. It would be nice, though, to have whitelists and blacklists configurable from the admin GUI, especially if they did something like the advanced search to create more advanced filtering.

  8. #8 Jbrabander (Elite Member; Park City, KS; joined May 2008)

    I agree, I'd like to have it in the admin GUI too. I know there's a listing in the wiki for how to add black/whitelists, but those changes don't hold when updates are put in.

  9. #9 quietas (Elite Member; Anchorage, AK; joined Aug 2007)

    Exactly. I have mine saved in a text file first, but it does not always get updated or whatever.

  10. #10 Jbrabander (Elite Member; Park City, KS; joined May 2008)

    Well, at least they're implementing user black/white lists. But having one at the admin level that'll cover the whole company would be great.
