how to implement strong antispam

[viaris]

Hi All

I need to implement strong antispam because I have in the INBOX on users spam mail.
Other problems is the spam that is detected is stored in the Junk Mail folder, how can I to configure for that the spam mail not stay in any folder, I want that all spam deleted.

Regards.

[phoenix]

Spam does not stay in the Junk folder eprmanently, it's gets deleted after a period of time that you set in the Admin UI. Perhaps you ought to find out why you have spam in the users Inbox, search the forums for some tips as it's been covered before.

You might also want to post details of what you version of Zimbra is, what sort of spam is in the Inbox (post some headers), what your Kill/Tag percentages are etc...

Improving Anti-spam system - Zimbra :: Wiki

[viaris]

Ok

My version is: Release 5.0.16_GA_2921.F7_20090429055651 F7 FOSS edition, in the ocnfiguracion Antivirus Antispam As/Av, I have

Kill percent: 50
Tag percent: 18

Regards.

[quietas]

The downside with the wiki solution for better antispam is much of it is eliminated when there is a Zimbra upgrade. We need to find a way which is a bit more durable when upgrading and would be better to build into Zimbra for configuration and whatnot.

[uxbod]

Well there are a few options :-

1) Search the forums for Barracua RBL and SaneSecurity Signatures
2) When changing any file keep a patch diff so it is easier to re-apply
3) Abstract the AS part of ZCS into a front-end server; say using ::: Official Home Page for MailScanner - Anti-Virus and Anti-Spam Filter :::

[mtorres]

I know this isn't the answer people are looking for, but I implemented a set of rules on our firewall to block countries that my users shouldn't have any business talking to. I did this more for content filtering but I noticed our spam decreased drastically when I did that. I am talking we went from probly around 1,000 spam a day to about 20. The downside is sometimes your users do have a legit reason to talk to IPs in these countries so you have to unblock them one at a time, but imo it was worth it. I use zen.spamhaus.org as an rbl, which helps filter the U.S. spam we get. I work for a school district though here in the U.S. so 90% of our emails we get are from parents here in our town or other school districts here in our state. I know businesses email people in other countries all the time, so you have to think about it a lot before you would do something like this. Between the firewall rules, spamhaus, and the anti-spam system zimbra has, we don't have any problem at all with spam as of now (knock on wood). We get a few here and there, but it isn't a problem. Our users realize that spammers dedicate much more time getting spam into our inboxes than I have to keep them out, so one every now and then isn't too shabby.

[uxbod]

Greylisting and a dummy MX are pretty good at stopping SPAM as long as other MTAs honor 451 messages.

[dwmtractor]

I use a combination of multiple RBLs, lowered tag & kill percentages (as OP has already done), modified scores for places that IMHO SpamAssassin is too tolerant, and penalty-scoring all commercial whitelists. I keep all such modifications in a single file /opt/zimbra/conf/spamassassin/local.cf and I keep that file backed up. That way, when I do an upgrade it's a simple matter of copying local.cf from my backup into the live directory, stop & restart spamassassin and everything stays up.

YMMV, but I've found the following Bayes modifications in local.cf to make my SA scores a lot more effective:

Code:

#My tweaks to the Bayes scoring system - DWM
score BAYES_00 0.0001 0.0001 -6.312 -9.599
score BAYES_05 0.0001 0.0001 -4.110 -6.110
score BAYES_20 0.0001 0.0001 -1.740 -3.740
score BAYES_40 0.0001 0.0001 -0.185 -0.185
score BAYES_50 0.0001 0.0001 0.001 0.001
score BAYES_60 0.0001 0.0001 1.0 1.0
score BAYES_80 0.0001 0.0001 2.5 6.5
score BAYES_95 0.0001 0.0001 7.5 8.5
score BAYES_99 0.0001 0.0001 8.5 9.5

[dwmtractor]

I should add I also found the following scoring tweaks to be helpful in my system due to some specific spam that seemed to target us:

Code:

# Increase future date score to control Asian spam
score DATE_IN_FUTURE_12_24 3.599 3.599 3.599 3.599
score DATE_IN_FUTURE_24_48 3.599 3.599 3.599 3.599

# Increase scoring of miscellaneous ad-related traits
score RDNS_NONE 1
score HTML_MESSAGE 1
score HTML_OBFUSCATE_05_10 1
score HTML_OBFUSCATE_10_20 1
score HTML_OBFUSCATE_20_30 1.5
score HTML_OBFUSCATE_30_40 2
score HTML_OBFUSCATE_50_60 2
score HTML_OBFUSCATE_70_80 2.5
score HTML_OBFUSCATE_90_100 3
score UPPERCASE_50_75 1
score UPPERCASE_75_100 1.5

The bottom line is, once you have some basic settings in your system, you need to take a look at the headers of messages that are still coming through. See what is going on in those headers, that isn't properly being scored by your system. If you like, post a couple headers here and we'll look at them with you. Often it only takes a couple tweaks to the scoring to solve fairly significant spam problems...and once solved, I find it to be pretty much set-and-forget.