Zimbra Forums
07-05-2009, 02:22 AM
SpamAssassin Additional Rules

SpamAssassin :: Botnet Plugin - By John Rudd
Quote:
Botnet is a SpamAssassin plugin which attempts to identify whether or not a message was submitted via a botnet host. It does this by looking at its DNS characteristics.
__________________
Last edited by uxbod : 07-05-2009 at 05:05 AM.
Reason: Changed title so less specific
07-05-2009, 05:07 AM
If anybody else is getting hit by SPAM with a URL that contains spaces, here is a rule that was posted on the MailScanner mailing list. Seems to work a treat with no FPs.
Code:
# Rule to find URLs with spaces
body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
score ASDM_OBF_URL 4.5
describe ASDM_OBF_URL URLs with spaces
Either add it to /opt/zimbra/conf/salocal.cf.in and restart ZCS, or create your own .cf under /opt/zimbra/conf/spamassassin.
__________________
07-05-2009, 11:53 AM
Thanks ubox. Really helpful.
07-10-2009, 06:24 AM
Another decent RBL :- Spam DNS Lists - Computer Tyme Support Wiki
Some statistics on how it performs against other RBLs :- Blacklists Compared
And the rules in /opt/zimbra/conf/salocal.cf.in to use it (remember to restart ZCS to write the change out to salocal.cf) :-
Code:
header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net
header RCVD_IN_JMF_WL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_WL Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_WL net nice
score RCVD_IN_JMF_WL -1.5
header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 1.5
header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 0.5
__________________
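The rules above consult only the last external relay, and each check_rbl_sub() line fires on one specific return address. As an added example (not part of uxbod's post, nor hostkarma's or SpamAssassin's own code), the following Python script models what those lines do for a single message: pick the last external relay from the Received: chain, build the reversed-IP DNSBL query name, and map the returned A records onto the RCVD_IN_JMF_* sub-rules and their posted scores. Live DNS is replaced by a constructed answer table so it runs offline; the trusted network 192.0.2.0/24 and every relay IP are assumptions drawn from the RFC 5737 documentation ranges, and SpamAssassin's trust-path logic is simplified to "first relay outside trusted_networks".

```python
"""Offline model of the hostkarma (JMF) DNSBL rules posted above. Added example."""
import ipaddress

ZONE = "hostkarma.junkemailfilter.com."  # zone named in the posted check_rbl() line

# Assumption: our own MX and internal hops (SpamAssassin's trusted_networks).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Sub-rule -> (return code, score), exactly as in the posted rules.
JMF_SUBRULES = {
    "RCVD_IN_JMF_WL": ("127.0.0.1", -1.5),  # JMF-WHITE
    "RCVD_IN_JMF_BL": ("127.0.0.2", 1.5),   # JMF-BLACK
    "RCVD_IN_JMF_BR": ("127.0.0.4", 0.5),   # JMF-BROWN
}

# Constructed stand-in for live DNS: query name -> A records. Missing key = NXDOMAIN.
FAKE_DNS = {
    "10.113.0.203." + ZONE: ["127.0.0.2"],                 # listed as BLACK
    "20.100.51.198." + ZONE: ["127.0.0.1"],                # listed as WHITE
    "30.100.51.198." + ZONE: ["127.0.0.2", "127.0.0.4"],   # BLACK and BROWN at once
}


def last_external_relay(relay_ips):
    """relay_ips: relay addresses from the Received: chain, topmost (newest) first.

    '-lastexternal' means the first relay, scanning down from our own MX, that lies
    outside trusted_networks: the host that handed the mail to us. Hops further
    down the chain are not consulted (simplified model of SA's trust path).
    """
    for ip in relay_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in TRUSTED_NETWORKS):
            return addr
    return None  # everything was internal: SA would not query the list at all


def rbl_query_name(addr, zone=ZONE):
    """Reverse the dotted quad and append the zone: 203.0.113.10 -> 10.113.0.203.<zone>"""
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def score_answers(answers):
    """check_rbl_sub semantics: every returned code fires its own sub-rule."""
    hits = sorted(name for name, (code, _) in JMF_SUBRULES.items() if code in answers)
    return sum((JMF_SUBRULES[h][1] for h in hits), 0.0), hits


def check_message(relay_ips, resolver=FAKE_DNS):
    """End to end: relay chain -> last external -> DNSBL lookup -> (score, rules hit)."""
    addr = last_external_relay(relay_ips)
    if addr is None:
        return 0.0, []
    answers = resolver.get(rbl_query_name(addr))
    if answers is None:  # NXDOMAIN: not listed, nothing fires
        return 0.0, []
    return score_answers(answers)


if __name__ == "__main__":
    # Constructed Received: chain: our MX, the sender's MTA, then its upstream hop.
    chain = ["192.0.2.5", "203.0.113.10", "198.51.100.7"]
    print(rbl_query_name(last_external_relay(chain)))
    print(check_message(chain))
```

Note that in the third FAKE_DNS entry two codes come back at once, so both RCVD_IN_JMF_BL and RCVD_IN_JMF_BR fire and the scores add up; that is also how the posted rules behave, since each check_rbl_sub() is evaluated independently against the full answer set.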
07-11-2009, 08:34 AM
If you are being hit by obfuscation SPAM then these rules may help out.
Code:
################################################################################
# Obfuscation Rules
################################################################################
body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
describe ASDM_OBF_URL URLs with spaces
score ASDM_OBF_URL 2.0
body URI_OBFU_XX99_WS /\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe URI_OBFU_XX99_WS Space-obfuscated xxx999 URI
score URI_OBFU_XX99_WS 2.0
body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP /\b[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT /\b[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 2.0
__________________
07-17-2009, 02:47 AM
Updated AE_MED42 rule to 44
Code:
body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED44 Shorter rule to catch spam obfuscation
score AE_MED44 2.0
Courtesy of Dan M from the SpamAssassin mailing list.
__________________
07-26-2009, 02:46 AM
Updated to 47 as the Spammers have changed the obfuscation.
Code:
body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
meta AE_MED47 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED47 Shorter rule to catch spam obfuscation
score AE_MED47 4.0
__________________
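Before dropping any of the regex rules posted in this thread into salocal.cf it pays to see exactly what they match and, just as important, what they leave alone. The following Python script is an added example, not from the posts above or from SpamAssassin itself: it translates the /.../i rule literals (which use POSIX bracket classes such as [[:punct:]] that Python's re module lacks) into Python patterns and evaluates constructed ham and spam bodies against the URLs-with-spaces rule, URI_OBFU_XX99_WS and the AE_MED47 meta rule, using the scores from the posts (2.0, 2.0 and 4.0). The sample bodies are made up, and the mapping of [[:space:]] to \s is an approximation that makes no difference for these rules.

```python
"""Offline harness for the SpamAssassin body/meta rules posted in this thread.

Added example, not part of the original posts. Translates the Perl-style rule
regexes into Python and scores constructed message bodies the way SA's 'body'
and 'meta' rules would, so a rule can be sanity-checked (including its
false-positive guard) before it goes live.
"""
import re
import string

# POSIX bracket classes used by the posted rules -> Python equivalents.
# Approximation: Perl's [[:space:]] and Python's \s differ only in exotic whitespace.
POSIX_CLASSES = {
    "alpha": "a-zA-Z",
    "alnum": "a-zA-Z0-9",
    "digit": "0-9",
    "space": r"\s",
    "punct": re.escape(string.punctuation),  # safe inside a character class
}


def compile_sa_regex(rule: str) -> re.Pattern:
    """Compile a SpamAssassin '/regex/flags' literal as a Python pattern."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", rule, re.DOTALL)
    if not m:
        raise ValueError(f"not a /regex/flags literal: {rule!r}")
    body, flags = m.groups()
    # Function replacement: the return value is inserted verbatim, backslashes intact.
    body = re.sub(r"\[:(\w+):\]", lambda c: POSIX_CLASSES[c.group(1)], body)
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


# Body rules copied from the posts above (leading '__' = sub-rule, no score of its own).
BODY_RULES = {
    "ASDM_OBF_URL": r"/www\.\s(.+?)\s[A-Za-z]{2,4}/i",
    "URI_OBFU_XX99_WS": r"/\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i",
    "__MED_OB": r"/\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i",
    "__MED_NOT_OB": r"/\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i",
}
COMPILED = {name: compile_sa_regex(rx) for name, rx in BODY_RULES.items()}

# Meta rules: name -> predicate over the set of body hits (AE_MED47 as posted).
META_RULES = {
    "AE_MED47": lambda hits: "__MED_OB" in hits and "__MED_NOT_OB" not in hits,
}

SCORES = {"ASDM_OBF_URL": 2.0, "URI_OBFU_XX99_WS": 2.0, "AE_MED47": 4.0}

# Constructed sample bodies (not real mail).
SAMPLE_BODIES = {
    "spaced_dots": "Great deals at www . example12 . com this week only",
    "dot_word": "order now at www dot example99 dot com",
    "spaced_url": "Go to www. example com and see",
    "plain_ham": "Agenda for Monday is posted at www.example12.com as usual",
}


def evaluate(body: str):
    """Return (total score, sorted scoring rule names) for one message body."""
    hits = {name for name, rx in COMPILED.items() if rx.search(body)}
    hits |= {name for name, test in META_RULES.items() if test(hits)}
    scoring = sorted(h for h in hits if not h.startswith("__"))
    return sum((SCORES.get(h, 0.0) for h in scoring), 0.0), scoring


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:12s} -> {evaluate(body)}")
```

The plain_ham body shows why the __MED_NOT_OB guard exists: __MED_OB on its own matches a perfectly ordinary www.example12.com, and only the negated sub-rule in the meta keeps AE_MED47 from scoring it. Swapping in your own ham corpus for SAMPLE_BODIES is the quickest way to confirm a new rule is FP-free before the restart.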
07-28-2009, 08:02 AM
Quote: Originally Posted by uxbod
I'm just starting to investigate how to tighten our Zimbra server's spam settings. Are there instructions anywhere for installing something like this?
07-28-2009, 08:06 AM
Copy both files into /opt/zimbra/conf/spamassassin and ensure that the permissions and ownership are zimbra:zimbra 444. You can then modify BotNet.cf to your own scores.
__________________
08-01-2009, 01:53 AM
SpamAssassin Additional Rules :: RelayCountry

Well, thought I would post a quick how-to, which appears to work for both 5.0.18 and 6.0 RC1, to get the SA RelayCountry plug-in going so you can score based on which country an email has been relayed through. So here goes :-

1) You will need to install the Perl module IP::Country::Fast, which can either be done by grabbing it from your repo or using
Code:
perl -MCPAN -e 'install IP::Country::Fast'

2) You will need to create a new amavis custom configuration file with the following content
Code:
package Amavis::Custom;
BEGIN {
    import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
    import Amavis::Util qw(do_log untaint safe_encode safe_decode);
    import Amavis::rfc2821_2822_Tools;
    import Amavis::Notify qw(build_mime_entity);
}

sub new {
    my($class,$conn,$msginfo) = @_;
    my($self) = bless {}, $class;
    $self;  # returning an object activates further callbacks,
            # returning undef disables them
}

sub before_send {
    my($self,$conn,$msginfo) = @_;
    # only add the headers when every recipient is local
    my($all_local) = !grep { !$_->recip_is_local } @{$msginfo->per_recip_data};
    if ($all_local) {
        my($hdr_edits) = $msginfo->header_edits;
        my($rly_country) = $msginfo->supplementary_info('RELAYCOUNTRY');
        $hdr_edits->add_header('X-Relay-Countries', $rly_country)
            if defined $rly_country && $rly_country ne '';
        my($languages) = $msginfo->supplementary_info('LANGUAGES');
        $hdr_edits->add_header('X-Spam-Languages', $languages)
            if defined $languages && $languages ne '';
    }
}

1;  # insure a defined return
and write that into /opt/zimbra/conf/amavisd-custom.conf with the permissions zimbra:zimbra read only.

3) Update /opt/zimbra/conf/amavisd.conf.in and add the following line at the end of the file
Code:
include_config_files('/opt/zimbra/conf/amavisd-custom.conf');
This has to be before the line
Code:
1; # insure a defined return

4) Now enable the actual plugin by unhashing loadplugin Mail::SpamAssassin::Plugin::RelayCountry in /opt/zimbra/conf/spamassassin/init.pre

5) Update /opt/zimbra/conf/spamassassin/salocal.cf and add the following
Code:
add_header all Relay-Country _RELAYCOUNTRY_

6) Now restart amavis using
Code:
su - zimbra
zmamavisdctl restart

7) When your next few emails come in, check the headers, as you should now see something like
Code:
X-Relay-Countries: US

8) With this new header in place you can now create your own custom rules in /opt/zimbra/conf/spamassassin/local.cf, e.g.
Code:
header RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
describe RELAYCOUNTRY_CN Relayed through China
score RELAYCOUNTRY_CN 0.5

Good luck and I hope you find that useful.
__________________
Last edited by uxbod : 08-01-2009 at 02:32 AM.