Help me understand this SPAM please

[kazooless]

I would like to understand a little more about the way Zimbra looks at this SPAM message. ZIMBRA is configured with a kill percent of 75 and a tag percent of 33. The following SPAM seems so blatant that I am wondering why it isn't above 75.

Here are SPAM headers:

X-DSPAM-Result: Spam
X-DSPAM-Class: Spam
X-DSPAM-Confidence: 0.54
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: N/A
X-Virus-Scanned: amavisd-new at kazules.com
X-Spam-Flag: YES
X-Spam-Score: 11.557
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.557 tagged_above=-10 required=6.6
tests=[BAYES_50=0.001, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457,
UNPARSEABLE_RELAY=0.001, DSPAM:Spam=10.000] autolearn=no

And here is the body:

Subject: Junk:Shoot your gin into her vagina
Your girl will get used to be in legs-spread position, after you buy our male boosters! Make air boil of heat!

I don't understand the scores here. Any insight as to what I can do to increase the chances of this filth being rejected would be appreciated.

Thanks,

Kazoo

[dwmtractor]

Hey Kazoo,

As I'm sure you know, the spam engine scores mail on the basis of various header and/or content. I'm not at a Zimbra machine at the moment to check, but I would have thought there's a filter somewhere for the keyword "vagina" and I'd certainly look at putting in such a keyword filter. Frankly, none of the rest of the words are going to be unique enough to categorize the message as sexual in nature, even though when we look at the phrases built from the words, they're obviously not medical terminology!

Here's what I can tel you about your scores:

The percentages of tag and kill are percentages of 20 total points. That means that to get absolutely wiped out (blocked, not in the junk folder) your message's total spam score would have to be >= 15 (75% of 20). To not hit the junk folder at all, the score has to be < 6.67. In between, it hits the junk folder. Personally I think those scores are too generous. As I have detailed in several locations but probably best here, there are a variety of tweaks that I have found make the spam system pretty darn effective. The simple start is dropping your tag percentage to 15 and your kill percentage (if you like) to 50 or less (FWIW, I have NEVER seen legitimate mail get over a 3 or 4-point hit with all of my filters, and even that is quite rare).

Of all the recommendations I described in the post I linked, I strongly recommend that you enable the RBLs which don't currently show on your headers. That plus some scoring tweaks should help a lot.

[kazooless]

Thanks. I'll go back to that thread and re-educate myself. I recently turned off gray listing out of frustration when signing up on a forum and having to wait one too many times. The system has been running for a long time now, and I'm still extremely impressed with Zimbra. I thought I'd look into the spam I still receive and try to do a little tweaking.

Thanks again,

kazoo

[kazooless]

Interestingly, in the spamassasin local.cf file, none of the options are enabled. (e.g. "# use_bayes 1," "# bayes_auto_learn 1," etc.). They are all remarked out. But I thought by default Zimbra was learning from the junk folders of each mail user. ???

[dwmtractor]

That's not the file where they are. local.cf is the last file parsed, so any tweaks you put in there (your own custom stuff) overrides the settings in any of the other SA files, but you won't find much there in a default installation.

[kazooless]

Dan,

Here is another one. This is before I just now applied your tweaks to the local.cf file, but I have no idea why this e-mail is rated so low. (DSPAM INNOCENT? SCORE=4.121?) This particular user gets a ton of spam, and I am wondering if there is something in my config that treats her differently than the rest of my users. Possible?

Return-Path: vanhofwegennfcurbxymshd1979@hotmail.com
Received: from mail.kazules.com (LHLO mail.kazules.com) (192.168.0.10) by
mail.kazules.com with LMTP; Mon, 30 Nov 2009 16:10:30 -0800 (PST)
Received: from localhost (localhost.kazules.com [127.0.0.1])
by mail.kazules.com (Postfix) with ESMTP id 5B2D81ED41E7
for <email address hidden for this post>; Mon, 30 Nov 2009 16:10:30 -0800 (PST)
X-DSPAM-Result: Innocent
X-DSPAM-Class: Innocent
X-DSPAM-Confidence: 0.99
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: N/A
X-Virus-Scanned: amavisd-new at kazules.com
X-Spam-Flag: NO
X-Spam-Score: 4.121
X-Spam-Level: ****
X-Spam-Status: No, score=4.121 tagged_above=-10 required=6.6
tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, URI_NOVOWEL=1.62,
DSPAM:Innocent=-1.000] autolearn=no
Received: from mail.kazules.com ([127.0.0.1])
by localhost (mail.kazules.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id H0nOOZ1Odd5w for <email address hidden for this post>;
Mon, 30 Nov 2009 16:10:26 -0800 (PST)
Received: from snt0-omc2-s30.snt0.hotmail.com (snt0-omc2-s30.snt0.hotmail.com [65.55.90.105])
by mail.kazules.com (Postfix) with ESMTP id 3016C1ED41E4
for <email address hidden for this post>; Mon, 30 Nov 2009 16:10:25 -0800 (PST)
Received: from SNT122-W22 ([65.55.90.72]) by snt0-omc2-s30.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 30 Nov 2009 16:10:21 -0800
Message-ID: <SNT122-W22AC185C3BFC54D4F3B269B2960@phx.gbl>
Content-Type: multipart/alternative;
boundary="_a0649033-9bfc-4340-b9b2-59c799af139c_"
X-Originating-IP: [212.200.215.178]
From: Tamra Vanhofwegen <vanhofwegennfcurbxymshd1979@hotmail.com>
To: <shayna_396@yahoo.com>
Subject: Little sweety suuicking and fu-icking thick diik
Date: Mon, 30 Nov 2009 19:10:21 -0500
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 01 Dec 2009 00:10:21.0283 (UTC) FILETIME=[ABF00330:01CA721A]

--_a0649033-9bfc-4340-b9b2-59c799af139c_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Wm&#39;s space - Windows Live
Let us first perform our devotions at the fane. A thought formed at last: B=
oastful fool=2C Ineznia!
Sir Lenard uttered a grim laugh. He found himself wondering what the office=
r was thinking=2C doing.
From your point of view=2C this is a happy situation. He could easily run t=
wo miles to their one. =20
__________________________________________________ _______________
Windows Live: Friends get your Flickr=2C Yelp=2C and Digg updates when they=
e-mail you.
http://www.microsoft.com/middleeast/...-in-action/so=
cial-network-basics.aspx?ocid=3DPID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092=
010=

--_a0649033-9bfc-4340-b9b2-59c799af139c_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
<A href=3D"http://Bolusgwwmwrqhzqauxe1987.spaces.live.com/">http://Bolusgww=
mwrqhzqauxe1987.spaces.live.com/</A><BR>Let us first perform our devotions =
at the fane. A thought formed at last: Boastful fool=2C Ineznia!<BR>Sir Len=
ard uttered a grim laugh. He found himself wondering what the officer was t=
hinking=2C doing.<BR>From your point of view=2C this is a happy situation. =
He could easily run two miles to their one. <br /><hr />Windows =
Live: <a href=3D'http://www.microsoft.com/middleeast/windows/windowslive/s=
ee-it-in-action/social-network-basics.aspx?ocid=3DPID23461::T:WLMTAGL:ON:WL=
:en-xm:SI_SB_3:092010' target=3D'_new'>Friends get your Flickr=2C Yelp=2C a=
nd Digg updates when they e-mail you.</a></body>
</html>=

--_a0649033-9bfc-4340-b9b2-59c799af139c_--

[dwmtractor]

Unfortunately, Kazoo, I don't use DSPAM at all, so I really can't comment on why it does what it does. I've stuck to the RBLs and SpamAssassin, and that combination has served me well enough I haven't bothered to put any other solutions in place. I'm afraid I'll have to defer to others where DSPAM is concerned. If Phoenix is online, I think he might be able to help you there; if memory serves he uses it. . .

[kazooless]

I see, but isn't that just -1 part of the entire score? Seems like the rest of the SA score should be much higher. Could the DSPAM be affecting it worse than the -1?

I made all the changes you suggested in the thread you linked, so we'll see over the next few days how that's working out.

Thanks for the help, as always.

kazoo

[veronica]

If you feel DSPAM is assigning -ve scores to spam emails, you can very well disable it in conf/amavis.conf.in
comment this line %%uncomment LOCAL:amavis_dspam_enabled%%$dspam = '/opt/zimbra/dspam/bin/dspam';

and zmamavisdctl stop
zmamavisdctl start

[dwmtractor]

Take a look at your header, Kazu. I'll reproduce it here without the distracting stuff:

Code:

X-Spam-Status: No, score=4.121 tagged_above=-10 required=6.6
	tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, URI_NOVOWEL=1.62,
	DSPAM:Innocent=-1.000]

That's all there is. Add the scores in "tests" and you'll see that they add up to 4.121, which is the total score tagged. Now, the changed tag & kill percentages (get tag down to 3) will at least land this in the Junk folder. If you make all the changes I did, a BAYES_99 score will be higher than 3.5--it'll be 9.5 and it'll definitely get killed if you lowered your kill percentage below 50%. Other things you might do is to jack up the score for an HTML message (making sure that it's not so high that BAYES_0 or BAYES_10 can't reverse it--there is legitimate HTML mail, so I don't recommend scoring HTML higher than 1 or 2). Then there's the process of adding keyword filters. . .which I have never messed with because it's such a whack-a-mole process (how many different ways can you miss-spell p3n!s?).

But sure, if you find DSPAM is not filling the bill for you, you can always de-score it or turn it off.

Realistically, I think that lowering your tag and kill, up-scoring Bayes, and turning on RBLs makes a pretty solid combination.

But yeah, let it run for a week or two and then post back a header of whatever's getting thru. Just remember--nothing meaningful in the header means no filter matches. It's gotta get a hit on filters to score at all, which means the sexual content of your spam has not (yet) raised any red flags on your filters (with the possible exception of your BAYES filters, which will be trained by stuff you classify as spam).