  #1 (permalink)  
Old 03-12-2010, 06:17 AM
Junior Member
 
Posts: 5
More Spam after upgrading to 6.0.5

I recently upgraded Zimbra from 6.0.4 to 6.0.5. I did not change any settings during the upgrade. However, the amount of Spam reaching users' inboxes has increased noticeably. Is there something I'm missing when it comes to performing an upgrade?
  #2 (permalink)  
Old 03-12-2010, 07:13 AM
Moderator
 
Posts: 7,928

Prior to upgrading had you made any changes to Zimbra or even modified anything like salocal.cf ?
  #3 (permalink)  
Old 03-12-2010, 04:12 PM
Junior Member
 
Posts: 5

Quote:
Originally Posted by uxbod
Prior to upgrading had you made any changes to Zimbra or even modified anything like salocal.cf ?
The only file I have modified manually is /opt/zimbra/postfix/conf/master.cf to enable the alternate SMTP port. Here is the content of my salocal.cf file:

header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 1.5

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.5

trusted_networks 127.0.0.0/8 xxx.xxx.xxx.0/27
lock_method flock

rewrite_header Subject *SPAM* _STARS(*)_
bayes_auto_learn 1
bayes_min_spam_num 60
bayes_min_ham_num 60
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
  #4 (permalink)  
Old 03-13-2010, 12:47 AM
Moderator
 
Posts: 7,928

Do you mean more SPAM is being processed or that more is ending up in your Inbox? Perhaps you could post the headers from one?
  #5 (permalink)  
Old 03-13-2010, 07:55 AM
Junior Member
 
Posts: 5

Quote:
Originally Posted by uxbod
Do you mean more SPAM is being processed or that more is ending up in your Inbox? Perhaps you could post the headers from one?
More is ending up in the inboxes. Here are the headers from one that made it to my inbox:

X-Virus-Scanned: amavisd-new at myserver
X-Spam-Flag: NO
X-Spam-Score: 6.392
X-Spam-Level: ******
X-Spam-Status: No, score=6.392 tagged_above=-10 required=6.6
tests=[AWL=-0.146, BAYES_50=0.001, EXCUSE_24=2.596,
HS_INDEX_PARAM=0.001, HTML_IMAGE_RATIO_02=0.383, HTML_MESSAGE=0.001,
RDNS_NONE=0.1, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501] autolearn=no


Here are the headers from one that did get scored high enough to be marked as spam:

X-Virus-Scanned: amavisd-new at mx.mdsc.com
X-Spam-Flag: YES
X-Spam-Score: 12.643
X-Spam-Level: ************
X-Spam-Status: Yes, score=12.643 tagged_above=-10 required=6.6
tests=[BAYES_99=3.5, DRUGS_ERECTILE=0.282, HTML_MESSAGE=0.001,
RCVD_IN_PBL=0.905, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501,
URIBL_OB_SURBL=1.5, URIBL_SBL=1.499, URIBL_WS_SURBL=1.5]
autolearn=spam
  #6 (permalink)  
Old 03-13-2010, 08:13 AM
Moderator
 
Posts: 7,928

You should look at adding some more RBLs using SpamAssassin. If you are a low-volume system (< 100k DNS lookups per day) you can add this to your config:
Code:
################################################################################
# SpamRats RBL (www.spamrats.com)
################################################################################
header     RCVD_IN_SPAMRATS_DYNA  eval:check_rbl('spamratsdyna','dyna.spamrats.com.')
describe   RCVD_IN_SPAMRATS_DYNA  Sender listed in SpamRats DYNA
tflags     RCVD_IN_SPAMRATS_DYNA  net
score      RCVD_IN_SPAMRATS_DYNA  2

header     RCVD_IN_SPAMRATS_NOPTR  eval:check_rbl('spamratsnoptr','noptr.spamrats.com.')
describe   RCVD_IN_SPAMRATS_NOPTR  Sender listed in SpamRats NOPTR
tflags     RCVD_IN_SPAMRATS_NOPTR  net
score      RCVD_IN_SPAMRATS_NOPTR  2

################################################################################
# JunkEMailFilter RBL (www.junkemailfilter.com)
################################################################################
header          __RCVD_IN_JMF         eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe        __RCVD_IN_JMF         Sender listed in JunkEmailFilter
tflags          __RCVD_IN_JMF         net

header          RCVD_IN_JMF_W         eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe        RCVD_IN_JMF_W         Sender listed in JMF-WHITE
tflags          RCVD_IN_JMF_W         net nice
score           RCVD_IN_JMF_W         -1.5

header          RCVD_IN_JMF_BL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe        RCVD_IN_JMF_BL        Sender listed in JMF-BLACK
tflags          RCVD_IN_JMF_BL        net
score           RCVD_IN_JMF_BL        1.5

header          RCVD_IN_JMF_BR        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe        RCVD_IN_JMF_BR        Sender listed in JMF-BROWN
tflags          RCVD_IN_JMF_BR        net
score           RCVD_IN_JMF_BR        0.6

################################################################################
# SPAMEatingMonkey RBL (www.spameatingmonkey.net)
################################################################################
header          RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
tflags          RCVD_IN_SEMBACKSCATTER net
describe        RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
score           RCVD_IN_SEMBACKSCATTER 0.5

header          RCVD_IN_SEMBLACK       eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
tflags          RCVD_IN_SEMBLACK       net
describe        RCVD_IN_SEMBLACK       Received from an IP listed by SEM-BLACK
score           RCVD_IN_SEMBLACK       0.5

urirhssub       SEM_URI                uribl.spameatingmonkey.net. A 2
body            SEM_URI                eval:check_uridnsbl('SEM_URI')
describe        SEM_URI                Contains a URI listed by SEM-URI
tflags          SEM_URI                net
score           SEM_URI                0.5

urirhssub       SEM_URIRED             urired.spameatingmonkey.net. A 2
body            SEM_URIRED             eval:check_uridnsbl('SEM_URIRED')
describe        SEM_URIRED             Contains a URI listed by SEM-URIRED
tflags          SEM_URIRED             net
score           SEM_URIRED             0.5

urirhssub       SEM_FRESH              fresh.spameatingmonkey.net. A 2
body            SEM_FRESH              eval:check_uridnsbl('SEM_FRESH')
describe        SEM_FRESH              Contains a domain registered less than 5 days ago
tflags          SEM_FRESH              net
score           SEM_FRESH              0.5
You should also search the forums for SaneSecurity signatures.
Reply With Quote
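How the `check_rbl` and `check_rbl_sub` rules in the post above turn a relay IP into DNS queries and rule hits, as an added example that is not part of the original post. It is a simplified model of the SpamRats and JunkEmailFilter rules only (the SEM URI rules are not modelled); the resolver data, the `127.0.0.36` answer and the helper names are constructed for illustration.

```python
import ipaddress
import socket

# (zone, required answer or None for "any answer", rule, score),
# copied from the SpamRats and JunkEmailFilter rules in the post above.
RULES = [
    ("dyna.spamrats.com", None, "RCVD_IN_SPAMRATS_DYNA", 2.0),
    ("noptr.spamrats.com", None, "RCVD_IN_SPAMRATS_NOPTR", 2.0),
    ("hostkarma.junkemailfilter.com", "127.0.0.1", "RCVD_IN_JMF_W", -1.5),
    ("hostkarma.junkemailfilter.com", "127.0.0.2", "RCVD_IN_JMF_BL", 1.5),
    ("hostkarma.junkemailfilter.com", "127.0.0.4", "RCVD_IN_JMF_BR", 0.6),
]

def dnsbl_qname(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."

def system_resolver(qname):
    """Return the A records for qname, or [] when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

def evaluate(ip, resolve=system_resolver):
    """Return {rule: score} for the rules above that would fire for this relay IP."""
    hits, cache = {}, {}
    for zone, wanted, rule, score in RULES:
        if zone not in cache:  # one query per zone; the sub-rules reuse its answer
            cache[zone] = resolve(dnsbl_qname(ip, zone))
        answers = cache[zone]
        if answers and (wanted is None or wanted in answers):
            hits[rule] = score
    return hits

# Constructed resolver data for an offline run; 192.0.2.10 is a documentation address.
FAKE_ZONE = {
    "10.2.0.192.hostkarma.junkemailfilter.com.": ["127.0.0.2"],
    "10.2.0.192.dyna.spamrats.com.": ["127.0.0.36"],
}

def fake_resolver(qname):
    return FAKE_ZONE.get(qname, [])

if __name__ == "__main__":
    print(evaluate("192.0.2.10", fake_resolver))
    # Live check, assuming the list publishes the RFC 5782 test entry: evaluate("127.0.0.2")
```

Every call to `evaluate` with the system resolver costs one DNS query per zone, which is what the lookups-per-day limit mentioned in the post counts.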
  #7 (permalink)  
Old 04-07-2010, 10:03 AM
Senior Member
 
Posts: 63

We are also seeing a lot more spam ending up in the inbox since upgrading from 5.018 to 6.05 a few weeks ago. We are not doing any DNSBL checks ahead of SA as we had too many issues with FPs. Server load/bandwidth is not really any issue, so we'd rather just score the DNSBL checks. I've added your code to salocal.cf.in as follows - how can I check that it is working correctly?

Code:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 1.5

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.5

%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
%%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%

rewrite_header Subject *SPAM* _STARS(*)_
bayes_auto_learn 1
bayes_min_spam_num 60
bayes_min_ham_num 60
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

# SLS changes 
score FORGED_MUA_OUTLOOK 0

# below is from http://www.zimbra.com/forums/administrators/38209-more-spam-after-upgrading-6-0-5-a.html
# 7/Apr/2010 9:02
################################################################################
# SpamRats RBL (www.spamrats.com)
################################################################################
header     RCVD_IN_SPAMRATS_DYNA  eval:check_rbl('spamratsdyna','dyna.spamrats.com.')
describe   RCVD_IN_SPAMRATS_DYNA  Sender listed in SpamRats DYNA
tflags     RCVD_IN_SPAMRATS_DYNA  net
score      RCVD_IN_SPAMRATS_DYNA  2

header     RCVD_IN_SPAMRATS_NOPTR  eval:check_rbl('spamratsnoptr','noptr.spamrats.com.')
describe   RCVD_IN_SPAMRATS_NOPTR  Sender listed in SpamRats NOPTR
tflags     RCVD_IN_SPAMRATS_NOPTR  net
score      RCVD_IN_SPAMRATS_NOPTR  2

################################################################################
# JunkEMailFilter RBL (www.junkemailfilter.com)
################################################################################
header          __RCVD_IN_JMF         eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe        __RCVD_IN_JMF         Sender listed in JunkEmailFilter
tflags          __RCVD_IN_JMF         net

header          RCVD_IN_JMF_W         eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe        RCVD_IN_JMF_W         Sender listed in JMF-WHITE
tflags          RCVD_IN_JMF_W         net nice
score           RCVD_IN_JMF_W         -1.5

header          RCVD_IN_JMF_BL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe        RCVD_IN_JMF_BL        Sender listed in JMF-BLACK
tflags          RCVD_IN_JMF_BL        net
score           RCVD_IN_JMF_BL        1.5

header          RCVD_IN_JMF_BR        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe        RCVD_IN_JMF_BR        Sender listed in JMF-BROWN
tflags          RCVD_IN_JMF_BR        net
score           RCVD_IN_JMF_BR        0.6

################################################################################
# SPAMEatingMonkey RBL (www.spameatingmonkey.net)
################################################################################
header          RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
tflags          RCVD_IN_SEMBACKSCATTER net
describe        RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
score           RCVD_IN_SEMBACKSCATTER 0.5

header          RCVD_IN_SEMBLACK       eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
tflags          RCVD_IN_SEMBLACK       net
describe        RCVD_IN_SEMBLACK       Received from an IP listed by SEM-BLACK
score           RCVD_IN_SEMBLACK       0.5

urirhssub       SEM_URI                uribl.spameatingmonkey.net. A 2
body            SEM_URI                eval:check_uridnsbl('SEM_URI')
describe        SEM_URI                Contains a URI listed by SEM-URI
tflags          SEM_URI                net
score           SEM_URI                0.5

urirhssub       SEM_URIRED             urired.spameatingmonkey.net. A 2
body            SEM_URIRED             eval:check_uridnsbl('SEM_URIRED')
describe        SEM_URIRED             Contains a URI listed by SEM-URIRED
tflags          SEM_URIRED             net
score           SEM_URIRED             0.5

urirhssub       SEM_FRESH              fresh.spameatingmonkey.net. A 2
body            SEM_FRESH              eval:check_uridnsbl('SEM_FRESH')
describe        SEM_FRESH              Contains a domain registered less than 5 days ago
tflags          SEM_FRESH              net
score           SEM_FRESH              0.5
  #8 (permalink)  
Old 04-07-2010, 10:51 AM
Moderator
 
Posts: 7,928

Right click on one of the emails in the Junk folder and select "Show Original" ... take a look at the headers and it should show which rules and RBLs have been hit. Once you added to the salocal.cf.in did you perform a restart ?
  #9 (permalink)  
Old 04-07-2010, 11:07 AM
Senior Member
 
Posts: 63

Quote:
Originally Posted by uxbod
Right click on one of the emails in the Junk folder and select "Show Original" ... take a look at the headers and it should show which rules and RBLs have been hit. Once you added to the salocal.cf.in did you perform a restart ?
I did do a zmamavisdctl reload - is that enough? I have not had any spam show up in junk since then. Below are headers from a spammy message in the inbox:

X-Spam-Flag: NO
X-Spam-Score: 1.958
X-Spam-Level: *
X-Spam-Status: No, score=1.958 tagged_above=-10 required=4
tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MISSING_MID=0.001,
URIBL_BLACK=1.955] autolearn=no

I've also seen this:

X-Spam-Status: No, score=-1.885 tagged_above=-10 required=4 tests=[AWL=0.713,
BAYES_00=-2.599, HTML_MESSAGE=0.001] autolearn=unavailable

and:

X-Spam-Status: No, score=-3.738 tagged_above=-10 required=4
tests=[ALL_TRUSTED=-1.8, AWL=0.660, BAYES_00=-2.599,
HTML_MESSAGE=0.001] autolearn=ham

What is the significance of the 'autolearn' tag?
Reply With Quote
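One way to do the header check suggested in this exchange across many messages, as an added example that is not part of the original posts: it parses a folded `X-Spam-Status` header, reports how far the score is from the threshold, and lists which of the rules added to salocal.cf.in actually fired. The function name and the second sample header are constructed for illustration; the first header is the one posted above.

```python
import re

# Scored rule names from the RBL block added to salocal.cf.in in this thread.
ADDED_RULES = {
    "RCVD_IN_SPAMRATS_DYNA", "RCVD_IN_SPAMRATS_NOPTR",
    "RCVD_IN_JMF_W", "RCVD_IN_JMF_BL", "RCVD_IN_JMF_BR",
    "RCVD_IN_SEMBACKSCATTER", "RCVD_IN_SEMBLACK",
    "SEM_URI", "SEM_URIRED", "SEM_FRESH",
}
NUM = r"(-?\d+(?:\.\d+)?)"

def parse_spam_status(header):
    """Parse an X-Spam-Status header in the format shown in the thread (folded lines allowed)."""
    text = " ".join(header.split())  # unfold continuation lines
    score = float(re.search(r"\bscore=" + NUM, text).group(1))
    required = float(re.search(r"\brequired=" + NUM, text).group(1))
    tests_field = re.search(r"tests=\[(.*?)\]", text)
    tests = {}
    if tests_field:
        for name, value in re.findall(r"(\w+)=" + NUM, tests_field.group(1)):
            tests[name] = float(value)
    autolearn = re.search(r"autolearn=(\w+)", text)
    return {
        "score": score,
        "required": required,
        "margin": round(required - score, 3),        # points short of the spam threshold
        "tests_sum": round(sum(tests.values()), 3),  # should equal the reported score
        "added_hits": sorted(ADDED_RULES.intersection(tests)),
        "autolearn": autolearn.group(1) if autolearn else None,
        "tests": tests,
    }

# Header posted in #9 (message delivered to the inbox after the reload).
POST9 = """X-Spam-Status: No, score=1.958 tagged_above=-10 required=4
tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MISSING_MID=0.001,
URIBL_BLACK=1.955] autolearn=no"""

# Constructed header (not from the thread) showing what hits on the added rules look like.
CONSTRUCTED = """X-Spam-Status: Yes, score=5.957 tagged_above=-10 required=4
tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_JMF_BL=1.5,
RCVD_IN_SPAMRATS_DYNA=2, SEM_URI=0.5, URIBL_BLACK=1.955] autolearn=no"""

if __name__ == "__main__":
    for label, hdr in (("post #9", POST9), ("constructed", CONSTRUCTED)):
        r = parse_spam_status(hdr)
        print(label, r["score"], r["required"], r["margin"], r["added_hits"])
```

An empty `added_hits` on a single message is not proof the rules are inactive, since the sending relay may simply not be listed; an empty result across every message received after the reload is the signal worth investigating.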
  #10 (permalink)  
Old 04-07-2010, 11:57 AM
Moderator
 
Posts: 7,928

Would you be able to post one of the SPAM emails here :- Spamalyser and send me the link so I can run it through my system ?