
Thread: More Spam after upgrading to 6.0.5

  1. #1
    fragility (Junior Member)

    I recently upgraded Zimbra from 6.0.4 to 6.0.5. I did not change any settings during the upgrade. However, the amount of Spam reaching users' inboxes has increased noticeably. Is there something I'm missing when it comes to performing an upgrade?

  2. #2
    uxbod (Moderator)

    Prior to upgrading, had you made any changes to Zimbra or even modified anything like salocal.cf?

  3. #3
    fragility (Junior Member)

    Quote (originally posted by uxbod):
        Prior to upgrading, had you made any changes to Zimbra or even modified anything like salocal.cf?

    The only file I have modified manually is /opt/zimbra/postfix/conf/master.cf to enable the alternate SMTP port. Here is the content of my salocal.cf file:

    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5

    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5

    trusted_networks 127.0.0.0/8 xxx.xxx.xxx.0/27
    lock_method flock

    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

  4. #4
    uxbod (Moderator)

    Do you mean more SPAM is being processed or that more is ending up in your Inbox? Perhaps you could post the headers from one?

  5. #5
    fragility (Junior Member)

    Quote (originally posted by uxbod):
        Do you mean more SPAM is being processed or that more is ending up in your Inbox? Perhaps you could post the headers from one?

    More is ending up in the inboxes. Here are the headers from one that made it to my inbox:

    X-Virus-Scanned: amavisd-new at myserver
    X-Spam-Flag: NO
    X-Spam-Score: 6.392
    X-Spam-Level: ******
    X-Spam-Status: No, score=6.392 tagged_above=-10 required=6.6
    tests=[AWL=-0.146, BAYES_50=0.001, EXCUSE_24=2.596,
    HS_INDEX_PARAM=0.001, HTML_IMAGE_RATIO_02=0.383, HTML_MESSAGE=0.001,
    RDNS_NONE=0.1, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501] autolearn=no


    Here are the headers from one that did get scored high enough to be marked as spam:

    X-Virus-Scanned: amavisd-new at mx.mdsc.com
    X-Spam-Flag: YES
    X-Spam-Score: 12.643
    X-Spam-Level: ************
    X-Spam-Status: Yes, score=12.643 tagged_above=-10 required=6.6
    tests=[BAYES_99=3.5, DRUGS_ERECTILE=0.282, HTML_MESSAGE=0.001,
    RCVD_IN_PBL=0.905, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501,
    URIBL_OB_SURBL=1.5, URIBL_SBL=1.499, URIBL_WS_SURBL=1.5]
    autolearn=spam

  6. #6
    uxbod (Moderator)

    You should look at adding some more RBLs using SpamAssassin. If you are a low-volume system (< 100k DNS lookups per day), you can add this to your config:
    Code:
    ################################################################################
    # SpamRats RBL (www.spamrats.com)
    ################################################################################
    header     RCVD_IN_SPAMRATS_DYNA  eval:check_rbl('spamratsdyna','dyna.spamrats.com.')
    describe   RCVD_IN_SPAMRATS_DYNA  Sender listed in SpamRats DYNA
    tflags     RCVD_IN_SPAMRATS_DYNA  net
    score      RCVD_IN_SPAMRATS_DYNA  2
    
    header     RCVD_IN_SPAMRATS_NOPTR  eval:check_rbl('spamratsnoptr','noptr.spamrats.com.')
    describe   RCVD_IN_SPAMRATS_NOPTR  Sender listed in SpamRats NOPTR
    tflags     RCVD_IN_SPAMRATS_NOPTR  net
    score      RCVD_IN_SPAMRATS_NOPTR  2
    
    ################################################################################
    # JunkEMailFilter RBL (www.junkemailfilter.com)
    ################################################################################
    header          __RCVD_IN_JMF         eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
    describe        __RCVD_IN_JMF         Sender listed in JunkEmailFilter
    tflags          __RCVD_IN_JMF         net
    
    header          RCVD_IN_JMF_W         eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
    describe        RCVD_IN_JMF_W         Sender listed in JMF-WHITE
    tflags          RCVD_IN_JMF_W         net nice
    score           RCVD_IN_JMF_W         -1.5
    
    header          RCVD_IN_JMF_BL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
    describe        RCVD_IN_JMF_BL        Sender listed in JMF-BLACK
    tflags          RCVD_IN_JMF_BL        net
    score           RCVD_IN_JMF_BL        1.5
    
    header          RCVD_IN_JMF_BR        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
    describe        RCVD_IN_JMF_BR        Sender listed in JMF-BROWN
    tflags          RCVD_IN_JMF_BR        net
    score           RCVD_IN_JMF_BR        0.6
    
    ################################################################################
    # SPAMEatingMonkey RBL (www.spameatingmonkey.net)
    ################################################################################
    header          RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
    tflags          RCVD_IN_SEMBACKSCATTER net
    describe        RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
    score           RCVD_IN_SEMBACKSCATTER 0.5
    
    header          RCVD_IN_SEMBLACK       eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
    tflags          RCVD_IN_SEMBLACK       net
    describe        RCVD_IN_SEMBLACK       Received from an IP listed by SEM-BLACK
    score           RCVD_IN_SEMBLACK       0.5
    
    urirhssub       SEM_URI                uribl.spameatingmonkey.net. A 2
    body            SEM_URI                eval:check_uridnsbl('SEM_URI')
    describe        SEM_URI                Contains a URI listed by SEM-URI
    tflags          SEM_URI                net
    score           SEM_URI                0.5
    
    urirhssub       SEM_URIRED             urired.spameatingmonkey.net. A 2
    body            SEM_URIRED             eval:check_uridnsbl('SEM_URIRED')
    describe        SEM_URIRED             Contains a URI listed by SEM-URIRED
    tflags          SEM_URIRED             net
    score           SEM_URIRED             0.5
    
    urirhssub       SEM_FRESH              fresh.spameatingmonkey.net. A 2
    body            SEM_FRESH              eval:check_uridnsbl('SEM_FRESH')
    describe        SEM_FRESH              Contains a domain registered less than 5 days ago
    tflags          SEM_FRESH              net
    score           SEM_FRESH              0.5

    You should also search the forums for SaneSecurity signatures.

  7. #7
    swrightsls (Senior Member)

    We are also seeing a lot more spam ending up in the inbox since upgrading from 5.018 to 6.05 a few weeks ago. We are not doing any DNSBL checks ahead of SA as we had too many issues with FPs. Server load/bandwidth is not really any issue, so we'd rather just score the DNSBL checks. I've added your code to salocal.cf.in as follows - how can I check that it is working correctly?

    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    ###########################################################################
    #
    # rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock
    
    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5
    
    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5
    
    %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
    %%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%
    
    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
    
    # SLS changes 
    score FORGED_MUA_OUTLOOK 0
    
    # below is from http://www.zimbra.com/forums/administrators/38209-more-spam-after-upgrading-6-0-5-a.html
    # 7/Apr/2010 9:02
    ################################################################################
    # SpamRats RBL (www.spamrats.com)
    ################################################################################
    header     RCVD_IN_SPAMRATS_DYNA  eval:check_rbl('spamratsdyna','dyna.spamrats.com.')
    describe   RCVD_IN_SPAMRATS_DYNA  Sender listed in SpamRats DYNA
    tflags     RCVD_IN_SPAMRATS_DYNA  net
    score      RCVD_IN_SPAMRATS_DYNA  2
    
    header     RCVD_IN_SPAMRATS_NOPTR  eval:check_rbl('spamratsnoptr','noptr.spamrats.com.')
    describe   RCVD_IN_SPAMRATS_NOPTR  Sender listed in SpamRats NOPTR
    tflags     RCVD_IN_SPAMRATS_NOPTR  net
    score      RCVD_IN_SPAMRATS_NOPTR  2
    
    ################################################################################
    # JunkEMailFilter RBL (www.junkemailfilter.com)
    ################################################################################
    header          __RCVD_IN_JMF         eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
    describe        __RCVD_IN_JMF         Sender listed in JunkEmailFilter
    tflags          __RCVD_IN_JMF         net
    
    header          RCVD_IN_JMF_W         eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
    describe        RCVD_IN_JMF_W         Sender listed in JMF-WHITE
    tflags          RCVD_IN_JMF_W         net nice
    score           RCVD_IN_JMF_W         -1.5
    
    header          RCVD_IN_JMF_BL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
    describe        RCVD_IN_JMF_BL        Sender listed in JMF-BLACK
    tflags          RCVD_IN_JMF_BL        net
    score           RCVD_IN_JMF_BL        1.5
    
    header          RCVD_IN_JMF_BR        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
    describe        RCVD_IN_JMF_BR        Sender listed in JMF-BROWN
    tflags          RCVD_IN_JMF_BR        net
    score           RCVD_IN_JMF_BR        0.6
    
    ################################################################################
    # SPAMEatingMonkey RBL (www.spameatingmonkey.net)
    ################################################################################
    header          RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
    tflags          RCVD_IN_SEMBACKSCATTER net
    describe        RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
    score           RCVD_IN_SEMBACKSCATTER 0.5
    
    header          RCVD_IN_SEMBLACK       eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
    tflags          RCVD_IN_SEMBLACK       net
    describe        RCVD_IN_SEMBLACK       Received from an IP listed by SEM-BLACK
    score           RCVD_IN_SEMBLACK       0.5
    
    urirhssub       SEM_URI                uribl.spameatingmonkey.net. A 2
    body            SEM_URI                eval:check_uridnsbl('SEM_URI')
    describe        SEM_URI                Contains a URI listed by SEM-URI
    tflags          SEM_URI                net
    score           SEM_URI                0.5
    
    urirhssub       SEM_URIRED             urired.spameatingmonkey.net. A 2
    body            SEM_URIRED             eval:check_uridnsbl('SEM_URIRED')
    describe        SEM_URIRED             Contains a URI listed by SEM-URIRED
    tflags          SEM_URIRED             net
    score           SEM_URIRED             0.5
    
    urirhssub       SEM_FRESH              fresh.spameatingmonkey.net. A 2
    body            SEM_FRESH              eval:check_uridnsbl('SEM_FRESH')
    describe        SEM_FRESH              Contains a domain registered less than 5 days ago
    tflags          SEM_FRESH              net
    score           SEM_FRESH              0.5

  8. #8
    uxbod (Moderator)

    Right click on one of the emails in the Junk folder and select "Show Original" ... take a look at the headers and it should show which rules and RBLs have been hit. Once you added to the salocal.cf.in did you perform a restart?
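
The header check described in post #8, done programmatically, as an added example that is not part of the original thread: a Python parser for the amavisd-style X-Spam-Status header that reports how far a message was from the threshold and which of the RBL rules added in post #6 fired. The first sample is the header posted in #5, the second is constructed, and the function names are this example's own.

```python
import re

# Rule names from the RBL additions posted in this thread (post #6).
ADDED_RULES = {
    "RCVD_IN_SPAMRATS_DYNA", "RCVD_IN_SPAMRATS_NOPTR", "RCVD_IN_JMF_W",
    "RCVD_IN_JMF_BL", "RCVD_IN_JMF_BR", "RCVD_IN_SEMBACKSCATTER",
    "RCVD_IN_SEMBLACK", "SEM_URI", "SEM_URIRED", "SEM_FRESH",
}

# Header as posted in #5 (message that reached the inbox).
POSTED = """X-Spam-Status: No, score=6.392 tagged_above=-10 required=6.6
 tests=[AWL=-0.146, BAYES_50=0.001, EXCUSE_24=2.596,
 HS_INDEX_PARAM=0.001, HTML_IMAGE_RATIO_02=0.383, HTML_MESSAGE=0.001,
 RDNS_NONE=0.1, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501] autolearn=no"""

# Constructed sample: what a header looks like once two added rules fire.
CONSTRUCTED = """X-Spam-Status: Yes, score=4.457 tagged_above=-10 required=4
 tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_SEMBLACK=0.5,
 RCVD_IN_SPAMRATS_DYNA=2, URIBL_BLACK=1.955] autolearn=no"""

def parse_spam_status(raw):
    """Parse a folded amavisd-style X-Spam-Status header."""
    text = " ".join(raw.split())                      # unfold continuation lines
    verdict = re.search(r"X-Spam-Status:\s*(Yes|No)\b", text, re.I)
    tests_m = re.search(r"tests=\[(.*?)\]", text)
    if not verdict or not tests_m:
        raise ValueError("not an amavisd-style X-Spam-Status header")
    tests = {}
    for item in tests_m.group(1).split(","):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score or 0)
    rest = text[:tests_m.start()] + text[tests_m.end():]
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"is_spam": verdict.group(1).lower() == "yes",
            "score": float(fields["score"]),
            "required": float(fields["required"]),
            "autolearn": fields.get("autolearn"), "tests": tests}

def report(raw, watched=ADDED_RULES):
    """Summarise one header: margin to threshold and which watched rules hit."""
    s = parse_spam_status(raw)
    return {"is_spam": s["is_spam"],
            "margin": round(s["required"] - s["score"], 3),  # > 0: below threshold
            "sum_ok": abs(sum(s["tests"].values()) - s["score"]) < 0.01,
            "added_hits": sorted(set(s["tests"]) & watched),
            "autolearn": s["autolearn"]}

if __name__ == "__main__":
    for hdr in (POSTED, CONSTRUCTED):
        print(report(hdr))
```

An empty `added_hits` across many messages after a config change means the new rules are not being evaluated or simply never match, and the per-rule scores in `tests` show which one it is once a hit does appear.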

  9. #9
    swrightsls (Senior Member)

    Quote (originally posted by uxbod):
        Right click on one of the emails in the Junk folder and select "Show Original" ... take a look at the headers and it should show which rules and RBLs have been hit. Once you added to the salocal.cf.in did you perform a restart?

    I did do a zmamavisdctl reload - is that enough? I have not had any spam show up in junk since then. Below are headers from a spammy message in the inbox:

    X-Spam-Flag: NO
    X-Spam-Score: 1.958
    X-Spam-Level: *
    X-Spam-Status: No, score=1.958 tagged_above=-10 required=4
    tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MISSING_MID=0.001,
    URIBL_BLACK=1.955] autolearn=no

    I've also seen this:

    X-Spam-Status: No, score=-1.885 tagged_above=-10 required=4 tests=[AWL=0.713,
    BAYES_00=-2.599, HTML_MESSAGE=0.001] autolearn=unavailable

    and:

    X-Spam-Status: No, score=-3.738 tagged_above=-10 required=4
    tests=[ALL_TRUSTED=-1.8, AWL=0.660, BAYES_00=-2.599,
    HTML_MESSAGE=0.001] autolearn=ham

    What is the significance of the 'autolearn' tag?

  10. #10
    uxbod (Moderator)

    Would you be able to post one of the SPAM emails here :- Spamalyser and send me the link so I can run it through my system?
