Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1 | 06-15-2010, 07:58 AM | Senior Member | Posts: 67
[SOLVED] increase of spam

In general our spam is well controlled...

I got rid of almost all email coming with a different from/return path and
the fake email coming from our domain

thanks to the great help from the people on this forum...


but lately I have seen an increase in spam and I am just wondering if you guys know how to get rid of them...

a lot of spam email lately comes with
they all have a .rtf attachment to them???

here are two examples...

Return-Path: genericness@idcol.org
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 14 Jun 2010
18:52:30 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id D22252DC005;
Mon, 14 Jun 2010 18:52:30 -0300 (ADT)
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
X-Spam-Flag: NO
X-Spam-Score: 5.038
X-Spam-Level: *****
X-Spam-Status: No, score=5.038 tagged_above=-10 required=6.6
tests=[BAYES_60=1, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
RDNS_DYNAMIC=0.1] autolearn=no
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 4j0accI0bgzk; Mon, 14 Jun 2010 18:52:29 -0300 (ADT)
Received: from awaydy.kabel-badenwuerttemberg.de (HSI-KBW-078-043-178-048.hsi4.kabel-badenwuerttemberg.de [78.43.178.48])
by mail.redballinternet.com (Postfix) with SMTP id 901B32DC004
for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 18:52:29 -0300 (ADT)
Message-ID: <4C16A3B4.7020802@idcol.org>
Date: Mon, 14 Jun 2010 23:54:53 +0200
From: Linebaugh Digiouanni <genericness@idcol.org>
MIME-Version: 1.0
To: Pais Donah <customerprivacy@redballinternet.com>
Subject: Same seat in a buggy: if the white ma
Content-Type: application/octet-stream; name="moralisingly.rtf"
Content-Transfer-Encoding: base64


Return-Path: flowered@kantipur.com.np
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 14 Jun 2010
13:54:42 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id 007332DC005
for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 13:54:42 -0300 (ADT)
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
X-Spam-Flag: NO
X-Spam-Score: 3.568
X-Spam-Level: ***
X-Spam-Status: No, score=3.568 tagged_above=-10 required=6.6
tests=[BAYES_60=1, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877,
RDNS_DYNAMIC=0.1, SPF_NEUTRAL=0.686] autolearn=no
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id DDszhuh3dSvg for <xxxxxx@redballinternet.com>;
Mon, 14 Jun 2010 13:54:40 -0300 (ADT)
Received: from mpuk.telepac.pt (bl5-34-23.dsl.telepac.pt [82.154.34.23])
by mail.redballinternet.com (Postfix) with SMTP id 0BDFB2DC004
for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 13:54:39 -0300 (ADT)
Message-ID: <4C165E0F.1060302@kantipur.com.np>
Date: Mon, 14 Jun 2010 17:56:59 +0100
From: Lynetta Szostak <flowered@kantipur.com.np>
MIME-Version: 1.0
To: Adriene Valine <xxxxxx@redballinternet.com>
Subject: He was poisoned by his wife Ethelburga daughter vnto Offa king of M
Content-Type: application/octet-stream; name="homemaker.rtf"
Content-Transfer-Encoding: base64




I also have what I call real spam...
email with the same from/return path that just doesn't get picked up as spam




Return-Path: myqehuci5634@superkabel.de
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Tue, 15 Jun 2010
08:45:52 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id 5CECE2DC005
for <xxxxxx@redballinternet.com>; Tue, 15 Jun 2010 08:45:52 -0300 (ADT)
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
X-Spam-Flag: NO
X-Spam-Score: 5.964
X-Spam-Level: *****
X-Spam-Status: No, score=5.964 tagged_above=-10 required=6.6
tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
MISSING_MID=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1] autolearn=no
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id LtCy1MDPSe9S for <xxxxxx@redballinternet.com>;
Tue, 15 Jun 2010 08:45:51 -0300 (ADT)
Received: from superkabel.de (95-91-154-28-dynip.superkabel.de [95.91.154.28])
by mail.redballinternet.com (Postfix) with ESMTP id 4AA9C2DC004
for <xxxxxxx@redballinternet.com>; Tue, 15 Jun 2010 08:45:51 -0300 (ADT)
From: TopViagra WebPharmacy <myqehuci5634@superkabel.de>
To: careers@redballinternet.com
Subject: To careers. 80% off Wholesale. by FL In German
Date: Tue, 15 Jun 2010 13:48:10 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20100615114552.5CECE2DC005@mail.redballinternet.com>




Return-Path: accessw8@rayholtz.com
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 14 Jun 2010
04:36:22 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id 1CEB32DC005
for <xxxxxxx@redballinternet.com>; Mon, 14 Jun 2010 04:36:22 -0300 (ADT)
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
X-Spam-Flag: NO
X-Spam-Score: 5.857
X-Spam-Level: *****
X-Spam-Status: No, score=5.857 tagged_above=-10 required=6.6
tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,
RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id pm15aQP+QVT4 for <xxxxxx@redballinternet.com>;
Mon, 14 Jun 2010 04:36:21 -0300 (ADT)
Received: from SJKWJSIVPW (unknown [94.51.176.157])
by mail.redballinternet.com (Postfix) with ESMTP id 547302DC004
for <xxxxxx@redballinternet.com>; Mon, 14 Jun 2010 04:36:21 -0300 (ADT)
Received: from 94.51.176.157 by mailstore1.secureserver.net; Mon, 14 Jun 2010 11:38:33 +0300
Date: Mon, 14 Jun 2010 11:38:33 +0300
From: "Russel Mcdowell" <accessw8@rayholtz.com>
X-Mailer: The Bat! (v3.71.01) Educational
Reply-To: accessw8@rayholtz.com
X-Priority: 3 (Normal)
Message-ID: <697484003.79122794904937@rayholtz.com>
To: xxxxxx@redballinternet.com
Subject: 2 Girls Show Tits and Pussy in a Home Movie
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------410FF7D1F130AA"

------------410FF7D1F130AA
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Dam that girl works a strapon

Open attached file to watch video

------------410FF7D1F130AA
Content-Type: text/html; name="open.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="open.html"
#2 | 06-15-2010, 08:55 AM | Moderator | Posts: 7,928

Search the forums for SaneSecurity.
#3 | 06-15-2010, 10:12 AM | Senior Member | Posts: 67

Quote: Originally Posted by uxbod
Search the forums for SaneSecurity.
I found this thread on the forum.. is this the best on how to implement SaneSecurity???

[SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins

thanks
#4 | 06-15-2010, 10:32 AM | raj, Moderator | Posts: 768

required=6.6 is a little on the higher side.
We have our servers between 5.5 - 5.8 and we rarely get any false positives at a 5+ score.. if there is any, there will be a reason.

So I suggest you lower your "required" spam score in admin

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
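As an added example (not from the thread or from Zimbra), the Python below unfolds amavisd-new X-Spam-Status headers like the four quoted in the first post, pulls out score, required and the per-test points, and counts how many would have been tagged at raj's 5.5 to 5.8 range versus the current 6.6. The sample headers are copies of the ones above; the function names are mine.

```python
import re

# Constructed copies of the four X-Spam-Status headers quoted in post #1,
# folded across lines the way amavisd-new writes them.
SAMPLE_STATUS = [
    "X-Spam-Status: No, score=5.038 tagged_above=-10 required=6.6\n"
    " tests=[BAYES_60=1, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,\n"
    " RDNS_DYNAMIC=0.1] autolearn=no",
    "X-Spam-Status: No, score=3.568 tagged_above=-10 required=6.6\n"
    " tests=[BAYES_60=1, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877,\n"
    " RDNS_DYNAMIC=0.1, SPF_NEUTRAL=0.686] autolearn=no",
    "X-Spam-Status: No, score=5.964 tagged_above=-10 required=6.6\n"
    " tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,\n"
    " MISSING_MID=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1] autolearn=no",
    "X-Spam-Status: No, score=5.857 tagged_above=-10 required=6.6\n"
    " tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,\n"
    " RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no",
]

STATUS_RE = re.compile(
    r"score=(?P<score>-?[\d.]+).*?required=(?P<req>[\d.]+).*?tests=\[(?P<tests>[^\]]*)\]")

def parse_spam_status(header):
    """Unfold one X-Spam-Status header into score, required and {test: points}."""
    flat = " ".join(header.split())          # join the continuation lines
    m = STATUS_RE.search(flat)
    if m is None:
        raise ValueError("not an amavisd X-Spam-Status header")
    tests = {}
    for item in m.group("tests").split(","):
        name, _, points = item.strip().partition("=")
        tests[name] = float(points)
    return {"score": float(m.group("score")),
            "required": float(m.group("req")), "tests": tests}

def tagged_at(parsed, required):
    """SpamAssassin flags a message when score >= required_score."""
    return parsed["score"] >= required

def review(headers, thresholds=(6.6, 5.8, 5.5)):
    """How many samples each threshold would tag, plus the top-scoring test per
    message (the rule to look at before deciding whether to lower required)."""
    parsed = [parse_spam_status(h) for h in headers]
    counts = {t: sum(tagged_at(p, t) for p in parsed) for t in thresholds}
    top_tests = [max(p["tests"], key=p["tests"].get) for p in parsed]
    return counts, top_tests

if __name__ == "__main__":
    print(review(SAMPLE_STATUS))
```

The per-test points sum to the reported score, which is a quick sanity check that the parser read the whole folded header.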
#5 | 06-16-2010, 05:41 AM | Senior Member | Posts: 67

Hi uxbod,

I have tried to add the SaneSecurity signatures last night...
I did the steps you told bhickey a couple of years ago but like him I don't see the Sane entries when I select show original...

Here are the steps I did till now

Quote: Originally Posted by uxbod
Okay here we go!

Update /opt/zimbra/conf/amavisd.conf.in with
Code:
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
    [ qr'^Sanesecurity(\.[^., ]*)*\.'                             => 0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                                 => 0   ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.'        => 0   ],
    [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                           => 0.1 ],
    [ qr'^MBL_'                                 => undef ],  # keep as infected
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'                   => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'                 => 0.1 ],
    [ qr'-SecuriteInfo\.com(\.|\z)'             => undef ],  # keep as infected
  ));
ensure this is before 1; # insure a defined return
at the end of the file. Then ...

And then to update SA you need to edit /opt/zimbra/conf/salocal.cf.in with
Code:
################################################################################
# SaneSecurity & MSRBL Signatures
################################################################################
header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|****|Spam[A-Za-z0-9]?|Stk|Junk)\.}
header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_}
header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}

score  L_AV_Phish       14
score  L_AV_SS_Phish    5
score  L_AV_SS_PhishBar 0.5
score  L_AV_SS_Scam     8
score  L_AV_SS_Spam     8
score  L_AV_SS_Hdr      6
score  L_AV_SS_Img      3.5
score  L_AV_SS_Bounce   0.1
score  L_AV_SS_other    1
score  L_AV_SS_Malware  14
score  L_AV_MBL         14
score  L_AV_MSRBL_Img   3.5
score  L_AV_MSRBL_Spam  6
score  L_AV_SecInf      8
at the end of the file. You will then need to restart ZCS. Obviously you can tune the scores to your own requirements as 0.1 is very low, but there have been some FPs in the past. Any questions, please ask. Enjoy.
Find the section keep_decoded_original_maps and change to
Code:
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',     # don't trust Archive::Zip
));
The only difference: I did change all the scores to 0.1 for testing...

I restarted the server after doing that...

And here I am... but like I said I don't see any entries in my original with a Sane signature


Thanks for your help
Paul-Rene
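To see how the two files quoted above fit together, here is an added Python model (my own code, not from uxbod's post or from Zimbra) of both stages: the amavisd map decides whether a ClamAV hit is blocked as infected or handed to SpamAssassin, and the salocal.cf rules then turn the signature name in X-Amavis-AV-Status into a score. The "AV:<name>" header layout and the sample signature names are assumed from the rules themselves, and the function names are mine.

```python
import re
# Stage 1: amavisd @virus_name_to_spam_score_maps from the post, first match
# wins; None = keep as infected (blocked), number = pass on with that score.
AMAVIS_MAP = [
    (r"^Sanesecurity\.(Malware|Rogue|Trojan)\.", None),
    (r"^Sanesecurity(\.[^., ]*)*\.", 0.1),
    (r"^Sanesecurity_PhishBar_", 0),
    (r"^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.", 0),
    (r"^(MSRBL-Images/|MSRBL-SPAM\.)", 0.1),
    (r"^MBL_", None),
    (r"^VX\.Honeypot-SecuriteInfo\.com\.Joke", 0.1),
    (r"^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\Z)", 0.1),
    (r"^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)", 0.1),
    (r"-SecuriteInfo\.com(\.|\Z)", None),
]
# Stage 2: the salocal.cf.in header rules and scores. The L_AV_SS_Spam
# alternative the forum masked as "****" is left out rather than guessed.
SA_RULES = {
    "L_AV_Phish":       (r"(?i)\bAV:(Email|HTML)\.Phishing\.", 14),
    "L_AV_SS_PhishBar": (r"\bAV:Sanesecurity_PhishBar_", 0.5),
    "L_AV_SS_Phish":    (r"\bAV:Sanesecurity\.Phishing\.", 5),
    "L_AV_SS_Malware":  (r"\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.", 14),
    "L_AV_SS_Scam":     (r"\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)", 8),
    "L_AV_SS_Spam":     (r"\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Spam[A-Za-z0-9]?|Stk|Junk)\.", 8),
    "L_AV_SS_Hdr":      (r"\bAV:Sanesecurity\.Hdr\.", 6),
    "L_AV_SS_Img":      (r"\bAV:Sanesecurity\.(Img|ImgO)\.", 3.5),
    "L_AV_SS_Bounce":   (r"\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b", 0.1),
    "L_AV_MSRBL_Img":   (r"\bAV:MSRBL-Images\b", 3.5),
    "L_AV_MSRBL_Spam":  (r"\bAV:MSRBL-SPAM\.", 6),
    "L_AV_MBL":         (r"\bAV:MBL_", 14),
    "L_AV_SecInf":      (r"-SecuriteInfo\.com\b", 8),
}
# the rules the meta rule L_AV_SS_other negates (PhishBar is not among them)
SS_SPECIFIC = [n for n in SA_RULES if n.startswith("L_AV_SS_") and n != "L_AV_SS_PhishBar"]

def amavis_disposition(virus_name):
    """None = blocked as infected; otherwise the score amavisd adds."""
    for pattern, score in AMAVIS_MAP:
        if re.search(pattern, virus_name):
            return score
    return None                  # unmapped names keep default virus handling

def sa_av_hits(av_status):
    """Rules hit and total score for one X-Amavis-AV-Status value; the
    'AV:<name>' layout is assumed from the rules above, not verified."""
    hits = {n: s for n, (p, s) in SA_RULES.items() if re.search(p, av_status)}
    if re.search(r"\bAV:Sanesecurity\.", av_status) and not set(hits) & set(SS_SPECIFIC):
        hits["L_AV_SS_other"] = 1          # meta rule __L_AV_SS && !(...)
    return hits, sum(hits.values())
```

A Sanesecurity.Malware hit never reaches stage 2 because stage 1 keeps it as infected, which is why the same pattern appears in both files.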
#6 | 06-16-2010, 05:47 AM | Moderator | Posts: 7,928

Have you downloaded the Sane signatures and where are they being stored?
#7 | 06-16-2010, 05:58 AM | Senior Member | Posts: 67

Quote: Originally Posted by uxbod
Have you downloaded the Sane signatures and where are they being stored?
I did not... hehehe
How do I do that...

I am trying to find some info on the internet.. there isn't much?

Last edited by Plurnay; 06-16-2010 at 06:10 AM..
#8 | 06-16-2010, 06:11 AM | Moderator | Posts: 7,928

Download the tarball from Index of /pub and follow the INSTALL document. You will need to set a few parameters in the configuration to allow it to work with Zimbra. Below is a diff of the values I set
Code:
< PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
---
> PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/zimbra/clamav/bin"
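Review bot: appending /opt/zimbra/clamav/bin at the end of PATH means a distribution ClamAV in /usr/bin or /usr/local/bin would be found before Zimbra's own clamscan; if such a package is installed, put /opt/zimbra/clamav/bin first so the script tests the downloaded databases with the same clamscan version that Zimbra's clamd loads them into.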
40,41c40,41
< clam_user="clamav"
< clam_group="clamav"
---
> clam_user="zimbra"
> clam_group="zimbra"
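Review bot: clam_user/clam_group set to zimbra matches the account Zimbra's clamd runs under, which is what makes files written under clam_dbs readable by it; after the first run, check the ownership of the unofficial-dbs directory and its contents against these two values, since a mismatch here shows up as signatures that download fine but never load.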
45c45
< clam_dbs="/var/lib/clamav"
---
> clam_dbs="/opt/zimbra/data/clamav/db"
48c48
< clamd_pid="/var/run/clamd.pid"
---
> clamd_pid="/opt/zimbra/log/clamd.pid"
65c65
< #reload_opt="kill -USR2 `cat $clamd_pid`"
---
> reload_opt="kill -USR2 `cat $clamd_pid`"
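Review bot: enabling reload_opt makes the script send SIGUSR2 to whatever pid `cat $clamd_pid` returns, so with clamd_pid moved to /opt/zimbra/log/clamd.pid confirm that file exists and is current after a Zimbra restart; if it is missing or stale the kill either fails or signals the wrong process and the new signatures are not picked up until clamd's own self-check.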
219c223
< work_dir="/usr/unofficial-dbs"   #Top level working directory
---
> work_dir="/opt/zimbra/data/clamav/db/unofficial-dbs"   #Top level working directory
256c260
< user_configuration_complete="no"
---
> user_configuration_complete="yes"
#9 | 06-16-2010, 07:23 AM | Senior Member | Posts: 67

Thank you so much...

So just to be sure

I made the changes to the clamav-unofficial-sigs.conf
to your spec

Code:
< PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
---
> PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/zimbra/clamav/bin"
40,41c40,41
< clam_user="clamav"
< clam_group="clamav"
---
> clam_user="zimbra"
> clam_group="zimbra"
45c45
< clam_dbs="/var/lib/clamav"
---
> clam_dbs="/opt/zimbra/data/clamav/db"
48c48
< clamd_pid="/var/run/clamd.pid"
---
> clamd_pid="/opt/zimbra/log/clamd.pid"
65c65
< #reload_opt="kill -USR2 `cat $clamd_pid`"
---
> reload_opt="kill -USR2 `cat $clamd_pid`"
219c223
< work_dir="/usr/unofficial-dbs"   #Top level working directory
---
> work_dir="/opt/zimbra/data/clamav/db/unofficial-dbs"   #Top level working directory
256c260
< user_configuration_complete="no"
---
> user_configuration_complete="yes"

Now in the install file it says to
Make sure script files are executable and have the appropriate UID/GID set:
chmod 755 *.sh
chown <user>:<group> *.sh

The chown, would it be zimbra:zimbra?


Next it says to
Install:
cp clamav-unofficial-sigs.sh /path/to/script_dir (usually something like /usr/local/bin)
cp clamav-unofficial-sigs.conf /path/to/config_dir (/etc & usually something like /usr/local/etc)
cp clamav-unofficial-sigs.8 /path/to/man/man8 (usually something like /usr/local/man/man8)

I don't have a folder man8 in man... do I just create it???

cp clamav-unofficial-sigs-cron /path/to/cron.d (usually something like /etc/cron.d)
cp clamav-unofficial-sigs-logrotate /path/to/logrotate.d (usually something like /etc/logrotate.d)


After I copied the files into their appropriate folders...
Is there anything else I have to do... do I need to run something?

Thanks again for your help
Paul-Rene Hebert
#10 | 06-16-2010, 07:33 AM | Moderator | Posts: 7,928

I would put the .sh in /usr/local/bin and the .conf in /usr/local/etc. I put the cron file into /etc/cron.d with the following entry
Code:
45 * * * * root /usr/local/bin/clamav-unofficial-sigs.sh -c /usr/local/etc/clamav-unofficial-sigs.conf
You can test it first by running the .sh and pointing to the conf file as above. Then check in /opt/zimbra/data/clamav/db/unofficial-dbs to make sure the files have been downloaded and have the correct permissions.