Poor antispam filtering
Recently our spam load has gone up dramatically. I'm not sure why the spam filters are letting so much spam in. Sometimes DSPAM tags it but it gets allowed anyway. Yesterday I fed satrain 5000 messages from my junk folder. It seemed to work OK for the rest of the day, but this morning a bunch got through again. Also, there was an error message about connecting to the MySQL database, so I'm not sure what effect, if any, that would have had.
I'm frustrated because I don't know where to start looking for the problem. Can someone explain the chain of events for the spam filter so that I can start troubleshooting effectively? Also, if you need any log info, let me know.
Hi, the default settings for Zimbra are OK but can be improved. The chain of events is basically postfix->amavisd-new->spamassassin(->dspam)->postfix. The easiest way to quickly improve things is to enable three 'additions' to SpamAssassin:
rules_du_jour, which updates the SpamAssassin rulesets: http://www.exit0.us/index.php?pagename=RulesDuJour
razor (http://razor.sourceforge.net) - there's also pyzor, but I haven't tried that.
Search the forums/wiki for how to install these, but they're quick to install and quite non-intrusive to Zimbra.
DSPAM scoring is currently very low due to its recent introduction to Zimbra; also, the default scoring is quite pessimistic. The kill rate can be upped somewhat at the risk of false positives - again, search the forums for answers to this.
Sometimes it happens that DSPAM and SpamAssassin have learnt spam badly. In this case, just delete the DSPAM/SA Bayesian databases and start again - I've recently done this on one of my installs and it has made an instant improvement.
PS: make sure your machine is resolving DNS properly so SA can access RBLs - they are becoming an increasingly useful scoring mechanism, as the vast majority of spam comes from zombie machines on dynamic ranges. Greylisting is also a very powerful weapon, although it requires a little more surgery to get it working.
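The DNS check the PS above asks for, as an added example (not code from the thread or from Zimbra): each DNSBL zone is probed with the RFC 5782 test entries, 127.0.0.2, which every IPv4 DNSBL must list, and 127.0.0.1, which none may list. A failed "listed" probe means the resolver or the zone is broken; a "clean" probe that comes back listed means the resolver is answering everything (a wildcard or a lying resolver), which is exactly the situation that makes RBL rules fire on legitimate mail after a DNS change. The zone names are assumptions for illustration; use whatever SpamAssassin on your box actually queries.

```python
"""Sanity-check DNSBL lookups from this host (added example).

SpamAssassin's RCVD_IN_* rules only work if the local resolver answers
DNSBL queries. Each zone is probed with the RFC 5782 test entries:
127.0.0.2 must be listed and 127.0.0.1 must not be.
"""
import socket
from typing import Dict, Optional

# Zones assumed for illustration; substitute the ones your SA config uses.
RBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.njabl.org"]


def reverse_ipv4(ip: str) -> str:
    """Return the octets of a dotted-quad IPv4 address in reverse order."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets))


def rbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried as <reversed-ip>.<zone>, e.g. 10.2.0.192.zen.spamhaus.org."""
    return f"{reverse_ipv4(ip)}.{zone}"


def is_listing(answer: Optional[str]) -> bool:
    """A listing is signalled by an A record inside 127.0.0.0/8.  NXDOMAIN
    (None) or a public address injected by a 'helpful' resolver is not one."""
    return answer is not None and answer.startswith("127.")


def interpret(listed_probe: Optional[str], clean_probe: Optional[str]) -> str:
    """Classify a zone from its two RFC 5782 probes (127.0.0.2 and 127.0.0.1)."""
    if is_listing(listed_probe) and not is_listing(clean_probe):
        return "ok"
    if is_listing(clean_probe):
        return "bogus"          # everything 'listed': wildcard zone or lying resolver
    if listed_probe is None:
        return "unreachable"    # no answer at all: resolver or zone problem
    return "non-rbl-answer"     # A record outside 127/8: NXDOMAIN hijacking


def lookup(ip: str, zone: str) -> Optional[str]:
    """Resolve the DNSBL name; None means NXDOMAIN or a resolver failure."""
    try:
        return socket.gethostbyname(rbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def probe_zone(zone: str) -> Dict[str, Optional[str]]:
    """Run both test-entry probes against one zone and classify the result."""
    listed = lookup("127.0.0.2", zone)
    clean = lookup("127.0.0.1", zone)
    return {"zone": zone, "listed": listed, "clean": clean,
            "status": interpret(listed, clean)}


if __name__ == "__main__":
    import sys
    # Needs network access: probes each zone, then looks up any IPs given as args.
    for zone in RBL_ZONES:
        r = probe_zone(zone)
        print(f"{r['zone']:<22} {r['status']:<14} "
              f"127.0.0.2->{r['listed']}  127.0.0.1->{r['clean']}")
    for ip in sys.argv[1:]:
        for zone in RBL_ZONES:
            print(f"{ip} in {zone}: {lookup(ip, zone) or 'not listed'}")
```

Run it on the mail server itself, not from a workstation, since it is the MTA host's resolver that SpamAssassin uses; a status other than "ok" for a zone is where to start looking before touching any scores.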
Oddly enough, most of the spam problem I'm seeing happened after we brought new internal DNS servers on-line. I thought it might have been related to that, but I seem to be able to resolve names just fine.
Regarding the RBLs, I can only run about 3 of the 6 Zimbra supports. If I run all 6 then I get lots of complaints that mail from Comcast, AT&T, Hotmail, etc. is being rejected.
Generally speaking, genuine emails should be sent through ISP relays, which should not be blacklisted, at least on the RBLs that have the high scoring; rather, the ISP dynamic ranges used for dialup/DSL/cable should score highly.
You are letting amavis/SA use the RBLs for scoring, not postfix, right? Using RBLs for pre-handoff postfix lookups is bound to cause lots of false rejects, at least in my experience.
If you're happy with DSPAM accuracy, increase its score to something like 3 - this will give it a much bigger chance of influencing the outcome; by default I think it's only 0.5.
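The difference between a postfix-side reject and amavis/SA-side scoring is that a scored RBL hit only counts towards the threshold together with everything else that fired, so a single DSPAM or DNSBL rule can be raised or lowered without bouncing anyone's mail. The script below, an added example rather than code from the thread or from Zimbra, parses a SpamAssassin X-Spam-Status header and re-scores the rules that fired under a local override, which is what `score RULE n` in a SpamAssassin local config does. The sample header, the rule name DSPAM_SPAM, the 6.6 threshold and the per-rule scores are all constructed for the example; the real scores are in the rule files on your server.

```python
"""Re-score an X-Spam-Status header under a rule-score override (added example).

SpamAssassin (here via amavisd-new) lists the rules that fired in
X-Spam-Status but not their individual scores, so a score table is needed
to see what a change such as 'score DSPAM_SPAM 3.0' would have done.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in SpamAssassin's header format; not taken from the thread.
# The rule name DSPAM_SPAM and the 6.6 threshold are assumptions for the example.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=4.6 required=6.6 "
    "tests=DSPAM_SPAM,HTML_MESSAGE,MISSING_SUBJECT,RCVD_IN_PBL "
    "autolearn=no version=3.1.7"
)

# Assumed per-rule scores; the authoritative values are the `score RULE n`
# lines in the rule files on the server.
SAMPLE_SCORES: Dict[str, float] = {
    "DSPAM_SPAM": 0.5,      # the DSPAM hit, scored low by default
    "HTML_MESSAGE": 0.001,
    "MISSING_SUBJECT": 1.1,
    "RCVD_IN_PBL": 3.0,     # a DNSBL hit contributing to the score, not a hard reject
}

_STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<verdict>Yes|No),\s*(?:score|hits)=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)(?:\s+tests=(?P<tests>\S+))?",
    re.IGNORECASE,
)


def parse_spam_status(header: str) -> Dict[str, object]:
    """Parse one X-Spam-Status header; folded continuation lines are joined.
    Accepts both 'score=' (SA 3.x) and the older 'hits=' spelling."""
    flat = " ".join(header.split())
    m = _STATUS_RE.search(flat)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    raw = m.group("tests") or ""
    tests = [t for t in raw.split(",") if t and t.lower() != "none"]
    return {
        "verdict": m.group("verdict").capitalize(),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def rescore(tests: List[str], scores: Dict[str, float],
            overrides: Optional[Dict[str, float]] = None) -> float:
    """Sum the scores of the rules that fired, applying local overrides
    (the equivalent of `score RULE n`).  Rules missing from the table count 0,
    so check unknown_rules() before trusting the total."""
    table = dict(scores)
    table.update(overrides or {})
    return round(sum(table.get(t, 0.0) for t in tests), 1)


def unknown_rules(tests: List[str], scores: Dict[str, float]) -> List[str]:
    """Rules that fired but have no entry in the score table."""
    return [t for t in tests if t not in scores]


def would_be_tagged(header: str, scores: Dict[str, float],
                    overrides: Optional[Dict[str, float]] = None) -> bool:
    """True if the message would reach 'required' with the given overrides."""
    parsed = parse_spam_status(header)
    return rescore(parsed["tests"], scores, overrides) >= parsed["required"]


if __name__ == "__main__":
    parsed = parse_spam_status(SAMPLE_HEADER)
    print("fired:", ", ".join(parsed["tests"]))
    print("as delivered:", rescore(parsed["tests"], SAMPLE_SCORES),
          "required:", parsed["required"])
    print("with DSPAM_SPAM at 3.0:",
          rescore(parsed["tests"], SAMPLE_SCORES, {"DSPAM_SPAM": 3.0}),
          "tagged:", would_be_tagged(SAMPLE_HEADER, SAMPLE_SCORES, {"DSPAM_SPAM": 3.0}))
```

Feed it the X-Spam-Status headers of the spam that slipped through; if the re-scored total crosses the threshold only when the DSPAM rule is raised, that is the evidence for the score change, and if it never does, the missing piece is elsewhere (an RBL rule not firing, for instance).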
I am using postfix, I think, because I set up the RBLs like so:
zmprov mcf zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" ...(more RBLs).
I can only use 3 of the 6 or the rejections get too high.
How can I do this in amavis/SA instead of postfix?
How do you delete the DSPAM/SA databases?