
Thread: Poor antispam filtering

  1. #1
    shankwc is offline Senior Member

    Default Poor antispam filtering

    Recently our spam load has gone up dramatically. I'm not sure why the spam filters are letting so much spam in. Sometimes DSPAM tags it but it gets allowed anyway. Yesterday I fed satrain 5000 messages from my junk folder. It seemed to work OK for the rest of the day, but this morning a bunch got through again. Also, there was an error message about connecting to the MySQL database, so I'm not sure what effect, if any, that would have had.

    I'm frustrated because I don't know where to start looking for the problem. Can someone explain the chain of events for the spam filter so that I can start troubleshooting effectively? Also, if you need any log info let me know.

    Thanks

  2. #2
    dijichi2 is offline OpenSource Builder & Moderator

    Default

    hi, the default settings for zimbra are ok but can be improved. the chain of events is basically postfix->amavisd-new->spamassassin(->dspam)->postfix. the easiest way to quickly improve things is to enable three 'additions' to spamassassin:

    rules_du_jour which updates the spamassassin rulesets: http://www.exit0.us/index.php?pagename=RulesDuJour

    razor (http://razor.sourceforge.net) - there's also pyzor but i haven't tried that.

    dcc (http://www.rhyolite.com/anti-spam/dcc/)

    search on the forums/wiki for how to install these, but they're quick to install and quite non-intrusive to zimbra.

    dspam scoring is currently very low due to its recent introduction to zimbra, also the default scoring is quite pessimistic - the kill rate can be upped somewhat at the risk of false positives - again, search the forums for answers to this.

    sometimes, it happens that dspam and spamassassin have learnt spam badly - in this case just delete the dspam/sa bayesian databases and start again - i've recently done this on one of my installs and it has made an instant improvement.

  3. #3
    dijichi2 is offline OpenSource Builder & Moderator

    Default

    ps - make sure your machine is resolving dns properly so sa can access rbls - they are becoming an increasingly useful scoring mechanism as the vast majority of spam comes from zombie machines on dynamic ranges. greylisting is also a very powerful weapon although it requires a little more surgery to get it working.
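
A way to verify the DNS advice in the post above, as an added example that is not part of the original thread: ordinary names can resolve fine while DNSBL lookups fail, so this checks each zone through the host's resolver using the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The function names and status labels are this example's own, and `table_lookup` is a constructed stand-in resolver for offline use.

```python
import ipaddress
import socket
import sys

def dnsbl_query_name(ip, zone):
    """RFC 5782 lookup name: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_lookup(name):
    """A records via the host's own resolver: [] = no such name, None = lookup failed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        no_name = (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None))
        return [] if exc.errno in no_name else None

def check_zone(zone, lookup=system_lookup):
    """Classify a DNSBL zone as seen through this resolver (labels are this example's own)."""
    # RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    listed = lookup(dnsbl_query_name("127.0.0.2", zone))
    clean = lookup(dnsbl_query_name("127.0.0.1", zone))
    if listed is None or clean is None:
        return "resolver-error"      # timeout/SERVFAIL: RBL rules silently never fire
    if any(not a.startswith("127.") for a in listed + clean):
        return "rewritten-answer"    # resolver substitutes its own address for NXDOMAIN
    if not listed:
        return "no-answers"          # zone gone, or it refuses this resolver's queries
    if clean:
        return "lists-everything"    # wildcard zone: every sender would score or be rejected
    return "ok"

def table_lookup(table):
    """Constructed stand-in for a resolver so the check can be exercised offline."""
    return lambda name: table.get(name, [])

if __name__ == "__main__":
    for zone in sys.argv[1:]:        # e.g. the zones configured on the mail server
        print(zone, check_zone(zone))
```

Run it on the mail server itself with the configured zones as arguments; any result other than `ok` means that list is not contributing correctly through the current resolver.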

  4. #4
    shankwc is offline Senior Member

    Default

    Oddly enough, most of the spam problem I'm seeing happened after we brought new internal DNS servers on-line. I thought it might have been related to that, but I seem to be able to resolve names just fine.

    Regarding the RBLs, I can only run about 3 of the 6 zimbra supports. If I run all 6 then I got lots of complaints that mails from comcast, att, hotmail, etc. are being rejected.

  5. #5
    dijichi2 is offline OpenSource Builder & Moderator

    Default

    generally speaking genuine emails should be sent through isp relays which should not be blacklisted, at least on the rbls that have the high scoring, rather the isp dynamic ranges used for dialup/dsl/cable should score highly.

    you are letting amavis/sa use the rbls for scoring, not postfix, right? using rbls for pre-handoff postfix lookups is bound to cause lots of false rejects at least in my experience.

    if you're happy with dspam accuracy, increase its score to something like 3 - this will give it a much bigger chance of influencing the outcome, by default i think it's only 0.5.

  6. #6
    shankwc is offline Senior Member

    Default

    I am using postfix, I think, because I set up the RBLs like so:

    zmprov zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" ...(more RBLs).

    I can only use 3 of the 6 or the rejections get too high.

    How can I do this in amavis/sa instead of postfix?

  7. #7
    iceruam is offline Special Member

    Default

    Originally Posted by dijichi2:
    ....
    sometimes, it happens that dspam and spamassassin have learnt spam badly - in this case just delete the dspam/sa bayesian databases and start again - i've recently done this on one of my installs and it has made an instant improvement.

    How do you delete the dspam/sa databases?
