Zimbra AS/AV for Users from the same Server

[tkramis]

We use, the lastest Zimbra 6.0.7 NE edition on Mac OS X 10.4.

For about 3 weeks zimbra is marking mails sent from users on this server to other users on the same server as SPAM.

Additionally:
Although the mailserver is not listed on any blacklist, external receipients often get the users from this Zimbra Servers marked as SPAM.

What is going wrong here?

[phoenix]

Quote:

Originally Posted by tkramis

We use, the lastest Zimbra 6.0.7 NE edition on Mac OS X 10.4.

You need to update your forum profile with the output of the following command:

Code:

zmcontrol -v

Quote:

Originally Posted by tkramis

For about 3 weeks zimbra is marking mails sent from users on this server to other users on the same server as SPAM.

Additionally:
Although the mailserver is not listed on any blacklist, external receipients often get the users from this Zimbra Servers marked as SPAM.

What is going wrong here?

That would depend on what the problem is, you need to provide some information such as the headers from an email marked as spam before anyone can advise you.

[tkramis]

Ok. Profile is updated.

AS/AV-Settings:
- Limit for elimination 25
- Limit for spam-marking 10

Here are some header informations, what could be the problem?:
X-Virus-Scanned: amavisd-new at ....
X-Spam-Flag: YES
X-Spam-Score: 2.23
X-Spam-Level: **
X-Spam-Status: Yes, score=2.23 tagged_above=-10 required=2 tests=[BAYES_00=-1.9, HELO_NO_DOMAIN=0.001, RCVD_IN_PBL=3.335, RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793] autolearn=no
Message-Id: <18236478.155.1277398002188.JavaMail...@....loca l>
In-Reply-To: <9ED46D2D-5205-4C27-AAD9-F17C11A4B332@...>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-Ip: [...]
X-Mailer: Zimbra 6.0.7_GA_2470.MACOSXx86 (Zimbra Desktop/2.0_10479_Mac)

[phoenix]

Quote:

Originally Posted by tkramis

Ok. Profile is updated.

Thanks.

Quote:

Originally Posted by tkramis

AS/AV-Settings:
- Limit for elimination 25
- Limit for spam-marking 10

I assume you mean the Kill/Tag percentages? They are remarkable low and might be causing part of this problem of false positives. I'd suggest you reset them to a slight more strict level than the original defaults. I currently have my settings at 66/25 for the Kill/Tag settings, try that for a while and see how you get on.

Quote:

Originally Posted by tkramis

Here are some header informations, what could be the problem?:
X-Virus-Scanned: amavisd-new at ....
X-Spam-Flag: YES
X-Spam-Score: 2.23
X-Spam-Level: **
X-Spam-Status: Yes, score=2.23 tagged_above=-10 required=2 tests=[BAYES_00=-1.9, HELO_NO_DOMAIN=0.001, RCVD_IN_PBL=3.335, RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793] autolearn=no
Message-Id: <18236478.155.1277398002188.JavaMail...@....loca l>
In-Reply-To: <9ED46D2D-5205-4C27-AAD9-F17C11A4B332@...>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-Ip: [...]
X-Mailer: Zimbra 6.0.7_GA_2470.MACOSXx86 (Zimbra Desktop/2.0_10479_Mac)

The problem is the highlighted entry and because you have the Kill/Tag so low it's exceeding the required score and marking it as spam i.e. it's a False Positive. As I said above, try the settings I've mentioned and see how you get on.

[tkramis]

OK, I've set the values to 66/25. But this is only part of the problem. The other problem is that mails from this Zimbra server sent to an other server are also marked as SPAM on a frequent basis. As we're not listed on a Blacklist, I'm unsure where this problem comes from.

There are correct reverse DNS settings, etc. for this Zimbra Server.

[phoenix]

Quote:

Originally Posted by tkramis

OK, I've set the values to 66/25. But this is only part of the problem. The other problem is that mails from this Zimbra server sent to an other server are also marked as SPAM on a frequent basis. As we're not listed on a Blacklist, I'm unsure where this problem comes from.

Where is the other server located and can you get the headers from one of the emails that show a message from you is marked as spam. Would it be an email sent via the Web UI or via a fat client sent via your server.

Without the headers it's impossible to tell why you're email is being marked as spam.

[tkramis]

I will check wether I can get one mail with headers, but as these servers are out of my reach it will be difficult.

[sdrury]

Hi,

I've started getting this to happen on our server also, particularly my own email address to other users on the system are now being flagged as spam.
Below is a test email I did to a small dist list which includes my own address and I received it in the Junk folder - is this because a smart cookie/s has been flagging my emails as junk on our system?

Return-Path: seand@bartonsholden.com.au
Received: from mail.bartongroup.net.au (LHLO mail.bartongroup.net.au)
(10.50.50.106) by mail.bartongroup.net.au with LMTP; Fri, 2 Jul 2010
13:20:11 +1000 (EST)
Received: from localhost (localhost [127.0.0.1])
by mail.bartongroup.net.au (Postfix) with ESMTP id 84282261A002;
Fri, 2 Jul 2010 13:20:11 +1000 (EST)
X-Virus-Scanned: amavisd-new at mail.bartongroup.net.au
X-Spam-Flag: YES
X-Spam-Score: 9.177
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.177 tagged_above=-10 required=6.6
tests=[BAYES_50=0.8, HELO_NO_DOMAIN=0.001, HTML_IMAGE_ONLY_20=1.546,
HTML_MESSAGE=0.001, RCVD_IN_PBL=3.335, RCVD_IN_RP_RNBL=1.31,
RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793,
SHORT_HELO_AND_INLINE_IMAGE=1.39] autolearn=no
Received: from mail.bartongroup.net.au ([127.0.0.1])
by localhost (mail.bartongroup.net.au [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id kTEtDupcmRUX; Fri, 2 Jul 2010 13:20:10 +1000 (EST)
Received: from mail.bartongroup.net.au (localhost [127.0.0.1])
by mail.bartongroup.net.au (Postfix) with ESMTP id A1048261A001
for <itfax@bartonsholden.com.au>; Fri, 2 Jul 2010 13:20:10 +1000 (EST)
Date: Fri, 2 Jul 2010 13:20:10 +1000 (EST)
From: Sean Drury <seand@bartonsholden.com.au>
To: itfax <itfax@bartonsholden.com.au>
Message-ID: <134808888.2334.1278040810191.JavaMail.root@mail >
Subject: [SPAM]test
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_2332_1714756751.1278040810188"
X-Originating-IP: [124.171.186.138]
X-Mailer: Zimbra 6.0.7_GA_2476.RHEL4 (ZimbraWebClient - FF3.0 (Win)/6.0.7_GA_2473.UBUNTU8_64)

------=_Part_2332_1714756751.1278040810188
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

just a test

Regards,
Sean.



Sean Drury | Information Technology Manager

[sdrury]

Meant to mention our kill/tag is 75/33 (default)

Regards,
Sean.

[phoenix]

Quote:

Originally Posted by sdrury

I've started getting this to happen on our server also, particularly my own email address to other users on the system are now being flagged as spam.
Below is a test email I did to a small dist list which includes my own address and I received it in the Junk folder - is this because a smart cookie/s has been flagging my emails as junk on our system?

The problem is that the IP that submitted the emails is on a PBL, see the highlighted sections below. Unless you specifically need it, I'd suggest you disable the 'X-Originating-IP' header.

Quote:

Originally Posted by sdrury

Return-Path: seand@bartonsholden.com.au
Received: from mail.bartongroup.net.au (LHLO mail.bartongroup.net.au)
(10.50.50.106) by mail.bartongroup.net.au with LMTP; Fri, 2 Jul 2010
13:20:11 +1000 (EST)
Received: from localhost (localhost [127.0.0.1])
by mail.bartongroup.net.au (Postfix) with ESMTP id 84282261A002;
Fri, 2 Jul 2010 13:20:11 +1000 (EST)
X-Virus-Scanned: amavisd-new at mail.bartongroup.net.au
X-Spam-Flag: YES
X-Spam-Score: 9.177
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.177 tagged_above=-10 required=6.6
tests=[BAYES_50=0.8, HELO_NO_DOMAIN=0.001, HTML_IMAGE_ONLY_20=1.546,
HTML_MESSAGE=0.001, RCVD_IN_PBL=3.335, RCVD_IN_RP_RNBL=1.31,
RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793,
SHORT_HELO_AND_INLINE_IMAGE=1.39] autolearn=no
Received: from mail.bartongroup.net.au ([127.0.0.1])
by localhost (mail.bartongroup.net.au [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id kTEtDupcmRUX; Fri, 2 Jul 2010 13:20:10 +1000 (EST)
Received: from mail.bartongroup.net.au (localhost [127.0.0.1])
by mail.bartongroup.net.au (Postfix) with ESMTP id A1048261A001
for <itfax@bartonsholden.com.au>; Fri, 2 Jul 2010 13:20:10 +1000 (EST)
Date: Fri, 2 Jul 2010 13:20:10 +1000 (EST)
From: Sean Drury <seand@bartonsholden.com.au>
To: itfax <itfax@bartonsholden.com.au>
Message-ID: <134808888.2334.1278040810191.JavaMail.root@mail >
Subject: [SPAM]test
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_2332_1714756751.1278040810188"
X-Originating-IP: [124.171.186.138]
X-Mailer: Zimbra 6.0.7_GA_2476.RHEL4 (ZimbraWebClient - FF3.0 (Win)/6.0.7_GA_2473.UBUNTU8_64)

------=_Part_2332_1714756751.1278040810188
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

just a test

Regards,
Sean.



Sean Drury | Information Technology Manager