Backscatter / Message Delivery Failure Spam -- Please help!

[AndrewOC]

Hi All

Sorry to bother, but I've got a massive problem with message failure spam

I can't find anything directly relating to 6.x in the forums and it's driving me mad

I've got the following ticked in the MTA admin console

Hostname in greeting violates RFC (reject_invalid_hostname)
Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
Sender address must be fully qualified (reject_non_fqdn_sender)
Sender's domain (reject_unknown_sender_domain)

And the RBLs below entered and saved

bl.spamcop.net
zen.spamhaus.org
dnsbl.sorbs.net
relays.mail-abuse.org
cbl.abuseat.org
dnsbl.njabl.org
ix.dnsbl.manitu.net
combined.njabl.org

And I've added the line

whitelist_bounce_relays xxxx.xxxxxx.xxx

/opt/zimbra/conf/spamassassin/local.cf

I've restarted zimbra totally, but still get the problem

I've found this file

/opt/zimbra/conf/spamassassin/20_vbounce.cf

which looks like it's the sort of thing I need, but I've no idea what I need to do to get it working

I'm not even convinced vbounce is enabled?

Please help!

[phoenix]

Please update your forum profile with the output of the following command (do not post the output in this thread):

Code:

zmcontrol -v

I can't find anything directly relating to 6.x in the forums and it's driving me mad

The anti-spam system isn't specific to a version of Zimbra and the forum threads should (in general) apply to all versions of Zimbra.

I've got the following ticked in the MTA admin console

Hostname in greeting violates RFC (reject_invalid_hostname)
Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
Sender address must be fully qualified (reject_non_fqdn_sender)
Sender's domain (reject_unknown_sender_domain)

You have too many of thise settings applied, in my opinion, adn you will sometimes block incorrectly set-up servers and clients.

I only use the following and don't have any great problems with spam:

Code:

Hostname in greeting violates RFC (reject_invalid_hostname)

And the RBLs below entered and saved

bl.spamcop.net
zen.spamhaus.org
dnsbl.sorbs.net
relays.mail-abuse.org
cbl.abuseat.org
dnsbl.njabl.org
ix.dnsbl.manitu.net
combined.njabl.org

You also, again in my opinion, have too many RBLs in your config and you'll waste time doing DNS look-ups,

I use the following:

Code:

zen.spamhaus.org
psbl.surriel.com
dnsbl.dronebl.org
bl.spameatingmonkey.net

You want the most effective RBL first and I find the zen.spamhause.org one to catch most of my spam.

And I've added the line

whitelist_bounce_relays xxxx.xxxxxx.xxx

Why, what do you think that gives you?

I've found this file

/opt/zimbra/conf/spamassassin/20_vbounce.cf

which looks like it's the sort of thing I need, but I've no idea what I need to do to get it working

I'm not even convinced vbounce is enabled?

That's a spamassassin rule and you don't need to do anything with it, vbounce is enabled in current versions.

You need to give some sample of the errors you're seeing in the log files and the headers of one of the messages you've received so we can see what the problem is.

Did you also search the forums, there are several threads on how to improve the handling of backscatter and other anti-spam techniques such as not accepting mail sent to invalid addresses.

What are your Kill/Tag percentages set to, have you made any modifications to the anti-spam system other than the ones you mentioned above?

[AndrewOC]

Please update your forum profile with the output of the following command (do not post the output in this thread):

Code:

zmcontrol -v

Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition


The anti-spam system isn't specific to a version of Zimbra and the forum threads should (in general) apply to all versions of Zimbra.

You have too many of thise settings applied, in my opinion, adn you will sometimes block incorrectly set-up servers and clients.

I only use the following and don't have any great problems with spam:

Code:

Hostname in greeting violates RFC (reject_invalid_hostname)

All except the last one are defaults from the install from what I remember, I've added the last one in a desperate attempt to find a cure


You also, again in my opinion, have too many RBLs in your config and you'll waste time doing DNS look-ups,

I use the following:

Code:

zen.spamhaus.org
psbl.surriel.com
dnsbl.dronebl.org
bl.spameatingmonkey.net

You want the most effective RBL first and I find the zen.spamhause.org one to catch most of my spam.



Thanks for the tip


Why, what do you think that gives you?

Post #2 here

[SOLVED] Spam Backscatter

You need to give some sample of the errors you're seeing in the log files and the headers of one of the messages you've received so we can see what the problem is.


There's a lot of messages, what info do you specifically need as I'm a bit weary about pasting stuff on a public forum


What are your Kill/Tag percentages set to, have you made any modifications to the anti-spam system other than the ones you mentioned above?

No I haven't changed anything else other than the RBLs

percentages are still set to defaults i.e. 75/33

[phoenix]

The information on your installed version of Zimbra really does need to go in your forum profile otherwise we have to keep asking you which version is installed every time you ask a question in the forums.

No I haven't changed anything else other than the RBLs

percentages are still set to defaults i.e. 75/33

You might find that 66/25 are slightly better, if you change them you should monitor it for a while to see if you get any (or many) false positives.

We really need to see the headers from one of these email to see what's going on, you can obfuscate any sensitive data (I'm not interested in the body of the email).

The "whitelist_bounce_relays xxxx.xxxxxx.xxx" line isn't needed in current versions of spamassassin and as I mentioned above, vbounce is enabled by default in spamassassin (I'd suggest you remove that line).

I'd also suggest you implement the feature for 'not accepting mail sent to invalid addresses' as mentioned in the anti-spam wiki article.

[AndrewOC]

See attached file

if you can help me i would be extremely grateful

[AndrewOC]

Bump bump bump