  #1 (permalink)  
Old 05-05-2011, 07:35 AM
Special Member
 
Posts: 101
spam: how to block by sender alias

I have a unique spam issue that is giving me grey hair. Several of my users keep getting similar spam from many different addresses that the Zimbra server just can't seem to train to block.
The only consistent thing about the spam is the alias of the email address. For example:

"Facebook Surveys" facebooksurvey@shopsnomi.com
"Facebook Surveys" facebooksurvey@xc-vi.com
"Facebook Surveys" facebook@dvragents.com
...
There are hundreds of combinations like this. And not only Facebook, this is just an example. We have "email fax", "discount airfare", "credit score check" and a laundry list of others.

I have tried:
Going to individuals' mailboxes and marking 100s of messages as spam and then running zmtrainsa manually (which by the way doesn't work on any user's mailbox, only on the system spam box). I am met with the following result 99% of the time:

[test: spam ] /tmp/spam.PDR6214/12fc062862f-21 result: PASS

Configuring additional RBLs hoping that some of these spammers are tagged already and would be on one of these lists. I am using 7 RBLs.

Creating blacklists for email domains, but it seems the more I add to the list the more creative they get with their domain names!

Creating SpamAssassin rules to block by subject, but the subject lines are almost never the same, and change fast enough to make this an exercise in futility.

So now I'd like to find a way to block by email address alias since this seems to be the most consistent thing about these spam messages. Anyone that has some pointers, please help.

PS: I am also open to any other general pointers for blocking spam. It's at the point now that my boss is concerned and he's been campaigning to move back to Exchange for several months now! I can't let that happen.


Release 7.0.1_GA_3105.RHEL5_20110304210448 RHEL5 FOSS edition.
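
A SpamAssassin rule set keyed on the From display name rather than the address or subject, added here as an example; it is not from the thread or from Zimbra. The rule names, the scores and the facebookmail.com exemption are assumptions, and the display names are the ones quoted in the post above.

```conf
# Added example, not from the thread. Rule names and scores are hypothetical.

# "From:name" selects only the display-name part of the From header, so these
# sub-rules fire no matter which address or domain follows the name.
# Rules whose names start with "__" are sub-rules: they match but carry no score.
header   __LOCAL_NAME_FB_SURVEY   From:name =~ /\bfacebook\s+surveys?\b/i
header   __LOCAL_NAME_EMAIL_FAX   From:name =~ /\bemail\s+fax\b/i
header   __LOCAL_NAME_AIRFARE     From:name =~ /\bdiscount\s+airfare\b/i
header   __LOCAL_NAME_CREDIT      From:name =~ /\bcredit\s+score\s+check\b/i

# One scored rule for the whole list, so the weight is tuned in a single place.
meta     LOCAL_SPAMMY_FROM_NAME   (__LOCAL_NAME_FB_SURVEY || __LOCAL_NAME_EMAIL_FAX || __LOCAL_NAME_AIRFARE || __LOCAL_NAME_CREDIT)
describe LOCAL_SPAMMY_FROM_NAME   From display name is on the local spam alias list
score    LOCAL_SPAMMY_FROM_NAME   4.0

# Broader check: a brand in the display name while the address ("From:addr")
# is not at a domain the brand sends from. The domain list is an assumption;
# confirm it against legitimate mail before relying on the rule.
header   __LOCAL_NAME_FACEBOOK    From:name =~ /\bfacebook\b/i
header   __LOCAL_ADDR_FACEBOOK    From:addr =~ /\@(?:[a-z0-9-]+\.)*facebook(?:mail)?\.com$/i
meta     LOCAL_FB_NAME_MISMATCH   (__LOCAL_NAME_FACEBOOK && !__LOCAL_ADDR_FACEBOOK)
describe LOCAL_FB_NAME_MISMATCH   Facebook in From name but sender is not a Facebook domain
score    LOCAL_FB_NAME_MISMATCH   2.0
```

`spamassassin --lint` checks the syntax before the rules go live; where local rules are loaded from depends on the installation.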
  #2 (permalink)  
Old 05-09-2011, 05:27 PM
Special Member
 
Posts: 101

After a week of trying out several different suggestions from the forum I still cannot find a solution. Sadly it seems this problem is getting worse :/ If anyone has any additional suggestions I am open to trying anything.

thx
  #3 (permalink)  
Old 05-09-2011, 11:55 PM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by sangamc
After a week of trying out several different suggestions from the forum I still cannot find a solution.

You need to give some details about what you've actually tried and what the results were.

Quote:
Originally Posted by sangamc
Sadly it seems this problem is getting worse :/ If anyone has any additional suggestions I am open to trying anything.

Some headers from some of the 'spam' might give an idea about what's wrong. Anything in the log files for these emails?

FWIW, you really shouldn't need seven RBLs - between one and three should suffice.
__________________
Regards


Bill
  #4 (permalink)  
Old 05-10-2011, 06:29 AM
Special Member
 
Posts: 101

Thanks Phoenix for the replies, sadly I won't be able to find out what was causing the problem. Last night I took a backup of all the user mailboxes and reinstalled the entire server from scratch.

Testing from my Yahoo address that I marked as spam, it now works without a hitch! So I believe I may have had some misconfiguration or corruption in the old Zimbra instance.

I still can't run zmtrainsa directly on a user's mailbox, but it does work for the system account, so I will leave this question for another post at a future date.