zimbra drops all spam

[finth]

Hello all. I had a problem with zimbra antispam configuration. When i enable antispam service, zimbra drops all spam, but didn't deliver it to Junk folder. I set antispam setting through zimbra Admin UI to:

Kill percent - 100%
Tag percent - 33%

And no effect after restarting zimbra services. It writes into maillog "250 2.7.0 Ok, discarded, id=21590-11 - SPAM", and didn't deliver it to the user mailbox. What could be the problem here? Thanks.

UPD: Using Release 6.0.13_GA_2918.RHEL5_64_20110513152056 CentOS5_64 FOSS edition

[phoenix]

You should reset the Kill/Tag percentages to their original values. You need to give more information about your original problem before making any changes. Have you modified any of the ant-spam settings in Zimbra? Why were the services 'disabled' (you mention you've enabled them), what did you do to disable them? What do you mean by "zimbra drops all spam"? How are you determining that all spam is being 'dropped'? Do you have any RBLs in use and if so, which ones? Have you added (or modified) any of the Protocol or DNS checks in the Admin ui and if so, which ones? What settings do you have enabled in the Protocol or DNS checks?

Posting one message out-of-context from the log files isn't really much use.

[finth]

Quote:

Originally Posted by phoenix

Have you modified any of the ant-spam settings in Zimbra?

No, i keep the default settings.

Quote:

Originally Posted by phoenix

Why were the services 'disabled' (you mention you've enabled them), what did you do to disable them?

It was enabled by default, but i disable it later in the Admin UI, because i want to deliver all spam in the users mailboxes and when antispam enabled it didn't deliver (see topic title).

Quote:

Originally Posted by phoenix

What do you mean by "zimbra drops all spam"? How are you determining that all spam is being 'dropped'?

I wrote from external account to my zimbra account message that contains gtube test string and check it in the zimbra web UI. I do not see this message in any folder but i see in the maillog that zimbra receives this message and marks it as spam. This is equivalent to drop.

Quote:

Originally Posted by phoenix

Have you added (or modified) any of the Protocol or DNS checks in the Admin ui and if so, which ones? What settings do you have enabled in the Protocol or DNS checks?

It looks like this now:
X-Originating-IP: disabled
reject_invalid_hostname=enabled
reject_non_fqdn_hostname=disabled
reject_non_fdn_sender=enabled
reject_unknown_client=disabled
reject_unknown_hostname=disabled
reject_unknown_sender_domain=disabled

RBL: unused

Quote:

Originally Posted by phoenix

Posting one message out-of-context from the log files isn't really much use.

Ok. I must return to original settings and do some additional antispam checks.

[phoenix]

Quote:

Originally Posted by finth

I wrote from external account to my zimbra account message that contains gtube test string and check it in the zimbra web UI. I do not see this message in any folder but i see in the maillog that zimbra receives this message and marks it as spam. This is equivalent to drop.

So basically what you're basing this comment on is the fact that you sent a test spam message to your server and it got dropped? What would you have expected it to do? Anything that's spam will get dropped, anything that's possibly spam will go in the Junk folder - that's the way it works.

Reset your Kill/Tag percentages (or even set them to 66/25 respectively).

I have only the following set:

Code:

Protocol Checks:

Hostname in greeting violates RFC (reject_invalid_hostname)

Code:

DNS Checks:

none set

There are many misconfigured mail servers around and setting the DNS & Protocol check be too aggressive will get a lot of valid email rejected.

Code:

RBLs:

zen.spamhaus.org
psbl.surriel.com
dnsbl.dronebl.org
bl.spameatingmonkey.net

With those settings I see very little spam on my system, probably around 10 messages per month in my Junk folder and the rest of the spam gets dropped.

[LMStone]

Hi Bill,

Bit of a side bar comment, but... we had been getting some "false positives" from spameatingmonkey and so have dropped using it. Mostly due to their periodically listing major senders' servers like Postini as spam sources.

We do enable reject_unknown_sender_domain and find this to be effective. It does require access to a reliable nearby DNS server, but anything you can do to reject email before it is processed by Amavis reduces the load considerably on the MTA servers.

Hope that helps,
Mark