Thread: Challenge/Response for 100% spam reduction?

  1. #21
    CatiaL, Active Member

    the line trusted_networks in /opt/zimbra/conf/salocal.cf is commented out:

    #trusted_networks

  2. #22
    padraig, Elite Member

    66/20

    Kill percent: 66
    Tag percent: 20

    excellent should be default!!

  3. #23
    scottnelson, Special Member

    Well, I wouldn't agree with that really.
    As a "default" out-of-the-box setting, I think it is a good starting point for a new install.
    Once the system has been trained a bit and the mail-admin gets some or already has some knowledge under their belt, then they can tune the system a little lower. Not everyone who is going to load this or any e-mail server is going to be an expert. Better to start at the default 75/33 and gradually tune it lower.
    All IMHO of course but, better to accept a little spam than drop legit mail when someone is learning their way around a new system..... ;-)

    Scotty

  4. #24
    padraig, Elite Member

    misunderstood the setting

    thanks ScottNelson,
    I think I misunderstood the setting. Would you mind explaining
    what Kill percent and Tag percent are exactly and how they work?

  5. #25
    scottnelson, Special Member

  6. #26
    padraig, Elite Member

    has this happened to anyone

    when i set the av/as to 66/20
    the av/as graph in the admin console fails


    it happens in 4.51 & 4.53 RHEL64

    see:
    http://bugzilla.zimbra.com/show_bug.cgi?id=15449

  7. #27
    bobby, Zimbra Employee

    catia

    spamassassin has a page with descriptions of their tests. the message probably triggered more blacklist tests the second time through because the headers from the original message were in the body of the second message.

  8. #28
    alivebyscience, Active Member

    Server Statistics: Spam Activity Graph

    See chart below... Can anyone explain the chart contents? But first, here are my results after making the changes found in this discussion.

    Before
    Tag %: 30
    Kill %: 70
    No RBL, no protocol checks, no dns checks (these got disabled from the installed defaults somehow).

    After
    Tag %: 27 (can't change too much at once)
    Kill %: 70
    All protocol checks enabled
    DNS check only enabled for reject_unknown_sender_domain
    RBLs enabled:
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client relays.mail-abuse.org
    DSPAM score increment is 1.5 (it was that already)
    Added SARE rules for stocks, adult and BML
    Modified the GIF attach and stox values (4.75 and 4.66)

    Results are here:


    The Admin manual describes this chart:
    green: # messages checked
    blue: # messages tagged
    red: # virus identified

    Beginning at 1600 yesterday the spam count dropped when I enabled everything I could. You can see me enable and disable combinations until I settled on the above values around 2300. Then starting this morning around 5am you see the ratio of messages to spam widen greatly!!! Especially in contrast to previous hours. You see most hours showing a much higher message to spam ratio, and they track each other. Until I changed the settings.

    Chart observations...
    What's the flow of a message as it enters the server... postfix to spamassassin to clamav to zimbra mta? There's probably a flow chart in the admin manual.

    Since the changes I made at 1600 presumably caused spamassassin to reject more emails, and the count of checked messages in the chart drops at 1600 - That tells me this chart only counts messages that made it through spamassassin. Virus emails and all. So it's not really as the admin guide indicates - it's not messages checked. It's really messages spamassassin didn't kill. The green is the total count of all non-killed emails. The blue is the count of tagged emails (of the total these were tagged). The chart is showing the relationship/ratio between all messages and tagged messages and virus infected messages. It's a theory.

    Extending that theory - then the count of tagged messages is lower because the quality (or is it quantity) of kills is better after making changes. Spamassassin is killing emails because it fails a protocol check, or it fails an RBL test, or it fails a SARE rule. So of the emails not killed the ratio of good vs tagged is larger. This is a good sign. But... Good news, bad news. We're now killing a lot of emails that previously scored below the kill factor. Good news. But (damn the bad news), this means users don't have a chance of finding false positives from these additional tests in their Junk folder. Is that really a bad thing? Hmmm. Time will tell if we get a lot of complaints about missing emails that are not in the webmail junk folder.

    You can't really see virus counts on this chart - there is some from time to time. Lucky us, huh? (knock on wood).

    Thought you might enjoy the view. I think this chart proves the real world value of these changes. My thanks to ScottNelson, and mmorse, and others who have contributed. This stuff is getting us some relief, and results!!! Right on!
    Last edited by alivebyscience; 07-09-2007 at 03:37 PM. Reason: Text needed to be clarified.

  9. #29
    mmorse, Moderator

    It should be the "Number of unique messages processed by the AS/AV system."

    relays.mail-abuse.org may no longer be in existence, it was moved to .com then trendmicro
    hold on need to do some hunting

    EDIT: yes, it seems that it's now a paid service, there's a 30 day trial that requires registration of your ip(s) with trendmicro.
    Seems to be called "Email Anti-Spam Network Reputation Services"
    Last edited by mmorse; 07-09-2007 at 04:11 PM.

  10. #30
    alivebyscience, Active Member

    TrendMicro Email Reputation Services

    Email Reputation Services - Trend Micro USA

    They're offering two levels of service.

    Here are their setup instructions for the advanced service. Would this work w/Zimbra since they want us to edit main.cf?



    Postfix

    Note: Insert your unique valid "activation code" to replace the instructional text example; do not include any dashes.

    Follow the steps below to configure your Postfix to use Trend Micro Network Reputation Services DNSBL zone with a custom error message

    Postfix 2.x

    1. Find out if your OS supports hash or dbm tables.
    type postconf -m

    If you see hash, use hash in steps 2 and 3 below.
    If you see dbm, use dbm in steps 2 and 3 below.

    2. Edit main.cf and add our RBL and rbl_reply_maps entries.

    While it's really a client check, we have it in
    "smtpd_recipient_restrictions" (as is recommended by many experts) as that is needed if you want to whitelist any recipients (e.g. Postmaster). Putting it as a recipient restriction only affects the timing (after the RCPT TO command), not the effect.

    NOTE: Be sure the smtpd_recipient_restrictions = is one really long line. We had to add line breaks to show you the example.

    rbl_reply_maps = hash:/$config_directory/rbl_reply
    smtpd_recipient_restrictions = permit_mynetworks,
    reject_rbl_client activationcode.r.mail-abuse.com,
    reject_rbl_client activationcode.q.mail-abuse.com,
    reject_unauth_destination

    3. Create the rbl_reply map and "postmap" it.

    NOTE: Be sure each line is one really long line. Also be sure there are no leading spaces in front of the activationcode lines.

    ....contents of rbl_reply file....
    activationcode.r.mail-abuse.com 550 Service unavailable; $rbl_class [$rbl_what] blocked using Trend Micro RBL+. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=$rbl_what${rbl_reason?; $rbl_reason}
    activationcode.q.mail-abuse.com 450 Service temporarily unavailable; $rbl_class [$rbl_what] blocked using Trend Micro Network Anti-Spam Service. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=$rbl_what${rbl_reason?; $rbl_reason}
    ....contents of rbl_reply file....

    Save and then type 'postmap hash:rbl_reply' to create the hash table.

    NOTE: If postmap complains about unknown "hash", type postconf -m
    If you do not see hash, but you do see dbm, then change the words hash to dbm in steps 2 and 3 above.

    4. Reload postfix by typing "postfix reload"
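
An added example, not part of the post above or of Trend Micro's instructions: a small Python lint for the main.cf and rbl_reply edits quoted in the post. It applies Postfix's line-continuation rule (a line starting with whitespace continues the previous one), which is why an indented key line in rbl_reply silently loses its entry. The function names and the activation code EXAMPLE0001 are made up for illustration.

```python
import re

def logical_lines(text):
    """Postfix rule for main.cf and table source files: a line that starts
    with whitespace continues the previous logical line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def rbl_zones(main_cf):
    """Zones named by reject_rbl_client in smtpd_recipient_restrictions."""
    for line in logical_lines(main_cf):
        name, _, value = line.partition("=")
        if name.strip() == "smtpd_recipient_restrictions":
            words = re.split(r"[,\s]+", value.strip())
            return [z for w, z in zip(words, words[1:]) if w == "reject_rbl_client"]
    return []

def lint(main_cf, rbl_reply):
    """Findings for the mistakes the quoted instructions warn about."""
    replies = dict((l.split(None, 1) + [""])[:2] for l in logical_lines(rbl_reply))
    findings = []
    for zone in rbl_zones(main_cf):
        code, _, rest = zone.partition(".")
        if rest.endswith("mail-abuse.com") and (code == "activationcode" or "-" in code):
            findings.append(f"{zone}: placeholder or dashes in activation code")
        if not re.match(r"[45]\d\d ", replies.get(zone, "")):
            findings.append(f"{zone}: no usable rbl_reply entry for this key")
    return findings

# Constructed sample input; EXAMPLE0001 is a made-up activation code.
MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    reject_rbl_client EX-AMPLE0001.r.mail-abuse.com,
    reject_rbl_client EXAMPLE0001.q.mail-abuse.com,
    reject_unauth_destination
"""
# The second key line is indented, so it is folded into the first entry.
RBL_REPLY = """\
EX-AMPLE0001.r.mail-abuse.com 550 Service unavailable; $rbl_class [$rbl_what]
 EXAMPLE0001.q.mail-abuse.com 450 Service temporarily unavailable
"""

print("\n".join(lint(MAIN_CF, RBL_REPLY)))
```

On the sample it reports the dashed code on the first zone and the missing map entry on the second; an empty result means both files pass these checks.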
