Thread: How to check that the antispam system is working correctly?

  1. #1
    VGusev2007 is offline Junior Member
    Join Date
    Aug 2013
    Posts
    7
    Rep Power
    1

Question How to check that the antispam system is working correctly?

    Hi all!

    I have a fresh installation of zimbra:
    Code:
    Release 8.0.4.GA.5737.UBUNTU12.64 UBUNTU12_64 FOSS edition.
    It works fine (AD (samba4), imapsync and so on).

The last of my checks was about spam protection, and it surprised me...

Here is a log of my check:

    Code:
    $ postconf |grep /24
    mynetworks = 127.0.0.0/8 192.168.2.0/24
My host has the 192.168.11.43 address, so let's try to send mail via telnet from my host

    Code:
    # telnet mail-zimbra 25
    Trying 192.168.2.54...
    Connected to mail-zimbra.tokk.local.
    Escape character is '^]'.
    220 mail-zimbra.tokk.local ESMTP Postfix
    ehlo spamer
    250-mail-zimbra.tokk.local
    250-PIPELINING
    250-SIZE 21474836480
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from: spamer@nonexistdomain.spam
    250 2.1.0 Ok
    rcpt to: gusevvs@mycompany.ru
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    spam
    .
    250 2.0.0 Ok: queued as E89AC441949

    /var/log/zimbra.log has records:

    Code:
    Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: NOQUEUE: filter: RCPT from unknown[192.168.11.43]: <spamer@nonexistdomain.spam>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<spamer@nonexistdomain.spam> to=<gusevvs@mycompany.ru> proto=ESMTP helo=<spamer>
    Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: NOQUEUE: filter: RCPT from unknown[192.168.11.43]: <spamer@nonexistdomain.spam>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<spamer@nonexistdomain.spam> to=<gusevvs@mycompany.ru> proto=ESMTP helo=<spamer>
    Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: E89AC441949: client=unknown[192.168.11.43]
    Aug 25 13:05:19 mail-zimbra postfix/cleanup[32194]: E89AC441949: message-id=<20130825090513.E89AC441949@mail-zimbra.tokk.local>
    Aug 25 13:05:19 mail-zimbra postfix/qmgr[16533]: E89AC441949: from=<spamer@nonexistdomain.spam>, size=335, nrcpt=1 (queue active)
    Aug 25 13:05:19 mail-zimbra amavis[16193]: (16193-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20130825T130519-16193-_UU1sJLH: <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru> SIZE=335 Received: from mail-zimbra.tokk.local ([127.0.0.1]) by localhost (mail-zimbra.tokk.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <gusevvs@mycompany.ru>; Sun, 25 Aug 2013 13:05:19 +0400 (MSK)
    Aug 25 13:05:19 mail-zimbra amavis[16193]: (16193-01) Checking: zv_GqB5GtiT2 [192.168.11.43] <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>
    Aug 25 13:05:20 mail-zimbra postfix/amavisd/smtpd[32199]: connect from localhost[127.0.0.1]
    Aug 25 13:05:20 mail-zimbra postfix/amavisd/smtpd[32199]: 1F0F244194C: client=localhost[127.0.0.1]
    Aug 25 13:05:20 mail-zimbra postfix/cleanup[32194]: 1F0F244194C: message-id=<20130825090513.E89AC441949@mail-zimbra.tokk.local>
    Aug 25 13:05:20 mail-zimbra postfix/qmgr[16533]: 1F0F244194C: from=<spamer@nonexistdomain.spam>, size=1097, nrcpt=1 (queue active)
    Aug 25 13:05:20 mail-zimbra amavis[16193]: (16193-01) FWD from <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1F0F244194C
    Aug 25 13:05:20 mail-zimbra amavis[16193]: (16193-01) Passed CLEAN {RelayedInbound}, [192.168.11.43]:50708 [192.168.11.43] <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>, Queue-ID: E89AC441949, Message-ID: <20130825090513.E89AC441949@mail-zimbra.tokk.local>, mail_id: zv_GqB5GtiT2, Hits: 5.315, size: 335, queued_as: 1F0F244194C, 282 ms
    Aug 25 13:05:20 mail-zimbra postfix/smtp[32196]: E89AC441949: to=<gusevvs@mycompany.ru>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0.01/0.28, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1F0F244194C)
So, my host doesn't have a valid DNS lookup, and the mail from telnet was sent correctly without being rejected... What about this behavior?

The next check is the status of spam protection:
    Code:
    zimbra@mail-zimbra:~$ zmantispamctl restart
    Stopping amavisd... done.
    Starting amavisd...done.
    zimbra@mail-zimbra:~$ zmantispamctl status
    zimbra@mail-zimbra:~$
    It returns nothing...

But grep looks fine:

    Code:
    zimbra@mail-zimbra:~$ ps aux|grep amavis
    postfix   4852  0.0  0.0  56396  3392 ?        S    13:16   0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20
    zimbra    5494  1.2  1.2 213240 96924 ?        Ss   13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (master)
    zimbra    5631  0.1  1.2 219960 100468 ?       S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (ch1-avail)
    zimbra    5632  0.0  1.1 213240 95260 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5633  0.0  1.1 213240 95248 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5634  0.0  1.1 213240 95248 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5635  0.0  1.1 213240 95248 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5636  0.0  1.1 213240 95244 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5637  0.0  1.1 213240 95244 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5638  0.0  1.1 213240 95244 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5639  0.0  1.1 213240 95244 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    zimbra    5640  0.0  1.1 213240 95244 ?        S    13:16   0:00 /opt/zimbra/amavisd/sbin/amavisd (virgin child)
    postfix   5994  0.0  0.0 100680  5348 ?        S    13:17   0:00 smtpd -n [127.0.0.1]:10025 -t inet -u -o content_filter= -o local_recipient_maps= -o virtual_mailbox_maps= -o virtual_alias_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o smtpd_end_of_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_milters= -o smtpd_sender_restrictions= -o smtpd_reject_unlisted_sender=no -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks_style=host -o mynetworks=127.0.0.0/8,[::1]/128 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings -o local_header_rewrite_clients= -o syslog_name=postfix/amavisd
    zimbra    5999  0.0  0.0   6512   624 pts/1    S+   13:17   0:00 grep amavis
I have a doubt about the key value disable_dns_lookups=yes: is it normal? And what about zmantispamctl status?

So, I'm not sure that spam protection works fine...

Thanks for your answers.
    Last edited by VGusev2007; 08-25-2013 at 06:02 AM. Reason: remove a private information
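The zimbra.log lines in the post above can be correlated by Postfix queue id to see, per message, where it came from, whether the client had reverse DNS, what verdict and spam score amavisd-new gave it, and whether it was delivered. The following is an added example, not code from the thread or from Zimbra: a small parser for those log formats, run over a constructed sample made of the lines quoted above. The tag_level argument of review() is assumed to be supplied by the reader from their own amavis configuration; the 6.3 in the usage call is only a placeholder.

```python
import re

# Constructed sample: four of the /var/log/zimbra.log lines quoted in the post above,
# trimmed to the ones the parser needs (smtpd client, qmgr sender, amavis verdict, smtp status).
SAMPLE_LOG = """\
Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: E89AC441949: client=unknown[192.168.11.43]
Aug 25 13:05:19 mail-zimbra postfix/qmgr[16533]: E89AC441949: from=<spamer@nonexistdomain.spam>, size=335, nrcpt=1 (queue active)
Aug 25 13:05:20 mail-zimbra amavis[16193]: (16193-01) Passed CLEAN {RelayedInbound}, [192.168.11.43]:50708 [192.168.11.43] <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>, Queue-ID: E89AC441949, Message-ID: <20130825090513.E89AC441949@mail-zimbra.tokk.local>, mail_id: zv_GqB5GtiT2, Hits: 5.315, size: 335, queued_as: 1F0F244194C, 282 ms
Aug 25 13:05:20 mail-zimbra postfix/smtp[32196]: E89AC441949: to=<gusevvs@mycompany.ru>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0.01/0.28, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1F0F244194C)
"""

# Postfix smtpd: queue id plus the connecting client's reverse name (or "unknown") and IP.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]")
# Postfix qmgr: envelope sender for that queue id.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
# amavisd-new summary line: verdict (Passed/Blocked), content category, original queue id, SpamAssassin score.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<category>[A-Z-]+) .*?"
    r"Queue-ID: (?P<qid>[0-9A-F]+),.*?Hits: (?P<hits>-?[0-9.]+)"
)
# Postfix smtp client: final delivery status for the queue id.
STATUS_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>,.*?status=(?P<status>\w+)")


def parse_zimbra_log(text):
    """Correlate smtpd/qmgr/amavis/smtp lines by Postfix queue id into one record per message."""
    records = {}
    for line in text.splitlines():
        for regex in (CLIENT_RE, FROM_RE, AMAVIS_RE, STATUS_RE):
            m = regex.search(line)
            if not m:
                continue
            rec = records.setdefault(m.group("qid"), {})
            fields = m.groupdict()
            if regex is CLIENT_RE:
                rec["client_ip"] = fields["ip"]
                rec["rdns_unknown"] = fields["rdns"] == "unknown"
            elif regex is FROM_RE:
                rec["sender"] = fields["sender"]
            elif regex is AMAVIS_RE:
                rec["verdict"] = fields["verdict"]
                rec["category"] = fields["category"]
                rec["hits"] = float(fields["hits"])
            else:
                rec["delivered"] = fields["status"] == "sent"
            break
    return records


def review(records, tag_level):
    """Return [(qid, findings)] for every message. tag_level is the spam score at which the
    local amavis setup starts tagging mail; it is site-specific and must be passed in."""
    findings = []
    for qid, rec in records.items():
        notes = []
        if rec.get("rdns_unknown"):
            notes.append("client %s has no reverse DNS" % rec.get("client_ip"))
        if "hits" in rec and rec.get("verdict") == "Passed":
            if rec["hits"] >= tag_level:
                notes.append("score %.3f at or above tag level %.2f" % (rec["hits"], tag_level))
            else:
                notes.append("score %.3f is %.3f below tag level %.2f"
                             % (rec["hits"], tag_level - rec["hits"], tag_level))
        if rec.get("delivered"):
            notes.append("delivered to mailbox")
        findings.append((qid, notes))
    return findings


if __name__ == "__main__":
    # 6.3 is a placeholder tag level, not a Zimbra default; use the value from your own amavis config.
    for qid, notes in review(parse_zimbra_log(SAMPLE_LOG), tag_level=6.3):
        print(qid, "; ".join(notes))
```

Run against a real log with `parse_zimbra_log(open("/var/log/zimbra.log").read())`; the "Passed CLEAN" plus "Hits" pair is the evidence that amavisd-new did scan the message and scored it below the tagging threshold, which is what the log in the post shows happened.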

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,566
    Rep Power
    57

    Default

This is posted in the wrong forum, it's not a question about installing Zimbra so I'll move it to the correct forum.

    Quote Originally Posted by VGusev2007 View Post
    My host has 192.168.11.43 address, so let's try to send mail from telnet from my host

    Code:
    # telnet mail-zimbra 25
    Trying 192.168.2.54...
    Connected to mail-zimbra.tokk.local.
    Escape character is '^]'.
    220 mail-zimbra.tokk.local ESMTP Postfix
    ehlo spamer
    250-mail-zimbra.tokk.local
    250-PIPELINING
    250-SIZE 21474836480
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from: spamer@nonexistdomain.spam
    250 2.1.0 Ok
    rcpt to: gusevvs@tokkcompany.ru
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    spam
    .
    250 2.0.0 Ok: queued as E89AC441949
I'm assuming that your domain is "tokkcompany.ru"; if that's the case then there's no reason the mail would be rejected - you're submitting mail for your domain on port 25 and a mail server is supposed to accept mail on that port wherever it comes from.


    Quote Originally Posted by VGusev2007 View Post
    /var/log/zimbra.log has records:

    Code:
    Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: NOQUEUE: filter: RCPT from unknown[192.168.11.43]: <spamer@nonexistdomain.spam>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<spamer@nonexistdomain.spam> to=<gusevvs@mycompany.ru> proto=ESMTP helo=<spamer>
    Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: NOQUEUE: filter: RCPT from unknown[192.168.11.43]: <spamer@nonexistdomain.spam>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<spamer@nonexistdomain.spam> to=<gusevvs@mycompany.ru> proto=ESMTP helo=<spamer>
    Aug 25 13:05:13 mail-zimbra postfix/smtpd[31956]: E89AC441949: client=unknown[192.168.11.43]
    Aug 25 13:05:19 mail-zimbra postfix/cleanup[32194]: E89AC441949: message-id=<20130825090513.E89AC441949@mail-zimbra.tokk.local>
    Aug 25 13:05:19 mail-zimbra postfix/qmgr[16533]: E89AC441949: from=<spamer@nonexistdomain.spam>, size=335, nrcpt=1 (queue active)
    Aug 25 13:05:19 mail-zimbra amavis[16193]: (16193-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20130825T130519-16193-_UU1sJLH: <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru> SIZE=335 Received: from mail-zimbra.tokk.local ([127.0.0.1]) by localhost (mail-zimbra.tokk.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <gusevvs@mycompany.ru>; Sun, 25 Aug 2013 13:05:19 +0400 (MSK)
    Aug 25 13:05:19 mail-zimbra amavis[16193]: (16193-01) Checking: zv_GqB5GtiT2 [192.168.11.43] <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>
    Aug 25 13:05:20 mail-zimbra postfix/amavisd/smtpd[32199]: connect from localhost[127.0.0.1]
    Aug 25 13:05:20 mail-zimbra postfix/amavisd/smtpd[32199]: 1F0F244194C: client=localhost[127.0.0.1]
    Aug 25 13:05:20 mail-zimbra postfix/cleanup[32194]: 1F0F244194C: message-id=<20130825090513.E89AC441949@mail-zimbra.tokk.local>
    Aug 25 13:05:20 mail-zimbra postfix/qmgr[16533]: 1F0F244194C: from=<spamer@nonexistdomain.spam>, size=1097, nrcpt=1 (queue active)
    Aug 25 13:05:20 mail-zimbra amavis[16193]: (16193-01) FWD from <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1F0F244194C
    Aug 25 13:05:20 mail-zimbra amavis[16193]: (16193-01) Passed CLEAN {RelayedInbound}, [192.168.11.43]:50708 [192.168.11.43] <spamer@nonexistdomain.spam> -> <gusevvs@mycompany.ru>, Queue-ID: E89AC441949, Message-ID: <20130825090513.E89AC441949@mail-zimbra.tokk.local>, mail_id: zv_GqB5GtiT2, Hits: 5.315, size: 335, queued_as: 1F0F244194C, 282 ms
    Aug 25 13:05:20 mail-zimbra postfix/smtp[32196]: E89AC441949: to=<gusevvs@mycompany.ru>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0.01/0.28, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1F0F244194C)
So, my host doesn't have a valid DNS lookup, and the mail from telnet was sent correctly without being rejected... What about this behavior?
    For the reason I've mentioned above. Why don't you use a valid domain name and FQDN for your Zimbra server?

    Quote Originally Posted by VGusev2007 View Post
    The next is check of status spam protection:
    Code:
    zimbra@mail-zimbra:~$ zmantispamctl restart
    Stopping amavisd... done.
    Starting amavisd...done.
    zimbra@mail-zimbra:~$ zmantispamctl status
    zimbra@mail-zimbra:~$
It returns nothing...
If you wish to check the status of the services then run the following:

    Code:
    zmcontrol status
    Are the services running?

But grep looks fine:

    Quote Originally Posted by VGusev2007 View Post
    I have doubt about key value: disable_dns_lookups=yes is it normal?
    You can change it if you want, why is that a problem?

If you wish to check the efficacy of ZCS then run one of the open relay tests or the spam checking services that are available on the internet.
    Regards


    Bill
  3. #3
    VGusev2007 is offline Junior Member
    Join Date
    Aug 2013
    Posts
    7
    Rep Power
    1

    Default

This is posted in the wrong forum, it's not a question about installing Zimbra so I'll move it to the correct forum.
I'm sorry. It was so hard for me to choose the correct forum. Thanks for your work.

I'm assuming that your domain is "tokkcompany.ru"
Yeah, I'm afraid of a lot of spam on my address; because of this I changed tokkcompany.ru to mycompany.ru. It was just my mistake.

    Are the services running?
    $ zmcontrol status
    Host mail-zimbra.tokk.local
    antispam Running
    Yes. It works.

I'm assuming that your domain is "tokkcompany.ru"; if that's the case then there's no reason the mail would be rejected - you're submitting mail for your domain on port 25 and a mail server is supposed to accept mail on that port wherever it comes from.
Wow... I'm really sorry, but I have poor experience with e-mail services... PLEASE tell me how e-mail works on the Internet. I think my mail server accepts a connection from any other mail server on port 25. I think it looks like this: Alice MUA -> Alice MTA -> Bob MTA+MDA -> Bob MUA. What about the connection between MTAs? Don't they use port 25 to talk to each other?

If you wish to check the efficacy of ZCS then run one of the open relay tests
No, my ZCS is not a relay; this is the proof:

    root@w7:~# telnet mail-zimbra 25
    Trying 192.168.2.54...
    Connected to mail-zimbra.tokk.local.
    Escape character is '^]'.
    220 mail-zimbra.tokk.local ESMTP Postfix
    ehlo lo
    250-mail-zimbra.tokk.local
    250-PIPELINING
    250-SIZE 21474836480
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from: gusevvs@spam.spam
    250 2.1.0 Ok
    rcpt to: spam@spam.spam
    554 5.7.1 <spam@spam.spam>: Relay access denied

    the spam checking services that are available on the internet.
Wow, I didn't know about these services. Thank you.

So in summary, please tell me (like to a baby) why my mail server accepts mail from anywhere to my domain on port 25 without any check? And what about connections between MTAs on the Internet?

Thanks for your response!

  4. #4
    VGusev2007 is offline Junior Member
    Join Date
    Aug 2013
    Posts
    7
    Rep Power
    1

    Default

I'm assuming that your domain is "tokkcompany.ru"; if that's the case then there's no reason the mail would be rejected - you're submitting mail for your domain on port 25 and a mail server is supposed to accept mail on that port wherever it comes from.
Yeah, but I'm trying to be a spammer! I sent mail from a non-existent domain! Doesn't Zimbra do a callback to check the sender?

    Why don't you use a valid domain name and FQDN for your Zimbra server?
Because Zimbra is behind a NAT and it is a test server now. I have split DNS now for testing.

  5. #5
    VGusev2007 is offline Junior Member
    Join Date
    Aug 2013
    Posts
    7
    Rep Power
    1

    Default

This is posted in the wrong forum, it's not a question about installing Zimbra so I'll move it to the correct forum.
I'm sorry. It was so hard for me to choose the correct forum. Thanks for your work.

I'm assuming that your domain is "tokkcompany.ru"
Yeah, I'm afraid of a lot of spam on my address; because of this I changed tokkcompany.ru to mycompany.ru. It was just my mistake.

    Are the services running?
    $ zmcontrol status
    Host mail-zimbra.tokk.local
    antispam Running
    Yes. It works.

I'm assuming that your domain is "tokkcompany.ru"; if that's the case then there's no reason the mail would be rejected - you're submitting mail for your domain on port 25 and a mail server is supposed to accept mail on that port wherever it comes from.
Yes, but I submitted an email from a non-existent domain... And Zimbra stored the mail in my inbox... I think it is very, very strange and bad... I suggest Zimbra could check the sender via callback (for example) or some other way.

If you wish to check the efficacy of ZCS then run one of the open relay tests
No, my ZCS is not a relay; this is the proof:

    root@w7:~# telnet mail-zimbra 25
    Trying 192.168.2.54...
    Connected to mail-zimbra.tokk.local.
    Escape character is '^]'.
    ....
    mail from: gusevvs@spam.spam
    250 2.1.0 Ok
    rcpt to: spam@spam.spam
    554 5.7.1 <spam@spam.spam>: Relay access denied

the spam checking services that are available on the internet.
Wow, I didn't know about these services. Thank you.

Thanks for your response!
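The two outcomes seen in this thread (a spoofed sender to a local mailbox is accepted, a relay attempt to a foreign domain gets "554 5.7.1 Relay access denied", and, in posts #4 and #5, the wish for a sender-domain check) follow from the order in which an MTA evaluates its recipient restrictions. The block below is an added example, not Postfix's or Zimbra's code: a simplified model of a Postfix-style chain `permit_mynetworks` -> optional `reject_unknown_sender_domain` -> `reject_unauth_destination`, using the mynetworks value from post #1. The local domain set, the fake resolver and the "nonexistdomain.spam" lookups are constructed for the example; the real Postfix check resolves the sender domain's MX/A records, which this offline model replaces with an injectable function.

```python
import ipaddress

# From the postconf output in post #1: clients in these networks may relay anywhere.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.2.0/24")]
# Assumed for the example: the domain(s) this server accepts mail for.
LOCAL_DOMAINS = {"mycompany.ru"}


def in_mynetworks(client_ip):
    """True when the SMTP client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def fake_resolver(domain):
    """Constructed stand-in for a DNS lookup: 'does this domain have MX or A records?'"""
    return domain in {"mycompany.ru", "tokk.local", "example.com"}


def rcpt_decision(client_ip, sender, recipient, resolver=None, check_sender_domain=False):
    """Model of the decision taken at RCPT TO. Returns (SMTP code, reply text).

    Order of evaluation, as in a Postfix chain of
    permit_mynetworks, [reject_unknown_sender_domain,] reject_unauth_destination:
      1. trusted networks are permitted outright (so they can relay);
      2. optionally, a sender domain that does not resolve is deferred (450);
      3. mail for a local domain is accepted from anywhere, everything else is a relay attempt.
    """
    if in_mynetworks(client_ip):
        return (250, "2.1.5 Ok")

    sender_domain = sender.rpartition("@")[2].lower()
    # The null sender (<>) used for bounces has no domain and is not subject to the check.
    if check_sender_domain and sender_domain:
        if resolver is None or not resolver(sender_domain):
            return (450, "4.1.8 <%s>: Sender address rejected: Domain not found" % sender)

    rcpt_domain = recipient.rpartition("@")[2].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        # This is the case in post #1: port 25 must accept mail for its own domains
        # from any host, otherwise no outside MTA could deliver to it.
        return (250, "2.1.5 Ok")
    # This is the case in post #3: a foreign recipient from an untrusted client.
    return (554, "5.7.1 <%s>: Relay access denied" % recipient)


if __name__ == "__main__":
    cases = [
        ("192.168.11.43", "spamer@nonexistdomain.spam", "gusevvs@mycompany.ru", False),
        ("192.168.11.43", "spamer@nonexistdomain.spam", "gusevvs@mycompany.ru", True),
        ("192.168.11.43", "gusevvs@spam.spam", "spam@spam.spam", False),
        ("192.168.2.10", "anyone@spam.spam", "spam@spam.spam", False),
    ]
    for ip, mail_from, rcpt_to, check in cases:
        code, text = rcpt_decision(ip, mail_from, rcpt_to, fake_resolver, check)
        print("%s %s -> %s (sender check %s): %d %s" % (ip, mail_from, rcpt_to, check, code, text))
```

The last case shows why the size of mynetworks matters: a client inside 192.168.2.0/24 is permitted before any other restriction runs, so it can relay to any domain. The sender-domain check models what an MTA can verify on its own (that the sender's domain exists in DNS); it does not make spam scoring unnecessary, which is why the message in post #1 still went through amavisd-new after being accepted.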
