
Thread: Help with spam filtering

  1. #1
    amnesia is offline Senior Member

    The spam filtering in Zimbra is a bit perplexing to me. I find it often lets very obvious spam pass through, while blocking legitimate emails from my bank or newsletters I subscribe to or whatever. I've done some poking about, and was hoping someone could answer some questions for me.

    First, here is an example of a message I just received, which passed through (I've removed some of the irrelevant headers and personal data):

    Code:
    X-DSPAM-Class: Innocent
    X-DSPAM-Confidence: 0.73
    X-DSPAM-Probability: 0.0000
    X-Virus-Scanned: amavisd-new at xxx
    X-Spam-Flag: NO
    X-Spam-Score: 3.542
    X-Spam-Level: ***
    X-Spam-Status: No, score=3.542 tagged_above=-10 required=4
    	tests=[BAYES_50=0.8, RDNS_NONE=0.793, SPF_PASS=-0.001,
    	URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, DSPAM.Innocent=-1.000]
    	autolearn=no
    X-DSPAM-Result: Innocent
    Received: from xxx ([127.0.0.1])
    	by localhost (xxx [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id ZlF3lfdvBaCp for <xxx>;
    	Fri, 11 Oct 2013 10:41:27 -0400 (EDT)
    Received: from mx4.lowrateoportunity.com (unknown [209.144.31.107])
    	by xxx (Postfix) with ESMTP id 866F62281DBB
    	for <xxx>; Fri, 11 Oct 2013 10:41:17 -0400 (EDT)
    Message-ID: <522058190@mx4.lowrateoportunity.com>
    Subject: Fresh rule change
    From: "Alert" <Alert@lowrateoportunity.com>
    Date: Fri, 11 Oct 2013 09:11:29 -0500
    Mime-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    
    - - - - - - - - - start of notice - - - - - - - - -
    
    =======================
    Notification #1945213748538568929
    =======================
    
    Re: Obama reduces the amount homeowners owe
    
    
    Fantastic News for Current U.S. Homeowners: The FHA has reduced-the REFl-Requirements.  
    
    This new reduction cuts your current monthly home-payments in HALF.
    
    
    Go here now to see what your new payment will be: 
    http://mx4.lowrateoportunity.com/1260a1413016179611268
    
    - - - - - - - - - end of notice- - - - - - - - -

    My first question is, how can I disable DSPAM? I've never seen it correctly identify anything - it typically will mark messages like this as innocent and often marks legitimate emails as spam, which greatly throws off the score. In the above example, this email would have scored enough to be flagged as spam were it not for DSPAM.

    Second, for my settings, I have Kill/Tag set at 66/20, and here are my MTA settings:

    Untitled-1.png

    Are these good settings? The RHSBLs are new with Zimbra 8, can someone recommend some good values for those? What are they for?

    Finally, I wanted to make sure that the settings were being set in Postfix properly, but when I dump the values with postconf, I see this:

    Untitled-2.jpg

    It looks like the setting is getting truncated due to some character limit... is this a limitation of the postconf command, or is the actual setting within Postfix being chopped?

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    First of all you don't need all those DNS & Protocol checks, with the settings you have you're likely to be rejecting legitimate mail. There are misconfigured genuine mail servers that will get rejected by those settings, I never use any of them. Secondly, you don't need five entries in your RBL list and I'd suggest they should be in descending order of effectiveness (yes, that does actually work) and only have two or three good ones. You also need to provide us with your ZCS version & release when posting questions, post the output of the following command (also update your forum profile with that information):

    Code:
    zmcontrol -v

    If you're not on the current release 8.0.5 of ZCS I'd suggest you upgrade, there have been some improvements made to the anti-spam system.
    Regards


    Bill



  3. #3
    amnesia is offline Senior Member

    Quote Originally Posted by phoenix View Post
    First of all you don't need all those DNS & Protocol checks, with the settings you have you're likely to be rejecting legitimate mail. There are misconfigured genuine mail servers that will get rejected by those settings, I never use any of them. Secondly, you don't need five entries in your RBL list and I'd suggest they should be in descending order of effectiveness (yes, that does actually work) and only have two or three good ones. You also need to provide us with your ZCS version & release when posting questions, post the output of the following command (also update your forum profile with that information):

    Code:
    zmcontrol -v

    If you're not on the current release 8.0.5 of ZCS I'd suggest you upgrade, there have been some improvements made to the anti-spam system.

    Sorry, here is my version string: Release 8.0.5.GA.5839.UBUNTU10.64 DEBIAN6_64 FOSS edition.

    I don't really know which RBLs are most effective, could you recommend an ordered list? Also, what are the RHBLs?

  4. #4
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by amnesia View Post
    I don't really know which RBLs are most effective, could you recommend an ordered list?

    You'll find them in your daily Admin email, it lists them and shows the reject count for each RBL.

    Quote Originally Posted by amnesia View Post
    Also, what are the RHBLs?

    It's Right Hand Side Block List, it means the domain name portion of an email address but I'm not really sure how effective they are.
    Regards


    Bill



  5. #5
    amnesia is offline Senior Member

    Ok thank you. What about disabling DSPAM?

  6. #6
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by amnesia View Post
    Ok thank you. What about disabling DSPAM?

    I wouldn't recommend that, why would you want to disable it?
    Regards


    Bill



  7. #7
    amnesia is offline Senior Member

    Quote Originally Posted by phoenix View Post
    I wouldn't recommend that, why would you want to disable it?

    Because it is highly inaccurate. I'm regularly getting emails that are pushed under the score threshold because DSPAM marks them as innocent. Conversely, it regularly marks emails I've elected to receive from vendors as spam. I had to modify the scoring factor because it adds 10 points to the score if DSPAM thinks it's spam... which was essentially putting all of my good emails in the junk folder, and allowing only spam in my inbox. As far as I'm concerned, it's doing more harm than good.

  8. #8
    amnesia is offline Senior Member

    Bumping again, I still want to disable DSPAM. Every piece of spam I get when I view source it shows that DSPAM marked it as innocent, regardless of how obviously spammy it is. IMO, this is a worthless program, and in many cases the extra point removed from the SA score because of the DSPAM_Innocent test is all that is preventing a message from being properly delivered to the junk folder.

    When I look at the amavisd.conf.in, I see DSPAM configuration lines prefixed with %%uncomment LOCAL:amavis_dspam_enabled%% which leads me to believe there is a configuration option for this, but I can't figure out how to set it.

  9. #9
    amnesia is offline Senior Member

    Just to further illustrate my point, here's the score header from a very obvious spam mail:

    Code:
    X-Spam-Status: Yes, score=11.126 tagged_above=-10 required=4
    	tests=[BAYES_99=3.5, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,
    	MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7,
    	RDNS_NONE=0.793, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01,
    	URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, DSPAM.Innocent=-1.000]
    	autolearn=no
    X-DSPAM-Result: Innocent

    I realize DSPAM doesn't check blacklists, but in spite of SA's Bayesian filter being 99% sure it was spam, DSPAM still thinks it's innocent - thankfully it still made it to junk due to SA scoring it so high. I randomly checked about 20 really obvious junk emails and DSPAM had marked them all as innocent. To date, I've not actually been able to find an email that DSPAM flagged correctly.

    Here's a header from my Xbox newsletter, which gets stuck in Junk thanks to DSPAM:

    Code:
    X-Spam-Status: Yes, score=7.913 tagged_above=-10 required=4
    	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    	DKIM_VALID_AU=-0.1, HTML_IMAGE_RATIO_02=0.437, HTML_MESSAGE=0.001,
    	RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01,
    	RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.504, SPF_PASS=-0.001,
    	DSPAM.Spam=10.000] autolearn=no
    X-DSPAM-Result: Spam

    This is a valid-format newsletter that I subscribe to that scored into the negative with SA, but... here comes SA's retarded cousin DSPAM junking it for me.

    This program is completely asinine.
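
Added example, not part of the original thread: a Python sketch that parses the amavisd-style X-Spam-Status headers posted in #1 and #9 and recomputes each verdict with the DSPAM.* rule left out, showing how much of the outcome hangs on that one rule. The header text is copied from the posts; the function and variable names are hypothetical.

```python
import re

# X-Spam-Status headers copied from posts #1 and #9 of this thread (folding kept).
MORTGAGE_SPAM = """X-Spam-Status: No, score=3.542 tagged_above=-10 required=4
    tests=[BAYES_50=0.8, RDNS_NONE=0.793, SPF_PASS=-0.001,
    URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, DSPAM.Innocent=-1.000]
    autolearn=no"""
XBOX_NEWSLETTER = """X-Spam-Status: Yes, score=7.913 tagged_above=-10 required=4
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, HTML_IMAGE_RATIO_02=0.437, HTML_MESSAGE=0.001,
    RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01,
    RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.504, SPF_PASS=-0.001,
    DSPAM.Spam=10.000] autolearn=no"""


def parse_spam_status(header):
    """Return (score, required, {rule: points}) from a folded header."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    m = re.search(r"score=(-?[\d.]+).*?required=(-?[\d.]+).*?tests=\[(.*?)\]", flat)
    if not m:
        raise ValueError("no score/required/tests fields found")
    tests = {}
    for item in m.group(3).split(","):
        name, sep, points = item.strip().partition("=")
        if sep:  # skips the empty item produced by "tests=[]"
            tests[name] = float(points)
    return float(m.group(1)), float(m.group(2)), tests


def dspam_effect(header):
    """Compare the recorded verdict with the verdict minus DSPAM.* rules."""
    score, required, tests = parse_spam_status(header)
    dspam = sum(p for rule, p in tests.items() if rule.startswith("DSPAM."))
    without = round(sum(tests.values()) - dspam, 3)
    return {
        "score": score,
        "dspam_points": dspam,
        "score_without_dspam": without,
        "spam_now": score >= required,  # at or above "required" is tagged
        "spam_without_dspam": without >= required,
    }


if __name__ == "__main__":
    for label, hdr in (("post #1 mortgage spam", MORTGAGE_SPAM),
                       ("post #9 Xbox newsletter", XBOX_NEWSLETTER)):
        print(label, dspam_effect(hdr))
```

Run over a mailbox export, the same comparison counts how many messages change verdict on the DSPAM rule alone, which is the figure to have in hand before re-weighting or disabling it.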
