Spam Filter - a few questions

[sternfan]

Hi all,

A few Q's about the spam filter.

- Is it OK to shut it off? Will shutting it off make Zimbra unstable?

- Does shutting it off require a reboot or restart of services? I already have a spam appliance.

- Where do emails go that are marked as spam? If I get a "false-positive" - how do I find, then move that email to where it should go?

Thanks,
Rob

[mmorse]

Is it OK to shut it off? Will shutting it off make Zimbra unstable?

Nope, though I honestly recomend that you don't shut spamassassin/AV off all together.
You can never have too much insturance!
The checkbox in global settings > as/av tab turns off both. If you click servers > services you can select them individually.

Here's a method some use when they just want it as extra insurance:
-Set clam av updates to x hrs. (heck if you want it on as fallback insurance set it for like 24hrs or something)
-Set kill rate at 100% -SpamAssassin score of 20points is considered 100%
(something marked 20+ will definately be spam)
-Set your tag rate to 99% (it will complain if their both using 100%)
and you have 'effectively' kept spamassisn on the zimbra box from actually deleting spam-unless somehow something marked 20points slips through-but I doubt it will.

check current settings:
zmprov gacf | grep zimbraMtaRestriction

dns checks:
reject_unknown_client
reject_unknown_hostname
reject_unknown_sender_domain
host checks:
reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
RBL's - Real Time Black Lists:
reject_rbl_client dnsbl.njabl.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client sbl.spamhaus.org (or zen.spamhaus.org)
reject_rbl_client relays.mail-abuse.org

-----
for those who find this later:
To turn them ON you would do something like:
zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non_fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org” zimbraMtaRestriction “reject_rbl_client cbl.abuseat.org” zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” zimbraMtaRestriction “reject_rbl_client dnsbl.sorbs.net” zimbraMtaRestriction “reject_rbl_client sbl.spamhaus.org” zimbraMtaRestriction “reject_rbl_client relays.mail-abuse.org”

[sternfan]

Thanks. I set the Spam Kill Percent at 100 and the Tag Percent at 99. I hope this is correct...

One other thing - where can I go to get the emails that have already been treated as spam? Can I get them back?

Rob

[alivebyscience]

mmorse

In your example text from the zimbraMtaRestrictions the DNS Checks are listed (reject_unknown_client, etc). But in the paragraph you show listing the command to enable RBL feature you don't include the DNS Checks.

Is that an oversight in the details? Or is that because they're a bit obscure, and not common practice to set? IE, you'll get rejections from... who... netadmins who don't set up reverse dns?

I've been reviewing the forum trying to find mention of problems when these are set, but few show examples that they've set them, and no one mentions the DNS Checks are giving them problems.

So what is best practice for these three settings? Yes, no, some, YMMV?

Cheers,
Jim

[mmorse]

That paragraph was copied from the wiki- there's even have a misplaced "-" in that (reject_non-fqdn_hostname should be reject_non_fqdn_hostname)

for the dns checks-sometimes you need to be a little more careful

netadmins who don't set up reverse dns?

yup for instance:
reject_unknown_client the official postfix docs read: "Reject the request when the client IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record."

reject_unknown_hostname -Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450).
If there's no external dns record for that host...

Personally I don't use the above two but I do use:
reject_unknown_sender_domain -Reject the request when the sender mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

btw a bunch of the rbl's overlap, and mail-abuse.org may now be a trendmicro service
I've also found that graylisting cuts down on spam quite nicely

[alivebyscience]

Sorry man, call me dumb, but graylisting? Is that the same as RBLs?

mmorse, you've made mention of the RBLs being redundant, and the one referred to as mail-abuse.org is now Trend Micro premium service.

Questions about RBLs...
Someone else mentioned that spamassassin uses the "RBL DNS lists" already. Uhhh... Which one of this list of RBLs is that?

The list...
dnsbl.njabl.org
cbl.abuseat.org
bl.spamcop.net
dnsbl.sorbs.net
sbl.spamhaus.org (or zen.spamhaus.org)
relays.mail-abuse.org (no longer in service - now trend micro owned)

I guess my bottom line question - if you or anyone knows - which RBLs are valid to use on a system that doesn't get a lot of training by its users, but is several months old?

The Trend Micro RBL... Any experience, or feedback as to how effective it is for folk? We're a Trend Micro reseller and I've submitted a request for use of their service. Thought I'd check it out and do some tests, unless it's been reviewed and rated by a knowledgeable and credible source.

I believe adding more RBLs is an overhead to the email server and increases our bandwidth. I just want what's effective, not taxing and redundant.

[mmorse]

Sorry man, call me dumb, but graylisting? Is that the same as RBLs?

Basically, graylisting means only mail from senders who are persistent (attempt delivery twice) get through right away. Other email gets held for a bit/extra points added/extra hard spam processing etc.

The server looks at any combination of from address, from IP, and TO address then puts the mail in a 'queue' and it sends a a temporary delivery failure. -which tells most servers to retry in say 5 minutes

Greylisting.org - Postfix implementations

Connecting with SQLGrey - ZimbraWiki

Greylisting - Wikipedia, the free encyclopedia - "If the mail is legitimate, the originating server will try again to send it later, at which time the destination will accept it. If the mail is from a spammer, it will probably not be retried. The assumption is that since temporary failures are built into the RFC specifications for e-mail delivery, a legitimate server will attempt to connect again later on to deliver the e-mail."

Now I'm sure your asking what happens if a server doesn't retry?
Several methods could be used:
-You might compare against any other emails (sent to other accounts in the same domain) from that IP/from: address that have re-tried and delivered.
-You might run the email through a stricter spam filter process.
-Deliver the email after x timeperiod, but give the email x amount of points if a re-send never occurred.

(of course you an always have a whitelist of domains and IP ranges that always go through)

For RBL's it's all about personal preference-and how you like their practices.

For instance I'm a fan of spamhaus's sbl and xbl but I don't use zen (their combined list) because I don't agree with their pbl policies.
-we might occasionally deal with a client who might fall under:
"Spamhaus's Policy Block List (PBL) is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

Obviously with all the spammers out there things do overlap-for instance:
"NJABL.org will be working with Spamhaus on the PBL"
or
spamcop might copy some of abuseat's definitions every so often etc

Yup, mail-abuse.org is now a trend micro paid service.
Personally, I'd try out the major free one's first-if they don't do the job well enough for you then maybe consider a paid service. Though you said your a reseller-if you can get it for cheap that's a plus.

A lot of them-even the free one's-sometimes also allow you to get a copy of their lists via rsync so the lookups can be performed against a machine on your network instead of using your internet bandwidth.

there are other's out there too-hunt for 'RBL providers compatible with spamassassin'

Visit their respective sites, check their stats, policies on identifying spammers, IP removal policies for accidental blocks, etc.
dnsbl.njabl.org
cbl.abuseat.org
bl.spamcop.net
dnsbl.sorbs.net
sbl.spamhaus.org (or zen.spamhaus.org also xbl.spamhaus.org)

[jeepville]

To turn them ON you would do something like:
zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org” zimbraMtaRestriction “reject_rbl_client cbl.abuseat.org” zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” zimbraMtaRestriction “reject_rbl_client dnsbl.sorbs.net” zimbraMtaRestriction “reject_rbl_client sbl.spamhaus.org” zimbraMtaRestriction “reject_rbl_client relays.mail-abuse.org”

This doesnt work in the latest version does it? I am getting an error when I try to add any of the rbl listings to mine.
I get this
zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org”
usage: modifyConfig(mcf) attr1 value1 [attr2 value2...]

That is just trying to add one if i add them all i get and LDAP Error Code 17

[mmorse]

Bet it's because of the dash in reject_non-fqdn_hostname
su zimbra
zmprov mcf reject_non_fqdn_hostname

(the dns and hostname checks are also easily set with checkboxes in the admin console > global settings > mta tab)

[jeepville]

Thank you that worked great!

You are a lifesaver. Too bad cut and past changed all of the " to . but once I fixed that it took it.