  #1 (permalink)  
Old 01-05-2008, 03:17 PM
Loyal Member
 
Posts: 76
Zimbra 5.0 and Spam training?

Hi,

In Zimbra 5.0 FOSS, is spamassassin trained automatically? I set up the additional filters (pyzor and razor) so that the spam rating is better observed. Many users marked incoming mail as SPAM, which got moved to their junk folder, and the spam user got an email; however, nothing actually happened.

When does the spam engine get trained? Do I have to run zmtrainsa all the time or do a cron job for it?

Does it get trained the second the user clicks on the JUNK button, or does it wait for the "Spam Lifetime" to expire before anything really happens?

Please clarify.
Thanks,
Miklos
  #2 (permalink)  
Old 01-05-2008, 08:29 PM
Moderator
 
Posts: 6,237

Goes to the spam account, then gets trained daily - to see the schedule of when it runs:
Quote:
su - zimbra
crontab -e
Spam message lifetime - Number of days a message can remain in the Junk folder before it is automatically purged. The default is 30 days.
Trashed message lifetime - Number of days a message remains in the Trash folder before it is automatically purged. The default is 30 days.

There's also this but I doubt you're looking to set it, do be careful or you'll wipe everyone's email by setting it to 1 day etc:
Email message lifetime - Number of days a message can remain in any folder before it is automatically purged. The default is 0; email messages are not deleted.

Train about 200 SPAM & 200 HAM tokens (~200 emails each is what most people equate that to) and the bayes filter will enable - you can throw some mail at it with CLI zmtrainsa - Zimbra :: Wiki

Last edited by mmorse; 01-05-2008 at 08:39 PM..
  #3 (permalink)  
Old 01-06-2008, 12:42 AM
Loyal Member
 
Posts: 76

So if the users mark the messages that are spam correctly and ones that are not as ham then sooner or later the engine will be able to determine the difference correctly?

There has been spam coming in which was marked as junk; however, the next day the same sender/content sent another spam which only got a spam level of 2.809.

This is what the header said:
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.809
X-Spam-Level: **
X-Spam-Status: No, score=2.809 tagged_above=-10 required=6.6
tests=[AWL=-0.250, BAYES_50=0.001, HTML_MESSAGE=0.001,
HTML_NONELEMENT_30_40=0.001, MIME_HTML_ONLY=1.457, RDNS_NONE=0.1, URIBL_SBL=1.499]

The log says this:
bayes: synced databases from journal in 1 seconds: 866 unique entries (1088 total entries)
20080105230013 Finished spamassassin training.
20080105234502 Starting spam/ham cleanup
[] INFO: Total messages processed: 12
[] INFO: Total messages processed: 1
20080105234506 Finished spam/ham cleanup

I followed the steps from the Wiki to get more effective spam filtering. Is there something else I can try as well?

Miklos
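
Reading the X-Spam-Status header quoted in the post above, as an added example (not part of the thread and not Zimbra or SpamAssassin code): it unfolds the header, checks that the per-test points add up to the reported score, and pulls out the Bayes rule that fired. The function names are hypothetical; reading the `BAYES_NN` suffix as the approximate Bayes spam-probability bucket follows SpamAssassin's stock rule naming, so `BAYES_50` means the classifier was still undecided about this message.

```python
import re

# X-Spam-Status header as posted in the thread (folded across lines).
SAMPLE = """X-Spam-Status: No, score=2.809 tagged_above=-10 required=6.6
 tests=[AWL=-0.250, BAYES_50=0.001, HTML_MESSAGE=0.001,
 HTML_NONELEMENT_30_40=0.001, MIME_HTML_ONLY=1.457, RDNS_NONE=0.1, URIBL_SBL=1.499]"""


def _field(flat, key):
    """Return the float after 'key=' in the unfolded header, or None."""
    m = re.search(r"\b%s=(-?\d+(?:\.\d+)?)" % re.escape(key), flat)
    return float(m.group(1)) if m else None


def parse_spam_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    flat = " ".join(header.split())            # unfold continuation lines
    tests = {}
    body = re.search(r"tests=\[(.*?)\]", flat)
    for item in (body.group(1).split(",") if body else []):
        name, sep, points = item.strip().partition("=")
        if name and sep:
            tests[name] = float(points)
    return _field(flat, "score"), _field(flat, "required"), tests


def explain(header):
    """Summarise why a message did or did not reach the spam threshold."""
    score, required, tests = parse_spam_status(header)
    bayes = sorted(t for t in tests if t.startswith("BAYES_"))
    return {
        "score": score,
        "required": required,
        "shortfall": round(required - score, 3),        # points still missing
        "sum_of_tests": round(sum(tests.values()), 3),  # should equal score
        "top": sorted(tests.items(), key=lambda kv: kv[1], reverse=True)[:3],
        "bayes_rule": bayes[0] if bayes else None,
        "bayes_bucket": bayes[0].split("_", 1)[1] if bayes else None,
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key:13} {value}")
```

For this header the network and HTML rules supply almost all of the 2.809 points, and Bayes adds 0.001, so the message stays 3.791 points short of the 6.6 threshold.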
  #4 (permalink)  
Old 01-06-2008, 04:48 PM
Moderator
 
Posts: 6,237

In addition to pyzor & razor what else do you have set?

To cut down on emails to addresses you don't even have, you might also change the entry in /opt/zimbra/conf/zmmta.cf for smtpd_reject_unlisted_recipients to 'yes', save the file and restart postfix. (postfix reload)

You do any realtime blacklists? (Just remembered that they're in a different doc than the improving anti-spam one.)
sbl.spamhaus.org (or zen.spamhaus.org contains 3 lists)
dnsbl.njabl.org
cbl.abuseat.org
bl.spamcop.net
dnsbl.sorbs.net
you can enable them by:
Code:
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
I also use dnsblcount to get some totals - nothing fancy on those summaries, but makes you feel like something's being done!

Graylisting (I'm a fan) Graylisting - Improving Anti-spam system - Zimbra :: Wiki

Host checks:
reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
DNS checks:
reject_unknown_client
reject_unknown_hostname
reject_unknown_sender_domain
-careful with reject_unknown_client & reject_unknown_hostname as they can block more than you think sometimes...
Code:
zmprov mcf +zimbraMtaRestriction reject_invalid_hostname
Occasionally your AWL might need a kick if you got off on the wrong foot or something: Correcting poisoned Auto-Whitelist (AWL)