SPAM issues

[ZAM]

Hi,

I'm fairly new at zimbra and have been trying to address our SPAM issues.

I've been reading through the various threads on the SPAM trainer, and one of the issues that needed to be corrected was that no junk mail was being logged to the SPAM trainer accounts. I corrected that by correcting the account that they were pointing to using:

zmprov mcf zimbraSpamIsNotSpam account
zmprov mcf zimbraSpamIsSpam account

However, since the SPAM trainer accounts have been activated, more emails are passing through.

The Kill Percent is set at 40 and the Tag percent is set to 20. I've setup RBLs and they don't seem to have any effect. Any help would be appreciated.

[dwmtractor]

Have you gone through this wiki article yet?

Improving Anti-spam system - Zimbra :: Wiki

It addresses the tweaks and adjustments in a great deal of detail. Also, you may or may not have seen in the documentation, but until the spam and ham systems have seen a minimum of about 200 messages of each type (spam & ham) the Bayesian filters don't accomplish much.

[phoenix]

Quote:

Originally Posted by ZAM

I've been reading through the various threads on the SPAM trainer, and one of the issues that needed to be corrected was that no junk mail was being logged to the SPAM trainer accounts. I corrected that by correcting the account that they were pointing to using:

zmprov mcf zimbraSpamIsNotSpam account
zmprov mcf zimbraSpamIsSpam account

You shouldn't have to do that, those accounts are set during the install unless you've modified them before your post today?

Quote:

Originally Posted by ZAM

However, since the SPAM trainer accounts have been activated, more emails are passing through.

I find that hard to believe unless you've set the ham/spam accounts to something other than their default installation settings.

Quote:

Originally Posted by ZAM

The Kill Percent is set at 40 and the Tag percent is set to 20. I've setup RBLs and they don't seem to have any effect. Any help would be appreciated.

You're quite likely to see false positives getting removed when the Kill percentage is set that low, you really shouldn't need it set below 60%.

[ZAM]

I needed to modify the accounts because nothing was being sent to them
They were just changed from spam@mail.xxx.com and ham@mail.xxx.com to spam@xxx.com and ham@xxx.com. Once I made this change, items started to route into the SPAM and HAM accounts.

When a user right-clicks on an email, they only have an option to send to Junk, is there a way to label it as not junk so they go to the HAM account trainer?

Here is a sample of the result from a SPAM that constantly passes though. It is a classic "male enhancement" SPAM email that many users have classified as junk already.

X-Quarantine-ID: <pS2Z4Q0wX0Oj>
X-Virus-Scanned: amavisd-new at
X-Amavis-Alert: BAD HEADER, Non-encoded 8-bit data (char 92 hex):
X-Spam-Report: ...uy software that you\n\tdon\222t even have to [...]
X-Spam-Flag: NO
X-Spam-Score: 1.84
X-Spam-Level: *
X-Spam-Status: No, score=1.84 tagged_above=-10 required=4
tests=[BAYES_20=-0.74, HTML_MESSAGE=0.001,
RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619]

[ZAM]

Thanks for all the replies.

In regards to the wiki, I have read through it but have not installed the extra levels such as Pyzor and razor.

As well, I was hopiing not to have to manually enter flags as outlined in the basic and meta rules section.

I did not know about the 200 message count. Looking in the SPAM account there are well over 200 messages but none in the HAM account. Is there a way I can manually add emails into the HAM account?

[phoenix]

Quote:

Originally Posted by ZAM

I needed to modify the accounts because nothing was being sent to them
They were just changed from spam@mail.xxx.com and ham@mail.xxx.com to spam@xxx.com and ham@xxx.com. Once I made this change, items started to route into the SPAM and HAM accounts.

So you changed the default domain?

Quote:

Originally Posted by ZAM

When a user right-clicks on an email, they only have an option to send to Junk, is there a way to label it as not junk so they go to the HAM account trainer?

You're missing the point of the 'Not Junk' button (or menu option), that's only used to send a message that's gone to the Junk folder (a False Positive) to the Ham folder to be retrained. You should not need to train the Zimbra as/av system other than through using the Junk button.

Are you rejecting mail for unknown users on your system? Do you have a catchall account on your system?

Quote:

Originally Posted by ZAM

Here is a sample of the result from a SPAM that constantly passes though. It is a classic "male enhancement" SPAM email that many users have classified as junk already.

X-Quarantine-ID: <pS2Z4Q0wX0Oj>
X-Virus-Scanned: amavisd-new at
X-Amavis-Alert: BAD HEADER, Non-encoded 8-bit data (char 92 hex):
X-Spam-Report: ...uy software that you\n\tdon\222t even have to [...]
X-Spam-Flag: NO
X-Spam-Score: 1.84
X-Spam-Level: *
X-Spam-Status: No, score=1.84 tagged_above=-10 required=4
tests=[BAYES_20=-0.74, HTML_MESSAGE=0.001,
RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619

That message hasn't got a high enough score to be classified as spam, I'd suggest you research through the forums for the reason that's happening.

[ZAM]

Users have only been using the Junk button. I just don't see anything in the HAM account and from the above post it sounded like there needed to be 200+ messages in each of the SPAM and the HAM accounts inorder for spamassassin to work correctly.

There is no catchall account, and I guess my next step would be to reject mail from unknown users.

Which comes to your third point and my main dilemma, I can't figure out why emails which are classified as Junk by users are still passing through with low scores. There have been quite a number of instances where they are identical emails and they still pass through.