Advanced Malware Prevention (AMP)
A whitelist blocks spam using a system almost exactly opposite to that of a blacklist. Rather than letting you specify which senders to block mail from, a whitelist lets you specify which senders to allow mail from; these addresses are placed on a trusted-users list.
For example, if contoso.com is your domain, and the IP address for the third-party cloud service is 10.10.10.1, the SPF record for contoso.com should be: v=spf1 ip4:10.10.10.1 include:spf.protection.outlook.com -all. Also refer to the following article to prevent legitimate email being marked as spam (false positives).
More and more mail services are treating domains without SPF and other authentication mechanisms as likely spam, some very aggressively; Office 365 is not the only one. If you want your mail delivered reliably in future, you should adopt the domain authentication standards that the industry is standardising on.
A spam trap is a mail address that should practically never receive legitimate mail, and that treats any mail that it does receive as spam. A spam trap might be a common name such as user1 that has never been valid and is discovered by unsolicited bulk email advertisers through dictionary attacks or guessing.
No, you misunderstood me: the SMTP whitelist works at two stages: 1. The sender server connects to PMG. 2. PMG checks the IP of the sender server against the whitelist (which is the only reliable information available here), then the IP against the RBL (this is postscreen; it also does some other sanity checks against spam, see man postscreen for more details).
Advanced Malware Prevention inspects HTTP file downloads through an MX Security Appliance and blocks or allows file downloads based on threat intelligence retrieved from the AMP cloud. For more information about AMP, please see this article.
You can enable AMP by setting the Mode option to Enabled in the Security & SD-WAN > Configure > Threat protection page.
When traffic is filtered, the URL or ID and the action taken are logged in the Security Center.
Malware protection is powered by the Advanced Malware Protection engine in MX 12.20 and higher. Previous releases leverage Kaspersky Lab as the malware protection engine.
To review the firmware versions of MX appliances in your organization and to schedule firmware upgrades, please see the Organization > Monitor > Firmware upgrades page.
Dealing with False Positives
Occasionally the MX appliance may block a file or a URL that is deemed safe by the administrator. In that case, you can tell MX to allow the download of the content or web page by whitelisting the content.
Whitelisting URLs
Find the URL that was blocked in the Event log page and enter it in the Whitelisted URLs section to allow that URL in the future.
Whitelisting IDs
For files, JavaScript, and other objects that are not URLs, the MX appliance assigns a unique ID. You can see the blocked items in the Event log page. By entering the ID of the object you want to allow in the Whitelisted IDs section you can instruct the appliance to allow the detected signature, even if the URL is different.
- 1 Improving Anti-SPAM System
- 1.1 sauser.cf
- 1.2 Razor2
- 1.2.1 Installing Razor
- 1.2.1.1 CentOS
- 1.3 Pyzor
- 1.3.1 Installing Pyzor
- 1.4 Spamassassin Config
- 1.4.1 Externally-Maintained Whitelists
- 1.8 Implementing Whitelist/Blacklist
- 1.8.3 Postfix 'access' control for whitelisting and blacklisting
- 1.9 Postfix Tweaks
- 1.10 Greylisting
- 1.10.1 Postgrey
KB 1718 | Last updated on 2016-03-28 | Last updated by Quanah | (0 votes) | Verified in: ZCS 8.0
- This article is a Community contribution and may include unsupported customizations.
- This article is a Work in Progress, and may be unfinished or missing sections.
Please see Anti-spam_Strategies for a supported way to do customizations!
Many of these instructions are WRONG for 8.5 and later. DO NOT USE THEM. Also see New_Features_ZCS_8.5 for updated information on much of this.
sauser.cf
The easiest way to 'tweak' your SpamAssassin filtering setup is to edit your sauser.cf file, which is designed specifically for 'local' (i.e. user) configuration. Modifying only this file makes for easier upgrades, and protects your SpamAssassin installation from inadvertent destruction. The location of the file depends on the version of Zimbra you are running. See http://wiki.zimbra.com/wiki/SpamAssassin_Customizations#Customizing_SpamAssassin for more information.
Blacklists and Whitelists
The simplest filtering methods for SpamAssassin are the blacklist and whitelist. Blacklist entries block all email from an address or domain, and whitelist entries bypass all filtering for an address or domain. To add blacklist or whitelist entries to your salocal.cf.in file, simply add lines in the following format:
Note that * is a wildcard. In this example *@emn-mysavingsnow.net indicates all email from any user at emn-mysavingsnow.net.
When you are finished editing the salocal.cf.in file, restart Zimbra spamassassin by issuing the following command at the server prompt (as the zimbra user):
Rejecting emails at SMTP level: Irfan-Notes#Rejecting_Emails_at_SMTP_Level
Basic Rules
SpamAssassin works by reading the headers and content of an email and applying rules to that content. Rules can be in the form of a particular word or phrase, as well as a variety of built-in functions. When a rule is 'hit' while evaluating an email, a point score is added to that email's total score. When an email's total score exceeds a certain threshold (typically 5 on a Zimbra system) the email is either marked as spam or, if the score is high enough, deleted automatically.
Rules are in the form of a test followed by a score. The rule mechanism typically uses perl regular expressions to search for specific content within an email. Custom rules should be added to the salocal.cf.in file in the following format:
The above text creates a rule called LOCAL_RULE that searches the body of the message for the word 'sale' in lower case. If it finds the word 'sale' anywhere in the body, it adds 0.5 to the total score of the email. Note that the score is only applied once: multiple instances of the word 'sale' in the same email will not be scored separately. Also note that you should always precede the name of your own rules with the word LOCAL, as in the example above, to distinguish them from built-in SpamAssassin rules and prevent accidental duplicate names.
Perl regular expressions are quite a powerful mechanism for locating text. Some additional examples of perl regular expression based rules:
- performs a case-insensitive search for the word 'sale'
- searches for a line that starts with the words 'hot stock tip' in any case
- searches for any 4 capital letters in a row (generally a stock symbol)
- searches for 3 digits, a decimal point, and 2 more digits, and treats it as a word
Google for 'perl regular expressions' for help constructing your SpamAssassin rules.
You can also search headers for values, and assign a score to them, using the following format:
where 'LOCAL_LOCALHOST' is the rule name and 'reply-to' is the header field name. The above rule would generate a 'hit' if '@localhost' exists anywhere in the header field 'reply-to.' You can easily view several header options in Zimbra by right clicking on an email in the message list, and choosing 'Show Original' from the context menu.
URIs can be detected as well in the content of an email. URI rules are in the following format:
The above would generate a 'hit' only in a URI that has the word 'sales' in it, but would not hit on the word 'sales' if it does not appear in a URI.
Meta Rules
You can also search for a combination of rules, and apply a score to that combination by creating a 'meta' rule, in the following format:
The above rule would add 1 to an email's score only if both 'LOCAL_FOUR_CAPS' AND 'LOCAL_MONEY' were hits. Be careful when creating meta rules, as it is easy to 'over-score' an email, such as in the case of the following:
The above could add 3 points to the email score, if the meta rule hits.
When you are finished editing the salocal.cf.in file, restart Zimbra spamassassin by issuing the following command at the server prompt (as the zimbra user):
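The scoring model the sections above describe (body, header, uri and meta rules, each rule counted once, a required score of tag percent * 0.2) as an added Python example. This is illustrative code written for this page, not SpamAssassin's engine or any Zimbra file: the rule names follow the article, while the patterns, scores and sample messages are constructed.

```python
import re
from email import message_from_string

# Rules in the salocal.cf.in syntax the article describes. Rule names follow the
# article; patterns, scores and sample mails are constructed for this example.
LOCAL_RULES = r"""
body   LOCAL_RULE        /sale/
score  LOCAL_RULE        0.5
body   LOCAL_FOUR_CAPS   /\b[A-Z]{4}\b/
score  LOCAL_FOUR_CAPS   1.0
body   LOCAL_MONEY       /\b\d{3}\.\d{2}\b/
score  LOCAL_MONEY       1.0
header LOCAL_LOCALHOST   Reply-To =~ /@localhost/i
score  LOCAL_LOCALHOST   2.0
uri    LOCAL_URI_SALES   /sales/i
score  LOCAL_URI_SALES   1.0
meta   LOCAL_STOCK_SCAM  (LOCAL_FOUR_CAPS && LOCAL_MONEY)
score  LOCAL_STOCK_SCAM  1.0
"""

def _compile(spec):
    """Turn a Perl-style /pattern/ or /pattern/i spec into a compiled regex."""
    m = re.fullmatch(r"/(.*)/(i?)", spec.strip())
    if not m:
        raise ValueError(f"bad regex spec: {spec}")
    return re.compile(m.group(1), re.I if m.group(2) else 0)

def parse_rules(text):
    """Parse body/header/uri/meta/score lines into {name: (kind, spec, score)}."""
    rules, scores = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "score":
            scores[name] = float(rest)
        elif kind in ("body", "uri"):
            rules[name] = (kind, _compile(rest))
        elif kind == "header":                  # e.g. "Reply-To =~ /@localhost/i"
            field, _, regex = rest.split(None, 2)
            rules[name] = ("header", (field, _compile(regex)))
        elif kind == "meta":
            rules[name] = ("meta", rest)
        else:
            raise ValueError(f"unknown rule type: {kind}")
    # A rule with no score line defaults to 1.0, as in SpamAssassin.
    return {n: (k, spec, scores.get(n, 1.0)) for n, (k, spec) in rules.items()}

def _meta_hit(expr, hits):
    """Evaluate a meta expression such as (A && B) against the rules hit so far."""
    py = re.sub(r"[A-Z_][A-Z0-9_]*", lambda m: str(m.group(0) in hits), expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    if not re.fullmatch(r"(?:True|False|and|or|not|\(|\)|\s)+", py):
        raise ValueError(f"unsupported meta expression: {expr}")
    return bool(eval(py, {"__builtins__": {}}, {}))

def score_message(raw_mail, rules, tag_percent=25):
    """Score one message; required_score is tag percent * 0.2 (25 -> 5)."""
    msg = message_from_string(raw_mail)
    body = msg.get_payload()
    uris = re.findall(r"https?://\S+", body)
    hits = {}
    # Each rule adds its score at most once, however often it matches.
    for name, (kind, spec, score) in rules.items():
        if kind == "body" and spec.search(body):
            hits[name] = score
        elif kind == "uri" and any(spec.search(u) for u in uris):
            hits[name] = score
        elif kind == "header" and spec[1].search(msg.get(spec[0], "")):
            hits[name] = score
    # Meta rules are evaluated last, over the hits of the ordinary rules.
    for name, (kind, expr, score) in rules.items():
        if kind == "meta" and _meta_hit(expr, hits):
            hits[name] = score
    total = sum(hits.values())
    required = tag_percent * 0.2
    return total, required, total >= required, hits

# Constructed sample messages, not real mail.
SPAM_SAMPLE = ("Reply-To: seller@localhost\nSubject: hot stock tip\n\n"
               "Buy ACME now at 123.45 before the big sale!\n"
               "Details: http://example.invalid/sales\n")
HAM_SAMPLE = "From: alice@example.invalid\nSubject: lunch\n\nSee you at noon.\n"
```

With the constructed rules the spam sample scores 6.5 (all six rules hit, the meta rule included) against a required score of 5, while the ham sample scores 0.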
Class A IP Address Blocks
For mail servers in the United States, below is a list of Class 'A' blocks of IPs registered to non-ARIN entities. I also have US ISPs that have been bad in the past, so I have added IPs using the format examples below. Since it's one of those YMMV things, I am only including the non-ARIN Class 'A' blocks below for starters. See ARIN's website.
As root: vi /opt/zimbra/conf/salocal.cf.in
Copy and paste the list below into salocal.cf.in and save. Then:
Razor2
Second, we added Razor2 in order to improve the score.
Installing Razor
CentOS
There are several ways to install Razor-Agent. Two common ways are listed below:
Yum / RPM package
The perl-Razor-Agent package is available through Dag Wieers' apt/yum repository:
You will need to configure yum to use Dag Wieers' repository for your release and architecture, which is outside the scope of this document (google rpmforge-release). Enable Dag's repository and append the following line to Dag's repository section:
Install the Razor-Agent and its dependencies:
Alternatively you can download the specific packages directly from Dag's mirrors and install manually with the rpm command. The downside is you are not notified if there is a patch or update to these packages.
Open your firewall ports for razor2 (TCP/2703 outgoing).
Compile
As root: Get razor-agents-sdk from razor.sourceforge.net, untar it and
Get also razor-agents from razor.sourceforge.net, untar it and
Open your firewall ports for razor2 (TCP/2703 outgoing).
Fedora
Configuring Razor
Create a .razor folder in /opt/zimbra/amavisd and give the zimbra user permissions
As the zimbra user, create your razor account:
And finally enable razor. Edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment the line
Pyzor
Now we are going to add Pyzor support to increase (again) the spam score.
Installing Pyzor
CentOS
As root, install python support.
Get pyzor package from pyzor.sourceforge.net, untar it and:
Set permissions according to the pyzor README.
Permissions for RHEL 5 x86_64 are set slightly differently than above:
Fedora
As root, install the pyzor RPM. It's included in Fedora's Extras repository.
SUSE 10
As root, install python and python-devel via yast2 Software -> Software Management menu.
Get pyzor package from pyzor.sourceforge.net, untar it and:
Set permissions according to the pyzor README.
Configuring Pyzor
Create a .pyzor folder in the zimbra-amavisd home directory and set permissions
Open your firewall ports for pyzor (UDP/24441 outgoing)
Then, as the zimbra user, you are ready to go with:
Spamassassin Config
Now we have PYZOR + RAZOR + SPF. But it would be advisable to enable SPF checking and give it a higher score. Admins with wrong SPF entries should be penalised: SPF is not mandatory, so if you publish it, do it well. So open your SpamAssassin config at /opt/zimbra/conf/spamassassin/local.cf and add these rules at the end (customize them as you see fit):
Note that these numbers can be made even higher if you want the particular filter to have more weight. Check your headers and adjust as needed to achieve the desired result.
required_score
To tweak the required_score parameter in Zimbra you don't need to edit any config file. This value is calculated from a setting in the Zimbra admin page. Enter administration, go to Global Settings >> AV/AS. The required_score is tag percent * 0.2, so a tag percent value of 25 will result in a required score of 5 (25 * 0.2 = 5).
Externally-Maintained Whitelists
Even with the Bayes configurations above, some messages with high Bayes scores get through due to the existence of several externally-maintained whitelists. Essentially these are programs whereby those who subscribe to the program--for a price and agreement to follow certain rules of conduct--get a pass to send unsolicited messages. Spamassassin uses these trusted lists to REDUCE your spam score by assigning a negative point score to the message, which offsets the positive (i.e. 'spammy') scores that might result from other filters in your system.
Some of these lists, such as dnswl.org, are maintained by an all-volunteer group; others, such as the Bonded Sender Program (now known as SenderScoreCertified at www.senderscorecertified.com) and Habeas (www.habeas.com) are commercial enterprises. Each describes their standards on their website; one can, of course, find plenty of heated discussion as to the extent to which the commercial ones enforce their standards.
Without engaging in the debate as to the motives or purity of one list or another, the administrator needs to evaluate each list and determine whether he/she is comfortable having that list's maintainers influence the performance of local spam filters. This section is intended to help the administrator adjust the relative scoring influences of these whitelists if so desired.
As with any technology, the services change with time. It is probably a good discipline to review your SpamAssassin configuration files from time to time (after an update in particular) looking for anything that gives your messages a negative score, so you can evaluate if you want to accept that scoring for your local system.
Bonded Sender Program (BSP)
The Bonded Sender Program is described at www.senderscorecertified.com. Spamassassin gives BSP hits a -4.5 score, which pretty well overrides everything else you've done and makes the message come through anyhow (BSP's own website actually advocates a -100 score!). The following adjustment in your local.cf file can reduce, or if you wish, neutralize, the effect of BSP on your spam scores:
Change these values to zero and it goes away completely!
Habeas
Habeas, at www.habeas.com, is another such subscription-based whitelisting program. Habeas also recommends a -100 score for the most highly-rated senders in their list, although Spamassassin gives them the more conservative score of -8.0 for the highest-rated senders. A reduced impact score for Habeas (again in local.cf) might look like this:
Again, all zeros would completely negate these scores
ISIPP's SuretyMail (IADB)
The Institute for Spam and Internet Public Policy (ISIPP) is another for-profit whitelister whose stated purpose in its marketing materials (www.suretymail.com) is to 'Send Legitimate E-mail in a Spam-Filtered World.' The ISIPP settings appear in SpamAssassin as IADB, and can be modified as follows:
And of course zeros work as well.
dnswl.org
DNSWL is different from the lists described above, in that it is deliberately a noncommercial list, and its maintainers recognize the potential conflict of interest in having an economic incentive to let senders off the hook (see their 'background' page to hear it in their own words). Nevertheless, it is conceivable that administrators will find DNSWL's judgment to be allowing messages through local filters in contravention of local policy. DNSWL's default scores in SpamAssassin are -1, -4, and -8. Administrators wishing to reduce these could use the following settings:
Amavisd Config
Some notes about this: in Zimbra, by default, spam with a score of 15 or higher is discarded by amavisd. If you want your users to receive these mails, you have to modify the amavisd.conf settings (/opt/zimbra/conf/amavisd.conf) in order to pass this email.
Integrate the Cloudmark Authority Milter for AS/AV Protection
The following steps have been shown to work on Release 6.0.3_GA, 7.1.1_GA, 8.0.9_GA, and 8.6.0_GA
1) Become the Zimbra user
2) [Optional] Disable the built-in SpamAssassin and ClamAV virus services (swapping these out for the Cloudmark Authority engine will improve throughput significantly).
2a) Verify that you don't see the following two lines in the enabled services list
3) Add your Milter to the Postfix configuration file (by way of zmmtaconf, which writes the main.cf during startup using zmmta.cf as a template file):
(the format of Postfix's milter option value is 'inet:<host or IP of milter>:<port of milter>')
4) Configure the destination email addresses for the 'Spam' and 'Not Spam' buttons within the Zimbra webmail UI to deliver missed spam and false positive reports to Cloudmark-provided addresses:
5) Validate your missed spam and false positive reporting addresses
6) Restart the Zimbra installation:
7) Become the super user:
8) Configure the Cloudmark Authority Milter to tag message headers for detected Spam and Virus with the 'X-Spam-Flag', but also replace the body & attachments of Virus messages. Edit the Authority Milter configuration file 'cmfilter.cfg' with the following settings:
9) Restart the Cloudmark Authority Milter:
10) Send a test message through and verify that your milter has received the file.
Your Milter callout from Postfix should now be configured.
Enabling DCC
To set up DCC, download dcc from the DCC site.
I compile on a different system to build an RPM to install in the production environment. Use this spec file (rename it to .spec) to build an RPM with the command:
Install it on the production server:
Change /etc/dcc/dcc_conf to read:
Change /opt/zimbra/conf/spamassassin/v310.pre to enable the DCC plugin:
Enable DCC on firewall (UDP/6277 outgoing)
Have fun. I use sqlgrey as a greylist server, so I don't need another one. To me the standard value of 2.5 SpamAssassin points for DCC is OK, so I do not change it. With SA 3.xx you do not need to use enable_dcc in local.cf. That's the same for razor2 indeed.
Implementing Whitelist/Blacklist
Domain white/black list
This can be accomplished by modifying /opt/zimbra/conf/amavisd.conf.in and adding a score for the domain that you want to change.
When scoring the domain, remember that negative scores whitelist and positive scores blacklist.
Here's a whitelisting example:
Edit the file /opt/zimbra/conf/amavisd.conf.in and look for this section:
At the top, add the domain you want to whitelist (e.g. zimbra.com), with a strong negative score:
Remember, if you want to blacklist a domain, make the score positive.
Then restart amavis:
Remember - you're trusting the sender's domain to be valid, so any email sent with an address in that domain will receive the score weighting - the address is not verified.
This can also be used with individual sender email addresses, as seen above.
User white/black list
It is very simple; change the amavis config:
Put the following in /opt/zimbra/conf/amavis.conf.in
In /etc/zimbra/* put sender addresses or domains, one per line. Wildcards are allowed. Example:
A spamlovers list is for those accounts that always need to receive all messages, even if spam. According to RFC 2822, postmaster, abuse and other accounts of this kind should be spam lovers. [However, instead of hacking amavis.conf.in to create a spamlovers list, it's probably better now to use zmprov <account> amavisSpamLover TRUE amavisBypassSpamChecks TRUE. It's possible that other recommendations on this page are similarly out of date--Ewilen 13:41, 9 August 2012 (PDT).]
I think we should prepare a script to save and restore these config changes upon Zimbra updates.
Postfix 'access' control for whitelisting and blacklisting
The following method works for both whitelisting (for example, to allow IPs that may be blocked by RBLs) and blacklisting. Also reference: http://www.postfix.org/access.5.html
The method of configuration is slightly different for ZCS 7.x and earlier, and 8.x and later:
7.x and earlier
1. Edit /opt/zimbra/conf/postfix_recipient_restrictions.cf and add these lines:
check_recipient_access hash:/opt/zimbra/conf/access
check_client_access hash:/opt/zimbra/conf/access
result:
2. Edit /opt/zimbra/conf/access
Example:
3. Rebuild the access.db:
4. Confirm access.db:
8.x and later
1. Edit /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add these lines:
check_recipient_access hash:/opt/zimbra/conf/access
check_client_access hash:/opt/zimbra/conf/access
result:
2. Edit /opt/zimbra/conf/access
Example:
3. Rebuild the access.db:
4. Confirm access.db:
Postfix whitelist when using RBL's
--Bertie uk 09:32, 4 May 2010 (UTC)
If you are using RBLs (such as zen.spamhaus.org) to block spam, the whitelist method above does not work, because it is for SpamAssassin, not Postfix.
Postfix will check incoming messages against the RBL first, and allow/reject accordingly. So if you have a sender listed on an RBL, you need to whitelist them in Postfix.
To do this in Zimbra (the commands are shown on their own lines):
Log in and change to the zimbra user
vi /opt/zimbra/conf/postfix_rbl_override
list all IP addresses or host names (one per line!) that you want to whitelist:
postmap /opt/zimbra/conf/postfix_rbl_override
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
in 8.0.x the file to edit is /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
under:
reject_unauth_destination
add:
e.g.:
zmmtactl restart
Each time you add a new one, you need to run the postmap command and then zmmtactl restart. (Also, this may be removed after a Zimbra upgrade.)
Postfix Tweaks
(Added by L. Mark Stone 12 May 2007)
Postfix itself features a number of anti-UCE capabilities. Some of them are available via the admin console, but some are not.
Simultaneous Connection Throttling
If your Zimbra system gets targeted by spammers, you'll notice that a spammer's email server can open up a large number of simultaneous connections to Zimbra's Postfix.
Most of these connections will fail, often because the recipients don't actually exist on the system. But, these connections still use resources.
So, we have for years on our other Postfix mail servers been taking advantage of two Postfix configuration settings that have reduced this problem significantly. We have now updated our Zimbra installations with the same settings, so I thought I would pass them on.
The two settings we add to main.cf are:
We do this by becoming the zimbra user and then running:
We then restart Postfix to implement the changes. To restart Postfix, you need to be root and to run the Zimbra-supplied Postfix binary:
Documentation from Postfix is here: http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit
Greylisting
In the forums, you'll probably get the most support for postgrey (below) as it's the fastest to setup.
followed by http://wiki.zimbra.com/index.php?title=Connecting_with_SQLGrey
then http://wiki.zimbra.com/index.php?title=Postfix_Policyd
Google or see http://Greylisting.org for some examples and all sorts of ideas. There are tons of different greylist programs. For example, some can be configured so that you hold the mail for up to 30 min (unless they get a reattempt response sooner), and then deliver it anyway with an additional spam score tacked on, etc.
Postgrey
OS | When | Who |
---|---|---|
Ubuntu 6.06LTS (Dapper) | 2007.07.25 | K. Diebold |
Debian 5.04 | 2010.05.19 | 24pm |
Postfix Greylisting Policy Server: the original author's site is http://postgrey.schweikert.ch/
When a request for delivery of a mail is received by Postfix via SMTP, the triplet CLIENT_IP / SENDER / RECIPIENT is built. If it is the first time that this triplet is seen, or if the triplet was first seen less than 5 minutes ago, then the mail gets rejected with a temporary 450 defer error.
It auto-remembers valid senders for up to x days (default 35 days), who are auto-whitelisted to skip the delivery delay. You can also define a permanent whitelist based on clients/email addresses.
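The triplet logic just described (first sight or a retry within 5 minutes is deferred, a retry after that is accepted and auto-whitelisted for 35 days, permanent whitelist entries skip the delay) as an added Python example. This is illustrative code for this page, not postgrey's own implementation; the IP addresses, timestamps and the policy request are constructed, and DEFER_IF_PERMIT is the action Postfix turns into the 450 temporary error.

```python
from datetime import datetime, timedelta

# The two timers the article gives for postgrey: defer a new triplet for the
# first 5 minutes, and remember senders that got through for 35 days.
GREYLIST_DELAY = timedelta(minutes=5)
AUTO_WHITELIST_TTL = timedelta(days=35)


class Greylist:
    """In-memory greylist keyed on the (client_ip, sender, recipient) triplet."""

    def __init__(self, delay=GREYLIST_DELAY, ttl=AUTO_WHITELIST_TTL, whitelist=()):
        self.delay = delay
        self.ttl = ttl
        self.first_seen = {}       # triplet -> time of first delivery attempt
        self.last_accepted = {}    # triplet -> time of last accepted delivery
        # Permanent whitelist of client IPs or sender addresses (never delayed).
        self.whitelist = {w.lower() for w in whitelist}

    def check(self, client_ip, sender, recipient, now):
        """Policy action for one RCPT TO: 'DUNNO' lets the remaining Postfix
        restrictions decide; 'DEFER_IF_PERMIT' becomes a 450 temporary error."""
        sender, recipient = sender.lower(), recipient.lower()
        if client_ip in self.whitelist or sender in self.whitelist:
            return "DUNNO"
        triplet = (client_ip, sender, recipient)
        # Auto-whitelist: a triplet accepted within the TTL skips the delay,
        # and each accepted delivery refreshes the entry.
        last = self.last_accepted.get(triplet)
        if last is not None and now - last < self.ttl:
            self.last_accepted[triplet] = now
            return "DUNNO"
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now   # never seen: start the clock
            return "DEFER_IF_PERMIT"
        if now - first < self.delay:
            return "DEFER_IF_PERMIT"         # retried too early
        # Retried after the delay: accept and remember the sender.
        del self.first_seen[triplet]
        self.last_accepted[triplet] = now
        return "DUNNO"

    def handle_request(self, request, now):
        """Answer one Postfix policy-delegation request, the protocol postgrey
        speaks on its local port: 'name=value' lines ended by a blank line."""
        attrs = dict(line.split("=", 1) for line in request.strip().splitlines())
        action = self.check(attrs["client_address"], attrs["sender"],
                            attrs["recipient"], now)
        return f"action={action}\n\n"


def run_scenario():
    """Constructed sequence of delivery attempts; returns the policy actions."""
    g = Greylist(whitelist=["192.0.2.10"])   # constructed trusted relay address
    t0 = datetime(2010, 5, 19, 12, 0, 0)
    triplet = ("198.51.100.7", "news@example.invalid", "user@example.invalid")
    actions = [
        g.check(*triplet, t0),                          # first attempt: deferred
        g.check(*triplet, t0 + timedelta(minutes=2)),   # retried too early: deferred
        g.check(*triplet, t0 + timedelta(minutes=6)),   # retried after delay: accepted
        g.check(*triplet, t0 + timedelta(days=30)),     # auto-whitelisted, no delay
        g.check(*triplet, t0 + timedelta(days=70)),     # whitelist entry expired
        g.check("192.0.2.10", "x@example.invalid", "user@example.invalid", t0),
    ]
    request = ("request=smtpd_access_policy\nclient_address=203.0.113.5\n"
               "sender=bulk@example.invalid\nrecipient=user@example.invalid\n\n")
    return actions, g.handle_request(request, t0)


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```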
Installing Postgrey:
The package adds the appropriate init scripts (update-rc.d postgrey defaults) and is configured to answer on localhost:60000.
On Debian the port is 10023
To figure out the port on your system run postgrey and see parameters:
Configuring the Zimbra Postfix:
...and add the following above any lines starting with '%%' (consider your port number). The final line should contain only 'permit':
...then restart Postfix (as the user zimbra), which will re-create /opt/zimbra/postfix/main.cf
Notes: see what gets added to smtpd_recipient_restrictions.
Changing the delay
The default is 5 or 10 minutes depending on where you get your download. If you wanted it to be 10 minutes, edit /etc/default/postgrey. Depending on your version, or if you download the package and manually edit it before you install:
Whitelists allow you to specify client addresses or recipient addresses for which no greylisting should be done. By default postgrey will read the following files:
Add-ons: p0f - passive OS detection and white-listing based on detected OS
taRgrey (tarpit + greylist) - a patch that makes postgrey into a tarpitting policy server.
Discarding Emails Sent to Invalid Addresses
For ZCS 8.x and above, the correct way to do this is:
This is a persistent (across upgrades) change.
Below is what you have to do for ZCS < 8.x.
To reject email to accounts that don't exist on your server you need to make the following change to zmmta.cf (this change does not persist and will need to be done after each Zimbra upgrade):
The setting above is the default and it needs to be changed to 'yes' as per the following line:
This rejects the request when the RCPT TO address is not listed in the list of valid recipients for its domain class (i.e. there's no such user account on the server). You'll also see entries in your log file showing that the message has been rejected.
If you are on 5.0.12+ and using alias domains, set postfix_enable_smtpd_policyd=yes instead. See ManagingDomains#Email_to_non-existant_accounts.
One email server I administered got 400,000 messages a day. 99.2% of them were sent to addresses that didn't exist on my domain. However, my server happily scanned all of them for spam, viruses, etc. You can configure Zimbra to reject such messages with 450, saying the address doesn't exist. In addition, once an RCPT TO: command is sent specifying an invalid address, Zimbra delays about 5 seconds before it accepts another command, slowing down the spammer.
Add the following lines to /opt/zimbra/conf/postfix_recipient_restrictions.cf:
Which rejects when:
a) the RCPT TO address has no DNS A or MX record,
b) Postfix is not the final destination for the recipient address, or
c) it has a malformed MX record such as a record with a zero-length MX hostname.
And rejects the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable.
I add these lines just after the first line, which should be reject_non_fqdn_recipient.
Restart Zimbra and enjoy. :)
--BJ Quinn
Caveat: There is a possible downside to this. These mass e-mailings to non-existent addresses at your domain are often part of a directory harvesting attack. By enabling this feature you will reveal legitimate addresses at your domain (through process of elimination). These will then be sold to spammers, or worse used as sender addresses by spammers.
--CG
References
Verified Against: Zimbra Collaboration 8.0, 7.0 | Date Created: 12/14/2006
Article ID: https://wiki.zimbra.com/index.php?title=Improving_Anti-spam_system | Date Modified: 2016-03-28
Retrieved from 'https://wiki.zimbra.com/index.php?title=Improving_Anti-spam_system&oldid=61561'