How Do Antispam and Antivirus Protection Work in Zimbra OSE? | Zimbra

Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

These days the world is dealing with a different kind of threat: you may have heard the term “mail-borne threat”. A network or system administrator is usually concerned about the security of end-user workstations, and therefore uses various security mechanisms as filters to protect them. This traditional endpoint security may secure the user workstation at every entrance (internet, peripherals, etc.), but it still leaves one entrance unchecked: email.

If malware, spam, a virus or another threat reaches a user via email and the user accidentally opens it, very few endpoint security appliances can stop the damage. And it is inevitable that, despite continuous end-user awareness campaigns, users sometimes fall for the trap of a spam or phishing email.

On that note, it would be more convenient and effective to filter out these threats at the entrance of our email system. This is where Zimbra differs from all other open-source email solutions.

For antispam and antivirus, Zimbra uses the SpamAssassin and ClamAV engines respectively. We will cover them one by one below.

How Antispam Works

First let’s try to understand the way Zimbra antispam (SpamAssassin) works.

SpamAssassin is open-source software that comes with Zimbra. It checks each email against various patterns and adds a positive or negative score for each one. At the end it sums all the scores to get the combined score of that email. This score is then compared to the preset threshold scores, which determines the next action for the email: it can land in the user’s inbox or junk folder, or be rejected.

The SpamAssassin threshold values can be adjusted as the administrator sees fit. By default, anything over 5 is moved to junk and anything over 15 is not delivered to the user’s email account.
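The summing and threshold comparison described above, as an added example (not code from the original article, Zimbra or SpamAssassin). It assumes the message carries an amavisd-style X-Spam-Status header with a tests=[...] list; the sample headers and their scores are constructed, and the thresholds default to the 5 and 15 quoted above.

```sh
#!/bin/sh
# Added example (not Zimbra or SpamAssassin code): explain a verdict from the
# per-rule scores in an amavisd-style X-Spam-Status header.

# spam_verdict [junk] [reject] < message; last output line: "total <sum> <verdict>".
# Defaults are the thresholds quoted in the article: over 5 junk, over 15 not delivered.
spam_verdict() {
    awk -v junk="${1:-5}" -v rej="${2:-15}" '
        /^$/ { exit }                        # headers end at the first blank line
        /^[ \t]/ { if (inhdr) hdr = hdr " " $0; next }   # unfold continuation lines
        { inhdr = 0 }
        /^X-Spam-Status:/ { hdr = $0; inhdr = 1 }
        END {
            if (hdr !~ /tests=\[/) { print "total 0.0 unscanned"; exit }
            sub(/.*tests=\[/, "", hdr); sub(/\].*/, "", hdr)   # keep the rule list only
            n = split(hdr, hits, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(hits[i], kv, "=")      # kv[1] = rule name, kv[2] = its score
                printf "%-28s %6.1f\n", kv[1], kv[2]
                total += kv[2]
            }
            verdict = "inbox"
            if (total > junk) verdict = "junk"
            if (total > rej)  verdict = "not delivered"
            printf "total %.1f %s\n", total, verdict
        }'
}

# Constructed sample headers (real SpamAssassin rule names, invented scores).
sample_headers() {
    printf '%s\n' \
        'Subject: Verify your password' \
        'X-Spam-Status: Yes, score=5.7 tagged_above=-10 required=5' \
        '  tests=[BAYES_99=3.5, LOCAL_DEMONSTRATION_RULE=0.5,' \
        '  URIBL_BLACK=1.7] autolearn=no' \
        '' \
        'Please confirm your password.'
}
sample_headers | spam_verdict
```

The per-rule lines show which tests pushed a message over a threshold, which is the first thing to check before raising or lowering a score.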

SpamAssassin uses various tests to identify spam signatures. SpamAssassin settings are stored in plain text which makes it easier to configure and manage.

The supported location for customization of SpamAssassin for ZCS 8.5 and later is /opt/zimbra/data/spamassassin/localrules

Initially, SpamAssassin scans for all *.cf files in /opt/zimbra/conf/ and loads them in alphabetical order.

If we have a working SpamAssassin setup, we might not need any custom rules. But if we want to tweak SpamAssassin to match our own expectations, we can write local rules.

Let’s take a look at how a basic local rule can be written:

# Match the string "password" in the message body and add 0.5 to the score.
body LOCAL_DEMONSTRATION_RULE /password/
score LOCAL_DEMONSTRATION_RULE 0.5
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

This rule does a simple case-sensitive search of the body of the email for the string “password” and adds 0.5 to the score of the email if it finds it.
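A pre-deployment check for local rule files like the one above, as an added example (not code from the original article, Zimbra or SpamAssassin). The function name and the sample rules are constructed; it covers only body rules and flags a pattern without its closing slash, a rule defined twice, and a rule with no score or describe line.

```sh
#!/bin/sh
# Added example (not Zimbra or SpamAssassin code): offline sanity check for
# body rules in a local .cf file before it goes into the localrules directory.

# lint_local_rules [FILE]  (reads stdin when FILE is omitted)
# Prints one line per problem; returns non-zero if any problem was found.
lint_local_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $1 == "body" {
            rule = $2
            if (defs[rule]++ == 0) order[++n] = rule
            pat = $0                            # isolate the text after the rule name
            sub(/^[ \t]*body[ \t]+[^ \t]+[ \t]+/, "", pat)
            # A body pattern must be /regex/ plus optional modifier letters.
            if (pat !~ /^\/.+\/[a-z]*[ \t]*$/) bad[rule] = 1
        }
        $1 == "score"    { scored[$2] = 1 }
        $1 == "describe" { described[$2] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                r = order[i]
                if (r in bad)          { print r ": unterminated or malformed pattern"; err++ }
                if (defs[r] > 1)       { print r ": defined " defs[r] " times"; err++ }
                if (!(r in scored))    { print r ": no score line"; err++ }
                if (!(r in described)) { print r ": no describe line"; err++ }
            }
            exit (err > 0)
        }' "${1:--}"
}

# Constructed sample: the first definition is missing its closing slash.
sample_rules() {
    cat <<'EOF'
body LOCAL_DEMONSTRATION_RULE /password
body LOCAL_DEMONSTRATION_RULE /password/
score LOCAL_DEMONSTRATION_RULE 0.5
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
EOF
}
sample_rules | lint_local_rules || echo "fix the rules above before restarting amavisd"
```

This is a pre-check only; SpamAssassin's own `spamassassin --lint` remains the authoritative parser for rule files.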

In Zimbra 8.0.5 and later two options were added to the product to enable SpamAssassin rule updates via sa-update.

antispam_enable_rule_updates
antispam_enable_restarts

Check that these are set to true, and if not, set them to true and restart amavisd and the MTA:

$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = false
$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false
$ zmlocalconfig -e antispam_enable_rule_updates=true
$ zmlocalconfig -e antispam_enable_restarts=true
$ zmamavisdctl restart
$ zmmtactl restart

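On a Zimbra server, you may find that the antivirus and antispam services are disabled. Please enable them before making any further modifications. In zmprov, a + prefix adds a value to the attribute and a - prefix removes it, so enabling a service uses +zimbraServiceEnabled:

$ zmprov -l gs <mail.example.com> | egrep -i 'serviceen|servicein'
$ zmprov -l ms <mail.example.com> +zimbraServiceEnabled antispam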

Moreover, to train Bayesian spam filtering with SpamAssassin, two system mailboxes with obfuscated names are created during the Zimbra OSE installation phase.

In our case, they are ham.iuu9hzkmsj@madegirah.ru and spam.nao0yu9s@madegirah.ru. The spam system mailbox receives all emails that server users mark as spam. This works with both the Zimbra OSE web client and the IMAP protocol.

By analyzing the messages contained in this mailbox, SpamAssassin learns and then more effectively detects messages containing spam.

The ham system mailbox contains emails that SpamAssassin has detected as spam but that are not spam. Emails end up in the ham mailbox when users manually move them from the Spam folder to another mail folder. This works with both the Zimbra OSE web client and the IMAP protocol. By analyzing the contents of messages in this mailbox, SpamAssassin also learns and more effectively recognizes messages that do not contain spam. Quota is disabled for both of these mailboxes. This is done to ensure that all emails that are marked by users are guaranteed to get into them.

Thus, the Zimbra OSE administrator at the server level has three ways to block spam:

  1. Formation of black lists
  2. SpamAssassin training
  3. Regulating the ratings of emails

How Antivirus Works

ClamAV is powerful antivirus software that can scan your email and your server for malicious files. It works like an antivirus program on your computer, but ClamAV scans your server. Specifically, ClamAV looks for malicious email attachments and malicious server files.

Basic features of ClamAV:

  1. ClamAV is designed to scan files quickly.
  2. Real time protection (Linux only). The ClamOnAcc client for the ClamD scanning daemon provides on-access scanning on modern versions of Linux. This includes an optional capability to block file access until a file has been scanned (on-access prevention).
  3. ClamAV detects millions of viruses, worms, trojans, and other malware, including Microsoft Office macro viruses, mobile malware, and other threats.
  4. ClamAV’s bytecode signature runtime, powered by either LLVM or its own custom bytecode interpreter, allows the ClamAV signature writers to create and distribute very complex detection routines and remotely enhance the scanner’s functionality.
  5. Signed signature databases ensure that ClamAV will only execute trusted signature definitions.
  6. ClamAV scans within archives and compressed files but also protects against archive bombs.

To enable antivirus service in Zimbra:

$ zmprov -l ms <mail.example.com> +zimbraServiceEnabled antivirus
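A check that covers both the antispam step earlier and the antivirus step above, as an added example (not code from the original article or from Zimbra). The function name and the sample zmprov output are constructed; it reads the output of `zmprov -l gs` and reports whether each filtering service is installed and enabled.

```sh
#!/bin/sh
# Added example (not Zimbra code): confirm that both filtering services are
# installed and enabled, from the output of `zmprov -l gs HOST`.

# audit_filter_services HOST  < zmprov output
# Prints one status line per service; returns non-zero if either is not enabled.
audit_filter_services() {
    awk -v host="$1" '
        $1 == "zimbraServiceInstalled:" { installed[$2] = 1 }
        $1 == "zimbraServiceEnabled:"   { enabled[$2] = 1 }
        END {
            n = split("antispam antivirus", want, " ")
            for (i = 1; i <= n; i++) {
                s = want[i]
                if (!(s in installed)) {
                    print s ": not installed on " host
                    missing++
                } else if (!(s in enabled)) {
                    # "+" adds a value to the attribute, "-" would remove it.
                    print s ": installed but disabled; run: zmprov -l ms " host " +zimbraServiceEnabled " s
                    missing++
                } else {
                    print s ": enabled"
                }
            }
            exit (missing > 0)
        }'
}

# Constructed sample output for a server where only antivirus is switched on.
sample_gs_output() {
    printf '%s\n' \
        'zimbraServiceInstalled: mta' \
        'zimbraServiceInstalled: antispam' \
        'zimbraServiceInstalled: antivirus' \
        'zimbraServiceEnabled: mta' \
        'zimbraServiceEnabled: antivirus'
}
sample_gs_output | audit_filter_services mail.example.com || echo "at least one filter is off"
```

On a live server, pipe the real `zmprov -l gs` output for your host into the function instead of the sample.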

To configure virus definition update frequency:

$ zmprov mcf zimbraVirusDefinitionsUpdateFrequency 2h

Like an end-user workstation, an email server also needs security. The antispam and antivirus services provide essential support in this regard. Some may compare them with paid antispam or antivirus solutions, but so far these two are our best options to protect the Zimbra OSE server from email-borne threats.

Have a good day.

To read more on this subject please refer to

ClamAV Documentation

SPAMASSASSIN WritingRules
