SpamAssassin

When discussing spam protection strategies in Zimbra, SpamAssassin deserves a mention: it is an open source anti-spam platform that gives system administrators a filter to classify emails and block spam.

Anti-spam Strategies

In previous articles we have analyzed the different strategies available, both to users and to system administrators, for reducing as much as possible the risk of spam, intrusions and external threats related to your mail. To learn more about these topics, we recommend reading the following articles: “Zimbra Best Practices: Incoming Mail Protection”, on how to manage mail protection as a sysadmin; “Zimbra Collaboration Suite and Anti-Phishing”, on phishing and how to block it; and “Zimbra User Guide: Managing SPAM”, a guide for end users on how to manage spam in Zimbra.

In this article we are going to see some interesting aspects related to the configuration in Zimbra of SpamAssassin, which together with ClamAV and Amavis forms the basic bundle for spam protection.

How does SpamAssassin work?

SpamAssassin uses a robust scoring framework and various plug-ins to integrate a variety of advanced heuristic and statistical analysis tests on email headers and body, including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. This allows for pretty significant filtering of emails that arrive at your address.

Two simple rules to grow the score

One useful way to improve scoring is to enable automatic rule updates for SpamAssassin. Two localconfig keys control the automatic update: antispam_enable_rule_updates and antispam_enable_restarts. By default they are set to “false”; you can check their current values with the following commands:

$ zmlocalconfig antispam_enable_rule_updates 
antispam_enable_rule_updates = false
$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false

If, like in the above example, they are both set to false, you can turn them to “true” with the commands:

$ zmlocalconfig -e antispam_enable_rule_updates=true
$ zmlocalconfig -e antispam_enable_restarts=true

After doing that, restart amavisd and MTA:

$ zmamavisdctl restart
$ zmmtactl restart

Automatic rule compilation

With automatic updates enabled, starting with ZCS 8.5 you can also enable automatic rule compilation. This option, controlled by a localconfig key, helps decrease the time it takes to score emails. The localconfig parameter to change is antispam_enable_rule_compilation, which is set to “false” by default.

zmlocalconfig -e antispam_enable_rule_compilation=true

Some Useful Customizations

Now we would like to introduce some interesting tweaks that can help you improve SpamAssassin scoring and also give you some other benefits.

Increase Amavis’s Log Level

This first tweak increases the Amavis log level in /var/log/zimbra.log from 1 to 2. It makes SpamAssassin’s reasons for blocking a message visible, so that if a user asks why a message was blocked, the admin can find the answer by simply grepping the log.
To customize the Amavis log level, use the following command:

zmprov modifyConfig zimbraAmavisLogLevel 2

Please note that if you are on ZCS 8.0.5 or later, zmconfigd will automatically restart Amavis for you when you change the log level.

Tweak Selected SpamAssassin Scores with Pyzor and Razor

An interesting way to significantly increase the amount of spam filtered by SpamAssassin is to use Razor and Pyzor, two plugins that improve the performance of SpamAssassin.

Installing Pyzor and Razor

To install Pyzor and Razor, you can proceed as follows.

On Ubuntu you have to use the command:

apt install razor pyzor

On CentOS / RHEL / Oracle, you first have to install the EPEL repository:

$ sudo dnf install -y epel-release

or download it from the Fedora Project:

$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo rpm -Uvh epel-release-latest-8.noarch.rpm

Please note that the EPEL repository file is located at ‘/etc/yum.repos.d/epel.repo’. If you can’t find it, you can create it with the following lines in it:

[epel]
name=EPEL repository
baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/
enabled=1
gpgcheck=0

With gpgcheck=0, packages from this repository are installed without GPG signature verification. Then you can install Pyzor and Razor:

yum update
yum install pyzor perl-Razor-Agent

Configuring Pyzor

To configure Pyzor, after installing it, type the following as the zimbra user:

pyzor --homedir /opt/zimbra/data/amavisd/.pyzor discover

Then update /opt/zimbra/conf/sa/sauser.cf:

# pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
# DNS lookups for pyzor can time out easily.  Set the following line IF you want to give pyzor up to 20 seconds to respond
# may slow down email delivery
pyzor_timeout 20

Configuring Razor

To configure Razor, after installing it, log in as the zimbra user, then type:

razor-admin -home=/opt/zimbra/data/amavisd/.razor -create
razor-admin -home=/opt/zimbra/data/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/data/amavisd/.razor -register -user admin@mydomain.com

Then, again, update /opt/zimbra/conf/sa/sauser.cf:

# razor
use_razor2 1

Update SpamAssassin scoring

When the configuration of Pyzor and Razor is complete, restart Amavis as the zimbra user:

zmantispamctl restart

One last customization to improve SpamAssassin

Many SpamAssassin default scores may be too high or too low for your environment, or you may need to specify custom scores. To do so, create a new file:

nano ~/data/spamassassin/localrules/zzsauser.cf

and edit it, adding the following lines:

score DOS_OUTLOOK_TO_MX 0
score RCVD_IN_PBL 0.1
score RDNS_NONE 0.1
score FREEMAIL_FORGED_REPLYTO 4.0
score MALFORMED_FREEMAIL 4.0
score FORGED_GMAIL_RCVD 4.0
internal_networks 10.7.57.15/32

The first lines cover SpamAssassin’s “_MX” and “_PBL” tests, whose default scores are very high and which go off when a user with Zimbra Connector for Outlook sends email. They should therefore be adjusted down to zero; otherwise, emails sent from Outlook using the Connector for Outlook will often be flagged as spam. The PBL test, however, is used by other tests, so we set it to a small value instead.

The next test, for reverse DNS, has a high score by default and, among other things, a high false positive rate. To get around this, we can set its score to a very low value.

The mail forgery tests are given a higher score than SpamAssassin’s default, because spammers send junk mail from a “real” mail server but forge the reply address so that it points to a Gmail, Hotmail, etc. mailbox. This way the spammer can receive replies at an email account that was not the source of the spam.

SpamAssassin also comes with a Bayes filtering engine. Bayes works great for some but not for others. You can turn Bayes filtering off by setting “use_bayes” to zero.

You can whitelist your server using the internal_networks parameter.

In general, you can use this file to increase and decrease scores or to define your own.

In a multi-server Zimbra infrastructure, this file, and in general all of these settings, must be copied to every MTA server where you need filtering.
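
The following is an added example, not code from the original article or from Zimbra: it ties the log level tweak to the zzsauser.cf overrides by re-totalling the rule hits logged for a message with the overrides applied, so you can see whether a tuned score changes the verdict. The function names rescore and demo are hypothetical, the log line is constructed, and the "spam-tag ... tests=[RULE=score, ...]" layout and single-value score lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE_LOG is a constructed log-level-2 Amavis line; the
# "spam-tag, ... required=N tests=[RULE=score, ...]" layout is an assumption.
SAMPLE_LOG='Jan 10 09:15:02 mail amavis[2211]: (02211-03) spam-tag, <bob@example.net> -> <amy@example.com>, Yes, score=6.701 tagged_above=-10 required=5 tests=[DOS_OUTLOOK_TO_MX=2.6, HTML_MESSAGE=0.001, RDNS_NONE=1.3, RCVD_IN_PBL=3.3, SPF_PASS=-0.5] autolearn=no'

# The override lines from the article's zzsauser.cf.
SAMPLE_RULES='score DOS_OUTLOOK_TO_MX 0
score RCVD_IN_PBL 0.1
score RDNS_NONE 0.1
score FREEMAIL_FORGED_REPLYTO 4.0
score MALFORMED_FREEMAIL 4.0
score FORGED_GMAIL_RCVD 4.0
internal_networks 10.7.57.15/32'

# rescore <rules-file> < log : for each spam-tag line, re-total the logged
# rule hits with single-value "score RULE N" overrides applied.
rescore() {
  awk -v cf="$1" '
    BEGIN {
      while ((getline line < cf) > 0) {
        n = split(line, f, " ")
        if (n == 3 && f[1] == "score") ov[f[2]] = f[3]   # skip 4-value forms
      }
    }
    tolower($0) ~ /spam-tag,/ {
      i = index($0, "tests=["); if (!i) next
      rest = substr($0, i + 7)
      list = substr(rest, 1, index(rest, "]") - 1)
      req  = substr($0, index($0, "required=") + 9) + 0
      was = 0; now = 0; changed = ""
      n = split(list, t, /, */)
      for (k = 1; k <= n; k++) {
        split(t[k], kv, "=")
        was += kv[2]
        if (kv[1] in ov) { now += ov[kv[1]]; changed = changed "," kv[1] }
        else now += kv[2]
      }
      printf "was=%.2f now=%.2f required=%.1f spam=%s changed=%s\n",
             was, now, req, (now >= req ? "yes" : "no"), substr(changed, 2)
    }'
}

demo() {  # run the constructed samples through rescore
  cf=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_RULES" > "$cf"
  printf '%s\n' "$SAMPLE_LOG" | rescore "$cf"
  rm -f "$cf"
}
demo
```

Against real data, call it as rescore ~/data/spamassassin/localrules/zzsauser.cf < /var/log/zimbra.log. Rules that did not fire on a message, such as the raised forgery tests, are absent from its log line and therefore not counted.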

Technical writer at Zextras. Linux and technology enthusiast. He describes himself as an atypical and polyhedric IT expert, thanks to a creative and open minded attitude, and to the experience gained over time as an IT technician, system engineer and developer.
