Among the spam protection strategies available in Zimbra, SpamAssassin deserves a mention: it is an Open Source anti-spam platform that gives system administrators a filter to classify emails and block spam.
Anti spam Strategies
We have analyzed, through various articles, the different strategies to use, both as a user and as a system administrator, to reduce as much as possible the risk of spam, intrusions and external threats related to your mail. To learn more about these topics, we recommend reading the following articles: “Zimbra Best Practices: Incoming Mail Protection”, to learn how to manage mail protection as a sys admin, “Zimbra Collaboration Suite and Anti-Phishing”, to learn about phishing and how to block it, and “Zimbra User Guide: Managing SPAM”, which is a useful guide for end users to learn how to manage spam in Zimbra.
In this article we are going to see some interesting aspects related to the configuration in Zimbra of SpamAssassin, which together with ClamAV and Amavis forms the basic bundle for spam protection.
How does SpamAssassin work?
SpamAssassin uses a robust scoring framework and various plug-ins to integrate a variety of advanced heuristic and statistical analysis tests on email headers and body, including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. This allows for pretty significant filtering of emails that arrive at your address.
Two simple rules to grow the score
An interesting way to increase your score is to enable automatic rule updates for SpamAssassin. To do this we will act on the two keys that control the automatic update, antispam_enable_rule_updates and antispam_enable_restarts. By default they are set to “false”, but to check we can use the following commands:
$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = false
$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false
If, as in the example above, they are both set to false, you can set them to “true” with the commands:
$ zmlocalconfig -e antispam_enable_rule_updates=true
$ zmlocalconfig -e antispam_enable_restarts=true
After doing that, restart amavisd and the MTA:
$ zmamavisdctl restart
$ zmmtactl restart
Automatic rule compilation
By enabling automatic updates, starting with ZCS 8.5 you can enable automatic rule compilation. This option helps decrease the amount of time it takes to score emails, via a localconfig key. The localconfig parameter to change is
antispam_enable_rule_compilation, and by default is set to “
zmlocalconfig -e antispam_enable_rule_compilation=true
Some good Customization
Now we would like to introduce you to some interesting tweaks that can help you improve the SpamAssassin score and also give you some other benefits.
Increase Amavis’s Log Level
This first tweak is going to increase from 1 to 2 the Amavis log level in
It is very useful to get clarity from SpamAssassin on why spam is being blocked, so that if a user asks about it, the admin can easily find the information by simply grepping the log.
To customize the Amavis loglevel, you can use the following command:
zmprov modifyConfig zimbraAmavisLogLevel 2
Please note that if you are on ZCS 8.0.5 or later, zmconfigd will automatically restart Amavis for you when you change the loglevel.
Tweak Selected SpamAssassin Scores with Pyzor and Razor
An interesting way to significantly increase the amount of spam filtered by SpamAssassin is to use Razor and Pyzor, two plugins that improve the performance of SpamAssassin.
Installing Pyzor and Razor
To install Pyzor and Razor, you can proceed as follows.
On Ubuntu you have to use the command:
apt install razor pyzor
On CentOS / RHEL / Oracle, you first have to install the EPEL repository:
$ sudo dnf install -y epel-release
or download it from the Fedora Project:
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo rpm -Uvh epel-release-latest-8.noarch.rpm
Please note that the EPEL repository file is located under ‘/etc/yum.repos.d/epel.repo’. If you can’t find it, you can create it, with the following lines in it:
[epel]
name=EPEL repository
baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/
enabled=1
# gpgcheck=0 disables package signature verification for this repository
gpgcheck=0
then you can install Pyzor and Razor:
yum update
yum install pyzor perl-Razor-Agent
To configure Pyzor, after installing it, as zimbra user type:
pyzor --homedir /opt/zimbra/data/amavisd/.pyzor discover
# pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
# DNS lookups for pyzor can time out easily. Set the following line IF you want to give pyzor up to 20 seconds to respond
# may slow down email delivery
pyzor_timeout 20
To configure Razor, after installing it, log in as Zimbra user, then type:
razor-admin -home=/opt/zimbra/data/amavisd/.razor -create
razor-admin -home=/opt/zimbra/data/amavisd/.razor -discover
razor-admin -home=/opt/zimbra/data/amavisd/.razor -register -user firstname.lastname@example.org
Then again we are going to update
# razor
use_razor2 1
Update SpamAssassin scoring
When the configuration of Pyzor and Razor is completed, as zimbra user, restart Amavis:
One last customization to improve SpamAssassin
Many SpamAssassin default scores could be too high or too low for your environment, or maybe you need to specify custom scores. To achieve this, create a new file
and edit it, adding the lines below:
score DOS_OUTLOOK_TO_MX 0
score RCVD_IN_PBL 0.1
score RDNS_NONE 0.1
score FREEMAIL_FORGED_REPLYTO 4.0
score MALFORMED_FREEMAIL 4.0
score FORGED_GMAIL_RCVD 4.0
internal_networks 10.7.57.15/32
The first lines that contain SpamAssassin’s “_MX” and “_PBL” tests have default scores that are very high, and they go off when a user with Zimbra Connector for Outlook sends email. They should then be adjusted down to zero, otherwise, emails sent from Outlook using the Connector for Outlook will often be flagged as spam. On the other hand, the PBL test is used by other tests, so we will set it to a small value.
The next test, for Reverse DNS, has a high score by default, with among other things a high false positive rate. To get around this, we can set its score to a very low value.
The mail forgery tests are given a higher score than the SpamAssassin default, because spammers send junk mail from a “real” mail server, but fake the reply address so that it points to a gmail, hotmail, etc. mailbox. This way the spammer can receive replies at an email account that was not the source of the spam.
SpamAssassin also comes with a Bayes filtering engine. Bayes works great for some but not for others. You can turn Bayes filtering off by setting “use_bayes” to zero.
You can whitelist your server using the internal_networks parameter.
In general you can use this file to increase and decrease scores or define your own.
In a multi-server Zimbra infrastructure this file, and in general all the settings, must be copied to all the MTA servers where you need filtering.
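The what-if check below is an added example, not part of the original article or of Zimbra's tooling: it takes the per-test hits that Amavis logs once the log level is raised to 2 and re-scores them with the custom score lines above, showing which verdicts would change before the file is deployed. The SPAM-TAG line shape and the two sample log lines (with their scores) are assumptions constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed log lines (Amavis level-2 SPAM-TAG shape, assumed; scores invented).
SAMPLE_LOG = """\
Jan 10 09:14:02 mail amavis[2211]: (02211-01) SPAM-TAG, <alice@example.com> -> <bob@example.org>, Yes, score=6.9 tagged_above=-10 required=6.6 tests=[DOS_OUTLOOK_TO_MX=2.6, RCVD_IN_PBL=3.3, HTML_MESSAGE=0.001, RDNS_NONE=0.999] autolearn=no
Jan 10 09:15:40 mail amavis[2211]: (02211-02) SPAM-TAG, <promo@example.net> -> <bob@example.org>, No, score=5.2 tagged_above=-10 required=6.6 tests=[FREEMAIL_FORGED_REPLYTO=2.1, HTML_MESSAGE=0.001, BAYES_50=0.8, MISSING_DATE=2.299] autolearn=no
"""

# The custom score lines from the article.
CUSTOM_CF = """\
score DOS_OUTLOOK_TO_MX 0
score RCVD_IN_PBL 0.1
score RDNS_NONE 0.1
score FREEMAIL_FORGED_REPLYTO 4.0
score MALFORMED_FREEMAIL 4.0
score FORGED_GMAIL_RCVD 4.0
internal_networks 10.7.57.15/32
"""

TAG_RE = re.compile(
    r"SPAM-TAG, <(?P<sender>[^>]*)> -> <[^>]*>, (?P<verdict>Yes|No), "
    r"score=(?P<score>-?[\d.]+) .*?required=(?P<required>-?[\d.]+) "
    r"tests=\[(?P<tests>[^\]]*)\]")

def parse_overrides(cf_text):
    """Return {rule: score} from single-value 'score RULE value' lines."""
    overrides = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "score":
            overrides[parts[1]] = float(parts[2])
    return overrides

def replay(log_text, overrides):
    """Re-score every logged message with the overrides applied to its hits."""
    results = []
    for m in TAG_RE.finditer(log_text):
        pairs = (t.strip().partition("=") for t in m["tests"].split(","))
        hits = {name: float(val) for name, _, val in pairs if val}
        new_score = round(sum(overrides.get(n, s) for n, s in hits.items()), 3)
        results.append({"sender": m["sender"], "was_spam": m["verdict"] == "Yes",
                        "old_score": float(m["score"]), "new_score": new_score,
                        "now_spam": new_score >= float(m["required"]),
                        "changed": sorted(n for n in hits if n in overrides)})
    return results

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, parse_overrides(CUSTOM_CF)))
```

On the sample data the Outlook-style message drops below the threshold while the forged reply-to message rises above it, which is the effect the score changes are meant to have.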