Trouble with SPAM [message #105252]
Mon, 05 August 2013 15:45
Machete
Messages: 187 Registered: February 2012 Location: United States
Hello,
One of the key domains I manage has always had issues with SPAM; recently the spam has been unbelievable. I even have their Likely Spam turned down to 1.2 points in SpamAssassin.
Here is the header of a repeated message coming through as valid email despite multiple users clicking the Spam button in KOC. Can anyone tell me what I'm missing? Users are getting disgruntled and I am taking the heat...
I DO have Grey Listing turned on, running Connect 8.1.1.
Return-Path: <ladling<_at_>oipzz.com>
X-Spam-Status: No, hits=0.0 required=1.2
tests=BAYES_00: -1.665,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,
T_URIBL_SEM_FRESH_15: 0.01,URIBL_BLACK: 1.725,TOTAL_SCORE: 0.072,autolearn=no
X-Spam-Level:
Received: from pile.oipzz.com ([151.237.180.38])
by mailserver removed for privacy (Kerio Connect 8.1.1)
for valid email removed for privacy;
Sun, 4 Aug 2013 12:37:18 -0400
To: removed for privacy
From: "TFXdrive" <ladling<_at_>oipzz.com>
Reply-To: <30418-2790359<_at_>oipzz.com>
Subject: ATTENTION MEN: Save 60% NOW on The New Clinically Proven Testosterone Booster!.
Date: Sun, 04 Aug 2013 09:42:59 -0700
Message-ID: <I9V6SYC5T.bdhpjP44960J06<_at_>oipzz.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="MRDTMTYEYEBKJPYNYZUATIIOCCONJEWVVZPJUNN"
Content-Transfer-Encoding: 7bit
Re: Trouble with SPAM [message #105267 is a reply to message #105252]
Tue, 06 August 2013 02:02
MarkK
Messages: 342 Registered: April 2007
It looks like your Bayes filter needs to be reset, since it is handing out a BAYES_00 hit with a -1.665 score. Delete the files in the ..\MailServer\store\spamassassin\bayes\ folder and restart the server.
Also, consider creating your own local scoring for the SpamAssassin filter. Some of the default scores in SA are just too low, such as 0.001.
In the folder:
\MailServer\plugins\spamserver\spamassassin\rules\
make a copy of the local.cf file and name it zlocal.cf. (I believe that SA processes the files in the order of the file name.)
In that zlocal.cf file, at the bottom, enter in your new higher scores for the rules that are getting hit. Such as
score HTML_MESSAGE 0.5
score MIME_HTML_ONLY 0.5
etc...
BE CAREFUL not to go too high on some scores, since valid emails are also HTML based.
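The advice above (reset Bayes, then raise the weak default scores in a local .cf file) can be checked against the header in the first post before touching the server. The following is an added Python example, not code from the original post or from Kerio or SpamAssassin: it parses the tests= breakdown of the posted X-Spam-Status header (copied here as a constructed string), parses a hypothetical zlocal.cf fragment carrying the two suggested overrides, and re-totals the message. It also lets you drop BAYES_00 from the total, because a freshly reset Bayes database does not vote at all until it has learned the default minimum of 200 ham and 200 spam messages, so that -1.665 disappears for a while. The header, the 1.2 threshold and the override values are the thread's; the function names and the "last definition wins" handling of duplicate score lines are mine (the latter mirrors how SpamAssassin reads its config).

```python
import re

# Constructed copy of the X-Spam-Status header from the first post in the thread.
SAMPLE_STATUS = (
    "No, hits=0.0 required=1.2 "
    "tests=BAYES_00: -1.665,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,"
    "T_URIBL_SEM_FRESH_15: 0.01,URIBL_BLACK: 1.725,TOTAL_SCORE: 0.072,autolearn=no"
)

# Hypothetical zlocal.cf fragment with the two overrides suggested in the reply.
SAMPLE_OVERRIDES = """
# local score overrides (assumed file content, not the poster's full file)
score HTML_MESSAGE 0.5
score MIME_HTML_ONLY 0.5
"""

TEST_RE = re.compile(r"([A-Z0-9_]+):\s*(-?\d+(?:\.\d+)?)")


def parse_tests(status_header):
    """Return {rule: score} from the tests= part of an X-Spam-Status header.
    TOTAL_SCORE is Kerio's summary entry, not a rule, so it is dropped."""
    m = re.search(r"tests=(.*?)(?:,autolearn=|$)", status_header)
    if not m:
        return {}
    hits = {name: float(val) for name, val in TEST_RE.findall(m.group(1))}
    hits.pop("TOTAL_SCORE", None)
    return hits


def parse_required(status_header):
    """The required= threshold the server applied when it stamped the header."""
    m = re.search(r"required=(-?\d+(?:\.\d+)?)", status_header)
    return float(m.group(1)) if m else None


def parse_scores(cf_text):
    """Parse 'score RULE value' lines; like SpamAssassin, a later line for the same rule wins."""
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return scores


def rescore(hits, overrides, ignore=()):
    """Re-total the hits with overrides applied. Rules in `ignore` are treated as
    not firing (e.g. BAYES_00 after a Bayes reset, while Bayes is still untrained)."""
    total = 0.0
    detail = {}
    for rule, score in hits.items():
        if rule in ignore:
            continue
        detail[rule] = overrides.get(rule, score)
        total += detail[rule]
    return round(total, 3), detail


def verdict(total, required):
    return "tagged as spam" if total >= required else "delivered as clean"


if __name__ == "__main__":
    hits = parse_tests(SAMPLE_STATUS)
    required = parse_required(SAMPLE_STATUS)
    overrides = parse_scores(SAMPLE_OVERRIDES)
    for label, kwargs in (("as received", {}),
                          ("with overrides", {"overrides": overrides}),
                          ("overrides + Bayes reset", {"overrides": overrides, "ignore": {"BAYES_00"}})):
        total, _ = rescore(hits, kwargs.get("overrides", {}), kwargs.get("ignore", ()))
        print(f"{label:25s} {total:6.3f} -> {verdict(total, required)}")
```

Run stand-alone it prints three rows: as received the message totals 0.072 (under 1.2), with the two overrides alone it reaches 1.07 and is still delivered, and only once the Bayes ham vote is gone does it total 2.735 and get tagged. That is the point of the two-step advice: the overrides on their own do not rescue this message while Bayes keeps awarding it -1.665.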
Re: Trouble with SPAM [message #105269 is a reply to message #105267]
Tue, 06 August 2013 02:07
MarkK
Messages: 342 Registered: April 2007
P.S. Once you clear the Bayes filter, that 1.2 spam score setting will most likely be too low. You will want to raise it back up so that you don't start getting good emails falsely marked as spam.
I have my thresholds set at Tag at 5 and Block at 8.
Re: Trouble with SPAM [message #105321 is a reply to message #105269]
Thu, 08 August 2013 00:05
hberm001
Messages: 20 Registered: August 2012 Location: United States
My server has also recently started to show intense amounts of spam in the inbox in the past couple of weeks. My first thought was the bayes database being poisoned. I have since reset it and retrained it (it shows active) but the issue has not backed away. Nearly every spam message that gets through now has actual web articles or recipes inserted in the body, presumably to trick or poison the filter. 270 mailboxes. Any ideas?
Re: Trouble with SPAM [message #105322 is a reply to message #105321]
Thu, 08 August 2013 00:46
MarkK
Messages: 342 Registered: April 2007
Well, here is the contents of my zlocal.cf file. Feel free to use at your own risk. It is kind of geared towards the good emails we get in my particular industry. I have the thresholds set at 5 & 8.
==========
# My score modifications
ok_languages en es
score ACT_NOW_CAPS 1.1
score ADVANCE_FEE_2 3.6
score ADVANCE_FEE_3 5.0
score ADVANCE_FEE_4 5.5
score BAD_CREDIT 1.5
score BAYES_50 1.0
score BAYES_60 2.0
score BAYES_80 4.0
score BAYES_95 5.0
score BAYES_99 5.5
score DATE_IN_PAST_03_06 1.5
score DATE_IN_PAST_06_12 1.6
score DATE_IN_PAST_12_24 1.7
score DATE_IN_PAST_24_48 2.0
score DATE_IN_PAST_96_XX 2.3
score DEAR_EMAIL 1.5
score DEAR_FRIEND 3.6
score DEAR_SOMETHING 3.5
score DIET_1 2.0
score DNS_FROM_RFC_DSN 2.9
score DNSBL_ZEN.SPAMHAUS.ORG 7.0
score DRUGS_ANXIETY_EREC 5.0
score DRUGS_ANXIETY_OBFU 5.0
score DRUGS_DIET 1.6
score DRUGS_DIET_OBFU 2.3
score DRUGS_ERECTILE 5.0
score DRUGS_ERECTILE_OBFU 5.0
score DRUGS_SLEEP_EREC 2.7
score EMPTY_MESSAGE 1.8
score EM_ROLEX 2.5
score FAKE_HELO_MAIL_COM 2.1
score FM_SUBJ_APPROVE 2.0
score FORGED_IMS_HTML 2.3
score FORGED_IMS_TAGS 2.1
score FORGED_MSGID_AOL 1.6
score FORGED_MSGID_MSN 2.1
score FORGED_YAHOO_RCVD 3.7
score FORGED_MUA_EUDORA 2.5
score FORGED_MUA_IMS 2.1
score FORGED_MUA_THEBAT_BOUN 2.3
score FORGED_OUTLOOK_HTML 2.8
score FORGED_OUTLOOK_TAGS 3.2
score FROM_12LTRDOM 0
score FSL_HELO_NON_FQDN_1 2.0
score HELO_DYNAMIC_DHCP 3.7
score HELO_NO_DOMAIN 2.0
score HS_INDEX_PARAM 3.0
score HTML_EXTRA_CLOSE 3.0
score HTML_FONT_LOW_CONTRAST 1.5
score HTML_FONT_SIZE_LARGE 1.3
score HTML_IMAGE_ONLY_04 3.0
score HTML_IMAGE_ONLY_28 0.5
score HTML_IMAGE_RATIO_02 1.5
score HTML_IMAGE_RATIO_04 1.2
score HTML_IMAGE_RATIO_06 1.0
score HTML_IMAGE_RATIO_08 0.8
score HTML_MESSAGE 0.5
score HTML_OBFUSCATE_05_10 1.3
score HTML_SHORT_CENTER 2.1
score HTML_SHORT_LINK_IMG_2 2.1
score HTML_TITLE_SUBJ_DIFF 1.4
score HTTP_77 2.5
score INVALID_DATE_TZ_ABSURD 1.4
score INVESTMENT_ADVICE 3.0
score IP_LINK_PLUS 1.2
score KOREAN_UCE_SUBJECT 2.5
score LOTS_OF_MONEY 1.5
score MILLION_USD 3.0
score MIME_BASE64_BLANKS 0.5
score MIME_BOUND_MANY_HEX 2.2
score MIME_HEADER_CTYPE_ONLY 1.1
score MIME_HTML_MOSTLY 1.5
score MIME_HTML_ONLY 1.5
score MISSING_DATE 1.0
score MISSING_HEADERS 2.0
score MISSING_MID 0.5
score MISSING_MIMEOLE 1.6
score MISSING_SUBJECT 2.5
score MSGID_MULTIPLE_AT 2.0
score MSGID_SHORT 3.5
score MSGID_SPAM_LETTERS 2.5
score MSGID_YAHOO_CAPS 2.5
score NO_PRESCRIPTION 3.2
score NORMAL_HTTP_TO_IP 1.0
score NUMERIC_HTTP_ADDR 1.2
score OBFUSCATING_COMMENT 1.5
score OBSCURED_EMAIL 1.7
score ONLINE_PHARMACY 2.5
score RATWARE_OUTLOOK_NONAME 2.2
score RATWARE_RCVD_AT 2.5
score RCVD_HELO_IP_MISMATCH 3.4
score RCVD_ILLEGAL_IP 4.6
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_WEB 1.3
score RCVD_IN_XBL 3.1
score RDNS_NONE 0.5
score REMOVE_BEFORE_LINK 2.5
score REPTO_QUOTE_YAHOO 2.4
score SPOOF_COM2COM 2.1
score STOX_REPLY_TYPE 1.0
score SUBJ_ALL_CAPS 2.1
score SUBJ_BUY 1.5
score SUBJECT_DRUG_GAP_C 2.0
score SUBJECT_NEEDS_ENCODING 1.25
score SUBJ_DOLLARS 0.3
score SUBJ_ILLEGAL_CHARS 4.0
score SUBJ_YOUR_DEBT 3.0
score T_AXB_MIME_IMG830 0.2
score T_DOS_OUTLOOK_TO_MX_IMAGE 2.0
score T_FILL_THIS_FORM_SHORT 2.9
score T_OBFU_JPG_ATTACH 0.2
score T_REMOTE_IMAGE 0.75
score T_URIBL_BLACK_OVERLAP 1.0
score T_URIBL_SEM 0.2
score T_URIBL_SEM_RED 0.2
score TO_NO_BRKTS_NORDNS 0.5
score TVD_RCVD_IP 2.5
score TVD_RCVD_IP4 2.5
score TVD_RCVD_SINGLE 2.5
score UNPARSEABLE_RELAY 0.25
score URI_NO_WWW_INFO_CGI 3.4
score URIBL_BLACK 2.1
score URIBL_AB_SURBL 2.0
# URIBL_BLACK is set twice in this file; SpamAssassin keeps the last definition, so 2.0 is the effective score
score URIBL_BLACK 2.0
score URIBL_JP_SURBL 2.8
score URIBL_OB_SURBL 2.2
score URIBL_PH_SURBL 2.0
score URIBL_RED 0.5
score URIBL_RHS_DOB 2.0
score URIBL_WS_SURBL 2.2
score US_DOLLARS_3 2.0
score VIA_GAP_GRA 2.5
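Before dropping a file like the one above into rules\ it is worth linting it, because the warning in the earlier reply (do not go too high) and SpamAssassin's own config rules are easy to trip in a 130-line hand-written list. The following is an added Python example, not code from the original post or from SpamAssassin or Kerio. It reads a constructed excerpt of the posted zlocal.cf (only the lines worth flagging, not the whole file) and reports: a rule scored twice (URIBL_BLACK appears at 2.1 and 2.0; SpamAssassin uses the last value), a name that is not a valid SpamAssassin rule name (DNSBL_ZEN.SPAMHAUS.ORG contains dots, while rule names allow only letters, digits and underscore), T_ rules (sandbox/testing rules that a rule update can rename or remove, so the override silently stops applying), and any single rule whose score alone reaches the Tag (5) or Block (8) threshold. The thresholds default to the 5 and 8 the poster uses; the function names and finding kinds are mine.

```python
import re

# Constructed excerpt of the zlocal.cf posted above, not the complete file.
SAMPLE_CF = """
# My score modifications
ok_languages en es
score ACT_NOW_CAPS 1.1
score DNSBL_ZEN.SPAMHAUS.ORG 7.0
score DRUGS_ERECTILE 5.0
score HTML_MESSAGE 0.5
score T_REMOTE_IMAGE 0.75
score URIBL_BLACK 2.1
score URIBL_AB_SURBL 2.0
score URIBL_BLACK 2.0
"""

# SpamAssassin rule names: letters, digits and underscore only.
RULE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def score_lines(cf_text):
    """Yield (line_number, rule, score) for every 'score RULE value' line, comments stripped.
    A non-numeric value yields score=None so the caller can report it."""
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            try:
                yield lineno, parts[1], float(parts[2])
            except ValueError:
                yield lineno, parts[1], None


def lint_scores(cf_text, tag=5.0, block=8.0):
    """Return findings as (kind, rule, message).
    Kinds: bad-value, bad-name, testing-rule, dup, single-rule-tag, single-rule-block."""
    findings = []
    seen = {}  # rule -> (line, score) of the previous definition
    for lineno, rule, score in score_lines(cf_text):
        if score is None:
            findings.append(("bad-value", rule, f"line {lineno}: score is not a number"))
            continue
        if not RULE_NAME.match(rule):
            findings.append(("bad-name", rule,
                             f"line {lineno}: not a valid SpamAssassin rule name "
                             "(letters, digits and underscore only); the line will not apply"))
        if rule.startswith("T_"):
            findings.append(("testing-rule", rule,
                             f"line {lineno}: T_ rules are testing rules and may vanish in a rule update"))
        if rule in seen:
            prev_line, prev_score = seen[rule]
            findings.append(("dup", rule,
                             f"line {lineno}: already set to {prev_score} on line {prev_line}; "
                             f"SpamAssassin keeps the last value ({score})"))
        seen[rule] = (lineno, score)
        if score >= block:
            findings.append(("single-rule-block", rule,
                             f"line {lineno}: {score} >= block threshold {block}; one hit blocks the message"))
        elif score >= tag:
            findings.append(("single-rule-tag", rule,
                             f"line {lineno}: {score} >= tag threshold {tag}; one hit tags the message"))
    return findings


def effective_scores(cf_text):
    """The scores SpamAssassin would actually use from this file: last definition wins."""
    return {rule: score for _, rule, score in score_lines(cf_text) if score is not None}


if __name__ == "__main__":
    for kind, rule, msg in lint_scores(SAMPLE_CF):
        print(f"{kind:18s} {rule:24s} {msg}")
    print("effective URIBL_BLACK:", effective_scores(SAMPLE_CF)["URIBL_BLACK"])
```

A single-rule-tag finding is not automatically wrong (DRUGS_ERECTILE at 5.0 is a deliberate choice in the posted file), but each one is a rule whose false positive alone quarantines mail, so it deserves a conscious decision. The bad-name finding is the one to act on first: a line SpamAssassin cannot parse gives you no protection at all.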
Re: Trouble with SPAM [message #109091 is a reply to message #105346]
Thu, 12 December 2013 18:24
Machete
Messages: 187 Registered: February 2012 Location: United States
I implemented MarkK's suggestions and it is helping. One problem I am facing, and hopefully someone can give me some guidance, is the following message in my warning log:
DNS failure while trying to find address 107.51.86.192.2.0.0.127.b.barracudacentral.org in blacklist Barracuda
I have thousands of these in the log, and I have read (and tested successfully, as instructed) here: http://www.barracudacentral.org/rbl/how-to-use
I have also read these threads:
http://forums.kerio.com/m/60671/?#msg_60671
http://forums.kerio.com/index.php?t=msg&goto=50461
I am still confused: if I manually test my connection to Barracuda from the command line (and it succeeds), why does the Warning Log indicate that it's not working?
I have found false negatives from different IPs that are listed in the Barracuda BRBL, and there is no mention of that list in the email header.
Thanks for any help!
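One way to take the guesswork out of that warning line is to rebuild the lookup name yourself and compare it with what the log shows. The following is an added Python example, not code from the original post, from Kerio or from Barracuda: it builds the query name the way a DNSBL lookup is documented (IPv4 octets reversed, then the list zone, b.barracudacentral.org as in the log line), does the inverse so a logged name can be checked, extracts the name from a warning line of the shape quoted above (constructed copy), and, for a live check, separates "name does not exist" (the normal answer for an address that is not listed) from a resolver error (the only case that deserves a DNS-failure warning). The logged name has eight labels in front of the zone rather than four, so the parser returns None for it; the example only shows that the name does not have the documented shape, it does not establish why Kerio built it that way. The 127.0.0.2 address is the usual DNSBL test entry; the errno mapping in the live check (EAI_NONAME for a non-existent name, anything else treated as a failure) is an assumption about glibc-style resolvers and is not exercised offline.

```python
import ipaddress
import re
import socket

ZONE = "b.barracudacentral.org"

# Constructed copy of the warning line quoted in the post above.
SAMPLE_WARNING = ("DNS failure while trying to find address "
                  "107.51.86.192.2.0.0.127.b.barracudacentral.org in blacklist Barracuda")

WARNING_RE = re.compile(r"trying to find address (\S+) in blacklist (\S+)")


def dnsbl_query_name(ip, zone=ZONE):
    """Documented DNSBL lookup form: reversed IPv4 octets followed by the list zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_dnsbl_query_name(name, zone=ZONE):
    """Inverse of dnsbl_query_name: the address that was looked up, or None when the
    labels in front of the zone are not exactly four reversed octets."""
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def parse_warning_line(line):
    """Extract (query_name, blacklist_name) from a Kerio-style warning line, or None."""
    m = WARNING_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def classify_lookup(name):
    """Live network check (assumed errno mapping, not run offline).
    'listed' with the A record, 'not-listed' on a non-existent name, else 'dns-failure'."""
    try:
        return ("listed", socket.gethostbyname(name))
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_NONAME", None):
            return ("not-listed", None)
        return ("dns-failure", str(e))


if __name__ == "__main__":
    print("test entry lookup name:", dnsbl_query_name("127.0.0.2"))
    logged, lst = parse_warning_line(SAMPLE_WARNING)
    print(f"logged name for {lst}: {logged}")
    print("parses back to an IPv4 address:", parse_dnsbl_query_name(logged))
    print("live check of test entry:", classify_lookup(dnsbl_query_name("127.0.0.2")))
```

Running the live part from the mail server itself (as MarkK asks in the next reply) matters, because the resolver that Kerio uses is the one on that box; a successful nslookup from a workstation says nothing about it. The test entry should come back "listed" and a random unlisted address "not-listed"; only a "dns-failure" result there means the resolver is really failing.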
Re: Trouble with SPAM [message #109096 is a reply to message #109091]
Thu, 12 December 2013 19:07
MarkK
Messages: 342 Registered: April 2007
A couple of questions:
Are you running the manual test from your email server itself?
Have you turned on the DNS logging in Kerio's Debug log to see what is happening there?
Re: Trouble with SPAM [message #109099 is a reply to message #109096]
Thu, 12 December 2013 19:32
Machete
Messages: 187 Registered: February 2012 Location: United States
I am running the manual test from the command line on the actual mail server (through PuTTY).
Yes, I had DNS Resolver logging turned on and didn't see anything negative, just things like "valid answer arrived".
Not sure what else I should be looking for in there.
Re: Trouble with SPAM [message #109109 is a reply to message #109102]
Fri, 13 December 2013 00:15
Machete
Messages: 187 Registered: February 2012 Location: United States
Thanks Mark. I'll probably be giving them a call; I was hoping that Pavel or one of the other Kerio peeps lurking here would be able to help.
Re: Trouble with SPAM [message #109148 is a reply to message #109140]
Sat, 14 December 2013 08:51
Machete
Messages: 187 Registered: February 2012 Location: United States
I'm not sure that I follow you. You are correct, the IP listed in my example is not listed on Barracuda, but that's not my question.
Why do I get thousands of these messages in my Warning Log?
I didn't get to call Kerio this week, hopefully next, unless they can help through here.