Revision as of 22:37, 22 June 2021
Preventing Spamming
Problem
- Huge and unresponsive mail queue due to incoming spam and NDRs.
- Excessive spamming activity observed on the server.
- MTA IP blacklisted in the global RBLs, with a huge impact on outgoing mail.
Solution
The solution is divided into 2 parts.
- Fix
- Prevention
Fix
In this section let's look at how to identify the spammer, control the spamming and clear the queue.
- First of all, hold the queue:
su - zimbra
~/common/sbin/postsuper -h ALL
- To release the queue once the work is done:
~/common/sbin/postsuper -r ALL
- Additionally, we can hold all incoming mail at the MTA level by following the wiki below.
There are 2 ways to check the mail queue: A) from the admin panel, B) from the server CLI.
- We will first check the queue from the Admin Control Panel.
Open your Admin Panel and in the left pane go to Monitor > Mail Queues; the Mail Queues window will open.
This Mail Queue section contains the following tabs: i) Deferred ii) Incoming iii) Active iv) Held v) Corrupt.
Each tab contains a summary of the accumulated mails, grouped under 6 columns:
i) Receiver Domain ii) Origin IP iii) Sender Domain iv) Receiver Address v) Sender Address vi) Error.
Because of the load on the server you may sometimes have difficulty accessing the Admin panel, hence we will also check the CLI method to find the spammer.
We are going to use the following commands, which give almost the same result as the admin panel:
$ sudo ~/libexec/zmqstat
$ qshape -s deferred | head
Thus, by referring to the queue, we can easily identify which email address has been compromised and from which IP addresses the spam mails are being received, and take further action.
- For a detailed analysis, check which user has been compromised and used for spamming:
$ grep sasl_user /var/log/zimbra.log | sed 's/.*sasl_username=//g' | sort | uniq -c | sort -nr | head
The output will look something like this:
  12289 user1@domain.tld
     13 user2@domain.tld
     10 user3@domain.tld
      7 user4@domain.tld
      7 user5@domain.tld
      4 user6@domain.tld
      1 user7@domain.tld
      1 user8@domain.tld
Thus, from the above stats, we can safely guess that user1@domain.tld has been compromised, since no other user authenticated anywhere near as often as user1.
To cross-verify, grep for user1@domain.tld in /var/log/zimbra.log; we may find thousands of entries like these:
Sep 21 17:34:11 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: filter: RCPT from unknown[177.39.32.97]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<greenxyso333@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[14032]: B6A3860C53: filter: RCPT from unknown[191.242.246.133]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<ssrkettlecasdaorn@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[12700]: 56C3960F69: filter: RCPT from 6-48-130-177.redewsp.com.br[177.130.48.6]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<dtgadsadulf@yahoo.com> proto=ESMTP helo=<[127.0.0.1]>
By looking at a few of these mails we notice:
1) The mails are going to junk recipients (which probably do not exist).
2) The originating IPs are all different.
By this we can confirm that all of these are spam mails, hence change the password of the affected user and/or disable the user to prevent further authentication and spamming.
Since we found that several authentications happened, let's find out the originating IPs.
Just grep to find out from which IP addresses the authentication and the mails originated. Here we can use 2 ways:
i) By "from address"
ii) By authentication
- Finding the originating IP using the "From address" (the IP is extracted first, then counted, so that the same IP is counted once regardless of its hostname):
grep "from=<user1@domain.tld>" /var/log/zimbra.log | awk '{print $10}' | sed -rn 's/.*\[//;s/\].*//p' | sort | uniq -c | sort -nr -k 1
The output will show something like this.
- Finding the originating IP using authentication:
# grep sasl_user /var/log/zimbra.log | grep user1@domain.tld | awk '{print $7}' | sed -rn 's/.*\[//;s/\].*//p' | sort | uniq -c | sort -nr -k 1
The output will show something like this.
In the above example we found a bunch of IPs from which thousands of mails originated, which gives us a clear picture that all of these are spam mails. Hence we will go ahead and ask the customer to block all these IPs in their firewall so that no further authentication happens from these IPs.
We can also blacklist all these IPs on Zimbra itself by following the steps below.
i) Create the file /opt/zimbra/conf/postfix_blacklist and add all the IPs in the following format:
177.71.83.241 REJECT
191.37.158.10 REJECT
177.39.32.97 REJECT
177.53.74.33 REJECT
177.71.23.64 REJECT
ii) Now run postmap, which creates the DB file:
postmap /opt/zimbra/conf/postfix_blacklist
iii) Now add this file to the Zimbra MTA restrictions so that Postfix consults it while accepting connections and rejects all the listed IPs:
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
iv) Now restart the MTA services:
zmmtactl restart
v) We are done with the initial phase; we can now rest assured that no more new spam will hit, nor will any further authentication happen from these IPs. Still, to cross-check whether a brute-force attack is still going on, check zimbra.log for authentication failures with the command below.
$ grep "authentication failure" /var/log/zimbra.log
And the output will show the failed attempts.
If you find more such entries with new email addresses, repeat the same process described above (identify the user, then block its originating IPs) for each of them.
5) Since we have stopped further authentication and held the queue, let's move on and delete all the deferred and spam mails from the queue.
5-A) From the Admin panel: Monitor >> Mail Queue. Here, right-click on either the originating IP or the sender domain/email address and click Delete.
5-B) If the Admin panel is not accessible, we will have to do the same from the CLI.
Let's first delete all the deferred mails from the queue; these mails are usually ones throttled by the recipient server because of spam complaints against the sender's MTA. Note that this removes every deferred message, legitimate ones included; if that is a concern, skip this step and rely on the sender-based deletion below.
/opt/zimbra/common/sbin/postsuper -d ALL deferred
The safest method is to delete by the compromised sender address, and by the address from which the NDRs have been received.
Thus, first execute the command below and check which mails we are going to delete. Here we are matching on the compromised sender address; later you can change it to the NDR email addresses as well.
/opt/zimbra/common/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' \
  | awk 'BEGIN { RS = "" } { if ($7 == "user1@domain.tld") print $1 }' | tr -d '*!'
Here replace user1@domain.tld with the actual affected email address. The command above lists the queue IDs of the mails we are going to delete; go through the list to verify we are on the right path.
Now execute the final command, which pipes that list into postsuper -d - to delete all those mails:
/opt/zimbra/common/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' \
  | awk 'BEGIN { RS = "" } { if ($7 == "user1@domain.tld") print $1 }' \
  | tr -d '*!' | /opt/zimbra/common/sbin/postsuper -d -
6) Once all the mails are deleted we can check the queue again:
$ sudo ~/libexec/zmqstat
hold=125 corrupt=0 deferred=0 active=0 incoming=0
7) Since the queue is clear and the junk and deferred mails are already deleted, we can now release the held queue:
~/common/sbin/postsuper -r ALL
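The whole triage above, from the most active SASL user through the IPs to blacklist to the queue IDs to delete, carried out offline against constructed samples. This is an added example, not code from the wiki; it assumes the zimbra.log and postqueue -p formats shown above, and the log lines, queue entries and recipients below are constructed (the IPs are the ones quoted in the log excerpt above plus documentation addresses).

```shell
#!/bin/sh
# Added example, not code from the wiki: the log and queue triage from the
# Fix section, run offline against constructed samples.  Assumes the
# zimbra.log and "postqueue -p" formats shown above; queue IDs, recipients
# and the 198.51.100.7 / 203.0.113.5 addresses are constructed.
set -eu

# Constructed /var/log/zimbra.log excerpt: SASL logins plus one filter record.
SAMPLE_LOG=$(cat <<'EOF'
Sep 21 17:34:10 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: client=unknown[177.39.32.97], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:11 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: filter: RCPT from unknown[177.39.32.97]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<junk1@example.net> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[14032]: B6A3860C53: client=unknown[191.242.246.133], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[12700]: 56C3960F69: client=6-48-130-177.redewsp.com.br[177.130.48.6], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:13 zmta1 postfix/smtps/smtpd[12701]: 78A0960F70: client=unknown[177.39.32.97], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:35:01 zmta1 postfix/submission/smtpd[12800]: 11B2260F71: client=host.corp.example[198.51.100.7], sasl_method=LOGIN, sasl_username=user2@domain.tld
EOF
)

# Constructed "postqueue -p" output: two messages from the compromised user
# (one deferred, with a reason line) and one legitimate message.
SAMPLE_QUEUE=$(cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
ACDBA60F68*    2345 Sat Sep 21 17:34:11  user1@domain.tld
                                         junk1@example.net

B6A3860C53     2401 Sat Sep 21 17:34:12  user1@domain.tld
(host mx.example.net[203.0.113.5] said: 450 4.7.1 Too many messages)
                                         junk2@example.net

11B2260F71     1200 Sat Sep 21 17:35:01  user2@domain.tld
                                         boss@example.com

-- 6 Kbytes in 3 Requests.
EOF
)

# Most frequently authenticating SASL user (the wiki's pipeline, top entry only).
top_sasl_user() {
    printf '%s\n' "$1" | grep -o 'sasl_username=[^ ,]*' | sed 's/sasl_username=//' \
        | sort | uniq -c | sort -nr | head -n 1 | awk '{print $2}'
}

# Client IPs that authenticated as $2, as "count ip", most frequent first.
# The IP is extracted before counting so a host seen with and without a PTR
# name is still counted as one address.
auth_ips_for_user() {
    printf '%s\n' "$1" | grep "sasl_username=$2\$" \
        | sed -En 's/.*client=[^[]*\[([^]]+)\].*/\1/p' \
        | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# Turn "count ip" lines into /opt/zimbra/conf/postfix_blacklist entries.
blacklist_lines() {
    awk '{print $2, "REJECT"}'
}

# Queue IDs of messages whose envelope sender is $2, from postqueue -p text in $1
# (same egrep/awk/tr logic as the wiki, with the sender passed in as a variable).
queue_ids_for_sender() {
    printf '%s\n' "$1" | grep -Ev '^ *\(|-Queue ID-' \
        | awk -v s="$2" 'BEGIN { RS = "" } $7 == s { print $1 }' | tr -d '*!'
}

user=$(top_sasl_user "$SAMPLE_LOG")
echo "Most active SASL user: $user"
echo "Client IPs that authenticated as $user (count ip):"
auth_ips_for_user "$SAMPLE_LOG" "$user"
echo "Entries for /opt/zimbra/conf/postfix_blacklist:"
auth_ips_for_user "$SAMPLE_LOG" "$user" | blacklist_lines
echo "Queue IDs from $user (what 'postsuper -d -' would receive):"
queue_ids_for_sender "$SAMPLE_QUEUE" "$user"
```

On a real server replace the two samples with `cat /var/log/zimbra.log` and `/opt/zimbra/common/sbin/postqueue -p`, and review the blacklist and queue-ID lists before acting on them.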
Prevention
Prevention is divided into 2 parts:
- User level
- Server level
1) User-level precautions; all end users should take care of the following:
- Keep the workstation infection- and malware-free with updated AS/AV.
- Do not access Webmail on public PCs, as most of them are infected and the virus may steal login information and pass it to the spammer.
- Keep a strong password, including at least 1 upper-case and 1 lower-case letter, 1 special character and 1 number.
- Keep changing the password frequently, so that if there is any brute-force attack on the account, the script will either take a long time or won't be able to crack the password.
- Keep the workstation and Outlook updated with all patches and security updates.
- Keep upgrading ZCO.
- Do not share login credentials with anyone.
- Using 2FA is an added advantage.
- Do not open any unknown email or attachment that was not sent by a trusted source.
- Above all, do not open any executable files (.exe, .bat etc.); these could be viruses/malware which may harm your system badly.
2) Server-level precautions:
- Keep ZCS updated to the latest version and patch, since it includes all the performance and security-related updates that keep the server safe from major attacks.
- Keep a strong password policy so users can't set weak passwords; this prevents passwords from being cracked by brute-force attacks.
- Set password expiry as well, so users can't keep the same password for long.
- Keep the OS updated as well, because a vulnerability in an old version may affect the complete server, including ZCS.
- Secure the network with the help of a network engineer so that nobody can log in to the server and change the password of the admin or of any user for further spamming.
- 2A) Following are some basic ways by which we can prevent spamming to a considerable extent.
- i) Implementing the following wiki will prevent a hacker from relaying mail through the server MTA; without this setting the MTA will act like an open relay and a spammer can use our MTA to send mail. After the implementation, all users have to authenticate their accounts to send mail, otherwise the connection to the MTA itself won't be initiated.
https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5
- ii) Implementing the following, from the same wiki, will restrict unlisted senders and recipients (users which are not hosted or not present in LDAP will be prevented from sending and receiving mail).
https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5#Update_zimbraMtaSmtpdRejectUnlistedRecipient_.26_zimbraMtaSmtpdRejectUnlistedSender
- iii) Implementing the wiki below will notify the administrator (through any pre-defined e-mail address) of a potential brute-force attack on any account hosted by Zimbra, by looking at the authentication failure information.
https://wiki.zimbra.com/wiki/Zmauditswatch
Hence, once you receive the alert mail you can block those IPs in your firewall, or you can implement a 3rd-party application like fail2ban (fail2ban is a 3rd-party application which is not supported by Zimbra, hence take assistance from your system admin or the forums).
- Alternately, we can block those IPs on the Zimbra MTA as well; please refer to the wiki below for the implementation.
https://wiki.zimbra.com/wiki/Specific_Whitelist/Blacklist_per_IP
- iv) It is also important to have updated anti-spam rules; updated rules prevent spam more effectively, hence make sure the settings below are enabled if they are not already:
$ zmlocalconfig -e antispam_enable_rule_updates=true
$ zmlocalconfig -e antispam_enable_restarts=true
- v) Restrict executable files:
zmprov mcf +zimbraMtaBlockedExtension exe
zmprov mcf +zimbraMtaBlockedExtension bat
- vi) Tune the SpamTag and SpamKill percentages:
zmprov mcf zimbraSpamKillPercent 75
zmprov mcf zimbraSpamTagPercent 25
(The default for zimbraSpamTagPercent is 33, which means 33% of 20 = 6.6.)
- Example of the headers added to a message that scored above the tag level (X-Spam-Flag: YES, with score=5.888 against required=3 in X-Spam-Status):
Return-Path: <mail.tnvsbeqphrnatrhmpem@email.techtrnd.com>
Received: from edge03e.zimbra.com (LHLO edge03e.zimbra.com) (10.43.0.13) by
 mbs03e.zimbra.com with LMTP; Fri, 20 Sep 2019 10:10:05 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
 by edge03e.zimbra.com (Postfix) with ESMTP id CC65160327A
 for <amistry@zimbra.com>; Fri, 20 Sep 2019 10:07:22 -0400 (EDT)
X-Virus-Scanned: amavisd-new at zimbra.com
X-Spam-Flag: YES
X-Spam-Score: 5.888
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.888 required=3 tests=[BAYES_00=-0.05,
 DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293, DKIMWL_WL_MED=-0.001,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=2.75,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001]
 autolearn=no autolearn_force=no
Authentication-Results: edge03e.zimbra.com (amavisd-new);
 dkim=pass (1024-bit key) header.d=msgfocus.com header.b=Ch2nGc4z;
 dkim=pass (1024-bit key) header.d=email.techtrnd.com header.b=SuHyv5M/
Received: from edge03e.zimbra.com ([127.0.0.1])
 by localhost (edge03e.zimbra.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 5-s4ZPnNKenv for <amistry@zimbra.com>;
 Fri, 20 Sep 2019 10:07:21 -0400 (EDT)
Received: from mail116-79.us2.msgfocus.com (mail116-79.us2.msgfocus.com [185.187.116.79])
 by edge03e.zimbra.com (Postfix) with ESMTP id E35BA603278
 for <AMISTRY@ZIMBRA.COM>; Fri, 20 Sep 2019 10:07:20 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=msgf; d=msgfocus.com;
 h=Subject:X-Mailer:Message-ID:Reply-To:To:List-Unsubscribe:From:Date:MIME-Version:Content-Type;
 bh=ikFEdVyAQq1WoIdBffZJ3tLeMEo=;
 b=Ch2nGc4zxw2AThxqqqZiYD5W11Tr94h89D6JfBltYbrsb8yfF17pC0EC4+1cJptO4RypAKYa2MMN
 fZVYTbABSRKrTCIXT0R/el8uF6lpWzJwGy3FEf8HwWcKO3M0y0IvgxKhysCJD+aw/ECT/4kx0UHe
 +yFKtORN0GP3z+jFwfk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.techtrnd.com; s=msgf;
 t=1568988596; bh=/JDQ0rvggKcM0iK+5qAd2BC7aLE18wvm2WnlonkYQK8=;
 h=Subject:X-Mailer:Message-ID:Reply-To:To:List-Unsubscribe:From:
 Date:MIME-Version:Content-Type;
 b=SuHyv5M/gWhikMWkKhiQYxbG41AcDmxQQhJf7FsBTlfDKqrxDavvdObgMUpz4IhEB
 3io2Uf+h1qaO+W/K4SulUaqZ6ZBwuxyxSnOn7HYnX4OLqKM9MBcRvUZ/Cz3eA5IwgB
 2Eu+OsSF5BYyz1RWb06/qHGMUhayA+dEjWDgvbLU=
Subject: Join IEEE, get the rest of 2019 free
X-Mailer: MessageFocus v2 launch
Message-ID: <YTYb3-7BWvIDJ96-atnB-18k7sjoQe25Z99nr@email.techtrnd.com>
Reply-To: mail.tnvsbeqphrnatrhmpem@email.techtrnd.com
To: AMISTRY@ZIMBRA.COM
List-Unsubscribe:
 <mailto:mail.tnvsbeqphrnatrhmpem@email.techtrnd.com?subject=Unsubscribe>
From: IEEE <IEEE@email.techtrnd.com>
Date: Fri, 20 Sep 2019 15:09:56 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--1C593B4808655498F3042C88CC"
- vii) Along with the updated spam rules, it is even more important to check which server the mail has been received from. A legitimate email server takes all possible precautions to keep itself genuine, hence while receiving mail the following parameters are checked, and if any of them is not met, the mail may be considered spam.
zmprov mcf \
  zimbraMtaRestriction reject_invalid_hostname \
  zimbraMtaRestriction reject_non_fqdn_hostname \
  zimbraMtaRestriction reject_non_fqdn_sender \
  zimbraMtaRestriction reject_invalid_helo_hostname \
  zimbraMtaRestriction reject_unknown_client_hostname \
  zimbraMtaRestriction reject_unknown_helo_hostname \
  zimbraMtaRestriction reject_unknown_sender_domain
Note that zmprov mcf without a leading + replaces the whole existing value list of zimbraMtaRestriction, so either put every restriction you want (these, the RBL entries in ix) and the check_client_access map from the Fix section) into one command, or add to the existing list with +zimbraMtaRestriction. Also, reject_unknown_client_hostname rejects any client whose IP has no matching PTR record, which includes some legitimate senders, so watch the rejections in zimbra.log after enabling it.
- viii) Implement SPF, DKIM and DMARC for better protection; they have also become the universal standard checks applied by remote servers while accepting mail, so the chances of getting a poor spam score at the remote end are reduced.
https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC
- ix) Also, along with the local anti-spam rules, it is important to refer to the lists maintained by some reputed and effective RBLs.
- An RBL is a Real-time Blackhole List, which maintains data collected globally, such as IPs that tend to send spam, new spamming trends, already blacklisted domains, email addresses etc. This helps to identify spam easily and immediately, before it is scanned by the local AS/AV, hence there is no need to maintain local rules and spam can be eliminated more effectively.
- Thus, including such effective and reputed RBLs in our configuration will help to control spamming more effectively.
- Below are some selected RBLs I've used; you can also include your favorite RBLs as per your choice.
zmprov mcf zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
  zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
  zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
  zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
  zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \
  zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
  zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" \
  zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org" \
  zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org" \
  zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com" \
  zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org" \
  zimbraMtaRestriction "reject_rhsbl_sender rhsbl.sorbs.net"
Check that each list is still in service before enabling it: a list that no longer answers adds a DNS timeout to every inbound connection, and a list that has been retired by answering positively for every query would reject all inbound mail.
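Before enabling any list from the command above, it is worth confirming that it still behaves as a DNSBL. The script below is an added example, not part of the wiki: it builds the reversed-IP query name that reject_rbl_client sends and applies the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not); it assumes dig is installed and only contacts the lists when run with --online.

```shell
#!/bin/sh
# Added example, not code from the wiki: sanity-check a DNSBL before putting
# it into zimbraMtaRestriction.  reject_rbl_client looks up the reversed IP
# under the list zone (185.187.116.79 -> 79.116.187.185.zen.spamhaus.org);
# per RFC 5782 a live list answers for 127.0.0.2 and not for 127.0.0.1.
# Assumes `dig` is installed; only --online performs network queries.

# Query name for an IP-based list (reject_rbl_client): reversed octets + zone.
rbl_query_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Query name for a domain-based list (reject_rhsbl_client / reject_rhsbl_sender).
rhsbl_query_name() {
    printf '%s.%s\n' "$1" "$2"
}

# Classify a "dig +short" answer.  A listing is an A record in 127.0.0.0/8;
# Spamhaus signals refused queries (public resolver, volume) with 127.255.255.x.
classify_answer() {
    hit=$(printf '%s\n' "$1" | grep -E '^127\.' | head -n 1)
    case "$hit" in
        '')             echo "not-listed" ;;
        127.255.255.*)  echo "error $hit" ;;
        *)              echo "listed $hit" ;;
    esac
}

# Live lookup (network): classified answer for one query name.
dnsbl_lookup() {
    classify_answer "$(dig +short +time=3 +tries=1 A "$1" 2>/dev/null || true)"
}

# Verdict from the two RFC 5782 probes; pure, so it can be checked without DNS.
# $1 zone, $2 result for 127.0.0.2, $3 result for 127.0.0.1
rbl_verdict() {
    case "$2/$3" in
        error*|*/error*)    echo "$1: QUERY-REFUSED (use a local, non-public resolver)" ;;
        listed*/not-listed) echo "$1: OK" ;;
        not-listed/*)       echo "$1: NOT-ANSWERING (dead or unreachable; would only add DNS timeouts)" ;;
        *)                  echo "$1: LISTS-EVERYTHING (retired list; would reject all inbound mail)" ;;
    esac
}

# Probe one zone with both test addresses and print the verdict.
check_rbl_alive() {
    rbl_verdict "$1" \
        "$(dnsbl_lookup "$(rbl_query_name 127.0.0.2 "$1")")" \
        "$(dnsbl_lookup "$(rbl_query_name 127.0.0.1 "$1")")"
}

# Probe the IP-based lists from the wiki's command only when run with --online.
if [ "${1:-}" = "--online" ]; then
    for zone in dnsbl.njabl.org cbl.abuseat.org bl.spamcop.net dnsbl.sorbs.net \
                sbl.spamhaus.org zen.spamhaus.org psbl.surriel.com b.barracudacentral.org; do
        check_rbl_alive "$zone"
    done
fi
```

Run it from the MTA host itself with its own resolver; Spamhaus in particular answers with an error code rather than a listing when queried through a public resolver.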
Submitted by: Amol Mistry