How spam filtering works in Zimbra

Spam and unsolicited mailings are a real headache for the specialist who administers an organization's mail server. Besides the direct threats to information security, a large volume of spam loads the server and inconveniences the company's employees. Zimbra OSE is protected from spam by filtering: unwanted messages are recognized before they reach the recipient's Inbox. Let's look at how spam filtering works in Zimbra.


Spam filtering in Zimbra OSE is handled by a whole security system: the ClamAV antivirus, the SpamAssassin spam filter, and amavisd-new, the interface that connects them to Postfix. Each component solves its own problem, and together they provide protection against unwanted messages. The system works as follows:

  1. New incoming mail arrives at Postfix.
  2. Postfix hands the message to amavisd-new.
  3. amavisd-new forwards the message to ClamAV and SpamAssassin.
  4. ClamAV checks the message for viruses and issues a verdict on whether it is infected.
  5. SpamAssassin checks the message for spam and assigns it a score using its rules and self-learning algorithms.
  6. amavisd-new collects the results from ClamAV and SpamAssassin and reports the final verdict on the message to Postfix.
  7. Depending on that verdict, the message is delivered to the user, placed in the "Spam" folder, sent to the antivirus quarantine mailbox, or deleted outright.

Despite the apparent simplicity of this design, it hides many nuances, mostly related to how the anti-spam component operates. The built-in ClamAV antivirus updates its virus signature database automatically and regularly, and works well right after installation. Messages that ClamAV recognizes as infected are sent to a special quarantine mailbox; in our case it is virus-quarantine.1js1jqtmkn@madegirah.ru. You can log in to this mailbox and inspect the contents of the blocked messages.

In the administrator console you can configure how often the antivirus databases are updated, whether messages containing encrypted archives are blocked, and whether users are notified that a message addressed to them was blocked. The default settings are visible in the screenshot.

SpamAssassin, on the other hand, is installed without any trained database: before it starts recognizing spam, it must either be trained or be given a ready-made set of rules by hand. The reason is that training the anti-spam system requires direct access to the contents of the correspondence, and publishing the results of that training could leak confidential data. To install a ready-made rule set for SpamAssassin, copy the file containing the rules to the /opt/zimbra/data/spamassassin/rules/ folder and restart SpamAssassin. We recommend the Russian-language rule set from Ru_Wentor for filtering spam. For self-training of SpamAssassin's Bayesian filter, it is recommended to use at least 200 spam messages and at least 200 non-spam messages.

So that SpamAssassin's Bayesian filter can be trained, two system mailboxes with obfuscated names are created during Zimbra OSE installation; in our case they are ham.iuu9hzkmsj@madegirah.ru and spam.nao0yu9s@madegirah.ru. The spam system mailbox receives every message that server users mark as spam. This works from both the Zimbra OSE web client and over IMAP. By analyzing the messages collected in this mailbox, SpamAssassin learns and subsequently detects spam more effectively.

The ham system mailbox collects messages that SpamAssassin classified as spam but which are not. Messages end up there when users manually move them from the Spam folder to another mail folder; again, this works from both the Zimbra OSE web client and over IMAP. By analyzing the messages in this mailbox, SpamAssassin likewise learns and subsequently recognizes legitimate mail more effectively. Quotas are disabled for both mailboxes, so every message that users flag is guaranteed to reach them.

Messages are scored against the loaded rules: a match with a spam rule raises the message's score, while a match with a ham rule lowers it. A message's score can range from -20 to 20; the higher the score, the more likely the message really is spam. In the administration console you can configure what happens to messages at different scores. The thresholds are set as a percentage of that 20-point scale: by default, messages that reach 75% (15 points) or more are deleted automatically, and messages that reach 33% (6.6 points) or more are marked as spam and moved to the user's Spam folder. You can also specify, in the administrator console, a prefix that will appear in the headers of spam messages.

You can see the score SpamAssassin assigned by right-clicking the message in the web client and choosing "Show original" from the context menu. The score appears in the X-Spam headers, for example:

X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Level:
X-Spam-Status: No, score=-0.8 required=6.6 tests=[ALL_TRUSTED=-1, DKIM_INVALID=0.1, DKIM_SIGNED=0.1] autolearn=no autolearn_force=no
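To make the thresholds concrete, here is an added example (my own script, not part of the article or of Zimbra) that reads the X-Spam-Score header from a message file and applies the same decision amavisd-new makes: discard at or above the kill threshold, tag as spam at or above the tag threshold, otherwise deliver. It assumes, as the figures above show, that a percentage threshold maps linearly onto the 20-point scale (75% is 15 points, 33% is 6.6 points). The function names and the sample messages are constructed for this example.

```shell
#!/bin/sh
# Added example, not Zimbra's own code: apply the score thresholds described
# above to the X-Spam-Score header that SpamAssassin/amavisd-new adds.
# The admin console stores thresholds as a percentage of the 20-point scale,
# so 75% -> 15 points (discard) and 33% -> 6.6 points (tag as spam).
LC_ALL=C; export LC_ALL   # keep awk's decimal point a "." regardless of locale
SCALE_MAX=20

# percent_to_points PERCENT -> points on the 20-point scale (one decimal)
percent_to_points() {
    awk -v p="$1" -v m="$SCALE_MAX" 'BEGIN { printf "%.1f\n", p / 100 * m }'
}

# spam_score_of FILE -> value of the X-Spam-Score header, or nothing if absent.
# Only the header block (up to the first blank line) is inspected, so an
# "X-Spam-Score:" string inside the body cannot influence the result.
spam_score_of() {
    awk 'NF == 0 { exit }
         tolower($1) == "x-spam-score:" { print $2; exit }' "$1"
}

# spam_action FILE KILL_PERCENT TAG_PERCENT
#   -> "discard" | "spam-folder" | "inbox" | "unscored"
spam_action() {
    score=$(spam_score_of "$1")
    if [ -z "$score" ]; then
        echo "unscored"   # e.g. a whitelisted message that amavisd-new never scanned
        return 0
    fi
    kill_pts=$(percent_to_points "$2")
    tag_pts=$(percent_to_points "$3")
    awk -v s="$score" -v k="$kill_pts" -v t="$tag_pts" 'BEGIN {
        if (s >= k)      print "discard"
        else if (s >= t) print "spam-folder"
        else             print "inbox"
    }'
}

# Constructed sample messages (header values invented for this example).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/clean.eml" <<'EOF'
X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Status: No, score=-0.8 required=6.6 tests=[ALL_TRUSTED=-1] autolearn=no
Subject: constructed clean message

X-Spam-Score: 99  (a line in the body, ignored because it is after the headers)
EOF
cat > "$SAMPLES/tagged.eml" <<'EOF'
X-Spam-Flag: YES
X-Spam-Score: 7.2
Subject: constructed message that scores between 6.6 and 15 points

body
EOF
cat > "$SAMPLES/killed.eml" <<'EOF'
X-Spam-Score: 16.5
Subject: constructed message above the 75% kill threshold

body
EOF
printf 'Subject: constructed message with no spam headers\n\nbody\n' > "$SAMPLES/unscanned.eml"

# Run the classifier with Zimbra's default thresholds (75% kill, 33% tag).
for f in clean tagged killed unscanned; do
    printf '%-10s -> %s\n' "$f" "$(spam_action "$SAMPLES/$f.eml" 75 33)"
done
```

The "unscored" branch is worth keeping in a real tool: a message with no X-Spam headers is not clean, it simply never went through SpamAssassin (for instance because amavisd-new whitelisted it), and treating that as "inbox" silently would hide the difference.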

The message source also contains a header recording that the message passed through the virus scanner:

X-Virus-Scanned: amavisd-new at madegirah.ru

amavisd-new also supports black and white lists. A message whitelisted in amavisd-new is not scanned for viruses or spam but is delivered straight to the recipient's Inbox. A message from a blacklisted sender is likewise not scanned and is deleted immediately. Creating such lists is described in detail in one of our previous articles.

Thus, at the server level the Zimbra OSE administrator has three ways to block spam:

  1. Building blacklists
  2. Training SpamAssassin
  3. Adjusting the score thresholds for messages

Today's spammers have learned to send their mailings from reputable domains, which makes blacklisting useless, while aggressive filtering based on message scores risks dropping an important business email. That is why the most reliable, though also the most labor-intensive, approach is to train SpamAssassin.

To avoid starting SpamAssassin training from scratch every time you deploy a new Zimbra OSE server, regularly back up the database built up during training. This is done with a command of the form /opt/zimbra/common/bin/sa-learn --dbpath /opt/zimbra/data/amavisd/.spamassassin --backup >> /tmp/sa.db. The database can later be restored from the backup with a command of the form /opt/zimbra/common/bin/sa-learn --dbpath /opt/zimbra/data/amavisd/.spamassassin --restore /tmp/sa.db. Do not forget to restart amavisd-new or the whole mail server after restoring, using zmamavisdctl restart or zmcontrol restart respectively.
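As an added example of the backup-and-restore routine just described (my own script, not a Zimbra tool), the following writes each dump to its own timestamped file instead of appending to one file, refuses to keep a dump that contains no trained tokens (so a run against an untrained or wrong database cannot quietly replace good backups), prunes old copies, and restarts amavisd-new after a restore. The SA_LEARN, ZMAMAVISDCTL, BAYES_DB, BACKUP_DIR and KEEP variables are assumptions for this example, defaulting to the paths and commands named above; the token check relies on the tab-separated dump format that sa-learn --backup produces, in which token records begin with "t".

```shell
#!/bin/sh
# Added example, not a Zimbra script: back up the SpamAssassin Bayes database
# to a timestamped file, refuse to keep a dump that contains no trained tokens,
# prune old dumps, and restore with an amavisd-new restart afterwards.
# All variables below are assumptions for this example; the defaults are the
# paths and commands named in the article. Override them in the environment.
SA_LEARN=${SA_LEARN:-/opt/zimbra/common/bin/sa-learn}
ZMAMAVISDCTL=${ZMAMAVISDCTL:-zmamavisdctl}
BAYES_DB=${BAYES_DB:-/opt/zimbra/data/amavisd/.spamassassin}
BACKUP_DIR=${BACKUP_DIR:-/tmp/sa-bayes-backups}
KEEP=${KEEP:-7}          # how many dumps to retain

# bayes_backup -> prints the path of the new dump on success, returns 1 on failure
bayes_backup() {
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/sa-bayes-$(date +%Y%m%d-%H%M%S).db"
    # Dump to a temporary name first, so a failed or interrupted run never
    # leaves behind a file that looks like a good backup.
    if ! "$SA_LEARN" --dbpath "$BAYES_DB" --backup > "$out.tmp"; then
        rm -f "$out.tmp"
        echo "sa-learn --backup failed" >&2
        return 1
    fi
    # sa-learn's dump is tab-separated; token records start with "t".
    # A dump with no token lines means an untrained (or wrong --dbpath)
    # database and must not displace the older, good backups.
    if ! grep -q '^t' "$out.tmp"; then
        rm -f "$out.tmp"
        echo "dump contains no Bayes tokens, keeping previous backups" >&2
        return 1
    fi
    mv "$out.tmp" "$out"
    # Retention: keep only the newest $KEEP dumps.
    ls -1t "$BACKUP_DIR"/sa-bayes-*.db 2>/dev/null | tail -n +$((KEEP + 1)) |
        while read -r old; do rm -f "$old"; done
    echo "$out"
}

# bayes_restore FILE -> load the dump, then restart amavisd-new so it is picked up
bayes_restore() {
    if [ ! -s "$1" ]; then
        echo "backup file missing or empty: $1" >&2
        return 1
    fi
    "$SA_LEARN" --dbpath "$BAYES_DB" --restore "$1" && "$ZMAMAVISDCTL" restart
}

# Usage: sa-bayes-backup.sh backup | restore FILE  (run as the zimbra user)
case "${1:-}" in
    backup)  bayes_backup ;;
    restore) bayes_restore "$2" ;;
esac
```

Run the backup from the zimbra user's crontab so the dumps land somewhere that is itself backed up; /tmp, as in the command above, is fine for a one-off migration but not as the only copy of months of training.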

Zimbra OSE users can block spammers themselves: in the "Mail" section of the Zimbra OSE web client settings, a user can add up to 100 addresses and domains to a personal blacklist. There is also a zimlet that lets you block the sender of an unwanted message directly from the message's context menu. This extension is compatible with Zimbra OSE 8.8.15 and 9, but it is developed and supported by the community, so it is not guaranteed to work in future versions of Zimbra.

To install it, download the zimlet distribution as a .zip file, change to the folder containing the downloaded file, and deploy it with the command zmzimletctl deploy com_cloudtemple_senderblocker.zip. After that, run zmprov fc zimlet to flush the zimlet cache, and the zimlet is ready to use.

For all questions related to Zextras Suite Pro and Team Pro, you can contact the Representative of Zextras Technology Ekaterina Triandafilidi by e-mail ekaterina.triandafilidi@zextras.com
