Koozali.org: home of the SME Server

Increase in Spam

Offline dave simmons

« on: March 31, 2014, 12:03:09 PM »
In the last couple of weeks the amount of incoming spam getting passed through our server has increased noticeably.  By this I mean that users are receiving spam from senders which used to be blocked by the spam filter. 

I have looked in the junkmail folders and there are examples of the same sort of mail from the same sender which used to score 6 or more (spam level is set at 5 in server-manager) and which are now scoring 0.4 - 0.6.

Server is 8 without extra contribs, all updates applied.

Not a big problem, but has anyone else noticed this?  What could have changed?  Or is it something the spammers have changed?

Edit:  I've been looking in the documentation to see how I can block particular domains (all the spam is coming from 3 domains).  It's not clear to me how to do this.

I've also seen the Email Whitelist/Blacklist contrib but note that it is no longer supported so haven't wanted to risk installing.

If someone could post the correct syntax to block all mail from a domain, I would be very grateful  :)
« Last Edit: March 31, 2014, 01:59:32 PM by dave simmons »

Offline mmccarn

« Reply #1 on: April 01, 2014, 05:45:34 AM »
For what it's worth -

I've (twice in 10 - 12 years) seen an improvement in spam filtering after deleting the bayes database and letting it rebuild -- presumably due to some sort of bayes poisoning.

Other than that, I've recently (the last 6 - 12 months) seen an increase in SPAM with correct SPF and DKIM information -- presumably relayed by a spammer through a "real" mail server that's been compromised.

And, if you haven't done so recently you may want to review your RBL List selections - some of the servers that are configured by default in SME 8 are no longer active.

Offline crazybob

« Reply #2 on: September 10, 2014, 09:46:50 PM »
Where is the bayes database located? Looking to delete it, but don't know where it is.
TAI

Bob
If you think you know what's going on, you obviously have no idea what's going on!

Offline mmccarn

« Reply #3 on: September 11, 2014, 12:17:23 AM »
Check your bayes stats using:
Code:
sa-learn --dump magic
The database is in /var/spool/spamd/.spamassassin/bayes

Turn bayes OFF, delete your database, create an empty database, and turn bayes back on:
Code:
# turn bayes off and regenerate the mail configuration
config setprop spamassassin UseBayes 0
signal-event email-update
# delete the database files; quoting 'rm' bypasses any shell alias such as rm -i
'rm' /var/spool/spamd/.spamassassin/bayes*
# turn bayes back on and rebuild local.cf
config setprop spamassassin UseBayes 1
expand-template /etc/mail/spamassassin/local.cf
# create a new, empty database
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
# restore ownership and permissions for the spamd user
chown spamd:spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd:spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_*
signal-event email-update

Note: I don't know if all of the 'disable'/'recreate'/'enable' stuff is necessary, and I haven't tested this exact command.

Most of the above command was taken from http://wiki.contribs.org/Email#Bayesian_Autolearning
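
An added example, not part of mmccarn's post or the wiki: a small filter that reads `sa-learn --dump magic` output and reports whether the Bayes database has enough learned mail to affect scores, which matters right after a reset. It assumes SpamAssassin's default thresholds of 200 spam and 200 ham (`bayes_min_spam_num` / `bayes_min_ham_num`); the function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `sa-learn --dump magic` output read from stdin.
# On a live server:  sa-learn --dump magic | bayes_summary
# BAYES_MIN defaults to 200, SpamAssassin's default minimum for both
# learned spam and learned ham before Bayes contributes to the score.

bayes_summary() {
    awk -v min="${BAYES_MIN:-200}" '
        /non-token data: nspam$/   { nspam = $3 }
        /non-token data: nham$/    { nham = $3 }
        /non-token data: ntokens$/ { ntokens = $3 }
        END {
            # No counters at all: database missing or unreadable.
            if (nspam == "" || nham == "") { print "no-database"; exit }
            state = "learning"
            if (nspam + 0 >= min && nham + 0 >= min) state = "active"
            printf "%s nspam=%d nham=%d ntokens=%d\n", state, nspam, nham, ntokens
        }'
}

# Constructed sample: a database that has been learning for a while.
sample_trained() {
    cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0       1234          0  non-token data: nspam
0.000          0       5678          0  non-token data: nham
0.000          0     123456          0  non-token data: ntokens
EOF
}

# Constructed sample: shortly after the database was deleted and recreated.
sample_after_reset() {
    cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0          3          0  non-token data: nspam
0.000          0         41          0  non-token data: nham
0.000          0       2210          0  non-token data: ntokens
EOF
}

sample_trained | bayes_summary
sample_after_reset | bayes_summary
```

A `learning` result after a reset is expected: Bayes adds nothing to the score until both counters pass the minimum, so filtering may look no better at first.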

Offline crazybob

« Reply #4 on: September 11, 2014, 01:13:17 AM »
Thanks. Now I will wait and see what happens.

Offline janet

« Reply #5 on: September 11, 2014, 03:37:36 AM »
dave simmons

Quote
I've also seen the Email Whitelist/Blacklist contrib but note that it is no longer supported so haven't wanted to risk installing.

The Email WBL contrib installs OK on sme8 or 8.1.
Its effectiveness has been reduced somewhat by changes/improvements in sme server, but you can still use it safely & it may assist you to reduce the spam by blocking certain groups of senders etc.

Edit: Remember this contrib is just a GUI interface to the config files that exist in sme server, so you can change these files directly at the command line, followed by signal-event email-update or signal-event post-upgrade; signal-event reboot.
Looking at http://wiki.contribs.org/Email_Whitelist-Blacklist_Control
You are probably wanting to edit the qmail badmailfrom file,
which is located at
/var/qmail/control/...
Edit it to include
@spamdomain.com
one entry per line.
End of edit.

Remember it's a game of cat chasing the dog or dog chasing the cat, you block & spammers change their tactics etc, but the WBL contrib can help if you want to do the chasing. These comments apply to any type of blocking mechanism.

Also look at this
http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Block_incoming_IP_address
« Last Edit: September 11, 2014, 04:06:30 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline crazybob

« Reply #6 on: September 11, 2014, 02:48:19 PM »
The situation has improved greatly after following mmccarn's instructions.

Thanks to all