Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: katumba on March 28, 2012, 08:32:08 PM

Title: SPAM settings
Post by: katumba on March 28, 2012, 08:32:08 PM
Anyone noticing a big uptick in the amount of spam they're getting?  I've tried all the settings here:
http://www.sonoracomm.com/index.php?option=com_content&task=view&id=49&Itemid=32
and
http://wiki.contribs.org/Email
I've got spam settings set to 'very high' under 'email settings'
and still all users get a ton of spam.

Any help? Are these RBL sites out of date: zen.spamhaus.org:whois.rfc-ignorant.org:dnsbl.njabl.org  ??
Thanks!
Kat
Title: Re: SPAM settings
Post by: cactus on March 29, 2012, 07:18:20 PM
Did you already analyze the message headers? Are the messages more or less the same or do they differ a lot? Are they long or very short? Do they contain text or only/mainly images?
Title: Re: SPAM settings
Post by: katumba on March 29, 2012, 11:16:09 PM
Thanks for replying.  They really seem to be all over the map.  Some are embedded jpegs, yes. Most are the lovely Viagra crap.  A bunch of the African rich dude, etc. etc.  I have been adding them to the blacklist, but since the addresses are always so different, it doesn't seem to help.
Title: Re: SPAM settings
Post by: chris burnat on March 30, 2012, 12:37:15 AM
Have you checked your logs to see how spam mails are being handled?
Take a couple of them and track them down.

It would also be useful to see the headers of a couple of samples, as suggested by Cactus:
X-Spam-Level:
X-Spam-Status:
tests=
Title: Re: SPAM settings
Post by: katumba on March 30, 2012, 01:37:25 AM
This is one that got through:

From:    Harri Nyhagen <harrihpkmva@hotmail.com>
Importance:    Normal
In-Reply-To:    <BLU161-W46ED46B06C8B17B7EB602ED84B0@phx.gbl>
MIME-Version:    1.0
Message-ID:    <BAY163-W341DD8750B0B9E28CEFA3EA6480@phx.gbl>
Received:    
(qmail 20221 invoked by alias); 29 Mar 2012 21:35:33 -0000
(qmail 20218 invoked by uid 453); 29 Mar 2012 21:35:33 -0000
from bay0-omc3-s5.bay0.hotmail.com (HELO bay0-omc3-s5.bay0.hotmail.com) (65.54.190.143) by lvd.local (qpsmtpd/0.83) with ESMTP; Thu, 29 Mar 2012 14:35:30 -0700
from BAY163-W34 ([65.54.190.189]) by bay0-omc3-s5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 29 Mar 2012 14:35:28 -0700
References:     <201203040820.q23D7EbD020422@po1.oninet.ne.jp>,<SNT141-W114BA4428FBB27C4DB5BCABA530@phx.gbl>,<BAY151-W6A6400250F99DD62E01A2A3550@phx.gbl>,<SNT136-W19D797B2526A7CF134926ECA5B0@phx.gbl>,<SNT139-W291B09056A58AB5A8DB154BE5B0@phx.gbl>,<COL103-W14015CE476899CAB74502DC35E0@phx.gbl>,<BLU153-W52E474DEDA5FF91BEBA66CC5F0@phx.gbl>,<COL102-W143E79AC5B6772AD059E5BC75F0@phx.gbl>,<BLU153-W32376E3C616829F305EAE4CC5C0@phx.gbl>,<COL102-W655CD4C26D45BEC88D2F15C75C0@phx.gbl>,<BLU153-W557A8C1E1ABABDD1177DB7CC5C0@phx.gbl>,<COL102-W59C0DC07A7C8EDED02B2BEC75C0@phx.gbl>,<BLU153-W1848D9EDD43C4DFE737E71CC5D0@phx.gbl>,<COL102-W9991DFF4A96286301590AC75D0@phx.gbl>,<BLU153-W44EE62A1C933C95B35E84BCC5D0@phx.gbl>,<COL102-W31D5D798CFA06986628B52C75D0@phx.gbl>,<BLU153-W517919C6DF9C1BCABC25C7CC420@phx.gbl>,<COL102-W55114BC05653143D601DB0C7420@phx.gbl>,<BLU153-W33A978C077EB0C3580C4DFCC420@phx.gbl>,<COL102-W6576CC07D2B6F245DB434C7420@phx.gbl>,<BLU153-W5AC0020B0BBE555346A94CC430@phx.gbl>,<COL102-W277C6B8417C64BEC6FAFE6C741 ,,0@phx.gbl>,<BAY154-W6010A361D25AC9FD31F1B9A64A0@phx.gbl>,<BLU161-W46ED46B06C8B17B7EB602ED84B0@phx.gbl>
Return-Path:    
<harrihpkmva@hotmail.com>
harrihpkmva@hotmail.com
Subject:    Оl' Gооd Сiаls - Маkеs Yоu Frеvеr Yоung!
To:    cabello@lastudio.es
X-OriginalArrivalTime:    29 Mar 2012 21:35:28.0324 (UTC) FILETIME=[DC068040:01CD0DF3]
X-Originating-IP:    [189.166.129.88]
X-Spam-Check-By:    lvd.local
X-Spam-Level:    *
X-Spam-Status:    No, hits=-98.6 required=1.0 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS,T_RP_MATCHES_RCVD,USER_IN_WHITELIST
X-Virus-Checked:    Checked by ClamAV on lvd.local

I'm not familiar with how the X-Spam level works...

Here is one that got flagged into junkmail folder:

To:    mail@kaspervankooten.nl
X-Accept-Language:    en-us
X-Antivirus:    avast! (VPS 120329-1, 29/03/2012), Outbound message
X-Antivirus-Status:    Clean
X-Spam-Check-By:    lvd.local
X-Spam-Flag:    YES
X-Spam-Level:    **
X-Spam-Status:    Yes, hits=2.5 required=1.0 tests=BAYES_50,HTML_FONT_FACE_BAD,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY
X-Virus-Checked:    Checked by ClamAV on lvd.local
Title: Re: SPAM settings
Post by: katumba on March 30, 2012, 02:30:02 AM
Another that got through:

Subject:    Rаlizе Yоurеlf Аs Тhе Rеаl Реsоn With Suреr Vigrа.
To:    angel@lasttourinternational.com
X-OriginalArrivalTime:    30 Mar 2012 00:27:43.0190 (UTC) FILETIME=[EC15E760:01CD0E0B]
X-Originating-IP:    [189.214.152.240]
X-Spam-Check-By:    lvd.local
X-Spam-Level:    *
X-Spam-Status:    No, hits=-101.0 required=1.0 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS,T_RP_MATCHES_RCVD,USER_IN_WHITELIST
X-Virus-Checked:    Checked by ClamAV on lvd.local
Title: Re: SPAM settings
Post by: janet on March 30, 2012, 02:57:26 AM
katumba

Quote
Any help? are these RBL sites out of date: zen.spamhaus.org:whois.rfc-ignorant.org:dnsbl.njabl.org  ??

These are conservative safe lists.
You could add more RHSBL & DNSBL lists, but only add one at a time and wait for a while, e.g. a week or a month, to see the effects that additional list has on email/spam.
Then add more lists if still necessary.
Read about each list at their respective web site to see what they exclude etc. Some are VERY aggressive and block whole domains eg all of hotmail & so on.

See the FAQ (Email section) starting here
http://wiki.contribs.org/Updating_to_SME_7.2#RHSBL_Servers
Title: Re: SPAM settings
Post by: chris burnat on March 30, 2012, 03:15:37 AM
For mail trapped as spam:
X-Spam-Status:    Yes, hits=2.5 required=1.0

For mail going thru:
X-Spam-Status:    No, hits=-101.0 required=1.0
X-Spam-Status:    No, hits=-98.6 required=1.0

Noticed the negative hit? This type of -100 score AFAIK is the result of whitelisting or suchlike. The question is: what have you done to your system recently, just before spam started to swamp you? If you did nothing, then it may be a bug; Bugzilla is your friend. Open a bug report.
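An added example (not part of the original post or of SME Server) that applies the check described above to the three X-Spam-Status lines posted in this thread: it removes the whitelist contribution and reports whether the message would otherwise have reached the required score. The -100 value is SpamAssassin's stock score for USER_IN_WHITELIST and is assumed unchanged on this server; the function and variable names are illustrative.

```python
import re

# Stock SpamAssassin score for USER_IN_WHITELIST. Assumed unchanged on this
# server; a local score override would need the real value here.
WHITELIST_SCORES = {"USER_IN_WHITELIST": -100.0}

STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*hits=(?P<hits>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)(?:\s+tests=(?P<tests>\S*))?"
)

# The three X-Spam-Status lines posted in this thread (unfolded, as shown).
SAMPLES = [
    "X-Spam-Status:    No, hits=-98.6 required=1.0 tests=BAYES_00,FREEMAIL_FROM,"
    "HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,"
    "RCVD_IN_DNSWL_NONE,SPF_PASS,T_RP_MATCHES_RCVD,USER_IN_WHITELIST",
    "X-Spam-Status:    No, hits=-101.0 required=1.0 tests=BAYES_00,FREEMAIL_FROM,"
    "HTML_MESSAGE,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS,T_RP_MATCHES_RCVD,"
    "USER_IN_WHITELIST",
    "X-Spam-Status:    Yes, hits=2.5 required=1.0 tests=BAYES_50,"
    "HTML_FONT_FACE_BAD,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY",
]


def analyze(line):
    """Parse one X-Spam-Status line and undo the whitelist scoring."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "x-spam-status":
        return None
    m = STATUS_RE.match(value.strip())
    if m is None:
        return None
    hits, required = float(m["hits"]), float(m["required"])
    tests = [t for t in (m["tests"] or "").split(",") if t]
    wl = [t for t in tests if t in WHITELIST_SCORES]
    adjusted = round(hits - sum(WHITELIST_SCORES[t] for t in wl), 1)
    return {
        "hits": hits,
        "required": required,
        "whitelist_rules": wl,
        "adjusted": adjusted,
        # True when only the whitelist kept the message under the threshold.
        "masked": hits < required <= adjusted,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```

A result with "masked" set means the whitelist entry alone decided delivery, so the whitelist is the setting to review for that message.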
Title: Re: SPAM settings
Post by: katumba on March 30, 2012, 04:13:52 PM
Quote
katumba

These are conservative safe lists.
You could add more RHSBL & DNSBL lists, but only add one at a time and wait for a while, e.g. a week or a month, to see the effects that additional list has on email/spam.
Then add more lists if still necessary.
Read about each list at their respective web site to see what they exclude etc. Some are VERY aggressive and block whole domains eg all of hotmail & so on.

See the FAQ (Email section) starting here
http://wiki.contribs.org/Updating_to_SME_7.2#RHSBL_Servers

Thank you. Will try that.
Title: Re: SPAM settings
Post by: katumba on March 30, 2012, 04:15:13 PM
Quote
For mail trapped as spam:
X-Spam-Status:    Yes, hits=2.5 required=1.0

For mail going thru:
X-Spam-Status:    No, hits=-101.0 required=1.0
X-Spam-Status:    No, hits=-98.6 required=1.0

Noticed the negative hit? This type of -100 score AFAIK is the result of whitelisting or suchlike. The question is: what have you done to your system recently, just before spam started to swamp you? If you did nothing, then it may be a bug; Bugzilla is your friend. Open a bug report.

Nothing changed on system.  Just slow progression of more and more spam.  Will research the x-spam score. Know what I'm looking for now. Thanks.