Zimbra anti-spam improvements

Last modified date

Comments: 2

The built in Zimbra anti-spam system is quite a neat bundle of Amavisd-new, SpamAssassin and ClamAV with some fancy automated ham/spam training based on messages being moved in and out of a “Junk” mailbox under each user’s account, but it lacks a few nice to have extra features. Luckily, it’s quite easy to enhance the Zimbra Amavisd and SpamAssassin with a new plugins such as DCC, Pyzor and Razor as well as enabling SPF record checking and turning on DSPAM.

Zimbra includes DSPAM as well, but doesn’t use it by default. You can change this quite simply by updating the Zimbra LDAP configuration with the following:

zmlocalconfig -e amavis_dspam_enabled=true

I’d recommend upgrading to 6.0.5 if you are going to use DSPAM as there are annoying bugs in earlier versions such as needing to chown the DSPAM folder as zmfixperms used to set the permissions incorrectly. There is also an updated version of DSPAM in Zimbra 6.0.5.
The beauty of DSPAM with Zimbra is that the zmtrainsa utility run nightly on the spam/ham mailboxes also trains DSPAM from the same messages.

Now I’m presuming that you don’t already have the RPMforge (formerly Dag Wieers) and Atomic Rocket Turtle yum repositories installed on your Zimbra server and that you’re using CentOS/Red Hat like I am. We will install these two repositories but restrict them to only provide the packages that we are interested in so that they don’t clash with each other or the base vendor repositories.

wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm

Now you need to edit /etc/yum.repos.d/rpmforge.repo to add the line includepkgs=perl-Error perl-NetAddr-IP perl-version perl-Mail-SPF as well as /etc/yum.repos.d/atomic.repo to have includepkgs=dcc pyzor razor-agents under the [atomic] section
Now the packages we need are available through a normal yum install:

yum install dcc pyzor razor-agents perl-Mail-SPF

Now we just need to create a custom SpamAssassin configuration file to tweak the settings for the plugins that we just installed. To do this, go to /opt/zimbra/conf/spamassassin/ and create a new .cf file with the following:

loadplugin Mail::SpamAssassin::Plugin::DCC

score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score DCC_CHECK 4.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500

The Zimbra SpamAssassin configurations already load the Pyzor and Razor plugins if present, but don’t load DCC by default (even if it is present) as it isn’t open source. Rather than edit files that Zimbra will then reset on an upgrade, we create a new .cf file that does this as well as settings the scores given by DCC, Pyzor, Razor and SPF. You might want to tweak these depending on how much you trust each service/test or you might want to skip these lines altogether and leave the scores set as the SpamAssassin defaults.
Remember to chown the file to zimbra:zimbra and chmod it to 0444 to be in line with the other SpamAssassin .cf configuration files.

The last thing that you need to do is restart the Zimbra MTA and Amavisd-new so that it loads the new configuration.

su – zimbra
zmantispamctl reload

If you want to test your new SpamAssassin setup then run the following (test and Debug mode) on the GTUBE sample provided by SpamAssassin

wget http://spamassassin.apache.org/gtube/gtube.txt
/opt/zimbra/zimbramon/bin/spamassassin -D -t < gtube.txt

Like the EICAR signiture for anti-virus scanners, GTUBE is a signature for anti-spam systems that will always show as spam so you can easily test your anti-spam setup. Among others, you should see RAZOR2_CHECK, PYZOR_CHECK and DCC_CHECK flagged with their appropriate scores if everything is working properly.
You will need to test DSPAM in the same way as you would with SpamAssassin’s bayesian filtering as well as checking SPF failures manually by sending a message from a server not designated in the SPF records.

Share