Improving Zimbra Anti Spam on openSUSE

Besides other attacks, spam has become the top enemy in the mail server world. To prevent spam and virus attacks, Zimbra has built-in anti-spam and anti-virus plugins, installed by default. Zimbra's anti-spam uses popular anti-spam software: SpamAssassin for fighting spam and ClamAV as the default anti-virus software.
Although SpamAssassin is smart enough to kill spam, Zimbra bundles it with a poor capability to stop a spam hit attack. We should improve it before launching the Zimbra mail server as a full production mail server.
We can improve the Zimbra anti-spam by improving SpamAssassin's capability, adding some plugins and changing some configuration to meet our requirements. Let's improve Zimbra anti-spam with the following tasks:

  1. Edit the spam percentage threshold in Zimbra Admin | Global Setting | AS/AV. The standard percentage thresholds (33% for tagging a spam message and 75% for killing a spam message; the percentage is based on the standard SpamAssassin score, where 100% equals a score of 20, so the default scores are 6.6 for tagging and 15 for killing) look too permissive for fighting spam.
    The best way to set the correct percentage threshold for your criteria is to investigate the message source of some spam messages. Look at the spam identification score in the headers of the message source and compare it with other messages. In my case, the tagging percentage threshold looked pretty good for identifying spam, but the killing percentage seemed less restrictive, so I set a lower percentage, 50%, which is equivalent to a score of 10. Be aware to lower the killing percentage step by step, to prevent message loss caused by a too restrictive setting.
  2. Installing the SPF plugin. Mail::SPF is an object-oriented implementation of Sender Policy Framework (SPF). See http://www.openspf.org for more information about SPF. Install the plugin using the package built on openSUSE Build Service: just type SPF or Perl-Mail-SPF in the search text box. I found it in the perl repository: http://download.opensuse.org/repositories/devel:/languages:/perl/.
  3. Installing the Pyzor plugin. Pyzor is a collaborative, networked system to detect and block spam using identifying digests of messages. Install the Pyzor plugin from openSUSE Build Service and then run the following commands to configure Pyzor.
    As root:
    [code language='bash']
    # create the Pyzor home directory under amavisd and hand it to the zimbra user
    mkdir /opt/zimbra/amavisd/.pyzor; chown zimbra:zimbra /opt/zimbra/amavisd/.pyzor
    [/code]
    Then open your firewall for Pyzor (UDP/24441 outgoing) and finally activate Pyzor by running the following commands as the Zimbra user:
    [code language='bash']
    su - zimbra
    # fetch the list of Pyzor servers into the amavisd home directory
    pyzor --homedir /opt/zimbra/amavisd/.pyzor discover
    [/code]
  4. Installing the Razor plugin.

    Vipul's Razor is a distributed, collaborative spam detection and filtering network. Razor establishes a distributed and constantly updating catalogue of spam in propagation. This catalogue is used by clients to filter out known spam. On receiving a spam, a Razor Reporting Agent (run by an end-user or a troll box) calculates and submits a 20-character unique identification of the spam (a SHA digest) to its closest Razor Catalogue Server. The Catalogue Server echoes this signature to other trusted servers after storing it in its database. Prior to manual processing or transport-level reception, Razor Filtering Agents (end-users and MTAs) check their incoming mail against a Catalogue Server and filter out or deny transport in case of a signature match. Catalogued spam, once identified and reported by a Reporting Agent, can be blocked by the rest of the Filtering Agents on the network.

    Install Razor Agent and Perl-Razor-Agent from openSUSE Build Service and then configure Razor with the following tasks:

    • Open your firewall for razor2 (TCP/2703 outgoing).
    • Run the following command as root:
      [code language='bash']
      # create the Razor home directory under amavisd and hand it to the zimbra user
      mkdir /opt/zimbra/amavisd/.razor; chown -Rf zimbra:zimbra /opt/zimbra/amavisd/.razor
      [/code]
      and then activate Razor by running the following commands as the Zimbra user:
      [code language='bash']
      su - zimbra
      razor-admin -home=/opt/zimbra/amavisd/.razor -create    # write the default razor-agent.conf
      razor-admin -home=/opt/zimbra/amavisd/.razor -discover  # locate the Razor catalogue servers
      razor-admin -home=/opt/zimbra/amavisd/.razor -register  # register an identity for reporting
      [/code]
    • Enable Razor. Edit /opt/zimbra/conf/spamassassin/v310.pre and uncomment the line
      [code language='text']
      loadplugin Mail::SpamAssassin::Plugin::Razor2
      [/code]
  5. Install the DCC plugin. The DCC, or Distributed Checksum Clearinghouse, is an anti-spam content filter that runs on a variety of operating systems. Install DCC from openSUSE Build Service, then edit /etc/dcc/dcc_conf, set DCCUID=zimbra and DCCD_ENABLE=off, and then edit /opt/zimbra/conf/spamassassin/v310.pre and enable the DCC line:
    [code language='text']
    loadplugin Mail::SpamAssassin::Plugin::DCC
    [/code]
  6. Enable SPF+Pyzor+Razor in the SpamAssassin configuration. Edit /opt/zimbra/conf/spamassassin/local.cf and add the following rules (modify them to suit your environment) at the end of the configuration:
    [code language='text']
    ok_languages en es id
    ok_locales en es id
    trusted_networks 127. 192.168.
    use_bayes 1
    skip_rbl_checks 0
    use_razor2 1
    use_dcc 1
    use_pyzor 1
    dns_available yes
    ## Optional Score Increases
    ## Choose your preferred values...
    score DCC_CHECK 4.000
    score SPF_FAIL 10.000
    score SPF_HELO_FAIL 10.000
    score RAZOR2_CHECK 2.500
    score PYZOR_CHECK 2.500
    score BAYES_99 4.300
    score BAYES_90 3.500
    score BAYES_80 3.000
    bayes_ignore_header Received: from mail.vavai.net
    bayes_ignore_header Received: from localhost
    [/code]
  7. Activating Domain, User and Content Whitelist & Blacklist. Please refer to the Zimbra Wiki here and here to see a complete configuration.
  8. Slow down Simultaneous Connection Throttling to prevent a spam attack. I got this problem while setting up Zimbra in a government office in Jakarta. Spammers open up a large number of simultaneous connections and then send too many messages. The messages are fake and likely to be blocked by Zimbra, but they still hit the MTA and fill the queue. We can prevent this attack by setting a lower limit with the following commands:
    [code language='bash']
    su - zimbra
    # drop a client after 3 errors in a session (hard), start delaying it after 2 (soft)
    postconf -e 'smtpd_hard_error_limit = 3'
    postconf -e 'smtpd_soft_error_limit = 2'
    exit
    cd /opt/zimbra/postfix/sbin
    ./postfix stop
    ./postfix start
    [/code]
    More info about the Postfix configuration parameters regarding error limits is here.
  9. Adding an RBL list to block blacklisted SMTP IPs. I'm currently using b.barracudacentral.org, zen.spamhaus.org, dnsbl.njabl.org, dnsbl.ahbl.org, cbl.abuseat.org and bl.spamcop.net. This list is entered via the Zimbra Admin | Global Setting | MTA menu.
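As an added example (not part of the original post), the following Python script applies the percent-to-score mapping from step 1 (100% = score 20) to the X-Spam-Score / X-Spam-Status headers of captured message sources and reports what a given tag/kill pair would do to them, so you can compare the 33%/75% defaults with a 50% kill threshold before changing the setting. The sample headers are constructed, not real traffic.

```python
import re

MAX_SCORE = 20.0  # Zimbra maps a 100% threshold to a SpamAssassin score of 20

def percent_to_score(percent):
    """Convert a Zimbra AS/AV percentage into the equivalent SpamAssassin score."""
    return round(MAX_SCORE * percent / 100.0, 2)

# Headers amavisd/SpamAssassin add, as seen in a Zimbra message source
SCORE_RE = re.compile(r"^X-Spam-Score:\s*(-?\d+(?:\.\d+)?)", re.I | re.M)
STATUS_RE = re.compile(r"^X-Spam-Status:.*?\bscore=(-?\d+(?:\.\d+)?)", re.I | re.M)

def extract_score(message_source):
    """Return the spam score from a message source, or None if it was never scanned."""
    for rx in (SCORE_RE, STATUS_RE):
        m = rx.search(message_source)
        if m:
            return float(m.group(1))
    return None

def classify(score, tag_percent=33, kill_percent=75):
    """Map a score to the action Zimbra takes at the given thresholds (defaults: 33%/75%)."""
    if score >= percent_to_score(kill_percent):
        return "kill"
    if score >= percent_to_score(tag_percent):
        return "tag"
    return "pass"

def summarize(sources, tag_percent=33, kill_percent=75):
    """Count what a threshold pair would do to a batch of captured message sources."""
    counts = {"pass": 0, "tag": 0, "kill": 0, "unscanned": 0}
    for src in sources:
        score = extract_score(src)
        counts["unscanned" if score is None else classify(score, tag_percent, kill_percent)] += 1
    return counts

# Constructed message sources (relevant header lines only), not real mail.
SAMPLES = [
    "From: a@example.invalid\nX-Spam-Score: 2.1 (**)\nSubject: hi\n",
    "From: b@example.invalid\nX-Spam-Score: 7.4 (*******)\nSubject: offer\n",
    "From: c@example.invalid\nX-Spam-Status: Yes, score=11.2 required=6.6\nSubject: win\n",
    "From: d@example.invalid\nX-Spam-Score: 16.8 (****************)\nSubject: pills\n",
    "From: e@example.invalid\nSubject: internal mail that was never scanned\n",
]

if __name__ == "__main__":
    for tag, kill in ((33, 75), (33, 50)):  # Zimbra defaults vs. the 50% kill used above
        print(f"tag {tag}% (score {percent_to_score(tag)}), kill {kill}% "
              f"(score {percent_to_score(kill)}): {summarize(SAMPLES, tag, kill)}")
```

Point it at a directory of saved spam sources instead of SAMPLES to see how many of your real samples each kill percentage would drop before you lower the setting in the admin console.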

The above configuration should improve Zimbra's anti-spam capability to block incoming spam. Below is a screenshot of the anti-spam results on my client after improving the spam capability.

Please remember that a more restrictive spam setup will impact Zimbra mail server performance. It's a trade-off between Zimbra performance and anti-spam capability. Adding more anti-spam plugins means more work for the Zimbra anti-spam. You may need to increase your hardware specification or move the anti-spam to a separate machine.
Note: The above configuration has been tested on Zimbra 5.0.21 on openSUSE 11.1
