Still too much spam getting through...
  •  
russb

Messages: 8
Karma: 0
Can someone have a look at these spam settings & tell me why I am still getting 20 - 30 spam in my inbox every morning?
Spam stats:
Messages checked: 287114
Spam detected (tagged): 50 863
Spam detected (rejected): 151 287
Messages marked by users as spam: 19110
Messages marked by users as not spam: 311

SpamAssassin, Caller ID, SPF & Spam Repellant all used as well.

Any thoughts?

[Updated on: Tue, 03 March 2009 23:06]

  •  
TorW

Messages: 769
Karma: 9
7% of the mails weren't caught by the spam filters? Wow! That sounds like a small number, but imagine yourself at the wrong end of two million connections a day ...

First of all, stop using the dsbl.org blacklists. They are long dead and only contribute to slowing down your mail queue. Second: stop using sbl-xbl.spamhaus.org and use zen.spamhaus.org instead. You'll catch much more with the latter since it contains the Spamhaus PBL zone in addition to the two you already use.

Third, take a closer look at the headers of the spam that slips through the filters. Are there any triggered rules that are common between them? What is the overall score? Are you using Bayesian scoring?

Be aware that the SpamAssassin variant (3.0.x) in KMS 6.6.x is around three years old, and some rules are pretty useless in today's mail environment, while the attributes of some of today's common spam runs aren't recognized at all.

I spent every night for a week just looking at unfiltered spam so I could pad the KMS rule set with my own SpamAssassin custom rules, since my situation was just like yours. The custom rules in the admin GUI are a joke. The spam filtering in KMS is fair enough, I guess, but exceedingly hard to maintain.

  •  
monkeymissile

Messages: 126
Karma: 1
I noticed a big difference between your TAG+BLOCK scores. Basically you're tagging a lot, but only blocking the ones with a high rating. For instance, my TAG score is 2.8, but my BLOCK is 4.2 and we don't seem to get a huge amount of spam or block wanted mail. It takes some fiddling and I find that every few months the settings need to be tweaked and more whitelists made.
  •  
linuxbox

Messages: 139
Karma: 0
something else. i'm seeing that messages with attachments are not getting looked at by spamassassin with kerio. check out this message below and look at the X-Spam-Status. every spam message with an attachment like this doesn't get any hits at all unless there is something found in a custom blacklist or custom rules section from within kerio. this isn't good at all because over half of the spam emails you will get are actually image attachments and whatnot. kerio isn't scoring them at all unless you've set up custom filters for the ip or subject etc etc...not good.


Return-Path: <stopv<_a.t_>eshoppersite.com>
X-Envelope-To: misty<_a.t_>mysite.com
Received: from smtp.mysite.com ([xxx.xxx.xxx.xxx])
    by smtp.mysite.com.com
    for misty<_a.t_>mysite.com;
    Wed, 11 Mar 2009 20:21:45 -0500
Received: by zeus.mysite.com (Postfix)
    id 73AB539C284; Wed, 11 Mar 2009 20:21:41 -0500 (CDT)
Delivered-To: mthomas<_a.t_>mysite.com
Received: from smtp.mysite.com (smtp.mysite.com [xxx.xxx.xxx.xxx])
    by zeus.mysite.com (Postfix) with ESMTP id 5DA3339C23D
    for <mthomas<_a.t_>mysite.com>; Wed, 11 Mar 2009 20:21:41 -0500 (CDT)
X-Spam-Status: Yes, hits=5.0 required=5.0
    tests=CUSTOM_BLACKLIST: 5.00,TOTAL_SCORE: 5.000
X-Spam-Flag: YES
X-Spam-Level: *****
Received: from mx12.eshoppersite.com ([64.18.134.111])
    by smtp.mysite.com
    for mthomas<_a.t_>mysite.com;
    Wed, 11 Mar 2009 20:21:29 -0500
X-KWF-FilterProgress: **
From: "DIY Loan Modification DVD" <whanglsstior<_a.t_>eshoppersite.com>
To: <mthomas<_a.t_>mysite.com>
X-Original-Subject: Treasury Announces Mortgage Rates As Low As 2%!
Subject: *Spam Alert* Treasury Announces Mortgage Rates As Low As 2%!
Date: Wed, 11 Mar 2009 21:21:05 -0500
Message-ID: <20090311212105.gjgqpvnnstc<_a.t_>mx12.eshoppersite.com>
MIME-Version: 1.0
X-mailer:http://eshoppersite.com/gbqgp/wlbepydwnnotedr/
Content-Type: multipart/related;
    boundary="----=_NextPart_000_02E9_01C9A1BE.3FD59570"
X-Mailer: Microsoft Office Outlook 12.0
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_02E9_01C9A1BE.3FD59570
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_02EA_01C9A1BE.3FD59570"


------=_NextPart_001_02EA_01C9A1BE.3FD59570
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit

This is An ad

To view it content, activate your images.

------=_NextPart_001_02EA_01C9A1BE.3FD59570
Content-Type: text/html;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><a
href=3D"http://eshoppersite.com/qjqgdw/nbedkdvlnstcdy/"><span =
style=3D'color:windowtext;text-decoration:
none'><img border=3D0 width=3D746 height=3D773 id=3D"Picture_x0020_1"
src=3D"cid:image001.png<_a.t_>01C9A1BE.3CCA0320"></span> </a><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

<p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><a
href=3D"http://eshoppersite.com/qjq/gpwnjodydvlnozepb/"><span =
style=3D'color:windowtext;text-decoration:
none'><img border=3D0 width=3D746 height=3D126 id=3D"Picture_x0020_2"
src=3D"cid:image002.png<_a.t_>01C9A1BE.3CCA0320"></span> </a><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

<p class=3DMsoNormal><o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_001_02EA_01C9A1BE.3FD59570--

------=_NextPart_000_02E9_01C9A1BE.3FD59570
Content-Type: image/png;
    name="image001.png"
Content-Transfer-Encoding: base64
Content-ID: <image001.png<_a.t_>01C9A1BE.3CCA0320>
[Updated on: Thu, 12 March 2009 18:38]

  •  
freakinvibe

Messages: 1553
Karma: 62
SpamAssassin doesn't check mails that are bigger than a certain size (I don't know the limit off by heart). How big are these mails?

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
sgongola

Messages: 109
Karma: 0
http://www.kerio.com/manual/kms/en/sect-spamassassin.html says it is 128k. The email in question seems to be about 264k.

[Updated on: Fri, 13 March 2009 13:29]

  •  
linuxbox

Messages: 139
Karma: 0
sgongola wrote on Fri, 13 March 2009 07:22

http://www.kerio.com/manual/kms/en/sect-spamassassin.html says it is 128k. The email in question seems to be about 264k.


damn, that really sucks. and yes 264k is in fact the size of the message. hmm, that's truly pathetic because over half of the spam emails are way over 128k and whatnot. that needs to be addressed and corrected because far too much spam is getting bypassed this way.
  •  
sgongola

Messages: 109
Karma: 0
There must be a file where it can be changed for Spamassassin even if kerio does not provide for it in their admin console.
  •  
linuxbox

Messages: 139
Karma: 0
i do have one suggestion for the developers here at kerio regarding custom rules etc etc.
instead of relying on a text file to store custom rules, change that junk and put it in a database....an actual storage facility designed for large file sizes and queries. since bayes filtering won't work on spam messages over 128k (which includes over half of spam messages), this makes us have to put custom spam rules in place. for instance, clicking the custom rules tab and entering the spam domain in the "from" header and marking it as rejected. if you put hundreds or thousands in there, obviously this is not good because it takes a LONG time to save the file. i know this because i've done it in the past. so why doesn't kerio use some common sense and have these rules stored in a mysql or msql database or SOME database format where we can easily add rules to them manually and not even have to rely on the kerio application to add them? a person could easily add hundreds of multiple rules via a script into the database and kerio wouldn't even need to be restarted. i dunno. just makes sense to me because i've written many apps that use sql databases and this could easily be done with kerio if the developers just gave it a chance. i simply don't see the logic in accepting spam emails over 128k in file size!?! makes zero sense. i mean, if spamassassin and bayes isn't learning those spam messages then what options do you have? well, quite simply, custom rules and that's about it. SURBL isn't catching these domains so again, with this situation, you have no real options. that is sad. it's like saying, "here spammers, this is all you have to do to get your spam emails through.."
  •  
linuxbox

Messages: 139
Karma: 0
sgongola wrote on Fri, 13 March 2009 08:48

There must be a file where it can be changed for Spamassassin even if kerio does not provide for it in their admin console.


haha, yea i would imagine BUT, i wonder if i should search for the phrase "128" throughout all files in the plugins folder and its subfolders : )

wonder how many times the phrase 128 is used : )
i for one would like to know where this is if it exists and change it to 300 just to see what kind of server load it causes.
  •  
freakinvibe

Messages: 1553
Karma: 62
My experience is that most of the spam is under 128kB. This is because the spammer wants to distribute as many mails as possible in a short time. So if the mail is 10kB he can send ten times more spam than if it's 100kB.

If you get image spam, bayes doesn't work anyway.

But you are right, it would of course be nice, if you could change the maximum size.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
linuxbox

Messages: 139
Karma: 0
freakinvibe wrote on Fri, 13 March 2009 09:15

My experience is that most of the spam is under 128kB. This is because the spammer wants to distribute as many mails as possible in a short time. So if the mail is 10kB he can send ten times more spam than if it's 100kB.

If you get image spam, bayes doesn't work anyway.

But you are right, it would of course be nice, if you could change the maximum size.



oh trust me, it just depends on who is sending it. i could show you thousands and thousands of emails with this:

X-Spam-Status: No, hits=0.0 required=5.0

all due to the spam being image attachments that are over 128K.

kerio needs to focus on this and THINK about it. and the database deal i mentioned would be a HUGE improvement over their system as it exists. storing this data in text files is a huge mistake and horrible blunder. all it does is slow everything down.
  •  
bmdv

Messages: 110

Karma: 0
freakinvibe wrote on Fri, 13 March 2009 15:15


If you get image spam, bayes doesn't work anyway.



Therefore it would be very nice if kerio pushed every mail through the av plugin.
i use here clamav with sanesecurity sigs (http://www.sanesecurity.com)
this combination grabs a lot of phishing and image spam, but only mails with attachment are going through the av plugin.
so they can not catch as many as it can

[Updated on: Fri, 13 March 2009 16:04]

  •  
linuxbox

Messages: 139
Karma: 0
is there still no way to override the 128K size limit on testing messages for spam???
  •  
TorW

Messages: 769
Karma: 9
No.

I wonder what Kerio's rationale is for changing this (and apparently hardcoding the value in the process) from the default 500KB in SpamAssassin to as low as 128. Limits like these should have a reasonable default and be configurable in my opinion.

In any case: the size test is done before the message is sent away to be spamchecked, and in the vanilla SpamAssassin this happens via a command line switch in the spamc client. Kerio is likely doing the size check somewhere else since there's no trace of the usual SpamAssassin client, server and utilities on a KMS installation.
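
The header review suggested earlier in the thread, combined with the 128k limit discussed above, as an added example (not from any poster and not Kerio code): it reads the `X-Spam-Status` layout shown in the posted message, lists oversize mail that received no content rules, and counts which rules fired on scanned mail that still scored under the threshold. The sample messages, file names and the `CUSTOM_` prefix test are assumptions made for the illustration.

```python
import email
import re
from collections import Counter

SCAN_LIMIT = 128 * 1024  # the 128k limit quoted in the thread from the Kerio manual
# Layout as posted: Yes, hits=5.0 required=5.0 tests=NAME: 5.00,TOTAL_SCORE: 5.000
STATUS_RE = re.compile(
    r"^(Yes|No),\s*hits=([-\d.]+)\s+required=([-\d.]+)(?:\s+tests=(.*))?$")

def parse_status(raw):
    """Return (flagged, hits, rule_names) from raw message bytes, or None."""
    value = email.message_from_bytes(raw).get("X-Spam-Status", "")
    m = STATUS_RE.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    names = [t.split(":")[0].strip() for t in (m.group(4) or "").split(",")]
    rules = [n for n in names if n and n != "TOTAL_SCORE"]
    return m.group(1) == "Yes", float(m.group(2)), rules

def triage(messages):
    """Separate oversize mail that got no content rules from scanned misses."""
    unscanned, missed_rules = [], Counter()
    for name, raw in messages.items():
        status = parse_status(raw)
        if status is None:
            continue
        flagged, _hits, rules = status
        # Assumption: admin-defined hits are named CUSTOM_*, like CUSTOM_BLACKLIST.
        content_rules = [r for r in rules if not r.startswith("CUSTOM_")]
        if len(raw) > SCAN_LIMIT and not content_rules:
            unscanned.append(name)
        elif not flagged:
            missed_rules.update(content_rules)
    return sorted(unscanned), missed_rules

def sample(status, body_bytes):
    """Constructed test message: one status header plus filler body."""
    head = b"X-Spam-Status: " + status + b"\r\nSubject: constructed sample\r\n\r\n"
    return head + b"A" * body_bytes

SAMPLES = {  # constructed inputs, not real mail
    "big-image.eml": sample(b"No, hits=0.0 required=5.0", 264 * 1024),
    "big-listed.eml": sample(
        b"Yes, hits=5.0 required=5.0\r\n tests=CUSTOM_BLACKLIST: 5.00,"
        b"TOTAL_SCORE: 5.000", 264 * 1024),
    "small-miss.eml": sample(
        b"No, hits=2.1 required=5.0\r\n tests=HTML_MESSAGE: 0.10,"
        b"MIME_HTML_ONLY: 2.00,TOTAL_SCORE: 2.100", 10 * 1024),
}
```

Calling `triage(SAMPLES)` returns the two 264k messages as unscanned and a count of the rules that fired on the small message that slipped through.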