Trouble with SPAM

Machete

Hello,

One of the key domains I manage has always had issues with SPAM - recently the spam has been unbelievable - I even have their Likely Spam turned down to 1.2 points in SpamAssassin.

Here is a header of a repeated message coming through as valid email despite multiple users clicking the Spam button in KOC. Can anyone tell me what I'm missing? Users are getting disgruntled and I am taking the heat...

I DO have Grey Listing turned on, running Connect 8.1.1

Return-Path: <ladling@oipzz.com>
X-Spam-Status: No, hits=0.0 required=1.2
tests=BAYES_00: -1.665,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,
T_URIBL_SEM_FRESH_15: 0.01,URIBL_BLACK: 1.725,TOTAL_SCORE: 0.072,autolearn=no
X-Spam-Level:
Received: from pile.oipzz.com ([151.237.180.38])
by mailserver removed for privacy (Kerio Connect 8.1.1)
for valid email removed for privacy;
Sun, 4 Aug 2013 12:37:18 -0400
To: removed for privacy
From: "TFXdrive" <ladling@oipzz.com>
Reply-To: <30418-2790359@oipzz.com>
Subject: ATTENTION MEN: Save 60% NOW on The New Clinically Proven Testosterone Booster!.
Date: Sun, 04 Aug 2013 09:42:59 -0700
Message-ID: <I9V6SYC5T.bdhpjP44960J06@oipzz.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="MRDTMTYEYEBKJPYNYZUATIIOCCONJEWVVZPJUNN"
Content-Transfer-Encoding: 7bit

MarkK

It looks like your Bayes filter needs to be reset, since it is handing out a 00 scoring with -1.665 score. Delete the files in the ..\MailServer\store\spamassassin\bayes\ folder and restart the server.

Also, consider creating your own local scoring for the SpamAssassin filter. Some of the default scores in SA are just too low, such as .001.
In the folder:
\MailServer\plugins\spamserver\spamassassin\rules\
make a copy of the local.cf file and name it zlocal.cf. (I believe that SA processes the files in the order of the file name.)

In that zlocal.cf file, at the bottom, enter in your new higher scores for the rules that are getting hit. Such as
score HTML_MESSAGE 0.5
score MIME_HTML_ONLY 0.5
etc...

BE CAREFUL not to go too high on some scores since valid emails are also HTML based.

MarkK

P.S. Once you clear the Bayes filter, that 1.2 Spam setting score will most likely be too low. You will want to raise it back up so that you don't start getting good emails falsely marked as spam.

I have my threshold set at Tag at 5, and Block at 8.

hberm001

My server has also recently started to show intense amounts of spam in the inbox in the past couple of weeks. My first thought was the Bayes database being poisoned. I have since reset it and retrained it (it shows active) but the issue has not backed away. Nearly every spam message that gets through now has actual web articles or recipes inserted in the body, presumably to trick or poison the filter. 270 mailboxes. Any ideas?

MarkK

Well, here are the contents of my zlocal.cf file. Feel free to use at your own risk. It is kind of geared towards the good emails we get in my particular industry. I have the thresholds set at 5 & 8.

==========
# My score modifications

ok_languages en es

score ACT_NOW_CAPS 1.1
score ADVANCE_FEE_2 3.6
score ADVANCE_FEE_3 5.0
score ADVANCE_FEE_4 5.5
score BAD_CREDIT 1.5
score BAYES_50 1.0
score BAYES_60 2.0
score BAYES_80 4.0
score BAYES_95 5.0
score BAYES_99 5.5
score DATE_IN_PAST_03_06 1.5
score DATE_IN_PAST_06_12 1.6
score DATE_IN_PAST_12_24 1.7
score DATE_IN_PAST_24_48 2.0
score DATE_IN_PAST_96_XX 2.3
score DEAR_EMAIL 1.5
score DEAR_FRIEND 3.6
score DEAR_SOMETHING 3.5
score DIET_1 2.0
score DNS_FROM_RFC_DSN 2.9
score DNSBL_ZEN.SPAMHAUS.ORG 7.0
score DRUGS_ANXIETY_EREC 5.0
score DRUGS_ANXIETY_OBFU 5.0
score DRUGS_DIET 1.6
score DRUGS_DIET_OBFU 2.3
score DRUGS_ERECTILE 5.0
score DRUGS_ERECTILE_OBFU 5.0
score DRUGS_SLEEP_EREC 2.7
score EMPTY_MESSAGE 1.8
score EM_ROLEX 2.5
score FAKE_HELO_MAIL_COM 2.1
score FM_SUBJ_APPROVE 2.0
score FORGED_IMS_HTML 2.3
score FORGED_IMS_TAGS 2.1
score FORGED_MSGID_AOL 1.6
score FORGED_MSGID_MSN 2.1
score FORGED_YAHOO_RCVD 3.7
score FORGED_MUA_EUDORA 2.5
score FORGED_MUA_IMS 2.1
score FORGED_MUA_THEBAT_BOUN 2.3
score FORGED_OUTLOOK_HTML 2.8
score FORGED_OUTLOOK_TAGS 3.2
score FROM_12LTRDOM 0
score FSL_HELO_NON_FQDN_1 2.0
score HELO_DYNAMIC_DHCP 3.7
score HELO_NO_DOMAIN 2.0
score HS_INDEX_PARAM 3.0
score HTML_EXTRA_CLOSE 3.0
score HTML_FONT_LOW_CONTRAST 1.5
score HTML_FONT_SIZE_LARGE 1.3
score HTML_IMAGE_ONLY_04 3.0
score HTML_IMAGE_ONLY_28 0.5
score HTML_IMAGE_RATIO_02 1.5
score HTML_IMAGE_RATIO_04 1.2
score HTML_IMAGE_RATIO_06 1.0
score HTML_IMAGE_RATIO_08 0.8
score HTML_MESSAGE 0.5
score HTML_OBFUSCATE_05_10 1.3
score HTML_SHORT_CENTER 2.1
score HTML_SHORT_LINK_IMG_2 2.1
score HTML_TITLE_SUBJ_DIFF 1.4
score HTTP_77 2.5
score INVALID_DATE_TZ_ABSURD 1.4
score INVESTMENT_ADVICE 3.0
score IP_LINK_PLUS 1.2
score KOREAN_UCE_SUBJECT 2.5
score LOTS_OF_MONEY 1.5
score MILLION_USD 3.0
score MIME_BASE64_BLANKS 0.5
score MIME_BOUND_MANY_HEX 2.2
score MIME_HEADER_CTYPE_ONLY 1.1
score MIME_HTML_MOSTLY 1.5
score MIME_HTML_ONLY 1.5
score MISSING_DATE 1.0
score MISSING_HEADERS 2.0
score MISSING_MID 0.5
score MISSING_MIMEOLE 1.6
score MISSING_SUBJECT 2.5
score MSGID_MULTIPLE_AT 2.0
score MSGID_SHORT 3.5
score MSGID_SPAM_LETTERS 2.5
score MSGID_YAHOO_CAPS 2.5
score NO_PRESCRIPTION 3.2
score NORMAL_HTTP_TO_IP 1.0
score NUMERIC_HTTP_ADDR 1.2
score OBFUSCATING_COMMENT 1.5
score OBSCURED_EMAIL 1.7
score ONLINE_PHARMACY 2.5
score RATWARE_OUTLOOK_NONAME 2.2
score RATWARE_RCVD_AT 2.5
score RCVD_HELO_IP_MISMATCH 3.4
score RCVD_ILLEGAL_IP 4.6
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_WEB 1.3
score RCVD_IN_XBL 3.1
score RDNS_NONE 0.5
score REMOVE_BEFORE_LINK 2.5
score REPTO_QUOTE_YAHOO 2.4
score SPOOF_COM2COM 2.1
score STOX_REPLY_TYPE 1.0
score SUBJ_ALL_CAPS 2.1
score SUBJ_BUY 1.5
score SUBJECT_DRUG_GAP_C 2.0
score SUBJECT_NEEDS_ENCODING 1.25
score SUBJ_DOLLARS 0.3
score SUBJ_ILLEGAL_CHARS 4.0
score SUBJ_YOUR_DEBT 3.0
score T_AXB_MIME_IMG830 0.2
score T_DOS_OUTLOOK_TO_MX_IMAGE 2.0
score T_FILL_THIS_FORM_SHORT 2.9
score T_OBFU_JPG_ATTACH 0.2
score T_REMOTE_IMAGE 0.75
score T_URIBL_BLACK_OVERLAP 1.0
score T_URIBL_SEM 0.2
score T_URIBL_SEM_RED 0.2
score TO_NO_BRKTS_NORDNS 0.5
score TVD_RCVD_IP 2.5
score TVD_RCVD_IP4 2.5
score TVD_RCVD_SINGLE 2.5
score UNPARSEABLE_RELAY 0.25
score URI_NO_WWW_INFO_CGI 3.4
score URIBL_BLACK 2.1
score URIBL_AB_SURBL 2.0
# URIBL_BLACK is also scored above (2.1); SpamAssassin keeps the last score line it reads for a rule, so 2.0 is the value in effect
score URIBL_BLACK 2.0
score URIBL_JP_SURBL 2.8
score URIBL_OB_SURBL 2.2
score URIBL_PH_SURBL 2.0
score URIBL_RED 0.5
score URIBL_RHS_DOB 2.0
score URIBL_WS_SURBL 2.2
score US_DOLLARS_3 2.0
score VIA_GAP_GRA 2.5
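The scoring arithmetic behind MarkK's two suggestions (raise the near-zero HTML rule scores in a zlocal.cf, and remember that a rule scored twice keeps the last value, which is what happens with URIBL_BLACK in the file above), worked through on the X-Spam-Status header from the first post. This is an added example written for this thread, not Kerio's or SpamAssassin's code. The zlocal.cf fragment inside it is constructed (it repeats URIBL_BLACK on purpose to show the last-wins behaviour), and the 5/8 tag/block thresholds are the ones MarkK mentions.

```python
"""Recompute a SpamAssassin total under local 'score' overrides.

Added example for this thread, not Kerio's or SpamAssassin's code. It reads the
tests= list of an X-Spam-Status header exactly as logged in the first post,
applies 'score RULE value' lines of the kind MarkK puts in zlocal.cf, and
compares the new total with tag/block thresholds. SpamAssassin keeps the last
'score' line it reads for a rule, so the parser also reports rules defined twice.
"""
import re

# X-Spam-Status header from the first post, reassembled onto one line.
SPAM_STATUS = (
    "No, hits=0.0 required=1.2 "
    "tests=BAYES_00: -1.665,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,"
    "T_URIBL_SEM_FRESH_15: 0.01,URIBL_BLACK: 1.725,TOTAL_SCORE: 0.072,autolearn=no"
)

# Constructed zlocal.cf fragment: MarkK's two HTML overrides plus URIBL_BLACK
# scored twice on purpose, mirroring the duplicate in his full file.
ZLOCAL_CF = """\
# My score modifications
score HTML_MESSAGE 0.5
score MIME_HTML_ONLY 0.5
score URIBL_BLACK 2.1
score URIBL_BLACK 2.0
"""

TEST_RE = re.compile(r"([A-Z0-9_]+):\s*(-?\d+(?:\.\d+)?)")


def parse_tests(spam_status):
    """Return {rule: score} from the tests= part; TOTAL_SCORE is Kerio's sum, not a rule."""
    m = re.search(r"tests=(.*?)(?:,autolearn=|$)", spam_status)
    if not m:
        return {}
    return {rule: float(val) for rule, val in TEST_RE.findall(m.group(1))
            if rule != "TOTAL_SCORE"}


def parse_scores(cf_text):
    """Parse 'score RULE value' lines.

    Returns (scores, duplicates): scores maps each rule to the value in effect
    (the last one read, as SpamAssassin does); duplicates lists rules set twice.
    """
    scores, duplicates = {}, []
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        rule, value = parts[1], float(parts[2])
        if rule in scores and rule not in duplicates:
            duplicates.append(rule)
        scores[rule] = value
    return scores, duplicates


def rescore(hits, overrides):
    """Total the hit rules, taking each score from overrides when one is defined."""
    per_rule = {rule: overrides.get(rule, score) for rule, score in hits.items()}
    return round(sum(per_rule.values()), 3), per_rule


def verdict(total, tag=5.0, block=8.0):
    """Map a total onto MarkK's two-threshold scheme (tag at 5, block at 8 by default)."""
    if total >= block:
        return "block"
    if total >= tag:
        return "tag"
    return "deliver"


if __name__ == "__main__":
    hits = parse_tests(SPAM_STATUS)
    overrides, duplicates = parse_scores(ZLOCAL_CF)
    for rule in duplicates:
        print(f"warning: {rule} scored more than once; {overrides[rule]} is in effect")
    before, _ = rescore(hits, {})
    after, per_rule = rescore(hits, overrides)
    print(f"logged total {before}, with overrides {after}: "
          f"{verdict(after)} at 5/8, {verdict(after, tag=1.2)} at required=1.2")
    # Drop the Bayes contribution to see how much the -1.665 is holding the total down.
    no_bayes, _ = rescore({r: s for r, s in hits.items() if not r.startswith("BAYES_")},
                          overrides)
    print(f"same message without the BAYES_00 credit: {no_bayes} ({verdict(no_bayes)})")
```

Running it reproduces the logged 0.072, then 1.345 once the three overrides apply: still delivered at MarkK's 5/8 thresholds, but tagged at Machete's required=1.2. Without the -1.665 BAYES_00 credit the same message scores 3.01, which is why the Bayes reset comes first in MarkK's advice. Pointing parse_scores() at a real zlocal.cf lists every rule defined twice in it.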

MarkK

Don't include the ===== signs, and you have to restart Kerio after putting the file in place.

Machete

I implemented MarkK's suggestions and it is helping. One problem I am facing, and hopefully someone can give me some guidance, is the following message in my warning log:

DNS failure while trying to find address 107.51.86.192.2.0.0.127.b.barracudacentral.org in blacklist Barracuda


I have 1000's of these in the log and I have read (and tested successfully as instructed) here: http://www.barracudacentral.org/rbl/how-to-use

I have also read these threads:
http://forums.kerio.com/m/60671/?#msg_60671
http://forums.kerio.com/index.php?t=msg&goto=50461

I am still confused: if I manually test my connection to Barracuda from the command line (and it is a success), why is the Warning Log indicating that it's not working?

I have found False Negatives from different IPs that are listed in the Barracuda BRBL and there is no mention of that list in the email header.

Thanks for any help!
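The logged name can be taken apart by the usual DNSBL convention (the client's four octets reversed, then the list's zone). Read that way, 107.51.86.192.2.0.0.127.b.barracudacentral.org is the client 192.86.51.107 looked up in a zone of 2.0.0.127.b.barracudacentral.org, and 2.0.0.127 is the reversed 127.0.0.2 test address that the how-to page linked above has you query by hand. That is the shape you would get if the blacklist in Kerio had been entered as the test hostname instead of b.barracudacentral.org alone; a manual nslookup of the test name would still succeed either way, which would match what is described here. This is an inference from the logged name, not something the thread confirms. The script below is an added example, not Kerio's code; it takes the zone name from the log line and assumes nothing about Kerio's configuration format.

```python
"""Build and take apart DNSBL query names like the one in the warning-log line.

Added example for this thread, not Kerio's code. A DNSBL lookup reverses the
four octets of the client IP and appends the list's zone, which is the form the
Barracuda how-to page linked above has you test with nslookup. The zone name
b.barracudacentral.org is taken from the logged line; the check for leftover
labels between the reversed IP and the zone is my own diagnostic.
"""
import ipaddress
import socket

BRBL_ZONE = "b.barracudacentral.org"
# Query name copied from Machete's warning-log line, used here as sample input.
LOGGED_NAME = "107.51.86.192.2.0.0.127.b.barracudacentral.org"


def dnsbl_query_name(ip, zone):
    """Name to resolve for client IP in zone: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def split_query_name(name, zone):
    """Undo dnsbl_query_name(): return (client_ip, extra), where extra holds any
    labels found between the reversed IP and the zone (empty when well formed)."""
    if not name.endswith("." + zone):
        raise ValueError(f"{name!r} is not a query under {zone!r}")
    labels = name[: -(len(zone) + 1)].split(".")
    if len(labels) < 4:
        raise ValueError(f"{name!r} has fewer than four labels before the zone")
    client_ip = str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    return client_ip, ".".join(labels[4:])


def diagnose(name, zone):
    """Explain a logged query name; flags labels that look like a reversed test address."""
    client_ip, extra = split_query_name(name, zone)
    if not extra:
        return f"ok: {client_ip} looked up in {zone}"
    # Something sat between the reversed client IP and the real zone, i.e. the
    # configured zone string had extra labels in front of it.
    unreversed = ".".join(reversed(extra.split(".")))
    return (f"malformed: {client_ip} looked up in '{extra}.{zone}'; the zone should be "
            f"'{zone}' alone ('{extra}' is the reversed form of {unreversed})")


def lookup(name):
    """Resolve a DNSBL name; a listed address yields 127.0.0.x, NXDOMAIN yields None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print(diagnose(LOGGED_NAME, BRBL_ZONE))
    # The manual check from the how-to page: the 127.0.0.2 test address must resolve.
    test_name = dnsbl_query_name("127.0.0.2", BRBL_ZONE)
    print(test_name, "->", lookup(test_name))
```

diagnose() on the logged name reports the client 192.86.51.107 and the stray 2.0.0.127 labels; the lookup() call in the main block is the same test the how-to page describes, run from Python instead of nslookup, and needs network access.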

MarkK

Couple of questions:
Are you running the manual test from your email server itself?
Have you turned on the DNS logging in Kerio's Debug log to see what is happening there?

Machete

I am running the manual test from the command line on the actual mailserver (through PuTTY).

Yes, I had DNS Resolver turned on and didn't see anything negative - things like valid answer arrived.

Not sure what else I should be looking for in there.

MarkK

Good question. If you have a current paid license, you get 2 free support calls a year.

Machete

Thanks Mark - I'll probably be giving them a call, was hoping that Pavel or one of the other Kerio peeps lurking here would be able to help.

Petr Dobry (Kerio)

Did you register your IP with Barracuda? http://www.barracudacentral.org/account/register. They tend to rate limit queries from non-registered IPs.

Petr Dobry
Product Development Manager | Kerio

Machete

Yes, and the manual test from the server's command line is successful.

camisy

Since I think you have not written this: is your server receiving via MX, and not downloading messages from another MTA?
The mentioned IP is not on many BL: http://multirbl.valli.org/lookup/151.237.180.38.html

Did you try any Domain BL?

[Updated on: Fri, 13 December 2013 22:46]

Machete

I'm not sure that I follow you - you are correct, the IP listed in my example is not listed on Barracuda, but that's not my question.

Why do I get 1000's of these messages in my Warning Log?

I didn't get to call Kerio this week, hopefully next - unless they can help through here.