Kerio Connect forum: Fighting Spam (Kerio filters no longer effective, it seems)
UnifiedTechs-Brian

We are seeing more and more spam bypassing Kerio Filters over the past few months and we are at a loss what else to do.

Right now we have it set where a score of 2 or more gets it labeled as spam.

All major spam features are on and configured except Caller-ID (Even Microsoft gave up on this)

A dozen major spam .tlds are blocked.

Multiple other custom rules based off of key words.

We are starting to look at an outside filter solution with Xeams.


Any suggestions, Ideas, or tricks out there?

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
MarkK

Take a look at my post about implementing your own SpamAssassin custom rules. That is one of the great features of SpamAssassin that Kerio barely scratches the surface of. I have also posted in that thread a custom rule file that you can try out.

It costs you nothing to try except a restart of the Kerio service. My spam threshold is set at 5 to mark and 8 to delete, so that is what the scores in my custom rule set are based on.

http://forums.kerio.com/t/27477//

Mark K
UnifiedTechs-Brian

Mark,

Your post is more of a patch than a solution. Many of the replies note that such custom rules may stem the tide for a month or so, but then spam changes and you are right back where you started. I would like to find a longer-term solution that I do not need to regularly babysit.

(BTW, while not well documented, Perl regular expressions can be added right into Kerio. No need to dig into .cf files. See http://kb.kerio.com/product/kerio-connect/server-configuration/antispam/creating-custom-rules-for-spam-control-in-kerio-connect-1174.html)

As noted elsewhere, the base SpamAssassin rules included with Kerio seem dated, a few versions behind, and some users have resorted to pulling the latest rules from the official SpamAssassin install and importing them into Kerio. Also, Caller-ID has been abandoned even by Microsoft, but Kerio still includes it, which makes it look like Kerio has put spam prevention low on its list. I'd love to see Kerio focus its next major update on spam prevention.

Back to my original question though, has anyone else found any good spam prevention tricks or software?

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
MarkK

Just my .02 experience.

I would debate whether implementing custom rules is a patch versus a solution. It has been a solution in my case. Yes, I do update it from time to time, but not often any more.

I have downloaded and updated the SA rules before with the latest from SA's web site. Those helped, but what really helped was custom scores and then custom rules. SA is designed to be customized with add-on or personalized rules. Some of the default scores are 0.001, which will not do anything toward adding up a real spam score.

Hiring a service is certainly a very viable option. You are just paying them to baby sit the updates. Nothing wrong with that.

I agree too that some additional spam features would be nice. A quick search online showed Anti-Spam SMTP Proxy (ASSP) Server project getting good reviews as to its effectiveness. And it is actively being maintained. I'll have to take a look at it.
freakinvibe

Spam prevention is - unfortunately - not "fire and forget". If you don't want to use any time on anti-spam, you have to purchase a third-party service that does it for you.

Nevertheless, lowering the score to 2 or even below is no solution. We have it at the standard 5 (flag) and 9.9 (reject) and it works well for us. We don't have any custom rules or scores.

Most spam is caught by spam repellent (16 seconds) and the custom blacklists (we are using about 8 blacklists; zen.spamhaus.org rejects directly, the others use various scores).

I agree that it would be good if Kerio would update the .cf rules more often.

I sometimes check headers of non-detected spam to see why it has not been detected. I can then update the server-wide filter rules.

But your mileage might vary completely as spam tends to be different with countries and your area of business.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
UnifiedTechs-Brian

Well, then maybe something is wrong with my install; if I put the spam score to 5, nothing would go to spam. The score of 2 was chosen not by simply lowering the score, but by hand-checking about 250 random messages, both spam and non-spam, and comparing the scores to find the spot where most spam would be rejected and most real mail would go through. How long have you had your install? Years ago flagging at 5 and rejecting at 9 worked for us, but over the years we had to slowly keep lowering it to get results.

Spam repellent is set to 15 seconds currently for us and it does stop about 10 to 30 spams a minute. Blacklists are set to require 2 hits to put it in spam.

I know spam protection is not fire and forget; trust me, I've been doing this for a long time. But recently we are to the point that if we don't spend an hour every day writing new rules, the spam count would easily outnumber real email for the normal user. When you look at the cost of our time, the third-party option is a steal, and I never said I was against it.

Is everyone except us finding the Kerio Spam filter works? If not what do you use?

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
MarkK

Not trying to talk you out of a 3rd party service, just offering help with Connect's built in features.

What does your Bayes scoring look like? If the Bayes database is poisoned, it can issue negative scores to everything, causing you to have to set your thresholds very low.

What version of Connect are you running?

My spam repellent is set at 21 seconds.

I do really understand the frustration about spam passing by the filter. I was there a few months ago with my mail server, and am still there with my wife's web site and the web host's implementation of spam assassin. I can at least do something about the Connect server that I control.

I'll post my most recent custom rule file later today, if you want to give it a try.
UnifiedTechs-Brian

Connect Version is 8.3.4 patch 1, we are scheduled to upgrade to latest version tonight.

I have noticed a few negative scores (all at greater than 1) and lots of scores like 0.01 and even 0.001. You can see some in the examples below.


Here are a few random emails, both flagged and not flagged, but ALL SPAM (note that at a flag score of 5 very few of these would be marked as spam). Starting to think it has been poisoned.

X-Spam-Status: No, hits=0.7 required=3.0
tests=BAYES_40: -0.276,CUSTOM_RULE_TO: 1.00,TOTAL_SCORE: 0.724,autolearn=ham


X-Spam-Status: Yes, hits=3.5 required=3.0
tests=BAYES_50: 1.567,HTML_MESSAGE: 0.001,T_REMOTE_IMAGE: 0.01,
UNPARSEABLE_RELAY: 0.001,CUSTOM_RULE_TO: 1.00,CUSTOM_RULE_FROM: 1.00,
TOTAL_SCORE: 3.579,autolearn=no


X-Spam-Status: Yes, hits=3.8 required=3.0
tests=AWL: -1.252,BAYES_99: 4.07,CUSTOM_RULE_TO: 1.00,
TOTAL_SCORE: 3.818,autolearn=no


X-Spam-Status: Yes, hits=5.5 required=3.0
tests=BAYES_99: 4.07,HTML_MESSAGE: 0.001,CUSTOM_RULE_TO: 1.00,
CUSTOM_BODY_RULE_NUMBER_26: 0.5,TOTAL_SCORE: 5.571,autolearn=no


X-Spam-Status: No, hits=0.0 required=3.0
tests=BAYES_05: -0.925,LOTS_OF_MONEY: 0.001,CUSTOM_RULE_TO: 1.00,
TOTAL_SCORE: 0.076,autolearn=ham


X-Spam-Status: No, hits=2.5 required=3.0
tests=BAYES_50: 1.567,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,
CUSTOM_RULE_TO: 1.00,TOTAL_SCORE: 2.569,autolearn=no


- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
freakinvibe

While Bayes seems ok, the rest of the headers show that hardly any spam rules apply in your setup, except your own custom rules.

It is strange that no SURBL rules and no DNSBL rules apply.

What Blacklists have you configured and do they reject or score?

Most of the spams we receive look like this:

X-Spam-Status: Yes, hits=6.9 required=5.0
tests=BAYES_50: 1.567,DRUGS_ERECTILE: 1.994,HTML_MESSAGE: 0.001,
URIBL_BLACK: 1.725,URIBL_DBL_SPAM: 1.7,TOTAL_SCORE: 6.987,autolearn=no
X-Spam-Flag: YES

[Updated on: Mon, 15 December 2014 17:20]


Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
UnifiedTechs-Brian

Blacklists & Scores:

bl.spamcop.net +3
zen.spamhaus.org +3
dnsbl.sorbs.net +2
db.wpbl.info +2
rhsbl.sorbs.net +2
cbl.abuseat.org +3
dnsbl-1.uceprotect.net +3
b.barracudacentral.org +3

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
freakinvibe

Do they ever trigger? None of your headers show it.

cbl.abuseat.org is included in zen.spamhaus.org, so you can remove the cbl.abuseat.org list.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
UnifiedTechs-Brian

Well, I have tons of log entries every minute like this:
[15/Dec/2014 11:49:52] IP address 192.111.145.82 found in DNS blacklist Barracuda, mail from <Blood_Pressure_Solution@jfhjskf.com> to <user@domain.com>

But most of them, I assumed, get scored above 6 and thrown out; I raised the reject score to 9 to try and get more into Spam folders.

If I'm reading it right, this shows a trigger, but where the 1.7 score came from I have no idea:

X-Spam-Status: Yes, hits=5.2 required=3.0
tests=BAYES_50: 1.567,HTML_MESSAGE: 0.001,T_REMOTE_IMAGE: 0.01,
URIBL_DBL_SPAM: 1.7,CUSTOM_RULE_TO: 1.00,CUSTOM_RULE_FROM: 1.00,


- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
freakinvibe

No.

URIBL_DBL_SPAM: 1.7

is a detection of a blacklisted domain within your mail body text; it has nothing to do with the IP address blacklists you can configure. A triggered IP blacklist would look like this:

DNSBL_ZEN.SPAMHAUS.ORG: 3.00

if you have called your blacklist ZEN.SPAMHAUS.ORG. So they should all start with DNSBL_.

But if you find lots of entries in your security log, I guess that they trigger.

What you should check:

- Do you see anything in the "Warnings" or "Errors" log that indicates that something spam related is not working? For example, if you use public DNS for blacklist lookups, they might not work. Use your own DNS.

- Did you switch on "Block if client's IP address has no reverse DNS entry (DNS)"? This rejects tons of spam for us.

- Did you switch on "Block if sender's mail domain was not found in DNS"?

- Do you use SPF?

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
MarkK

In your mailserver.cfg file, what is your SpamAssassin size limit set to? Is it maybe set to a small value, causing SA not to be used? Here is my setting.

<table name="SpamFilter">
<variable name="MessageSizeLimit">2048</variable>

To change it, you have to stop Connect first, then edit the file, and restart Connect. Also, if you want to try the attached custom rules file, that needs to be put in place while Connect is not running. Again, my thresholds are based on mark @ 5, block @ 8.

The ridiculously low SpamAssassin scores that you see at 0.01 and 0.001 are part of the SpamAssassin idea of customizing it to fit your particular needs. For example, I work in the financial industry, so the LOTS_OF_MONEY rule is something that I cannot score too high, since we sometimes have emails about lots of money. If I worked for an animal shelter or popcorn store, LOTS_OF_MONEY would be something that I would rate much higher.

Some of the other rules I have changed are ones such as HTML_MESSAGE (mine 0.5) and T_REMOTE_IMAGE (0.5). Then there are some default SA rules that just don't make sense, such as FROM_12LTRDOM (email from a domain that has 12 letters in the domain name), which rates at either 2 or 3.8. I have changed the score for this to 0, since not all 12-character domain names are spam, at least in our case.

In the Connect custom spam rules, I have added a number of the other country domain extensions that we see only spam come from, and that we will not be doing business with. The flat-out rejects include .cn>, .ru>, .in>, .me>, .eu>, .tw>, .hk>, .tk>, .pw>, .asia>, .club>.
.uk> increases by 2.0; .us> increases by 0.6.
And .info I reject because I never saw any good emails come from one of those, and no one has complained that they haven't gotten something from a .info domain.

Attachment: zMyCustom.cf
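Worked example, added here and not code from the thread, from Kerio or from SpamAssassin, that ties together Brian's pasted headers, freakinvibe's DNSBL_ versus URIBL_ distinction and Mark K's score overrides: it parses the X-Spam-Status header Kerio Connect writes, reports which rule families scored (a DNSBL_ prefix is the only evidence in the header that a configured IP blacklist fired; URIBL_ hits are body-domain lookups), and rescores the message under a local .cf fragment and mark/block thresholds. The two sample headers are copied from the posts above; the local.cf fragment, the 5/8 thresholds and all function names are this example's own assumptions.

```python
"""Parse the X-Spam-Status headers Kerio Connect writes (SpamAssassin format),
classify which rule families fired, and rescore a message under local
`score` overrides and mark/block thresholds."""
import re

# Rule-name prefixes as they appear in the headers posted in this thread.
FAMILIES = {
    "DNSBL_": "IP blacklist configured in Kerio (scores the sending IP)",
    "URIBL_": "URI blacklist (blacklisted domain found in the message body)",
    "BAYES_": "Bayes classifier",
    "CUSTOM_": "custom Kerio rule",
    "AWL": "auto-whitelist adjustment",
}

HEADER_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*hits=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(.*)$")


def unfold(header_text):
    """Join RFC 5322 folded continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header_text.strip())


def parse_spam_status(header_text):
    """Return {'flagged', 'hits', 'required', 'tests': {rule: score}, 'autolearn'}."""
    m = HEADER_RE.match(unfold(header_text))
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests, autolearn = {}, None
    for item in m.group(4).split(","):
        item = item.strip()
        if item.startswith("autolearn="):
            autolearn = item.split("=", 1)[1]
        elif ":" in item:
            name, score = (s.strip() for s in item.split(":", 1))
            if name != "TOTAL_SCORE":  # TOTAL_SCORE is the sum, not a rule
                tests[name] = float(score)
    return {"flagged": m.group(1) == "Yes", "hits": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests, "autolearn": autolearn}


def family(rule):
    """Classify a rule name by the prefixes above; anything else is 'other'."""
    return next((p for p in FAMILIES if rule.startswith(p)), "other")


def ip_blacklist_fired(tests):
    """True only if a Kerio IP blacklist (DNSBL_<name>) scored; URIBL_* does not count."""
    return any(family(r) == "DNSBL_" for r in tests)


def parse_local_cf(cf_text):
    """Read `score RULE value` lines from a SpamAssassin .cf fragment."""
    overrides = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            # The 4-value form is (neither, net only, bayes only, bayes+net);
            # a server running Bayes and network tests uses the last value.
            overrides[parts[1]] = float(parts[-1])
    return overrides


def rescore(tests, overrides, mark_at, block_at):
    """Recompute the total with local overrides applied; return (total, verdict)."""
    total = sum(overrides.get(rule, score) for rule, score in tests.items())
    verdict = "block" if total >= block_at else "mark" if total >= mark_at else "deliver"
    return total, verdict


def report(header_text, overrides, mark_at=5.0, block_at=8.0):
    parsed = parse_spam_status(header_text)
    total, verdict = rescore(parsed["tests"], overrides, mark_at, block_at)
    return {"families": sorted({family(r) for r in parsed["tests"]}),
            "ip_blacklist_fired": ip_blacklist_fired(parsed["tests"]),
            "rescored_total": round(total, 3), "verdict": verdict}


# Header from Brian's post above: only Bayes and custom rules contributed.
SAMPLE_BRIAN = """X-Spam-Status: Yes, hits=3.5 required=3.0
 tests=BAYES_50: 1.567,HTML_MESSAGE: 0.001,T_REMOTE_IMAGE: 0.01,
 UNPARSEABLE_RELAY: 0.001,CUSTOM_RULE_TO: 1.00,CUSTOM_RULE_FROM: 1.00,
 TOTAL_SCORE: 3.579,autolearn=no"""

# Header from freakinvibe's post above: URIBL rules add most of the score.
SAMPLE_FREAKINVIBE = """X-Spam-Status: Yes, hits=6.9 required=5.0
 tests=BAYES_50: 1.567,DRUGS_ERECTILE: 1.994,HTML_MESSAGE: 0.001,
 URIBL_BLACK: 1.725,URIBL_DBL_SPAM: 1.7,TOTAL_SCORE: 6.987,autolearn=no"""

# Constructed local.cf fragment using the score changes Mark K describes.
LOCAL_CF = """
score HTML_MESSAGE 0.5      # default 0.001
score T_REMOTE_IMAGE 0.5
score FROM_12LTRDOM 0       # not all 12-letter domains are spam
"""

if __name__ == "__main__":
    overrides = parse_local_cf(LOCAL_CF)
    for label, hdr in (("Brian", SAMPLE_BRIAN), ("freakinvibe", SAMPLE_FREAKINVIBE)):
        print(label, report(hdr, overrides))
```

Running it over Brian's header shows the point freakinvibe makes: no DNSBL_ rule appears, so nothing in that message's score came from the configured IP blacklists, and even with Mark K's overrides it only reaches 4.568, below a 5 mark threshold; the same custom rules carry it over Brian's threshold of 3. freakinvibe's header rescored under the same overrides lands at 7.486, a mark.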
UnifiedTechs-Brian

Barracuda fails about 10 to 20 times a day, and we query it directly, so no idea why:

[11/Dec/2014 15:03:02] DNS failure while trying to find address 249.147.192.50.b.barracudacentral.org in blacklist Barracuda

Otherwise nothing in logs showing errors.

Yes to all your other questions about reverse DNS, SPF, and sender's domain found in DNS. We see tons of logs confirming these are working.

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
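Added example, not code from the thread or from Kerio, for the DNSBL mechanics behind Brian's log lines and freakinvibe's resolver warning. A mail server reverses the sending IP's octets and prefixes them to the list zone, so the failing name 249.147.192.50.b.barracudacentral.org in Brian's log is a lookup of 50.192.147.249. zen.spamhaus.org answers with 127.0.0.x codes that identify the component list that matched (127.0.0.4 to 127.0.0.7 is the XBL, which carries the CBL data, which is why listing cbl.abuseat.org beside zen is redundant), while 127.255.255.x answers are error codes, including the one returned to queries that arrive through public resolvers. The answer table and the 192.0.2.x addresses below are constructed for the offline demo and are not real listings; the return-code mapping follows Spamhaus' published table, and the function names are this example's own.

```python
"""Build the reversed-octet DNSBL query name a mail server sends, recover the
IP from a Kerio 'DNS failure' log line, and decode the answer codes that
zen.spamhaus.org returns. The resolver is injectable so the demo runs offline
against a constructed answer table; pass socket.gethostbyname for a live check."""
import ipaddress
import re
import socket

# Security-log line quoted by Brian above.
LOG_LINE = ("[11/Dec/2014 15:03:02] DNS failure while trying to find address "
            "249.147.192.50.b.barracudacentral.org in blacklist Barracuda")
LOG_RE = re.compile(r"DNS failure while trying to find address (\S+) in blacklist (\S+)")


def dnsbl_query_name(ip, zone):
    """'50.192.147.249' in 'b.barracudacentral.org' -> '249.147.192.50.b.barracudacentral.org'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def ip_from_query_name(qname, zone):
    """Inverse of dnsbl_query_name."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        raise ValueError("query name is not under zone " + zone)
    return ".".join(reversed(qname[:-len(suffix)].split(".")))


def ip_from_log_line(line):
    """(ip, blacklist label) from a Kerio 'DNS failure' line; the first four labels are the reversed IP."""
    m = LOG_RE.search(line)
    if not m:
        return None
    labels = m.group(1).split(".")
    return ".".join(reversed(labels[:4])), m.group(2)


def decode_zen(answer):
    """Map a zen.spamhaus.org A-record answer to the component list (or error) it
    signals, following Spamhaus' published return codes."""
    a = ipaddress.IPv4Address(answer)
    last = int(a) & 0xFF
    if a in ipaddress.ip_network("127.0.0.0/24"):
        if last in (2, 3):
            return "listed: SBL"
        if 4 <= last <= 7:
            return "listed: XBL (includes CBL data)"
        if last in (10, 11):
            return "listed: PBL"
        return "listed: unknown code " + answer
    if a in ipaddress.ip_network("127.255.255.0/24"):
        # Error codes, not listings: treating these as hits would reject legitimate mail.
        return {252: "error: typing error in DNSBL name",
                254: "error: query sent via public/open resolver",
                255: "error: query limit exceeded"}.get(last, "error: " + answer)
    return "unexpected answer " + answer


def check_ip(ip, zone, resolve=socket.gethostbyname):
    """Look ip up in zone; NXDOMAIN (OSError from the resolver) means not listed."""
    qname = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(qname)
    except OSError:
        return False, "not listed"
    detail = decode_zen(answer) if zone == "zen.spamhaus.org" else "listed: " + answer
    return detail.startswith("listed"), detail


# Constructed answers for the offline demo (192.0.2.0/24 is documentation
# address space; nothing here is a real listing).
FAKE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.4",        # hypothetical XBL/CBL hit
    "2.2.0.192.zen.spamhaus.org": "127.255.255.254",  # what a public resolver gets back
}


def fake_resolver(qname):
    if qname in FAKE_ANSWERS:
        return FAKE_ANSWERS[qname]
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    print(ip_from_log_line(LOG_LINE))
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(ip, check_ip(ip, "zen.spamhaus.org", fake_resolver))
```

A 127.255.255.254 answer is a configuration problem to alarm on (the server is resolving through a public resolver and Zen is refusing it), not a listing; a server that scored it as a hit would reject mail from every sender, and one that ignored it silently would look exactly like Brian's headers, where no DNSBL_ rule ever appears.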