Spam protection
  •  
r1sh

Hello!

I've got some trouble with spam protection.

My Kerio Connect server receives mail for a domain that does not exist on my mail server.

For example, server gokoza.ru, with no PTR record for IP 31.24.30.207, sent an email for jan<_at_>romanovcapital.ru, and my email server with domain example.com received it.

In server settings \ SMTP server \ security settings I set it to block the sender if it has no PTR record or no domain in DNS.

But it still comes to us.

How can I fix it?
  •  
Pavel Dobry (Kerio)

Fix your security settings. Either you have an open relay (accepting any message) or you read the message wrongly and the To: email address is not from your email domain but the real recipient in RCPT TO is. This can be solved by the Sender Policy setting.
  •  
r1sh

As I see, our mailbox was in hidden copy. I marked 6 letters from one domain as "spam" but the spam filter doesn't recognize them as spam, why??
  •  
Jonn

One of the biggest problems with the spam engine in KC is that they use SA 3.3.2, which is old and outdated. It is also NOT supported any more and is not getting updates. The other thing is that a lot of features in SA have been turned off and the Perl modules removed to save space.

wiki.apache.org/spamassassin/ReleaseGoals

I have had a long discussion with Kerio support about this. I was told to either build my own or outsource the spam filtering.

So, our solution was to find a 3rd party package that would do what Kerio tried to do. We found that mailcleaner fit that bill. We did have to add some scripts to make things work but this was all published on the mailcleaner forums.

I can share what I did if anyone is interested.
  •  
yukiomishima

john

would very much like to hear about your experiences and setup with mailcleaner

thanks

yukioMishima
  •  
Jonn

We have been running mailcleaner as a VM for about 8 months now with great success. We are running the community edition of spamcleaner.

Our setup is like this. Mailcleaner has 2 interfaces, one public and one private. Our KC setup is the same. Our MX records point only to mailcleaner. Incoming mail gets delivered to mailcleaner, then scanned and tagged, and then sent to KC via the private interface. This way we can tell KC that all mail from that IP should not be scanned by the internal SA of KC. We virus scan ALL email that goes through our server.

KC moves spam into the junk folder based on a header that they add. So we needed to modify this file.

/usr/mailcleaner/etc/mailscanner/MailScanner.conf_template

Now to deal with spam and ham messages we have a service desk email that we added 2 mailboxes to, called ham and spam, that we shared to all users. This way mailcleaner can pull those messages and learn from them. Now this does not happen automatically. There are 3 mailcleaner forum pages that I followed.

Here is the script that I found to learn spam from the shared folders on the MC server.

http://forum.mailcleaner.org/viewtopic.php?f=3&t=836

This gets sa-update working.

http://forum.mailcleaner.org/viewtopic.php?f=15&t=964

This gets NiceBayes working.

http://forum.mailcleaner.org/viewtopic.php?f=15&t=734

That's about it. The rest of the settings in mailcleaner are personal preferences. You will want to edit the DNS blacklists as there are some that were removed at the beginning of 2015.

Hope this helps.

[Updated on: Thu, 20 August 2015 18:09]

  •  
vomsupport

Don't expect any help from Kerio they are 10 years behind the SPAM curve..

You will just get the company line "Put a suggestion in the suggestion box"

You will have to buy a 3rd party device such as a Barracuda to protect your server..

For every dollar we spend on licenses we spend 2 on SPAM protection.


  •  
yukiomishima

john.. awesome stuff.... thanks

vomSupport... couldn't agree more... seems a shame to include all of the tools... but then have them be antiquated/ineffectual seems a real shame

they should either sort it out (ideal)... or.. pull the plug.. and let us fend for ourselves.... seems all a bit "fence-sitting" the way it is

yukioMishima

[Updated on: Sat, 22 August 2015 18:48]

  •  
r1sh

that's sad

for example right now our mail server receives mail addressed to a foreign domain, but our mailbox is in hidden copy.

I've marked these letters as spam 50 times, but it still doesn't think that it's spam!!!

Crap!!!
  •  
MarkK

Spam Assassin is designed to be customized to your needs. Simple to write some rules that will catch a majority of your spams. Right now, mine catches around 99.99% of spams.
  •  
r1sh

MarkK wrote on Tue, 22 September 2015 07:19
Spam Assassin is designed to be customized to your needs. Simple to write some rules that will catch a majority of your spams. Right now, mine catches around 99.99% of spams.


how did you do this? what rules?

I receive letters from different domains and the user's mailbox is in hidden copy, I have no idea how to filter it out...
  •  
MarkK

I got sick of the spams coming through to my end users, edited some of the spam assassin scores that were getting hits, still didn't like the amount of spams coming through, and looking at the individual spams started to see the patterns in them. So I looked up how to write some simple rules of my own, and spam results went from disappointing to extremely good. My current spam stats (10 months worth) are:

803904 Messages Rec'd
720744 Messages Chk'd
134207 Spams detected (tagged)
492573 Spams detected (rejected)
2754 Messages marked by users as spam
319 Messages marked by users as not spam

Those are levels that we can live with. I'm not shooting to catch ALL spams, for fear of starting to catch too many good emails.

The current custom SA rule file I am using is attached. Put it in the .MailServer\plugins\spamserver\spamassassin\rules folder,
go in to Admin Panel > Configuration > Spam Filter > SpamAssassin tab
Uncheck the box "Check every incoming message in Spam URI Realtime Blocklist (SURBL) database" and click APPLY
Check the box "Check every incoming message in Spam URI Realtime Blocklist (SURBL) database" and click APPLY
The new rules are now being used, all without having to restart your server.
Don't like the results? Remove the file and do the steps above again.


r1sh,
Post the headers from a couple of your different domains' spams, and we will see what can be done.

  •  
r1sh

MarkK wrote on Tue, 22 September 2015 20:35
I got sick of the spams coming through to my end users, edited some of the spam assassin scores that were getting hits, still didn't like the amount of spams coming through, and looking at the individual spams started to see the patterns in them. So I looked up how to write some simple rules of my own, and spam results went from disappointing to extremely good. My current spam stats (10 months worth) are:

803904 Messages Rec'd
720744 Messages Chk'd
134207 Spams detected (tagged)
492573 Spams detected (rejected)
2754 Messages marked by users as spam
319 Messages marked by users as not spam

Those are levels that we can live with. I'm not shooting to catch ALL spams, for fear of starting to catch too many good emails.

The current custom SA rule file I am using is attached. Put it in the .MailServer\plugins\spamserver\spamassassin\rules folder,
go in to Admin Panel > Configuration > Spam Filter > SpamAssassin tab
Uncheck the box "Check every incoming message in Spam URI Realtime Blocklist (SURBL) database" and click APPLY
Check the box "Check every incoming message in Spam URI Realtime Blocklist (SURBL) database" and click APPLY
The new rules are now being used, all without having to restart your server.
Don't like the results? Remove the file and do the steps above again.


r1sh,
Post the headers from a couple of your different domains' spams, and we will see what can be done.


Thank you very much for your help!!!!!

I've applied the rules today and tomorrow I'll see how it is going, because most of the spam comes to us at night.

In one of the letters I looked at the header and noticed that X-Spam-Status contains autolearn=no. Does it mean that our spam filter doesn't learn?

Also, as I understand, because of the spam filter message size limit it passes the SpamAssassin scan...

I've created custom rules:

Header To Contains ^((?!( our | domains )).)* 


I thought that all letters with the "To" field addressed not to my domain would be rejected, but it doesn't work :( What did I do wrong?



I just don't understand how spammers find out our emails, because even new users that were created some weeks or even days ago receive spam letters...

Headers for spam messages:

Return-Path: <bolabtonrp<_at_>unionprint.co.ua>
X-Spam-Status: No, hits=0.0 required=4.0
	tests=TOTAL_SCORE: 0.000
X-Spam-Level: 
Received: from unionprint.co.ua ([217.172.183.15])
	by mail.rostherm.ru (Kerio Connect 8.5.1)
	for glebedeva<_at_>rostherm.ru;
	Thu, 24 Sep 2015 14:11:03 +0300
Received: from unionprint.co.ua (unknown [93.171.159.117])
	by unionprint.co.ua (Postfix) with ESMTPA id F2727ACB68D;
	Thu, 24 Sep 2015 04:13:13 +0300 (EEST)
Message-ID: <1db401d0f67f$555e3060$a9971f45@bolabtonrp>
Reply-To: "=?windows-1251?B?we7r/CDiIO3u4+D1?=" <bolabtonrp<_at_>unionprint.co.ua>
From: "=?windows-1251?B?we7r/CDiIO3u4+D1?=" <bolabtonrp<_at_>unionprint.co.ua>
To: <zakupki<_at_>ro12.fss.ru>
Subject: =?windows-1251?B?y+X35e3o5SDi4PDo6u7n4CDoIPLw7uzh7vTr5eHo8uAg4eXnIO7v5fDg9ujp?=
Date: Thu, 24 Sep 2015 04:13:14 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0018_01D0F67F.07BADA70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

This is a multi-part message in MIME format.

------=_NextPart_000_0018_01D0F67F.07BADA70
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0019_01D0F67F.07BADA70"

------=_NextPart_000_0019_01D0F67F.07BADA70
Content-Type: text/plain;
	charset="windows-1251"
Content-Transfer-Encoding: quoted-printable


Return-Path: <akaodrinzv<_at_>adretionse.co.ua>
X-Spam-Status: No, hits=0.0 required=4.0
	tests=TOTAL_SCORE: 0.000
X-Spam-Level: 
Received: from adretionse.co.ua ([85.25.159.16])
	by mail.rostherm.ru (Kerio Connect 8.5.1)
	for glebedeva<_at_>rostherm.ru;
	Thu, 24 Sep 2015 10:20:56 +0300
Received: from adretionse.co.ua (unknown [93.171.159.117])
	by adretionse.co.ua (Postfix) with ESMTPA id C1907F43FBC;
	Thu, 24 Sep 2015 05:39:52 +0300 (EEST)
Message-ID: <08e701d0f68b$745e5290$4dce1c52@akaodrinzv>
From: "=?windows-1251?B?0ODh7vLg8vwgx+Agyu7s7/z+8uXw7uw=?=" <akaodrinzv<_at_>adretionse.co.ua>
To: <zakupki<_at_>ro12.fss.ru>
Subject: =?windows-1251?B?wOrg5OXs6P8gyu7s7/z+8uXw7fv1IMft4O3o6Q==?=
Date: Thu, 24 Sep 2015 05:40:00 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0018_01D0F688.CCD683A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

This is a multi-part message in MIME format.

------=_NextPart_000_0018_01D0F688.CCD683A0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0019_01D0F688.CCD683A0"

------=_NextPart_000_0019_01D0F688.CCD683A0
Content-Type: text/plain;
	charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

[Updated on: Fri, 25 September 2015 08:05]

  •  
irow

R1sh:

X-Spam-Status contains autolearn=no does not mean that SpamAssassin is not learning. It means that it is not learning that particular message as spam or ham.

The default auto learn threshold for learning spam is 12. That means that a message will need to score at least 12 in order for it to be learned as spam; also the message must have a header score of at least 3 and a body score of at least 3. On the ham side, the message must have a score of 0.1 to be learned as ham.

Based upon your comments in this thread, I agree with Pavel that you probably have some security settings to correct. An easy way to know whether you are operating an open relay is to use the tools at mxtoolbox.com.
  •  
MarkK

Is ro12.fss.ru your domain? If so, is that in the list of "( our | domains )"?
Header To Contains ^((?!( our | domains )).)*

Unless I'm missing something here (it has been a busy week, so I might be), since you are receiving spams, they are addressed to user<_at_>ro12.fss.ru, so that rule wouldn't do anything to catch spam.

I see the spams coming from .ua domain, or the Ukraine. Do you do business with Ukraine based people / businesses?

I'm more concerned that your spam score is 0.0. Though that can happen, it shouldn't happen very often. There should be some sort of score, whether it be a positive or negative value.

Do you have Spam Assassin enabled? I would try enabling the DEBUG log's "Spam Filtering" and "SpamAssassin Processing" options and see what is happening there.
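
The two cases Pavel distinguishes earlier in the thread (mail accepted for a foreign domain versus a local recipient that appears only in RCPT TO) can be told apart from the headers. This is an added example, not part of the original thread; the `.example` domains, the addresses and the `classify` helper are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"local.example"}  # assumption: the domains this server hosts

# Constructed sample, modeled on the headers posted in the thread.
SAMPLE = (
    "Return-Path: <sender@bulk.example>\n"
    "Received: from bulk.example ([192.0.2.15])\n"
    "\tby mail.local.example (Kerio Connect 8.5.1)\n"
    "\tfor alice@local.example;\n"
    "\tThu, 24 Sep 2015 14:11:03 +0300\n"
    "Received: from bulk.example (unknown [198.51.100.117])\n"
    "\tby bulk.example (Postfix) with ESMTPA id 0000000000;\n"
    "\tThu, 24 Sep 2015 04:13:13 +0300\n"
    "From: <sender@bulk.example>\n"
    "To: <someone@other.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "for <address>" clause that the receiving server writes into Received.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def envelope_recipient(msg):
    """Address from the 'for' clause of the topmost Received header.
    Only that header was written by our own server; the ones below it
    are supplied by the sending side and cannot be trusted."""
    received = msg.get_all("Received", [])
    m = FOR_CLAUSE.search(received[0]) if received else None
    return m.group(1).lower() if m else None

def classify(raw, local_domains=LOCAL_DOMAINS):
    msg = message_from_string(raw)
    rcpt = envelope_recipient(msg)
    if rcpt is None:
        return "unknown"   # no 'for' clause: consult the server's mail log
    if domain(rcpt) not in local_domains:
        return "relayed"   # accepted for a foreign domain: check relay settings
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {a.lower() for _, a in getaddresses(fields) if a}
    return "direct" if rcpt in visible else "bcc"

if __name__ == "__main__":
    print(classify(SAMPLE))
```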