Kent Busbee wrote:
Did anyone else notice that he is missing spam_hits in his config file? Does it default to something without it?

Yes.
[r...@doris documentation]# rpm -qi simscan-toaster
Name        : simscan-toaster              Relocations: (not relocatable)
Version     : 1.4.0                             Vendor: (none)
Release     : 1.3.8                         Build Date: Sat 03 Oct 2009 09:50:36 AM MST
Install Date: Sat 03 Oct 2009 10:03:58 AM MST      Build Host: doris.shubes
Group       : Networking/Other              Source RPM: simscan-toaster-1.4.0-1.3.8.src.rpm
Size        : 113364                           License: GPL
Signature   : (none)
Packager    : Jake Vickers <j...@qmailtoaster.com>
URL         : http://www.inter7.com/vpopmail
Summary     : Simscan for qmail-toaster
Description :

SimScan is a simplified scanner for qmail similar to qmail-scanner and qscand.
It uses clamav, trophie, and/or spamassassin.  It also supports attachment
blocking by extension.  Simscan is written entirely in C to ensure maximum
speed.  There are several options to allow simscan to scan per domain, and
reject spam mail.


                Current settings
     ---------------------------------------
     user                  = clamav
     qmail directory       = /var/qmail
     work directory        = /var/qmail/simscan
     control directory     = /var/qmail/control
     qmail queue program   = /var/qmail/bin/qmail-queue
     clamdscan program     = /usr/bin/clamdscan
     clamav scan           = ON
     trophie scanning      = OFF
     attachement scan      = ON
     ripmime program       = /usr/bin/ripmime
     custom smtp reject    = ON
     drop message          = OFF
     regex scanner         = OFF
     quarantine processing = OFF
     domain based checking = ON
     add received header   = ON
     spam scanning         = ON
     spamc program         = /usr/bin/spamc
     spamc arguments       =
     spamc user            = OFF
     authenticated users scanned = OFF
     spam passthru         = OFF
     spam hits             = 40

                Current simcontrol config
     ----------------------------------------------------------
     :clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif
[r...@doris documentation]#



HIS:
cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt

MINE:
# cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,spam_hits=7,attach=.mp3:.src:.bat:.pif:.exe:.com:.cmd:.dll:.msi:.msp:.reg:.vbe:.vbs:.vxd:.wsc:.wsf:.wsh


See response above; Michael Colvin wrote:
Like Eric mentioned, at this point, you need to take a look at the headers
of the spam e-mails that your users are getting.  You need to find something
in the type of e-mails you're getting that you can filter on...

Or, as also mentioned, it might be an internal user that is bypassing some
of the filtering because they are authenticated...

At this point, you need to look at the specific spam, and use specific
techniques to filter it, not simply add more RBL's, or blacklists, etc.
It's likely that just making one small tweak will eliminate most of your
spam.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com


-----Original Message-----
From: Rafael Andrade [mailto:raf...@riosulense.com.br]
Sent: Tuesday, November 03, 2009 8:50 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: Spam Help Plz

Hello, Eric and all list,

First, thank you for the answer.

My users receiving lots of spams don't have a specific sender domain, or
default spam type.

My spamdyke is running see:

spamdyke-stats /var/log/maillog
Allowed: 35619
Denied : 140729
Sum: 176348
% Spam : 79.80%

in logfile:
Nov  3 13:48:42 net spamdyke[20038]: DENIED_RBL_MATCH from: misdirecti...@hamiltoncompany.com to: cristi...@domain.com origin_ip: 84.153.125.187 origin_rdns: p54997dbb.dip.t-dialin.net auth: (unknown)

I'm using lots of RBLs to try to reduce the spam numbers, but it is not
working correctly.

Does anybody have some idea?


Thanks so much

Rafael

Eric Shubert wrote:
Rafael Andrade wrote:
Hello all,

I have been using qmailtoaster for two years, and I'm very satisfied...
Some days ago my users began receiving lots of spam, tagged in the subject
(spamassassin) or not.

What could I do to make it better?

Actually I'm using Qmailtoaster + Spamdyke with greylist.

Excuse my English.

My confs below:

cat /etc/tcprules.d/tcp.smtp
127.:allow,RELAYCLIENT=""

192.168.1.:allow,RELAYCLIENT="",BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"

xxx.xx.xx.xx:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="120",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"

cat /var/qmail/control/simcontrol

:clam=yes,spam=yes,attach=.zip:.rar:.com:.vbs:.bat:.lnk:.scr:.pif:.mpeg:.wmv:.reg:.asx:.mpg:.txt.scr:.pif.scr:.adb:.asp:.dbx:.php:.pl:.scs:.sht:.tbb:.uin:.vbs:.wab:.txt.bat:.txt.scr:.mpe:.flv:.pps:.exe:.dwr:.mp3:.wav:.cda:.iso:.avi:.mpeg:.mp4:.bak:.dwg:.ipj:.iam:.idw:.ipt

cat /etc/spamdyke/spamdyke.conf
# rbl
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=dnsbl.sorbs.net
dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=ix.dnsbl.manitu.net
dns-blacklist-entry=cbl.abuseat.org
dns-blacklist-entry=dnsbl.njabl.org


# graylist
#graylist-dir=/etc/spamdyke/graylist.d
graylist-dir=/home/vpopmail/graylist.d
graylist-level=always
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=5


local-domains-file=/var/qmail/control/rcpthosts
#log-level=debug
log-level=info
log-target=syslog
#log-target=stderr
max-recipients=50
#policy-url=http://my.policy.explanation.url/
reject-empty-rdns
#reject-ip-in-cc-rdns
reject-missing-sender-mx
reject-unresolvable-rdns
tls-certificate-file=/var/qmail/control/servercert.pem
# blacklist and whitelist ip
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-whitelist-file=/etc/spamdyke/whitelist_ip

# blacklist and whitelist keywords
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords

# blacklist and whitelist senders
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders

# blacklist and whitelist rdns
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns

# whitelist dns
dns-whitelist-file=/etc/spamdyke/whitelist_dns

# blacklist and whitelist recipients
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients


---------------------------------------------------------------------------------

(Wow - that's a lot of RBLs)

Are you sure that spamdyke's running?
I like to use
log-target=stderr
so I can see spamdyke's messages in the smtp log along with the other
related messages. Make sure spamdyke is running.

Looks to me like you have the screws turned down pretty tight spam
wise.  I think the next step would be to look at a representative
sample of the spam you're receiving, to see why it's getting through.

Perhaps there is a workstation or server on your network that's been
compromised and is sending out the spam. Examine the headers of the
spams you're receiving to see where they originate.

---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and installations.
      If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
     Please visit qmailtoaster.com for the latest news, updates, and packages.

      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Kent Busbee
Director of Technology
Northlake Christian School



--
-Eric 'shubes'

