After previously setting up an email blacklist based on subject, I now often receive spam emails that ask me to fill in my username and password. On top of that, the sender claims to be the administrator account of the email server, whereas I am the email administrator and have never sent an email like that 😀. The following is an example of an email I received.
Many of my users received similar emails and asked me, as the email administrator, whether the email came from me or not. I told them, and sent an email to all my users, not to give out any information if they receive an email like that and to always ask me first. Because many similar emails arrived from random senders, I finally blacklisted them based on the email body. This is what I did on my email server:
# Open file salocal.cf.in
vi /opt/zimbra/conf/salocal.cf.in
Add the following lines at the bottom:
body LOCAL_RULE1 /Your email has/i
score LOCAL_RULE1 40.0
body LOCAL_RULE2 /System Administrator/i
score LOCAL_RULE2 40.0
Note: LOCAL_RULE1 and LOCAL_RULE2 are rule (ACL) names that match “your email has” and “system administrator”, and “score 40.0” is the value assigned when the email body matches the rule. If you want to blacklist other words in the email body, you must create a rule with another name.
# Save and restart service of Amavis
zmamavisdctl restart
Try sending an email whose body contains “your email has” or “system administrator” and check your zimbra.log:
Feb 12 12:40:44 mail amavis[26679]: (26679-01) Blocked SPAM {DiscardedInbound}, [209.85.216.50]:52623 [209.85.216.50] <imanudin.linux@gmail.com> -> <admin@imanudin.net>, Queue-ID: 34F0A6E579, Message-ID: <CA+m7d0d9BQV1KtVT7uqV8Dd24OoW-QjsHOBtpG_0PnT+06HPVw@mail.gmail.com>, mail_id: j6BxTkvRg4zb, Hits: 39.431, size: 2834, dkim_sd=20120113:gmail.com, 3241 ms
Feb 12 12:40:44 mail postfix/smtp[26385]: 34F0A6E579: to=<admin@imanudin.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.7, delays=1.5/0/0.06/3.2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26679-01 - spam)
In my log, I got the information Blocked SPAM, a Hits value of around 39, and the email discarded, for every received email that contains “your email has” or “system administrator” in the body.
Good luck, and I hope this is useful 😀
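Because every message containing those phrases is discarded, it helps to review what the rules removed. The following is an added example, not part of the original post: it parses amavis "Blocked SPAM" lines in the format shown above and lists the entries that would have scored below the kill level without one 40-point local rule. The function names, the kill level of 15.0 and the slack of 5.0 are assumptions; the second and third sample lines are constructed.

```python
import re

# Field layout follows the amavis "Blocked SPAM" line in the post's zimbra.log excerpt.
BLOCKED = re.compile(
    r"amavis\[\d+\]: \(\S+\) Blocked SPAM \{(?P<action>\w+)\}, "
    r"\[(?P<ip>[^\]]+)\]:\d+ .*?<(?P<sender>[^>]*)> -> (?P<rcpts>\S+), "
    r"Queue-ID: (?P<queue>\w+),.*?Hits: (?P<hits>-?[\d.]+)"
)

def blocked_spam(lines):
    """Parse each amavis 'Blocked SPAM' log entry into a dict."""
    records = []
    for line in lines:
        m = BLOCKED.search(line)
        if m:
            rec = m.groupdict()
            rec["rcpts"] = re.findall(r"<([^>]*)>", rec["rcpts"])
            rec["hits"] = float(rec["hits"])
            records.append(rec)
    return records

def review_candidates(records, rule_score=40.0, kill_level=15.0, slack=5.0):
    """Heuristic: entries whose score minus one local rule is below kill_level.

    kill_level and slack are assumed values; slack allows for negative-scoring
    rules, as in the post's example (39.431 - 40.0 = -0.569).
    """
    out = []
    for rec in records:
        residual = round(rec["hits"] - rule_score, 3)
        if -slack <= residual < kill_level:
            out.append({**rec, "residual": residual})
    return out

SAMPLE_LOG = [
    # From the post (abridged: Message-ID and trailing fields omitted).
    "Feb 12 12:40:44 mail amavis[26679]: (26679-01) Blocked SPAM {DiscardedInbound}, "
    "[209.85.216.50]:52623 [209.85.216.50] <imanudin.linux@gmail.com> -> "
    "<admin@imanudin.net>, Queue-ID: 34F0A6E579, mail_id: j6BxTkvRg4zb, Hits: 39.431, size: 2834",
    # Constructed: two recipients, high score even without the local rule.
    "Feb 12 13:02:10 mail amavis[26680]: (26680-03) Blocked SPAM {DiscardedInbound}, "
    "[192.0.2.10]:40112 [192.0.2.10] <bulk@example.com> -> "
    "<user1@example.net>,<user2@example.net>, Queue-ID: 7A1B2C3D4E, Hits: 61.2, size: 5120",
    # Constructed: unrelated postfix line, ignored by the parser.
    "Feb 12 13:02:11 mail postfix/smtp[26385]: 7A1B2C3D4E: to=<user1@example.net>, status=sent",
]

if __name__ == "__main__":
    for rec in review_candidates(blocked_spam(SAMPLE_LOG)):
        print(rec["queue"], rec["sender"], rec["rcpts"], rec["hits"], rec["residual"])
```

Set kill_level to the spam kill threshold your server actually uses before relying on the output.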
Source : http://wiki.zimbra.com/wiki/Improving_Anti-spam_system
Great work;
Question: why do you use one file to do subject and a different file for body?
Hello,
Because the first time I learned about blacklisting email based on body, it was configured in salocal.cf.in 😀
I have Zimbra version 8.7.2. Can spam mail addresses and domains be blocked in this file?
Hi Flash,
You can perform BL/WL by following this guidance: https://wiki.zimbra.com/wiki/Improving_Anti-spam_system#Blacklists_and_Whitelists
Hi Iman,
As per your guidance, I have set up Blacklist Email Based on Body Email,
but when I send through go-daddy email to my domain, the emails are discarded, while when I send through gmail, the emails are getting to my domain.
gts
Hi Iman,
Resolved the issue, thanks for the support
Gts
Hi Gts,
Glad to hear that 😉
Is there a way to not discard the email and send spam email to a certain email address in our domain? So that the administrator can filter it in the future.
Hi Anil Maharjan,
Maybe you can try checking the discard or other option configuration in /opt/zimbra/conf/amavisd.conf.in
Dear Iman,
I have tested it and it is working fine. I just wanted to know: if the mail is detected as spam, can we divert that mail to the system-generated Zimbra spam email ID?
Hi sandeep,
I have never tried that 🙂
You could check and try to combine it with postfix_header_check like this one: https://serverfault.com/questions/663956/how-to-redirect-spam-to-a-different-email-address-spamassassin-postfix
Does this still work for 8.8.15 FOSS?
Yes, it does
Worked like a charm, thanks man, you saved my day
Hi Immanudin,
I got this warning after restarting Amavis -->
Starting amavisd…Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.{ <-- HERE ,200}).*$/ at /opt/zimbra/common/lib/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 921, line 755.
done.
The Amavis service can start, but is it normal or is something wrong?
Hi Herdian,
It's normal and you can ignore it
Hi,
This is not working for me when sending from gmail. Please help.
Works perfectly, thanks for sharing