Zimbra Tips : Blacklist Email Based on Body Email

Having previously blacklisted email based on subject, I now often receive spam that asks me to fill in my username and password. The sender even claims to be the administrator account of the email server, whereas I am the email administrator and never send email like that 😀. The following is an example of the email I received:

[Image: spam-phishing]

Many of my users got similar email and asked me, as the email administrator, whether it came from me or not. I told all my users by email not to give out any information if they receive email like that and to always ask me first. Because many similar emails arrive from random senders, I finally decided to blacklist email based on the message body. This is what I did on my email server:

# Open file salocal.cf.in

vi /opt/zimbra/conf/salocal.cf.in

Add the following lines at the bottom of the file:

body     LOCAL_RULE1     /Your email has/i
score    LOCAL_RULE1     40.0
body     LOCAL_RULE2     /System Administrator/i
score    LOCAL_RULE2     40.0

Note: LOCAL_RULE1 and LOCAL_RULE2 are the rule (ACL) names; they match a body containing “your email has” and “system administrator” respectively, and “score 40.0” is the value given when the email body matches the rule. If you want to blacklist other words in the email body, you must create another rule with a different name.

# Save and restart the Amavis service

zmamavisdctl restart

Try sending an email whose body contains “your email has” or “system administrator” and check your zimbra.log:

Feb 12 12:40:44 mail amavis[26679]: (26679-01) Blocked SPAM {DiscardedInbound}, [209.85.216.50]:52623 [209.85.216.50] <imanudin.linux@gmail.com> -> <admin@imanudin.net>, Queue-ID: 34F0A6E579, Message-ID: <CA+m7d0d9BQV1KtVT7uqV8Dd24OoW-QjsHOBtpG_0PnT+06HPVw@mail.gmail.com>, mail_id: j6BxTkvRg4zb, Hits: 39.431, size: 2834, dkim_sd=20120113:gmail.com, 3241 ms
Feb 12 12:40:44 mail postfix/smtp[26385]: 34F0A6E579: to=<admin@imanudin.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.7, delays=1.5/0/0.06/3.2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26679-01 - spam)

In my log I see Blocked SPAM, a Hits value of more or less 39, and the email discarded, for every received email that contains “your email has” or “system administrator” in its body.
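A dry run of the two rules above against sample messages, as an added example that is not part of the original post: it parses the `body`/`score` lines and reports which rules hit and the summed score. The sample messages are constructed, `parse_rules` and `evaluate` are hypothetical helper names, and the matching only approximates SpamAssassin (subject treated as part of the body, whitespace collapsed, no MIME or HTML decoding).

```python
import re

# Rules exactly as given in the post (salocal.cf.in syntax).
RULES_TEXT = """
body     LOCAL_RULE1     /Your email has/i
score    LOCAL_RULE1     40.0
body     LOCAL_RULE2     /System Administrator/i
score    LOCAL_RULE2     40.0
"""

# Constructed sample messages as (subject, body); not taken from the post.
SAMPLES = {
    "phish": ("Mailbox quota", "Your email has exceeded its limit.\n-- System\nAdministrator"),
    "legit": ("Job opening", "We are hiring a senior system administrator."),
    "clean": ("Lunch", "See you at noon."),
}

def parse_rules(text):
    """Parse `body NAME /regex/flags` and `score NAME value` lines."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            # Only plain /regex/flags patterns; Perl-only syntax is not translated.
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest)
            if not m:
                raise ValueError(f"unsupported pattern: {rest!r}")
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            patterns[name] = re.compile(m.group(1), flags)
        elif kind == "score":
            scores[name] = float(rest.split()[0])
    return patterns, scores

def evaluate(subject, body, patterns, scores):
    """Return (sorted names of rules that hit, summed score of those rules)."""
    # Approximation of body-rule input: subject first, line breaks collapsed.
    text = " ".join(f"{subject}\n{body}".split())
    hits = sorted(name for name, rx in patterns.items() if rx.search(text))
    # A rule without a score line counts as 1.0, SpamAssassin's default.
    return hits, sum(scores.get(name, 1.0) for name in hits)

if __name__ == "__main__":
    patterns, scores = parse_rules(RULES_TEXT)
    for label, (subject, body) in SAMPLES.items():
        print(label, evaluate(subject, body, patterns, scores))
```

The "legit" sample collects 40 points from LOCAL_RULE2 alone, so broad phrases are worth checking against ordinary mail before the rule goes live.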

Good luck, and I hope this is useful 😀

Source : http://wiki.zimbra.com/wiki/Improving_Anti-spam_system

18 comments

  1. Hi Iman,
    As per your guidance I have done Blacklist Email Based on Body Email,
    but when I send through GoDaddy email to my domain the emails are discarded, but when I send through Gmail the emails are getting to my domain.

    gts

  2. Is there a way to not discard the email and send spam email to a certain email address in our domain? So that the administrator can filter it for the future.

  3. Dear Iman,

    I have tested it and it is working fine. Just wanted to know, if the mail is detected as spam, can we divert that mail to the system-generated Zimbra spam email ID?

  4. Hi Immanudin,
    I got this warning after restarting Amavis –>

    Starting amavisd...Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.{ <-- HERE ,200}).*$/ at /opt/zimbra/common/lib/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 921, line 755.
    done.

    The Amavis service can start, but is it normal or is something wrong?
