Custom SpamAssassin Rules in Zimbra

In this article you will learn how to add custom SpamAssassin rules to Zimbra. This lets you filter email that may have fooled your spam filtering, or mitigate vulnerabilities such as CVE-2024-21413, where file:// hyperlinks cause problems in MS Outlook.

SpamAssassin localrules

In this example we are going to filter email that contains the text file:// and move it into the Junk folder. Create the file /opt/zimbra/data/spamassassin/localrules/filelink.cf with the following content:

body FILE_URL_RULE /file:\/\//
score FILE_URL_RULE 10.0
describe FILE_URL_RULE Email contains file:// in the body

Then, as the zimbra user, restart SpamAssassin:

zmamavisdctl restart

Now send an email from an external email address to your Zimbra server with file:// in the body. It should end up in the Junk folder. Open the email and show the original message (or the message headers), which should look like this:

X-Virus-Scanned: amavis at zimbra.tech
X-Spam-Flag: YES
X-Spam-Score: 7.893
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.893 required=3 tests=[DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 DMARC_PASS_REJECT=-1.2, FILE_URL_RULE=10, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
 URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
 URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no

As you can see, FILE_URL_RULE=10 is added to the score of the email, causing it to go into the Junk folder. If you increase the score in filelink.cf, at some point you will reach the kill percentage and the email will be discarded instead. Look at X-Spam-Status: Yes, score=7.893 required=3: in this example it means the email goes into the Junk folder if the score is 3 or higher. In your case the required value may be something other than 3. If your score is only a little above the required level, consider increasing the score in filelink.cf. Don't forget to restart with zmamavisdctl restart after making changes.

Sieve

Zimbra Sieve is based on org.apache.jsieve, which unfortunately cannot filter on file:// because the regex extension is not implemented. For reference, in a vanilla Postfix/Dovecot/Sieve setup you would be able to filter as follows:

require ["fileinto","body","editheader", "regex"];

# Check if the message body contains "file://"
if body :raw :regex "file://" {
   # Move the message to the "Junk" folder
   fileinto "Junk";
   stop;
}


Copyright © 2022 Zimbra, Inc. All rights reserved.
