DNSBL is not working as well as expected

jlar310

Active Member
Jun 27, 2007
I have DNSBL Sites set to b.barracudacentral.org,zen.spamhaus.org with DNSBL Threshold set to 1. Yet we continue to get spam from IP addresses that, according to mxtoolbox.com, are on one or both of those lists.

We are seeing a lot of spammers out there now that have legitimate DKIM and SPF, so blacklists are the last defense.

What could be wrong with my setup?

Sometimes there is no X-SPAM-LEVEL header, in other cases the score is only 2. Here are some example headers from IPs that are blacklisted:

Code:
X-SPAM-LEVEL: 2, hits=HTML_ENTITY_ASCII,HTML_MESSAGE,KAM_SHORT,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS
X-SPAM-LEVEL: 2, hits=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_PSBL,SPF_PASS,T_REMOTE_IMAGE,URIBL_RED
X-SPAM-LEVEL: 2, hits=HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_DBL_SPAM,URI_TRY_3LD
 
Maybe I figured this out. Does DNSBL Threshold of 1 mean that there must be 2 BL positives to count as spam?
 
We have Windows DNS as part of Active Directory. A sample query from the mailgateway command line seems to work just fine. I think I just need more blacklist sources if I am correct on the meaning of the threshold number above.
 
command line seems to work just fine

If you have bad scores, maybe not. But just check your Spam Email slipping through by reading the Email header.

If your BLs are working, you should see URI BL scores similar to this example:

Code:
X-SPAM-LEVEL: Spam detection results:  8
    ...
    URIBL_BLACK               1.7 Contains an URL listed in the URIBL blacklist
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist

(Windows DNS can be configured in several ways, so maybe you just have to adapt it).
 
I am seeing URIBL tags in quarantined emails, so it seems to be working. I think I just need to work on my collection of black list providers. Thanks.
 
I am seeing URIBL tags in quarantined emails, so it seems to be working. I think I just need to work on my collection of black list providers. Thanks.

See my advancing thread on my recommended set and my blacklist optimization thread on how to choose your best blacklists. And yes, threshold 2 means you need a minimum of one factor 2 or 2 factor 1 lists.
 
Hi,

I use the DNSBL set from Heutger and get along with it very well.

14 DNS blacklist servers with a threshold of 3

zen.spamhaus.org,bl.spamcop.net,psbl.surriel.com,spamrbl.imp.ch,noptr.spamrats.com,escalations.dnsbl.sorbs.net,bl.score.senderscore.com,bl.spameatingmonkey.net,rbl.realtimeblacklist.com,dnsbl.dronebl.org,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

With a threshold of 3, at least 3 lists have to match; for me that gives a very good hit rate and no false positives.

DNSBL Threshold: 3

You can set this very easily in the GUI:

Proxmox Mail Gateway / Configuration / Mail Proxy / Options

DNSBL Sites:
zen.spamhaus.org,bl.spamcop.net,psbl.surriel.com,spamrbl.imp.ch,noptr.spamrats.com,escalations.dnsbl.sorbs.net,bl.score.senderscore.com,bl.spameatingmonkey.net,rbl.realtimeblacklist.com,dnsbl.dronebl.org,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

DNS threshold: 3

Done, and the day is your friend ;)
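An added example (not from the thread and not Proxmox code) that models the threshold check the replies describe: each listed zone adds its weight, and the client is blocked once the sum reaches the threshold. Assumptions: the `zone*weight` notation is the one Postfix postscreen uses and is taken here to be what "factor 2" refers to, answers in 127.255.255.0/24 are Spamhaus error replies (for example when the query arrives through a public resolver) and are not counted as listings, and all function names and sample data are constructed.

```python
import ipaddress
import socket

# Spamhaus answers in 127.255.255.0/24 signal a query problem (public
# resolver, rate limit), not a listing. Real listings are in 127.0.0.0/8.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the lookup fails (NXDOMAIN = not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def parse_sites(sites):
    """Split 'zone,zone*2,...' into (zone, weight) pairs; weight defaults to 1."""
    for entry in filter(None, (s.strip() for s in sites.split(","))):
        zone, _, weight = entry.partition("*")
        yield zone, int(weight or 1)

def dnsbl_score(ip, sites, resolver=system_resolver):
    """Return (score, hits, errors) for ip across all configured zones."""
    score, hits, errors = 0, [], []
    for zone, weight in parse_sites(sites):
        answers = [ipaddress.ip_address(a) for a in resolver(query_name(ip, zone))]
        if any(a in ERROR_NET for a in answers):
            errors.append(zone)  # resolver problem: never count as a hit
        elif any(a in LISTED_NET for a in answers):
            score += weight
            hits.append(zone)
    return score, hits, errors

def would_block(ip, sites, threshold, resolver=system_resolver):
    # Blocked when the combined score reaches the threshold (assumed: >=).
    return dnsbl_score(ip, sites, resolver)[0] >= threshold

# Constructed sample answers (192.0.2.0/24 is a documentation range).
SAMPLE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.b.barracudacentral.org": ["127.0.0.2"],
    "20.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}
def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])
```

Run `dnsbl_score()` with the default resolver on the gateway itself: a zone that shows up under `errors` is answering, but not with usable listing data, which a test from an external lookup site will not reveal.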
 
