DNSBL is not working as well as expected

jlar310

New Member
Jun 27, 2007
I have DNSBL Sites set to b.barracudacentral.org,zen.spamhaus.org with DNSBL Threshold set to 1. Yet we continue to get spam from IP addresses that, according to mxtoolbox.com, are on one or both of those lists.

We are seeing a lot of spammers out there now that have legitimate DKIM and SPF, so blacklists are the last defense.

What could be wrong with my setup?

Sometimes there is no X-SPAM-LEVEL header, in other cases the score is only 2. Here are some example headers from IPs that are blacklisted:

Code:
X-SPAM-LEVEL: 2, hits=HTML_ENTITY_ASCII,HTML_MESSAGE,KAM_SHORT,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS
X-SPAM-LEVEL: 2, hits=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_PSBL,SPF_PASS,T_REMOTE_IMAGE,URIBL_RED
X-SPAM-LEVEL: 2, hits=HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_DBL_SPAM,URI_TRY_3LD
 

jlar310

Maybe I figured this out. Does DNSBL Threshold of 1 mean that there must be 2 BL positives to count as spam?
 

jlar310

We have Windows DNS as part of Active Directory. A sample query from the mailgateway command line seems to work just fine. I think I just need more blacklist sources if I am correct on the meaning of the threshold number above.
 

tom

Proxmox Staff Member
Aug 29, 2006
> command line seems to work just fine

If you have bad scores, maybe not. But just check the spam emails slipping through by reading the email header.

If your BLs are working, you should see URI BL scores similar to this example:

Code:
X-SPAM-LEVEL: Spam detection results:  8
    ...
    URIBL_BLACK               1.7 Contains an URL listed in the URIBL blacklist
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist
(Windows DNS can be configured in several ways, so maybe you just have to adapt it).
 

jlar310

I am seeing URIBL tags in quarantined emails, so it seems to be working. I think I just need to work on my collection of black list providers. Thanks.
 

heutger

Active Member
Apr 25, 2018
> I am seeing URIBL tags in quarantined emails, so it seems to be working. I think I just need to work on my collection of black list providers. Thanks.

See my advancing thread on my recommended set and my blacklist optimization thread on how to choose your best blacklists. And yes, threshold 2 means you need a minimum of one factor 2 or 2 factor 1 lists.
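
Added example, not part of the thread and not Proxmox code: a diagnostic that builds the DNSBL query names for the two lists from the first post, classifies the answers, and sums list weights against the threshold as described in the reply above. Spamhaus answers in 127.255.255.0/24 are its documented error codes, which a resolver that forwards to a public DNS service can receive instead of a listing. Assumptions: the `zone*weight` notation, the "score >= threshold" rule, and the sample DNS answers, which are constructed.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus error answers (e.g. 127.255.255.254: query arrived via a
# public/open resolver); they do not mean the IP is listed.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def parse_sites(setting):
    """'zone*2,other' -> {'zone': 2, 'other': 1} (weight defaults to 1)."""
    sites = {}
    for item in setting.split(","):
        zone, _, weight = item.strip().partition("*")
        sites[zone] = int(weight) if weight else 1
    return sites

def query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listing(answers):
    """True if any A record is a 127/8 answer outside the error range."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    return any(a in LISTED_NET and a not in ERROR_NET for a in addrs)

def score(ip, sites, resolve):
    """Sum weights of zones listing ip; resolve(name) -> list of A records."""
    return sum(w for z, w in sites.items() if is_listing(resolve(query_name(ip, z))))

def system_resolve(name):
    """Ask the resolver the gateway itself uses; [] means no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

# Constructed sample answers for the documentation address 192.0.2.10.
DIRECT_DNS = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}
FORWARDED_DNS = {"10.2.0.192.zen.spamhaus.org": ["127.255.255.254"]}

if __name__ == "__main__":
    sites = parse_sites("b.barracudacentral.org,zen.spamhaus.org")
    for label, table in (("direct", DIRECT_DNS), ("forwarded", FORWARDED_DNS)):
        total = score("192.0.2.10", sites, lambda n: table.get(n, []))
        # Assumed rule: mail is rejected when score >= threshold (1 here).
        print(label, "score", total, "blocked" if total >= 1 else "passed")
```

On the gateway, pass `system_resolve` as the `resolve` argument to see what the local DNS path actually returns for a given sender IP.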
 
