Spam filtering and dnsbl

leksand

Member
Aug 28, 2020
Trying to defeat spam, I started setting up DNSBL - I didn't find any other way to fight spam. But too many useful emails and good servers end up in DNSBL. I set score level = 6; otherwise too much gets into spam.
There are explicit spam emails (which were delivered to users; explicit mailings, a lot of such emails), there is feedback from users, but I don't see a tool that would help improve spam filtering.
If there is training in SpamAssassin, can it make it possible to see the subject of an email through the tracking center and mark an already received message as spam for training? Or are there other ways to improve spam filtering? (custom rules did not fit, and it is also not recommended to use them - there are a lot of false positives)
 
What is your DNSBL list and threshold?
Did you customize the mail filter rule?
 
bl.0spam.org,dnsbl.sorbs.net,bl.suomispam.net,ips.backscatterer.org,dnsbl-3.uceprotect.net,dnsbl-2.uceprotect.net,dnsbl-1.uceprotect.net,zen.spamhaus.org,psbl.surriel.com,noptr.spamrats.com,bl.score.senderscore.com,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com,dnsbl.dronebl.org,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

threshold=1

I've turned everything off so far - too many useful emails are getting in - even gmail.com (letters from partners are 100% good), and the domain gmail.com is entered in the global whitelist - dnsbl ignores it.

From the settings, I can only manage addresses and domains - blacklist/whitelist and actions based on score level (plus viruses, attachments).

I haven't been able to figure out how to manage filters more flexibly yet - that's why I got into dnsbl, although I consider them dangerous from the point of view of blocking useful emails/domains/mail servers.
 
Too many DNSBL sites and a threshold of only 1 could lead to false positives. Try using fewer DNSBL sites or increase the threshold.
Below is my DNSBL setting.

[attachment: screenshot of the DNSBL settings]

For the mail filter, create a custom mail filter to quarantine suspicious mails.

https://forum.proxmox.com/threads/mail-filter-example.71904/
I don't understand exactly how the threshold value works - does it have priority over the score level? How do I increase the score level of the letter instead of blocking it completely right away (so that there is nothing like - rejected: blocked using dnsbl.sorbs.net)?
 
I read the topics at the link above; before that I got acquainted with all the information on the topic in the manual, and I also tried to search the forum.

There are still questions:
1) the order of mail processing: does the global whitelist have higher priority than dnsbl, or lower?
2) Is it possible not simply to drop the letter, but just to increase the score level if the letter is in a dnsbl?
3) I still didn't understand the mathematics of the threshold - how much does it take for the letter not to be rejected? Is 1-2-3 a lot or a little?
 
1. Global whitelist (Configuration -> Mail Proxy - Whitelist) will disable all SMTP checking, including greylisting, SPF and DNSBL.

https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration

2. Disable DNSBL and SpamAssassin should be able to detect blacklisted IPs (with its included DNSBL list) and add them to the total SA score.

https://cwiki.apache.org/confluence/display/spamassassin/DnsBlocklists

Code:
X-SPAM-LEVEL: Spam detection results:  4
    AWL                    -1.564 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    CLICK_BAIT                  1 Possible click bait
    DKIMWL_WL_MED          -0.001 DKIMwl.org - Medium trust sender
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_IMAGE_RATIO_08     0.001 HTML has a low ratio of text to image area
    HTML_MESSAGE            0.001 HTML included in message
    KAM_INFOUSMEBIZ          0.75 Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
    LIST_UNSUB                  1 Mailinglist/Newsletter emails
    POISEN_SPAM_PILL          0.1 Meta: its spam
    POISEN_SPAM_PILL_2        0.1 random spam to be learned in bayes
    RCVD_IN_BL_SPAMCOP_NET  1.347 Received via a relay in bl.spamcop.net
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SUBJ_SPAM1                  1 Subject start with highly possible spam phrase
    SUBJ_UTF8                   1 Subject with UTF-8 encoding
    T_SCC_BODY_TEXT_LINE    -0.01 -
    T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record failed (temperror)
    T_SPF_TEMPERROR          0.01 SPF: test of record failed (temperror)
    URIBL_GREY              0.424 Contains an URL listed in the URIBL greylist [mktomail.com]
    URI_NO_WWW_INFO_CGI         1 CGI in .info TLD other than third-level "www"

3. Example: email from 209.250.5.98 got blocked by DNSBL because it ranked 3, over my DNSBL threshold of 2.
Every hit on a DNSBL site gives a score of 1, multiplied by the custom site score.

Code:
Jun 22 08:58:37 pmg postfix/postscreen[131063]: CONNECT from [209.250.5.98]:45303 to [192.168.40.106]:26
Jun 22 08:58:38 pmg postfix/dnsblog[131254]: addr 209.250.5.98 listed by domain zen.spamhaus.org as 127.0.0.3
Jun 22 08:58:38 pmg postfix/dnsblog[131065]: addr 209.250.5.98 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
Jun 22 08:58:43 pmg postfix/postscreen[131063]: DNSBL rank 3 for [209.250.5.98]:45303
Jun 22 08:58:45 pmg postfix/postscreen[131063]: NOQUEUE: reject: RCPT from [209.250.5.98]:45303: 550 5.7.1 Service unavailable; client [209.250.5.98] blocked using zen.spamhaus.org; from=<713F52@prd-bd-8QVAPO.cloud-apps-services.com>, to=<user@mydomain.com>, proto=SMTP, helo=<prd-bd-8QVAPO.cloud-apps-services.com>
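
Added example (written for this thread, not code from the post, from Proxmox or from Postfix): a small Python model of the rank arithmetic the reply above describes, run over the dnsblog lines quoted in it. Each list that answers for the client IP contributes 1, or N for a zone*N entry such as the bl.spameatingmonkey.net*2 in the original poster's list, and postscreen rejects when the sum reaches the threshold (postscreen_dnsbl_threshold is an inclusive lower bound). The site list and the weight of 2 on zen.spamhaus.org are assumptions chosen to reproduce the logged "DNSBL rank 3"; the dnsblog line for the sorbs listing is constructed. Note what the model makes visible: postscreen scores the connecting IP alone, before the sender address is known, so only an IP or network entry can exempt a client at this stage, not a sender-domain one.

```python
"""Recompute postscreen's DNSBL rank from dnsblog log lines.

Added example, not code from the thread, Proxmox or Postfix. ASSUMPTIONS:
the site list below is constructed, and the weight of 2 on zen.spamhaus.org
is a guess that reproduces the "DNSBL rank 3" in the quoted log; the real
site list behind that log is not on the page.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Matches the postfix/dnsblog line logged for every positive DNSBL answer.
DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<ip>\S+) listed by domain (?P<zone>\S+) as (?P<code>\S+)"
)

# Log lines quoted in the reply above (Jun 22).
HELPER_LOG: List[str] = [
    "Jun 22 08:58:37 pmg postfix/postscreen[131063]: CONNECT from [209.250.5.98]:45303 to [192.168.40.106]:26",
    "Jun 22 08:58:38 pmg postfix/dnsblog[131254]: addr 209.250.5.98 listed by domain zen.spamhaus.org as 127.0.0.3",
    "Jun 22 08:58:38 pmg postfix/dnsblog[131065]: addr 209.250.5.98 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2",
    "Jun 22 08:58:43 pmg postfix/postscreen[131063]: DNSBL rank 3 for [209.250.5.98]:45303",
]
# CONSTRUCTED dnsblog line standing in for the sorbs listing behind the
# gmail reject quoted later in the thread (the IP is from that reject).
CONSTRUCTED_SORBS_LOG: List[str] = [
    "Jun 21 10:04:43 mail postfix/dnsblog[833]: addr 209.85.219.181 listed by domain dnsbl.sorbs.net as 127.0.0.5",
]
# CONSTRUCTED site list: only zen.spamhaus.org carries a weight, so that the
# two hits in HELPER_LOG add up to the logged rank of 3.
ASSUMED_SITES = "zen.spamhaus.org*2,dnsbl-1.uceprotect.net,psbl.surriel.com,dnsbl.sorbs.net"


def parse_dnsbl_sites(setting: str) -> Dict[str, int]:
    """Turn "zone,zone*N,..." (the syntax in the original poster's list,
    e.g. bl.spameatingmonkey.net*2) into {zone: weight}; no *N means 1."""
    weights: Dict[str, int] = {}
    for item in setting.split(","):
        item = item.strip()
        if not item:
            continue
        zone, _, weight = item.partition("*")
        weights[zone.rstrip(".").lower()] = int(weight) if weight else 1
    return weights


def dnsbl_query_name(ip: str, zone: str) -> str:
    """The DNS name a DNSBL client (postscreen's dnsblog, SpamAssassin's
    check_rbl) resolves: the IPv4 octets reversed, under the list's zone.
    A 127.0.0.x answer means "listed"; no answer means "not listed"."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def hits_from_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Collect (ip, zone, return code) from every dnsblog line."""
    hits = []
    for line in lines:
        m = DNSBLOG_RE.search(line)
        if m:
            hits.append((m["ip"], m["zone"].rstrip(".").lower(), m["code"]))
    return hits


def dnsbl_rank(ip: str, hits: List[Tuple[str, str, str]], weights: Dict[str, int]) -> int:
    """Sum the configured weight of every zone that listed this client IP.
    Zones that are not configured contribute nothing."""
    return sum(weights.get(zone, 0) for hit_ip, zone, _ in hits if hit_ip == ip)


def postscreen_decision(ip: str, log: List[str], sites: str, threshold: int) -> Tuple[int, bool]:
    """Return (rank, rejected). Postfix rejects when rank >= threshold."""
    rank = dnsbl_rank(ip, hits_from_log(log), parse_dnsbl_sites(sites))
    return rank, rank >= threshold


if __name__ == "__main__":
    print(dnsbl_query_name("209.250.5.98", "zen.spamhaus.org"))
    print(postscreen_decision("209.250.5.98", HELPER_LOG, ASSUMED_SITES, 2))
    # The same single sorbs hit is a reject at threshold 1 and passes at 2.
    for t in (1, 2):
        print(t, postscreen_decision("209.85.219.181", CONSTRUCTED_SORBS_LOG, ASSUMED_SITES, t))
```

With threshold 1 and eighteen lists, as in the original poster's setting, a single listing on any one list rejects the client; at threshold 2 the same single sorbs hit passes unless a second list (or a list weighted 2) agrees.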

 
If you plan to use SpamAssassin only, create custom rules for the DNSBL blacklists.

https://support.cpanel.net/hc/en-us...Adding-Custom-RBL-DNS-Lookups-To-SpamAssassin

Code:
# DNSBL custom blacklist
header DNSBL_UCEPROTECT1      eval:check_rbl('uceprotect1', 'dnsbl-1.uceprotect.net.')
describe DNSBL_UCEPROTECT1    sender listed in dnsbl-1.uceprotect.net
score DNSBL_UCEPROTECT1 2

header DNSBL_SPAMHAUS      eval:check_rbl('spamhaus', 'zen.spamhaus.org.')
describe DNSBL_SPAMHAUS    sender listed in zen.spamhaus.org
score DNSBL_SPAMHAUS 2

header DNSBL_SURRIEL      eval:check_rbl('surriel', 'psbl.surriel.com.')
describe DNSBL_SURRIEL    sender listed in psbl.surriel.com
score DNSBL_SURRIEL 2

header DNSBL_SPAMRATS      eval:check_rbl('spamrats', 'all.spamrats.com.')
describe DNSBL_SPAMRATS    sender listed in all.spamrats.com
score DNSBL_SPAMRATS 2

header DNSBL_MAILSPIKE      eval:check_rbl('mailspike', 'bl.mailspike.net.')
describe DNSBL_MAILSPIKE    sender listed in bl.mailspike.net
score DNSBL_MAILSPIKE 2

Code:
Spam detection results:  3
AWL                    -2.816 Adjusted score from AWL reputation of From: address
BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
DNSBL_MAILSPIKE             2 sender listed in bl.mailspike.net
DNSBL_SPAMHAUS              2 sender listed in zen.spamhaus.org
DNSBL_SPAMRATS              2 sender listed in all.spamrats.com
HTML_MESSAGE            0.001 HTML included in message
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
SPF_PASS               -0.001 SPF: sender matches SPF record
SUBJ_ALL_CAPS             0.5 Subject is all capitals
SUBJ_UTF8                   1 Subject with UTF-8 encoding
TOO_POLITE                  1 Hey/Hi/Hai/Hello greetings
T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML
T_SCC_BODY_TEXT_LINE    -0.01 -
T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record failed (temperror)
 
1) Is it possible to check for presence on whitelists in the same scheme - which would improve the rating and significantly (as far as I understand, though I think more than blacklists) reduce the score level?
2) Is this the way I can change the score level?
 
1. I am not sure what whitelist you are referring to. Please explain more.
2. You can set custom SA scores under Spam Detectors -> Custom Scores.
 
For example: wl.mailspike.net, ips.whitelisted.org, list.dnswl.org. The goal is to use whitelists to lower the score level.
 
1. Global whitelist (Configuration -> Mail Proxy - Whitelist) will disable all SMTP checking, including greylisting, SPF and DNSBL.

https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration
Domains explicitly added to the global whitelist still received a reject (gmail.com domain in the global whitelist):
Jun 21 10:04:43 mail postfix/postscreen[833]: NOQUEUE: reject: RCPT from [209.85.219.181]:35802: 550 5.7.1 Service unavailable; client [209.85.219.181] blocked using dnsbl.sorbs.net; from=<mail.jiv@gmail.com>, to=<mail@mydomain>, proto=ESMTP, helo=<mail-yb1-f181.google.com>

And this is about a letter from our partner - definitely a good one (gmail.com domain in the global whitelist):
Jun 21 11:03:37 mail postfix/postscreen[5944]: NOQUEUE: reject: RCPT from [209.85.210.51]:33360: 550 5.7.1 Service unavailable; client [209.85.210.51] blocked using zen.spamhaus.org; from=<name@gmail.com>, to=<mail@mydomain>, proto=ESMTP, helo=<mail-ot1-f51.google.com>
 
If you plan to use SpamAssassin only, create custom rules for the DNSBL blacklists. [...]
Only through configuration files? Can this not be done through the Proxmox GUI?
 
Where can I see the details of the Spam detection results? I found them in the notification letters; is it possible to view this data in the tracking center or elsewhere via the Proxmox GUI?
 
Toggle spam info under Spam Quarantine.

 
Is it possible to see the same for emails that have passed the antispam check, were delivered to users and were not quarantined?
No spam info, only via the log? (C225A62B2F7476B75A: SA score=0/5 time=4.006 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(0.311),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DNSBL_SORBS(2),DNSBL_SPAMHAUS(2),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_FONT_LOW_CONTRAST(0.001),HTML_IMAGE_RATIO_04(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),MAILING_LIST_MULTI(-1),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001))
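
Added example (not code from the thread or from Proxmox): the log line above already answers the whitelist question asked earlier in the thread, because the stock RCVD_IN_DNSWL_HI rule (which queries list.dnswl.org) contributed -5 and cancelled the +4 from the two custom DNSBL rules. This Python snippet parses the hits= field of that line into rule/score pairs, sums them the way SpamAssassin does (a plain sum compared with the required score), splits the custom DNSBL hits from the whitelist hit, and flags the *_BLOCKED* rules: those are SpamAssassin administrator notices meaning the list refused the query (the _OPENDNS variants name the cause, lookups sent through an open/public resolver), so those lists contributed no reputation data at all. The log line is quoted verbatim; nothing else is assumed.

```python
"""Break down the 'hits=' field of a PMG SpamAssassin log line.

Added example, not code from the thread or from Proxmox. The only input is
the pmg-smtp-filter line posted above, quoted verbatim.
"""
import re
from typing import Dict, List

LOG_LINE = (
    "C225A62B2F7476B75A: SA score=0/5 time=4.006 bayes=0.00 autolearn=ham "
    "autolearn_force=no hits=AWL(0.311),BAYES_00(-1.9),DKIM_SIGNED(0.1),"
    "DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DNSBL_SORBS(2),DNSBL_SPAMHAUS(2),"
    "HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_FONT_LOW_CONTRAST(0.001),"
    "HTML_IMAGE_RATIO_04(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),"
    "MAILING_LIST_MULTI(-1),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),"
    "RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),"
    "T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),"
    "URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)"
)

# "SA score=<score>/<required>": the second number is the spam threshold.
REQUIRED_RE = re.compile(r"SA score=(?P<score>-?[\d.]+)/(?P<required>[\d.]+)")
# One "RULE_NAME(score)" entry inside the comma-separated hits= field.
RULE_RE = re.compile(r"(?P<rule>[A-Z0-9_]+)\((?P<score>-?\d+(?:\.\d+)?)\)")


def parse_hits(line: str) -> Dict[str, float]:
    """Map each rule name in the hits= field to its score ({} if absent)."""
    parts = line.split("hits=", 1)
    if len(parts) < 2:
        return {}
    return {m["rule"]: float(m["score"]) for m in RULE_RE.finditer(parts[1].split()[0])}


def required_score(line: str) -> float:
    """The '/5' in 'SA score=0/5': the threshold the message was judged against."""
    m = REQUIRED_RE.search(line)
    if not m:
        raise ValueError("no SA score field in line")
    return float(m["required"])


def total_score(hits: Dict[str, float]) -> float:
    """SpamAssassin's verdict uses the plain sum of all rule scores; rounded
    here to the three decimals the rule scores themselves use."""
    return round(sum(hits.values()), 3)


def sum_by_prefix(hits: Dict[str, float], prefix: str) -> float:
    """How much one family of rules (e.g. the custom DNSBL_ rules, or the
    RCVD_IN_DNSWL_ whitelist rules) moved the total."""
    return round(sum(s for r, s in hits.items() if r.startswith(prefix)), 3)


def blocked_lookups(hits: Dict[str, float]) -> List[str]:
    """Rules containing _BLOCKED are administrator notices: the list refused
    the query, so it supplied no reputation data for this message."""
    return sorted(r for r in hits if "_BLOCKED" in r)


def is_spam(line: str) -> bool:
    """True when the summed hits reach the required score."""
    return total_score(parse_hits(line)) >= required_score(line)


if __name__ == "__main__":
    hits = parse_hits(LOG_LINE)
    print("total", total_score(hits), "required", required_score(LOG_LINE), "spam", is_spam(LOG_LINE))
    print("custom DNSBL rules", sum_by_prefix(hits, "DNSBL_"))
    print("DNSWL whitelist", sum_by_prefix(hits, "RCVD_IN_DNSWL"))
    print("refused lookups", blocked_lookups(hits))
```

For this message the custom DNSBL rules added 4, the dnswl.org hit subtracted 5, and the sum of all hits is -3.341, well under the required 5; the four refused lookups are worth checking on the resolver side, because a list that refuses to answer cannot raise the score of a message that deserves it.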
 
