Articles in this section

See more

Blacklisting for spam protection does not work

Avatar
Julian Bonpland Mignaquy
Updated
Follow
Plesk for Windows Plesk for Linux kb: technical

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

The system does not block mail from IP’s listed at DNSBL providers configured in Tools & Settings > Mail Server Settings > DNS zones for DNSBL service, for example, zen.spamhaus.org.

Cause

Some public DNS providers implement non-hijacked responses for known DNSBL zones like Spamhaus.

Resolution

Check what DNS resolvers you are using: If free DNS servers like Google Public DNS are used, in most cases you will receive a not listed (NXDOMAIN) reply from Spamhaus’ public DNSBL servers. Use your own DNS servers when doing DNSBL queries to Spamhaus.

Reference: spamhaus FAQ

In other words, commonly used public resolvers such as Google’s 8.8.8.8 / 8.8.4.4 and 4.2.2.1 – 4.2.2.6 would not work with Spamhaus.

Proper DNS response:

# dig +short TXT 2.0.0.127.zen.spamhaus.org
"http://www.spamhaus.org/sbl/query/SBL233"
"http://www.spamhaus.org/query/bl?ip=127.0.0.2"

As a workaround, you can specify other DNS servers. For example, OpenDNS Home :

CONFIG_TEXT: 208.67.222.222
208.67.220.220

Comments

3 comments

Sort by Date Votes
  • Avatar
    Dan Wright

    I believe I found resolution. In my main.cf file, one of my entries smtpd_client_restrictions had the directive "permit" in front of the rbls for some reason. Placing that directive at the end of the line appears to have re-activated my bl's!

    0
    Comment actions Permalink
  • Avatar
    Denis Bykov

    @Dan

    These are limitations on the side of DNS provider. Postfix is using nameservers configured on the system.

    Thank you for sharing the information regarding the issue. Indeed, the Postfix decides whether to block the message on not based on the first applicable directive, therefore directive order matters.

    0
    Comment actions Permalink
  • Avatar
    Dan Wright (Edited )

    A couple of things:

    1) There should be a way to direct Postfix to use an alternate resolver instead of having to make a change system-wide like this from resolv.conf or named.conf.

    2) Regardless, I changed to OpenDNS as suggested and get the proper dig +short response, but still failing the nelson-sbl-test @ crynwr.com test as outlined here https://support.plesk.com/hc/en-us/articles/213416729-How-to-check-whether-spam-protection-based-on-spamhaus-org-blacklists-is-working

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles