Question Are you using "DNS Blackhole Lists" ?

[tanasis]

Hello everyone,

I am currently reviewing the email security and anti-spam settings on my Plesk server and I am looking into the "Spam protection based on DNS blackhole lists" feature.

I would love to get some insights from the community's experience:

Do you generally keep this specific DNSBL feature enabled for your spam filtering, or do you rely on other tools/methods?

If you do use it, which specific DNS blackhole lists do you configure in this field?

Are the lists you recommend completely free to use?

I am looking for reliable options that effectively block spam but have a low rate of false positives, as avoiding the block of legitimate emails is a priority.

Thank you in advance for your time and recommendations!

 

[King555]

I use this feature for a long time now and I think it works good and is useful. I use this list:
[My DQS Key].zen.dq.spamhaus.net;bl.spamcop.net;b.barracudacentral.org

The first one needs a free account at Strengthening trust and safety across the internet | Spamhaus, the second and third one can be used without registering.

 

[tanasis]

Thank you for the answer... Lately on my server that has several websites, I have been receiving mass incoming emails on several domains.
e.g. from the email [email protected] , emails to 50 websites that I have on my server.
from the email [email protected], emails to 50 websites that I have on my server.
from the email [email protected], emails to 50 websites that I have on my server.

These emails are sent simultaneously. They stop for 1-2 days and then they change emails and send them again....

They do not have fixed homepages, but they are on 3-4 random ones on my server.

 

[tanasis]

How can I stop spammers?
I believe they scan the server IP, find the domains and send emails

 

[Maarten]

There are several layers you can add to reduce spam on a Plesk server. Here's what has worked well for us:

Postfix main.cf hardening
Add HELO restrictions and sender validation. This catches a surprising amount of bot traffic before SpamAssassin even sees it:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain

Postscreen
This sits in front of smtpd and handles the bulk of bot connections with minimal resources. It tests connections before spawning a full smtpd process. Highly recommended but requires master.cf changes.

Collaborative spam filtering
Install Razor2, Pyzor and/or DCC alongside SpamAssassin. These check message fingerprints against distributed spam databases. They're especially effective against bulk spam campaigns.

SpamAssassin tuning
The default config is very basic on Plesk. Consider adding KAM rules via sa-update channels and look into the Spamhaus DQS free tier for better DNSBL coverage within SpamAssassin.

Important note on DNSBLs
Be careful with aggressive blocklists (SpamCop, 0spam) at the SMTP reject level - they can block legitimate mail from large providers like Gmail. Barracuda (b.barracudacentral.org) is the safest choice for hard rejections. Keep aggressive lists inside SpamAssassin where they contribute to the score but don't hard-reject.

Start with the main.cf tweaks, they're low risk and high impact.
==> Always create a backup of the config files before changing them! <==

 

[tanasis]

There are several layers you can add to reduce spam on a Plesk server. Here's what has worked well for us:

Postfix main.cf hardening
Add HELO restrictions and sender validation. This catches a surprising amount of bot traffic before SpamAssassin even sees it:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain

Postscreen
This sits in front of smtpd and handles the bulk of bot connections with minimal resources. It tests connections before spawning a full smtpd process. Highly recommended but requires master.cf changes.

Collaborative spam filtering
Install Razor2, Pyzor and/or DCC alongside SpamAssassin. These check message fingerprints against distributed spam databases. They're especially effective against bulk spam campaigns.

SpamAssassin tuning
The default config is very basic on Plesk. Consider adding KAM rules via sa-update channels and look into the Spamhaus DQS free tier for better DNSBL coverage within SpamAssassin.

Important note on DNSBLs
Be careful with aggressive blocklists (SpamCop, 0spam) at the SMTP reject level - they can block legitimate mail from large providers like Gmail. Barracuda (b.barracudacentral.org) is the safest choice for hard rejections. Keep aggressive lists inside SpamAssassin where they contribute to the score but don't hard-reject.

Start with the main.cf tweaks, they're low risk and high impact.
==> Always create a backup of the config files before changing them! <==

Thank you @Maarten for your reply.

For now, I’ve only implemented the HELO restrictions in Postfix and enabled Spamhaus (spamhaus.net) for DNSBL checks.
I avoided applying more aggressive measures at this stage to minimize the risk of false positives.
Also, Barracuda (barracudacentral.org) is currently closed to new registrations, so it’s not a practical option at the moment.

 

[King555]

Barracuda (barracudacentral.org) is currently closed to new registrations

I did not know that there is a registration required. I use b.barracudacentral.org since many years. I just checked my logfiles and on 2026-03-01 and 2026-02-07 spam mails were blocked by using b.barracudacentral.org.

 

[tanasis]

I did not know that there is a registration required. I use b.barracudacentral.org since many years. I just checked my logfiles and on 2026-03-01 and 2026-02-07 spam mails were blocked by using b.barracudacentral.org.

You are lucky. Barracudacentral.org is currently closed to new registrations

 

[Maarten]

You are lucky. Barracudacentral.org is currently closed to new registrations

What were you trying to sign up for? Can you show us the link?

 

[tanasis]

What were you trying to sign up for? Can you show us the link?

The link http://www.barracudacentral.org/account/register
...and the result "403 Forbidden"

 

[Maarten]

The link http://www.barracudacentral.org/account/register
...and the result "403 Forbidden"

But how did you get there? There is no register option on the .org website.

 

[tanasis]

But how did you get there? There is no register option on the .org website.

I search it from ChatGPT and show me this link.

For now, I’ve only implemented the HELO restrictions in Postfix and enabled Spamhaus (spamhaus.net) for DNSBL checks.




I also use imunify360.








Spam emails continue to arrive en masse to many domains every 2-3 days, but I think that with the above, they have decreased a bit.

Do you have any other suggestion ?

 

[Maarten]

Add b.barracudacentral.org to the DNSBL checks.

Furthermore, install the KAM Ruleset for better spam detection (The McGrail Foundation - Projects):

wget https://mcgrail.com/downloads/kam.sa-channels.mcgrail.com.key
sa-update --import kam.sa-channels.mcgrail.com.key
sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com

And try to install DCC and Razor2.

One word of caution: be very careful with which DNSBLs you use at the SMTP rejection level. Aggressive lists like SpamCop and 0spam can block legitimate mail from large providers (Gmail, Outlook) because they sometimes list entire IP ranges. Barracuda is the safest choice for hard rejections. If you want to use more aggressive lists, do it inside SpamAssassin where they contribute to the score but don't hard-reject.