Question DNSBL Protection giving away my Spamhaus DQS key

[abanico]

Server operating system version

Almalinux 9.7

Plesk version and microupdate number

Plesk Obsidian 18.0.74 #3

Hi everyone!

I am using Spamhaus DQS as DNSBL in Plesk 18.0.74 #3 and I am encountering a problem: when the system rejects a request if it is listed in Spamhaus, the server responds with:

554 5.7.1 Service unavailable; Client host [XX.XX.XX.XX] blocked using f15cx3pfrsh6njmmz5gv6emgrn.zen.dq.spamhaus.net; Listed by XBL, see https://check.spamhaus.org/query/

and that includes the DQS key! (the key pasted here is not my real key for security reasons!) I cannot find anywhere to modify the message that is returned to the rejected system. Can anyone assist me?

Thank you all!

 

[Kaspar]

The Spamhaus documentation describes how you can modify the Postfix configuration to hide your DQS key.

 

[King555]

Is it really a problem that the key is revealed? I guess I have the same problem then.

 

[mow]

Is it really a problem that the key is revealed? I guess I have the same problem then.

"Pricing is based on users and query volume," so if your key leaks I guess that key's query volume and therefore the price goes through the roof ...

 

[abanico]

The Spamhaus documentation describes how you can modify the Postfix configuration to hide your DQS key.

Thank you Kaspar! But... it is safe to edit the main.cf file in Plesk? It is not overwritten by plesk?

Is it really a problem that the key is revealed? I guess I have the same problem then.

It may be a problem, even if you use the free DQS service, as the spammer can use it so you can be banned for overusing, or if it is the paid one, to inflate your bill.

 

[Kaspar]

Thank you Kaspar! But... it is safe to edit the main.cf file in Plesk? It is not overwritten by plesk?

Not usually, but no guarantees this won't ever happen.

The alternative is to configure SH DQS for use with SpamAssassin instead of using it as a DNSBL. That way spam won't be rejected, but SpamAssassin will filter email based on the DQS lists. Documentation for configuring SpamAssassin is available here on GitHub.

 

[ChristophRo]

The "rbl_reply_maps" parameter does not get touched/changed by Plesk on upgrades or mail repairs and so far we've never ever had this setting overwritten or deleted on any of our servers.
So i'ts save to assume, that unless something extraordinary happens, you're save.

 

[Kaspar]

By the way, if you're using the free tier of Spamhaus DQS I can recommend using the Guardian Mail from Abusix too (or perhaps even instead of Spamhaus). It's a similar blocklist service as Spamhaus, but I've found Abusix's block lists to be slightly better. It's not a huge difference, but enough to keep me impressed.

 

[abanico]

The "rbl_reply_maps" parameter does not get touched/changed by Plesk on upgrades or mail repairs and so far we've never ever had this setting overwritten or deleted on any of our servers.
So i'ts save to assume, that unless something extraordinary happens, you're save.

Great! thank you for the info. I did the modifications as recommended using the rbl_reply_maps, fingers crossed!

By the way, if you're using the free tier of Spamhaus DQS I can recommend using the Guardian Mail from Abusix too (or perhaps even instead of Spamhaus). It's a similar blocklist service as Spamhaus, but I've found Abusix's block lists to be slightly better. It's not a huge difference, but enough to keep me impressed.

Oh! great, I didn't know Abusix. I will take a look. These days I'm doing fine tuning of the servers because the spam is becoming increasingly sophisticated, and last week a client sent me samples of a phishing email that worried me greatly, so anything that hardens the server is welcome.

Cheers!