Resolved Email Domain Blacklisting not working 100%

propz

New Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.56 #4
Hi guys,

I'm having some issues with the email anti spam features.
I've already added 100s of domains to my blocklist, but some emails still come through and I don't know where to look or what I'm doing wrong.

1. Plesk native "Tools & Settings > Mail Server Settings > Black List" handles the server-wide domain blacklist settings. I've added 100s of domains there to block some incoming spam.
- domain.com
- another.com ...

2. Plesk SpamAssassin Extension "Tools & Settings > Spam Filter > Black List" handles email addresses and respective domains. Also added every domain there just in a different format:
- *@domain.com
- *@*.another.com
- *@*different.com
- *@*.xyz

But there are one or two domains that never get blocked. Why is that? Is there some setting that I'm missing or how are these features supposed to work?

The email header is:
smtp.from=eu-west-1.amazonses.com
header.from=spamdomain.com

Any hints or tips for me why it's not working properly?
Should I turn on the protection based on DNS blackhole lists as well?

Mail server settings:
- "Enable DMARC for incoming mail" is on
- "Enable SPF spam protection to check incoming mail" is on
- "SPF checking continues when there are DNS lookup problems" is on
- SPF checking mode: "Reject mail when SPF resolves to fail (deny)"

Thanks in advance!
 
Any hints or tips for me why it's not working properly?
The black list on "Tools & Settings > Mail Server Settings > Black List" is blocking (rejecting) emails based on the envelope sender (also known as Return-Path) of an email. Not the specified From address of an email. Which, as you've already noticed, can both be different.

If emails don't get caught by SpamAssassin even though you've blacklisted the domain, look at the headers of the email to see if the blacklist rule actually got applied. Which should look something like:

Code:
X-Spam-Status: No, score=100.7 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS, HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,T_KAM_HTML_FONT_INVALID, T_SPF_PERMERROR,URIBL_BLOCKED,USER_IN_BLACKLIST,USER_IN_BLOCKLIST autolearn=no

Should I turn on the protection based on DNS blackhole lists as well?
Yes, that would be recommended. See this post for recommended blacklists.
 
Hi @Kaspar and thanks for the quick answer.

I've actually found an old post from you where the original poster had similar problems: Issue - email blacklist not working

I've checked the incoming email header from the undesirable sender and I can't find the X-Spam-Status header.
Here is the full header information of that specific email; it's coming in via Amazon and sent via sendy.co, and all the security measures seem to pass.

Code:
Authentication-Results: xyz.myserver.com; dmarc=fail (p=NONE sp=NONE) smtp.from=eu-west-1.amazonses.com header.from=spamdomain.com; dkim=pass header.d=amazonses.com; spf=pass (sender IP is 54.240.4.6) smtp.mailfrom=0102018c5aa2eec5-02d1d39a-9e0b-42e3-8e9b-6cb19bda543a-000000@eu-west-1.amazonses.com smtp.helo=a4-6.smtp-out.eu-west-1.amazonses.com
Mime-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Ses-Outgoing: 2023.12.11-54.240.4.6
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=shh3fegwg5fppqsuzphvschd53n6ihuv; d=amazonses.com; t=1702327676; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=FGrdZHAhaKdj+D2hFfI3+JVNAoj/WGZkGLSyY17/Hd8=; b=rtFbZcAeN0JXYb2ktOolGNAeNquFX6IV+i1841KHpxP6d+cpPsvNDjlMMJ+4X9NX XdlskNNO/eLADWx3lmYgWbiRjoU74HQD93OqdX9CKCd9jgxtr6IwJEwWg7SZ94FGaet ynqG4FC+CM2SdMLY1uG1Popk5wofIEAd/Xr6zFP0=
Return-Path: <0102018c5aa2eec5-02d1d39a-9e0b-42e3-8e9b-6cb19bda543a-000000@eu-west-1.amazonses.com>
X-Mailer: Sendy (https://sendy.co)
Feedback-Id: 1.eu-west-1.d1XGL/eFLadV8Zq8KX4Dg9wc6uhDSXUlfCDOuyj6+Jk=:AmazonSES
List-Unsubscribe: <https://email.spamdomain.com/unsubscribe/>
X-Original-To: [email protected]
<0102018c5aa2eec5-02d1d39a-9e0b-42e3-8e9b-6cb19bda543a-000000@eu-west-1.amazonses.com>
Received: from a4-6.smtp-out.eu-west-1.amazonses.com (a4-6.smtp-out.eu-west-1.amazonses.com [54.240.4.6]) by s1.propz.de (Postfix) with ESMTPS id 726AA14000C for <[email protected]>; Mon, 11 Dec 2023 21:47:57 +0100 (CET)
Delivered-To: [email protected]
Received-Spf: pass (xyz.myserver.com: domain of eu-west-1.amazonses.com designates 54.240.4.6 as permitted sender) client-ip=54.240.4.6; envelope-from=0102018c5aa2eec5-02d1d39a-9e0b-42e3-8e9b-6cb19bda543a-000000@eu-west-1.amazonses.com; helo=a4-6.smtp-out.eu-west-1.amazonses.com;

Could the missing spam header be the problem? So reconfigure spamassassin or something similar?

And as you've said, the smtp.from is different than header.from.
Is it possible to block the header.from via Plesk backend (somewhere)?
 
If the X-Spam-Status header isn't present in the headers it means that the email message wasn't checked by SpamAssassin. Which usually means that spam filtering isn't enabled for the receiving email account or that the email message's size is larger than the maximum threshold (because it contains an attachment for example).

Did you check if spam filtering was enabled for the email account? If spam filtering is already enabled, does the email have an attachment or is the email message itself larger than 256 kB (the default SpamAssassin file size threshold)?
 
Thanks, that was actually a very good hint.

The server side option was enabled but also the "Apply individual settings to spam filtering".
I checked every account and none of them had the spam filter option active.

I turned the individual settings off and will check if any of the blocked domains come through.
I hope it fixed it.

Just to be clear:
SpamAssassin does the job that I want (header.from) and the native Plesk option just works for the smtp.from?
 
Thank you so much @Kaspar , you really helped me.
That was the important piece of information I was looking for, should also be the reason why it worked for 99% of the blocked domains but not for some specific ones with different FROM headers.
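
The header triage this thread walks through, as an added example (not code from the posts or from Plesk): it reports the envelope-sender domain, the From-header domain, whether a SpamAssassin-style pattern matches, and whether the message was scanned at all. The sample message, the names `diagnose` and `glob_match`, and the exact-domain comparison used for the server-wide list are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the thread: sent through Amazon SES, so the
# envelope sender (Return-Path) and the From header use different domains.
SAMPLE = (
    "Return-Path: <bounce-0001@eu-west-1.amazonses.com>\n"
    "From: Newsletter <news@spamdomain.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def glob_match(pattern, address):
    """Match an address against a '*'/'?' glob such as '*@*.another.com'."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, address, re.IGNORECASE) is not None

def diagnose(raw, server_blacklist, sa_patterns):
    """Report which of the two blacklists could have acted on this message."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    status = msg.get("X-Spam-Status")  # absent => SpamAssassin never scanned it
    tests = set()
    if status:
        found = re.search(r"tests=(.*?)(?:\s+autolearn=|$)", status, re.S)
        if found:
            tests = {t.strip() for t in found.group(1).split(",")}
    return {
        "envelope_domain": envelope.rpartition("@")[2],
        "header_from_domain": header_from.rpartition("@")[2],
        # Assumption: the server-wide list is compared to the envelope domain exactly.
        "server_blacklist_hit": envelope.rpartition("@")[2] in server_blacklist,
        "sa_pattern_hit": any(glob_match(p, header_from) for p in sa_patterns),
        "sa_scanned": status is not None,
        "sa_rule_fired": bool(tests & {"USER_IN_BLACKLIST", "USER_IN_BLOCKLIST"}),
    }

if __name__ == "__main__":
    report = diagnose(SAMPLE, {"spamdomain.com"}, ["*@spamdomain.com"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A report with `sa_pattern_hit` true but `sa_scanned` false is the situation described above: the pattern is correct, but the mailbox never passed the message to SpamAssassin.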
 