Issue Spam protection - DNS blackhole list does not work for one of domains

mcyg

New Pleskian
I had a lot of incoming spam on my mail addresses hosted by Plesk Obsidian.
So I enabled 'Switch on spam protection based on DNS blackhole lists' in /plesk/server/mail/. It definitely took effect for one of the domains and I get a very low amount of spam now. However, it did not take any effect for the other domain and I am still getting a lot of emails that I can manually verify are spam according to Blocklist Removal Center - The Spamhaus Project.
The configuration I set is "zen.spamhaus.org;sbl.spamhaus.org;xbl.spamhaus.org"

Is there a way I can check that this configuration is applied to a given domain / email address?
 
They are listed. I am checking individual domains and IPs of senders on Blocklist Removal Center - The Spamhaus Project.
So it looks to me like for one of the domains this setting from Plesk is not applied (as on the other domains I don't see such emails anymore), but my problem is I have no idea how I can check what settings are really applied for that domain...
 
The blackhole lists that you configure in Plesk apply to all incoming mail. There is no difference between domains, because the mails are processed before they are assigned to a specific domain. What you describe as a symptom is not possible for that reason.
 
OK, I don't know how this works internally; I just described how it looks from my point of view. Introducing this setting reduced the number of spam emails in some of the accounts massively but on others not at all.
Question: if I have the value "zen.spamhaus.org;sbl.spamhaus.org;xbl.spamhaus.org" in the field 'DNS zones for DNSBL service' in Plesk,
am I correct to expect that none of those emails should be delivered into my mailbox?

Received: from tent.eastbaz.com (tent.procars-shop-sk1.com [69.94.131.10])
Received: from tryout.smartstorellc.com (tryout.gratefulhope.com [208.186.113.28])
Received: from assay.shivbhumi.com (assay.jdmbrosllc.com [63.83.73.228])

Those are some fresh examples of senders whose mails are delivered to my account and which are listed here: Blocklist Removal Center - The Spamhaus Project
 

Yes, that is correct. The zen.spamhaus.org list incorporates the others, so there should be nothing going through. Have you checked the "Switch on spam protection..." checkbox? Have you tried to remove the setting and to then enter it again and save it again to make sure that the configuration on disk is the same as shown in the GUI?

Where do you see the "Received: from" lines? They don't seem to be lines from the mail log. Have you checked what is going on in the mail log of your server?
 
Yes, I did check the 'Switch ...' checkbox.
If I uncheck this checkbox and remove the value from the field, after clicking OK the old value still seems to be there; not sure if that is correct behaviour (see attachment). But anyway, I have already saved this field and the whole form a few times at least.
'Received: from' I copied from the webmail headers view. How can I check the mail log on the server?
 
On Linux console, for example on RHEL, CentOS:
# grep "69.94.131.10" /var/log/maillog
On Debian, Ubuntu:
# grep "69.94.131.10" /var/log/mail.log
to find the mail from 69.94.131.10. If it is not in the current log, it might be in maillog.processed instead or an archived (.zip, .gz) version of these. If you have activated anonymization of ip addresses, you might want to search for "69.94.131" instead, because the last octet will probably be 0 in that case. You will also find information similar to this, if the blackhole lists work, for several domains:
Jan 11 08:31:13 bode postfix/smtpd[28924]: NOQUEUE: reject: RCPT from unknown[69.94.131.10]: 554 5.7.1 Service unavailable; Client host [69.94.131.10] blocked using zen.spamhaus.org; ... ; from=<...@...> to=<[email protected]> proto=ESMTP helo=<...>
 
Thank you. These are the logs I can find for that IP from today:

Jan 11 09:49:30 168 postfix/smtpd[23375]: connect from tent.procars-shop-sk1.com[69.94.131.10]
Jan 11 09:49:30 168 postfix/smtpd[23375]: B630842A46: client=tent.procars-shop-sk1.com[69.94.131.10]
Jan 11 09:49:30 168 postfix/smtpd[23375]: B630842A46: milter-reject: DATA from tent.procars-shop-sk1.com[69.94.131.10]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<##################> proto=ESMTP helo=<tent.tajindiatour.co>
Jan 11 09:49:30 168 postfix/smtpd[23375]: disconnect from tent.procars-shop-sk1.com[69.94.131.10] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
Jan 11 09:56:51 168 postfix/anvil[23120]: statistics: max connection rate 1/60s for (smtp:69.94.131.10) at Jan 11 09:49:30
Jan 11 09:56:51 168 postfix/anvil[23120]: statistics: max connection count 1 for (smtp:69.94.131.10) at Jan 11 09:49:30
Jan 11 10:03:50 168 postfix/smtpd[23617]: connect from tent.procars-shop-sk1.com[69.94.131.10]
Jan 11 10:03:51 168 postfix/smtpd[23617]: 1F1AE42D10: client=tent.procars-shop-sk1.com[69.94.131.10]
Jan 11 10:03:51 168 postfix/smtpd[23617]: 1F1AE42D10: milter-reject: DATA from tent.procars-shop-sk1.com[69.94.131.10]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<###################> proto=ESMTP helo=<tent.eastbaz.com>
Jan 11 10:03:51 168 postfix/smtpd[23617]: disconnect from tent.procars-shop-sk1.com[69.94.131.10] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
Jan 11 10:07:11 168 postfix/anvil[23619]: statistics: max connection rate 1/60s for (smtp:69.94.131.10) at Jan 11 10:03:50
Jan 11 10:07:11 168 postfix/anvil[23619]: statistics: max connection count 1 for (smtp:69.94.131.10) at Jan 11 10:03:50
Jan 11 10:34:20 168 postfix/smtpd[24713]: connect from tent.procars-shop-sk1.com[69.94.131.10]
Jan 11 10:34:20 168 postfix/smtpd[24713]: 9CBA042A46: client=tent.procars-shop-sk1.com[69.94.131.10]
Jan 11 10:34:21 168 postfix/smtpd[24713]: disconnect from tent.procars-shop-sk1.com[69.94.131.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
 
These are outgoing mails, not incoming.

When you see the "Received: from" line in the mail header, is it really the last hop before reception? Maybe the spam is not coming directly from there but is a forward through another server that is not blocked.
 
The full Received header for another IP (also listed on the blacklist) is:

Received: from cap.onepwaa.com (cap.gratefulhope.com [208.187.167.8])
by ####MY IP###### (Postfix) with ESMTP id 9C3C042B58
for <###MY EMAIL ADDRESS####>; Sat, 11 Jan 2020 13:52:17 +0100 (CET)
 
Maybe we should stick to one IP address first. There could be different cases with different IP addresses.

For a spam received from 69.94.131.10 it would be helpful to find the corresponding log lines in your mail log and also check the mail header in full.
 
@Peter Debik Those emails are already removed, but I will show another example:
https://www.spamhaus.org/query/ip/45.82.32.142

Received: from bee.bpdaswss.com (bee.oliviertylczak.com [45.82.32.142])
by 1xxxxxxxxxx (Postfix) with ESMTP id 775473F059
for <xxxxxxxxxx>; Fri, 17 Jan 2020 23:32:54 +0100 (CET)

I do not have /var/log/mail.log, so I am looking in maillog.processed

root@168:/var/log# grep "45.82.32.142" maillog.processed
Jan 17 22:56:58 168 postfix/smtpd[26400]: connect from bee.oliviertylczak.com[45.82.32.142]
Jan 17 22:56:58 168 postfix/smtpd[26400]: A2CAC3F059: client=bee.oliviertylczak.com[45.82.32.142]
Jan 17 22:56:58 168 postfix/smtpd[26400]: A2CAC3F059: milter-reject: DATA from bee.oliviertylczak.com[45.82.32.142]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<xxxxxxxxxxxxxxxx> proto=ESMTP helo=<bee.bpdaswss.com>
Jan 17 22:56:58 168 postfix/smtpd[26400]: disconnect from bee.oliviertylczak.com[45.82.32.142] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
Jan 17 23:11:11 168 postfix/smtpd[27830]: connect from bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:11:11 168 postfix/smtpd[27830]: D88D33F059: client=bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:11:11 168 postfix/smtpd[27830]: D88D33F059: milter-reject: DATA from bee.oliviertylczak.com[45.82.32.142]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<xxxxxxxxxxxxxxxx> proto=ESMTP helo=<bee.bpdaswss.com>
Jan 17 23:11:11 168 postfix/smtpd[27830]: disconnect from bee.oliviertylczak.com[45.82.32.142] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
Jan 17 23:14:59 168 postfix/anvil[27832]: statistics: max connection rate 1/60s for (smtp:45.82.32.142) at Jan 17 23:11:11
Jan 17 23:14:59 168 postfix/anvil[27832]: statistics: max connection count 1 for (smtp:45.82.32.142) at Jan 17 23:11:11
Jan 17 23:26:58 168 postfix/smtpd[28998]: connect from bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:26:58 168 postfix/smtpd[28998]: DF1613F059: client=bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:26:59 168 postfix/smtpd[28998]: disconnect from bee.oliviertylczak.com[45.82.32.142] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 17 23:32:54 168 postfix/smtpd[29700]: connect from bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:32:54 168 postfix/smtpd[29700]: 775473F059: client=bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:32:54 168 postfix/smtpd[29700]: disconnect from bee.oliviertylczak.com[45.82.32.142] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Also I found other related issues:
Question - DNSBL configuration
Resolved - Spamassasin with DNSBL, avoiding URIBL_BLOCKED
 
It does not look right to me.

The lines

Jan 17 23:32:54 168 postfix/smtpd[29700]: connect from bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:32:54 168 postfix/smtpd[29700]: 775473F059: client=bee.oliviertylczak.com[45.82.32.142]
Jan 17 23:32:54 168 postfix/smtpd[29700]: disconnect from bee.oliviertylczak.com[45.82.32.142] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

are the relevant lines according to the received-header. However, there should be a "delivered to" line, too, like

Jan 17 23:32:54 [hostname] postfix/pipe[29700]: 775473F059: to=<xxxxxxxxxxx>, relay=plesk_virtual, delay=0.65, delays=0.2/0/0/0.45, dsn=2.0.0, status=sent (delivered via plesk_virtual service)

that indicates delivery of the message into the mailbox. The lines you are providing in my opinion show nothing but a connect from an external server with no further information on what's been done to the mail finally. And indeed, instead of the "delivered via plesk_virtual service" line that is missing, there should be something like "status=deferred (Message can not be delivered at this time )" or "blocked using zen.spamhaus.org" or similar. This is missing, too. Have the configuration files of the mail server been altered outside Plesk? Is this an authentic (default) Plesk installation?

I am afraid I am no good help in this case. The log entries look strange to me as if these are only part of what should have been logged.
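As an added example (not code from this thread, from Plesk or from Postfix), a small Python parser that applies the check described above to constructed Postfix log lines modelled on the excerpts in this thread: it groups lines by queue ID, records whether each message was milter-rejected, delivered (status=sent) or has no final disposition at all, and separately collects the NOQUEUE rejects a working DNS blackhole list produces. Hostnames, IPs, addresses and queue IDs in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpts in this thread; hosts, IPs
# (RFC 5737 ranges), addresses and queue IDs are placeholders, not real data.
SAMPLE_LOG = """\
Jan 17 22:56:58 mx postfix/smtpd[26400]: A2CAC3F059: client=bad.example.net[192.0.2.10]
Jan 17 22:56:58 mx postfix/smtpd[26400]: A2CAC3F059: milter-reject: DATA from bad.example.net[192.0.2.10]: 451 4.7.1 Service unavailable - try again later; from=<a@bad.example.net> to=<user@example.org> proto=ESMTP helo=<bad.example.net>
Jan 17 23:32:54 mx postfix/smtpd[29700]: connect from bad.example.net[192.0.2.10]
Jan 17 23:32:54 mx postfix/smtpd[29700]: 775473F059: client=bad.example.net[192.0.2.10]
Jan 17 23:32:54 mx postfix/smtpd[29700]: disconnect from bad.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 17 23:40:00 mx postfix/smtpd[29900]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<x@spam.example> to=<user@example.org> proto=ESMTP helo=<spam.example>
Jan 17 23:45:00 mx postfix/smtpd[30000]: 1234ABCD00: client=good.example.com[203.0.113.5]
Jan 17 23:45:01 mx postfix/pipe[30001]: 1234ABCD00: to=<user@example.org>, relay=plesk_virtual, delay=0.65, delays=0.2/0/0/0.45, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
"""

# "<daemon>[pid]: <queue id>: <rest>" for lines that belong to a queued message
QUEUE_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{10,}): (.*)$")
# Pre-queue DNSBL reject: no queue id; capture client host, IP and the list that hit
NOQUEUE_RE = re.compile(r"NOQUEUE: reject: RCPT from ([^\s\[]+)\[([\d.]+)\].*?blocked using ([\w.\-]+)")

def classify(log_text):
    """Return (outcomes, dnsbl_rejects): outcomes maps queue id -> client and final
    disposition ('milter-reject', a status word such as 'sent', or 'no final disposition')."""
    outcomes = defaultdict(lambda: {"client": None, "outcome": "no final disposition"})
    dnsbl_rejects = []
    for line in log_text.splitlines():
        m = NOQUEUE_RE.search(line)
        if m:
            dnsbl_rejects.append({"host": m.group(1), "ip": m.group(2), "list": m.group(3)})
            continue
        m = QUEUE_RE.search(line)
        if not m:
            continue  # connect/disconnect/anvil lines carry no queue id
        qid, rest = m.groups()
        rec = outcomes[qid]
        if rest.startswith("client="):
            rec["client"] = rest[len("client="):]
        elif rest.startswith("milter-reject:"):
            rec["outcome"] = "milter-reject"
        elif (st := re.search(r"status=(\w+)", rest)):
            rec["outcome"] = st.group(1)  # sent / deferred / bounced ...
    return dict(outcomes), dnsbl_rejects

def undetermined(outcomes):
    """Queue ids that accepted a client but never logged a reject or a delivery status."""
    return sorted(q for q, r in outcomes.items()
                  if r["client"] and r["outcome"] == "no final disposition")
```

Run it over your own maillog instead of SAMPLE_LOG; any queue ID that `undetermined()` reports is a message whose fate the log does not explain, which is the gap pointed out above.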
 
Yes, it is a default Plesk installation, quite a fresh one, installed on a new server less than a month ago.
I changed one configuration outside Plesk, which was the hostname of outgoing emails, since it was not possible to do that via Plesk. I did not change anything else outside Plesk.
 