
Author Topic: Added to SPAMHAUS  (Read 6410 times)


Offline MRatWork

Re: Added to SPAMHAUS
« Reply #15 on: 2019-07-04, 17:13:41 »
Select one of your domains and then click 'Email Auth'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline idove

Re: Added to SPAMHAUS
« Reply #16 on: 2019-07-04, 17:27:37 »
Thank you, I knew about Email Auth. Both options, SPF and DMARC, were already enabled for all domains.

You don't think that multiple HELO is the problem? Can I manually disable/hand-change it just for testing purposes?
Is there anything else I'm missing?
« Last Edit: 2019-07-04, 17:50:17 by idove »

Offline idove

Re: Added to SPAMHAUS
« Reply #17 on: 2019-07-04, 21:03:16 »
No. DMARC didn't exist.

Now I remembered that I changed my domain name registration from name.com > namesilo.com, and the DMARC, SPF and DKIM TXT DNS data aren't on my server but must be on Namesilo. Namesilo record edited.

The DMARC record should now be OK.

[!] DMARC Policy Not Enabled   DMARC Quarantine/Reject policy not enabled   
[OK] DMARC Record Published   DMARC Record found   
[OK] DNS Record Published   DNS Record found

Offline idove

Re: Added to SPAMHAUS
« Reply #18 on: 2019-07-05, 13:03:26 »
OK,
DMARC fixed,
and sendmail, all emails currently BANNED:

But still, today I get blacklisted again :(.

This IP address was detected and listed 56 times in the past 28 days, and 2 times in the past 24 hours. The most recent detection was at Fri Jul 5 09:25:00 2019 UTC +/- 5 minutes
I can't figure out what the trigger was today at Fri Jul 5 09:25:00 2019 UTC +/- 5.


Is there a possibility and a reason that my server is sending multiple HELO for different domains on the same IP address?

Thank you.

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #19 on: 2019-07-05, 13:16:25 »
I am not sure about the latest version, but old versions of Roundcube have trouble.

Try uninstalling Roundcube with 'yum remove kloxomr-webmail-roundcube -y'.

But report the output of 'yum list kloxomr-webmail*'.

Offline idove

Re: Added to SPAMHAUS
« Reply #20 on: 2019-07-05, 17:57:36 »
I'm not sure why you are ignoring my problem, please assist, thank you.
Anyway, here again is the reply from abuseat.org on why my IP address is blacklisted:

--
Hello,

77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 6, FQDNs: 6, list:
de**ic.com,e**s.hr,me**al.hr,mo**er.info,mo**ka.net,mo**md.hr);

In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and its owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.

--

What can you advise? I have tested, and they are correct, I'm sending a different HELO for different domains on the same IP server. How can I fix that? Is that the way Kloxo MR works? Is this wrong? Is this a new feature (I recently upgraded the server and Kloxo MR)?


Here is how to test HELO:
https://www.abuseat.org/helocheck.html

And here there are suggestions for other panels:
PLESK >> https://www.abuseat.org/PleskAvoid.html
CPANEL >> https://www.abuseat.org/cPanel.html


Please assist,
thank you.

And for the end:
--
Strictly speaking, using different names in the HELO/EHLO from the same
IP address is not a violation of the Email RFC standards. However, it is
clear that the RFCs are intending that the HELO/EHLO identifies who owns
the mail server. Furthermore, using multiple HELO/EHLO names is highly
frowned upon in many mail sender Best Current Practise (BCP) documents,
such as those from the OECD and M3AAWG.

It is sometimes claimed that using a common name for the HELO/EHLO causes
problems with SPF/SenderID. Nothing could be further from the truth, as
witnessed by the fact that the very largest multi-domain hosters (such as
gmail, yahoo etc) use the same domains for all of their mail servers.

--
« Last Edit: 2019-07-05, 18:02:40 by idove »

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #21 on: 2019-07-05, 18:19:15 »
Check all cron jobs. Google to find out where all cron files exist and then investigate them.

Offline idove

Re: Added to SPAMHAUS
« Reply #22 on: 2019-07-05, 19:02:14 »
Check all cron jobs. Google to find out where all cron files exist and then investigate them.

What are you assuming, that there is something in cron sending SPAM?!
I've checked all the cron files and nothing is suspicious.

Why do you ignore my previous post about HELO? You think that this is irrelevant?

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #23 on: 2019-07-06, 05:02:56 »
Try 'rkhunter --check' and 'maldet -a'. And then check their log files (also from 'log manager' in panel).

Offline idove

Re: Added to SPAMHAUS
« Reply #24 on: 2019-07-09, 12:32:37 »
Thank you, rkhunter and maldet, nothing suspicious :(.

Anyway, I think I found how to define HELO to be only from the main server address for qmail.
/var/qmail/control/outgoingips
should be empty.

If it's empty then it sends the HELO setting which is in the mail server settings in Kloxo,
otherwise this file looks like this

domain1.com 1.2.3.4
domain2.com 1.2.3.4
domain3.com 1.2.3.4

And it sends a HELO for every domain on the same IP address using the client's domain name, and that can be marked as spam at SPAMHAUS.


More info here:
https://github.com/mamapitufo/qmail-outgoingips

You can check with sending email to helocheck@abuseat.org,
also some info here:
https://www.abuseat.org/qmailhelp.html


Now I will see in a few days if it will also be OK with Spamhaus and Abuseat.
« Last Edit: 2019-07-09, 19:10:38 by idove »
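
An added example (not part of the original posts and not Kloxo-MR code): a shell check that reads a file in the 'domain ip' layout shown in reply #24 and reports every IP that would announce more than one HELO name, which is the condition the CBL message describes. The function name 'helo_audit' is hypothetical, the default path is the one given in the post, and the sample data is constructed.

```shell
#!/bin/sh
# helo_audit [FILE]
# FILE defaults to the path named in the post. Layout assumed from the
# post: one "<domain> <ip>" pair per line.
# Prints one line per IP mapped to two or more distinct domains:
#   <ip> <count> <comma-separated domains>
# Returns 1 if any such IP exists, 0 otherwise. A missing or empty file
# (the state the post recommends) returns 0.
helo_audit() {
    file=${1:-/var/qmail/control/outgoingips}
    [ -s "$file" ] || return 0
    awk '
        NF < 2 { next }                      # skip blank or malformed lines
        {
            d = tolower($1); ip = $2         # domain names are case-insensitive
            if (!((ip, d) in seen)) {        # count each domain once per IP
                seen[ip, d] = 1
                count[ip]++
                names[ip] = (names[ip] == "" ? d : names[ip] "," d)
            }
        }
        END {
            bad = 0
            for (ip in count)
                if (count[ip] > 1) { print ip, count[ip], names[ip]; bad = 1 }
            exit bad
        }
    ' "$file"
}

# Constructed sample mirroring the layout shown in the post.
sample=$(mktemp)
printf '%s\n' 'domain1.com 1.2.3.4' 'domain2.com 1.2.3.4' \
              'domain3.com 1.2.3.4' > "$sample"
helo_audit "$sample" || echo "one IP is announcing several HELO names"
rm -f "$sample"
```
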

 

