
Author Topic: Added to SPAMHAUS  (Read 6418 times)


Offline idove

Added to SPAMHAUS
« on: 2019-07-03, 14:47:46 »
I have been added to Spamhaus 47 times in the last 28 days, and I was unable to detect the problem until today.
I did an update one month ago (yum update, then ran the clean and fix scripts); maybe this is the reason and something got misconfigured, but I couldn't detect the problem until today.

Can I get some assistance? I can send the domain and/or IP as a PM.

For cPanel and Plesk they recommend the following links:
https://www.abuseat.org/PleskAvoid.html
https://www.abuseat.org/cPanel.html

Code:
RESULTS OF LOOKUP (from abuseat.org)
77.81.x.x is listed

This IP address was detected and listed 47 times in the past 28 days, and 6 times in the past 24 hours. The most recent detection was at Wed Jul 3 10:15:00 2019 UTC +/- 5 minutes

This IP address was self-removed 1 times in the past week.

New: many of these listings are caused by a MikroTik Router compromise. If you have a Microtik router, please consult this entry on the MikroTik Support Forum

If this IP address is NOT a shared hosting IP address, this IP address is infected with/emitting spamware/spamtrojan traffic and needs to be fixed. Find and remove the virus/spamware problem then use the CBL delisting link below.

CRITICALLY IMPORTANT, Read Carefully: In some unusual cases, IP addresses used in shared hosting (especially those using IPSwitch Imail, Plesk or Cpanel/WHM) can trigger CBL listings. If this is an IP address shared amongst many customers, make sure that your mail server software is set up to identify _itself_ in its mail connections, not each of your customers.

Many of these packages contain features that attempt to assign each customer a dedicated virtual IP address, so that each customer's stream of email comes from a different IP address. However, in many cases the package is unable to actually bind to a virtual address (and hence uses the server's primary IP address regardless), or, there are more customers than there are IP addresses, and the customers without dedicated IP address all end up using the same IP address - the server primary IP address.

To the receiving systems, an IP address that appears unable to decide what it's own name is hence highly suspect, and is in fact imitating malicious spamware.

Strictly speaking, using different names in the HELO/EHLO from the same IP address is not a violation of the Email RFC standards. However, it is clear that the RFCs are intending that the HELO/EHLO identifies who owns the mail server. Furthermore, using multiple HELO/EHLO names is highly frowned upon in many mail sender Best Current Practise (BCP) documents, such as those from the OECD and M3AAWG.

It is sometimes claimed that using a common name for the HELO/EHLO causes problems with SPF/SenderID. Nothing could be further from the truth, as witnessed by the fact that the very largest multi-domain hosters (such as gmail, yahoo etc) use the same domains for all of their mail servers.

The following web pages will give you an assist in ensuring the configuration is set up correctly.

If you are using Plesk, see this link.

If you are using cPanel, see this link.

SELF REMOVAL:
Normally, you can remove the CBL listing yourself. If no removal link is given below, follow the instructions, and come back and do the lookup again, and the removal link will appear.

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #1 on: 2019-07-03, 16:23:09 »
Check 'Mail Queue' to know which domain is sending emails. Then go to 'clients > (client)' and click 'Sendmail to bans'.

With this action, the client/domains can't send email.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline idove

Re: Added to SPAMHAUS
« Reply #2 on: 2019-07-03, 16:52:22 »
Thank you, but what do you mean? Sorry, I don't understand.
In the qmail queue there is only 1 mail that has not been delivered. Only one. I checked that email via the maillog and the content of the message is normal and unencrypted, so I can see it looks like a normal email.

All I know from spamhaus/abuseat.org is that the problem occurred 6 times in the last 24 hours, and the last suspicious mail was allegedly sent today at 10:15 UTC (+/- 5 min). But from the maillog I can't detect a suspicious one at all.

From spamhaus or abuseat.org I don't get more details about that matter, just the one that I sent in the previous post.

Can I somehow detect that from the qmail queue? Did I misunderstand you?
Thank you.

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #3 on: 2019-07-03, 17:29:45 »
Add '/' and enable 'As Absolute Path' for 'Sendmail to bans' under 'admin', and then investigate the 'mail queue' for a couple of days.

Offline idove

Re: Added to SPAMHAUS
« Reply #4 on: 2019-07-03, 18:11:16 »
Like that?

Do you think that sendmail (the PHP script) sends those emails?
What do I get with that?

I noticed that now I can't send anymore via sendmail.

Tnx.

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #5 on: 2019-07-03, 18:55:10 »
With '/' for '/home/admin' and 'As Absolute Path' enabled, all sendmail calls (from PHP code, for example) under '/home' (and below it) will be 'banned'.

So, go to a certain client to make 'sendmail to ban' if you want.

Offline idove

Re: Added to SPAMHAUS
« Reply #6 on: 2019-07-04, 07:54:24 »
Thank you for the reply. With that option, yes, all sendmail is banned. I can't send any of them via sendmail, that's ok. But they also aren't shown in the Mail Queue.

Anyway, today I received a reply from abuseat.org, so there is more info on why I keep getting blacklisted.

My server is sending a different HELO for each domain on it.
Here is the reply from abuseat.org.

Code:
Hello,

77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 5, FQDNs: 5, list:
ab**ro.hr, ce**ic.hr, mo**er.info, mo**ka.net, te**ma.hr);

In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and it's owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.

If you don't have such a mail server, there is most likely a spam sending
infection.

Most recent detection was at 2019/07/03 18:50:00 (UTC) (+/- 5 minutes)

You will need to examine the machine for a spam trojan or open proxy.
Up-to-date anti-virus tools are essential.

If the IP is a NAT firewall, we strongly recommend configuring the
firewall to prevent machines on your network connecting to the Internet
on port 25, except for machines that are supposed to be mail servers.

Useful links:

  1.  The Basics of Securing your Server - Australian Communications and
    Media Authority (ACMA)[1]

  2.  Web Server Security and Database Server Security - Acunetix[2]

  3.  A comprehensive list of Information Security Resources from SANS[3]

For more information on securing NAT firewalls/gateways, please see The
CBL on NATs[4]

Full lookup page included below for completeness.

77.81.*.* has been removed.

Note: the IP address is subject to relisting again if the problem recurs.


Also note: this removal will have taken effect immediately
within our database and for the most part the now-removed listing
will no longer affect you within half an hour.  However, with
some receiving installations it can take a few hours.


========================================================

New: many of these listings are caused by a MikroTik Router compromise.
If you have a Microtik router, please consult this entry on the MikroTik
Support Forum[5]

If this IP address is NOT a shared hosting IP address, this IP address is
infected with/emitting spamware/spamtrojan traffic and needs to be fixed.
Find and remove the virus/spamware problem then use the CBL delisting
link below.

CRITICALLY IMPORTANT, Read Carefully: In some unusual cases, IP addresses
used in shared hosting (especially those using IPSwitch Imail, Plesk or
Cpanel/WHM) can trigger CBL listings. If this is an IP address shared
amongst many customers, make sure that your mail server software is set
up to identify _itself_ in its mail connections, not each of your
customers.

Many of these packages contain features that attempt to assign each
customer a dedicated virtual IP address, so that each customer's stream
of email comes from a different IP address. However, in many cases the
package is unable to actually bind to a virtual address (and hence uses
the server's primary IP address regardless), or, there are more customers
than there are IP addresses, and the customers without dedicated IP
address all end up using the same IP address - the server primary IP
address.

To the receiving systems, an IP address that appears unable to decide
what it's own name is hence highly suspect, and is in fact imitating
malicious spamware.

Strictly speaking, using different names in the HELO/EHLO from the same
IP address is not a violation of the Email RFC standards. However, it is
clear that the RFCs are intending that the HELO/EHLO identifies who owns
the mail server. Furthermore, using multiple HELO/EHLO names is highly
frowned upon in many mail sender Best Current Practise (BCP) documents,
such as those from the OECD and M3AAWG.

It is sometimes claimed that using a common name for the HELO/EHLO causes
problems with SPF/SenderID. Nothing could be further from the truth, as
witnessed by the fact that the very largest multi-domain hosters (such as
gmail, yahoo etc) use the same domains for all of their mail servers.

The following web pages will give you an assist in ensuring the
configuration is set up correctly.

If you are using Plesk, see this link[6].

If you are using cPanel, see this link[7].



1. http://www.acma.gov.au/Citizen/Internet/esecurity/Online-identity/securing-your-server-internet-safety-acma
2. https://www.acunetix.com/websitesecurity/webserver-security/
3. https://www.sans.org/security-resources/
4. https://abuseat.org/nat.html
5. https://forum.mikrotik.com/viewtopic.php?t=133533
6. https://abuseat.org/PleskAvoid.html
7. https://abuseat.org/cPanel.html



--
Ray, CBL Team



I tried to send mail from the mo**ka.net domain to helocheck@abuseat.org; this "howto" is explained here:
https://www.abuseat.org/helocheck.html

And I believe this is the response in the maillog:
Code:
Jul  4 08:02:38 server send: delivery 200: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**ka.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./


Then I tried to send mail from the same server as mo**er.info and mo**je.com; here are the responses:

Code:
Jul  4 08:14:38 server send: delivery 224: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**je.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./


Jul  4 08:24:52 server send: delivery 231: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**er.info'_(valid_syntax)_***/Giving_up_on_54.93.50.35./


And in the mail server settings, my mail server name is configured as: mo**er.info
Is that a new feature of Kloxo-MR, or?

Thank you for your reply.
« Last Edit: 2019-07-04, 08:39:55 by idove »
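As an added illustration (not from this thread or from Kloxo-MR), a small parser that pulls the HELO name quoted in each helocheck@abuseat.org reply out of qmail "send" log lines of the shape shown above, counts how many distinct HELO names each of your IPs presented, and flags the ones that are not the server's own name. The log lines and addresses are constructed samples; the regex assumes qmail's underscore-for-space encoding of the remote host's message, as seen in the lines above.

```python
import re
from collections import Counter

# Constructed sample qmail "send" log lines in the shape shown in the thread:
# delivery failures whose 550 text quotes the HELO name helocheck saw for our IP.
# qmail encodes spaces in the remote host's message as underscores.
# 203.0.113.9 stands in for the sending server, 198.51.100.7 for the checker.
SAMPLE_MAILLOG = """\
Jul  4 08:02:38 server send: delivery 200: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.7_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.9_was_'customer-a.example'_(valid_syntax)_***/Giving_up_on_198.51.100.7./
Jul  4 08:14:38 server send: delivery 224: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.7_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.9_was_'customer-b.example'_(valid_syntax)_***/Giving_up_on_198.51.100.7./
Jul  4 08:24:52 server send: delivery 231: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.7_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.9_was_'mail.example'_(valid_syntax)_***/Giving_up_on_198.51.100.7./
Jul  4 08:30:01 server send: delivery 240: success: 198.51.100.8_accepted_message./Remote_host_said:_250_ok/
Jul  4 08:31:10 server send: delivery 241: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.7_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.9_was_'customer-a.example'_(valid_syntax)_***/Giving_up_on_198.51.100.7./
"""

# Matches the helocheck reply fragment; the HELO name is quoted in single quotes.
HELO_RE = re.compile(r"The_HELO_for_IP_address_(?P<ip>[0-9.]+)_was_'(?P<helo>[^']+)'")


def helo_names_by_ip(log_text):
    """Map each sending IP to a Counter of HELO names helocheck reported for it.

    Lines without a helocheck reply (ordinary successes or failures) are skipped.
    """
    seen = {}
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if not m:
            continue
        seen.setdefault(m.group("ip"), Counter())[m.group("helo")] += 1
    return seen


def flag_multi_helo(log_text, expected_helo):
    """Report, per IP, how many distinct HELO names were used and which differ
    from expected_helo (the server's own name, which should also match its PTR).

    An IP with more than one distinct name is the condition the CBL describes.
    """
    report = {}
    for ip, names in helo_names_by_ip(log_text).items():
        unexpected = sorted(n for n in names if n != expected_helo)
        report[ip] = {"distinct": len(names), "unexpected": unexpected}
    return report


if __name__ == "__main__":
    for ip, info in flag_multi_helo(SAMPLE_MAILLOG, "mail.example").items():
        print(ip, "distinct HELO names:", info["distinct"], "unexpected:", info["unexpected"])
```

Run it over the real /var/log/maillog after a few helocheck probes from different hosted domains; any name in "unexpected" is a domain whose mail is being sent with its own HELO instead of the server's.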

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #7 on: 2019-07-04, 11:18:22 »

Offline idove

Re: Added to SPAMHAUS
« Reply #8 on: 2019-07-04, 11:54:14 »
Read https://www.network-box.com/faq-email-failure-e

Thank you, I read it. Not sure what you are trying to tell me. Am I blacklisted because my clients' domains are sending emails to non-existing addresses (existing domains, non-existing users)?


I'm confused, because as far as I understand, abuseat.org claims that my IP is added to their blacklist because I'm using too many domains in HELO when sending emails. They claim that it should be only one, the domain of the server, not the domain of the client on this server. My server name is mo**er.info, and this is also configured in the mail server configuration.
Is that possible to achieve? I mean that HELO sends the name/domain of the server, not the names of the multiple domains on this server.

Here is again their explanation:
Code:
77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 5, FQDNs: 5, list:
ab**ro.hr, ce**ic.hr, mo**er.info, mo**ka.net, te**ma.hr);

In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and it's owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.

Just in addition to that, they recommend how to configure these options in
PLESK >> https://www.abuseat.org/PleskAvoid.html
CPANEL >> https://www.abuseat.org/cPanel.html

Is that possible for Kloxo? Where does qmail take the HELO value from when sending email? Thank you.
« Last Edit: 2019-07-04, 12:15:18 by idove »

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #9 on: 2019-07-04, 12:46:04 »
Is the domain in 'mail server configure' the same as the 'reverse-dns' (aka RDNS or PTR)?

Offline idove

Re: Added to SPAMHAUS
« Reply #10 on: 2019-07-04, 14:17:04 »
Yes, it is the same.
mo**er.info, in the mail configuration and as rDNS.

Is it possible to change it so that every domain on the server sends the same HELO? Where is that configured? Can I change it manually?

Thank you.

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #11 on: 2019-07-04, 14:56:17 »
Check your domain to mxtoolbox.com.

Offline idove

Re: Added to SPAMHAUS
« Reply #12 on: 2019-07-04, 15:23:28 »
I've checked on mxtoolbox and intodns, and it seems alright to me.
I already sent you my domain by PM. Please check.

Tnx.

Offline MRatWork

Re: Added to SPAMHAUS
« Reply #13 on: 2019-07-04, 16:39:59 »
No. DMARC didn't exist.

Offline idove

Re: Added to SPAMHAUS
« Reply #14 on: 2019-07-04, 17:00:41 »
DMARC is enabled for that particular domain in the settings, but it is not OK for this domain. How do I fix it?
Code:
DMARC Policy Not Enabled
DMARC Quarantine/Reject policy not enabled

Anyway, I'm not sure how this is connected with the problem with multiple domains.
Is there any way to send HELO as the server domain for all domains? Can I manually change it to send the same HELO for all clients/domains, the multiple domains on this shared hosting VPS?

I have had this problem since the server upgrade/update; not sure if this is related or not.
« Last Edit: 2019-07-04, 17:06:56 by idove »
