MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Technical Helps => Topic started by: idove on 2019-07-03, 14:47:46

Title: Added to SPAMHAUS
Post by: idove on 2019-07-03, 14:47:46
I have been added to Spamhaus 47 times in the last 28 days, and I was unable to detect the problem until today.
I did an update one month ago (yum update, then ran the clean and fix scripts); maybe this is the reason and something is misconfigured, but I couldn't detect the problem until today.

Can I get some assistance? I can send the domain and/or IP by PM.

For cPanel and Plesk they recommend the following links,
https://www.abuseat.org/PleskAvoid.html
https://www.abuseat.org/cPanel.html

Code:
RESULTS OF LOOKUP (from abuseat.org)
77.81.x.x is listed

This IP address was detected and listed 47 times in the past 28 days, and 6 times in the past 24 hours. The most recent detection was at Wed Jul 3 10:15:00 2019 UTC +/- 5 minutes

This IP address was self-removed 1 times in the past week.

New: many of these listings are caused by a MikroTik Router compromise. If you have a Microtik router, please consult this entry on the MikroTik Support Forum

If this IP address is NOT a shared hosting IP address, this IP address is infected with/emitting spamware/spamtrojan traffic and needs to be fixed. Find and remove the virus/spamware problem then use the CBL delisting link below.

CRITICALLY IMPORTANT, Read Carefully: In some unusual cases, IP addresses used in shared hosting (especially those using IPSwitch Imail, Plesk or Cpanel/WHM) can trigger CBL listings. If this is an IP address shared amongst many customers, make sure that your mail server software is set up to identify _itself_ in its mail connections, not each of your customers.

Many of these packages contain features that attempt to assign each customer a dedicated virtual IP address, so that each customer's stream of email comes from a different IP address. However, in many cases the package is unable to actually bind to a virtual address (and hence uses the server's primary IP address regardless), or, there are more customers than there are IP addresses, and the customers without dedicated IP address all end up using the same IP address - the server primary IP address.

To the receiving systems, an IP address that appears unable to decide what its own name is hence highly suspect, and is in fact imitating malicious spamware.

Strictly speaking, using different names in the HELO/EHLO from the same IP address is not a violation of the Email RFC standards. However, it is clear that the RFCs are intending that the HELO/EHLO identifies who owns the mail server. Furthermore, using multiple HELO/EHLO names is highly frowned upon in many mail sender Best Current Practise (BCP) documents, such as those from the OECD and M3AAWG.

It is sometimes claimed that using a common name for the HELO/EHLO causes problems with SPF/SenderID. Nothing could be further from the truth, as witnessed by the fact that the very largest multi-domain hosters (such as gmail, yahoo etc) use the same domains for all of their mail servers.

The following web pages will give you an assist in ensuring the configuration is set up correctly.

If you are using Plesk, see this link.

If you are using cPanel, see this link.

SELF REMOVAL:
Normally, you can remove the CBL listing yourself. If no removal link is given below, follow the instructions, and come back and do the lookup again, and the removal link will appear.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-03, 16:23:09
Check 'Mail Queue' to know which domain sends the emails. Then go to 'clients > (client)' and click 'Sendmail to bans'.

With this action, client/domains can't send email.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-03, 16:52:22
Thank you, but what do you mean? Sorry, I don't understand.
In the qmail queue there is only 1 mail that has not been delivered. Only one. I checked that email via maillog and the content of the message is normal and unencrypted, so I can see it looks like a normal email.

All I know from Spamhaus/abuseat.org is that the problem occurred 6 times in the last 24 hours, and the last suspicious mail was allegedly sent today at 10:15 UTC (+/-5 min). But from maillog I can't detect a suspicious one at all.

From neither Spamhaus nor abuseat.org do I get more details about that matter, just the one that I sent in the previous email.

Can I somehow detect that from the QMail Queue? Did I misunderstand you?
Thank you.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-03, 17:29:45
Add '/' and enable 'As Absolute Path' for 'Sendmail to bans' under 'admin' and then investigate 'mail queue' for a couple of days.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-03, 18:11:16
Like that?

Do you think that sendmail (php script) sends those emails?
What do I get with that?

I noticed that now I can't send anymore via sendmail.

Tnx.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-03, 18:55:10
With '/' for '/home/admin' and 'As Absolute Path', all sendmail (from php code, for example) from '/home' (and under it) will be 'banned'.

So, go to a certain client to set 'sendmail to ban' if you want.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 07:54:24
Thank you for the reply. With that option, yes, all sendmail is banned. I can't send any of them via sendmail, that's ok. But they also aren't shown in Mail Queue.

Anyway, today I received a reply from abuseat.org, so there is more info on why I keep getting blacklisted.

My server is sending a different HELO for each of the different domains on it.
Here is the reply from abuseat.org.

Code:
Hello,

77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 5, FQDNs: 5, list:
ab**ro.hr, ce**ic.hr, mo**er.info, mo**ka.net, te**ma.hr);

In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and it's owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.

If you don't have such a mail server, there is most likely a spam sending
infection.

Most recent detection was at 2019/07/03 18:50:00 (UTC) (+/- 5 minutes)

You will need to examine the machine for a spam trojan or open proxy.
Up-to-date anti-virus tools are essential.

If the IP is a NAT firewall, we strongly recommend configuring the
firewall to prevent machines on your network connecting to the Internet
on port 25, except for machines that are supposed to be mail servers.

Useful links:

  1.  The Basics of Securing your Server - Australian Communications and
    Media Authority (ACMA)[1]

  2.  Web Server Security and Database Server Security - Acunetix[2]

  3.  A comprehensive list of Information Security Resources from SANS[3]

For more information on securing NAT firewalls/gateways, please see The
CBL on NATs[4]

Full lookup page included below for completeness.

77.81.*.* has been removed.

Note: the IP address is subject to relisting again if the problem recurs.


Also note: this removal will have taken effect immediately
within our database and for the most part the now-removed listing
will no longer affect you within half an hour.  However, with
some receiving installations it can take a few hours.


========================================================

New: many of these listings are caused by a MikroTik Router compromise.
If you have a Microtik router, please consult this entry on the MikroTik
Support Forum[5]

If this IP address is NOT a shared hosting IP address, this IP address is
infected with/emitting spamware/spamtrojan traffic and needs to be fixed.
Find and remove the virus/spamware problem then use the CBL delisting
link below.

CRITICALLY IMPORTANT, Read Carefully: In some unusual cases, IP addresses
used in shared hosting (especially those using IPSwitch Imail, Plesk or
Cpanel/WHM) can trigger CBL listings. If this is an IP address shared
amongst many customers, make sure that your mail server software is set
up to identify _itself_ in its mail connections, not each of your
customers.

Many of these packages contain features that attempt to assign each
customer a dedicated virtual IP address, so that each customer's stream
of email comes from a different IP address. However, in many cases the
package is unable to actually bind to a virtual address (and hence uses
the server's primary IP address regardless), or, there are more customers
than there are IP addresses, and the customers without dedicated IP
address all end up using the same IP address - the server primary IP
address.

To the receiving systems, an IP address that appears unable to decide
what its own name is hence highly suspect, and is in fact imitating
malicious spamware.

Strictly speaking, using different names in the HELO/EHLO from the same
IP address is not a violation of the Email RFC standards. However, it is
clear that the RFCs are intending that the HELO/EHLO identifies who owns
the mail server. Furthermore, using multiple HELO/EHLO names is highly
frowned upon in many mail sender Best Current Practise (BCP) documents,
such as those from the OECD and M3AAWG.

It is sometimes claimed that using a common name for the HELO/EHLO causes
problems with SPF/SenderID. Nothing could be further from the truth, as
witnessed by the fact that the very largest multi-domain hosters (such as
gmail, yahoo etc) use the same domains for all of their mail servers.

The following web pages will give you an assist in ensuring the
configuration is set up correctly.

If you are using Plesk, see this link[6].

If you are using cPanel, see this link[7].



1. http://www.acma.gov.au/Citizen/Internet/esecurity/Online-identity/securing-your-server-internet-safety-acma
2. https://www.acunetix.com/websitesecurity/webserver-security/
3. https://www.sans.org/security-resources/
4. https://abuseat.org/nat.html
5. https://forum.mikrotik.com/viewtopic.php?t=133533
6. https://abuseat.org/PleskAvoid.html
7. https://abuseat.org/cPanel.html



--
Ray, CBL Team



I tried to send mail from the mo**ka.net domain to helocheck@abuseat.org; this "howto" is explained here:
https://www.abuseat.org/helocheck.html

And I believe this is the response in maillog:
Code:
Jul  4 08:02:38 server send: delivery 200: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**ka.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./


Then I tried to send mail from the same server as mo**er.info and mo**je.com; here are the responses:

Code:
Jul  4 08:14:38 server send: delivery 224: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**je.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./


Jul  4 08:24:52 server send: delivery 231: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**er.info'_(valid_syntax)_***/Giving_up_on_54.93.50.35./


And in the mail server settings, my mail server name is configured as: mo**er.info
Is that a new feature of Kloxo MR, or?

Thank you for your reply.
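The helocheck replies above can be pulled out of the maillog automatically, which is handy when a server hosts many domains. The following is an added example, not code from the thread, from Kloxo-MR or from abuseat.org: it scans qmail-send "delivery N: failure:" lines for the 550 text helocheck returns, collects the distinct HELO names seen per sending IP, and flags any name that is not the server's own. The sample log lines, hostnames, IPs and HELO names are constructed placeholders; the file path argument is optional.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the qmail-send "delivery N: failure: ..." layout shown in the
# thread; the hostnames, IPs and HELO names are placeholders, not the poster's values.
SAMPLE_MAILLOG = """\
Jul  4 08:02:38 server send: delivery 200: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.5_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.10_was_'cust1.example.net'_(valid_syntax)_***/Giving_up_on_198.51.100.5./
Jul  4 08:05:12 server send: delivery 201: success: 198.51.100.7_accepted_message./Remote_host_said:_250_ok/
Jul  4 08:14:38 server send: delivery 224: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.5_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.10_was_'cust2.example.org'_(valid_syntax)_***/Giving_up_on_198.51.100.5./
Jul  4 08:24:52 server send: delivery 231: failure: User_and_password_not_set,_continuing_without_authentication./198.51.100.5_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_203.0.113.10_was_'mail.example.com'_(valid_syntax)_***/Giving_up_on_198.51.100.5./
"""

# helocheck's 550 reply as qmail-remote records it (spaces become underscores).
HELO_RE = re.compile(r"The_HELO_for_IP_address_(?P<ip>[^_]+)_was_'(?P<helo>[^']+)'")
TIMESTAMP_LEN = len("Jul  4 08:02:38")  # syslog prefix width


def parse_helo_results(log_text):
    """Return one {'timestamp', 'ip', 'helo'} dict per helocheck reply found."""
    results = []
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m:
            results.append({"timestamp": line[:TIMESTAMP_LEN],
                            "ip": m.group("ip"), "helo": m.group("helo")})
    return results


def helo_names_by_ip(results):
    """Distinct HELO names observed per sending IP, sorted for stable output."""
    seen = defaultdict(set)
    for r in results:
        seen[r["ip"]].add(r["helo"])
    return {ip: sorted(names) for ip, names in seen.items()}


def audit_helo(results, expected_helo):
    """Per IP: was every observed HELO the server's own name? List the others."""
    report = {}
    for ip, names in helo_names_by_ip(results).items():
        unexpected = [n for n in names if n.lower() != expected_helo.lower()]
        report[ip] = {"names": names, "consistent": not unexpected,
                      "unexpected": unexpected}
    return report


if __name__ == "__main__":
    # Usage: python helo_audit.py [/var/log/maillog] ; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    for ip, info in audit_helo(parse_helo_results(text), "mail.example.com").items():
        status = "OK" if info["consistent"] else "MULTIPLE HELO"
        print(f"{ip}: {status} {info['names']}")
```

Run against the sample, the audit reports one IP announcing three different names, which is exactly the "domains: N, FQDNs: N" condition the CBL reply describes; a server whose file only ever yields the configured server name reports as consistent.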
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-04, 11:18:22
Read https://www.network-box.com/faq-email-failure-e
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 11:54:14
Read https://www.network-box.com/faq-email-failure-e

Thank you, I read it. I'm not sure what you are trying to tell me: I'm blacklisted because my client domains are sending emails to non-existing addresses (existing domains, non-existing users)?


I'm confused, because as far as I understand, abuseat.org claims that my IP is added to their blacklist because I'm using too many domains in the HELO when sending emails. They claim there should be only one, the domain of the server, not the domain of the client of this server. My server name is mo**er.info, and this is also configured in the mail server configuration.
Is that possible to achieve? I mean that HELO sends the name/domain of the server, not the names of the multiple domains on this server.

Here is again their explanation:
Code:
77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 5, FQDNs: 5, list:
ab**ro.hr, ce**ic.hr, mo**er.info, mo**ka.net, te**ma.hr);

In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and it's owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.

Just in addition to that, they recommend how to configure these options in
PLESK >> https://www.abuseat.org/PleskAvoid.html
CPANEL >> https://www.abuseat.org/cPanel.html

Is that possible for Kloxo? Where does qmail take the HELO value from when sending email? Thank you.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-04, 12:46:04
Is the domain in 'mail server configure' the same as the 'reverse-dns' (aka RDNS or PTR)?
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 14:17:04
Yes, it is the same.
mo**er.info, in the mail configuration and as rDNS.

Is it possible to change it so that every domain on the server sends the same HELO? Where is that configured? Can I change it manually?

Thank you.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-04, 14:56:17
Check your domain on mxtoolbox.com.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 15:23:28
I've checked on mxtoolbox and intodns; it seems alright to me.
I already sent you my domain by PM. Please check.

Tnx.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-04, 16:39:59
No. DMARC didn't exist.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 17:00:41
DMARC is enabled for that particular domain in settings, but it is not OK for this domain; how do I fix it?
Code:
DMARC Policy Not Enabled
DMARC Quarantine/Reject policy not enabled

Anyway, I'm not sure how this is connected with the problem with multiple domains.
Is there any way to send the HELO as the server domain for all domains? Can I manually change it to send the same HELO for all clients/domains on this shared hosting VPS?

I have had this problem since the server upgrade/update; not sure if this is related or not.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-04, 17:13:41
Select one of your domains and then click 'Email Auth'.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 17:27:37
Thank you, I knew about Email Auth. Both options, SPF and DMARC, were already enabled for all domains.

You don't think that multiple HELOs are the problem? Can I manually disable/change it by hand just for testing purposes?
Is there anything else I'm missing?
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-04, 21:03:16
No. DMARC didn't exist.

Now I remember that I changed my domain name registration from name.com to namesilo.com, and the DMARC, SPF and DKIM TXT DNS records aren't on my server but must be at namesilo. Namesilo record edited.

DMARC record should now be ok.

[!] DMARC Policy Not Enabled   DMARC Quarantine/Reject policy not enabled   
[OK] DMARC Record Published   DMARC Record found   
[OK] DNS Record Published   DNS Record found
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-05, 13:03:26
OK,
DMARC fixed,
and sendmail: all emails are currently BANNED.

But still, today I get blacklisted again :(.

Code:
This IP address was detected and listed 56 times in the past 28 days, and 2 times in the past 24 hours. The most recent detection was at Fri Jul 5 09:25:00 2019 UTC +/- 5 minutes
I can't figure out what the trigger was today at Fri Jul 5 09:25:00 2019 UTC +/- 5.


Is there a possibility, and a reason, that my server is sending multiple HELOs for different domains on the same IP address?

Thank you.
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-05, 13:16:25
I am not sure about the latest version, but the old version of roundcube had trouble.

Try uninstalling roundcube with 'yum remove kloxomr-webmail-roundcube -y'.

But first, report the output of 'yum list kloxomr-webmail*'.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-05, 17:57:36
I'm not sure why you are ignoring my problem; please assist, thank you.
Anyway, here is again the reply from abuseat.org on why my IP address is blacklisted:

--
Hello,

77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 6, FQDNs: 6, list:
de**ic.com,e**s.hr,me**al.hr,mo**er.info,mo**ka.net,mo**md.hr);

In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and it's owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.

--

What can you advise? I have tested, and they are correct: I'm sending a different HELO for each domain on the same IP/server. How can I fix that? Is that the way Kloxo MR works? Is this wrong? Is this a new feature (I recently upgraded the server and Kloxo MR)?


Here is how to test HELO:
https://www.abuseat.org/helocheck.html

And here there are suggestions for other panels:
PLESK >> https://www.abuseat.org/PleskAvoid.html
CPANEL >> https://www.abuseat.org/cPanel.html


Please assist,
thank you.

And lastly:
--
Strictly speaking, using different names in the HELO/EHLO from the same
IP address is not a violation of the Email RFC standards. However, it is
clear that the RFCs are intending that the HELO/EHLO identifies who owns
the mail server. Furthermore, using multiple HELO/EHLO names is highly
frowned upon in many mail sender Best Current Practise (BCP) documents,
such as those from the OECD and M3AAWG.

It is sometimes claimed that using a common name for the HELO/EHLO causes
problems with SPF/SenderID. Nothing could be further from the truth, as
witnessed by the fact that the very largest multi-domain hosters (such as
gmail, yahoo etc) use the same domains for all of their mail servers.

--
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-05, 18:19:15
Check all cron jobs. Google to find where all the cron files exist and then investigate them.
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-05, 19:02:14
Check all cron jobs. Google to find where all the cron files exist and then investigate them.

What are you assuming, that there is something in cron sending SPAM?!
I've checked all the cron files and nothing is suspicious.

Why do you ignore my previous post about HELO? You think that this is irrelevant?
Title: Re: Added to SPAMHAUS
Post by: MRatWork on 2019-07-06, 05:02:56
Try 'rkhunter --check' and 'maldet -a'. And then check their log files (also from 'log manager' in panel).
Title: Re: Added to SPAMHAUS
Post by: idove on 2019-07-09, 12:32:37
Thank you, rkhunter and maldet, nothing suspicious :(.

Anyway, I think I found out how to define the HELO to be only the main server address for qmail.
/var/qmail/control/outgoingips
should be empty.

If it's empty then it sends the HELO setting which is in the mail server settings in Kloxo;
otherwise this file looks like this:

domain1.com 1.2.3.4
domain2.com 1.2.3.4
domain3.com 1.2.3.4

And it sends the HELO for every domain on the same IP address as the client's domain name, and that can be marked as spam at SPAMHAUS.


More info here:
https://github.com/mamapitufo/qmail-outgoingips

You can check by sending email to helocheck@abuseat.org;
also some info here:
https://www.abuseat.org/qmailhelp.html


Now I will see in a few days if it will also be ok by Spamhaus and Abuseat.
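A quick way to confirm the state of that control file before waiting days for the blacklist to react. The following is an added example, not code from Kloxo-MR or from the qmail-outgoingips project: it parses the "domain ip" per-line layout the post shows (assumed here to be the only layout; blank lines and lines starting with '#' are assumed to be ignorable), groups domains by source IP, and flags any IP that would announce more than one HELO name, or a name other than the server's own. An empty file, the fix described above, produces no findings. The sample file contents, domain names and addresses are constructed placeholders; pass the real path as the first argument to check a live file.

```python
import sys
from collections import defaultdict

# Constructed sample in the "domain ip" per-line layout the post describes for
# /var/qmail/control/outgoingips; domains and addresses are placeholders.
SAMPLE_OUTGOINGIPS = """\
# one line per domain: <domain> <source IP>
cust1.example.net 203.0.113.10
cust2.example.org 203.0.113.10
mail.example.com 203.0.113.10
other.example.net 203.0.113.11
"""


def parse_outgoingips(text):
    """Return ([(domain, ip), ...], [(lineno, raw), ...]) for the entries and
    the malformed lines. Comment lines and blank lines are skipped (assumption)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            malformed.append((lineno, raw))
            continue
        entries.append((fields[0].lower(), fields[1]))
    return entries, malformed


def domains_per_ip(entries):
    """Map each source IP to the sorted list of domains that would HELO from it."""
    groups = defaultdict(set)
    for domain, ip in entries:
        groups[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in groups.items()}


def audit_outgoingips(text, server_helo):
    """Findings for IPs that would emit more than one HELO name, or a HELO other
    than the server's own name. An empty file means qmail falls back to the single
    configured server name, which is the desired state, so it yields no findings."""
    entries, malformed = parse_outgoingips(text)
    findings = []
    for ip, domains in domains_per_ip(entries).items():
        if len(domains) > 1:
            findings.append({"ip": ip, "problem": "multiple HELO names",
                             "domains": domains})
        elif domains[0] != server_helo.lower():
            findings.append({"ip": ip, "problem": "HELO differs from server name",
                             "domains": domains})
    for lineno, raw in malformed:
        findings.append({"ip": None, "problem": f"malformed line {lineno}",
                         "domains": [raw]})
    return findings


if __name__ == "__main__":
    # Usage: python outgoingips_audit.py [/var/qmail/control/outgoingips] <server-helo>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    helo = sys.argv[2] if len(sys.argv) > 2 else "mail.example.com"  # placeholder
    text = open(path).read() if path else SAMPLE_OUTGOINGIPS
    findings = audit_outgoingips(text, helo)
    if not findings:
        print("outgoingips: OK (single HELO name, or file empty)")
    for f in findings:
        print(f"{f['ip'] or '-'}: {f['problem']}: {', '.join(f['domains'])}")
```

The first IP in the sample maps to three domains, so it would produce exactly the multi-HELO pattern helocheck reported; the second maps to one domain that is not the server name, which would still announce a customer name rather than the host's. Emptying the file, or making every line carry the server's own name, clears both findings.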