31
Kloxo-MR Technical Helps / Re: Added to SPAMHAUS
« on: 2019-07-04, 07:54:24 »
Thank you for the reply. With that option, yes, all sendmail are banned. I can't send any of them via sendmail, that's OK. But they also aren't shown in the Mail Queue.
Anyway, today I received a reply from abuseat.org, so there is more info on why I keep getting blacklisted.
My server is sending a different HELO for different domains.
Here is the reply from abuseat.org.
Code:
Hello,
77.81.*.* is listed in the CBL, it tried to send email using too many
different domains in the HELO (domains: 5, FQDNs: 5, list:
ab**ro.hr, ce**ic.hr, mo**er.info, mo**ka.net, te**ma.hr);
In some cases it's a multi-domain capable mail server attempting to use
different HELO values for each domain. The domain used in a HELO should
reflect the name of the server, and its owner, not the customer. In some
cases, it may make sense to use a single common domain, with different
subdomains for each customer. For example, "cust1.example.com",
"cust2.example.com" etc.
If you don't have such a mail server, there is most likely a spam sending
infection.
Most recent detection was at 2019/07/03 18:50:00 (UTC) (+/- 5 minutes)
You will need to examine the machine for a spam trojan or open proxy.
Up-to-date anti-virus tools are essential.
If the IP is a NAT firewall, we strongly recommend configuring the
firewall to prevent machines on your network connecting to the Internet
on port 25, except for machines that are supposed to be mail servers.
Useful links:
1. The Basics of Securing your Server - Australian Communications and
Media Authority (ACMA)[1]
2. Web Server Security and Database Server Security - Acunetix[2]
3. A comprehensive list of Information Security Resources from SANS[3]
For more information on securing NAT firewalls/gateways, please see The
CBL on NATs[4]
Full lookup page included below for completeness.
77.81.*.* has been removed.
Note: the IP address is subject to relisting again if the problem recurs.
Also note: this removal will have taken effect immediately
within our database and for the most part the now-removed listing
will no longer affect you within half an hour. However, with
some receiving installations it can take a few hours.
========================================================
New: many of these listings are caused by a MikroTik Router compromise.
If you have a MikroTik router, please consult this entry on the MikroTik
Support Forum[5]
If this IP address is NOT a shared hosting IP address, this IP address is
infected with/emitting spamware/spamtrojan traffic and needs to be fixed.
Find and remove the virus/spamware problem then use the CBL delisting
link below.
CRITICALLY IMPORTANT, Read Carefully: In some unusual cases, IP addresses
used in shared hosting (especially those using IPSwitch Imail, Plesk or
Cpanel/WHM) can trigger CBL listings. If this is an IP address shared
amongst many customers, make sure that your mail server software is set
up to identify _itself_ in its mail connections, not each of your
customers.
Many of these packages contain features that attempt to assign each
customer a dedicated virtual IP address, so that each customer's stream
of email comes from a different IP address. However, in many cases the
package is unable to actually bind to a virtual address (and hence uses
the server's primary IP address regardless), or, there are more customers
than there are IP addresses, and the customers without dedicated IP
address all end up using the same IP address - the server primary IP
address.
To the receiving systems, an IP address that appears unable to decide
what its own name is hence highly suspect, and is in fact imitating
malicious spamware.
Strictly speaking, using different names in the HELO/EHLO from the same
IP address is not a violation of the Email RFC standards. However, it is
clear that the RFCs are intending that the HELO/EHLO identifies who owns
the mail server. Furthermore, using multiple HELO/EHLO names is highly
frowned upon in many mail sender Best Current Practice (BCP) documents,
such as those from the OECD and M3AAWG.
It is sometimes claimed that using a common name for the HELO/EHLO causes
problems with SPF/SenderID. Nothing could be further from the truth, as
witnessed by the fact that the very largest multi-domain hosters (such as
gmail, yahoo etc) use the same domains for all of their mail servers.
The following web pages will give you an assist in ensuring the
configuration is set up correctly.
If you are using Plesk, see this link[6].
If you are using cPanel, see this link[7].
1. http://www.acma.gov.au/Citizen/Internet/esecurity/Online-identity/securing-your-server-internet-safety-acma
2. https://www.acunetix.com/websitesecurity/webserver-security/
3. https://www.sans.org/security-resources/
4. https://abuseat.org/nat.html
5. https://forum.mikrotik.com/viewtopic.php?t=133533
6. https://abuseat.org/PleskAvoid.html
7. https://abuseat.org/cPanel.html
--
Ray, CBL Team
I tried to send mail from the mo**ka.net domain to helocheck@abuseat.org; this "howto" is explained here:
https://www.abuseat.org/helocheck.html
And I believe this is the response in the maillog:
Code:
Jul 4 08:02:38 server send: delivery 200: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**ka.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./
Then I tried to send mail from the same server as mo**er.info and mo**je.com; here are the responses:
Code:
Jul 4 08:14:38 server send: delivery 224: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**je.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./
Jul 4 08:24:52 server send: delivery 231: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_77.81.*.*_was_'mo**er.info'_(valid_syntax)_***/Giving_up_on_54.93.50.35./
And in the mail server settings, my mail server name is configured as: mo**er.info
Is that a new feature of Kloxo MR, or?
Thank you for your reply.
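The CBL reply above says the listing was triggered by one IP announcing several different HELO names, and the maillog lines show exactly that: each helocheck reply echoes the HELO the remote side saw. The following script is an added example, not code from the post or from Kloxo-MR. It parses maillog lines of the "send: delivery N: failure:" shape quoted above, collects the distinct HELO names per sending IP, and flags any delivery whose HELO differs from the hostname the server is supposed to announce, which is the check an operator would run before asking for delisting. The log excerpt, the IP 192.0.2.10 and the example.* host names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt, modelled on the "send: delivery N: failure:" lines
# quoted in the post. The sending IP and host names are placeholders, not real values.
SAMPLE_MAILLOG = """\
Jul 4 08:02:38 server send: delivery 200: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_192.0.2.10_was_'cust-a.example.net'_(valid_syntax)_***/Giving_up_on_54.93.50.35./
Jul 4 08:14:38 server send: delivery 224: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_192.0.2.10_was_'cust-b.example.com'_(valid_syntax)_***/Giving_up_on_54.93.50.35./
Jul 4 08:24:52 server send: delivery 231: failure: User_and_password_not_set,_continuing_without_authentication./54.93.50.35_does_not_like_recipient./Remote_host_said:_550_***_The_HELO_for_IP_address_192.0.2.10_was_'mail.example.org'_(valid_syntax)_***/Giving_up_on_54.93.50.35./
Jul 4 08:31:09 server send: delivery 240: success: 198.51.100.7_accepted_message./Remote_host_said:_250_ok/
"""

# Delivery id and status from the qmail-style "send:" line.
DELIVERY_RE = re.compile(r"send: delivery (?P<delivery>\d+): (?P<status>\w+):")
# The helocheck responder echoes the HELO it received, in this fixed phrasing.
HELO_RE = re.compile(r"The_HELO_for_IP_address_(?P<ip>[0-9.]+)_was_'(?P<helo>[^']+)'")


def parse_helo_reports(log_text):
    """Return [{'delivery': int, 'ip': str, 'helo': str}] for every log line in which
    the remote host echoed the HELO it saw. Lines without an echoed HELO are skipped."""
    reports = []
    for line in log_text.splitlines():
        d = DELIVERY_RE.search(line)
        h = HELO_RE.search(line)
        if d and h:
            reports.append({"delivery": int(d.group("delivery")),
                            "ip": h.group("ip"),
                            "helo": h.group("helo")})
    return reports


def helos_per_ip(reports):
    """Map each sending IP to the set of distinct HELO names observed for it."""
    seen = defaultdict(set)
    for r in reports:
        seen[r["ip"]].add(r["helo"])
    return dict(seen)


def ips_with_multiple_helos(reports):
    """IPs that announced more than one HELO name: the pattern the CBL listing describes."""
    return sorted(ip for ip, names in helos_per_ip(reports).items() if len(names) > 1)


def find_helo_inconsistencies(reports, expected_helo):
    """Flag every delivery whose HELO differs from the single name the server should announce
    (the configured mail server name, compared case-insensitively)."""
    return [r for r in reports if r["helo"].lower() != expected_helo.lower()]


if __name__ == "__main__":
    reports = parse_helo_reports(SAMPLE_MAILLOG)
    per_ip = helos_per_ip(reports)
    for ip in ips_with_multiple_helos(reports):
        print(f"{ip}: {len(per_ip[ip])} distinct HELO names: {sorted(per_ip[ip])}")
    for r in find_helo_inconsistencies(reports, "mail.example.org"):
        print(f"delivery {r['delivery']}: HELO {r['helo']!r} is not the server's own name")
```

Run it against a real maillog by replacing SAMPLE_MAILLOG with the file contents and passing the hostname configured as the mail server name (mo**er.info in the post) to find_helo_inconsistencies; any delivery it reports is one where a per-domain HELO was sent instead of the server's own name, which is what needs fixing before the IP stays off the list.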