Linux - Server: This forum is for the discussion of Linux software used in a server related context.
My IP keeps being put on and removed from the SenderScore.org blacklist.
Yet, they refuse to tell me why.
I have been trying to track down the reason through my WHM and have been unable to find out what can be causing my IP to be put on their blacklist.
I don't see any high volume traffic from any one Domain account. I host 12 Domains. All of the email is grouped together into either 'mailnull' or 'nobody', which makes it impossible to see who is sending out what volume of email.
How do I track down the culprit?
I have Exim set to :fail: and have gone to each Domain and set their 'Default Address' to :fail:. Yet, I see that some emails are still being sent to :blackhole:.
I also see: **bypassed** volume: 5848KB messages: 852
Did you restart exim after you made the changes? Can you post an example of how you're setting it to fail for the default addresses?
For cPanel I go to 'Mail|Default Address' and set it to :fail:.
For WHM I go to: 'Tweak Settings|Mail|Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks. fail'
You may need to go through each domain that is already set up and change the behavior there; the default behavior with cPanel, I believe, is written into the file when the domain is set up, and toggling the default isn't going to do anything except for future domains.
Sorry, I didn't realize you were using cPanel, assumed you were doing this manually. Makes it easier and harder both.
Thanks rweaver. The WHM changes only affect new accounts.
I had followed the recommendation to change the Tweak Settings in WHM and the cPanel for the Host Domain only.
I spent a few hours yesterday going through all of the Domain cPanel Default Address settings for the websites I Host. I manually set each one to :fail:.
I am now praying that I corrected the problem. I did find two people who were responding to the SPAMs they were receiving, even though I had already talked to them, in the past, about not doing that. So, I set up their email Filters to automatically delete those emails. Of course, the complaints are "My email takes forever to load." since the Filters run while loading the Inbox.
You are also right in that by only using the WHM/cPanel GUI I have given up some of the real control I could have through the command line.
Are you just getting listed with SS, or are you appearing on other lists {that actually matter} too, like Spamhaus and Barracuda? (You can use something like Robtex to check or a tool like this: http://freshmeat.net/projects/spampig-dnsblcheck). If you can find it on another list you may be able to get better information.
The key thing is it does not need to be about volume. It only takes a single honeypot address in a list to get an IP listed with some dnsbl's. It can even come down to the 'helo' given and be nothing to do with 'spam' as such.
Start with what you have. If you managed to get spam or a response back from an irate victim grep through the logs looking for the victims email address. You may be able to tie it up. At a guess you may have a seriously spammy customer on board - or a customer has a flawed email script being worked by spammers - but equally it could be plain old misconfiguration and resulted in you being on something like the CBL or SORBS and that reflecting back to SS. Hence it's wise to check.
HTH
HUMOUR TIME>>>>
Now normally if you send out Spam, JD Falk and his merry men at Return Path will *whitelist* you in HABEAS...
{Now I've got that cheap joke out of the way - I just could not resist it, forgive me..}
I was placed on a blacklist once for 'backscatter' because the settings in my WHM got reset, during an update, to a default setting for Exim. I corrected that and had clear sailing.
About 6-months ago I started to get reject notices from ComCast because my IP was on the SenderScore blacklist. When I tried to find out why, I could never get an answer from either SenderScore or ComCast. I would be listed for about 3-days and then I would be removed from the list. It was only ComCast who said SenderScore had me listed. That sounded really strange. Because no one else rejected emails from my IP.
ComCast did return my call and would only say I needed to contact my Hosting Service because it had a 'Bad reputation.' The guy refused to accept that I was the Host for the IP. According to him, only companies like ComCast and Verizon could be considered a Hosting Service. He talked to me like I was an idiot and just kept repeating that my Hosting Service had a bad reputation. I am not an expert in my Server Software. But, I can usually find out how to repair what broke. If I know what is broken.
There is no way to contact SenderScore, to find out why they place you on the blacklist. Even their parent company, Return Path, will not answer emails. The SenderScore website just says you're listed and there is nothing you can do about it. All I could find was a web page which said my IP had sent some emails which were 'similar' to SPAM emails; no specifics were available. I only have 12 Domains hosted. Yet, I would like to at least know which Domain was causing the problem with SenderScore. If there really is a problem, I can fix it. Or, is SenderScore only trying to force me to purchase the software their parent company, Return Path, is trying to sell? From what I understand, if I purchase this software, then SenderScore would stop blacklisting me.
I have found similar stories in other Forums about SenderScore.
I feel your pain, and much as I would love to have a rant about RP/SS, it's not going to help anyone. They are who they are, they operate how they operate and there is no changing that. So, it's back to troubleshooting the dnsbl issue in generic terms. I'm not familiar with Exim or WHM, but one is just an MTA, the other a configuration tool - so that need not be a massive issue at this stage.
The obvious first (and I'm mentioning this for the benefit of the archives - not to be clever or condescending):
A server IP will usually only be listed as having a 'poor reputation' for:
sending spam to a trap/honeypot address
sending spam marked by customers
sending backscatter
poorly configured (open relay, wrong helo, no PTR, PTR host A does not match server IP, SPF fail/broken DNS setting)
I'm guessing you are running your own hosting business on a server of some kind. Is the Exim MTA on that server under your total control, or is this a reseller account on a shared server where other customers use the MTA? If it's a shared platform it's easily possible that it's not you or your customer. If that is the case it is going to be grey as to what you can do about it. If not, then the ball is in your court, which is probably the better scenario.
Back to basics - do you have access to the raw mail logs on the server - or are you able to obtain them? I would scan them from the day where you have the irate victim and find who sent what to them. It's probably obvious, but don't assume that only having a few domains and customers means there is no spam coming from them. Spammers just love to find small, cheap hosts with good IP reputations that they can use to snowshoe spam out from. It could even be as simple as a customer who is painfully unaware of their actions.
I'm happy to check for any obvious howlers if that would be of any use to you, but I'll need you to email me from the offending server to tell you anything useful. I'll PM you with an email address.
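The advice in the two posts above (grep the mail logs for the irate victim's address and see who sent what to them) together with the original problem that cPanel lumps all web-originated mail under 'mailnull' or 'nobody', worked through as an added example that is not from this thread or from cPanel. It is a POSIX shell script over a constructed Exim mainlog sample (the real log on a cPanel host is /var/log/exim_mainlog; the addresses, message IDs and domains below are made up). It relies on the standard Exim log line markers: `<=` for a message arriving (with `U=` naming the local Unix user that submitted it), and `=>`, `->` and `**` for a delivery, an extra recipient of the same delivery, and a failed delivery. Because every PHP form script shows up as `U=nobody`, the useful key is the envelope sender, not the user.

```shell
#!/bin/sh
# Constructed Exim mainlog sample (not real traffic). Real logs: /var/log/exim_mainlog
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2011-05-10 10:01:02 1QJaaa-0001aA-Bc <= bob@corp.example U=bob P=local S=1422 id=1@corp.example
2011-05-10 10:01:03 1QJaaa-0001aA-Bc => partner@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2011-05-10 10:01:03 1QJaaa-0001aA-Bc Completed
2011-05-10 10:02:10 1QJbbb-0001aB-Cd <= form@shop.example U=nobody P=local S=8810 id=2@shop.example
2011-05-10 10:02:11 1QJbbb-0001aB-Cd => victim@comcast.example R=dnslookup T=remote_smtp H=mx.comcast.example [192.0.2.10]
2011-05-10 10:02:11 1QJbbb-0001aB-Cd -> other@comcast.example R=dnslookup T=remote_smtp H=mx.comcast.example [192.0.2.10]
2011-05-10 10:02:11 1QJbbb-0001aB-Cd Completed
2011-05-10 10:02:15 1QJccc-0001aC-De <= form@shop.example U=nobody P=local S=8790 id=3@shop.example
2011-05-10 10:02:16 1QJccc-0001aC-De ** trap@example.org R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<trap@example.org>: 550 5.1.1 no such user
2011-05-10 10:02:16 1QJccc-0001aC-De Completed
2011-05-10 10:02:20 1QJddd-0001aD-Ef <= form@shop.example U=nobody P=local S=8805 id=4@shop.example
2011-05-10 10:02:21 1QJddd-0001aD-Ef => someone@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.30]
2011-05-10 10:02:21 1QJddd-0001aD-Ef Completed
EOF

# Fields on an arrival line: date time msgid "<=" sender U=user P=proto S=size id=...
# Messages accepted per envelope sender, busiest first.
senders_by_volume() {
    awk '$4 == "<=" { count[$5]++ } END { for (s in count) print count[s], s }' "$1" | sort -rn
}

# Messages accepted per submitting Unix user (the U= field). On cPanel every
# web script submits as "nobody", which is why this view alone is not enough.
users_by_volume() {
    awk '$4 == "<=" {
             for (i = 5; i <= NF; i++)
                 if ($i ~ /^U=/) { sub(/^U=/, "", $i); count[$i]++ }
         }
         END { for (u in count) print count[u], u }' "$1" | sort -rn
}

# Given a victim address, find the message IDs delivered (or bounced) to it
# and print the matching arrival line, which names the sender and Unix user.
messages_to_victim() {
    awk -v victim="$2" '
        ($4 == "=>" || $4 == "->" || $4 == "**") && $5 == victim { ids[$3] = 1 }
        $4 == "<=" { received[$3] = $0 }
        END { for (id in ids) if (id in received) print received[id] }
    ' "$1"
}

echo "== messages per envelope sender =="
senders_by_volume "$SAMPLE_LOG"
echo "== messages per submitting Unix user (U=) =="
users_by_volume "$SAMPLE_LOG"
echo "== who sent to victim@comcast.example =="
messages_to_victim "$SAMPLE_LOG" victim@comcast.example
```

Point `SAMPLE_LOG` at the real mainlog and pass the victim's address (or a spam-trap address from a bounce) to `messages_to_victim`; the sender and `id=` on the returned arrival line identify which hosted domain, and usually which script, produced the mail.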
Ande, I've replied via email as there is some sensitive data in there. To anyone following this thread, the issue is related to the PTR/Reverse DNS not matching the connecting IP.
If you helo with host.yourdomain.com from IP 1.2.3.4, then the hostname lookup for 1.2.3.4 should map back 'host.yourdomain.com'.
When you send email to a host providing a feed to someone like SS/RP it is likely an error of this nature will have you listed.
It's not necessarily all about sending spam; sometimes it's just a simple little error - but a pain in the bottom when those that list you give you little or no feedback. One of the reasons, IMHO, Return Path and SS are utter rubbish. On the other side of the coin, if you get listed by Barracuda, you can call them 24/7 and they *will* help you and tell you *why* they have listed you - but they are far more professional than RP will ever be. </end rant>
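The PTR/HELO rule stated above (HELO as host.yourdomain.com from 1.2.3.4 means the reverse lookup of 1.2.3.4 must return host.yourdomain.com, and that name must resolve back to 1.2.3.4), as an added example script that is not part of this thread. The two DNS lookups are wrapped in functions that use `dig` by default, so the check can also be run against fixed answers without network access; host.yourdomain.com and 1.2.3.4 are the placeholder values from the post.

```shell
#!/bin/sh
# Forward (A) and reverse (PTR) lookups; override these functions to test offline.
a_lookup()   { dig +short A "$1"; }
ptr_lookup() { dig +short -x "$1" | sed 's/\.$//'; }

# check_helo_fcrdns HELO_NAME IP
# Returns 0 only when PTR(IP) == HELO_NAME and A(HELO_NAME) includes IP,
# printing one verdict line per condition so the failing side is obvious.
check_helo_fcrdns() {
    helo="$1"; ip="$2"; status=0
    ptr=$(ptr_lookup "$ip" | head -n 1)
    if [ -z "$ptr" ]; then
        echo "FAIL: no PTR record for $ip"; status=1
    elif [ "$ptr" != "$helo" ]; then
        echo "FAIL: PTR for $ip is '$ptr' but HELO is '$helo'"; status=1
    else
        echo "ok:   PTR for $ip matches HELO $helo"
    fi
    if a_lookup "$helo" | grep -qxF "$ip"; then
        echo "ok:   $helo resolves to $ip"
    else
        echo "FAIL: $helo does not resolve to $ip"; status=1
    fi
    return $status
}

# Stand-alone usage: sh check_helo.sh host.yourdomain.com 1.2.3.4
if [ $# -eq 2 ]; then
    check_helo_fcrdns "$1" "$2"
fi
```

Run it with the exact name Exim announces in HELO (on a cPanel box that is the server hostname unless overridden per domain) and the IP the server actually sends from; a NAT or secondary IP is a common reason the two disagree even when the primary hostname looks fine.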