Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 01-21-2010, 12:25 PM   #1
AndeAnderson
Member
 
Registered: Feb 2005
Location: Pennsylvania
Distribution: Debian (maybe)
Posts: 237

Rep: Reputation: 30
Unhappy Newbie SPAM Email blacklist question


My IP keeps being put on and removed from the SenderScore.org blacklist.

Yet, they refuse to tell me why.

I have been trying to track down the reason through my WHM and have been unable to find out what can be causing my IP to be put on their blacklist.

I don't see any high volume traffic from any one Domain account. I host 12 Domains. All of the email is grouped together into either 'mailnull' or 'nobody', which makes it impossible to see who is sending out what volume of email.

How do I track down the culprit?

I have Exim set to :fail: and have gone to each Domain and set their 'Default Address' to :fail:. Yet, I see that some emails are still being sent to :blackhole:.

I also see: **bypassed** volume: 5848KB messages: 852

Do I need to turn off all bypassing?

Quote:
Transport              Volume   Messages
**bypassed**           5848KB   852
:blackhole:            2940KB   477
remote_smtp            1709KB   106
virtual_userdelivery   91MB     1953
Thanks
 
Old 01-21-2010, 01:01 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Did you restart exim after you made the changes? Can you post an example of how you're setting it to fail for the default addresses?
 
Old 01-21-2010, 02:27 PM   #3
AndeAnderson
Member
 
Registered: Feb 2005
Location: Pennsylvania
Distribution: Debian (maybe)
Posts: 237

Original Poster
Rep: Reputation: 30
:fail: for Exim Emails

Quote:
Originally Posted by rweaver
Did you restart exim after you made the changes? Can you post an example of how you're setting it to fail for the default addresses?
For cPanel I go to 'Mail|Default Address' and set it to :fail:.

For WHM I go to: 'Tweak Settings|Mail|Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks. fail'

I do restart the Exim anytime I make a change.
 
Old 01-21-2010, 03:18 PM   #4
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
You may need to go through each domain that is already set up and change the behavior there; the default behavior with cPanel, I believe, is written into the file when the domain is set up, and toggling the default isn't going to do anything except for future domains.

Sorry, I didn't realize you were using cPanel; I assumed you were doing this manually. Makes it easier and harder both.
 
Old 01-22-2010, 07:31 AM   #5
AndeAnderson
Member
 
Registered: Feb 2005
Location: Pennsylvania
Distribution: Debian (maybe)
Posts: 237

Original Poster
Rep: Reputation: 30
WHM and cPanel

Thanks rweaver. The WHM changes only affect new accounts.

I had followed the recommendation to change the Tweak Settings in WHM and the cPanel for the Host Domain only.

I spent a few hours yesterday going through all of the Domain cPanel Default Address settings for the websites I Host. I manually set each one to :fail:.

I am now praying that I corrected the problem. I did find two people who were responding to the SPAMs they were receiving, even though I had already talked to them, in the past, about not doing that. So, I set up their email Filters to automatically delete those emails. Of course, the complaints are "My email takes forever to load." since the Filters run while loading the Inbox.

You are also right in that by only using the WHM/cPanel GUI I have given up some of the real control I could have through the command line.
 
Old 01-22-2010, 07:59 AM   #6
Dave_Devnull
Member
 
Registered: May 2009
Posts: 142

Rep: Reputation: 24
Are you just getting listed with SS, or are you appearing on other lists {that actually matter} too, like Spamhaus and Barracuda? (You can use something like Robtex to check or a tool like this: http://freshmeat.net/projects/spampig-dnsblcheck). If you can find it on another list you may be able to get better information.

The key thing is it does not need to be about volume. It only takes a single honeypot address in a list to get an IP listed with some dnsbl's. It can even come down to the 'helo' given and be nothing to do with 'spam' as such.

Start with what you have. If you managed to get spam or a response back from an irate victim, grep through the logs looking for the victim's email address. You may be able to tie it up. At a guess you may have a seriously spammy customer on board - or a customer has a flawed email script being worked by spammers - but equally it could be plain old misconfiguration that has resulted in you being on something like the CBL or SORBS and that reflecting back to SS. Hence it's wise to check.

HTH

HUMOUR TIME>>>>
Now normally if you send out Spam, JD Falk and his merry men at Return Path will *whitelist* you in HABEAS...
{Now I've got that cheap joke out of the way - I just could not resist it, forgive me..}
 
Old 01-22-2010, 09:09 AM   #7
AndeAnderson
Member
 
Registered: Feb 2005
Location: Pennsylvania
Distribution: Debian (maybe)
Posts: 237

Original Poster
Rep: Reputation: 30
Thanks Dave_Devnull

I was placed on a blacklist once for 'backscatter' because the settings in my WHM got reset, during an update, to a default setting for Exim. I corrected that and had clear sailing.

About 6-months ago I started to get reject notices from ComCast because my IP was on the SenderScore blacklist. When I tried to find out why, I could never get an answer from either SenderScore or ComCast. I would be listed for about 3-days and then I would be removed from the list. It was only ComCast who said SenderScore had me listed. That sounded really strange. Because no one else rejected emails from my IP.

ComCast did return my call and would only say I needed to contact my Hosting Service because it had a 'Bad reputation.' The guy refused to accept that I was the Host for the IP. According to him, only companies like ComCast and Verizon could be considered a Hosting Service. He talked to me like I was an idiot and just kept repeating that my Hosting Service had a bad reputation. I am not an expert in my Server Software. But, I can usually find out how to repair what broke. If I know what is broken.

There is no way to contact SenderScore, to find out why they place you on the blacklist. Even their parent company, Return Path, will not answer emails. The SenderScore website just says you're listed and there is nothing you can do about it. All I could find was a web page which said my IP had sent some emails which were 'similar' to SPAM emails, no specifics were available. I only have 12 Domains hosted. Yet, I would like to at least know which Domain was causing the problem with SenderScore. If there really is a problem, I can fix it. Or, is SenderScore only trying to force me to purchase the software their parent company, Return Path, is trying to sell? From what I understand, if I purchase this software, then SenderScore would stop blacklisting me.

I have found similar stories in other Forums about SenderScore.
 
Old 01-22-2010, 09:39 AM   #8
Dave_Devnull
Member
 
Registered: May 2009
Posts: 142

Rep: Reputation: 24
I feel your pain, and much as I would love to have a rant about RP/SS, it's not going to help anyone. They are who they are, they operate how they operate and there is no changing that. So, it's back to troubleshooting the dnsbl issue in generic terms. I'm not familiar with Exim or WHM, but one is just an MTA, the other a configuration tool - so that need not be a massive issue at this stage.

The obvious first (and I'm mentioning this for the benefit of the archives - not to be clever or condescending):
A server IP will usually only be listed as having a 'poor reputation' for:
sending spam to a trap/honeypot address
sending spam marked by customers
sending backscatter
poorly configured (open relay, wrong helo, no PTR, PTR host A does not match server IP, SPF fail/broken DNS setting)

I'm guessing you are running your own hosting business on a server of some kind. Is the Exim MTA on that server under your total control, or is this a reseller account on a shared server where other customers use the MTA? If it's a shared platform it's easily possible that it's not you or your customer. If that is the case it is going to be grey as to what you can do about it. If not, then the ball is in your court, which is probably the better scenario.

Back to basics - do you have access to the raw mail logs on the server - or are you able to obtain them? I would scan them from the day where you have the irate victim and find who sent what to them. It's probably obvious, but don't assume that only having a few domains and customers means there is no spam coming from them. Spammers just love to find small, cheap hosts with good IP reputations that they can use to snowshoe spam out from. It could even be as simple as a customer who is painfully unaware of their actions.

I'm happy to check for any obvious howlers if that would be of any use to you, but I'll need you to email me from the offending server to tell you anything useful. I'll PM you with an email address.
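The log-scanning step Dave describes (find who sent what to the irate victim, and see per-customer outbound volume instead of everything lumped under 'nobody'), as an added example that is not from the thread or from cPanel/Exim: a small parser over constructed Exim mainlog lines that attributes remote_smtp deliveries to the SMTP-AUTH login or the local unix user that injected the message. The log lines, domains and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample Exim mainlog lines (not from the thread's server).
# '<=' = message accepted (U= local unix user, A= SMTP-AUTH login, S= size),
# '=>' / '->' = delivery to a recipient, T= the transport used.
SAMPLE_LOG = """\
2010-01-22 09:15:02 1NYaaa-0001bb-Cd <= bob@hosted-one.example U=bob P=local S=1203
2010-01-22 09:15:03 1NYaaa-0001bb-Cd => friend@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]
2010-01-22 09:16:10 1NYaaa-0001cc-Ef <= nobody@server.example U=nobody P=local S=880
2010-01-22 09:16:11 1NYaaa-0001cc-Ef => victim1@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
2010-01-22 09:16:12 1NYaaa-0001cc-Ef -> victim2@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
2010-01-22 09:17:00 1NYaaa-0001dd-Gh <= alice@hosted-two.example H=(pc) [198.51.100.7] P=esmtpa A=dovecot_login:alice@hosted-two.example S=2310
2010-01-22 09:17:01 1NYaaa-0001dd-Gh => mail@example.com R=lookuphost T=remote_smtp H=mx.example.com [203.0.113.2]
2010-01-22 09:18:00 1NYaaa-0001ee-Ij <= nobody@server.example U=nobody P=local S=900
2010-01-22 09:18:01 1NYaaa-0001ee-Ij => local@hosted-one.example R=virtual_user T=virtual_userdelivery
"""
ACCEPT_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVER_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->) (?P<rcpt>\S+).* T=(?P<transport>\S+)")

def attribute_outbound(log_text):
    """Group mail that left via remote_smtp by who injected it: the SMTP-AUTH
    login, else 'local:<unix user>' (cPanel web scripts show up as local:nobody),
    else the envelope sender. Returns {origin: (messages, bytes, recipients)}."""
    origin_of, size_of, counted = {}, {}, set()
    stats = defaultdict(lambda: [0, 0, set()])
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            rest = m.group("rest")
            auth = re.search(r" A=\S+:(\S+)", rest)
            user = re.search(r" U=(\S+)", rest)
            size = re.search(r" S=(\d+)", rest)
            origin_of[m.group("id")] = (auth.group(1) if auth else
                                        "local:" + user.group(1) if user else m.group("sender"))
            size_of[m.group("id")] = int(size.group(1)) if size else 0
            continue
        m = DELIVER_RE.match(line)
        if m and m.group("transport") == "remote_smtp":   # local deliveries are not outbound
            mid = m.group("id")
            entry = stats[origin_of.get(mid, "unknown")]
            if mid not in counted:  # count a multi-recipient message once
                counted.add(mid)
                entry[0] += 1
                entry[1] += size_of.get(mid, 0)
            entry[2].add(m.group("rcpt"))
    return {k: (v[0], v[1], sorted(v[2])) for k, v in stats.items()}

def who_mailed(stats, victim):
    """Origins that sent outbound mail to the given address (the 'irate victim')."""
    return sorted(o for o, (_, _, rcpts) in stats.items() if victim in rcpts)
```

On a real cPanel box the same logic runs over /var/log/exim_mainlog; an origin of local:nobody points at a web script rather than a mailbox user, so the next step is the script's path rather than the sender address.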
 
Old 01-22-2010, 11:00 AM   #9
AndeAnderson
Member
 
Registered: Feb 2005
Location: Pennsylvania
Distribution: Debian (maybe)
Posts: 237

Original Poster
Rep: Reputation: 30
You are right Dave.

I did get a little carried away with my last post. I need to stay focused on finding the problem and correcting it.
 
Old 01-22-2010, 12:32 PM   #10
Dave_Devnull
Member
 
Registered: May 2009
Posts: 142

Rep: Reputation: 24
Ande, I've replied via email as there is some sensitive data in there. To anyone following this thread, the issue is related to the PTR/Reverse DNS not matching the connecting IP.

If you helo with host.yourdomain.com from IP 1.2.3.4, then the hostname lookup for 1.2.3.4 should map back 'host.yourdomain.com'.

When you send email to a host providing a feed to someone like SS/RP it is likely an error of this nature will have you listed.

It's not necessarily all about sending spam, sometimes it's just a simple little error - but a pain in the bottom when those that list you give you little or no feedback. One of the reasons, IMHO, Return Path and SS are utter rubbish. On the other side of the coin if you get listed by Barracuda, you can call them 24/7 and they *will* help you and tell you *why* they have listed you - but they are far more professional than RP will ever be. </end rant>
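The PTR check Dave describes (HELO host.yourdomain.com from 1.2.3.4, so the reverse lookup of 1.2.3.4 must give host.yourdomain.com and that name must resolve back to 1.2.3.4), as an added example that is not from the thread: a forward-confirmed reverse DNS checker. Live lookups use the system resolver; the stub table at the bottom is constructed from the post's placeholder values so the check also runs offline.

```python
import socket

def live_reverse(ip):
    """PTR lookup via the system resolver; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_forward(name):
    """A/AAAA lookup via the system resolver; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def fcrdns_check(ip, helo_name, reverse=live_reverse, forward=live_forward):
    """Forward-confirmed reverse DNS check for one sending IP and its HELO name.

    Passes only when PTR(ip) equals helo_name and both names resolve back to ip.
    reverse/forward are injectable so the check can run against a stub table.
    Returns (ok, list_of_findings)."""
    findings = []
    ptr = reverse(ip)
    if ptr is None:
        return False, ["no PTR record for %s" % ip]
    ptr, helo_name = ptr.rstrip(".").lower(), helo_name.rstrip(".").lower()
    if ptr != helo_name:
        findings.append("PTR %s does not match HELO name %s" % (ptr, helo_name))
    if ip not in forward(ptr):
        findings.append("PTR host %s does not resolve back to %s" % (ptr, ip))
    if ip not in forward(helo_name):
        findings.append("HELO name %s does not resolve to %s" % (helo_name, ip))
    return not findings, findings

# Constructed stub DNS table built on the post's placeholder 1.2.3.4 / host.yourdomain.com;
# 1.2.3.5 stands in for a generic ISP pool address whose PTR does not match the HELO.
STUB_PTR = {"1.2.3.4": "host.yourdomain.com", "1.2.3.5": "dyn-pool.isp.example"}
STUB_A = {"host.yourdomain.com": {"1.2.3.4"}, "dyn-pool.isp.example": {"1.2.3.5"}}

def stub_check(ip, helo_name):
    """Run the check against the stub table instead of live DNS."""
    return fcrdns_check(ip, helo_name, STUB_PTR.get, lambda n: STUB_A.get(n, set()))

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6"):
        print(ip, stub_check(ip, "host.yourdomain.com"))
```

Against live DNS, call fcrdns_check(server_ip, helo_name) with the name Exim announces in its HELO (primary_hostname) and fix whichever of the three findings it reports before asking for delisting.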
 