  1. #1 - cPanel Partner NOC (joined Jan 2006, 654 posts)

    Server listed in CBL - advice?

    We have a cPanel server getting listed in CBL but I cannot work out why.

    I've contacted them and they say the IP is HELO/EHLO'ing as a domain we don't own - that's about as much info as they were prepared to give us.

    We have the SMTP tweak on so only guid mail and mailman can send email. How can I monitor this to see if indeed another process is somehow making SMTP connections?

  2. #2 - cPanel Partner NOC (joined Jan 2006, 654 posts)

    They are saying that the most recent incident was at precisely 2006/05/07-19:04:44 and the server was HELO'ing as aol.com.

    How can I find out what process was doing this?

  3. #3 - Member (joined Jul 2003, 27 posts)

    You can check your /tmp for any possible suspicious file that is sending the phishing mail. You can run grep on your /tmp to check for possible files that are running there.

  4. #4 - avijit, Member (joined Jul 2004, India, 116 posts)

    It seems that someone is spoofing some other domain's mail ID and that was reported and the IP got blocked. If you have been given information on the spoofed domain, you can grep the mail logs to get information. Implement extended Exim logging and that will help you to track the culprit.
    Stop Reymond !! A single conversation with a wise man is better than ten years of study. So....

  5. #5 - cPanel Partner NOC (joined Jan 2006, 654 posts)

    Hi guys, thanks for your input but neither of these scenarios is happening here.

    /tmp is clean - there are no suspicious files on the server that I am aware of - I've done full trojan / rootkit scans etc. too.

    It's not as simple as a spoofed header - CBL don't list for this kind of activity - they list for exploited mail servers and the like. This server is running a standard Exim config. What they are suggesting is that an SMTP process has run on the server claiming to be sending mail as AOL, i.e. some kind of trojan or bot.

    As mentioned, you would normally expect this to be running from the tmp partition but there is nothing in there but normal session data.

    My problem here is knowing where to look - I've grep'd the whole of /var/log/* looking for something that might indicate what is going on but so far I've come up with nothing. It doesn't help that those in charge of the CBL list haven't provided very much information, but they say this is because they don't want to reveal their methods of uncovering such issues.

    I'm left here scratching my head.

  6. #6 - Member (joined Nov 2004, 122 posts)

    As a last resort, grep /home for "aol.com" (hopefully you don't have too many accounts).

    Also, you could close all unused outbound ports with a firewall (but provide a range of open ports to be used by the FTP server when in passive mode - put them in the FTP config file).

  7. #7 - BANNED (joined Jul 2005, 537 posts)

    Quote Originally Posted by 4u123
    Hi guys, thanks for your input but neither of these scenarios is happening here.

    /tmp is clean - there are no suspicious files on the server that I am aware of - I've done full trojan / rootkit scans etc. too.

    It's not as simple as a spoofed header - CBL don't list for this kind of activity - they list for exploited mail servers and the like. This server is running a standard Exim config. What they are suggesting is that an SMTP process has run on the server claiming to be sending mail as AOL, i.e. some kind of trojan or bot.

    As mentioned, you would normally expect this to be running from the tmp partition but there is nothing in there but normal session data.

    My problem here is knowing where to look - I've grep'd the whole of /var/log/* looking for something that might indicate what is going on but so far I've come up with nothing. It doesn't help that those in charge of the CBL list haven't provided very much information, but they say this is because they don't want to reveal their methods of uncovering such issues.

    I'm left here scratching my head.

    There are many places that a spambot could be installed. How about this scenario. Somebody compromises one of your user websites. They upload a mailer that sends out spam. After the mailer is done, it deletes itself. Since all messages leave your box as nobody, you wouldn't even know about it unless the messages happen to pile up in the message queue and you were smart enough to be able to identify them. I saw this happen recently and it's quite a popular way of sending out mail without your knowledge, since you would not have a clue which website it was being sent from.

  8. #8 - Member (joined Nov 2004, 122 posts)

    That is why it is good to run phpsuexec. You will know which account is sending it.

  9. #9 - avijit, Member (joined Jul 2004, India, 116 posts)

    You can even implement the Perl/sendmail spam trapper.

    Check the http://www.webhostgear.com/232.html
    Stop Reymond !! A single conversation with a wise man is better than ten years of study. So....

  10. #10 - Member (joined Aug 2002, 170 posts)

    Sorry if I am pointing out the obvious, but is your server hostname correct?
    When you telnet to your server to port 25, what does it identify as?

    Test your domain at www.dnsreport.com (not the mail test) to see if there is anything unusual with the mail server.
    Host Ultra
    Quality Affordable Web Hosting

  11. #11 - Member (joined Apr 2004, 220 posts)

    Hello 4u123,

    Have you found the reason why you got blacklisted by CBL? Can you share it in this forum, as I have the same problem as you?

    Thanks
