The Community Forums

Interact with an entire community of cPanel & WHM users!

CBL blacklisted but no outgoing spam detected

Discussion in 'E-mail Discussions' started by iso99, Jan 28, 2016.

  1. iso99 (Well-Known Member)
    When this happens, CSF usually notifies me about it and the mail queue is usually full, since I have only an 80 mails per hour limit for each account.

    Where should I check next? I can't seem to fix this; /var/log/exim_mainlog doesn't seem to have relevant logs regarding the said "spam".


    And what's frustrating is that I have an average of 200 mail deliveries per hour, with a max of 1000 today.
     
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member)
    Can you explain this another way? I don't understand your actual question.
     
  3. dalem (Well-Known Member, PartnerNOC)
    I have to agree with Infopro.

    That being said, I think I know what you are trying to convey. I'm guessing, since you can't see it, it's going out nice and slow;
    usually it's the localhost spam that is hard to see.

    Check to see if there are any scripts that are sending out more than usual (only you would know the answer to that):
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

    If it is localhost spam, here is another thread to help you detect it:
    H=localhost (User) spammer
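An added example, not from dalem's post and not cPanel's tooling: the same cwd tally run over a constructed exim_mainlog (the hosts, logins, addresses and message IDs in the sample are made up), extended with two further views a practitioner wants when the cwd counts look normal, as they did for iso99 and chujanet later in the thread: accepted messages per authenticated login, and messages accepted over the loopback interface.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: tally an exim_mainlog by the
# working directory of each command-line submission (the thread's awk pipeline),
# and additionally by authenticated login and by loopback (H=localhost) submissions.
# The log lines below are constructed; hosts, logins, IPs and message IDs are made up.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2016-01-28 10:00:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aOWbQ-0001Fj-3x
2016-01-28 10:00:02 cwd=/home/domain1/public_html/form 3 args: /usr/sbin/sendmail -t -i
2016-01-28 10:00:02 1aOWbR-0001Fk-4y <= domain1@server.example.com U=domain1 P=local S=812
2016-01-28 10:00:03 cwd=/home/domain1/public_html/form 3 args: /usr/sbin/sendmail -t -i
2016-01-28 10:00:03 1aOWbS-0001Fm-5z <= domain1@server.example.com U=domain1 P=local S=812
2016-01-28 10:00:04 cwd=/home/domain2/public_html 3 args: /usr/sbin/sendmail -t -i
2016-01-28 10:00:05 1aOWbT-0001Fn-6a <= user@domain3.example H=localhost (mailer.example) [127.0.0.1] P=esmtpa A=dovecot_login:user@domain3.example S=2101
2016-01-28 10:00:06 1aOWbU-0001Fo-7b <= user@domain3.example H=localhost (mailer.example) [127.0.0.1] P=esmtpa A=dovecot_login:user@domain3.example S=2101
2016-01-28 10:00:07 1aOWbV-0001Fp-8c <= boss@domain4.example H=(client) [203.0.113.9] P=esmtpsa A=dovecot_login:boss@domain4.example S=3300
EOF

# Messages submitted from the command line (PHP mail(), cron jobs, CSF notices) log a
# "cwd=<dir> N args: ..." line; counting the cwd field points at the submitting directory.
top_cwd() {
  awk '$3 ~ /^cwd=/ { print $3 }' "$1" | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Messages accepted over SMTP AUTH carry "A=<authenticator>:<login>"; count per login.
top_auth() {
  awk '/<=/ { for (i = 1; i <= NF; i++) if ($i ~ /^A=/) { sub(/^A=[^:]*:/, "", $i); print $i } }' "$1" \
    | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Messages accepted from the loopback interface, the "H=localhost" case raised in the thread.
# grep -c exits 1 when the count is 0, so guard it for scripts that run under set -e.
count_localhost() {
  grep -c '<= .* H=localhost ' "$1" || true
}

echo "== submissions per working directory =="; top_cwd "$SAMPLE_LOG"
echo "== accepted messages per authenticated login =="; top_auth "$SAMPLE_LOG"
echo "== accepted over loopback: $(count_localhost "$SAMPLE_LOG") =="
```

Reading the output: a large cwd=/var/spool/exim count is Exim re-invoking itself for deliveries (the `exim -Mc` form in the sample) and cwd=/etc/csf is CSF's own notifications, so the directories worth inspecting are the ones under /home/*/public_html. The second view covers the case no cwd= line can show: a mailbox whose password has been guessed submits over authenticated SMTP, which is handled by the daemon rather than by a command-line invocation, so it appears only as an A=dovecot_login count that is out of proportion to what that account's users could plausibly send.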
     
  4. iso99 (Well-Known Member)
    Oh, sorry about that, I might have ranted a bit.

    So here it goes: CBL blacklisted one of my IPs, saying it was sending spam. There were no further details on their lookup page, which was new for me; it just stated that there might be a script/trojan that caused the blacklisting, or it may be a false positive, which happens for shared hosting servers. I was blacklisted before, but the CBL page said which domain it was coming from, so it was rather easy to fix.

    Now, another thing is, CSF was not able to track which domain was spamming. Usually, if there was really a script or relay sending a huge amount of emails, it's logged properly and email notifications are sent. Exim also queues messages once they reach the max threshold.

    The odd thing today is, no CSF notification and no Exim queues. I have set it to 80 max emails per hour per domain, and a hard limit of 200 (which is caught by Exim every time it is met).

    80 and 200 are small numbers to be considered as spam, and they were not even met this day. That's why I'm wondering how come CBL blacklisted this IP?

    I browsed my mail stats and, based on the deliveries per hour today, it was a max of 600-700. Checked Exim logs again for those hour blocks; no relevant "spam" logs.


    I was wondering if I missed any logs to check and where to check further, if possible?
    Is it really possible that CBL blacklisted this as a false positive, and where can I prevent this (in WHM)?

    Hope that helps my case.
     
  5. iso99 (Well-Known Member)

    Thanks for the tip; no, it's not localhost though.

    The result is pretty much normal, with a max of 800 for a single domain; others are below that, with an average of 2-6.
     
  6. SysSachin (Well-Known Member)
    Have you tried this?

    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

    The above command will show the exact path of the mail script.
     
  7. chujanet (Registered)
    I'm having the same problem as iso99. A few days ago my server was listed in CBL and I don't find anything in exim_mainlog. When I run the mentioned command I get the following results:


    19573 cwd=/var/spool/exim
    1414 cwd=/
    1345 cwd=/etc/csf
    173 cwd=/usr/local/cpanel/whostmgr/docroot
    71 cwd=/tmp
    8 cwd=/root
    8 cwd=/home/domain1/public_html/form
    6 cwd=/home/domain2/public_html
    3 cwd=/var/log
    2 cwd=/home/domain3/public_html
    2 cwd=/home/domain4/public_html/Comuna
    2 cwd=/home/domain5/public_html
    1 cwd=/home/domain6/public_html
    1 cwd=/home/domain7/public_html

    Can I see if a script is being used to send spam?
     
  8. dalem (Well-Known Member, PartnerNOC)
    How do you know, if you can't find it?
     
  9. iso99 (Well-Known Member)
    I've used your command line and got pretty much the same results as chujanet.


    PS: Recently updated to WHM 54, if that helps
     
    #9 iso99, Jan 28, 2016
    Last edited: Jan 28, 2016
  10. iso99 (Well-Known Member)
    Further details:

    Exim stats deliveries per hour:

    00-01 290 ...............
    01-02 245 ............
    02-03 229 ............
    03-04 260 .............
    04-05 280 ..............
    05-06 330 .................
    06-07 295 ...............
    07-08 304 ................
    08-09 590 ...............................
    09-10 836 ............................................
    10-11 969 ...................................................
    11-12 833 ...........................................
    12-13 699 ....................................
    13-14 542 ............................
    14-15 686 ....................................
    15-16 625 ................................
    16-17 615 ................................
    17-18 606 ...............................
    18-19 442 .......................
    19-20 337 .................
    20-21 331 .................
    21-22 351 ..................
    22-23 381 ....................
    23-24 446 .......................


    All email errors (rejections) were sent remotely:

    R=lookuphost T=remote_smtp
     
  11. chujanet (Registered)
    Hello, CBL team informed me that:

    Can anyone tell me if you also have this problem in version 54.0.8? How can I fix this issue?
     
    #11 chujanet, Jan 29, 2016
    Last edited by a moderator: Jan 29, 2016
  12. iso99 (Well-Known Member)
    Update:

    I also emailed CBL and verified that the email accounts were referencing their own domain name for HELO/EHLO instead of the hostname's/reseller's shared IP.

    I checked the email headers and it was indeed the case. Before, it was:

    Received: from hostname.server.com (hostname.server.com. [xxx.xxx.xxx.xxx])

    but now, it's

    Received: from domain.name (hostname.server.com. [xxx.xxx.xxx.xxx])


    This somehow got messed up on an update, and I'm waiting on a cPanel ticket for advice.
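As an added example, not from iso99's post and not cPanel's code: a small shell check that pulls the HELO/EHLO name and the reverse-DNS name out of a Received: header and reports whether they agree, run over two constructed headers modelled on the before/after pair quoted above (the hostname, domain and address are placeholders). It assumes the header has already been unfolded onto a single line.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: check whether the HELO/EHLO name
# recorded in a Received: header matches the reverse-DNS name the receiving MTA resolved.
# The two headers are constructed to mirror the before/after headers quoted in the thread;
# names and the address are placeholders.

GOOD_HDR='Received: from hostname.server.com (hostname.server.com. [192.0.2.10])'
BAD_HDR='Received: from domain.name (hostname.server.com. [192.0.2.10])'

# The HELO name is the first word after "from ".
helo_name() {
  printf '%s\n' "$1" | sed -n 's/^Received: from \([^ ]*\) .*/\1/p'
}

# The reverse-DNS name is the word in parentheses; some MTAs append a trailing dot.
rdns_name() {
  printf '%s\n' "$1" | sed -n 's/^Received: from [^ ]* (\([^ ]*\) \[.*/\1/p' | sed 's/\.$//'
}

# Prints "match <name>" when HELO and rDNS agree, otherwise "mismatch helo=<helo> rdns=<rdns>".
helo_check() {
  h=$(helo_name "$1")
  r=$(rdns_name "$1")
  if [ -n "$h" ] && [ "$h" = "$r" ]; then
    echo "match $h"
  else
    echo "mismatch helo=$h rdns=$r"
  fi
}

# Reads a message (or a saved header block) on stdin and reports every "Received: from" hop.
check_message() {
  sed -n '/^Received: from /p' | while IFS= read -r line; do helo_check "$line"; done
}

helo_check "$GOOD_HDR"
helo_check "$BAD_HDR"
```

To see what your own server currently announces, send a message from an affected account to an external mailbox you control and run the Received: header that the remote server added through helo_check. A match only says the name agrees with what that receiver resolved; the mismatch in the thread is corrected on the sending side, in the mailhelo handling cPanelMichael describes, not by touching headers.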
     
  13. iso99 (Well-Known Member)
    No official fix yet but was advised to try the following for now:

     
  14. cPanelMichael (Forums Analyst, Staff Member)
    Hello :)

    Internal case CPANEL-3984 is open to address an issue where accounts assigned a shared IP address are added to the /etc/mailips and /etc/mailhelo files when IPv6 is enabled. The current workaround is to disable "Send mail from account’s dedicated IP address" and use the "Reference /etc/mailhelo and /etc/mailips" options explained at:

    How to Configure Exim's Outgoing IP Address - cPanel Knowledge Base - cPanel Documentation

    Please monitor our change log for the inclusion of a resolution for this case:

    54 Change Log - Documentation - cPanel Documentation

    Thank you.
     
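As an added example, not cPanel's code and not from the thread: a shell audit of /etc/mailips and /etc/mailhelo that flags domains assigned the shared IP whose HELO entry is not the server hostname, which is the condition internal case CPANEL-3984 describes. It assumes both files use one `key: value` entry per line with `*` as the default entry; the two files below are constructed stand-ins with placeholder names and addresses.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: audit /etc/mailips and /etc/mailhelo for
# domains that sit on the shared IP yet announce their own name in HELO. Assumes the
# one-entry-per-line "key: value" layout with "*" as the default. Files below are constructed.

MAILIPS=$(mktemp); MAILHELO=$(mktemp)
trap 'rm -f "$MAILIPS" "$MAILHELO"' EXIT
cat > "$MAILIPS" <<'EOF'
# constructed: which source IP each domain sends from
*: 192.0.2.10
domain1.example: 192.0.2.10
domain2.example: 192.0.2.25
EOF
cat > "$MAILHELO" <<'EOF'
# constructed: which HELO name each domain announces
*: hostname.server.com
domain1.example: domain1.example
domain2.example: mail.domain2.example
EOF

# Prints one line per domain whose mailips entry equals the shared (default) IP while its
# mailhelo entry differs from the default hostname. Domains on a dedicated IP are left alone:
# announcing their own name there is legitimate when forward and reverse DNS agree.
audit_mailhelo() {
  awk '
    FNR == 1 { file++ }
    /^[ \t]*(#|$)/ { next }
    { key = $1; sub(/:$/, "", key); val = $2 }
    file == 1 { ip[key] = val; next }
    { helo[key] = val }
    END {
      shared = ip["*"]; host = helo["*"]
      for (d in ip) {
        if (d == "*" || ip[d] != shared) continue
        if ((d in helo) && helo[d] != host)
          printf "%s: HELO %s on shared IP %s (expected %s)\n", d, helo[d], shared, host
      }
    }' "$1" "$2"
}

# Emits mailhelo with the flagged per-domain entries dropped, so those domains fall back to
# the "*" default. The bad-domain list is passed as a space-delimited string so an empty
# list keeps every line (the NR==FNR two-file idiom would misfire on empty input).
fixed_mailhelo() {
  bad=$(audit_mailhelo "$1" "$2" | cut -d: -f1 | tr '\n' ' ')
  awk -v bad=" $bad" '
    { key = $1; sub(/:$/, "", key) }
    index(bad, " " key " ") == 0' "$2"
}

echo "== shared-IP domains announcing their own HELO =="; audit_mailhelo "$MAILIPS" "$MAILHELO"
echo "== mailhelo with those entries removed =="; fixed_mailhelo "$MAILIPS" "$MAILHELO"
```

On a server, audit_mailhelo /etc/mailips /etc/mailhelo with no output means no shared-IP domain is announcing its own name. fixed_mailhelo only prints a proposed file for review; cPanel manages both files, so apply the change through the WHM options cPanelMichael names rather than by editing them by hand, or the edit may be regenerated away.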
  15. matt1206 (Member)
    Thanks for this @cPanelMichael , I've been having my own IP blocked regularly since upgrading to 54. Have applied the above "fix" and will see what happens
     
  16. matt1206 (Member)
    Blocked again :(
     
  17. cPanelMichael (Forums Analyst, Staff Member)
    Case CPANEL-3984 addresses the issue by turning off IPv6 handling in the /etc/mailips and /etc/mailhelo files for the time being. This resolution is scheduled for inclusion in a future build of cPanel version 54, but there's no specific time frame available at this time. I'll update this thread when the case is released to a public build of cPanel.

    Thank you.
     
  18. cPanelMichael (Forums Analyst, Staff Member)
    A resolution for internal case CPANEL-3984 is included in cPanel version 54.0.15. Please let us know if the issue continues on this version of cPanel (It's currently only released to the "Current" build tier).

    Thank you.
     
  19. Mads Nordholm (Member)
    I see that our servers have now updated to 54.0.15, so I'm curious to know if it's now safe to switch back to the "Send mail from account’s dedicated IP address" setting?
     
  20. cPanelMichael (Forums Analyst, Staff Member)