CBL Listing Due to "Spam Trap Servers"

Bashed (Well-Known Member, Dec 18, 2013; cPanel Access Level: Root Administrator)
IP listed at https://www.abuseat.org/lookup.cgi.

How do I fix this? It's a reseller shared server. I have CSF and CXS installed with many anti-spam tweaks in place.

It says...

xxx.xxx.34.82 is listed

This IP address was detected and listed 659 times in the past 28 days, and 90 times in the past 24 hours. The most recent detection was at Thu Apr 19 20:05:00 2018 UTC +/- 5 minutes

This IP address has been connecting to our spam trap servers and is attempting to use our spam traps to relay email to other locations. In other words, IP address xxx.xxx.34.82 has been attempting to use our spamtraps as open relays.

A mail server normally only accepts email for its own users.

An ISP "outbound mail server" or "smarthost" accepts email, usually authenticated by userid and password, from its own users to relay it out to the Internet. This is a "mail submission agent" (MSA) server.

In other words, properly designed mail servers only accept email from their own users, or to their own users.

A mail server that accepts email from non-users and relays it to other non-users is a "relay". Servers should not be set up as "open relays" - that is, not be permitted to relay email from any arbitrary place on the internet to another.

A computer that attempts to "trick" another mail server to be an "open relay" is acting as an "open relay injector", and that is what xxx.xxx.34.82 is doing.

Any IP address making lots of outbound connections on port 25 (less commonly 587) is usually the sign of such activity. If IP address xxx.xxx.34.82 is a NAT or PAT firewall, turning on logging of port 25/587 connections will usually identify the culprit in your network.
I ran this command:

Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Results:

Code:
   4277 /home/werock
   6566 /home/podemoss
  50014 /home/mhd/public_html/clients/cibe/wp-content/plugins/admin-menu-editor/ajax-wrapper
 234867 /etc/csf
Why is so much coming from CSF?

Ran CSF Check Server Security, everything is fine there.
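The exim_mainlog pipeline above only counts lines; as an added example (not from this thread or from cPanel/CSF), here is the same analysis in Python over a few constructed log lines, extended to map each working directory back to the cPanel account it lives under and to skip directories that are expected to send mail. The sample lines, the threshold and the allowlist are assumptions for the demonstration; the `/etc/csf` entry is treated as legitimate because that is the directory lfd runs from when it mails its own alerts.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not real log data).
# With the exim log selector +arguments, each local sendmail invocation is
# logged with "cwd=<directory>", the working directory of the calling
# process, which is what points at the script generating the mail.
SAMPLE_EXIM_MAINLOG = """\
2018-04-19 20:01:12 cwd=/home/werock 3 args: /usr/sbin/sendmail -t -i
2018-04-19 20:01:13 cwd=/home/mhd/public_html/clients/cibe/wp-content/plugins/admin-menu-editor/ajax-wrapper 3 args: /usr/sbin/sendmail -t -i
2018-04-19 20:01:13 cwd=/home/mhd/public_html/clients/cibe/wp-content/plugins/admin-menu-editor/ajax-wrapper 3 args: /usr/sbin/sendmail -t -i
2018-04-19 20:01:14 cwd=/home/mhd/public_html/clients/cibe/wp-content/plugins/admin-menu-editor/ajax-wrapper 3 args: /usr/sbin/sendmail -t -i
2018-04-19 20:01:15 cwd=/etc/csf 3 args: /usr/sbin/sendmail -t -i
2018-04-19 20:01:16 cwd=/var/spool/cron 3 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root
2018-04-19 20:01:17 1f9AbC-0001Xy-2Z <= user@example.com H=localhost [127.0.0.1] P=esmtpa S=1234
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")


def count_cwd(log_text, ignore_prefixes=("/var/spool",)):
    """Count sendmail invocations per working directory, mirroring the
    grep | awk | sort | uniq -c pipeline, but skipping noise such as
    /var/spool (cron and mailman deliveries)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if not m:
            continue
        cwd = m.group(1)
        if cwd.startswith(ignore_prefixes):
            continue
        counts[cwd] += 1
    return counts


def account_for(path):
    """Map a cwd under /home/<account>/... to the cPanel account name, so a
    reseller admin can see which customer account needs cleaning.
    Returns None for paths outside /home."""
    m = re.match(r"^/home/([^/]+)", path)
    return m.group(1) if m else None


def suspicious_dirs(counts, threshold, allowlist=("/etc/csf",)):
    """Return (cwd, count, account) tuples at or above the threshold, most
    active first, excluding directories known to send legitimately
    (/etc/csf is where lfd runs when it mails its own alerts)."""
    hits = [
        (cwd, n, account_for(cwd))
        for cwd, n in counts.items()
        if n >= threshold and cwd not in allowlist
    ]
    return sorted(hits, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # Replace SAMPLE_EXIM_MAINLOG with open("/var/log/exim_mainlog").read()
    # on a real server; the threshold depends on the server's normal volume.
    counts = count_cwd(SAMPLE_EXIM_MAINLOG)
    for cwd, n, acct in suspicious_dirs(counts, threshold=2):
        print(f"{n:>7} {cwd}  (account: {acct})")
```

On a real server the interesting output is a single `wp-content/plugins/.../` directory far above every other account, which is the script to remove, and the account name tells you whose site to suspend while it is cleaned.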

Bashed (Well-Known Member, Dec 18, 2013; cPanel Access Level: Root Administrator)
I actually just enabled it, so now it's:

Code:
[[email protected] ~]# cat /etc/csf/csf.conf | grep ^SMTP_BLOCK
SMTP_BLOCK = "1"

I do have one error in CSF security check, despite mod_cloudflare being installed and enabled via EA4.

Check apache for mod_cloudflare

This module logs the real user's IP address to Apache. If this is reported to lfd via ModSecurity, cxs or some other vector through Apache it will lead to that IP being blocked, but because the IP is coming through the CloudFlare service the IP will not be blocked, as so far as iptables is concerned the originating IP address is CloudFlare itself and the abuse will continue. To block these IPs in the CloudFlare Firewall look at using CF_ENABLE in csf.conf

sparek-3 (Well-Known Member, Aug 10, 2002; cPanel Access Level: Root Administrator)
From the description CBL gave, it sounds like someone on your server was attempting to use DarkMailer or a DarkMailer-like script, which connects directly to port 25 (the SMTP port) on other mail servers. This is a typical spammer tactic because they don't have to authenticate themselves as being a legitimate user.

If you did not have SMTP_BLOCK enabled, then users on your server were being allowed to connect to remote SMTP servers directly, thus fitting the description that CBL gave.

If you continue to have issues with this after enabling SMTP_BLOCK then the issue could be somewhere else, but I suspect that having it disabled was the cause of this problem for you.
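CBL's advice to turn on logging of port 25/587 connections, and sparek-3's point about scripts connecting directly to remote SMTP, both come down to finding which local process is opening those connections. As an added example (not code from this thread, CBL, CSF or cPanel), this Python script parses constructed netfilter LOG lines of the kind an OUTPUT-chain rule such as `iptables -A OUTPUT -p tcp -m multiport --dports 25,587 --syn -j LOG --log-prefix "OUT_SMTP: " --log-uid` would write, and groups the outbound SMTP SYNs by the local UID that sent them. The log prefix, sample addresses, UIDs and the fan-out threshold are assumptions for the demonstration; the set of UIDs allowed to talk SMTP (root, exim, mailman on a cPanel box) must be filled in from the real server's /etc/passwd.

```python
import re
from collections import defaultdict

# Constructed kernel log lines (not real data) in the format written by
# netfilter's LOG target; --log-uid appends the UID/GID of the local
# process that generated the packet, which is what identifies the culprit.
SAMPLE_KERNEL_LOG = """\
Apr 19 20:05:01 host kernel: OUT_SMTP: IN= OUT=eth0 SRC=203.0.113.82 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=45120 DPT=25 SYN UID=1003 GID=1003
Apr 19 20:05:01 host kernel: OUT_SMTP: IN= OUT=eth0 SRC=203.0.113.82 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=45121 DPT=25 SYN UID=1003 GID=1003
Apr 19 20:05:02 host kernel: OUT_SMTP: IN= OUT=eth0 SRC=203.0.113.82 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=45122 DPT=587 SYN UID=1003 GID=1003
Apr 19 20:05:03 host kernel: OUT_SMTP: IN= OUT=eth0 SRC=203.0.113.82 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=33001 DPT=25 SYN UID=0 GID=0
Apr 19 20:05:04 host kernel: OUT_SMTP: IN= OUT=eth0 SRC=203.0.113.82 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=33002 DPT=443 SYN UID=1003 GID=1003
Apr 19 20:05:05 host sshd[123]: Accepted publickey for root from 198.51.100.50 port 51234 ssh2
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_kv(line):
    """Turn the KEY=VALUE part of a netfilter LOG line into a dict
    (flags such as SYN carry no '=' and are simply ignored)."""
    return dict(FIELD_RE.findall(line))


def smtp_syns(log_text, prefix="OUT_SMTP:", ports=("25", "587")):
    """Yield the parsed fields of every logged outbound SYN to an SMTP port."""
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        fields = parse_kv(line)
        if fields.get("PROTO") == "TCP" and fields.get("DPT") in ports:
            yield fields


def destinations_per_uid(log_text):
    """Map each local UID to the set of remote mail servers it tried to reach."""
    dests = defaultdict(set)
    for fields in smtp_syns(log_text):
        dests[int(fields["UID"])].add(fields["DST"])
    return dests


def offenders(dests, allowed_uids=(0,), max_distinct=1):
    """UIDs that are not an expected mail daemon (assumed here: only root)
    and fanned out to more distinct remote SMTP servers than a normal web
    application's contact form ever would."""
    return sorted(uid for uid, d in dests.items()
                  if uid not in allowed_uids and len(d) > max_distinct)


if __name__ == "__main__":
    # On a real server read /var/log/messages (or wherever rsyslog puts
    # kernel output) and resolve the UID with `getent passwd <uid>`.
    per_uid = destinations_per_uid(SAMPLE_KERNEL_LOG)
    for uid in offenders(per_uid):
        print(f"uid {uid} opened SMTP connections to {len(per_uid[uid])} hosts")
```

The UID is the useful part: on a cPanel server every account's PHP runs under its own user, so the UID goes straight to the account whose site is running the mailer. Once SMTP_BLOCK (or WHM's SMTP Restrictions) is on, the same rule can be kept as a REJECT with logging, and the log then shows the blocked attempts instead of the connections that got out.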

Bashed (Well-Known Member, Dec 18, 2013; cPanel Access Level: Root Administrator)
Thanks.

Any idea about the other issue?

"Check apache for mod_cloudflare"

Google is giving me all sorts of conflicting and old solutions.

cPanelLauren (Product Owner II, Staff member, Nov 14, 2017, Houston)
Hi @Bashed

You can also use the SMTP restrictions to block connections to the mail server from anyone besides root, exim, and mailman. This is present at WHM>>Server Configuration>>Tweak Settings or WHM>>Security Center>>SMTP Restrictions but the SMTP_BLOCK feature from CSF does the same thing. In regard to your other question, I would suggest opening a new thread so we can address that as well!

Thank you,