Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

CBL Listing Due to "Spam Trap Servers"

Discussion in 'E-mail Discussion' started by Bashed, Apr 19, 2018.

  1. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    IP listed at https://www.abuseat.org/lookup.cgi.

    How do I fix this? It's a reseller shared server. I have CSF, CXS installed with many anti-spam tweaks in place.

    It says...

    I ran this command:

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n 
    Results:

    Code:
       4277 /home/werock
       6566 /home/podemoss
      50014 /home/mhd/public_html/clients/cibe/wp-content/plugins/admin-menu-editor/ajax-wrapper
     234867 /etc/csf
    Why is so much coming from CSF?

    Ran CSF Check Server Security, everything is fine there.
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,775
    Likes Received:
    120
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    Do you have SMTP Block enabled in CSF?

    What is the output of:

    cat /etc/csf/csf.conf | grep ^SMTP_BLOCK

    on the server?
     
  3. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I actually just enabled it, so now it's:

    [root@server ~]# cat /etc/csf/csf.conf | grep ^SMTP_BLOCK
    SMTP_BLOCK = "1"

    I do have one error in CSF security check, despite mod_cloudflare being installed and enabled via EA4.

    Check apache for mod_cloudflare

     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,775
    Likes Received:
    120
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    From the description CBL gave, it sounds like someone on your server was attempting to use DarkMailer or a DarkMailer like script, which connects directly to port 25 (the SMTP port) on other mail servers. This is a typical spammer tactic because they don't have to authenticate themselves as being a legitimate user.

    If you did not have SMTP_BLOCK enabled, then users on your server were being allowed to connect to remote SMTP servers directly, thus fitting the description that CBL gave.

    If you continue to have issues with this after enabling SMTP_BLOCK then the issue could be some where else, but I suspect that having it disabled was the cause of this problem for you.
     
    cPanelLauren likes this.
  5. Bashed

    Bashed Well-Known Member

    Joined:
    Dec 18, 2013
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Thanks.

    Any idea about the other issue?

    "Check apache for mod_cloudflare"

    Google giving me all sorts of conflicting and old solutions.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,775
    Likes Received:
    120
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    I'm not sure on that one. It really doesn't pertain to your CBL listing.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Bashed

    You can also use the SMTP restrictions to block connections to the mail server from anyone besides root, exim, and mailman. This is present at WHM>>Server Configuration>>Tweak Settings or WHM>>Security Center>>SMTP Restrictions but the SMTP_BLOCK feature from CSF does the same thing. In regard to your other question, I would suggest opening a new thread so we can address that as well!

    Thank you,
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice