CBL Listing Due to "Spam Trap Servers"

Bashed

Well-Known Member
Dec 18, 2013
146
4
68
cPanel Access Level
Root Administrator
IP listed at https://www.abuseat.org/lookup.cgi.

How do I fix this? It's a reseller shared server. I have CSF, CXS installed with many anti-spam tweaks in place.

It says...

xxx.xxx.34.82 is listed

This IP address was detected and listed 659 times in the past 28 days, and 90 times in the past 24 hours. The most recent detection was at Thu Apr 19 20:05:00 2018 UTC +/- 5 minutes

This IP address has been connecting to our spam trap servers and is attempting to use our spam traps to relay email to other locations. In other words, IP address xxx.xxx.34.82 has been attempting to use our spamtraps as open relays.

A mail server normally only accepts email for its own users.

An ISP "outbound mail server" or "smarthost" accepts email, usually authenticated by userid and password, from its own users to relay it out to the Internet. This is a "mail submission agent" (MSA) server.

In other words, properly designed mail servers only accept email from its own users, or, to its own users.

A mail server that accepts email from non-users and relays it to other non-users is a "relay". Servers should not be set up as "open relays" - that is, not be permitted to relay email from any arbitrary place on the internet to another.

A computer that attempts to "trick" another mail server to be an "open relay" is acting as an "open relay injector", and that is what xxx.xxx.34.82 is doing.

Any IP address making lots of outbound connections on port 25 (less commonly 587) is usually the sign of such activity. If IP address xxx.xxx.34.82 is a NAT or PAT firewall, turning on logging of port 25/587 connections will usually identify the culprit in your network.
I ran this command:

Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Results:

Code:
   4277 /home/werock
   6566 /home/podemoss
  50014 /home/mhd/public_html/clients/cibe/wp-content/plugins/admin-menu-editor/ajax-wrapper
 234867 /etc/csf
Why is so much coming from CSF?

Ran CSF Check Server Security, everything is fine there.
 

Bashed

Well-Known Member
Dec 18, 2013
146
4
68
cPanel Access Level
Root Administrator
I actually just enabled it, so now it's:

[[email protected] ~]# cat /etc/csf/csf.conf | grep ^SMTP_BLOCK
SMTP_BLOCK = "1"

I do have one error in CSF security check, despite mod_cloudflare being installed and enabled via EA4.

Check apache for mod_cloudflare

This module logs the real users IP address to Apache. If this is reported to lfd via ModSecurity, cxs or some other vector through Apache it will lead to that IP being blocked, but because the IP is coming through the CloudFlare service the IP will not be blocked as so far as iptables is concerned the originating IP address is CloudFlare itself and the abuse will continue. To block these IP's in the CloudFlare Firewall look at using CF_ENABLE in csf.conf
 

sparek-3

Well-Known Member
Aug 10, 2002
2,087
243
368
cPanel Access Level
Root Administrator
From the description CBL gave, it sounds like someone on your server was attempting to use DarkMailer or a DarkMailer like script, which connects directly to port 25 (the SMTP port) on other mail servers. This is a typical spammer tactic because they don't have to authenticate themselves as being a legitimate user.

If you did not have SMTP_BLOCK enabled, then users on your server were being allowed to connect to remote SMTP servers directly, thus fitting the description that CBL gave.

If you continue to have issues with this after enabling SMTP_BLOCK then the issue could be some where else, but I suspect that having it disabled was the cause of this problem for you.
 
  • Like
Reactions: cPanelLauren

Bashed

Well-Known Member
Dec 18, 2013
146
4
68
cPanel Access Level
Root Administrator
Thanks.

Any idea about the other issue?

"Check apache for mod_cloudflare"

Google giving me all sorts of conflicting and old solutions.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,273
1,282
313
Houston
Hi @Bashed

You can also use the SMTP restrictions to block connections to the mail server from anyone besides root, exim, and mailman. This is present at WHM>>Server Configuration>>Tweak Settings or WHM>>Security Center>>SMTP Restrictions but the SMTP_BLOCK feature from CSF does the same thing. In regard to your other question, I would suggest opening a new thread so we can address that as well!

Thank you,