The Community Forums


CBL Problems

Discussion in 'E-mail Discussions' started by flen, Jun 28, 2006.

  1. flen

    flen Member

    Joined:
    Jun 12, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    One of our servers is in the CBL blacklist. I've requested several removals but it still comes back in the blacklist. The people at CBL can't give me a solution or tell me where exactly the problem is.

    - Server hostname is set up right
    - Reverse DNS is okay
    - Nothing strange in mail queue as far as I could see
    - No other blacklists, only CBL
    - Running PhpSuExec, no mail is sent under nobody (right?)
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Check that a CGI script is not connecting directly to the mail server via localhost. There are a couple of BB scripts that do this, and it connects as something@localhost, and that's why it's getting into the CBL.
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    In addition to what dalem suggested, you need to make sure that there are no spammers in-house. It is very likely that a spammer, through one of your clients, downloaded and installed a script on your server. So, you need to find out where that script, or scripts, is/are located and remove them. Overall, secure your server. Good luck!
     
  4. flen

    flen Member

    Joined:
    Jun 12, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Like I said, there is nothing strange to see. I can't find any spam scripts, and I'm running several things like Mod_Security, Open_Basedir, PHPSuExec, etc. :(
     
  5. flen

    flen Member

    Joined:
    Jun 12, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    No further suggestions? :( The server is still on the CBL daily and there's nothing strange to see :/
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Only the maintainers of the list can tell you why or how you got on the list, so you're going to have to pursue it with them.
     
  7. flen

    flen Member

    Joined:
    Jun 12, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    The problem is that they can only tell me "there is something wrong with your mailserver configuration". And it is a standard cPanel configuration :/
     
  8. oulzac

    oulzac Well-Known Member

    Joined:
    Aug 7, 2005
    Messages:
    131
    Likes Received:
    0
    Trophy Points:
    16
    Which CBL is it?
    Most of them have a contact where you can email them directly for further assistance.
     
  10. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    Mine was due to a script that was sending a HELO command over an SMTP connection. Instead of HELO myservername.com, it was doing HELO emailrecipient.com. Apparently when done to the wrong server this gets you on the blacklist somehow. I fixed the script and haven't been relisted.
     
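    Both of the causes named so far, dalem's scripts connecting to localhost as something@localhost and payne's wrong HELO name, are visible in Exim's own mainlog before the CBL ever sees them. Here is an added example (not posted by anyone in this thread) that scans the '<=' arrival lines for unauthenticated submissions over loopback and reports the HELO and envelope sender each one used. The log lines are constructed, server.example.com stands in for the real hostname, and the line layout assumed is Exim's default arrival record: '<= sender H=host (helo) [ip] ... A=authenticator'.

```python
"""Scan an Exim mainlog for mail handed in over loopback by local scripts.
Added example, not from the thread.  Sample lines are constructed; the '<='
layout assumed is Exim's default: <= sender H=host (helo) [ip] ... A=auth."""
import re

SERVER_FQDN = "server.example.com"  # placeholder for the real host name

# Constructed sample: one remote inbound, two script submissions, one local
# sendmail-binary submission (U=), one authenticated webmail submission (A=).
SAMPLE_LOG = """\
2006-06-28 09:12:01 1FvX3A-0002Bc-7Z <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtp S=2345
2006-06-28 09:12:44 1FvX3q-0002Bf-1K <= nobody@localhost H=localhost (emailrecipient.com) [127.0.0.1] P=smtp S=1802
2006-06-28 09:13:02 1FvX4B-0002Bh-3M <= bob@example.org U=bob P=local S=910
2006-06-28 09:13:30 1FvX4d-0002Bj-9Q <= www@localhost H=localhost [127.0.0.1] P=smtp S=77213
2006-06-28 09:14:15 1FvX5G-0002Bm-2X <= carol@example.com H=localhost (server.example.com) [127.0.0.1] P=esmtpa A=dovecot_login:carol S=3001
"""

# Exim prints the HELO name in parentheses only when it differs from the H= host.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?: H=(?P<host>\S+?)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\])?"
    r"(?P<rest>.*)$")

def suspicious_submissions(log_text, server_fqdn):
    """Return (message id, sender, reasons) for every unauthenticated SMTP arrival
    over 127.0.0.1: something on this box talking to port 25 instead of using Exim."""
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or m.group("host") is None:
            continue  # not an arrival line, or a U= local sendmail-binary submission
        if m.group("ip") != "127.0.0.1":
            continue  # mail from a real remote MTA, not what the CBL is seeing from us
        if re.search(r" A=\S+", m.group("rest")):
            continue  # SMTP AUTH succeeded (webmail, mail clients): trusted
        helo = m.group("helo") or m.group("host")
        reasons = []
        if helo.lower() != server_fqdn.lower():
            reasons.append("HELO %r is not this server's name" % helo)
        if m.group("sender").endswith("@localhost"):
            reasons.append("sender uses the bare localhost domain")
        if not reasons:
            reasons.append("unauthenticated SMTP submission over loopback")
        hits.append((m.group("id"), m.group("sender"), reasons))
    return hits

if __name__ == "__main__":
    for msg_id, sender, reasons in suspicious_submissions(SAMPLE_LOG, SERVER_FQDN):
        print(msg_id, sender, "; ".join(reasons))
```

    Run it against /var/log/exim_mainlog on the box; the message ids it prints can be matched against the mainlog's later '=>' delivery lines to find the account or script behind them.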
  11. Jorge

    Jorge Well-Known Member

    Joined:
    Feb 19, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    I tried to contact them asking for some help (otherwise it is almost impossible to know what the reason may be) and I keep receiving the same "auto-responder" message.

    BTW, I sent you a PM.
     
  12. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    I had the autoresponder problem with a different blacklist, spamcop, and ended up disabling the autoresponder feature in whm. I also disabled spam trapper for the same reason. I haven't had problems with spamcop since then (a few days running).
     
  13. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    ok... just got blacklisted again. I just followed the advice at http://www.farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/ and sent an email to deputies[at]admin.spamcop.net asking if they can give more info on what exactly is being bounced to a spamcop trap.

    I'm wondering if it might be this in my exim.conf:

    accept  domains = +local_domains
            local_parts = postmaster:abuse
    deny    message = Message rejected because $sender_fullhost \
                      is blacklisted at $dnslist_domain see $dnslist_text
            !hosts = +relay_hosts
            !authenticated = *
            dnslists = dnsbl.njabl.org : \
                       sbl.spamhaus.org : \
                       list.dsbl.org : \
                       cbl.abuseat.org : \
                       relays.ordb.org
     
  14. Jorge

    Jorge Well-Known Member

    Joined:
    Feb 19, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    It's incredible, CBL can't tell me what HELO they get; therefore, it's impossible for me to find out where in the whole server the problem may be.
     
  15. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,382
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    I have run into similar issues before. Can't say as if I really have any suggestions.

    As others have said, you will really just have to communicate with the list administrators to determine why you are listed and what can be done to get off of the list. Of course, this is what you are trying to do and you're not getting any responses. I too have this problem from time to time.

    If a spam blacklist is going to block one of our servers, I would appreciate it if they could give me information pertaining to the blacklisting whenever it is requested.

    As much as I despise AOL, I do like their feedback loop system. With their feedback loop system, we can see exactly who is responsible for getting our servers blacklisted at AOL. This same type of information would be useful with other spam blacklists.

    When one of our servers gets blacklisted, I will write the list administrators and explain to them that the issue is likely a user forwarding mail, an autoresponder, or perhaps some script on the server that is responsible for the blacklisting. I'm not going to disagree with them that they should not have blacklisted the server. But, if they can give me the information that resulted in the server being blacklisted, then I can attempt to trace that down to a specific user and educate or inform that user of their action. However, this usually falls on deaf ears.

    If blacklist maintainers really want to help stop spam, I think they should develop some way of providing this information. Use AOL's feedback system as a basis.
     
  16. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    I think I have this licked. I received an email back from SpamCop indicating the email caught in their spamtrap had the subject "The results of your email commands..." which is, I believe, a mailman autoresponder/bounce.

    So, I wrote the following php script which checks every mailman list on my box for seven different configuration variables that are responsible for sending autoresponses/bounces and setting them appropriately. I think the defaults are to "reject" rather than "discard" various messages which causes bounces back to forged FROM: addresses (which in this case are SpamCop traps). I'll be cron'ing this script to run nightly.


    Code:
    <?php
    // Check every Mailman list on this box for settings that make it send
    // autoresponses or bounces back to (possibly forged) senders, and turn them off.
    define('MM_PATH', '/usr/local/cpanel/3rdparty/mailman');
    define('LIST_PATH', MM_PATH . '/lists/');
    define('BIN_PATH', MM_PATH . '/bin/');
    
    foreach (glob(LIST_PATH . '*') as $filename) {
    	$list = basename($filename);
    	echo '*** ' . $list . " ***\n";
    	// Dump the list's current configuration in config_list's own "name = value" format.
    	$config = shell_exec(BIN_PATH . 'config_list -o - ' . escapeshellarg($list));
    	$out = '';
    	// Each pattern matches the offending value on its own line (ereg() was removed in PHP 7).
    	if (preg_match('/^respond_to_post_requests = 1$/m', $config)) {
    		echo "PROBLEM: respond_to_post_requests is active.\n";
    		$out .= "respond_to_post_requests = 0\n";
    	}
    	if (preg_match('/^generic_nonmember_action = 2$/m', $config)) {
    		echo "PROBLEM: generic_nonmember_action is bouncing.\n";
    		$out .= "generic_nonmember_action = 3\n";   // 3 = discard instead of reject
    	}
    	if (preg_match('/^member_moderation_action = 1$/m', $config)) {
    		echo "PROBLEM: member_moderation_action is bouncing.\n";
    		$out .= "member_moderation_action = 2\n";   // 2 = discard instead of reject
    	}
    	if (preg_match('/^autorespond_postings = 1$/m', $config)) {
    		echo "PROBLEM: autorespond_postings is autoresponding.\n";
    		$out .= "autorespond_postings = 0\n";
    	}
    	if (preg_match('/^autorespond_admin = 1$/m', $config)) {
    		echo "PROBLEM: autorespond_admin is autoresponding.\n";
    		$out .= "autorespond_admin = 0\n";
    	}
    	if (preg_match('/^autorespond_requests = 1$/m', $config)) {
    		echo "PROBLEM: autorespond_requests is autoresponding.\n";
    		$out .= "autorespond_requests = 0\n";
    	}
    	if (preg_match('/^max_days_to_hold = ([0-9]+)$/m', $config, $regs) && $regs[1] === '0') {
    		echo "PROBLEM: max_days_to_hold is deactivated.\n";
    		$out .= "max_days_to_hold = 30\n";
    	}
    	if ($out !== '') {
    		// Keep a copy of the old configuration, then feed only the changed settings back in.
    		file_put_contents($list . '.conf.bak', $config);
    		file_put_contents('mm_config.tmp', $out);
    		shell_exec(BIN_PATH . 'config_list -i mm_config.tmp ' . escapeshellarg($list));
    		unlink('mm_config.tmp');
    		echo "The list has been updated with the following settings:\n" . $out;
    	} else {
    		echo "The list needs no reconfiguration.\n";
    	}
    	echo "\n";
    }
    
    ?>
     
  17. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    ok... still not completely cutting out the "the results of your email commands" messages. Apparently if anything is sent to listname-requests@domain.com, mailman will automatically respond to the sender... even if forged, and even if the sender is not a member.

    Anyone know how to deal with this? I suppose the -requests address should be limited to members unless it is a subscribe request?
     
  18. jbreck

    jbreck Member
    PartnerNOC

    Joined:
    Mar 7, 2006
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    First a rant:

    CBL is not a responsible spam prevention service by any means. They refuse to provide a copy of the offending email so you can see what you've done. I truly, and totally hate them. It's not an overstatement. I absolutely loathe them, and wish they would vanish off of the earth.


    Now a solution:

    It's probably half a dozen CGI or PHP scripts on your server firing out port 25. The solution is simple: reroute anything going out on port 25 that isn't from the mail user back through exim.

    Iptables:

    iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -m owner --uid-owner [exim owner] -j ACCEPT
    iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -j DNAT --to-destination=127.0.0.1

    Voilà. Expect some screaming from a couple of users that were spamming out of your system, or using offsite mail servers for thousands of messages per hour. Exim will also make sure your server is hello'ing as... your server. CBL problem solved.

    You're welcome.
     
  19. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Interesting and effective solution!

    Another way of solving this is to ban all outgoing port 25 access other than from root or exim. Also solves the problem instantly - and given most of those sending outgoing mail via port 25 (if not all) are spammers, you can mostly ignore the outcry. This ban is easily accomplished using CSF.
     
  20. deieno

    deieno Well-Known Member

    Joined:
    Nov 16, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Floripa - Brazil
    Hi brianoz,
    can you explain how to add these rules with CSF?
    I'm having the same issue.

    Thanks
     