CBL Problems

[flen]

Hi,

One of our servers is in the CBL Blacklist. I've requested serval removals but it still comes back in the blacklist. The people of CBL can't give me a solution or tell me where the problem exactly is.

- Server hostname is setted up right
- Reverse DNS is okay
- Nothing strange in mail queue as far as I could see
- No other blacklists, only CBL
- Running PhpSuExec, no mail is send under nobody (right?)

 

[dalem]

check that a cgi script is not conecting directly to the mail server via localhost there is a couple of BB scripts that do this and it connects as somthing@localhost and thats why its getting into to the CBL

 

[AndyReed]

The people of CBL can't give me a solution or tell me where the problem exactly is.

- Server hostname is setted up right
- Reverse DNS is okay
- Nothing strange in mail queue as far as I could see
- No other blacklists, only CBL
- Running PhpSuExec, no mail is send under nobody (right?)

In addition to what dalem suggested, you need to make sure that there are no spammers in-house. It is very likely that a spammer, through one of your clients, downloaded and installed a script on your server. So, you need to find out where that script, or scripts, is/are located and remove them. Overall, secure your server. Good luck!

 

[flen]

Like I said, there is nothing strange to see. I can't find any spam scripts and running serval things like Mod_Security, Open_Basedir, PHPSuExec, etc .

 

[flen]

No suggestions further? . Server is still daily on CBL and nothing strange to see :/.

 

[chirpy]

Only the maintainers of the list can tell you why or how you got on the list, so you're going to have to pursue it with them.

 

[flen]

The problem is that they only can tell me "there is something wrong with your mailserver configuration". And there it is a standard cPanel configuration :/.

 

[oulzac]

wich cbl is it?
most of them have a contact were you can email them directly for further assistance.

 

[payne]

This has been happening to me to for the past several days. http://cbl.abuseat.org

 

[payne]

Mine was due to a script that was sending a HELO command over a smtp connection. Instead of HELO myservername.com, it was doing HELO emailrecipient.com. Apparently when done to the wrong server this gets you on the blacklist somehow. I fixed the script and haven't been relisted.

 

[Jorge]

I tried to contact them asking for some help (otherwise is almost impossible to know which may be the reason) and I keep receiving the same "auto-responder" message.

BTW, I sent you a PM.

 

[payne]

I had the autoresponder problem with a different blacklist, spamcop, and ended up disabling the autoresponder feature in whm. I also disabled spam trapper for the same reason. I haven't had problems with spamcop since then (a few days running).

 

[payne]

ok... just got blacklisted again. I just followed the advice at http://www.farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/ and sent an email to deputies[at]admin.spamcop.net asking if they can give more info on what exactly is being bounced to a spamcop trap.

I'm wondering if it might be this in my exim.conf:

accept domains = +local_domains
local_parts = postmaster:abuse
deny message = Message rejected because $sender_fullhost \
is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = dnsbl.njabl.org : \
sbl.spamhaus.org : \
list.dsbl.org : \
cbl.abuseat.org : \
relays.ordb.org

 

[Jorge]

Is incredible, CBL can't tell me what's the HELO that they get, thefore, it makes me impossible to find out in the whole server where it may be the problem.

 

[sparek-3]

I have run into similar issues before. Can't say as if I really have any suggestions.

As others have said, you will really just have to communicate with the list administrators to determine why you are listed and what can be done to get off of the list. Of course, this is what you are trying to do and you're not getting any responses. I too have this problem from time to time.

If a spam blacklist is going to block one of our servers, I would appreciate it if they could give me information pertaining to the blacklisting whenever it is requested.

As much as I depise AOL, I do like their feedback loop system. With their feedback loop system, we can see exactly who is responsible for getting our servers blacklisted at AOL. This same type of information would be useful with other spam blacklists.

When one of our servers gets blacklisted, I will write the list administrators and explain to them that the issue is likely a user forwarding mail, an autoresponder, or perhaps some script on the server that is responsible for the blacklisting. I'm not going to disagree with them that they should not have blacklisted the server. But, if they can give me the information that resulting in the server being blacklisted, then I can attempt to trace that down to a specific user and educate or inform that user of their action. However, this usually goes on deaf ears.

If blacklist maintainers really want to help stop spam, I think they should develop some way of providing this information. Use AOL's feedback system as a basis.

 

[payne]

I think I have this licked. I received an email back from SpamCop indicating the email caught in their spamtrap had the subject "The results of your email commands..." which is, I believe, a mailman autoresponder/bounce.

So, I wrote the following php script which checks every mailman list on my box for seven different configuration variables that are responsible for sending autoresponses/bounces and setting them appropriately. I think the defaults are to "reject" rather than "discard" various messages which causes bounces back to forged FROM: addresses (which in this case are SpamCop traps). I'll be cron'ing this script to run nightly.

<?
define('MM_PATH','/usr/local/cpanel/3rdparty/mailman');
define('LIST_PATH',MM_PATH.'/lists/');
define('BIN_PATH',MM_PATH.'/bin/');

foreach (glob(LIST_PATH."*") as $filename) {
	$list = substr($filename,strlen(LIST_PATH));
	echo '*** '.$list." ***\n";
	$config = shell_exec(BIN_PATH.'config_list -o - '.$list);
	$out = '';
	if (ereg ("respond_to_post_requests = [1].", $config, $regs)) {
		echo "PROBLEM: respond_to_post_requests is active.\n";
		$out = "respond_to_post_requests = 0\n";
	}
	if (ereg ("generic_nonmember_action = [2].", $config, $regs)) {
		echo "PROBLEM: generic_nonmember_action is bouncing.\n";
		$out.= "generic_nonmember_action = 3\n";
	}
	if (ereg ("member_moderation_action = [1].", $config, $regs)) {
		echo "PROBLEM: member_moderation_action is bouncing.\n";
		$out.= "member_moderation_action = 2\n";
	}
	if (ereg ("autorespond_postings = [1].", $config, $regs)) {
		echo "PROBLEM: autorespond_postings is autoresponding.\n";
		$out.= "autorespond_postings = 0\n";
	}
	if (ereg ("autorespond_admin = [1].", $config, $regs)) {
		echo "PROBLEM: autorespond_admin is autoresponding.\n";
		$out.= "autorespond_admin = 0\n";
	}
	if (ereg ("autorespond_requests = [1].", $config, $regs)) {
		echo "PROBLEM: autorespond_requests is autoresponding.\n";
		$out.= "autorespond_requests = 0\n";
	}
	ereg ("max_days_to_hold = ([0-9]*)", $config, $regs);
	if ($regs[1]=='0') {
		echo "PROBLEM: max_days_to_hold is deactivated.\n";
		$out.= "max_days_to_hold = 30\n";
	}
	if(!empty($out)) {
		file_put_contents($list.'.conf.bak',$config);
		file_put_contents('mm_config.tmp',$out);
		shell_exec(BIN_PATH.'config_list -i mm_config.tmp '.$list);
		unlink('mm_config.tmp');
		echo "The list has been updated with the following settings:\n".$out;
	} else {
		echo "The list needs no reconfiguration.\n";
	}
	echo "\n";
}

?>

 

[payne]

ok... still not completely cutting out the "the results of your email commands" messages. Apparently if anything is sent to [email protected], mailman will automatically respond to the sender... even if forged, and even if the sender is not a member.

Anyone know how to deal with this? I suppose the -requests address should be limited to members unless it is a subscribe request?

 

[jbreck]

First a rant:

CBL is not a responsible spam prevention service by any means. The refuse to provide a copy of the offending email so you can see what you've done. I truly, and totally hate them. It's not an overstatement. I absolutely loathe them, and wish they would vanish off of the earth.


Now a solution:

It's probably half a dozen cgi or php script on your server firing out port 25. The solution is simple reroute anything that's not going out port 25 by the mail user back through exim.

Iptables:

iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -m owner --uid-owner [exim owner] -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 25 -j DNAT --to-destination=127.0.0.1

Viola. Expect some user screaming from a couple of people that were spamming out your system, or using offsite mail servers for thousands of messages per hour. Exim will also make sure your server is hello'ing as... your server. CBL problem solved.

You're welcome.

 

[brianoz]

Interesting and effective solution!

Another way of solving this is to ban all outgoing port 25 access other than from root or exim. Also solves the problem instantly - and given most of those sending outgoing mail via port 25 (if not all) are spammers, you can mostly ignore the outcry. This ban is easily accomplished using CSF.

 

[deieno]

Hi brianoz,
can you explain how to add this rules with csf?
I´m having the same issue.

Thanks