csi.cloudmark.com shut my server down.. suggestions...

tommytx

Member
Mar 30, 2006
I would appreciate some basic advice before i waste ungodly time trying to clean this up...
First there is no spam unless I have one hidden somewhere that I don't know of...
Yesterday all my server email coming from exim shut down.. upon investigation I found that earthlink and cox.net and others had blocked all email, good or bad, due to a report from CSI.cloudmark.com giving me a bad reputation. I sent the reset to them for my server IP and they immediately reinstated me and all is well, but they claim they will continue to monitor me... They did not tell me anything was wrong.. so I could correct it, just that my server IP has a bad reputation.
So it ran all day today without a new shutdown.. but this evening I shut down exim completely, killing all email use for everyone.. I want to investigate as much as I can so they don't turn me off again... so far the only thing that I can see is I have a few "nobody" being transmitted.. not a lot, just a few... and I have read the tutorial here called "Prevent email abuse.." and am implementing all of that... and will remove the domain putting out the nobody, but it has done that for years.....

So I am still researching for anything that looks unusual, but am working in the dark.. since they did not tell me if anything particular was wrong but just a lot of little stuff pulled my rep into the suspect range.. I am pretty sure what they saw must have been minor or they would not have turned me back on immediately..

So bottom line... I am looking for suggestions and/or point me to tutorials that will help me pin down any unusual activity before I turn the emails back on, as it might not be as easy to get back on if they shut me down twice...

Actually of course cloudmark did not shut me down.. they just gave me a bad rep and the email providers blocked not just the bad emails... but all emails.. so there is no error code except "blocked"; the good and the bad are both blocked.. but back on now.. and shut down temporarily by me..

so any suggestions I am all ears.... Thanks....
 

ThinIce

Well-Known Member
Apr 27, 2006
Disillusioned in England
cPanel Access Level
Root Administrator
Take a look at the log functions within the email section of WHM - do you see any evidence of large sends / small-volume sends to many different addresses at these providers? (for example something working through an alphabetised list of target addresses)

If you monitor your server using microsoft / yahoo / aol tools and feedback loops do these show any unusual patterns of usage or reported spam mails?

Spam events generally take one of two forms: those which send tens of thousands of emails very quickly to get as much crap out before they're shut down, and those that are part of more stealthy botnet-style operations where single emails will be sent via a compromised account relatively rarely. The latter can run for quite some time without causing blocks if your server has a lot of legitimate traffic / a good longstanding reputation.

It's fairly common policy where the volume of spam has been quite low to remove a block on first request and then make the unblocking progressively harder should the problem reoccur...
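The two patterns described above (a fast burst to many addresses, possibly walking an alphabetised list, and mail submitted as the web-server user "nobody") can be pulled out of the Exim log directly. The script below is an added example, not code from the thread or from cPanel; it reads lines in the Exim mainlog format that cPanel writes to /var/log/exim_mainlog, and the sample lines, sender names and thresholds in it are constructed for the demo.

```python
"""Added example: scan Exim mainlog lines for high-fanout senders, senders
walking an alphabetised recipient list, and mail submitted as "nobody".
The log lines embedded below are constructed; on a cPanel box the real
input is /var/log/exim_mainlog."""
import re
from collections import defaultdict

# Arrival ("<=") and delivery ("=>") records share a message id in field 3.
ARRIVAL = re.compile(r'^(\S+ \S+) (\S+) <= (\S+)(.*)$')
DELIVERY = re.compile(r'^(\S+ \S+) (\S+) => (\S+)')
UNIX_USER = re.compile(r' U=(\S+)')       # local submission: which system user
AUTH = re.compile(r' A=(\S+)')            # SMTP AUTH: which mailbox logged in

def parse_mainlog(lines):
    """Map message id -> timestamp, sender, submitting user, auth login, recipients."""
    msgs = {}
    for line in lines:
        m = ARRIVAL.match(line)
        if m:
            ts, msgid, sender, rest = m.groups()
            u, a = UNIX_USER.search(rest), AUTH.search(rest)
            msgs[msgid] = {'ts': ts, 'sender': sender.strip('<>'),
                           'user': u.group(1) if u else None,
                           'auth': a.group(1) if a else None, 'recipients': []}
            continue
        m = DELIVERY.match(line)
        if m and m.group(2) in msgs:
            msgs[m.group(2)]['recipients'].append(m.group(3).strip('<>'))
    return msgs

def alphabetised_fraction(recipients):
    """Share of consecutive recipients (in send order) that sort ascending.
    Ordinary traffic sits near 0.5; a script walking a sorted list is near 1."""
    if len(recipients) < 2:
        return 0.0
    ordered = sum(1 for a, b in zip(recipients, recipients[1:]) if a <= b)
    return ordered / (len(recipients) - 1)

def sender_report(msgs, fanout_threshold=20, alpha_threshold=0.9):
    """Per-sender counts plus flags that deserve a closer look in the queue manager."""
    by_sender = defaultdict(lambda: {'messages': 0, 'recipients': [],
                                     'nobody': 0, 'auth': set()})
    for info in sorted(msgs.values(), key=lambda i: i['ts']):
        s = by_sender[info['sender']]
        s['messages'] += 1
        s['recipients'].extend(info['recipients'])
        if info['user'] == 'nobody':
            s['nobody'] += 1
        if info['auth']:
            s['auth'].add(info['auth'])
    report = {}
    for sender, s in by_sender.items():
        distinct = len(set(s['recipients']))
        flags = []
        if distinct >= fanout_threshold:
            flags.append('high-fanout')
        if distinct >= 5 and alphabetised_fraction(s['recipients']) >= alpha_threshold:
            flags.append('alphabetised-list')
        if s['nobody']:
            flags.append('sent-as-nobody')
        report[sender] = {'messages': s['messages'], 'distinct_recipients': distinct,
                          'auth_logins': sorted(s['auth']), 'flags': flags}
    return report

# Constructed sample: one normal send, one web-script send as "nobody", and a
# 30-message burst from one authenticated mailbox walking an a..z address list.
SAMPLE_LOG = [
    "2015-05-01 10:00:01 1Yn3xQ-0001Ab-Aa <= alice@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=2048",
    "2015-05-01 10:00:02 1Yn3xQ-0001Ab-Aa => bob@example.org R=lookuphost T=remote_smtp",
    "2015-05-01 10:05:00 1Yn3xR-0001Ac-Bb <= site@example.com U=nobody P=local S=900",
    "2015-05-01 10:05:01 1Yn3xR-0001Ac-Bb => carol@example.net R=lookuphost T=remote_smtp",
]
for i in range(30):
    mid = f"1Yn3y{i:02d}-0002Zz-Cc"
    rcpt = f"{chr(ord('a') + i % 26)}{i:02d}@mailbox-example.test"
    SAMPLE_LOG.append(f"2015-05-01 11:{i:02d}:00 {mid} <= promo@example.com H=(pc) [198.51.100.44] P=esmtpa A=dovecot_login:promo@example.com S=1500")
    SAMPLE_LOG.append(f"2015-05-01 11:{i:02d}:01 {mid} => {rcpt} R=lookuphost T=remote_smtp")

if __name__ == "__main__":
    # Real use: sender_report(parse_mainlog(open('/var/log/exim_mainlog')))
    for sender, row in sender_report(parse_mainlog(SAMPLE_LOG)).items():
        print(sender, row)
```

The "auth_logins" column is the useful one for the stealthy case: a sender whose mail arrives through a mailbox login that does not belong to that sender, or a login that suddenly fans out to dozens of new domains, points at a compromised account rather than a script.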
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You may also want to check for common issues, such as ensuring an rDNS record is configured for the IP address used to send email. In addition, ensure that SPF records are added for each domain name. It's difficult to provide specific advice without the actual offending email.

Thank you.
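The two checks named in this reply can be verified from the DNS answers themselves. The script below is an added example, not cPanel's code: it takes the rDNS and SPF answers as arguments (on the server they come from `dig -x <ip>` and `dig TXT <domain>`), confirms that the PTR name resolves back to the sending IP, and evaluates whether an SPF record actually authorises that IP. All addresses, hostnames and records in it are constructed.

```python
"""Added example: offline checks for forward-confirmed rDNS and SPF coverage.
DNS answers are passed in rather than looked up, so the sample values below
are constructed; on a real server feed it the output of dig."""
import ipaddress

QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}
DNS_MECHANISMS = {'include', 'a', 'mx', 'ptr', 'exists', 'redirect'}

def fcrdns_ok(ip, ptr_name, forward_addresses):
    """Forward-confirmed rDNS: the PTR name for ip must resolve back to ip.
    ptr_name is the answer to `dig -x ip`; forward_addresses the A/AAAA
    answers for that name."""
    if not ptr_name:
        return False
    wanted = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == wanted for a in forward_addresses)

def _split_term(term):
    """'-ip4:203.0.113.0/24' -> ('-', 'ip4', '203.0.113.0/24'); default qualifier is '+'."""
    qualifier = '+'
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, argument = term.partition(':')
    return qualifier, name.lower(), argument

def _needs_dns(name):
    """True for mechanisms/modifiers that require a further DNS lookup."""
    base = name.split('/', 1)[0].split('=', 1)[0]
    return base in DNS_MECHANISMS

def spf_authorises(record, ip, domain_a=(), domain_mx=()):
    """Evaluate an SPF TXT record for the sending ip.
    domain_a / domain_mx are the addresses of the domain's own A and MX hosts,
    used for the bare 'a' and 'mx' mechanisms. Anything needing another lookup
    (include:, redirect=, a:other, mx/24, ptr, exists) is reported instead of
    guessed. Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or
    'needs-lookup:<term>'."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        return 'none'
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier, name, argument = _split_term(term)
        if name.startswith('exp='):          # explanation modifier, no effect on result
            continue
        matched = False
        if name == 'all':
            matched = True
        elif name in ('ip4', 'ip6'):
            # ip_network of the other address family never contains addr
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif name == 'a' and not argument:
            matched = any(ipaddress.ip_address(a) == addr for a in domain_a)
        elif name == 'mx' and not argument:
            matched = any(ipaddress.ip_address(a) == addr for a in domain_mx)
        elif _needs_dns(name):
            return 'needs-lookup:' + term
        if matched:
            return QUALIFIERS[qualifier]
    return 'neutral'                          # RFC 7208: no match, no 'all'

def spf_lint(record):
    """Warnings about an SPF record that receivers will hold against a sender."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        return ['record does not start with v=spf1; receivers treat it as no SPF']
    warnings, lookups = [], 0
    names = [_split_term(t)[1] for t in terms[1:]]
    for term in terms[1:]:
        qualifier, name, _ = _split_term(term)
        if name == 'all' and qualifier in ('+', '?'):
            warnings.append(f'"{term}" lets any host send as this domain; use -all or ~all')
        if name == 'ptr':
            warnings.append('ptr mechanism is deprecated (RFC 7208 section 5.5)')
        if _needs_dns(name):
            lookups += 1
    if lookups > 10:
        warnings.append(f'{lookups} DNS-lookup mechanisms; RFC 7208 allows at most 10')
    if 'all' not in names and not any(n.startswith('redirect=') for n in names):
        warnings.append('no "all" mechanism; unlisted hosts get neutral rather than fail')
    return warnings

if __name__ == "__main__":
    # Constructed values standing in for `dig -x 203.0.113.10` and `dig TXT example.com`.
    print(fcrdns_ok('203.0.113.10', 'mail.example.com', ['203.0.113.10']))
    print(spf_authorises('v=spf1 ip4:203.0.113.0/24 -all', '203.0.113.10'))
    print(spf_lint('v=spf1 +all'))
```

A common way to end up with a "bad reputation" and no single offending message is exactly the combination these functions catch: a PTR that names a hostname which does not resolve back, or an SPF record ending in `+all` or lacking `all`, which leaves every domain on the box spoofable and every spoof counted against the server IP.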
 

tommytx

Member
Mar 30, 2006
Well my problem is they gave no clue for the shutdown.. but reputation.. can I go back and demand they report what caused the reputation.. should be illegal to be charged and jailed without knowing what the specific charges are... LOL...
And before I realized it.. since they did not send an email I had thousands upon thousands of bounced emails.. which are all good since they did a blanket shutdown... and all they say is blocked.. no reason.. except they were told I am a bad guy..
I did see quite a few "nobody" and they were all valid.. mine.. but I shut that down anyway just in case... this is the second day back running.. so I hate to wait for another shutdown but without knowing what my problem is who knows... I went through and did all the items in "How to prevent email abuse.." but have no idea what the real problem was and if it still exists..
Thanks for the suggestions... I will see if I can figure out how to check those items.... not real smart on this stuff...
 

tommytx

Member
Mar 30, 2006
As I said above, not too sure if I have enough knowledge to get to the logs you mention above, but I did study the Mail Queue Manager and I have thousands there to view... and try to find stuff.. that is where I saw all the "nobody" stuff and have since fixed that.. I have a couple of pipes running... and have made sure they don't bounce... as many bounce even when working... so those don't seem to be a problem and the pipes have been running fine for years.
I have noticed what seemed to be a problem.. of all the choices on the Email panel.. I cannot get anything out of the ones with an X no matter what I do...
Mail Queue Manager ok
Mail Delivery Reports X
View Mail Stats X
View Relayers ok
View Sent Summary X
Shouldn't all these work.... I am going to report these with no output to my host to see if something is wrong here.... I am on a VPS with WHM..

When I began to study this thing to see if I could see any spam problems.. I noted the following plugins gave a 500 error..
ConfigServer Mail Queues
ConfigServer Mail Merge
ConfigServer Explorer
All 3 gave a 500 error.. I contacted my host and he said an upgrade occurred a while back and he updated the plugins for me, and that allowed me to inspect each domain for any unusual email activity.... and I have 126 domains on this sucker... nothing obvious showed here... for all I know I am ok.. but won't know till they shut me down again... what a shitty way for a company to run a railroad.. guess they want me to buy their wares.. to leave me alone..
Thanks for all the advice...