
How to block IP addresses from port 25

Discussion in 'E-mail Discussions' started by PumpinIron, Mar 10, 2015.

  1. PumpinIron

    PumpinIron Member

    PROBLEM:
    Users are getting 15-20 SPAM emails per hour, even with SpamAssassin set to its most aggressive settings.

    SOLUTION:
    SPAM filtering services are available from companies like McAfee (Intel). These services work by changing the domain MX record to point to the McAfee servers; McAfee filters the email and returns it to our HostGator private server on port 25.

    NEW PROBLEM:
    Spammers are ignoring our MX records and delivering email directly to port 25 of our domain host (e.g. yourdomain.com) … so SpamAssassin is useless and we can’t use an outside Spam Service. If we can’t fix this we will be forced to move all the domains on our Private Server to a GoDaddy Exchange Server (Exchange implements the solution proposed below).

    PLATFORM:
    I'm using a dedicated server that I lease through HostGator. The server is running CentOS with a WHM / cPanel setup. I'm hoping to find some sort of script / plugin that will allow me to block all IP addresses (except ones that I choose to allow) from port 25 on SOME domains but not all domains (since some users aren't using McAfee as a 3rd party solution).

    PROPOSED SOLUTION:
    McAfee recommends that participating domains (not all domains will use an external SPAM service) deny SMTP access to all mail servers (clients can still access via SMTP AUTH) … EXCEPT for an ALLOW block containing IP Addresses of authorized McAfee servers. This is evidently the solution Exchange uses.

    QUESTION:
    Is there a way to do this? HostGator has been ZERO help to me whatsoever. They just keep telling me to use SpamAssassin, which I don't want to use.
     
  2. keat63

    keat63 Well-Known Member

    I don't know the answer to your specific dilemma, but I do know from experience that these so-called interceptors are more trouble than they are worth.
    I've tried at least four on a 30-day trial basis, and every one of them created more work for me.
    Having to fix or report false positives, spam that frustratingly still gets through.

    How confident are you that your Exim config, SpamAssassin and custom rules are configured?
    Since switching to our own dedicated server, I've managed to reduce spam to only a few per day.
     
  3. storminternet

    storminternet Well-Known Member

    If spam is being delivered at port 25 then I would suggest you use another port for SMTP and block port 25 in CSF. You cannot split domains between two SMTP ports.

    It is better to block smtp port 25 forever on server and use another port for smtp.
     
  4. PumpinIron

    PumpinIron Member

    The issue at hand is that even with Spam Assassin enabled (which is working) the spammers are ignoring my MX record and sending the emails straight to me. This was verified by HostGator tech support. That being the case, since the spam is bypassing the MX record it's getting through Spam Assassin completely unfiltered.

    This is what HostGator told me about the spam emails I'm getting:

    "Thank you for your update. I have reviewed the mail headers and mail logs from your server. I can confirm that the SMTP connection is being directly established with your server from the source server which is spoofing their hostname in the mail headers."
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Which accounts are spammers sending email data to? If email accounts are handled on a remote mail server, then email should be bounced if you have added the domain names to the /etc/remotedomains file. Where is the mail delivered to?

    Thank you.
     
  6. PumpinIron

    PumpinIron Member

    Well, there are about 20 domains on this dedicated server. Each domain has its own cPanel (as each domain belongs to a different user).

    For two of my personal domains I wanted to end all of this spam I am consistently getting, so I signed up with McAfee to take advantage of their services. They tell you to change the MX records for each domain you want to filter spam on, and change the MX record to point to them.

    We did that and email works great. The issue is that all of the spam is bypassing McAfee because the spammers are sending email straight to the domain and bypassing the MX record. Here is a full header of one of the hundreds of spam messages that have gone through:

    - Removed -

    That message (along with hundreds of others) has completely bypassed the MX records (for McAfee) that I have set up, and they're being sent straight to me instead.

    The sad part is that you'd think that since I'm paying for a 'managed' dedicated server through HostGator they would be able to help. They've been of no help whatsoever, they just told me the following...

    "Thank you for your update. I have reviewed the mail headers and mail logs from your server. I can confirm that the SMTP connection is being directly established with your server from the source server which is spoofing their hostname in the mail headers. I see that you were wanting to block all connections to port 25 except for those made from your external spam service. We will be glad to adjust your firewall rules to satisfy that request, however we would need you to provide the list of IP addresses that you want to accept connections from on port 25."
    Of course now they're telling me they can't block port 25 on a per domain basis, only for the entire server which would affect ALL domains. The issue is that I have other clients on this server who don't want to pay for this McAfee service, so we can't just block port 25 altogether, we only want to do it for select domains (the ones that are running McAfee).
     
    #6 PumpinIron, Mar 11, 2015
    Last edited by a moderator: Apr 21, 2015
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  8. PumpinIron

    PumpinIron Member

    I wouldn't even know where to start. My /var/log/exim_mainlog is MASSIVE. I could copy and paste the entire thing but that seems like it would be advised against.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  10. PumpinIron

    PumpinIron Member

    Thanks, I submitted a ticket request!
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  12. PumpinIron

    PumpinIron Member

    The request ID is 6226153.
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can search /var/log/exim_mainlog using the "exigrep" utility. EX:

    Code:
    exigrep "SPAM SUBJECT" /var/log/exim_mainlog
    Thank you.
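
Added example, not part of any post in this thread and not cPanel or Exim code: a Python script that applies the allowlist policy from the first post to Exim arrival lines of the kind `exigrep` returns, listing unauthenticated mail that reached a filtered domain from a host outside the filtering service's networks. The domain names, network range and log lines are constructed, and the layout assumed is Exim's standard `<=` arrival line.

```python
import ipaddress
import re

# Assumptions (constructed, not from the thread): replace with the real
# filtered domains and the ranges the filtering provider publishes.
PROTECTED_DOMAINS = {"filtered.example"}
FILTER_NETS = [ipaddress.ip_network("192.0.2.0/28")]

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= \S+ (?P<rest>.*)$")
SUBJECT = re.compile(r' T="(?:[^"\\]|\\.)*"')      # subject text may contain " for "
HOST_IP = re.compile(r"(?<=\s)\[(?P<ip>[0-9A-Fa-f:.]+)\]")  # skips a "([ip])" HELO literal
RCPTS = re.compile(r" for (?P<rcpts>.+)$")

def direct_deliveries(lines):
    """Return (message id, source IP, recipient) for unauthenticated mail that
    reached a protected domain from a host outside FILTER_NETS."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue                                # not an arrival line
        rest = SUBJECT.sub("", m.group("rest"))
        ip_m, rc_m = HOST_IP.search(rest), RCPTS.search(rest)
        if not ip_m or not rc_m:
            continue                                # local submission or no recipient list
        if re.search(r" A=\S+", rest):
            continue                                # SMTP AUTH client, allowed by the policy
        ip = ipaddress.ip_address(ip_m.group("ip"))
        if any(ip in net for net in FILTER_NETS):
            continue                                # relayed by the filtering service
        for rcpt in rc_m.group("rcpts").split():
            if rcpt.rpartition("@")[2].lower() in PROTECTED_DOMAINS:
                hits.append((m.group("id"), str(ip), rcpt))
    return hits

# Constructed sample lines in Exim main-log format.
SAMPLE_LOG = [
    '2015-03-11 10:15:32 1YVfA1-0001Xy-Ab <= promo@bulk.example H=(mail.spoofed.example) '
    '[203.0.113.45]:51234 P=esmtp S=2345 T="Cheap meds for you" for bob@filtered.example',
    '2015-03-11 10:16:02 1YVfA2-0001Xz-Cd <= alice@partner.example H=relay1.filter.example '
    '[192.0.2.5]:40022 P=esmtps S=4100 T="Invoice" for bob@filtered.example',
    '2015-03-11 10:17:40 1YVfA3-0001Y0-Ef <= bob@filtered.example H=(laptop) [198.51.100.7]:49152 '
    'P=esmtpsa A=dovecot_login:bob@filtered.example S=900 T="Re: Invoice" for carol@filtered.example',
    '2015-03-11 10:18:05 1YVfA4-0001Y1-Gh <= news@bulk.example H=(x) [203.0.113.45]:51301 '
    'P=esmtp S=1800 T="Hi" for dave@unfiltered.example',
]

if __name__ == "__main__":
    for hit in direct_deliveries(SAMPLE_LOG):
        print(*hit)
```

Any line it reports is a delivery that skipped the MX path, which is the traffic a per-domain restriction would need to reject.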
     
  14. asmithjr

    asmithjr Well-Known Member

    You asked how to block IP from port 25. I guess my solution is a bit different. I find that the IP needs to be blocked altogether, so I use /etc/hosts.deny for this. If you read about TCP Wrapper it will better explain. But basically when I determine I have addresses to block I use this method.
    Here is a cPanel doc that might also help.
     
  15. pri123

    pri123 Registered

    This is a really good thread, learning very important things from it.
     
  16. Secmas

    Secmas Well-Known Member

    I know this thread is kind of old but you can try the following:
    - In CSF delete port 25 to all in TCP/UDP IN/OUT
    - In CSF add McAfee MX IPs and allow port 25 TCP/UDP IN/OUT for each of those IPs.

    Just my 2 cents.
     