I'm so tired of our mail server IPs being blacklisted -- What are "best practices" for preventing outgoing spam?

electric

Well-Known Member
Nov 5, 2001
It seems like every other day our mail server IP (in /etc/mailips) is getting blacklisted and then we have to change it to another IP... which then gets blacklisted... and then we change it.. .which is blacklisted... etc...

It's VERY frustrating, because we often can't find what customer is causing the problem. Or multiple customers. We regularly find hacked scripts and compromised email accounts, and we know how to search the logs to find them and then suspend them... but then it's too late, and the IP is already blacklisted again.

What are the "best practices" for this situation? What do you other hosting providers do?

Do you enable the Exim Configuration setting "Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting"? But does this inform the customer or admin of the rejection? Or is it only at SMTP time, so there is no notification to the customer or admin, and that causes them to get upset because "my email is missing!!" since it's sent but never received?

Is there another setting or service that you recommend?

Thanks!

andrew.n

Well-Known Member
Jun 9, 2020
EU
cPanel Access Level
Root Administrator
This is a VERY WRONG practice to keep changing Exim's outgoing IP address rather than finding out the source of spam. You should start by limiting the number of email messages which can be sent per hour per domain in WHM Tweak Settings under the Mail option, as well as setting a deferred email threshold. Furthermore, you can also monitor the mail queue to see the bounce-back messages. If you have many emails stuck in the queue, you will be able to check their headers and see where they come from.
 
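An added example (not code from this thread or from cPanel) of the kind of log triage the reply above describes: it counts accepted messages per clock hour per sending account in Exim mainlog lines and flags accounts that exceed a per-hour limit, the same quantity the WHM per-hour setting caps. It assumes cPanel's Exim log fields (A= for the authenticated mailbox, U= for the cPanel user of a local script, T= for the subject) and runs on constructed sample lines.

```python
import re
from collections import Counter, defaultdict

# Exim mainlog "<=" lines: cPanel's Exim records the authenticated mailbox as
# A=<authenticator>:user@domain, a message injected by a local script as
# U=<cPanel user> P=local, and the subject as T="..." (assumed enabled here).
RECV_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} \S+ <= (\S+) ')
AUTH_RE, LOCAL_RE, SUBJ_RE = (re.compile(r' A=[\w-]+:(\S+)'),
                              re.compile(r' U=(\S+)'), re.compile(r' T="([^"]*)"'))

def parse_mainlog(text):
    """Yield (hour, account, subject) for every accepted message."""
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if not m:
            continue  # delivery (=>), defer and reject lines are not sends
        hour, envelope = m.groups()
        auth, local, subj = (r.search(line) for r in (AUTH_RE, LOCAL_RE, SUBJ_RE))
        if auth:
            account = auth.group(1)
        elif local:
            account = "local:" + local.group(1)
        else:
            account = "env:" + envelope  # fall back to the envelope sender
        yield hour, account, subj.group(1) if subj else ""

def find_bulk_senders(text, per_hour_limit):
    """Return [(hour, account, count, most common subject)] for accounts that
    sent more than per_hour_limit messages in one clock hour, busiest first."""
    counts, subjects = Counter(), defaultdict(Counter)
    for hour, account, subj in parse_mainlog(text):
        counts[(hour, account)] += 1
        subjects[(hour, account)][subj] += 1
    hits = [(h, a, n, subjects[(h, a)].most_common(1)[0][0])
            for (h, a), n in counts.items() if n > per_hour_limit]
    return sorted(hits, key=lambda hit: -hit[2])

# Constructed sample log (not from any real server): two normal mailbox sends,
# one newsletter, one delivery line, and 25 identical messages injected by a
# script running as cPanel user "shopacct" within the same hour.
_QUIET = [
    '2024-03-01 10:02:11 1rHcX1-0001aB-3k <= bob@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:bob@example.com S=1201 T="Invoice March"',
    '2024-03-01 10:41:40 1rHcXk-0001aC-9Q <= bob@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:bob@example.com S=1233 T="Re: hello"',
    '2024-03-01 10:05:02 1rHcYh-0001aD-1x <= news@shop.example H=(shop) [203.0.113.9] P=esmtpsa A=dovecot_login:news@shop.example S=5120 T="Weekly deals"',
    '2024-03-01 10:05:04 1rHcYh-0001aD-1x => alice@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]',
]
_BURST = ['2024-03-01 10:%02d:00 1rHcZ0-000%03d-7m <= www@srv.example U=shopacct P=local S=800 T="You have won!"' % (i, i)
          for i in range(25)]
SAMPLE_MAINLOG = "\n".join(_QUIET + _BURST)
```

Calling `find_bulk_senders(SAMPLE_MAINLOG, 10)` returns only the `local:shopacct` burst with its repeated subject; on a live cPanel server the same function can be fed the contents of /var/log/exim_mainlog.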

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
Australia
cPanel Access Level
Root Administrator
Hi @electric,

That's no good. Very frustrating indeed.

Have you considered using an SMTP gateway such as SMTP2GO?

In terms of keeping your server clean of malware, I'd highly recommend using Imunify 360 and setting up regular scans.

Additionally, limit the amount of email each account / domain can send to a conservative limit, like @andrew.n suggested.

cPDavidL

Linux Analyst II
Oct 15, 2012
cPanel Access Level
Root Administrator
Greetings!

First, I would encourage you to review our documentation on how to prevent email abuse:

This page provides important advice and best practices to make sure limitations are in place to limit the damage an exploited site can cause. Much of what @andrew.n mentioned, is discussed there as well.

As mentioned by @ZenHostingTravis, using tools such as Imunify can certainly help you avoid the exploited conditions generating the mail.

Ultimately, however, given the recurring nature of these conditions, I would also encourage getting advice from a qualified security administrator. Having them examine the sites, they can advise you on steps to prevent these situations from occurring.

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
cPanel Access Level
DataCenter Provider
It's not free (but it's only $40 / server), but you may also want to consider ConfigServer's OSM (Outgoing Spam Monitor (osm)). You can set up rules so that if over "x" emails are sent from an IP/account/same subject etc., they are held in the queue, deleted, etc. We have found this to be very effective at stopping spamming. It took a bit of tweaking/tuning (customers that send newsletters etc.), but once we get it set for a server it pretty much just works. We get notified when an account exceeds our thresholds and then we can review the emails. If they are OK, we remove the hold and release them. If they are spam, we delete them and then handle the issue with the customer.