I"m so tired of our mail server IPs being blacklisted -- What are "best practices" for prventing outgoing spam?

electric

Well-Known Member
Nov 5, 2001
789
10
318
It seems like every other day our mail server IP (in /etc/mailips) is getting blacklisted and then we have to change it to another IP... which then gets blacklisted... and then we change it.. .which is blacklisted... etc...

It's VERY frustrating, because we often can't find what customer is causing the problem. Or multiple customers. We regularly find hacked scripts and compromised email accounts, and we know how to search the logs to find them and then suspend them... but then it's too late, and the IP is already blacklisted again.

What are the "best practices" for this situation? What do you other hosting providers do?

Do you enable the Exim Configuration setting of " Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting"? But does this inform the customer or admin of the rejection? Or is it only at SMTP time, so there is no notification to the customer or admin and that causes them to get upset because "my email is missing!!" since it's sent by never received?

Is there another setting or service that you recommend?

Thanks!
 

andrew.n

Well-Known Member
Jun 9, 2020
628
181
43
EU
cPanel Access Level
Root Administrator
This is a VERY WRONG practice to keep changing Exim's outgoing IP address rather than finding out the source of spam. You should start by limiting the number of email messages which can be sent per hour per domain in WHM Tweak Settings under Mail option as well as setting a deferred email threshold. Furthermore you can also monitor the mail queue to see the bounce back messages. If you have many emails stuck in the queue you will be able to check their headers and see where they come from.
 

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
275
95
28
Australia
cPanel Access Level
Root Administrator
Hi @electric,

That's no good. Very frustrating indeed.

Have you considered using an SMTP gateway such as SMTP2GO?

In terms of keeping your server clean of malware, I'd highly recommend using Imunify 360 and setting up regular scans.

Additionally, limit the amount of email each account / domain can send to a conservative limit, like @andrew.n suggested.
 

cPDavidL

Linux Analyst II
Oct 15, 2012
79
18
133
cPanel Access Level
Root Administrator
Greetings!

First, I would encourage you to review our documentation on how to prevent email abuse:

This page provides important advice and best practices to make sure limitations are in place to limit the damage an exploited site can cause. Much of what @andrew.n mentioned, is discussed there as well.

As mentioned by @ZenHostingTravis, using tools such as Imunify can certainly help you avoid the exploited conditions generating the mail.

Ultimately, however, given the recurring nature of these conditions, I would also encourage getting advice from a qualified security administrator. Having them examine the sites, they can advise you on steps to prevent these situations from occurring.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
631
207
343
cPanel Access Level
DataCenter Provider
It's not free (but it's only $40 / server) you may also want to consider ConfigServers OSM ( Outgoing Spam Monitor (osm) ). You can setup rules that if over "x" emails are sent from a IP/account/same subject etc. to hold them in the queue, delete them etc. We have found this to be very effective to stop spamming. It took a bit of tweaking/tuning (customers that send newsletters etc.) but once we get it set for a server it pretty much just works. We get notified when an account exceeds our thresholds and then we can review the emails. If they are OK we remove the hold and release them. If they are spam we delete them and then handle the issue with the customer.
 
  • Like
Reactions: texo and cPDavidL