
Listed by CBL as a result of using "Send mail from account's dedicated IP"

Discussion in 'E-mail Discussions' started by brianoz, Apr 16, 2012.

  1. brianoz

    brianoz Well-Known Member

    Just recently CBL listed us as a result of us using the "Send mail from account’s dedicated IP address" parameter so I thought I'd list the outcome from discussions with CBL and some problems with cPanel.

    From CBL's point of view, they don't list shared hosts. However, with "Send mail from account's dedicated IP address" set, they will list you reliably when, for instance, a compromised account sends a trojan. If you get onto CBL, you will also be listed on zen.spamhaus in very short order, which will mean you can't send email to around 50% of providers worldwide.

    From my email discussion with CBL (assuming they won't mind me quoting a single paragraph, especially as this info is available on their site), CBL's criteria are:


    The problem here is that, if you turn on "Send mail from IP" that greys out the options below it:

    The fix that I chose was to turn "Send mail from IP" off, and to replace /etc/mailhelo with (using these instructions):

    Code:
    *: mail.dogfrog5.net
    and to preserve the contents of /etc/mailips, adding at the end:

    Code:
    *: 123.456.123.111
    The /etc/mailips line is simply to ensure that email for new domains - which will not now be added to /etc/mailips as the option is off - goes out a non-default IP. I'm not sure that it's 100% necessary.

    While this gets us out of trouble with CBL until we find out who is sending a trojan initially, cPanel need to take notice of this as it has a very serious impact on email.

    Incidentally, it appears the latest method for trojan sending is via stolen SMTP auth credentials. This leaves little or no trace on the server and so can be very hard to find. Obviously outgoing trojan scanning helps find these issues.
     
    #1 brianoz, Apr 16, 2012
    Last edited: Apr 16, 2012
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member


    Have you contacted cPanel directly about this? Reporting it here gets it into the system: http://go.cpanel.net/bugs
     
  3. ispro

    ispro Well-Known Member


    I can also confirm that some of the servers which are actively using this option got listed.
    Most importantly, CBL listed the primary server IP because /etc/mailhelo contains different domains even for shared hosts. So assuming you have hostname X and domains A, B and C, of which C is on a dedicated IP, when domains A & B are sending emails they are using HELO A and HELO B and not HELO X like they should.

    I will shortly submit this to the bug tracker.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member


    True, only domains with dedicated IPs should be using a different HELO response. Shared accounts on the shared IP should all be sent as the rDNS (PTR for the shared IP) for the response.
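
An added example, not part of the thread or of cPanel's code: a Python check for the condition discussed above, where a single sending IP announces more than one HELO name. It parses the `key: value` layout of /etc/mailips and /etc/mailhelo; the sample domains and IPs, and the fallback to the main IP and hostname when no entry matches, are assumptions.

```python
from collections import defaultdict

def parse_map(text):
    """Parse 'key: value' lines, the layout of /etc/mailhelo and /etc/mailips."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")  # split on first colon only
        if sep and key.strip() and value.strip():
            entries[key.strip().lower()] = value.strip().lower()
    return entries

def helo_conflicts(mailips_text, mailhelo_text, main_ip, hostname):
    """Return {source_ip: {helo_name: [domains]}} for IPs that announce >1 HELO."""
    ips, helos = parse_map(mailips_text), parse_map(mailhelo_text)
    # Assumption: a domain with no entry falls back to the '*' line, and
    # without a '*' line to the server's main IP / hostname.
    default_ip = ips.get("*", main_ip)
    default_helo = helos.get("*", hostname.lower())
    by_ip = defaultdict(lambda: defaultdict(list))
    for domain in sorted((set(ips) | set(helos)) - {"*"}):
        ip = ips.get(domain, default_ip)
        by_ip[ip][helos.get(domain, default_helo)].append(domain)
    return {ip: dict(names) for ip, names in by_ip.items() if len(names) > 1}

# Constructed sample data (documentation IPs, made-up domains).
MAIN_IP, HOSTNAME = "192.0.2.10", "host.example.net"
MAILIPS_BEFORE = """\
a.example: 192.0.2.10
b.example: 192.0.2.10
c.example: 192.0.2.20
"""
MAILHELO_BEFORE = """\
a.example: a.example
b.example: b.example
c.example: c.example
"""
# Layout after the change described in post #1: one wildcard HELO,
# and a wildcard line appended to the existing /etc/mailips.
MAILIPS_AFTER = MAILIPS_BEFORE + "*: 192.0.2.10\n"
MAILHELO_AFTER = "*: host.example.net\n"

if __name__ == "__main__":
    for label, ips, helo in (("before", MAILIPS_BEFORE, MAILHELO_BEFORE),
                             ("after", MAILIPS_AFTER, MAILHELO_AFTER)):
        print(label, helo_conflicts(ips, helo, MAIN_IP, HOSTNAME) or "no conflicts")
```

On a server, pass the real file contents and the PTR hostname of the main IP in place of the samples.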
     
  5. ispro

    ispro Well-Known Member


    So, why are they being sent using the domain in HELO? PTRs are set for all IPs, including the main one. And we were listed by CBL because of this. You may request confirmation from us via PM/email. CBL confirms that at least several shared domains were used in HELO instead of the real PTR hostname.
     
  6. ispro

    ispro Well-Known Member


    As an example, I see that the file /etc/mailhelo contains pairs of DOMAIN: HELO and it actually looks like it lists DOMAIN: RESELLER, e.g. each domain having its reseller's domain in HELO. Could you confirm it? How could it be avoided if these resellers didn't have a dedicated IP?

    One minor note: the main server IP is not the main shared IP for most of the domains. We use the main server IP for mail and a second IP as the shared IP for customers' domains, although it should not affect the sending anyway.
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member


    If you haven't reported it via a ticket, that's the way you would want to go. We cannot test or log in to your machine via the forums, and bug reports are submitted using http://go.cpanel.net/bugs
     
  8. bellwood

    bellwood Member
    PartnerNOC

  9. jcorreia

    jcorreia Well-Known Member

    Hi,
    I've also been hit by this "bug"?
    It's because of this aggressive and overpowered behavior from this blacklist that I don't use any of them.
    They usually give more problems than solutions. CBL is the only one (of more than 90) that has been blacklisting my IP daily for over a week for absolutely no reason.

    At least they answered me through this email, for whoever might need it: cbl@cbl.abuseat.org.

    Is there any way to fix this in cPanel, or at least to not be blacklisted by them?

    Here is the full answer (with my IP and domains masked) they gave to help fix this:


    I've removed the entry from the list and inhibited redetections for the
    next 3 days.

    It may take a few hours to propagate to the public nameservers. The
    CBL will relist the IP if it detects the same thing again after 3
    days from now.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
