The Community Forums


Mail Bypassing Greylisting Issue

Discussion in 'E-mail Discussions' started by mtindor, Jul 17, 2015.

  1. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Seems I'm now starting to see the greylisting daemon whitelisting [or ignoring] spam emails against my will. I'm talking about IP addresses that haven't been seen by Exim in at least the last four weeks. They are blatantly spamming, but they are passing right through greylisting without cpgreylistd ever attempting to initially defer them.

    [2015-07-17 18:19:52 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['216.169.125.4'], From Address: ['LoveYourBodyAgain@flammar.click'], To Address: ['abc@123.com']. Reply:- ['no (whitelisted or opt-out)']

    1. 216.169.125.4 is not on the whitelist

    Nearest IPs on whitelist are:

    216.163.240.0-216.163.255.255 # metlife
    216.175.17.175 # redcondor.geneseo.net

    2. In the course of 25 minutes this particular spam made it through to 11 recipients in six domains.

    3. ALL of the recipients domains have greylisting ENabled (not a single domain on the server has opted out)

    If cpgreylistd ever ran 216.169.125.4 through greylisting [meaning if cpgreylistd initially deferred delivery from this IP], an entry should exist in /usr/local/cpanel/logs/cpgreylistd.log with "Reply:- ['yes']" instead of "Reply:- ['no (whitelisted or opt-out)']". But there are no "Reply:- ['yes']" entries in cpgreylistd.log to indicate that greylisting ever acted upon it.

    Either cpgreylistd is adding whole swaths of IP space to the whitelist on its own [which cannot be seen from the GUI], or something isn't working correctly in cpgreylistd.

    No, I didn't open a ticket. I'm getting a feeling there isn't interest in further refinement so I figure why bother.

    But I'm curious if others can verify that some spamming IPs are not going through the greylist process despite the fact that (a) they are not whitelisted in the GUI and (b) the recipient domains do have greylisting ENabled.

    Mike
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Yet another instance where cpgreylistd made absolutely no attempt to Defer emails from a block of IP space that (a) hadn't been seen connecting to the server in the past four weeks and (b) is sending spam.

    Every one of the entries (from the first hit for 209.160.30.x) shows a similar result suggesting it was whitelisted or that the end user opted out of greylisting, neither of which is true.

    [2015-07-22 14:40:10 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['209.160.30.44'], From Address: ['Prevent-Your-Acid-Reflux@supportheartcure.link'], To Address: ['somebody@somedomainonmyserver.com']. Reply:- ['no (whitelisted or opt-out)']

    Fact:

    a. somedomainonmyserver.com has greylisting enabled / never opted out of greylisting
    b. no IP addresses even remotely close to 209.160.30.x exist in the whitelist according to what I can see from the GUI

    So something is amiss here. cpgreylistd perhaps is misinterpreting some IP addresses and then erroneously matching up against an IP that is in the whitelist.

    m
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,466
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Why wouldn't there be an interest, the feature is brand new.

    If you suspect it's not working as expected, a ticket is the best way to go.
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Done.

    m
     
    Infopro likes this.
  5. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Do you have the setting checked to bypass greylisting if they have a valid SPF?

    I've noticed tons of spam getting through recently as well that actually has valid SPF records, example

    From: "Accounting Programs" <AccountingPrograms@frankhomeland.xyz>
    Subject: Become.. an Expert.. In Accounting...

    -0.0 SPF_PASS SPF: sender matches SPF record

    We do bypass greylisting with valid SPF records but maybe its time to disable that
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    No, I do not bypass greylisting for valid SPF. Before greylisting was available, I had already observed that most of the spam that was coming through already passed valid SPF / DKIM [and often even DMARC] checks.

    So I definitely do not bypass greylisting if they have valid SPF.

    Mike
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    The cPanel folks figured out what the problem was. It had nothing to do with a bug in cpgreylistd.

    What had happened was that I apparently mistyped a manual entry I was adding to the database, which ended up whitelisting a huge block of IP space.

    I added this to the whitelist by accident:

    203.244.226.255-220.244.226.0

    And all the troubles I reported above had to do with IP addresses within that range. So I actually was the one responsible for making the erroneous entry and causing my own problems.

    The cPanel staff worked diligently on finding the issue. As much as I hate to admit this was an error on my part, I'm glad it was my error and not a problem with cpgreylistd.

    Thanks Travis, Tristan, Andrew, Sky and Jared for your efforts!

    Mike

    PS: might be a good idea to somehow mark this as resolved so nobody thinks there is a current issue with cpgreylistd
     
    Infopro likes this.
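The check that would have shortened the hunt in the first two posts is "which whitelist entry actually matched this sender IP, and how large is that entry?" The script below is an added example written for this thread; it is not cPanel's code and does not query cpgreylistd or its SQLite database. It reads a copy of cpgreylistd.log lines and a text dump of the whitelist, and it assumes (a) whitelist entries are either a single IPv4 address or an inclusive "start-end" range in the form shown above, (b) a reply beginning with "no" means the message bypassed greylisting, and (c) the log lines and whitelist used as input are constructed from the ones quoted in the thread, with the mistyped 203.244.226.255-220.244.226.0 entry from the final post included. The size threshold and the "oversized"/"bypassed" labels are the example's own.

```python
import ipaddress
import re

# Constructed sample: the two log lines quoted in the thread plus one deferred message.
SAMPLE_LOG = """\
[2015-07-17 18:19:52 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['216.169.125.4'], From Address: ['LoveYourBodyAgain@flammar.click'], To Address: ['abc@123.com']. Reply:- ['no (whitelisted or opt-out)']
[2015-07-22 14:40:10 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['209.160.30.44'], From Address: ['Prevent-Your-Acid-Reflux@supportheartcure.link'], To Address: ['somebody@somedomainonmyserver.com']. Reply:- ['no (whitelisted or opt-out)']
[2015-07-22 14:41:03 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['198.51.100.7'], From Address: ['x@example.net'], To Address: ['y@example.org']. Reply:- ['yes']
"""

# Constructed whitelist dump in the single-IP / start-end style shown in the thread,
# including the mistyped range reported in the final post.
SAMPLE_WHITELIST = """\
216.163.240.0-216.163.255.255 # metlife
216.175.17.175 # redcondor.geneseo.net
203.244.226.255-220.244.226.0 # mistyped entry
"""

# Pull the sender IP and the reply text out of one cpgreylistd log line.
LOG_RE = re.compile(r"Sender IP: \['([^']+)'\].*?Reply:- \['([^']+)'\]")


def parse_log(text):
    """Return (sender_ip, reply) tuples for every line that looks like a should_defer request."""
    found = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def parse_whitelist(text):
    """Return (label, start, end, comment) tuples; single IPs become start == end."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue
        if "-" in body:
            start, end = (ipaddress.ip_address(p.strip()) for p in body.split("-", 1))
        else:
            start = end = ipaddress.ip_address(body)
        if start > end:  # tolerate a reversed range rather than silently matching nothing
            start, end = end, start
        entries.append((body, start, end, comment.strip()))
    return entries


def range_size(entry):
    """Number of addresses an entry covers (inclusive range assumed)."""
    _, start, end, _ = entry
    return int(end) - int(start) + 1


def matching_entry(ip, entries):
    """First whitelist entry whose inclusive range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if entry[1] <= addr <= entry[2]:
            return entry
    return None


def audit(log_text, whitelist_text, max_range=65536):
    """Flag whitelist entries wider than max_range and attribute each bypass to the entry that caused it."""
    entries = parse_whitelist(whitelist_text)
    report = {"oversized": [], "bypassed": []}
    for entry in entries:
        if range_size(entry) > max_range:
            report["oversized"].append((entry[0], range_size(entry)))
    for ip, reply in parse_log(log_text):
        if reply.startswith("no"):
            hit = matching_entry(ip, entries)
            # A None here means no whitelist entry explains the bypass; look at opt-out instead.
            report["bypassed"].append((ip, hit[0] if hit else None))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, SAMPLE_WHITELIST)
    for label, size in result["oversized"]:
        print(f"oversized whitelist entry: {label} covers {size} addresses")
    for ip, label in result["bypassed"]:
        print(f"{ip} bypassed greylisting via {label or 'no whitelist entry (check opt-out)'}")
```

Run against the constructed input, the report attributes both spam sources from the thread to the mistyped entry and flags that entry as covering roughly 285 million addresses, which is the kind of number that should never appear in a mail whitelist. On a live server the two inputs would be the real log file and an export of the whitelist; keeping the size check in a cron job is a cheap guard against the same typo happening again.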
  8. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Doh! ;)
     
    mtindor likes this.
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,466
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Those folks can fix anything. Happy to hear you got this sorted.
     
    mtindor likes this.