Sanesecurity is blocking our entire domain, each and every server

eugenevdm.host

Well-Known Member
Oct 21, 2019
Cape Town
cPanel Access Level
DataCenter Provider
We have a distributed network, many servers, across four continents. Most of our servers are configured fairly similarly; at least, the outgoing domain is something like:

cp01.ourdomain.com
server04.ourdomain.com
customerserverxyz.ourdomain.com

CP01 had a single mailbox with an insecure password and spammed. This happened late evening Friday on the 3rd of July. On the 5th of July, the Sunday, we fixed the problem.

Now every single one of our servers is getting rejected messages from end-mail systems that have Sanesecurity installed. So not only is CP01's IP polluted, but every single other server. I have already used MX Toolbox and Multirbl to unlist CP01. The problem is all my other servers are rejected and they don't appear in any RBL.

Even Google, instead of the usual "your IP is listed", is saying the "domain" is suspect. Needless to say, contacting Google is a waste of time, and when I eventually found a form I cringed when I saw the confirmation says two weeks turnaround time.

So next best thing? Contact Sane Security. No such luck, no telephone number. Email them? Sure, I did that. Twice. No ticket response, no reply, no nothing.

I'm seeing my business go to shreds as each and every client is starting to phone in. Please give me some hope.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
If your sites are coming up in Google's Safe Browsing as suspect and you've resolved the issue, you need to request that Google re-index the site. You can check this here: Google Transparency Report

Sanesecurity uses ClamAV signatures which update what appears to be hourly, based on the description on their site: Sanesecurity signatures: improve ClamAV detection rate. My assumption is that if you were to have the malware issue resolved and the site removed from the Google suspicious site list, it would drop off the Sanesecurity list as well.
 

eugenevdm.host

Well-Known Member
Oct 21, 2019
Cape Town
cPanel Access Level
DataCenter Provider
Hi @cPanelLauren,

Thank you so much for your reply. Your constant input and tenacity in replies inspires huge confidence in the product and the team behind WHM.

I would like to emphasize that the breach was not a website but rather a standard "guess the user's password" issue.
Once the password had been guessed, approximately 100 000 messages were sent out from server CP01 over two days. This happened over a weekend so was harder to detect than usual. The emails were fairly random but your typical low quality: "Do you need a loan? What's your name and the loan amount and email us here bla bla."

I have the greatest respect for services such as SORBS and UCEProtect and everyone else including Sane Security which is trying to stop these emails from going out. However, I feel I was wronged by Sane Security (and still am) by them blocking *our entire name space*.

Servers which are completely unrelated to CP01, on different continents in IP ranges at completely different ISPs, became polluted simply because they had the suffix "serverxyz.ourdomain.com". What's even worse, the message that end users are currently receiving is:
"550-This message contains a virus or other harmful content 550 (Sanesecurity.Jurlbl.1da0d7.UNOFFICIAL) (in reply to end of DATA command)"

It evokes the worst reactions from our clients. The top three problems are: My biggest client, who hosts a number of servers with us but no email, has all his SMTP conversations being blocked. Another client, who is our biggest reseller, has his clients' ecommerce ordering emails either being rejected or going to SPAM. And then finally a developer who is working on a prototype that heavily relies on email has lost faith.

This incident happened on Friday so it's now almost a week. UCEProtect will only unlist CP01 on the 12th. However, I have no way of fixing the other servers; they are not listed anywhere. I contacted Sane Security but they simply don't have autoresponders or advice or a telephone number or a ticket system. I believe because our firm has never had a spamming incident in two years, when they picked up on the email breach they decided to falsely accuse our entire name space of illicit activity.

As for Google, we're going to change our IP address now for CP01. Google caters for billions of end-user consumers but not for experienced systems administrators such as myself. There is no way to escalate or even properly report false positives to Google, or to let them know something is fixed.

I googled to death how to report something to Google. The standard link quoted on forums is wrong; it ends in a generic knowledgebase index page where you have to search. The broken link ends in contact/msgdelivery. The actual working link for email issue problem submission ends in contact/bulk_send_new, but it's also pretty useless because it has a standard "will take 2 weeks" reply message.

In two weeks from now our business reputation is done. Google should be held accountable for not providing a proper escalation channel for experienced system administrators. They have some kind of automated system that tries to resolve these kinds of queries that might be okay for end-users, but it's arrogant and an insult to experienced providers. They mention using postmaster dot google dot com to keep track of spamming incidents, but that system doesn't work. For years we've not had a single incident on this domain, yet now every single message from this domain is being blocked.

I've lost respect for Google, trying to do my job and unlist myself from their service. I am a director and the systems administrator for our company, so I have to both solve this problem and face the backlash every time I speak to a customer to explain to them that something completely unrelated to their server or service is causing them loss of business. So between Google and Sane Security I am pretty much screwed. I'll post in a few days after UCEProtect has unlisted us, but for now I have to change the primary IP address of a critical server, update all the name servers, re-create all the SPF records, and get back to apologizing to my clients.
 
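A fleet-wide triage check for the situation described in this post, added here as an example and not code from the thread, from cPanel or from Sanesecurity: it scans constructed rejection lines (sending server hostname plus an Exim-style "SMTP error from remote mail server" entry) for the Sanesecurity signature name inside the 550 response and reports which signatures are coming back for several distinct hosts under one DNS suffix, the pattern that distinguishes a name-space block from a single listed IP. The hostnames, remote MXs and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, not real log data: one line per rejected delivery,
# prefixed with the sending server's hostname, followed by the remote MTA's
# answer as Exim records it. The 550 text is the one quoted in the thread.
SAMPLE = """\
cp01.ourdomain.com H=mx.example.net [192.0.2.10]: SMTP error from remote mail server after end of data: 550-This message contains a virus or other harmful content 550 (Sanesecurity.Jurlbl.1da0d7.UNOFFICIAL)
server04.ourdomain.com H=mx.example.org [192.0.2.20]: SMTP error from remote mail server after end of data: 550-This message contains a virus or other harmful content 550 (Sanesecurity.Jurlbl.1da0d7.UNOFFICIAL)
customerserverxyz.ourdomain.com H=mx.example.com [192.0.2.30]: SMTP error from remote mail server after end of data: 550-This message contains a virus or other harmful content 550 (Sanesecurity.Jurlbl.1da0d7.UNOFFICIAL)
server04.ourdomain.com H=mx.example.net [192.0.2.10]: SMTP error from remote mail server after RCPT TO: 550 5.1.1 user unknown
"""

# Full signature name and its family (e.g. "Jurlbl") from the 550 response.
SIG_RE = re.compile(r"\((Sanesecurity\.([A-Za-z0-9]+)\.[A-Za-z0-9_.]+)\)")
# Sending host, remote MX name and remote address at the start of each line.
HOST_RE = re.compile(r"^(\S+)\s+H=(\S+)\s+\[([0-9a-fA-F.:]+)\]")


def parse_rejections(text):
    """Return (sender_host, remote_mx, signature, family) for each line whose
    remote MTA rejected with a Sanesecurity signature; other rejections are
    skipped so ordinary bounces do not inflate the count."""
    out = []
    for line in text.splitlines():
        h, s = HOST_RE.match(line), SIG_RE.search(line)
        if h and s:
            out.append((h.group(1), h.group(2), s.group(1), s.group(2)))
    return out


def hosts_by_signature(records):
    """Map each signature to the set of sending hosts it was reported for."""
    by_sig = defaultdict(set)
    for host, _mx, sig, _family in records:
        by_sig[sig].add(host)
    return by_sig


def namespace_wide(records, suffix, min_hosts=2):
    """Signatures reported for at least min_hosts distinct senders sharing the
    DNS suffix: evidence the block keys on the name, not on one server's IP."""
    hits = {}
    for sig, hosts in hosts_by_signature(records).items():
        same = {h for h in hosts if h == suffix or h.endswith("." + suffix)}
        if len(same) >= min_hosts:
            hits[sig] = sorted(same)
    return hits


if __name__ == "__main__":
    for sig, hosts in namespace_wide(parse_rejections(SAMPLE), "ourdomain.com").items():
        print(sig, "returned for", len(hosts), "hosts:", ", ".join(hosts))
```

Feed it the combined rejection lines from every server in the fleet; a signature that shows up for hosts at unrelated ISPs, as in this thread, is the evidence to send to the list operator when asking for a name-space delisting.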

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
> Thank you so much for your reply. Your constant input and tenacity in replies inspires huge confidence in the product and the team behind WHM.

Thank you for that, it means a great deal to me truly.

> I would like to emphasize that the breach was not a website but rather a standard "guess the user's password" issue.
> Once the password had been guessed, approximately 100 000 messages were sent out from server CP01 over two days. This happened over a weekend so was harder to detect than usual. The emails were fairly random but your typical low quality: "Do you need a loan? What's your name and the loan amount and email us here bla bla."

In that case it sort of refutes my theory entirely, but if Google's Safe Browsing did flag one of the sites I'd warrant that there is an issue; they don't typically without seeing the malware signatures.

> In two weeks from now our business reputation is done. Google should be held accountable for not providing a proper escalation channel for experienced system administrators. They have some kind of automated system that tries to resolve these kinds of queries that might be okay for end-users, but it's arrogant and an insult to experienced providers. They mention using postmaster dot google dot com to keep track of spamming incidents, but that system doesn't work. For years we've not had a single incident on this domain, yet now every single message from this domain is being blocked.

As for the rest of this, I agree that the entire namespace being blocked without a way to delist does feel very extreme. I have a sore spot for the services that don't allow rescanning or delisting. For Google's Postmaster Tools this link should get you there: Sign in - Google Accounts, but it's not a discussion platform or support query link. You add your domains here to sign up for the FBL (Feedback Loop) and get information on domain health/reputation. This might be beneficial for you in your case moving forward, but I do agree it doesn't do a lot to help you now. I will say that if you don't send a certain amount of mail per week Google won't even track it here, which could be why things aren't coming up. I know I myself was pretty frustrated with this UI recently, as I receive a ton of my own server email to Gmail and it just randomly started blocking it. I use DMARC, SPF, DKIM and have a valid PTR record on the server. There's no reason for the bounceback and none of their UIs gave me any inkling of a clue as to what was going on. From their site:

> Why are some or all of my dashboards empty? Why do I not see any data?
> Most of the Postmaster Tools dashboards will display data only when there is a sizable daily volume of email traffic (up to the order of hundreds) coming from your Authentication Domains and/or certain other conditions, in place to prevent abuse. Learn how to prevent your emails from being blocked by Gmail.
> In addition, some of the dashboards, like Spam Rate and Feedback Loop, need your traffic to be signed by DKIM in order to show any data.

This will allow you to contact their postmaster (Sender Contact Form - Gmail Help), but none of this guarantees an immediate response or even a helpful one.