Sender, sender host and failing Blacklisted SMTP IP addresses?

This morning in Mail Delivery Reports I found 7 entries that I can't figure out.

All mail on the server is handled by ca.domain2.com, not mail.domain.com. Does a helo use this mail.domain.com syntax?

There are 2 cpanels, Domain 1 and Domain 2. Domain 1b is a subdomain of Domain1.

Exim rejectlog

Code:

2015-03-26 23:37:54 H=(mail.domain2.com) [177.11.51.75]:2617 sender verify fail for <4aed0rc@domain2.com>: No such person at this address.
2015-03-26 23:37:54 H=(mail.domain2.com) [177.11.51.75]:2617 F=<4aed0rc@domain2.com> rejected RCPT : Sender verify failed
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 sender verify fail for <4aed0rc@domain2.com>: No such person at this address.
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 F=<4aed0rc@domain2.com> rejected RCPT : Sender verify failed
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 sender verify fail for <4aed0rc@domain2.com>: No such person at this address.
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 F=<4aed0rc@domain2.com> rejected RCPT : Sender verify failed
2015-03-26 23:37:55 H=(mail.domain1.com) [177.11.51.75]:2616 F= rejected RCPT : "JunkMail rejected - (mail.domain1.com) [177.11.51.75]:2616 is in an RBL, see Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=177.11.51.75"
2015-03-26 23:37:55 SMTP protocol synchronization error (next input sent too soon: pipelining was advertised): rejected "Subject: mail.domain2.com:25:0" H=(mail.domain2.com) [177.11.51.75]:2617 next input="To: teste13.pop3@hotmail.com\r\nDate: Fri, 27 Mar 2015 00:39:29 -0300\r\n\r\ng4bhzw yqxoo wcjuanj\r\n.\r\n"
2015-03-26 23:37:56 H=(mail.domain1b.com) [177.11.51.75]:3053 F= rejected RCPT : "JunkMail rejected - (mail.domain1b.com) [177.11.51.75]:3053 is in an RBL, see Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=177.11.51.75"

Exim mainlog

Code:

2015-03-26 23:37:51 SMTP connection from [177.11.51.75]:2617 (TCP/IP connection count = 1)
2015-03-26 23:37:51 SMTP connection from [177.11.51.75]:2616 (TCP/IP connection count = 2)
2015-03-26 23:37:52 SMTP connection from [177.11.51.75]:3053 (TCP/IP connection count = 3)
2015-03-26 23:37:54 H=(mail.domain2.com) [177.11.51.75]:2617 Warning: Sender rate 1.0 / 1h
2015-03-26 23:37:54 H=(mail.domain2.com) [177.11.51.75]:2617 sender verify fail for <4aed0rc@domain2.com>: No such person at this address.
2015-03-26 23:37:54 H=(mail.domain2.com) [177.11.51.75]:2617 F=<4aed0rc@domain2.com> rejected RCPT : Sender verify failed
2015-03-26 23:37:54 H=(mail.domain1.com) [177.11.51.75]:2616 Warning: Sender rate 2.0 / 1h
2015-03-26 23:37:55 no IP address found for host br13.srvmatrix.info (during SMTP connection from (mail.domain1.com) [177.11.51.75]:2616)
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 sender verify fail for <4aed0rc@domain2.com>: No such person at this address.
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 F=<4aed0rc@domain2.com> rejected RCPT : Sender verify failed
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 sender verify fail for <4aed0rc@domain2.com>: No such person at this address.
2015-03-26 23:37:55 H=(mail.domain2.com) [177.11.51.75]:2617 F=<4aed0rc@domain2.com> rejected RCPT : Sender verify failed
2015-03-26 23:37:55 H=(mail.domain1.com) [177.11.51.75]:2616 Warning: "Increment Connection Ratelimit - (mail.domain1.com) [177.11.51.75]:2616 because of RBL match"
2015-03-26 23:37:55 H=(mail.domain1.com) [177.11.51.75]:2616 F= rejected RCPT : "JunkMail rejected - (mail.domain1.com) [177.11.51.75]:2616 is in an RBL, see Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=177.11.51.75"
2015-03-26 23:37:55 SMTP connection from (mail.domain1.com) [177.11.51.75]:2616 closed by DROP in ACL
2015-03-26 23:37:55 SMTP protocol synchronization error (next input sent too soon: pipelining was advertised): rejected "Subject: mail.domain2.com:25:0" H=(mail.domain2.com) [177.11.51.75]:2617 next input="To: teste13.pop3@hotmail.com\r\nDate: Fri, 27 Mar 2015 00:39:29 -0300\r\n\r\ng4bhzw yqxoo wcjuanj\r\n.\r\n"
2015-03-26 23:37:56 H=(mail.domain1b.com) [177.11.51.75]:3053 Warning: Sender rate 3.0 / 1h
2015-03-26 23:37:56 no IP address found for host br13.srvmatrix.info (during SMTP connection from (mail.domain1b.com) [177.11.51.75]:3053)
2015-03-26 23:37:56 H=(mail.domain1b.com) [177.11.51.75]:3053 Warning: "Increment Connection Ratelimit - (mail.domain1b.com) [177.11.51.75]:3053 because of RBL match"
2015-03-26 23:37:56 H=(mail.domain1b.com) [177.11.51.75]:3053 F= rejected RCPT : "JunkMail rejected - (mail.domain1b.com) [177.11.51.75]:3053 is in an RBL, see Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=177.11.51.75"
2015-03-26 23:37:56 SMTP connection from (mail.domain1b.com) [177.11.51.75]:3053 closed by DROP in ACL

The ip is in the Blacklisted SMTP IP addresses.

For domain 2 it seems it never dropped the connection for the ACL even though there were 5 attempts.
For domain 1 because of an RBL match before dropping the connection.
For domain 1b because of an RBL match before dropping the connection.

All very confusing. It's the first time I've seen this in over a year of watching these logs.

 

Mail is already working properly. What I don't understand about these logs is -

1. If an ip is in the Blacklisted SMTP IP addresses, shouldn't that connection be dropped before spamassassin and sender verification complete?

2. How is it that the sender host is mail.mydomain.com? It's spoofed, as that mailserver doesn't exist. The sender host is either localhost or ab.mydomain.com if they're trying to use this mailserver, not mail.mydomain.com, but how does that affect how the server processes it?

3. How is it that one cpanel container completely missed dropping the connection for the Blacklisted SMTP IP addresses feature?

If you don't want to end up on outlook.com's blacklist, you better never make a mistake in your exim configuration from the get go. One email to them that doesn't meet their criteria gets you on their blacklist. No email from php mail, i.e. wordpress et al, (use an smtp plugin), no email without spf properly configured, dkim, dmarc, etc etc. Return Path will get you off it if you can afford the price. 644 bucks US is a high price to pay to be able to send email to Outlook/Hotmail/Bell etc users again. Once you've gone through that, you have a tendency to clamp down on your own config.

 

Request id is: 6355229
TIA