The Community Forums


Server listed in CBL - advice ?

Discussion in 'General Discussion' started by 4u123, May 8, 2006.

  1. 4u123
    We have a cPanel server getting listed in CBL but I cannot work out why.

    I've contacted them and they say the IP is HELO/EHLO'ing as a domain we don't own - that's about as much info as they were prepared to give us.

    We have the SMTP tweak on so only guid mail and mailman can send email. How can I monitor this to see if indeed another process is somehow making SMTP connections?
     
  2. 4u123
    They are saying that the most recent incident was at precisely 2006/05/07-19:04:44 and the server was HELO'ing as aol.com.

    How can I find out what process was doing this ?
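    The question above is how to tie an outbound SMTP connection to a process. The following is an added example (not from any post in this thread) of the approach a sysadmin would use on a Linux box of this era: read `netstat -tnp` output, keep only connections whose remote end is port 25 (or 587), and then look the PID up in /proc to get the user, executable and working directory. The netstat sample, addresses, PIDs and program names are constructed for the demonstration; the `describe_pid` helper is my own and only works on a live system as root.

```shell
#!/bin/sh
# Added example: find processes talking SMTP to remote hosts directly, bypassing exim.
# Input is the format of `netstat -tnp` (Linux net-tools), one line per socket:
#   tcp  0  0 203.0.113.10:41234  192.0.2.25:25  ESTABLISHED 4321/perl
# Everything below is constructed sample data, not taken from a real server.

# Read `netstat -tnp` output on stdin and print, for every TCP socket whose
# foreign endpoint is port 25 or 587: "pid program local remote state".
outbound_smtp() {
    awk '
        $1 == "tcp" || $1 == "tcp6" {
            remote = $5
            n = split(remote, a, ":")        # last field after ":" is the port (IPv6-safe)
            port = a[n]
            if (port == "25" || port == "587") {
                split($7, p, "/")            # $7 is "PID/Program" or "-" if not visible
                printf "%s %s %s %s %s\n", p[1], p[2], $4, remote, $6
            }
        }'
}

# For a PID found above, show what /proc knows: owner, executable and cwd.
# A mailer dropped into a customer account usually has its cwd under
# /home/<account>/public_html or /tmp, which names the account to look at.
# Returns 1 when the PID no longer exists (short-lived mailers exit quickly,
# so run this from cron every minute and append to a file).
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    printf 'pid=%s user=%s exe=%s cwd=%s\n' "$pid" \
        "$(stat -c %U "/proc/$pid")" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null)" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
}

# Constructed `netstat -tnp` output: one web hit, one delivery by exim itself,
# and one perl process opening SMTP sessions on its own.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:80         198.51.100.7:52011      ESTABLISHED 2210/httpd
tcp        0      0 203.0.113.10:41234      192.0.2.25:25           ESTABLISHED 4321/perl
tcp        0      0 203.0.113.10:41250      192.0.2.26:25           SYN_SENT    4321/perl
tcp        0      0 203.0.113.10:39001      192.0.2.90:25           ESTABLISHED 1880/exim'

# Live use, as root so other users' PIDs are visible:
#   netstat -tnp | outbound_smtp | while read pid prog rest; do describe_pid "$pid"; done
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | outbound_smtp
fi
```

Anything in that list that is not exim (or the mailman user) is what CBL is seeing. If the connection is gone by the time you look, the cron approach is the only practical way to catch it, since the process may live for seconds.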
     
  3. chzelle
    You can check your /tmp for any possible suspicious file that is sending the phishing mail. You can run grep on your /tmp to check for possible files that are running there.
     
  4. avijit
    It seems that someone is spoofing some other domain's mail ID and that was reported and the IP got blocked. If you have been given information about the spoofed domain, you can grep the mail logs to get information. Implement extended Exim logging and that will help you to track the culprit.
     
  5. 4u123
    Hi guys, thanks for your input but neither of these scenarios is happening here.

    /tmp is clean - there are no suspicious files on the server that I am aware of - I've done full trojan / rootkit scans etc. too.

    It's not as simple as a spoofed header - CBL don't list for this kind of activity - they list for exploited mail servers and the like. This server is running a standard Exim config. What they are suggesting is that an SMTP process has run on the server claiming to be sending mail as AOL, i.e. some kind of trojan or bot.

    As mentioned, you would normally expect this to be running from the tmp partition but there is nothing in there but normal session data.

    My problem here is knowing where to look - I've grep'd the whole of /var/log/* looking for something that might indicate what is going on but so far I've come up with nothing. It doesn't help that those in charge of the CBL list haven't provided very much information but they say this is because they don't want to reveal their methods of uncovering such issues.

    I'm left here scratching my head.
     
  6. panayot
    As a last resort, grep /home for "aol.com" (hopefully you don't have too many accounts).

    Also, you could close all unused outbound ports with a firewall (but provide a range of open ports to be used by the FTP server when in passive mode; put them in the FTP config file).
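    Both suggestions above (grep the account web roots for the HELO name, and firewall outbound ports) can be scripted. The block below is an added example, not code from this thread or from cPanel. `grep_accounts` searches each `<base>/<account>/public_html` for a string and prints the file's owner; `smtp_egress_rules` prints iptables commands that allow outbound port 25 only for listed uids (root and the MTA user) and log-then-reject everything else, which is narrower than closing all outbound ports and does not touch the passive-FTP range. The uid 47 used in the usage line, the base directory and the sample files are assumptions; look the real MTA uid up with `id -u mailnull` on a cPanel box.

```shell
#!/bin/sh
# Added example: (1) search every account's web root for a string the blacklist
# reported, (2) generate an egress firewall for outbound SMTP keyed on process uid.
# Paths, uids and sample files are assumptions for the demonstration.

# Usage: grep_accounts <needle> [homebase]
# Looks for <needle> (case-insensitive) in script files under
# <homebase>/*/public_html and prints "owner file" for each hit.
grep_accounts() {
    needle=$1; base=${2:-/home}
    find "$base" -mindepth 2 -path '*/public_html/*' -type f \
        \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' -o -name '*.py' \) \
        -exec grep -il -- "$needle" {} + 2>/dev/null |
    while read -r f; do
        printf '%s %s\n' "$(stat -c %U "$f")" "$f"
    done
}

# Usage: smtp_egress_rules <uid>...
# Prints iptables commands (review them, then run as root: smtp_egress_rules 0 47 | sh).
# Only the listed uids may open TCP connections to remote port 25; any other
# process gets a TCP reset and a kernel log line carrying its uid, so a script
# in a customer account that speaks SMTP directly both fails and identifies itself.
# Loopback is left alone so scripts that relay through localhost:25 keep working.
# The owner match is only valid in the OUTPUT chain, which is why it lives there.
smtp_egress_rules() {
    echo "iptables -N SMTP_OUT 2>/dev/null || iptables -F SMTP_OUT"
    echo "iptables -D OUTPUT -p tcp --dport 25 -j SMTP_OUT 2>/dev/null"
    echo "iptables -A OUTPUT -p tcp --dport 25 -j SMTP_OUT"
    echo "iptables -A SMTP_OUT -o lo -j RETURN"
    for uid in "$@"; do
        echo "iptables -A SMTP_OUT -m owner --uid-owner $uid -j RETURN"
    done
    echo "iptables -A SMTP_OUT -m limit --limit 5/min -j LOG --log-uid --log-prefix 'SMTP_OUT blocked: '"
    echo "iptables -A SMTP_OUT -j REJECT --reject-with tcp-reset"
}

# Live use:
#   grep_accounts aol.com /home
#   smtp_egress_rules 0 "$(id -u mailnull)" | sh
if [ "${1:-}" = "--demo" ]; then
    smtp_egress_rules 0 47
fi
```

After the rules are in, `grep 'SMTP_OUT blocked' /var/log/messages` gives the uid and the timestamp of every blocked attempt, which is exactly the correlation CBL would not hand over.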
     
  7. jackie46
    There are many places that a spambot could be installed. How about this scenario: somebody compromises one of our user websites. They upload a mailer that sends out spam. After the mailer is done, it deletes itself. Since all messages leave your box as nobody, you wouldn't even know about it unless the messages happened to pile up in the message queue and you were smart enough to be able to identify them. I saw this happen recently and it's quite a popular way of sending out mail without your knowledge, since you would not have a clue which website it was being sent from.
     
  8. panayot
    That is why it is good to run phpsuexec. You will know which account is sending it.
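    The two posts above describe a mailer in a customer account whose mail all leaves as `nobody`, and phpsuexec as the way to see the account instead. There is a second handle even without phpsuexec: Exim's `+arguments` log selector (the "extended Exim logging" suggested earlier, enabled by default on cPanel) writes the working directory of every local submission to exim_mainlog. The block below is an added example, not from this thread, that tallies exim_mainlog by that cwd and by the submitting user; the log lines in it are constructed and the account names are assumptions. Note the caveat for this particular thread: a mailer that opens port 25 itself never passes through Exim and leaves nothing in this log, so this only covers the injected-through-sendmail case these posts describe.

```shell
#!/bin/sh
# Added example: attribute locally submitted mail to an account using exim_mainlog.
#
# With "log_selector = +arguments" exim logs the cwd and argv of each local
# submission:
#   2006-05-07 19:04:44 cwd=/home/acct1/public_html/img 3 args: /usr/sbin/sendmail -t -i
# and the "<=" arrival line carries the submitting uid as U=:
#   2006-05-07 19:04:44 1FdAbC-0001xY-Zd <= bounce@example.net U=nobody P=local S=2049
# Under mod_php every web script shows U=nobody, so the cwd is what names the
# account; under phpsuexec U= is the account name itself.
# All log lines below are constructed sample data.

# Read exim_mainlog on stdin; print "count user" for "<=" lines, largest first.
mail_by_user() {
    awk '/ <= / { for (i = 1; i <= NF; i++) if ($i ~ /^U=/) c[substr($i, 3)]++ }
         END { for (u in c) print c[u], u }' | sort -rn
}

# Read exim_mainlog on stdin; print "count dir" for cwd= lines, largest first.
mail_by_cwd() {
    awk '$3 ~ /^cwd=/ { c[substr($3, 5)]++ }
         END { for (d in c) print c[d], d }' | sort -rn
}

# Constructed log: three submissions from a script directory in acct1's web
# root (all U=nobody), one ordinary message from acct2's shell.
SAMPLE_LOG='2006-05-07 19:01:10 cwd=/home/acct1/public_html/img 3 args: /usr/sbin/sendmail -t -i
2006-05-07 19:01:10 1FdAbC-0001xY-Za <= bounce@example.net U=nobody P=local S=2048
2006-05-07 19:02:31 cwd=/home/acct1/public_html/img 3 args: /usr/sbin/sendmail -t -i
2006-05-07 19:02:31 1FdAbC-0001xY-Zb <= bounce@example.net U=nobody P=local S=2051
2006-05-07 19:03:05 cwd=/home/acct2 3 args: /usr/sbin/sendmail -t -i
2006-05-07 19:03:05 1FdAbC-0001xY-Zc <= acct2@example.org U=acct2 P=local S=512
2006-05-07 19:04:44 cwd=/home/acct1/public_html/img 3 args: /usr/sbin/sendmail -t -i
2006-05-07 19:04:44 1FdAbC-0001xY-Zd <= bounce@example.net U=nobody P=local S=2049'

# Live use:  mail_by_cwd  < /var/log/exim_mainlog | head
#            mail_by_user < /var/log/exim_mainlog | head
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | mail_by_cwd
    printf '%s\n' "$SAMPLE_LOG" | mail_by_user
fi
```

A web-root directory at the top of the cwd list with a matching pile of `U=nobody` arrivals is the account to inspect, even after the mailer has deleted itself.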
     
  9. avijit
  10. hostultra
    Sorry if I am pointing out the obvious, but is your server hostname correct?
    When you telnet to your server on port 25, what does it identify as?

    Test your domain at www.dnsreport.com (not the mail test) to see if there is anything unusual with the mail server.
     
  11. markhard
    Hello 4u123,

    Have you found the reason why you got blacklisted by CBL? Can you share it in this forum, as I have the same problem as you?

    Thanks
     