SOLVED Spam bypassing RBL check

pwaara
Member, cPanel Access Level: Root Administrator
I have one user who is receiving a great deal of spam. It looks like the spam is bypassing the RBL checks I have set up on the server. (The spam IPs are all listed in the RBLs.) The one clue I see is that the authentication is listed as localdelivery. How is this happening, and how do I stop it? I've tried changing this user's email password, but that had no effect. Any suggestions greatly appreciated. Here is an example of one of the delivery reports.

Code:
    Event:

    success [
    Sender User: -remote-
    Sender Domain:
    Sender: [email protected]
    Sent Time: Nov 30, 2016 4:42:16 PM
    Sender Host: things.domain.top
    Sender IP: 91.219.xxx.xxx
    Authentication: localdelivery
    Spam Score: 0
    Recipient: [email protected]
    Delivered To: [email protected]
    Delivery User: someusr
    Delivery Domain: example.com
    Router: virtual_user
    Transport: dovecot_virtual_delivery
    Out Time: Nov 30, 2016 4:42:16 PM
    ID: 1cCHJz-0002b8-PU
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 5.09 KB
    Result: Accepted
 

SysSachin
Well-Known Member, cPanel Access Level: Root Administrator
You are the root administrator of your server, so can you please check the mail logs with the following command and update here.

Code:
grep 1cCHJz-0002b8-PU /var/log/exim_mainlog
 

pwaara
Member, cPanel Access Level: Root Administrator
Thanks for the reply. Here's what I got.

Code:
grep 1cCHJz-0002b8-PU /var/log/exim_mainlog
2016-11-30 16:42:04 1cCHJz-0002b8-PU <= [email protected] H=(things.domain.top) [91.219.238.138]:37755 P=esmtp S=5214 [email protected]main.com T="some title here." for [email protected]
2016-11-30 16:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCHJz-0002b8-PU
2016-11-30 16:42:04 1cCHJz-0002b8-PU => christine <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> AR4XJfyNP1j1JgAAfcuP6A Saved"
2016-11-30 16:42:04 1cCHJz-0002b8-PU Completed
 

pwaara
Member, cPanel Access Level: Root Administrator
Anyone? The most suspicious thing I see is that all the spam that is getting through is authenticated as localdelivery, which immediately accepts the message and therefore bypasses the RBL check. The question is, why are the spam emails getting marked as local delivery? Anyone have any ideas? I've been researching this one for days, and I'm stuck.
 

cPanelMichael
Administrator, Staff member
2016-11-30 16:42:04 1cCHJz-0002b8-PU <= [email protected]
Hello,

Is this the username of an account on the system? If so, it's possible the messages are coming from a script installed on the account. The following command may help you better determine where the email is coming from:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the source and the number of messages from each source.

Thank you.
 

pwaara
Member, cPanel Access Level: Root Administrator
No, the source of the spam is definitely not one of the scripts. All accounts are only sending a handful of emails. The only entry that has any significant email is

Code:
1075 cwd=/var/spool/exim
Any other ideas? I've been digging for days and can't find anything.
 

cPanelMichael
Administrator, Staff member
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here and we will update this thread with the outcome.

Thank you.
 

pwaara
Member, cPanel Access Level: Root Administrator
After much investigation, it appears that everything is actually working as intended. What was confusing was that IP addresses that were on RBLs were delivering mail. After closely watching the logs and the RBLs, what appears to be happening is that a spam email gets delivered as the IP address is not on the checked RBLs, but a few seconds later that IP address shows up on the RBL and subsequent emails are not delivered. Either the RBLs were incorrectly reporting that the IP was not on the list or the IP got added quickly after the first fail. As more and more of the IPs are getting listed, fewer spam emails are getting through. Plus, a large majority of the spam was coming from .top TLD domains, so I added a filter to reject anything from *.top.

Not sure if this will help anyone, but I wanted to let everyone who runs into similar issues know what happened with me.
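The grep and awk one-liners earlier in the thread, and the .top observation in this last post, all come down to reading exim_mainlog. The following added example (not code from the thread or from cPanel) parses a few constructed log lines in that format: it tallies the cwd= sources like the awk command, pulls the "<=" arrival line for each message so you can see whether it came in over SMTP (H=/remote IP) or was injected by a local process (U=/P=local), and reports the sender's TLD. All IDs, hosts and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog format (message IDs, hosts and addresses are made up).
# Line 1 is a remote SMTP arrival; line 6 is a local injection via sendmail from a web script.
SAMPLE_LOG = """\
2016-11-30 16:42:04 1cCHJz-0002b8-PU <= bad@things.example.top H=(things.example.top) [192.0.2.10]:37755 P=esmtp S=5214 T="some title here." for user@example.com
2016-11-30 16:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCHJz-0002b8-PU
2016-11-30 16:42:04 1cCHJz-0002b8-PU => christine <user@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2016-11-30 16:42:04 1cCHJz-0002b8-PU Completed
2016-11-30 16:50:11 cwd=/home/someusr/public_html 4 args: /usr/sbin/sendmail -t -i
2016-11-30 16:50:11 1cCHRb-0002c1-AA <= someusr@example.com U=someusr P=local S=812 T="Contact form" for owner@example.com
2016-11-30 16:50:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCHRb-0002c1-AA
"""

# "<=" arrival line: remote messages carry H=(helo) [ip]:port, local ones carry U=user P=local.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?: H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+)?"
    r"(?: U=(?P<user>\S+))? P=(?P<proto>\S+)"
)

def count_cwd_sources(log_text):
    """Same tally as the awk one-liner: number of log lines per cwd= value.
    cwd=/var/spool/exim with 'exim -Mc' is Exim delivering an already-received
    message, so a large count there is inbound mail, not a sending script."""
    return Counter(m.group(1) for m in re.finditer(r"^\S+ \S+ (cwd=\S+)", log_text, re.M))

def parse_arrivals(log_text):
    """One dict per '<=' line: id, sender, remote helo/ip or local user, protocol."""
    return [m.groupdict() for m in map(ARRIVAL_RE.match, log_text.splitlines()) if m]

def classify(arrival):
    """'remote' if the message arrived over SMTP from an IP, 'local' if a local process injected it."""
    return "remote" if arrival["ip"] else "local"

def sender_tld(arrival):
    """TLD of the envelope sender, e.g. 'top' for the bulk of the spam seen in this thread."""
    return arrival["sender"].rsplit(".", 1)[-1].lower()

def find_message(log_text, msg_id):
    """Equivalent of 'grep <id> /var/log/exim_mainlog': every line for one message ID."""
    return [line for line in log_text.splitlines() if msg_id in line]
```

A message that shows "remote" here but "localdelivery" in the cPanel delivery report was accepted over SMTP and then handed to the local Dovecot transport; the localdelivery label describes the final hop, not the origin.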
 

cPanelMichael
Administrator, Staff member
Hello,

Thank you for taking the time to update this thread with the outcome. I'm marking this thread as resolved.