The Community Forums


SOLVED Spam bypassing RBL check

Discussion in 'E-mail Discussions' started by pwaara, Nov 30, 2016.

  1. pwaara

    pwaara Member

    Joined:
    Aug 10, 2016
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hawaii
    cPanel Access Level:
    Root Administrator
    I have one user who is receiving a great deal of spam. It looks like the spam is bypassing the RBL checks I have set up on the server. (The spam IPs are all listed in the RBLs.) The one clue I see is that the authentication is listed as localdelivery. How is this happening, and how do I stop it? I've tried changing this user's email password, but that had no effect. Any suggestions greatly appreciated. Here is an example of one of the delivery reports.

    Code:
    
        Event:
    
        success [
        Sender User: -remote-
        Sender Domain:
        Sender: someusr@cough.example.top
        Sent Time: Nov 30, 2016 4:42:16 PM
        Sender Host: things.domain.top
        Sender IP: 91.219.xxx.xxx
        Authentication: localdelivery
        Spam Score: 0
        Recipient: christine@example.com
        Delivered To: christine@example.com
        Delivery User: someusr
        Delivery Domain: example.com
        Router: virtual_user
        Transport: dovecot_virtual_delivery
        Out Time: Nov 30, 2016 4:42:16 PM
        ID: 1cCHJz-0002b8-PU
        Delivery Host: localhost
        Delivery IP: 127.0.0.1
        Size: 5.09 KB
        Result: Accepted
    
     
    #1 pwaara, Nov 30, 2016
    Last edited by a moderator: Dec 4, 2016
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    542
    Likes Received:
    39
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    You are the root administrator of your server, so can you please try to check the mail logs with the following command and update here.

    Code:
    grep 1cCHJz-0002b8-PU /var/log/exim_mainlog 
     
  3. pwaara

    pwaara Member

    Joined:
    Aug 10, 2016
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hawaii
    cPanel Access Level:
    Root Administrator
    Thanks for the reply. Here's what I got.

    Code:
    grep 1cCHJz-0002b8-PU /var/log/exim_mainlog
    2016-11-30 16:42:04 1cCHJz-0002b8-PU <= someusr@cough.example.top H=(things.domain.top) [91.219.238.138]:37755 P=esmtp S=5214 id=1174000610155115-312e6f7047660fe791a0b936ca7b1815christine@domain.com T="some title here." for christine@domain.com
    2016-11-30 16:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCHJz-0002b8-PU
    2016-11-30 16:42:04 1cCHJz-0002b8-PU => christine <christine@domain.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <christine@domain.com> AR4XJfyNP1j1JgAAfcuP6A Saved"
    2016-11-30 16:42:04 1cCHJz-0002b8-PU Completed
    
     
    #3 pwaara, Nov 30, 2016
    Last edited by a moderator: Dec 4, 2016
  4. pwaara

    pwaara Member

    Joined:
    Aug 10, 2016
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hawaii
    cPanel Access Level:
    Root Administrator
    Anyone? The most suspicious thing I see is that all the spam that is getting through is authenticated as localdelivery, which will immediately accept the message and therefore bypass the RBL check. The question is, why are the spam emails getting marked as local delivery? Anyone have any ideas? I've been researching this one for days, and I'm stuck.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,995
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Is this the username of an account on the system? If so, it's possible the messages are coming from a script installed on the account. The following command may help you better determine where the email is coming from:

    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    This will list the source and the number of messages from each source.

    Thank you.
     
  6. pwaara

    pwaara Member

    Joined:
    Aug 10, 2016
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hawaii
    cPanel Access Level:
    Root Administrator
    No, the source of the spam is definitely not one of the scripts. All accounts are only sending a handful of emails. The only entry that has any significant email is

    Code:
    1075 cwd=/var/spool/exim
    
    Any other ideas? I've been digging for days and can't find anything.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,995
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
  8. pwaara

    pwaara Member

    Joined:
    Aug 10, 2016
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hawaii
    cPanel Access Level:
    Root Administrator
    Support ticket created. ID 8043639. Thanks.
     
  9. pwaara

    pwaara Member

    Joined:
    Aug 10, 2016
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hawaii
    cPanel Access Level:
    Root Administrator
    After much investigation, it appears that everything is actually working as intended. What was confusing was that IP addresses that were on RBLs were delivering mail. After closely watching the logs and the RBLs, what appears to be happening is that a spam email gets delivered as the IP address is not on the checked RBLs, but a few seconds later that IP address shows up on the RBL and subsequent emails are not delivered. Either the RBLs were incorrectly reporting that the IP was not on the list or the IP got added quickly after the first fail. As more and more of the IPs are getting listed, fewer spam emails are getting through. Plus, a large majority of the spam was coming from .top TLD domains, so I added a filter to reject anything from *.top.

    Not sure if this will help anyone, but I wanted to let everyone who runs into similar issues know what happened with me.
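The two analysis steps this thread walks through, tallying message sources by the `cwd=` field (the awk pipeline in post #5) and checking whether a sending IP was accepted before the RBL started rejecting it (the explanation in post #9), can be done in one script over `/var/log/exim_mainlog`. The script below is an added example written for this page; it is not code from cPanel or from anyone in the thread. The log lines it parses are constructed in the format the thread shows: the first four mirror the traced message, and the RBL rejection 27 seconds later and the web-script submission are invented to exercise the timeline logic. The `rejected RCPT` line layout is assumed from Exim's usual mainlog format.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample of exim_mainlog lines (not taken from a real server).
SAMPLE_LOG = """\
2016-11-30 16:42:04 1cCHJz-0002b8-PU <= someusr@cough.example.top H=(things.domain.top) [91.219.238.138]:37755 P=esmtp S=5214 T="some title here." for christine@example.com
2016-11-30 16:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCHJz-0002b8-PU
2016-11-30 16:42:04 1cCHJz-0002b8-PU => christine <christine@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2016-11-30 16:42:04 1cCHJz-0002b8-PU Completed
2016-11-30 16:42:31 H=(things.domain.top) [91.219.238.138]:37810 F=<other@cough.example.top> rejected RCPT <christine@example.com>: "JunkMail rejected - [91.219.238.138] is in an RBL"
2016-11-30 16:45:10 cwd=/home/webuser/public_html 4 args: /usr/sbin/sendmail -t -i
2016-11-30 16:45:10 1cCHMt-0002c1-AB <= webuser@example.com U=webuser P=local S=812 T="contact form" for owner@example.com
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "<timestamp> <message-id> <= <sender> <rest>" : a message accepted by Exim
RECEIVE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# "<timestamp> H=... rejected RCPT ..." : a recipient refused at SMTP time (e.g. by an RBL ACL)
REJECT_RE = re.compile(r"^(?P<ts>\S+ \S+) H=.*? rejected RCPT ")


def trace_message(lines, msg_id):
    """Same as `grep <id> /var/log/exim_mainlog`: every line mentioning one message ID."""
    return [line for line in lines if msg_id in line]


def tally_cwd(lines):
    """Same as the awk pipeline in the thread: count lines by the cwd= value in the 3rd field."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2].startswith("cwd="):
            counts[fields[2]] += 1
    return counts


def rbl_timeline(lines):
    """Per remote IP: accepted messages, rejected RCPTs, and seconds from the first
    acceptance to the first rejection (None when the IP was never rejected).
    A small positive gap is the pattern post #9 describes: the IP was listed only
    after its first message had already been accepted."""
    accepted, rejected = Counter(), Counter()
    first_accept, first_reject = {}, {}
    for line in lines:
        m = RECEIVE_RE.match(line)
        if m:
            ip_m = IP_RE.search(m.group("rest"))
            if not ip_m:
                continue  # local submission (U=... P=local): no remote IP to track
            ip = ip_m.group(1)
            accepted[ip] += 1
            first_accept.setdefault(ip, datetime.strptime(m.group("ts"), TS_FMT))
            continue
        m = REJECT_RE.match(line)
        if m:
            ip_m = IP_RE.search(line)
            if not ip_m:
                continue
            ip = ip_m.group(1)
            rejected[ip] += 1
            first_reject.setdefault(ip, datetime.strptime(m.group("ts"), TS_FMT))
    result = {}
    for ip in set(accepted) | set(rejected):
        gap = None
        if ip in first_accept and ip in first_reject:
            gap = int((first_reject[ip] - first_accept[ip]).total_seconds())
        result[ip] = {"accepted": accepted[ip], "rejected": rejected[ip],
                      "seconds_to_first_reject": gap}
    return result


if __name__ == "__main__":
    # Pass a path to read a real mainlog; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for cwd, n in tally_cwd(log_lines).most_common():
        print(f"{n:6d} {cwd}")
    for ip, info in sorted(rbl_timeline(log_lines).items()):
        print(ip, info)
```

On the sample, the source tally matches what the thread's awk pipeline prints (one line per `cwd=` value with its count), and the timeline shows 91.219.238.138 accepted once and then rejected 27 seconds later, which is exactly the "listed a few seconds after the first message got through" behaviour post #9 observed. Run it against the real log to see how many listed senders had that gap before deciding whether the RBL set or its timing is the problem.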
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,995
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Thank you for taking the time to update this thread with the outcome. I'm marking this thread as resolved.
     