Weird Email Sending & Recipient Issues / Bouncebacks with my VPS?

PhoenixUK

Member
Sep 15, 2013
cPanel Access Level
Root Administrator
I have contacted cPanel Support directly via my VPS, WHM etc., but it seems kind of stuck, and I don't think I can furnish the guy 100% with more experience on my part. :(

Here's my initial ticket request wording:

Hi There,

I'm suddenly seeing a lot of bouncebacks when I'm sending emails from my @isknow.how domain name email address, which is hosted on my unmanaged VPS (I manage it, the provider doesn't).

However, these bounceback emails only seem to occur when I'm sending to Microsoft "hotmail, live" addresses. The error I'm pasting below was from an email with multiple contacts included, and ONLY the MS one bounced back; the others, with their own personal domain email addresses, are as normal as to be expected.

One such example, to a friend's email address at that, is as follows:

"This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[email protected]
host mx1.hotmail.com [65.55.37.88]
SMTP error from remote mail server after MAIL FROM:<emailremovedforthispost> SIZE=76103:
550 SC-001 (COL004-MC2F48) Unfortunately, messages from 46.32.249.220 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to Troubleshooting."

The details.txt file content for the above bounceback is:

Reporting-MTA: dns; vpshostnameremovedforthispost

Action: failed
Final-Recipient: rfc822;emailremovedforthispost
Status: 5.0.0
Remote-MTA: dns; mx1.hotmail.com
Diagnostic-Code: smtp; 550 SC-001 (COL004-MC2F48) Unfortunately, messages from 46.32.249.220 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to Troubleshooting.

I had previously, last year, added an SPF record and DKIM, and registered my domain with some Microsoft website to prove ownership so that my domain's emails wouldn't be marked as spam etc. Is it normal for these kinds of registrations to run out at all?

Anyway, I shall leave it at that and look forward to hearing from you in due course.

Regards,
Robert Stones

The first reply was:

Hello,

Typically, you receive the message you did when someone on your server has been sending spam. You can often find the culprit by running the following one-liner:

grep 'sendmail' /var/log/exim_mainlog | awk '{print $3}' | sort | uniq -c | sort -n

This shows where `sendmail` was executed from, and can possibly show the directory of a possible malicious script installed through compromised software. I'd recommend removing said malicious script (if one exists) and updating all software associated with the affected website (plugins and themes included), updating all authentication details associated with said website (including those where the password is shared with another web asset), et cetera.

Right. Looking at your server, it doesn't appear that there was any spam sent ever, at least according to the exim logs. However, there may be something that I am missing. You may wish to contact a systems administration service to look your server over and ensure that no spam is being sent.

Looking at MultiRBL.valli.org (results of the query for 46.32.249.220), your IP is on 2 blacklists (other than the one it says to ignore). You may wish to investigate means to be delisted from said blacklists. The page provides links to the blacklists you are listed on, so that you may follow each blacklist's documentation for delisting.

Best regards,

My reply was:

I will look into that blacklist you mention, thanks Andrew.

I'm just in the domain in question's DNS zone editor and looking specifically at the SPF record I'd previously entered last summer:

"v=spf1 +a +mx +ip4:ipremovedforthispost ~all"

Doing some further reading up on whether the above selections should be used, I think having +a and +mx may be an issue? Unless I'm reading things wrong, it should be better and safer set as:

"v=spf1 a mx +ip4:ipremovedforthispost ~all"

Would you concur at all? I personally am not experienced in the above, but I'm trying to assume and learn the right understanding from this new issue I'm facing.

Regards,

His reply was:

Hello,

You can generate a syntactically valid SPF record in cPanel -> Email -> Authentication. The +a means to add the A record for the domain, the +mx means to add the MX record for the domain. Since you have +ip4:<ip address>, these aren't strictly needed; however, they won't cause harm, unless you have your receiving email server or your web site on a hosting provider that you do not trust to send mail in your name.

Best regards,

Hi Andrew,

So in your experience, would my current SPF record settings of "v=spf1 a mx +ip4:46.32.249.220 ~all" be really good, ok / satisfactory, or actually need amending in some way, as my interpretation when setting it previously was all wrong?

I've logged into my @isknow.how domain's cPanel and navigated to Email > Authentication and can see the various fields to set the SPF record, but that's as far as it goes.

Thanks in advance.

The last reply was:

Hello,

If you want the A and MX records included, you need to do +a +mx. If you want them to be excluded, remove those two tokens from the SPF string entirely. I don't believe the string you provided is a valid record.

Best regards,

So I've spent a number of hours reading up again (I set SPF and DKIM up last summer and it's worked until only the other day) and just edited my SPF to:

v=spf1 +a +mx include:spf.isknow.how -all

I added the include:spf.isknow.how section, as I wanted to set up SMTP send ability on my server's mail server etc., to try and fix a separate issue to the above (will deal with that down the line).

I tried going to the Microsoft SPF Wizard registration site, which I used last summer without a problem, but now I'm faced with:

So that's out, and I'm just ending up more confused by the minute with the whole SPF and DKIM aspects I need to get correct; not helped by a severe bout of pneumonia this festive season, that I'm still not fully over grrrr.

Can anybody kindly offer to help work through the above with me please? It would be very much appreciated indeed.

Regards,
Rob
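The exim log check from the support reply quoted above, reworked as an added example that is not part of the thread or cPanel's own tooling: it parses constructed cPanel-style exim_mainlog `cwd=... args:` lines, counts sendmail invocations per working directory (skipping Exim's own spool directory), and flags directories under uploads/ that should never be sending mail. The sample lines, paths and the "uploads" marker are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the form Exim writes to /var/log/exim_mainlog on cPanel
# when log_selector includes +arguments (assumption: all paths below are made up).
SAMPLE_LOG = """\
2014-01-05 10:12:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W0abc-0001Ab-Cd
2014-01-05 10:12:03 cwd=/home/example/public_html 4 args: /usr/sbin/sendmail -t -i
2014-01-05 10:12:04 1W0abd-0001Ac-De <= bounce@example.invalid U=example P=local S=1450
2014-01-05 10:12:05 cwd=/home/example/public_html/wp-content/uploads/tmp 4 args: /usr/sbin/sendmail -t -i
2014-01-05 10:12:06 cwd=/home/example/public_html/wp-content/uploads/tmp 4 args: /usr/sbin/sendmail -t -i
2014-01-05 10:12:08 cwd=/home/example/public_html/wp-content/uploads/tmp 4 args: /usr/sbin/sendmail -t -i
2014-01-05 10:12:09 cwd=/root 3 args: /usr/sbin/sendmail -t
"""

# date, time, cwd=<dir>, <argc>, "args:", <argv0>
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (\S+)")

def sendmail_origins(log_text, ignore_prefixes=("/var/spool/",)):
    """Count sendmail invocations per working directory, like the grep|awk one-liner,
    but keep only argv0 ending in 'sendmail' and drop Exim's own spool directory."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if not m or not m.group(2).endswith("sendmail"):
            continue
        cwd = m.group(1)
        if cwd.startswith(ignore_prefixes):
            continue
        counts[cwd] += 1
    return counts

def suspicious_dirs(counts, marker="/uploads/"):
    """Directories that should never legitimately send mail: anything under an
    uploads/ tree is a classic place for a dropped mailer script to live."""
    return sorted(d for d in counts if marker in d)

if __name__ == "__main__":
    for cwd, n in sendmail_origins(SAMPLE_LOG).most_common():
        print(f"{n:5d} {cwd}")
    print("review:", suspicious_dirs(sendmail_origins(SAMPLE_LOG)))
```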

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

The consensus is to avoid hard fails on SPF records since it breaks email forwarding unless the forwarding server uses SRS. The "~all" entry is generally preferred since it gets messages from non-standard senders bumped up in spam detection systems, but doesn't outright fail them.

Thank you.
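The +a / +mx / ip4 semantics from the support reply and the ~all versus -all point in the post above, as an added example that is not from the thread or from cPanel: a minimal SPF evaluator (an RFC 7208 subset with no live DNS) run against constructed records for the domain, including the forwarding case that -all breaks. The DNS table, the content of spf.isknow.how, the mail host name and the forwarder IP 198.51.100.9 are assumptions.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (assumption: illustrative
# records for the page's domain, not its real zone; spf.isknow.how's content is made up).
DNS = {
    "isknow.how": {"A": ["46.32.249.220"], "MX": ["mail.isknow.how"],
                   "TXT": "v=spf1 +a +mx include:spf.isknow.how ~all"},
    "mail.isknow.how": {"A": ["46.32.249.220"]},
    "spf.isknow.how": {"TXT": "v=spf1 ip4:203.0.113.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def a_records(name):
    return DNS.get(name, {}).get("A", [])

def check_spf(ip, domain, record=None, depth=0):
    """Evaluate an SPF record for a sending IP (RFC 7208 subset: a, mx, ip4,
    include, all; no macros or redirect). Returns the SPF result string."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = record or DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                       # a bare mechanism carries the implicit "+", so "a mx" == "+a +mx"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in a_records(arg or domain)
        elif mech == "mx":
            mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip in a_records(mx) for mx in mx_hosts)
        elif mech == "include":
            matched = check_spf(ip, arg, None, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # no "all" term: default result

def all_qualifier_effect(forwarder_ip, domain, prefix="v=spf1 +a +mx include:spf.isknow.how "):
    """Why ~all is preferred: a forwarder without SRS keeps the original MAIL FROM,
    so its IP is never authorised; -all rejects such mail, ~all only marks it."""
    return {tail: check_spf(forwarder_ip, domain, prefix + tail) for tail in ("-all", "~all")}
```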

PhoenixUK

Member
Sep 15, 2013
cPanel Access Level
Root Administrator
Hi There,

Thanks for the reply. Well, this is the funny thing: I was using ~ prior to trying to understand this whole issue earlier today, but I've reverted back to ~all again, so now my SPF record is:

"v=spf1 +a +mx include:spf.isknow.how ~all"

I've since checked out one of the blacklists cPanel support made me aware of (Chilean, so I have absolutely NO idea as to its authenticity), but upon entering my server's IP to run a check, the results were:

Category 127.0.0.11
Category 127.0.0.11 of DNSBL Chile includes IP addresses that are currently sending spam or IP addresses that do not comply with RFC standards defined for the Simple Mail Transfer Protocol (SMTP).

If the IP address has stopped sending spam (we check against other DNSBL) or complies with RFC standards, you may request a delisting.

To be RFC compliant, the IP address must have a resolvable fully-qualified domain name (FQDN), that is, the IP address has to have a valid hostname given by a MX, A or AAAA record (not a generic PTR record) and a reverse (PTR record) that resolves back to the hostname.

To delist an IP address from this category you must first enable the postmaster account of the domain associated with the IP address. Do this before you proceed. A confirmation e-mail, valid for 24 hours, will be sent to the e-mail address. You will be able to make a new request only after the expiration of the previous request.

Once the request has been confirmed, the IP address will be put in a queue for delisting. If the IP address is caught sending spam, is listed by other DNSBL, changes hostname or reverse at any time, the IP address will be listed again or removed from the delisting queue.

Now I'm even FURTHER lost than I was earlier on trying to understand how to fully personalise / fix my SPF and DKIM areas.

*this is too much for my ickle head*

Groans!
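An added example (not part of the thread) of the two checks the DNSBL Chile text above describes: the standard DNSBL query that returns a 127.0.0.x category code, and the forward-confirmed reverse DNS test (PTR gives a hostname whose A record resolves back to the IP, and that hostname is not a generic ISP-style name). It runs over a constructed resolver table; the zone dnsbl.example, vps-hostname.example and the ISP-style hostname are placeholders, not the VPS's real name or a real list.

```python
import ipaddress

# Constructed resolver answers standing in for live DNS (assumption: the zone
# "dnsbl.example" and all hostnames are placeholders, not real services or the VPS).
FAKE_DNS = {
    ("220.249.32.46.dnsbl.example", "A"): ["127.0.0.11"],
    ("220.249.32.46.in-addr.arpa", "PTR"): ["vps-hostname.example."],
    ("vps-hostname.example", "A"): ["46.32.249.220"],
    ("9.100.51.198.in-addr.arpa", "PTR"): ["198-51-100-9.static.isp.example."],
    ("198-51-100-9.static.isp.example", "A"): ["198.51.100.9"],
}
# Category code quoted in the thread: last octet 11 = sending spam or not RFC compliant.
CATEGORY_CODES = {11: "sending spam or not RFC compliant"}

def resolve(name, rtype):
    """Stand-in for a DNS query; a real tool would use a resolver library here."""
    return FAKE_DNS.get((name, rtype), [])

def reversed_octets(ip):
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def dnsbl_lookup(ip, zone):
    """Standard DNSBL query: reversed octets + zone; any A answer inside 127.0.0.0/8
    means listed, and its last octet is the list's category code."""
    answers = resolve(reversed_octets(ip) + "." + zone, "A")
    listed = [a for a in answers if ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")]
    return [(a, CATEGORY_CODES.get(int(a.rsplit(".", 1)[1]), "unknown category")) for a in listed]

def fcrdns(ip):
    """Forward-confirmed reverse DNS, the RFC-compliance test the listing describes:
    the PTR must give a hostname whose A record contains the IP again."""
    hosts = [h.rstrip(".") for h in resolve(reversed_octets(ip) + ".in-addr.arpa", "PTR")]
    for host in hosts:
        if ip in resolve(host, "A"):
            return True, host
    return False, hosts[0] if hosts else None

def looks_generic(hostname, ip):
    """Heuristic for the 'generic PTR record' the listing rejects: the hostname just
    embeds the IP's own octets (ISP default naming) instead of a mail-server name."""
    octets = ip.split(".")
    return "-".join(octets) in hostname or ".".join(octets) in hostname

def delist_readiness(ip, zone):
    """Summarise what the delisting form would check for this IP."""
    ok, host = fcrdns(ip)
    return {"listed": dnsbl_lookup(ip, zone), "fcrdns_ok": ok, "hostname": host,
            "generic_ptr": bool(host) and looks_generic(host, ip)}
```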