Why is Exim ignoring the list of blacklisted IPs

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Hi sirs. I'm having the same issue as commented on in this old thread, which wasn't solved either:
http://forums.cpanel.net/f5/exim-ignoring-list-blacklisted-ips-230112.html

I found that in cPanel 11.34 and now in 11.36, the IP block list provided by WHM in the Exim config editor is completely useless. Exim continues to ignore those IPs. I tried with single IPs instead of IP ranges, and they are also being ignored.
I opened a ticket but the operators cannot find the reason. Maybe a problem with Exim?

Help with this issue will be appreciated. I have identified nearly 400 spam IP addresses, and blocking those IPs is the thorough way I have to stop the lots of spam that are arriving at our servers.
Thank you
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
I added an IP from one of my servers, saved, restarted EXIM and then fired off an email to that server. I received a 550 email in return, as expected.
I added 200 more IPs to that list, leaving mine in there, saved, restarted EXIM and fired off another email. Another 550 email is sent back.

cPanel EDGE 11.36.1 4

A few questions if I could:
How many IPs do you have in there?
Why block them here instead of in CSF? CSF does not send back confirmation that my email was blocked, like this does.

I do note that you've reopened the ticket, best to hold with that I think until Marlon gets back to you there.

In my testing, this works as expected. Although, I certainly would not use it myself.
 

Kent Brockman
Hi Infopro. I do prefer the block list for Exim rather than adding them to CSF, because CSF creates several iptables rules that reside in memory. The more IPs you block in CSF, the less free memory you'll have for your apps. In exchange, the Exim block list is read and closed whenever it is needed, thus not consuming memory permanently. On the other hand, if you have a low-powered server, one CPU, 1GB RAM, the better you manage the memory usage of applications, the better the server will perform.
 

Kent Brockman
Oh, BTW, I added my IP to the block list, sent an email and it wasn't blocked. The logs show the following:

Code:
2013-04-11 09:45:34 [7500] SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25 (TCP/IP connection count = 2)
2013-04-11 09:45:39 [8167] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25)
2013-04-11 09:45:39 [8167] list matching forced to fail: failed to find host name for 190.190.189.125
2013-04-11 09:45:41 [8167] 1UQGsm-00027j-Ld <= [email protected] H=(USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 P=esmtpa A=courier_login:[email protected] S=15984 [email protected] T="mail de prueba" from <[email protected]> for [email protected]
2013-04-11 09:45:44 [8167] SMTP connection from (USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 closed by QUIT
Then, I deleted the IP from the block list and sent the email again:

Code:
2013-04-11 09:50:37 [5671] SMTP connection from [190.190.189.125]:58315 I=[209.217.250.110]:25 (TCP/IP connection count = 6)
2013-04-11 09:50:42 [23930] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58315 I=[209.217.250.110]:25)
2013-04-11 09:50:42 [23930] list matching forced to fail: failed to find host name for 190.190.189.125
2013-04-11 09:50:44 [23930] 1UQGxf-0006Dy-Cx <= [email protected] H=(USB) [190.190.189.125]:58315 I=[209.217.250.110]:25 P=esmtpa A=courier_login:[email protected] S=15998 [email protected] T="otro mail de prueba" from <[email protected]> for [email protected]
2013-04-11 09:50:46 [23930] SMTP connection from (USB) [190.190.189.125]:58315 I=[209.217.250.110]:25 closed by QUIT
The two transactions look pretty much the same.

Can you tell what's going on? Can you share the portion of your logs for the trial you did?
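A defender's way to read the evidence in this post, as an added example that is not part of the thread: a small Python script that walks exim_mainlog lines, records every "list matching forced to fail" event (Exim logs that when a host list needs a host name that reverse DNS could not supply), and reports each accepted message (the "<=" line) whose sending IP falls inside the WHM block list, so a block that is being bypassed shows up as a list instead of by eye. The sample log is constructed from the excerpts above; the 203.0.113.7 host and the sender addresses are placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the exim_mainlog excerpts quoted in this thread.
# The 190.190.189.125 lines follow Kent's log; the 203.0.113.7 line is a
# placeholder for a connection the block list did reject.
SAMPLE_LOG = """\
2013-04-11 09:45:34 [7500] SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25 (TCP/IP connection count = 2)
2013-04-11 09:45:39 [8167] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25)
2013-04-11 09:45:39 [8167] list matching forced to fail: failed to find host name for 190.190.189.125
2013-04-11 09:45:41 [8167] 1UQGsm-00027j-Ld <= sender@example.invalid H=(USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 P=esmtpa S=15984
2013-04-11 08:05:12 H=host.example.invalid [203.0.113.7]:47247 rejected connection in "connect" ACL: Host is banned
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FORCED_FAIL = re.compile(r"list matching forced to fail: failed to find host name for " + IP)
REJECTED = re.compile(r"\[" + IP + r"\]:\d+ rejected connection in \"connect\" ACL")
ACCEPTED = re.compile(r" <= .*?H=.*?\[" + IP + r"\]")  # message accepted from this peer


def parse_blocklist(entries):
    """Accept single IPs and CIDR ranges, as the WHM block list does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(log_text, blocklist_entries):
    """Return forced-fail IPs, rejected IPs, and listed IPs whose mail was accepted anyway."""
    networks = parse_blocklist(blocklist_entries)
    forced_fail, rejected, accepted_listed = set(), [], []
    for line in log_text.splitlines():
        if m := FORCED_FAIL.search(line):
            forced_fail.add(m.group(1))
        elif m := REJECTED.search(line):
            rejected.append(m.group(1))
        elif (m := ACCEPTED.search(line)) and is_listed(m.group(1), networks):
            # A listed host got through; note whether a failed lookup preceded it.
            accepted_listed.append({"ip": m.group(1), "after_forced_fail": m.group(1) in forced_fail})
    return {"forced_fail": sorted(forced_fail), "rejected": rejected, "accepted_listed": accepted_listed}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, ["190.190.189.0/24", "203.0.113.7"]).items():
        print(f"{key}: {value}")
```

Run it against the real file with `audit(open("/var/log/exim_mainlog").read(), entries)`, where `entries` is the WHM list pasted in one item per element.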
 

Infopro
Sure thing.


Blocked:
Code:
2013-04-11 08:05:11 SMTP connection from [12.34.56.789]:47247 (TCP/IP connection count = 1)
2013-04-11 08:05:12 H=12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 rejected connection in "connect" ACL: Host is banned
2013-04-11 08:05:12 SMTP connection from 12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 closed by DROP in ACL
Scanned and passed:
Code:
2013-04-11 09:09:56 SMTP connection from [12.34.56.789]:48624 (TCP/IP connection count = 1)
2013-04-11 09:10:00 1UQHGJ-0004GK-V1 H=12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 Warning: Message has been scanned: no virus or other harmful content was found
2013-04-11 09:10:00 1UQHGJ-0004GK-V1 <= me @ myotherdomain.com H=12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=2285 [email protected] T="TesterThree" for myother @ domain.com
2013-04-11 09:10:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UQHGJ-0004GK-V1
2013-04-11 09:10:00 SMTP connection from 12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 closed by QUIT
2013-04-11 09:10:00 1UQHGJ-0004GK-V1 => mememe!  R=virtual_user T=virtual_userdelivery
2013-04-11 09:10:00 1UQHGJ-0004GK-V1 Completed
 

Kent Brockman
Well, this is weird. I can recall seeing "rejected connection in connect ACL: Host is banned" in my logs when the filter used to work! If I remember correctly, it stopped working when I upgraded to 11.34 :(
Since then, waves of spam are unstoppable :(

Maybe this failure is caused by some individual, arbitrary Exim configuration in WHM. Is there any option to (un)tick to evaluate whether that is the culprit of Exim ignoring block lists? Maybe, but which one?
Do you have all the Exim configuration options at their defaults in WHM?
 

Infopro
Maybe this failure is caused by some individual, arbitrary Exim configuration in WHM. Is there any option to (un)tick to evaluate whether that is the culprit of Exim ignoring block lists? Maybe, but which one?
I can't grasp what this says, sorry.

Do you have all the Exim configuration options at their defaults in WHM?
Yes, stock perfectly operational cPanel setup.