Getting XBL/CBL blacklisted

GeoffM
New user
Posts: 11
Joined: 2016-11-29 20:24

Getting XBL/CBL blacklisted

Post by GeoffM » 2016-11-29 20:45

I've hosted a website with email for 15 years now, CentOS, PHP, and Joomla based, but just moved to Windows (Server 2012 R2), IIS - and hMailServer. I've done everything I can think of to ensure the mail is set up correctly. Yet I keep getting blacklisted in Spamhaus, specifically XBL->CBL (allegedly part of a botnet). If I delist then it re-appears 12-18 hours later. Using mail-tester.com the results are 10/10; SpamAssassin score of 0.1 (good), properly authenticated etc.

hMailServer itself reports only a handful of outbound emails, and maybe 100 inbound per day (about right - mostly spam).

I'm struggling to use Wireshark to monitor outbound traffic on port 25 but I firewalled the port to only allow hMailServer to use it - and got blacklisted a few hours later anyway.

Virus scans, HijackThis, malware scans, Process Explorer come up clean.

Am I looking in the wrong place for the cause of the blacklisting, with regards to the botnet thing? I thought it was some malware opening port 25 and sending stuff out but now I'm not so sure.

Many thanks.


-----------
Some diagnostics:

Remote server replied: 550 5.7.1 Service unavailable, Client host [X.X.X.X] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (AS16012611)
Remote server replied: 550 OU-001 (SNT004-MC11F7) Unfortunately, messages from X.X.X.X weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
Remote server replied: 553 Mail from X.X.X.X not allowed - 5.7.1 [BL23] Connections not accepted from IP addresses on Spamhaus XBL; see http://postmaster.yahoo.com/errors/550-bl23.html [550]
(etc)

-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Great! Your signature is valid
0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
Great! Your signature is valid and it's coming from your domain name
0.001 SPF_HELO_PASS SPF: HELO matches SPF record
0.001 SPF_PASS SPF: sender matches SPF record
Great! Your SPF is valid
0.01 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain

[SPF] Your server X.X.X.X is authorized to use XXX@XXX.co.uk
[Sender ID] Your server X.X.X.X is authorized to use XXX@XXX.co.uk
Your DKIM signature is valid
Your message passed the DMARC test
Your server X.X.X.X is successfully associated with XXX.co.uk
Your domain name XXX.co.uk is assigned to a mail server.
Your hostname XXX.co.uk is assigned to a server.

Not listed in BACKSCATTERER
Not listed in BARRACUDA
Not listed in CASA-CBLPLUS
Not listed in IMP-SPAM
Not listed in INPS_DE
Not listed in LASHBACK
Not listed in MAILSPIKE-BL
Not listed in NIXSPAM
Not listed in PSBL
Not listed in RATS-ALL
Not listed in REDHAWK
Not listed in SEM-BACKSCATTER
Not listed in SEM-BLACK
Not listed in SORBS-DUHL
Not listed in SORBS-SPAM
Not listed in SPAMCANNIBAL
Not listed in SPAMCOP
Not listed in SPAMHAUS-ZEN <--- This is where it keeps getting listed
Not listed in SWINOG
Not listed in TRUNCATE
Not listed in WPBL

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Getting XBL/CBL blacklisted

Post by SorenR » 2016-11-29 20:48

What is your score at Spamhaus ??? 127.0.0.3 ??

Enable SMTP logging and post here (as attachment if really big) or PM to me if security is a concern.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

GeoffM
New user
Posts: 11
Joined: 2016-11-29 20:24

Re: Getting XBL/CBL blacklisted

Post by GeoffM » 2016-11-30 02:20

How do you see the score? I waited until blacklisted again but this is the only specific information to my domain:
IP Address X.X.X.X is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2016-11-29 22:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.

It has been relisted following a previous removal at 2016-11-29 08:04 GMT (16 hours, 6 minutes ago)

Perhaps the person who previously removed it didn't actually fix the problem.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
I've PMed the log to you. Many thanks for having a look.

Forgot to mention it's a virtual private server so I should be in control of virtually everything on it.

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Getting XBL/CBL blacklisted

Post by SorenR » 2016-11-30 04:49

GeoffM wrote:IP Address X.X.X.X is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2016-11-29 22:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.

It has been relisted following a previous removal at 2016-11-29 08:04 GMT (16 hours, 6 minutes ago)

Perhaps the person who previously removed it didn't actually fix the problem.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
2016-11-29 22:00 GMT relates to when in your LOG... I don't know your timezone :wink:

The only thing I see is a transaction at 23:00 when "Chris" is having an email forwarded to mail.com... That email, from a Brazilian sender, would set all of my SPAM bells ringing like crazy... :mrgreen:

The mail is received from server 190.129.4.168 at 22:59 to a local user and sent out to mail.com 1 minute later. I assume it is a forward, as the recipient user and domain are changed, so it is definitely NOT a relay.

Oh, and when you are done with the DNS changes I PM'ed you, you should look into setting up SPF and DKIM...

OOH... Brain fart... From hMailServer ChangeLog...
Issue 50: When performing forwarding, hMailServer now keeps the original From address rather than changing to that of the forwarding account. This change was made to reduce risk of message delivery failures. To force the previous behavior, set RewriteEnvelopeFromWhenForwarding=1 under the [Settings] section in hMailServer.ini.

The original sender is ... TaDa ... Drum roll ... gil.rookard.*****@leetelemensagem.com.br :roll: NOT someone from your domain and I can see why you potentially would be listed as a bot or something... :idea:
SørenR.

GeoffM
New user
Posts: 11
Joined: 2016-11-29 20:24

Re: Getting XBL/CBL blacklisted

Post by GeoffM » 2016-11-30 07:39

SorenR wrote:2016-11-29 22:00 GMT relates to when in your LOG... I don't know your timezone :wink:
That would be... 2016-11-29 22:00 GMT :wink: (it stays on GMT year round)
SorenR wrote:The only thing I see is a transaction at 23:00 when "Chris" is having an email forwarded to mail.com... That email, from a Brazilian sender would set all of my SPAM bells ringing like crazy... :mrgreen:
Trouble is, we DO have Brazilian users. There are 15,000 users of my website, although probably only a tenth of those are active, and I know there are at least a handful of genuine users in Brazil. And before you panic, only around 15 email addresses in my domain. So yes, Chris is a legitimate email user but him sending to a Brazilian (or receiving from) would not be entirely unusual.

But what bothers me more is surely the actions of one user can't bring down a whole domain, can it? :shock:

SorenR wrote:The mail is received from server 190.129.4.168 at 22:59 to a local user and sent out to mail.com 1 minute later. I assume it is a forward, as the recipient user and domain are changed, so it is definitely NOT a relay.
Ah, now there is something wrong. That IP address is in Bolivia (allegedly). Hmm.
SorenR wrote:Oh, and when you are done with the DNS changes I PM'ed you, you should look into setting up SPF and DKIM...
But those are set up, aren't they? At least mail-tester says they're valid (per my OP).

I've read your PM and will deal with that separately.
SorenR wrote:OOH... Brain fart... From hMailServer ChangeLog...
Issue 50: When performing forwarding, hMailServer now keeps the original From address rather than changing to that of the forwarding account. This change was made to reduce risk of message delivery failures. To force the previous behavior, set RewriteEnvelopeFromWhenForwarding=1 under the [Settings] section in hMailServer.ini.

The original sender is ... TaDa ... Drum roll ... gil.rookard.*****@leetelemensagem.com.br :roll: NOT someone from your domain and I can see why you potentially would be listed as a bot or something... :idea:
Ok, so just to be absolutely sure, you're recommending I make this [Settings] change? I ask because the behavior must have been changed for a reason, and I prefer not to change defaults unless instructed to do so!

Thanks again. I know you don't need to deal with these sorts of issues as they're 99.9% my setup and 0.1% how to do it in hMailServer so I appreciate the help!

Somehow I think when I set up the Linux server all those years ago all this was done for me, as all this is new to me; now I'm on a Windows server, they've disc-imaged it to a raw Windows setup and thrown me the keys to set it up securely entirely on my own (or $$$ for support)!

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Getting XBL/CBL blacklisted

Post by SorenR » 2016-11-30 11:27

There is a difference between "from" and "envelope-from". Recipients never see the "envelope-from", but the recipient server does. It's the FROM in the SMTP log... I would add the option in the .ini... It has worked fine for hMailServer for the past 10-ish years. ;-)
IIRC this option was introduced in 5.6.2.
SørenR.
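The point SorenR makes above (the SMTP envelope sender is what the receiving server evaluates, not the From: header the reader sees) is easiest to see in code. The example below is an added illustration, not hMailServer's code or its forwarding logic: it uses constructed SPF records and IP addresses, a deliberately minimal SPF evaluator (only the ip4 and all mechanisms), and a forward() function whose rewrite_envelope_from flag plays the role of the RewriteEnvelopeFromWhenForwarding setting. It shows why a forward that keeps the outside sender's envelope address fails SPF at the next hop while the same message passes once the envelope sender is rewritten to the forwarding account.

```python
import ipaddress
from dataclasses import dataclass

# Constructed SPF records standing in for DNS TXT lookups. Assumption: these
# are illustrative only; a real check must query DNS for the envelope-sender
# domain. "forwarder.example" plays the part of the hMailServer host.
SPF_RECORDS = {
    "origin.example": "v=spf1 ip4:198.51.100.0/24 -all",   # the outside sender
    "forwarder.example": "v=spf1 ip4:203.0.113.10 -all",   # our forwarding server
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class Envelope:
    mail_from: str    # SMTP "MAIL FROM": the envelope sender that SPF evaluates
    rcpt_to: str      # SMTP "RCPT TO"
    header_from: str  # RFC 5322 "From:" header, which is what the reader sees


def spf_check(client_ip: str, mail_from: str) -> str:
    """Minimal SPF evaluation: only the ip4 and all mechanisms are supported."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def forward(incoming: Envelope, forwarding_account: str, new_rcpt: str,
            rewrite_envelope_from: bool) -> Envelope:
    """Build the outbound envelope for a forward. The From: header is kept either
    way; only the SMTP envelope sender depends on the setting."""
    return Envelope(
        mail_from=forwarding_account if rewrite_envelope_from else incoming.mail_from,
        rcpt_to=new_rcpt,
        header_from=incoming.header_from,
    )


def simulate_forward(rewrite_envelope_from: bool) -> dict:
    """Receive a message from the outside sender, forward it onwards, and report
    what SPF says at each hop. All addresses and IPs are constructed."""
    our_ip = "203.0.113.10"
    incoming = Envelope("someone@origin.example", "chris@forwarder.example",
                        "Someone <someone@origin.example>")
    # Hop 1: origin.example's own server (inside its SPF range) delivers to us.
    inbound_spf = spf_check("198.51.100.7", incoming.mail_from)
    # Hop 2: we forward to the user's external mailbox from our own IP.
    outbound = forward(incoming, "chris@forwarder.example", "chris@mail.example",
                       rewrite_envelope_from)
    outbound_spf = spf_check(our_ip, outbound.mail_from)
    return {"inbound_spf": inbound_spf, "outbound_mail_from": outbound.mail_from,
            "outbound_spf": outbound_spf, "header_from": outbound.header_from}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"RewriteEnvelopeFromWhenForwarding={int(setting)} -> {simulate_forward(setting)}")
```

Without the rewrite the forwarded message claims an envelope sender in origin.example while arriving from an IP that domain's SPF record does not authorise, so the receiving server sees "fail" and a forwarder that does this for many messages looks like a compromised host. With the rewrite the envelope sender is in the forwarder's own domain and passes; the From: header, and therefore what the recipient reads, is identical in both cases. The full-featured form of this rewrite is SRS (Sender Rewriting Scheme), which also keeps bounces routable; the .ini setting is the simpler hMailServer equivalent.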

GeoffM
New user
Posts: 11
Joined: 2016-11-29 20:24

Re: Getting XBL/CBL blacklisted

Post by GeoffM » 2016-11-30 19:16

Fingers crossed... hopefully that will sort it. Thanks again.

GeoffM
New user
Posts: 11
Joined: 2016-11-29 20:24

Re: Getting XBL/CBL blacklisted

Post by GeoffM » 2016-12-14 19:29

It didn't sort it - but I did (eventually) find out why. I have MantisBT running on PHP and an SMTP virtual server. What I hadn't realised was that this virtual server bypasses hMailServer and goes straight onto the internet by itself. That had an IP address instead of the domain name for the EHLO message. Fixed but I don't want this happening.

Now, I need to stop the SMTP VS from connecting to the internet and instead talk to hMailServer directly. I have found a couple of threads on here on how to do it.

Cheers.
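The root cause GeoffM found, a second SMTP sender announcing itself with a bare IP address in EHLO, is something a defender can pick up from outbound SMTP logs. The following is an added example, not hMailServer's or MantisBT's code: classify_ehlo() sorts an EHLO/HELO argument into the forms RFC 5321 allows (a fully qualified domain name or a bracketed address literal) and the forms it does not (a bare IP, an unqualified machine name), and audit_outbound_ehlo() flags every outbound session whose EHLO is not the expected hostname. The log lines and IP addresses are constructed and the line layout is an assumption, not hMailServer's real log format.

```python
import ipaddress
import re

# One DNS label: 1-63 characters of letters, digits and hyphens, not starting
# or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_ehlo(arg: str) -> str:
    """Classify the argument of an EHLO/HELO command.

    RFC 5321 allows a fully qualified domain name or an address literal such
    as [203.0.113.10] or [IPv6:2001:db8::1]. A bare IP or a single-label host
    name is neither, and is a common reason receivers distrust a sender."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.upper().startswith("IPV6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return "address-literal"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"
    except ValueError:
        pass
    labels = arg.split(".")
    if (len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "fqdn"
    return "invalid"


# Constructed outbound log excerpt (assumed layout: timestamp, component,
# source IP, "->", destination IP, command, argument). Not hMailServer's format.
SAMPLE_LOG = """\
2016-12-14 18:01:02 SMTPC 203.0.113.10 -> 198.51.100.25 EHLO mail.example.co.uk
2016-12-14 18:01:03 SMTPC 203.0.113.10 -> 198.51.100.25 MAIL FROM:<chris@example.co.uk>
2016-12-14 18:03:11 SMTPC 203.0.113.10 -> 198.51.100.25 EHLO 203.0.113.10
2016-12-14 18:05:40 SMTPC 203.0.113.10 -> 192.0.2.7 EHLO [203.0.113.10]
2016-12-14 18:07:15 SMTPC 203.0.113.10 -> 192.0.2.7 HELO WIN-SRV01
"""

EHLO_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ (?P<src>\S+) -> (?P<dst>\S+) (?:EHLO|HELO) (?P<arg>\S+)$"
)


def audit_outbound_ehlo(log_text: str, expected_fqdn: str) -> list:
    """Return one finding per outbound EHLO/HELO that does not announce the
    expected hostname. On a host with a single mail server every outbound
    session should use that name; anything else points at another sender."""
    findings = []
    for line in log_text.splitlines():
        match = EHLO_RE.match(line)
        if not match:
            continue                      # not an EHLO/HELO line
        arg = match["arg"]
        kind = classify_ehlo(arg)
        if kind == "fqdn" and arg.lower() == expected_fqdn.lower():
            continue                      # the correctly configured sender
        findings.append({"timestamp": match["ts"], "dst": match["dst"],
                         "ehlo": arg, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in audit_outbound_ehlo(SAMPLE_LOG, "mail.example.co.uk"):
        print(finding)
```

Run against the sample, the audit reports three sessions: one announcing a bare IP (the symptom in this thread), one using an address literal, which is syntactically valid but is still treated as suspicious by many receivers, and one using an unqualified Windows machine name. Any finding on a host that is supposed to send only through hMailServer means some other process is speaking SMTP to the internet directly, which is the situation the MantisBT virtual server created here; the fix is, as the thread describes, to point that component at hMailServer instead of letting it deliver on its own.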

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Getting XBL/CBL blacklisted

Post by SorenR » 2016-12-14 20:39

GeoffM wrote:It didn't sort it - but I did (eventually) find out why. I have MantisBT running on PHP and an SMTP virtual server. What I hadn't realised was that this virtual server bypasses hMailServer and goes straight onto the internet by itself. That had an IP address instead of the domain name for the EHLO message. Fixed but I don't want this happening.

Now, I need to stop the SMTP VS from connecting to the internet and instead talk to hMailServer directly. I have found a couple of threads on here on how to do it.

Cheers.
Check the file config_inc.php; there should be a line with "$g_smtp_host" in it.

On hMailServer, in case MantisBT cannot send SMTP AUTH, you can create an IP Range for the MantisBT server IP only and omit "require auth".
SørenR.
