
VPS mail server listed on CBL, my ISP claims it's coming from my network



#1 McBride

Posted 22 January 2014 - 09:54 PM

Long time listener. First time caller.

I run IT/systems for a small network of 45 computers. Beginning last week, users had numerous emails returned undeliverable with MTA poor-reputation and CBL blacklist errors. I have a static IP in the building and went to each individual computer and ran AdwCleaner and Malwarebytes. I found cookies and minor infections on networked machines and cleaned them in safe mode.

I changed my SMTP to another outgoing server to successfully send mail. However, my VPS SMTP continues to be blacklisted. My ISP, who hosts the VPS email server, ran extensive captures on the server and went through the Exim configs, and they claim everything is normal. Here are two of the blacklistings:

http://cbl.abuseat.org/lookup.cgi?ip=216.189.0.235

http://www.spamhaus.org/query/bl?ip=216.189.0.235

My questions for the gurus:

  1. Can I still get relisted on the CBL if my entire network was off during the weekend?
  2. Could the trojan be on my network and still be on the CBL if it doesn't use the VPS SMTP to send mail?
  3. What tools/services would you suggest to find the source?
  4. What spam settings on cPanel do you suggest for the maximum benefit?

I'll hang up and listen. Thanks in advance for your help.

 




 


#2 Grinler (Lawrence Abrams), Admin

Posted 23 January 2014 - 08:18 PM

Welcome to the site :) Easier to give you help here rather than on Twitter.

So I understand your setup: you have a virtual private server hosted outside of your network running an SMTP/POP3 server. Your users on the network access that server to send and retrieve email?

I would ask your provider for a copy of the logs associated with your mail server. It may contain the addresses of those computers that are repeatedly connecting to your server. If they are all on internal IPs and being NATed by the router, that won't help.

The next step would be to use an Ethernet sniffer like Wireshark and, if possible, mirror the traffic from all the switch ports to the port used by the sniffer. Then you can find those that are performing heavy SMTP requests.

To your questions:

1. Only if the VPS server itself is compromised and being used to send the spam. Then it does not matter what is connected to it.

2. No. Your router IP address, if using NAT, would be listed instead. Or another server that the trojaned computer is sending mail through.

3. Wireshark is a good choice for finding the SMTP traffic.

4. Unfortunately, I can't help with cPanel. Never used it.
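Working through the first suggestion above (the mail server's own logs), here is an added example that is not part of this thread: it tallies accepted messages per client IP and per authenticated account from constructed Exim mainlog-style lines. The IPs, account names and exact log layout are assumptions; the per-account view is the part that still works when NAT hides every office PC behind one router address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Exim mainlog style (not from the thread). A "<=" line is a
# message the server accepted; H=... [ip] is the submitting client and A= is the SMTP
# AUTH credential it used. 203.0.113.20 stands for an office NAT address, 198.51.100.7
# for an outside host reusing a stolen password. Deliveries ("=>") are not counted.
SAMPLE_LOG = """\
2014-01-22 09:54:01 1W5aaa-0001Aa-Aa <= alice@example.com H=(pc-alice) [203.0.113.20] P=esmtpsa A=dovecot_login:alice S=2100
2014-01-22 09:54:03 1W5aab-0001Ab-Ab <= bob@example.com H=(pc-bob) [203.0.113.20] P=esmtpsa A=dovecot_login:bob S=1800
2014-01-22 09:54:05 1W5aad-0001Ad-Ad <= noreply@example.com H=(x) [198.51.100.7] P=esmtpa A=dovecot_login:alice S=4200
2014-01-22 09:54:05 1W5aae-0001Ae-Ae <= noreply@example.com H=(x) [198.51.100.7] P=esmtpa A=dovecot_login:alice S=4200
2014-01-22 09:54:06 1W5aaf-0001Af-Af <= noreply@example.com H=(x) [198.51.100.7] P=esmtpa A=dovecot_login:alice S=4200
2014-01-22 09:54:06 1W5aag-0001Ag-Ag <= noreply@example.com H=(x) [198.51.100.7] P=esmtpa A=dovecot_login:alice S=4200
2014-01-22 09:55:10 1W5aah-0001Ah-Ah => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.25]
"""

ARRIVAL = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ <= (?P<sender>\S+)")
CLIENT_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")
AUTH = re.compile(r"\bA=(\S+)")

def parse_arrivals(log_text):
    """Yield (sender, client_ip, auth_user) for every accepted-message line."""
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries, rejects and other log lines are skipped
        ip = CLIENT_IP.search(line)
        auth = AUTH.search(line)
        # A= looks like "<authenticator>:<user>"; keep only the user part
        user = auth.group(1).split(":", 1)[-1] if auth else None
        yield m["sender"], ip.group(1) if ip else None, user

def summarize(log_text):
    """Messages per client IP, per authenticated account, and the IPs each account used."""
    by_ip, by_user, user_ips = Counter(), Counter(), defaultdict(set)
    for _sender, ip, user in parse_arrivals(log_text):
        by_ip[ip] += 1
        if user:
            by_user[user] += 1
            user_ips[user].add(ip)
    return by_ip, by_user, {u: sorted(s) for u, s in user_ips.items()}

def suspicious(log_text, per_ip_threshold=3, min_ips_per_user=2):
    """Flag client IPs above the message threshold, and accounts submitting from
    several IPs, which points at a leaked credential rather than one infected PC."""
    by_ip, _by_user, user_ips = summarize(log_text)
    busy_ips = [ip for ip, n in by_ip.most_common() if n > per_ip_threshold]
    shared = sorted(u for u, ips in user_ips.items() if len(ips) >= min_ips_per_user)
    return busy_ips, shared
```

Run `suspicious(SAMPLE_LOG)` to get the busy IPs and the accounts seen from more than one address; on a real mainlog the thresholds need tuning to normal office volume.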



#3 McBride (Topic Starter)

Posted 24 January 2014 - 07:09 AM

Thanks Lawrence! I'll try your suggestions.




#4 McBride (Topic Starter)

Posted 28 January 2014 - 10:24 AM

I'm up to 14 blacklists. This is loads of fun.



#5 Grinler (Lawrence Abrams), Admin

Posted 28 January 2014 - 10:29 AM

Did you try any of my suggestions? What were the outcomes?

Ever get the logs from the provider?



