Ubuntu – False IP blacklisting on CBL and Spamhaus ZEN

Tags: blacklist, email-server, postfix, spam, Ubuntu

I've gone through this: Spamhaus XBL keeps adding my IP

I'm managing the server 23.239.30.81 on Ubuntu using Postfix.

For the last 6 months or so I have been forwarding all my:

  • Cron Daemon logs
  • Postfix SMTP errors
  • Drupal website error logs
  • Copy of subscription emails etc

to my one hotmail email.

But two weeks ago it was put on the Spamhaus ZEN & CBL blacklist. Now I've changed the email from hotmail to a privately managed MS Exchange mail server.

But still, after 3 days it was added back to the blacklist.

For about a year I have also had email monitoring set up using a cron script with pflogsumm, which informs me if the number of emails sent per day exceeds 300. But there aren't that many; I've just checked in the evening at 6.30 pm and I can see just 93.

Now I've added "always_bcc=myemai@privatecompany.com" in Postfix main.cf so that I can see all outgoing emails from this server. Here are the snapshots of those emails.

There isn't any spam. I can see those (in addition to the above) are:

  • Contact us messages
  • forum replies
  • Account activation emails
  • Mysql database backups
  • Advertising reports etc

I'm forwarding the emails to a private email server, so how can Spamhaus ZEN & CBL see those emails (except for forum subscriptions & replies) to blacklist this IP again?

I've emailed cbl[@]abuseat.org but I've only got a seemingly automated reply to check the system for viruses etc.

I've also scanned the system with the ClamAV antivirus.

All the forum replies and subscription and activation emails contain unsubscribe information. However the error logs do not.

What could I be missing?

Update: I've restricted emails to be sent only through Postfix: a firewall rule only allows Postfix to send email through SMTP on port 25, and I have a copy of all the emails and none is spam. However it has been relisted for the 4th time after some 15 hours.

Today (on 8th Dec) I got this reply from CBL:

The IP 23.239.30.81 is infected with spamware, most recently detected at:

2015:12:04 ~14:30 UTC +/- 15 minutes (approximately 3 days, 3 hours, 59 minutes ago)

This host HELOed as [127.0.0.1] … Please correct that.
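The question relies on three things that can be checked from the server itself: the per-day outbound count that the pflogsumm cron job watches, which envelope senders actually generate the mail that always_bcc copies, and the HELO name that the CBL reply objects to. The following shell script is an added example, not code from the question or from CBL; the mail.log lines, the two main.cf fragments, and all hostnames and addresses in it are constructed sample data, and the threshold check mirrors the 300-per-day rule described above.

```shell
#!/bin/sh
# Added example (not from the original question): summarise outbound Postfix
# deliveries from a mail.log and report the name Postfix will use in HELO/EHLO.
# All sample data below is constructed; hostnames and addresses are placeholders.

# Number of deliveries with status=sent on one syslog day, e.g. "Dec  4".
count_sent_on_day() {
    awk -v day="$2" 'index($0, day " ") == 1 && /postfix\/smtp\[/ && /status=sent/ { n++ }
                     END { print n + 0 }' "$1"
}

# Envelope senders ranked by message count, taken from qmgr "from=<...>" lines.
# A web-app account (www-data) at the top of this list is where to look first.
senders_by_volume() {
    awk '/postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
            s = substr($0, RSTART + 6, RLENGTH - 7); c[s]++
         }
         END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# Alert (return 1) when a day's sent count exceeds the limit, like the pflogsumm cron job.
check_daily_threshold() {
    n=$(count_sent_on_day "$1" "$2")
    if [ "$n" -gt "$3" ]; then
        echo "ALERT: $n messages sent on $2 (limit $3)"; return 1
    fi
    echo "ok: $n messages sent on $2 (limit $3)"; return 0
}

# Name announced in HELO/EHLO: smtp_helo_name if set in main.cf, otherwise myhostname.
# Loopback or bracketed values are flagged; that is what the CBL reply complained about.
helo_name_status() {
    name=$(awk -F'=' '/^[[:space:]]*smtp_helo_name[[:space:]]*=/ { v = $2 }
                      /^[[:space:]]*myhostname[[:space:]]*=/ && v == "" { h = $2 }
                      END { gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", h)
                            print (v != "" ? v : h) }' "$1")
    case "$name" in
        ""|\[*|127.*|localhost*) echo "BAD:$name"; return 1 ;;
        *)                       echo "OK:$name";  return 0 ;;
    esac
}

# --- constructed sample inputs ---------------------------------------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
SAMPLE_LOG="$TMP/mail.log"; BAD_CF="$TMP/main.cf.bad"; GOOD_CF="$TMP/main.cf.good"

cat > "$SAMPLE_LOG" <<'EOF'
Dec  4 14:20:01 srv postfix/qmgr[2101]: 1A2B3C4D5E: from=<www-data@srv.example.test>, size=1532, nrcpt=1 (queue active)
Dec  4 14:20:02 srv postfix/smtp[2102]: 1A2B3C4D5E: to=<admin@privatecompany.example>, relay=mx.privatecompany.example[192.0.2.10]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec  4 14:25:10 srv postfix/qmgr[2101]: 6F7A8B9C0D: from=<root@srv.example.test>, size=9872, nrcpt=1 (queue active)
Dec  4 14:25:11 srv postfix/smtp[2102]: 6F7A8B9C0D: to=<admin@privatecompany.example>, relay=mx.privatecompany.example[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec  4 14:31:00 srv postfix/qmgr[2101]: E1F2A3B4C5: from=<www-data@srv.example.test>, size=2044, nrcpt=1 (queue active)
Dec  4 14:31:01 srv postfix/smtp[2102]: E1F2A3B4C5: to=<user@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=2.3, dsn=4.7.1, status=deferred (host mx.example.net[192.0.2.20] said: 451 try later)
Dec  5 09:00:00 srv postfix/qmgr[2101]: D9E8F7A6B5: from=<www-data@srv.example.test>, size=1100, nrcpt=1 (queue active)
Dec  5 09:00:01 srv postfix/smtp[2102]: D9E8F7A6B5: to=<admin@privatecompany.example>, relay=mx.privatecompany.example[192.0.2.10]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF

# main.cf as it would look when the host announces itself as [127.0.0.1]
printf 'myhostname = localhost\nsmtp_helo_name = [127.0.0.1]\n' > "$BAD_CF"
# main.cf with a resolvable hostname and no smtp_helo_name override
printf 'myhostname = mail.example.test\n' > "$GOOD_CF"

# --- demo run ----------------------------------------------------------------
check_daily_threshold "$SAMPLE_LOG" "Dec  4" 300 || true
echo "senders:"; senders_by_volume "$SAMPLE_LOG"
helo_name_status "$BAD_CF"  || true
helo_name_status "$GOOD_CF" || true
```

On a live system the log path is /var/log/mail.log and the config is /etc/postfix/main.cf; `postconf -n` is the authoritative way to read the effective values, the awk here only shows how the two settings interact. Deferred deliveries are deliberately not counted, so the sent total is what actually left the box.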

Best Answer

I would highly recommend to go through the CBL and Spamhaus websites again, because they have all the information you need to start with troubleshooting and safeguarding your server. The information there can help you understand how the blacklisting process works and why one gets listed, and also gives advice on keeping the server safe to avoid blacklisting.

I'm just going to quote a few important parts from CBL, the rest you can check for yourself. The point is, since you are getting listed again and again, your server is most probably compromised and it is not related to your postfix. Now you need to investigate and find out the possible cause. It can be a rootkit or a trojan or spambot or just another malicious script. You need to do a complete scan of your system for possible issues. Once you find the real cause, then you can resolve the problem and can take necessary steps to avoid it happening again.

Here is from CBL:

What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

I'm running Linux (FreeBSD, OpenBSD, UNIX...) and CANNOT be infected with a virus!

While it is perfectly true that UNIX-like operating systems are almost NEVER infectable with Windows viruses, there are a number of virus-like things that UNIX-like systems are susceptible to. For example:

  • Windows emulation software (eg: VMWARE or Wine) are just as susceptible to infection as native Windows. In fact, it's probably somewhat more likely that an emulator instance of Windows gets infected, because the fact that it's running under another O/S can lead to a false sense of security, and emulator instances are less likely to be protected with a full anti-virus suite.
  • Open proxies (eg: insecure Squid configurations) leading to open proxy spamming.
  • Web server vulnerabilities or compromises. For example, the DarkMailer/DirectMailer trojan is injected via FTP (using compromised users' userids/passwords) onto web servers, and thereupon is used to send very large volumes of spam. Virtually all web servers are susceptible to this if they permit upload of content from the Internet.
  • Application vulnerabilities: many applications have security vulnerabilities, particularly those associated with PHP on web servers. Eg: older versions of Wordpress, PHPNuke, Mamba etc. Some of these vulnerabilities are to the extent that a malefactor can install a full proxy/trojan spamming engine on your machine and control it remotely. Through this, they can set up spamming engines, open proxies, malware download and spam redirectors. Watch out for strange directories being created, particularly those starting with a "." in /tmp. Check for this by doing an "ls -la" in /tmp, and look for directory names starting with "." (other than "." and ".." themselves).

For troubleshooting and protection

  • It is CRITICALLY IMPORTANT that all web-facing applications or application infrastructures (Wordpress, Joomla, Cpanel, etc. etc.) are kept fully patched and up-to-date. Furthermore, userid/passwords and other credentials for logging into such systems should be highly protected, require strong passwords and be changed as frequently as practical/feasible.

  • Such sites should consider continuous monitoring of web, ftp and other subsystems.

  • Rootkits are where a malicious entity has installed software on your machine and buried it in such a way that the normal system utilities cannot find it. In some cases they replace the normal system utilities with hacked versions that won't show their tracks.

  • Check that you have good remote login-capable passwords (eg: telnet, FTP, SSH), inspect your logs for large quantities of failed/SSH/telnet login attempts.

  • Consider running a "system modification" detector such as Tripwire or rkhunter. Tripwire is designed to detect and report modification to important system programs. Rkhunter does what Tripwire does, but looks for specific rootkits, insecure versions of system software and more. Not all viruses are windows binaries. Some viruses/worms are in application-level files using non-binary programming techniques (such as macro viruses, Java, PHP or Perl). These can be truly infectious cross-platform.

More on MailServer in CBL: Mail Server in CBL

From Spamhaus:

What is "proxy hijacking"? What do I need to know about proxies?

What is a "honeypot" or "proxypot"? What is a "proxy hijack source" or "C&C"?
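The CBL advice quoted in the answer boils down to three checks an administrator can script: look for hidden entries in /tmp, count failed remote-login attempts per source in the auth log, and compare system binaries against a known-good baseline the way Tripwire does. The script below is an added example and is not code from the answer, from CBL or from Tripwire/rkhunter; it runs entirely against a scratch directory and constructed sshd log lines (documentation IP ranges), so it can be tried safely before pointing the functions at /tmp, /var/log/auth.log and /usr/bin.

```shell
#!/bin/sh
# Added example (not from the answer or from CBL): three host checks from the CBL
# troubleshooting list, exercised against constructed data in a scratch directory.

# 1. Hidden entries directly under a directory (the "ls -la /tmp" check).
#    ls -A already omits "." and "..", so anything printed starts with a dot.
hidden_entries() {
    ls -A "$1" | awk '/^\./' | sort
}

# 2. Failed SSH password attempts per source address from sshd log lines.
#    Prints "count ip" for every source with at least $2 failures, busiest first.
failed_ssh_by_source() {
    awk -v min="$2" '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
        }
        END { for (ip in c) if (c[ip] >= min) print c[ip], ip }' "$1" | sort -rn
}

# 3. Tripwire-style integrity check: record SHA-256 of every file under a
#    directory, then later report which files no longer match.
make_baseline() {
    ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}
changed_files() {
    ( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null ) | sed -n 's/: FAILED$//p'
}

# --- constructed sample environment --------------------------------------
SCRATCH=$(mktemp -d); trap 'rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/tmp/.x9" "$SCRATCH/tmp/sess_cache" "$SCRATCH/bin"

# a fake auth.log: one source hammering root/admin, one legitimate user with a typo
cat > "$SCRATCH/auth.log" <<'EOF'
Dec  4 03:11:02 srv sshd[4410]: Failed password for root from 192.0.2.55 port 51022 ssh2
Dec  4 03:11:05 srv sshd[4412]: Failed password for invalid user admin from 192.0.2.55 port 51030 ssh2
Dec  4 03:11:09 srv sshd[4415]: Failed password for root from 192.0.2.55 port 51041 ssh2
Dec  4 08:45:00 srv sshd[4511]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Dec  4 09:02:13 srv sshd[4520]: Failed password for deploy from 198.51.100.7 port 40020 ssh2
EOF

# fake "system utilities": take a baseline, then simulate one being replaced
printf 'version 1\n' > "$SCRATCH/bin/ls"
printf 'version 1\n' > "$SCRATCH/bin/ps"
BASELINE="$SCRATCH/baseline.sha256"
make_baseline "$SCRATCH/bin" "$BASELINE"
printf 'replaced\n' > "$SCRATCH/bin/ps"

# --- demo run --------------------------------------------------------------
echo "hidden entries in tmp:";            hidden_entries "$SCRATCH/tmp"
echo "sources with >= 3 failed logins:";  failed_ssh_by_source "$SCRATCH/auth.log" 3
echo "files changed since baseline:";     changed_files "$SCRATCH/bin" "$BASELINE"
```

The baseline file has to live somewhere the host cannot silently rewrite (off-box or read-only media) for the third check to mean anything; a rootkit that can replace ps can also replace the checksum list.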