Results 1 to 3 of 3
  1. #1
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034

    repeated listings daily at cbl.abuseat.org

    Ok since about a week ago one of our ips the main server ip is getting listed daily at cbl, I admin a few server and this has the first time I have experienced something like this.

    Upon doing the lookup I am greeted with this message.

    IP Address 89.x.x.x is currently listed in the CBL.

    It was detected at 2008-04-15 19:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.

    It has been relisted following a previous removal at 2008-04-15 11:16 GMT

    ATTENTION: If you are running IPSwitch Imail, or similar shared hosting software, please contact the CBL by email. If you are running Ensim, please read this for a workaround. Otherwise, this IP is infected with/emitting spamware/spamtrojan traffic and needs to be fixed.

    Request delisting of 89.x.x.x.
    So its telling me the host of the ip address 'may' be infected but it isn't telling me the exact reason its listed, there is no spam sample.

    on clicking the remove button there is another message saying what they do and what they dont do.

    Such as

    The CBL only lists IP addresses that are demonstrably infected by a mass mailing virus, or some sort of spam sending compromise (open proxy, trojan, spambot, insecure AnalogX/wingate etc).
    The CBL is strongly committed to detecting only compromised machines in a ethical, professional and responsible manner, and assisting in whatever way necessary to eradicate these compromises as quickly as possible
    Our "compromise detection" techniques are extremely accurate, and almost never makes mistakes. Hence, detections must be taken seriously, and you should do whatever you can to understand and fix (or at least avoid) the problem
    It goes onto say the probable reason is either a open proxy or spambot infection.

    I click on the button next to that says it this a mail server.

    Greeted with this.

    It is very rare for "real" mail servers to find themselves listed in the CBL. The CBL's techniques are specifically designed to avoid listing real mail servers, even if the mail server relays viruses or trojan/proxy spam.

    A correctly operating and configured mail server cannot trigger a CBL listing under any circumstances.

    The only exception is if the mail server machine itself is infected with a virus, trojan or open proxy of some sort. As a matter of very last resort, if your mail server is running on Microsoft Windows or is running proxy services, please consult Scanning your machine.
    The machine isnt windows its freebsd.

    Most times the address is actually that of a NAT gateway "between" the mail server and the Internet - if you have a NAT (this includes the case where your mail server is also acting as a NAT - IE: MS ISA or SBS), you should review this link before proceeding with this page
    This isnt.

    Ok so I have CBL at this point telling me the server is listed and it is probably due to either been a windows machine been infected or hosts an open proxy, I portscanned the machine and checked for proxy processes no results. No sign of a trojan/virus although I do understand one could be running hidden, nothing in places like /tmp however.

    Ok so more reading on CBL

    What are the exact criteria for listing on the CBL?
    Those will not be disclosed because it may give spammers or virus writers hints on how to avoid the CBL.

    The next section provides information on how to diagnose persistent CBL relistings
    On another post on this forum I found a url on the cbl website showing how to do helo tests which indicates they are treating simple misconfigured email servers as spam.

    I did email cbl 3 days ago asking for assistance but have had no reply. The main server ip is been blacklisted although senders accounts on the server have assigned ip addresses and none use the main server ip, if we test send through apache it uses the assigned ip address not the main one, if I test send from the shell it does use the server ip. HELO is automatically set by exim to mail.senderdomain.com it is a shared hosting server. Reverse dns is valid for all smtp ips.

    I have concluded there is either a hidden rootkit somehow on the machine or cbl are listing for something silly that I havent spotted. The exim logs show no obvious spam been sent during the timeframe they listed only normal emails, /tmp is clean including hidden files with . at start of filename. I have modified exim configuration to block things like localhost, ip literals as helo. Sender verification is disabled in exim. So far I have found their lack of assistance and their very vague documents dissapointing so any advice here is appreciated.
    Last edited by Chrysalis; 04-15-2008 at 07:14 PM.

  2. #2
    Join Date
    Jul 2006
    Posts
    285
    Make sure no one is using challenge/response along with a catchall address. cPanel's version of this (boxtrapper) caused a couple of my boxes to get listed on the CBL before.

    Also, try to set your firewall to force all port 25 traffic through exim so that rogue mailing scripts at least get logged, making them easier to track down.
    Last edited by Iwannasite; 04-28-2008 at 01:30 AM.

  3. #3
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,034
    thanks for your reply I should have updated before.

    CBL says it just lists open proxies and the like but in fact it also lists what it considers as badly configured servers that may not be sending anything rogue.

    there is a hidden helo header page on the cbl site which I only discovered via a post on here. I also got a reply of them.

    The fact the server in question has multiple helos for one ip triggered the listing, the multiple helos are quite deliberate I do this so the domain sending the email has a matching helo header. CBL consider this incorrect and it triggers a listing, because I find their listing policy dishonest I may stop using it for all my mail servers.

    In addition they showed some domain which were used as from address's to their harvesters, I searched my mail logs and the domains I matched up were sending spam TO the server and not FROM the server. I found no evidence of rogue mail been sent from the server, so I concluded that they were maybe recieving bounce emails back from the server and combined with the multiple helos they listed the server.

    Interesting about the catchall I do know a few catchalls are used but I dont know if they are combined with a challenge/response will have to check that.

    did a google after you mentioned the word boxtrapper and it seems CBL listing policies are not correct they are overly agressive and hitting innocent ips.

    http://forums.12wonder.com/showthread.php?t=300

    thanks for your info. Currently to stop listings we have outbound 25 on the server ip firewalled off but this is breaking a few things such as server status emails, and bounce emails.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •