• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved CBL and PLESK

lvalics

Silver Pleskian
Plesk Guru
I've been listed 3 times on CBL in the last couple of days. Of course I have checked the server, all logs, it was outgoing limit for sending, it was deactivated to not send from PHP only with SMTP (Allow users and scripts to use Sendmail - nice feature) and I took all measures to be ok with spammers. Still was listed second and third time.
Asked CBL to clarify me... The answer is long, I will copy here, but main issue:
http://www.abuseat.org/PleskAvoid.html

I think is good to know that using one of PLESK feature (which I found nice, you can get listed on CBL.

Note: if you have received messages from us about IPSwitch/IMail
before, please note that IPSwitch has finally implemented a workaround.
Please see below. We will no longer be perm-delisting IMail
installations unless there's no alternative.

The CBL attempts to detect compromised machines in a number of ways
based upon the email that the CBL's mail servers receive.

During this it tries distinguish whether the connections represent real
mail servers by ensuring that each connection is claiming a plausible
machine name for itself (via SMTP HELO), and not listing any IP that
corresponds to a real mail server (or several mail servers if the IP
address is a NAT firewall with multiple mail servers behind it).

IP was found to be using several different EHLO/HELO names during
multiple connections on or about:

2016:06:20 ~12:30 UTC+/- 15 minutes (approximately 1 days, 12 hours ago).

The names seen included:

domain1,domain2,domain3,domain4

Note that the above list may include one or more names that are not
fully qualified DNS names (FQDNs). Host names (ie: Windows node names)
without a dot are not FQDNs.

RFC2821 requires that the HELO be either an IP address literal - an
IP address surrounded by square brackets (ie: "[1.2.3.4]"), or a FQDN.

To resolve this you need to identify whether these are real names
of your machines. If not:

- you have an open proxy used for spamming on that IP, or
- you have a NAT firewall, and one or more machines behind it
have an open proxy used for spamming.
- if all of the names above are IP addresses belonging to you
(without the square brackets) you probably using Blue Squirrel's
"Spam Sleuth" "Turing" feature. You will need to turn the
"Turing" feature off until you can get a patched version that
doesn't do this (identifies itself consistently).

If they are real names, you need to consider whether one or more
of these machines are supposed to be sending email to the Internet (this
implies that IP is a NAT firewall.)

If you are running Plesk, see http://www.abuseat.org/PleskAvoid.html

If you are running Cpanel, see http://www.abuseat.org/cPanel.html

If not, one or more machines on your internal network has an open
proxy used for spamming.

If these are real names corresponding to real mail servers behind a
NAT firewall, we strongly suggest that you configure your machines
to have consistent fully qualified domain names, like:

mail01.<your domain>, mail02.<your domain>

This is usually done by setting the machine's node name to be one
of the above, but sometimes it's a configuration parameter for the
mail server.

The final possibility is that IP is not a NAT firewall, and
is instead a single box with many domains provisioned on it, some that
send email directly, setting the HELO as the sending domain. If this
is the case, to prevent a relisting we strongly recommend setting the
mail software on the box so that a single identifying name is used in
outbound SMTP connections. As an alternate workaround, you can
configure the mail software to relay its outbound email through an
intermediate mail server. Even a co-resident mail server package
(such as IIS on Windows) will do fine.

Note: there is a fairly common belief that the HELO has to match the
From: line, otherwise mail server spam filtering will block it. This
is mistaken. If it were true, large scale email hosting environments
(such as Google, godaddy or mail.com/1and1 etc) would be unable to
function.

If IP is a NAT firewall, we STRONGLY recommend
that you configure it to prevent machines (except your real mail
servers) on your local network connecting to the Internet on port 25
(SMTP/email). In this way you can contain any insecure machines (either
by open proxy/spam trojan or emailing worm like Netsky) from attacking
others on the Internet.

If you are running Ipswitch Imail, GMS, Dmail, Ensim, WorkGroupMail or this is
part of BellSouth Shared Hosting please let us know, AND, also let us
know if all the names we've listed above are legitimate customers or
"co-customers" (if you know).

These days, we only see this problem with old unpatched copies of
Ensim or older IMail (mostly IMail 8). However, we've seen it once
or twice with Imail 10 and 11. Note the difference between IMail 8/9
and IMail 10/11 below.

If you are running Ensim, see http://forum.ensim.com/showthread.php?p=68868
This contains a workaround that you can apply which will be deployed
officially as a patch in the near future.

For IPswitch IMail, the issue arises when you have multiple domains
using different IPs for the domains hosted on the machine.

With IMail this is only an issue with the CBL when you use different
IPs for the hosted domains. This appears to now be a deprecated
configuration. Secondly, ONLY the primary IP gets listed, never the
per-domain alias IPs.

In Imail 8 and 9 (aka 2006.1 we think), the issue is that even if you
have different IPs for your customer domains, _sending_ email always
comes from the primary IP address, yet it uses the domains as HELO
values. Hence, the IP doesn't seem to make up its mind who it is.

Imail 10 and 11 appear to be able to send email from the different
IPs without difficulty, the problem arises with an anti-spam feature
called "sender address verification" (SAV - Imail appears to call
it "RCPT validation".) using different HELOs on the same outbound
(primary) IP.

Imail 8: The very last version of Imail 8 (8.23 we believe)
apparently has a straightforward option (something like
"turn off HELO spoofing") to prevent this problem.
Imail 9: Has a similar option.
Imail 10/11: Normal email sending gets the HELO right, instead
SAV probes have the Imail 8/9 problem. Contact IPSwitch
about turning SAV off. SAV is a bad idea in the first
place, so it should be turned off whether or not it
works "correctly".

If you're running Netwin Dmail, be aware that all support/development
has ceased, and you should upgrade to Netwin's Surgemail package.

If you are running Surgemail, make sure that you have set your
HELO value to a specific value (ie: your server's official DNS name),
rather than letting Surgemail guess. This appears to be via
the "send_helo" and "g_send_helo" parameters.

If you are running Fortimail, the setting is found under: Mail
Settings -> Domains -> Edit Domain -> Advanced Settings -> SMTP
greeting -> check "Use system host name"

The default setting is set to "Use this domain name", which will
cause the problems we've detected.


I've removed the entry from the list and inhibited redetections for the
next 3 days.

It may take a few hours to propagate to the public nameservers. The
CBL will relist the IP if it detects the same thing again after 3
days from now.

 
hi!

https://docs.plesk.com/en-US/12.5/a...l/configuring-serverwide-mail-settings.59430/ has been updated. The root cause of the issue is a change in the CDL behavior. They started blacklisting IP addresses that are used in HELO greetings of multiple domains if the HELO greeting contains both the IP address and the domain name. To avoid being blacklisted, please either make sure that every domain on the server has a unique dedicated IP address, or select the 'Send from domain IP addresses' option in the mail server settings
 
Nice, but I suggest to add a microupdate for this and in a way alert all admins with this feature enabled to reconsider. I think is a good feature but CBL does not like it :-(
Also when a user in the future select it give an alert with the text on updated page. CBL is not playing games and all major list get RBL from him and the server will be listed :-(

hi!

https://docs.plesk.com/en-US/12.5/a...l/configuring-serverwide-mail-settings.59430/ has been updated. The root cause of the issue is a change in the CDL behavior. They started blacklisting IP addresses that are used in HELO greetings of multiple domains if the HELO greeting contains both the IP address and the domain name. To avoid being blacklisted, please either make sure that every domain on the server has a unique dedicated IP address, or select the 'Send from domain IP addresses' option in the mail server settings
 
Nice, but I suggest to add a microupdate for this and in a way alert all admins with this feature enabled to reconsider. I think is a good feature but CBL does not like it :-(
Also when a user in the future select it give an alert with the text on updated page. CBL is not playing games and all major list get RBL from him and the server will be listed :-(

@Ivalics

Also check your mail logs.......there are probably some log lines indicating that some mail is sent to your server, to bounce back to another (genuine) mailaddress.

This could also be a cause of your IP ending up on the CBL.

Regards.....
 
Back
Top