
Question: Full Hostname, CBL blacklist

Jack Lee

New Pleskian
CBL is blacklisting us:
Results of Lookup
74.208.165.208 is listed

74.208.165.208 was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".


We are using:
Plesk Onyx
Version 17.0.17 Update #36, last updated on Oct 19, 2017 03:23 AM
Our website is https://www.esaproductmanager.com


I see the "Full Hostname" under Tools & Settings, Server Settings
What do I enter in the Full Hostname?

And will this resolve the CBL issue?
TIA...
 
Hi Jack Lee,

Please check the following files on your server:
  • /etc/hostname
  • /etc/hosts
  • /etc/mailname

Examples for a correct configuration:

/etc/hostname:
YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM


/etc/hosts:
127.0.0.1    localhost.localdomain    localhost
127.0.0.1    YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM        YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER

XXX.XXX.XXX.XXX    YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM        YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER
( where XXX.XXX.XXX.XXX will be YOUR first unique IPv4 of your server )


/etc/mailname:
YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM
 
Ok, here is what they are:


/etc/hostname
localhost.localdomain

/etc/hosts
127.0.0.1 localhost.localdomain localhost localhost4 localhost4.localdomain4
::1 localhost.localdomain localhost localhost6 localhost6.localdomain6


/etc/mailname
file does not exist
 
I would try this for your /etc/hosts:

127.0.0.1 esaproductmanager.com localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 esaproductmanager.com localhost localhost.localdomain localhost4 localhost4.localdomain4
 
Been listed again on CBL, same problem.

I have no idea how to fix this.
The CBL

Results of Lookup
74.208.165.208 is listed

This IP address was detected and listed 53 times in the past 28 days, and 4 times in the past 24 hours. The most recent detection was at Thu Nov 16 20:15:00 2017 UTC +/- 5 minutes

This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.

74.208.165.208 was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".

etc/hostname
esaproductmanager.com


etc/hosts
127.0.0.1 localhost.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6

74.208.165.208 esaproductmanager.com esaproductmanager

etc/mailname
cat: mailname: No such file or directory
 
1) In /etc/hosts add your public domain name as the first name after the 127.0.0.1 and ::1 addresses.

2) In Tools & Settings > Mailserver > Server Wide Mail Settings > General Options > Outgoing Mail Mode set the selection to "Send from domain IP addresses". At this point it is crucial to avoid the "Send from domain IP addresses and use domain names in SMTP greeting" setting, because in that case the list will list you simply for doing that, because the same IP address will be used for different domains.

3) Besides these two, make sure that you are really not spamming. Very often server operators don't realize that their servers are indeed spamming. For example, many did not block execution permissions for the /tmp partition, so that some malware has installed a stand-alone instance of an additional mail server like Exim. Check your process list whether Exim is running. Many more times, malware plugins of WordPress or Joomla are sending spam. You can try to run
# egrep -r -i --include=\*.php '64_decode|edoced_46' --exclude-dir={system,logs,bin,dev,etc,lib,lib64,sbin,usr,var,tmp} /var/www/vhosts/ | less
on your virtual hosts, then carefully examine the output to find all PHP source code locations that have strange-looking paragraphs of encrypted code in them. This is frequently malware code. (Single lines of base64-encoded variables are normally OK.)
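The hostname and /etc/hosts advice above can be checked offline before the next CBL lookup. The script below is an added example, not from the thread or from Plesk; it takes the contents of /etc/hostname, /etc/mailname and /etc/hosts as strings, and the sample contents at the bottom are constructed from the values quoted in this thread.

```shell
#!/bin/sh
# Added example: offline checks for the three files discussed in the thread.
# File contents are passed in as strings, so the functions can be run against
# copies of /etc/hostname, /etc/mailname and /etc/hosts from any server.

# is_fqdn NAME: succeed when NAME is usable as a mail hostname: at least one
# dot, not a loopback placeholder, labels of letters/digits/hyphens only.
is_fqdn() {
    case "$1" in
        ''|localhost|*.localdomain) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# first_name_for HOSTS_TEXT ADDR: print the first name on the line for ADDR.
first_name_for() {
    printf '%s\n' "$1" | awk -v addr="$2" '$1 == addr { print $2; exit }'
}

# check_hosts HOSTS_TEXT FQDN: succeed when FQDN is the first name after both
# 127.0.0.1 and ::1 (step 1 of the last reply).
check_hosts() {
    for addr in 127.0.0.1 ::1; do
        [ "$(first_name_for "$1" "$addr")" = "$2" ] || return 1
    done
}

# check_identity HOSTNAME MAILNAME HOSTS_TEXT: all three files must agree on
# one real FQDN; otherwise the MTA can still announce itself as localhost.
check_identity() {
    is_fqdn "$1" && [ "$2" = "$1" ] && check_hosts "$3" "$1"
}

# Constructed sample contents, built from the values quoted in the thread.
FQDN=esaproductmanager.com
BAD_HOSTS='127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
74.208.165.208 esaproductmanager.com esaproductmanager'
GOOD_HOSTS="127.0.0.1 $FQDN localhost localhost.localdomain
::1 $FQDN localhost localhost.localdomain
74.208.165.208 $FQDN esaproductmanager"

if check_identity "$FQDN" "$FQDN" "$GOOD_HOSTS"; then echo "corrected files: OK"; fi
if ! check_identity localhost.localdomain "" "$BAD_HOSTS"; then echo "original files: still localhost"; fi
```

To check a live server, replace the sample strings with `"$(cat /etc/hostname)"`, `"$(cat /etc/mailname)"` and `"$(cat /etc/hosts)"`.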
 