• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Full Hostname, CBL blacklist

Jack Lee

New Pleskian
CBL is blacklisting us:
Results of Lookup
74.208.165.208 is listed

74.208.165.208 was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".


We are using:
Plesk Onyx
Version 17.0.17 Update #36, last updated on Oct 19, 2017 03:23 AM
Our website is https://www.esaproductmanager.com


I see the "Full Hostname" under Tools & Settings, Server Settings
What do I enter in the Full Hostname?

And will this resolve the CBL issue?
TIA...
 
Hi Jack Lee,

pls. check the following files on your server:
  • /etc/hostname
  • /etc/hosts
  • /etc/mailname

Examples for a correct configuration:

/etc/hostname:
YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM


/etc/hosts
:
Code:
127.0.0.1    localhost.localdomain    localhost
127.0.0.1    YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM        YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER

XXX.XXX.XXX.XXX    YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM        YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER
( where XXX.XXX.XXX.XXX will be YOUR first unique IPv4 of your server )


/etc/mailname
:
YOUR-DEFINED-SUBDOMAIN-FOR-YOUR-SERVER.YOUR-FQDN-WHICH-RESOLVES-TO-YOUR-IP.COM
 
Ok, here is what they are:


/etc/hostname
localhost.localdomain

/etc/hosts
127.0.0.1 localhost.localdomain localhost localhost4 localhost4.localdomain4
::1 localhost.localdomain localhost localhost6 localhost6.localdomain6


/etc/mailname
file does not exist
 
I would try this for your /etc/hosts:

127.0.0.1 esaproductmanager.com localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 esaproductmanager.com localhost localhost.localdomain localhost4 localhost4.localdomain4
 
Been listed again on CBL, same problem.

I have no idea how to fix this.
The CBL

Results of Lookup
74.208.165.208 is listed

This IP address was detected and listed 53 times in the past 28 days, and 4 times in the past 24 hours. The most recent detection was at Thu Nov 16 20:15:00 2017 UTC +/- 5 minutes

This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.

74.208.165.208 was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".

etc/hostname
esaproductmanager.com


etc/hosts
127.0.0.1 localhost.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6

74.208.165.208 esaproductmanager.com esaproductmanager

etc/mailname
cat: mailname: No such file or directory
 
1) In /etc/hosts add your public domain name as the first name after the 127.0.0.1 and ::1 addresses.

2) In Tools & Settings > Mailserver > Server Wide Mail Settings > General Options > Outgoing Mail Mode set the selection to "Send from domain IP addresses". At this point it is crucial to avoid the "Send from domain IP addresses and use domain names in SMTP greeting" setting, because in that case the list will list you simply for doing that, because the same IP address will be used for different domains.

3) Besides these two, make sure that you really not spamming. Very often server operators don't realize that their servers are indeed spamming. For example many did not block execution permissions for the /tmp partition, so that some malware has installed a stand-alone instance of an additional mail server like Exim. Check you process list whether Exim is running. Many more times, malware plugins of Wordpress or Joomla are sending spam. You can try to run
# egrep -r -i --include=\*.php '64_decode|edoced_46' --exclude-dir={system,logs,bin,dev,etc,lib,lib64,sbin,usr,var,tmp} /var/www/vhosts/ | less
on your virtual hosts, then carefully examine the output to find all PHP source code locations that have strange looking paragraphs of encrypted code to them. This is frequently malware code. (Single lines of base64 encoded variables are normally o.k.)
 
Back
Top