Facebook
Twitter
I've been plagued by CBL listing for quite some time now, on a linux server with Plesk 12.
After months of a fierce fight against every possible malware on the about 120 various websites on this server, extensively monitoring clients emails, enabling restrictive policies and finally even hiring a private security firm to investigate the problems further, we were sure that not a single spam message was sent by our server in any way.
So we finally contacted CBL, exposed the issue and got this answer:
The CBL attempts to detect compromised machines in a number of ways
based upon the email that the CBL's mail servers receive.
During this it tries distinguish whether the connections represent real
mail servers by ensuring that each connection is claiming a plausible
machine name for itself (via SMTP HELO), and not listing any IP that
corresponds to a real mail server (or several mail servers if the IP
address is a NAT firewall with multiple mail servers behind it).
54.194.XX.XXX was found to be using several different EHLO/HELO names during
multiple connections on or about:
2015:01:09 ~16:30 UTC+/- 15 minutes (approximately 3 days, 21 hours, 14 minutes ago).
The names seen included:
xxx1.xx, xxx2.xx, xxx3.xx, xxx4.xx, xx.xxx5.xx, veniceberg.com
Note that the above list may include one or more names that are not
fully qualified DNS names (FQDNs). Host names (ie: Windows node names)
without a dot are not FQDNs.
[...]
The final possibility is that 54.194.XX.XXX is not a NAT firewall, and
is instead a single box with many domains provisioned on it, some that
send email directly, setting the HELO as the sending domain. If this
is the case, to prevent a relisting we strongly recommend setting the
mail software on the box so that a single identifying name is used in
outbound SMTP connections
mail software on the box so that a single identifying name is used in
outbound SMTP connections. As an alternate workaround, you can
configure the mail software to relay its outbound email through an
intermediate mail server. Even a co-resident mail server package
(such as IIS on Windows) will do fine.
This pointed me to this Plesk Mail setting (not sure if this selection is the default). Now we are waiting a few days to see if changing to "Send from domain IP addresses" solves the issue.
I think this is a kind of issue which deserves attention by Parallels to avoid other users go trough our fatiguing ordeals. If this setting is responsible for getting servers blacklisted, it should be highly discouraged.
After months of a fierce fight against every possible malware on the about 120 various websites on this server, extensively monitoring clients emails, enabling restrictive policies and finally even hiring a private security firm to investigate the problems further, we were sure that not a single spam message was sent by our server in any way.
So we finally contacted CBL, exposed the issue and got this answer:
The CBL attempts to detect compromised machines in a number of ways
based upon the email that the CBL's mail servers receive.
During this it tries distinguish whether the connections represent real
mail servers by ensuring that each connection is claiming a plausible
machine name for itself (via SMTP HELO), and not listing any IP that
corresponds to a real mail server (or several mail servers if the IP
address is a NAT firewall with multiple mail servers behind it).
54.194.XX.XXX was found to be using several different EHLO/HELO names during
multiple connections on or about:
2015:01:09 ~16:30 UTC+/- 15 minutes (approximately 3 days, 21 hours, 14 minutes ago).
The names seen included:
xxx1.xx, xxx2.xx, xxx3.xx, xxx4.xx, xx.xxx5.xx, veniceberg.com
Note that the above list may include one or more names that are not
fully qualified DNS names (FQDNs). Host names (ie: Windows node names)
without a dot are not FQDNs.
[...]
The final possibility is that 54.194.XX.XXX is not a NAT firewall, and
is instead a single box with many domains provisioned on it, some that
send email directly, setting the HELO as the sending domain. If this
is the case, to prevent a relisting we strongly recommend setting the
mail software on the box so that a single identifying name is used in
outbound SMTP connections
mail software on the box so that a single identifying name is used in
outbound SMTP connections. As an alternate workaround, you can
configure the mail software to relay its outbound email through an
intermediate mail server. Even a co-resident mail server package
(such as IIS on Windows) will do fine.
This pointed me to this Plesk Mail setting (not sure if this selection is the default). Now we are waiting a few days to see if changing to "Send from domain IP addresses" solves the issue.
I think this is a kind of issue which deserves attention by Parallels to avoid other users go trough our fatiguing ordeals. If this setting is responsible for getting servers blacklisted, it should be highly discouraged.
Last edited:
