Forward in directadmin leads to CBL spam listing

nostech

Hello,

In the last 7 days my server has been listed on the CBL blacklist twice. I have followed their complete guidance, but unfortunately nothing indicates that there is a bad script somewhere on the server (nor do the logs indicate that a bad script should have been uploaded around the times). So I'm getting a bit frustrated..., as I won't be able to keep delisting the server from the CBL blacklist. And they suggest to have the issue solved (but nothing indicates there even is an issue). So I'm trying to find out what could be causing this, and 1 question I have about this: could it be possible that domain.com is hosted on the server and there exists an email forward to let's say [email protected], so:

Incoming email (with virus/spam) on server --> DA redirects email to [email protected] --> [email protected] receives this infected mail, will it be reported coming from my server, or will it still be the original sending server that will be reported?

In case it's the IP of my server (performing the forward via DA), this could be causing the block maybe?

FYI: the used email services are dovecot and exim.

Thanks in advance.
 
Any email sent from your server (including mail received on your server and then forwarded) will be reported as coming from your server, from your IP#.

That said, it's unlikely that hotmail reports to CBL.

To help you find the problem you'll need to search your logs for mail which remains on the queue because incoming mail servers won't accept it. Then look at the mail and try to find it in the logs to see where it's coming from.

Searching logs for email issues can be extremely tedious.

But that's the only way to know what's going on.

This document (bradthemad.org) will probably help you search logs, queue, etc.

Jeff
 
Thank you for the reply Jeff.

So basically what you're saying is: yes forwarded mail will be reported as coming from my IP, but CBL will be smart enough to know that this spam was originally not coming from my server (my ip/server is not the original sender) but was a forward, correct?

Hotmail was just an example here, CBL seems to be used by practically everything (hotmail, gmail, exchange companies, ...)

I've checked the logs (also as described on the link), and nothing special to notice. When I look in DA, I see an average of 50 outgoing mails in the DA log. When I look into the exim logs and look for messages around the time (up to a couple of hours before/after) of being blocked (CBL provides this time), no notice of suspicious outgoing messages either.
When checking the mail queue, there are only a couple of mails (+/-5) hanging every hour... So nothing extreme here either. That's why I was thinking the reason was being blocked for forwarding infected mails (which then have my IP), instead of being blocked for sending out a mass of spam.
 
So basically what you're saying is: yes forwarded mail will be reported as coming from my IP, but CBL will be smart enough to know that this spam was originally not coming from my server (my ip/server is not the original sender) but was a forward, correct?
No, that's not what I meant at all. Sorry for the delay in replying, I had cataract surgery on one of my eyes, and have been avoiding spending too much time staring at a computer.
Hotmail was just an example here, CBL seems to be used by practically everything (hotmail, gmail, exchange companies, ...)
Unless CBL gives you more information, or you can see blocked email in your logs, or still on the queue, then you won't know why it's happening.

But all blocked email should be in your queue for several days or should be returned to your server as undeliverable (and then perhaps returned to real original senders) according to settings. If you've been blocked then you should be able to find out why. Look for outgoing emails which are not accepted.

If recipients are using CBL to score and throw away emails after accepting them (the way you may be using SpamAssassin) then you may not ever be able to tell which emails are being blocked.

To catch this sort of problem I set up a feedback loop with AOL (information here (aol.com)), because if AOL gets reports of spam originating from your server (including spam emails forwarded through your server) they'll send you the report, including a copy of the email, so you'll see the subject line which you can search in your logs.

Jeff
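
The log search described in the replies above, as an added example that is not part of the original thread: it pulls failed (`**`) and deferred (`==`) remote deliveries out of an Exim mainlog and joins each one to its arrival (`<=`) line, showing whether a refused message was inbound mail being forwarded or came from a local user or script. The `remote_smtp` transport name and the sample log lines are assumptions; check the transport name in your own exim.conf.

```python
import re

# Constructed sample of Exim mainlog lines; every host, address and ID is made up.
SAMPLE_LOG = """\
2024-03-01 09:14:02 1rfA2b-0004Xy-1Q <= promo@bulk.example H=mx.bulk.example [203.0.113.9] P=esmtp S=2841
2024-03-01 09:14:03 1rfA2b-0004Xy-1Q ** someone@remote.example <info@domain.example> R=lookuphost T=remote_smtp H=mx.remote.example [198.51.100.7]: SMTP error from remote mail server after end of data: 550 5.7.1 message rejected as spam
2024-03-01 09:20:10 1rfA8h-0004Zc-7K <= www@server.example U=apache P=local S=900
2024-03-01 09:20:11 1rfA8h-0004Zc-7K == user@other.example R=lookuphost T=remote_smtp defer (-44) H=mx.other.example [198.51.100.20]: SMTP error from remote mail server after RCPT TO:<user@other.example>: 451 4.7.1 try again later
2024-03-01 09:31:40 1rfAJo-0004bD-3M <= alice@domain.example H=(laptop) [192.0.2.44] P=esmtpsa S=1502
2024-03-01 09:31:41 1rfAJo-0004bD-3M => bob@partner.example R=lookuphost T=remote_smtp H=mx.partner.example [198.51.100.30] C="250 OK"
2024-03-01 09:31:41 1rfAJo-0004bD-3M Completed
"""

# timestamp, message ID, then one of the flags we care about: arrival, failure, deferral
LINE = re.compile(r"^(\S+ \S+) (\S+-\S+-\S+) (<=|\*\*|==) (.*)$")
# final recipient, optionally followed by <original address> when it was forwarded/aliased
ADDR = re.compile(r"^(\S+)(?: <([^>]+)>)?")

def refused_outbound(log_text):
    """Return one record per remote delivery that failed (**) or was deferred (==)."""
    arrivals, problems = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, msgid, flag, rest = m.groups()
        if flag == "<=":
            ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", rest)   # remote submitter
            user = re.search(r"\bU=(\S+)", rest)            # local user or script
            origin = ip.group(1) if ip else f"local:{user.group(1)}" if user else "unknown"
            arrivals[msgid] = {"sender": rest.split()[0], "origin": origin}
        elif "T=remote_smtp" in rest:                       # assumed transport name
            rcpt, forwarded_for = ADDR.match(rest).groups()
            problems.append({"when": when, "id": msgid, "flag": flag, "rcpt": rcpt,
                             "forwarded_for": forwarded_for,
                             "reason": rest.split(": ", 1)[-1]})
    for p in problems:  # join each refusal to where the message entered the server
        p.update(arrivals.get(p["id"], {"sender": "unknown", "origin": "unknown"}))
    return problems

if __name__ == "__main__":
    for p in refused_outbound(SAMPLE_LOG):
        kind = f"forward of {p['forwarded_for']}" if p["forwarded_for"] else "direct send"
        print(f"{p['when']} {p['id']} {p['flag']} {p['rcpt']} ({kind}) "
              f"from {p['sender']} via {p['origin']}: {p['reason']}")
```

A refusal whose record has `forwarded_for` set and a remote IP as `origin` is forwarded inbound mail; one with a `local:` origin was generated on the server itself.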
 