
Thread: Bitninja greylist -> smtp malicious activity

  1. #1
    Join Date: May 2014 | Location: Leuven, Belgium | Posts: 49

    Bitninja greylist -> smtp malicious activity

    The host of my VPS sent me a warning that they have received a report of malicious activity originating from my VPS.
    After examining the exim mainlog, I found the origin:

    2019-06-30 17:29:09 1hhRXi-0003bF-PW == jamesdiaz@littleitalytours.it <JamesDiaz@littleitalytours.it> R=lookuphost T=remote_smtp defer (-19) H=littleitalytours.it [185.81.2.195]: Malformed SMTP reply in response to HELO server.webfoundry-hosting.be: 550 5.7.1 Your IP (xxx.xxx.xxx.xxx) is on the BitNinja server security greylist. This means that we experienced malicious attacks coming from your IP and placed it on our greylist due to security reasons. If you have taken the necessary steps to eliminate its source, you can delist this IP. You can only delist this IP a couple of times. It is good idea to warn your service provider about this incident.

    So my server is probably sending spam.

    Maldetect, spamassassin, clamav and firewall (CFS) are running. Is there something else I can do to prevent this?
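    The mainlog line quoted above is the kind of entry worth watching for continuously: a remote host deferring our delivery with a 5xx reply that names a reputation list is an early sign that the server is relaying unwanted mail. The following script is an added example, not code from the thread or from Exim; it parses `==` defer lines in the mainlog format shown in the post, keeps only remote_smtp defers whose reply mentions a greylist or blocklist, and tallies which remote hosts are rejecting us and which of our IPs they name. The sample log lines are constructed with RFC 5737 addresses and example domains.

```python
import re
from collections import Counter

# Constructed sample mainlog excerpt, modelled on the line quoted in the post.
# Line 1 and 3: deferred by a remote host that lists our IP on a security greylist.
# Line 2: an ordinary temporary failure (not a reputation problem).
# Line 4: a successful delivery ("=>"), which parse_defer must ignore.
SAMPLE_LOG = """\
2019-06-30 17:29:09 1hhRXi-0003bF-PW == bob@example.net <Bob@example.net> R=lookuphost T=remote_smtp defer (-19) H=example.net [192.0.2.10]: Malformed SMTP reply in response to HELO server.example.org: 550 5.7.1 Your IP (198.51.100.7) is on the BitNinja server security greylist.
2019-06-30 17:31:12 1hhRZe-0003cQ-1A == alice@example.com <alice@example.com> R=lookuphost T=remote_smtp defer (-44) H=example.com [192.0.2.20]: SMTP error from remote mail server after RCPT TO:<alice@example.com>: 451 4.7.1 Please try again later
2019-06-30 17:35:40 1hhRdg-0003dR-2B == carol@example.net <carol@example.net> R=lookuphost T=remote_smtp defer (-19) H=example.net [192.0.2.10]: Malformed SMTP reply in response to HELO server.example.org: 550 5.7.1 Your IP (198.51.100.7) is on the BitNinja server security greylist.
2019-06-30 17:40:01 1hhRhy-0003eS-3C => dave@example.org R=lookuphost T=remote_smtp H=example.org [192.0.2.30]
"""

# "<date> <time> <msgid> == <rcpt> [<addr>] ... T=<transport> defer (<code>) H=<host> [<ip>]: <reason>"
DEFER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) == (?P<rcpt>\S+)(?: <[^>]*>)? "
    r".*?T=(?P<transport>\S+) defer \((?P<code>-?\d+)\) "
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<reason>.*)$"
)

# Phrases in a remote reply that mean "the receiver considers us a spam source".
# These markers are an assumption of this example; extend them for the lists you see.
REPUTATION_MARKERS = ("greylist", "blacklist", "blocklist", "spamhaus", "listed")

# Remote replies that quote our own address in the form "Your IP (a.b.c.d)".
OUR_IP_RE = re.compile(r"Your IP \((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_defer(line):
    """Return the fields of a '==' defer line as a dict, or None for any other line."""
    m = DEFER_RE.match(line)
    return m.groupdict() if m else None


def is_reputation_defer(entry):
    """True when an outbound delivery was refused because of our IP's reputation."""
    reason = entry["reason"].lower()
    return entry["transport"] == "remote_smtp" and any(k in reason for k in REPUTATION_MARKERS)


def summarize(lines):
    """Return (hits, by_host): the reputation defers and a count of them per remote host."""
    hits = []
    for line in lines:
        entry = parse_defer(line.strip())
        if entry and is_reputation_defer(entry):
            hits.append(entry)
    return hits, Counter(e["host"] for e in hits)


def listed_ips(hits):
    """Set of our IPs that remote servers explicitly named as listed."""
    found = set()
    for e in hits:
        m = OUR_IP_RE.search(e["reason"])
        if m:
            found.add(m.group(1))
    return found


if __name__ == "__main__":
    hits, by_host = summarize(SAMPLE_LOG.splitlines())
    for host, n in by_host.most_common():
        print(f"{host}: {n} reputation defer(s)")
    print("our listed IPs:", ", ".join(sorted(listed_ips(hits))) or "none")
</test>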

  2. #2
    Join Date: Apr 2005 | Location: GMT +7.00 | Posts: 13,800
    Hello,

    In order to reduce possible outgoing SPAM:

    - Check and disable catch-all redirects to external addresses.
    - Check and disable forwarders to external addresses whenever it's possible
    - Prevent exim from including the original email in a bounce message
    - Enable sending limits in DirectAdmin on a per-user basis
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  3. #3
    Join Date: May 2014 | Location: Leuven, Belgium | Posts: 49
    Thanks zEitEr for your help.
    I've been doing some reading, and tried mxtoolbox as a test. It says "DMARC Quarantine/Reject policy not enabled".

    When I read https://help.directadmin.com/item.php?id=596 it states p=none
    Should I try to make the default p=reject?
    change:
    _dmarc TXT "v=DMARC1; p=none; sp=none; rua=mailto:info@webfoundry.be"

    to:
    _dmarc TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:info@webfoundry.be"

    or am I looking in the wrong direction?

  4. #4
    Join Date: Apr 2005 | Location: GMT +7.00 | Posts: 13,800
    DMARC does not protect your server against outgoing SPAM. It is used only for protecting your domain reputation from email spoofing. So I'd rather say it is not relevant to your issue reported in the initial post here.

    Besides that, the mentioned DMARC is worth enabling. And your DMARC reports will be sent only for webfoundry.be. Related: https://help.directadmin.com/item.php?id=596
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook
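    To make the difference between the two records in post #3 concrete, and the point in post #4 that DMARC governs what receivers do with mail that claims to be from your domain rather than what your server sends, here is an added example (not code from the thread or from DirectAdmin) that parses a DMARC TXT record per the RFC 7489 tag syntax, reports the policy a receiver would apply to the domain and its subdomains, and lists the weaknesses of a monitor-only record. The records are constructed with an example.com reporting address instead of the one in the post.

```python
# Allowed values of the p= and sp= tags (RFC 7489 section 6.3).
POLICY_VALUES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_VALUES:
        raise ValueError("missing or invalid p= tag")
    return tags


def effective_policy(tags, subdomain=False):
    """Policy a receiver applies to a failing message: sp= covers subdomains when present."""
    if subdomain and tags.get("sp") in POLICY_VALUES:
        return tags["sp"]
    return tags["p"]


def assess(record):
    """Return a list of findings describing how little the record actually enforces."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only; spoofed mail for the domain is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: you receive no aggregate reports")
    if tags["p"] != "none" and effective_policy(tags, subdomain=True) == "none":
        findings.append("sp=none: subdomains are unprotected even though the organisational domain is")
    return findings


# Constructed records in the shape of the "before" and "after" from post #3.
BEFORE = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com"
AFTER = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        tags = parse_dmarc(rec)
        print(f"{label}: domain={effective_policy(tags)} subdomains={effective_policy(tags, True)}")
        for f in assess(rec):
            print("  -", f)
```

Moving from p=none to p=reject changes what a receiver does with mail that fails SPF/DKIM alignment for your domain; it has no effect on messages your own server relays that are authenticated correctly, which is why the thread's greylisting problem has to be addressed on the sending side.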
