Listed in CBL

dreamfox

Hello, it seems my mail server is listed in CBL.
The message I see is:

This IP is operating (or NATting for a computer that is operating) the "sendsafe" or similar (such as Advanced Mass Sender - AMS) bulk emailing malware. This software is almost exclusively used for sending "Nigerian 419"/"advance fee" frauds or phishing attempts. It is also used occasionally to send pharmaceutical spam.

Sendsafe works by acquiring userid and password (usually stolen) for a valid email account on a mail server. Then, a machine compromised by sendsafe (in this case your IP) makes a SMTP connection to that mail server, authenticates with the compromised email login credentials, and proceeds to send spam emails.

One way to look for this is to look for authenticated outbound SMTP connections from this IP address either on port 25 or port 587. This particular detection was of a SMTP connection made from your IP address to IP address 203.183.65.42.

NOTE When a sendsafe infection starts to send email to the compromised mail server (at 203.183.65.42), it usually sends VERY VERY large quantities all at once. The compromised mail server probably can't relay it as fast as it's receiving it, so will queue it for later delivery. The timestamp we give above is the time which the recipient's mail server received it, _not_ when sendsafe sent it. Therefore, the reception timestamp may be as much as 4 days _after_ the sendsafe infection sent it. So, if you have firewall logs, search for at least the 4 previous days for connections to 203.183.65.42.

DO NOT BOTHER looking for emails in your mail server logs, because these infections DO NOT use your mail server software, and will obviously not show up in your mail server logs.

In some cases it turns out to be a SSH login account (with a weak or compromised password) used to proxy inbound connections to outbound SMTP connections. Check your SSH logs for logins from unusual places (such as Nigeria).

---------------------------------------------------------------------------
But I'm not sure I understand the message.
Are they talking about stolen userids and passwords of email accounts on my email server?
Is my email server sending out spam, or through another email server?

Can someone tell me in simple English what the message above means and what I need to do to solve this?
 
Yeah, confusing to me, too; and this is my specialty.

Someone has likely set up software and is using it to send spam through your server.

Unfortunately they don't tell us enough about Sendsafe to Google it; too many products use the term. And of course it may be software called by a different name entirely.

So we don't know which program it is. Fortunately the blocklist maintainer has sent you enough information to find the behavior. Turn on all smtp logging in your exim.conf: Temporarily replace the log_selector code in your exim.conf file with this code:
[code]
log_selector = \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+subject \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery \
+arguments \
+smtp_confirmation \
+smtp_incomplete_transaction \
+smtp_connection \
+smtp_protocol_error \
+smtp_syntax_error
[/code]
but note it will increase your log size dramatically.

Then restart exim, and watch your /var/log/mainlog log for 203.183.65.42. While the blocklist writes that you shouldn't look in your mailserver logs in one place, in another he says you should look in your mail queue. Anything in your queue will be in your logs, and vice-versa; it pays to look there.

And also to look in your queue for mail coming in from 203.183.65.42.

While you can firewall connections from the IP#, it won't stop the spammer from switching IP#s if he hasn't already set up multiples.

My best guess is that if the spammer is using your server he's either got email software running in his space on your system, sending spam, or he's using authenticated mail submission on port 587, since a default DirectAdmin installation won't relay mail coming in on port 25. If he's got software on your server it's going to be hard to find him, but start by using maldet to find malware in your userspace (search these forums). If he's logging in it's going to be a lot easier, and you'll be able to find him by limiting email on a per-user basis; search these forums. But even low limits will result in a lot of email going out, as he can send to over a hundred recipients with one email connection and DirectAdmin will only see it as one email.

Check your exim mainlog for very long lines; if he's sending to multiple recipients on one connection then very long lines in your exim mainlog file will stick out like a sore thumb.

Good luck. If you need professional help, I or others can work for you. For information from me, please email me (from an offserver account, such as gmail), as I respond to email more quickly than I do to PMs.

Jeff
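A small triage script for the two checks in the reply above (lines mentioning the IP from the CBL listing, and "very long" lines where one authenticated login sent to dozens of recipients), added here as an example and not code from the thread or from DirectAdmin. It writes a constructed sample log so it runs offline; the mainlog path, the exim line layout and the threshold of 400 bytes are assumptions.

```shell
#!/bin/sh
# Added example: triage an exim mainlog for the signs described in the thread.
# Set LOG=/var/log/exim/mainlog on a real server (path is an assumption).
LOG="${LOG:-/tmp/cbl_sample_mainlog}"
SUSPECT_IP="203.183.65.42"    # the IP quoted in the CBL listing
LONG=400                       # a line longer than this is worth a look

# Constructed recipient list: 60 addresses on one accepted message, which is
# what an authenticated spam run looks like once +received_recipients is on.
many_rcpts() {
    i=1
    while [ "$i" -le 60 ]; do
        printf 'victim%d@example.org, ' "$i"
        i=$((i+1))
    done
}

# Constructed sample lines in exim mainlog style (layout approximated, not a real log)
{
    echo "2006-03-13 09:12:01 SMTP connection from [192.0.2.10]:4410 (TCP/IP connection count = 1)"
    echo "2006-03-13 09:12:02 1FIxyz-0001aB-7c <= shop@example.com H=(pc.example.com) [192.0.2.10] P=esmtpa A=login:shop@example.com S=812 T=\"Your order\" for buyer@example.net"
    echo "2006-03-13 09:12:03 1FIxyz-0001aB-7c => buyer@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.5]"
    echo "2006-03-13 09:40:17 SMTP connection from [$SUSPECT_IP]:51200 (TCP/IP connection count = 1)"
    echo "2006-03-13 09:40:18 1FIyQ2-0002zZ-Kq <= info@example.com H=(localhost) [$SUSPECT_IP] P=esmtpa A=login:info@example.com S=4071 T=\"URGENT PROPOSAL\" for $(many_rcpts)"
} > "$LOG"

# Check 1: how many log lines mention the suspect IP (connections in or out).
ip_hits() { grep -c -F "[$SUSPECT_IP]" "$1"; }

# Check 2: message ids (field 3) of lines longer than $LONG bytes.
long_lines() { awk -v max="$LONG" 'length($0) > max { print $3 }' "$1"; }

# Check 3: which authenticated login (A=login:user) produced those long lines;
# that is the account whose password needs changing.
long_line_senders() {
    awk -v max="$LONG" 'length($0) > max {
        for (i = 1; i <= NF; i++) if ($i ~ /^A=login:/) print substr($i, 9)
    }' "$1" | sort -u
}

echo "lines mentioning $SUSPECT_IP: $(ip_hits "$LOG")"
echo "message ids on very long lines: $(long_lines "$LOG")"
echo "authenticated senders on those lines: $(long_line_senders "$LOG")"
```

On a real server the same three functions run unchanged against the live mainlog; a hit from check 3 tells you which mailbox login to reset before you touch the queue.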
 