Mailserver blacklisted

  • Hi all! Recently one of my servers has been blacklisted by Spamhaus ZEN, CBL, ivmSIP. Do you have any suggestion about how to check the root cause? The installed i-MSCP version is 1.2.9.
    Thank you!

  • /var/log/mail.log

    Thanks but what to look for?


    I've got some more details...


    Code
    IP Address ... is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
    It was last detected at 2015-11-15 18:00 GMT (+/- 30 minutes), approximately 9 days, 5 hours ago.
    This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it's participating in a botnet.
  • First have a look at your mail queue. Do you have lots of deferred messages? If yes, maybe one of your mail accounts or websites was hacked.

  • grep relay= /var/log/mail.info | tail
    Nov 25 00:55:08 srv postfix/error[28563]: 96E032CC364B: to=<[email protected]>, relay=none, delay=105526, delays=105454/71/0/0.14, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/error[28665]: A576E2CC6468: to=<[email protected]>, relay=none, delay=416357, delays=416285/71/0/0.14, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/error[28718]: 4EBEA2CC433F: to=<[email protected]>, relay=none, delay=359669, delays=359597/71/0/0.14, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/error[28578]: 260842CC2344: to=<[email protected]>, relay=none, delay=181294, delays=181222/71/0/0.09, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/error[28586]: 2D57E2CC625B: to=<[email protected]>, relay=none, delay=418486, delays=418415/71/0/0.09, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/error[28661]: 8B7BA2CC39C7: to=<[email protected]>, relay=none, delay=245809, delays=245738/71/0/0.09, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/error[28581]: 850562CC12C3: to=<[email protected]>, relay=none, delay=106883, delays=106812/71/0/0.09, dsn=4.0.0, status=deferred (delivery temporarily suspended: host etb-1.mail.abcdef.it[....] refused to talk to me: 554 zxcv-1.mail.abcdef.it lbv81r00B0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/smtp[28673]: DAB542CC2689: to=<[email protected]>, relay=etb-2.mail.abcdef.it[....]:25, delay=187025, delays=186953/1.2/70/0, dsn=4.0.0, status=deferred (host etb-2.mail.abcdef.it[....] refused to talk to me: 554 zxcv-2.mail.abcdef.it lbv81r00o0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:08 srv postfix/smtp[28645]: 135362CC2F29: to=<[email protected]>, relay=etb-4.mail.abcdef.it[....]:25, delay=135013, delays=134942/1.1/70/0, dsn=4.0.0, status=deferred (host etb-4.mail.abcdef.it[....] refused to talk to me: 554 zxcv-2.mail.abcdef.it lbv81r00x0SDUYm01 IP: ...., You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/.... You are listed in Spamhaus ZEN)
    Nov 25 00:55:59 srv postfix/smtp[28658]: 63C602CC5C10: to=<[email protected]>, relay=mx2.fuse.net[64.8.71.15]:25, delay=313799, delays=313677/1.2/121/0, dsn=4.7.1, status=deferred (host mx2.fuse.net[64.8.71.15] refused to talk to me: 550 5.7.1 [C16] SBL-XBL Restriction: See http://www.spamhaus.org/query/bl?ip=....)
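The deferred lines above only show the symptom (the remote MX refusing the listed IP). The earlier reply's two hypotheses, a hacked mail account or a hacked website, can be told apart from the same log: a message that arrived through an authenticated SMTP session is logged by smtpd with a sasl_username, while one handed in by a local script is logged by pickup with the submitting uid. The script below is an added example, not code from the thread or from i-MSCP; it runs over a constructed mail.log excerpt (hosts, IPs, users and queue IDs are made up) and attributes every deferred queue ID to its entry point.

```shell
#!/bin/sh
# Added example (not from the thread): for each queue ID that Postfix logged as
# status=deferred, find where the message entered the system, so a stuck queue
# can be attributed to a compromised mail account (SASL login), to a local
# submission such as a web script (pickup uid), or to an unauthenticated client.
# Reads mail.log format on stdin.

# Constructed mail.log excerpt; hosts, IPs, users and queue IDs are made up.
SAMPLE_LOG='Nov 24 23:10:01 srv postfix/smtpd[1001]: 96E032CC364B: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=info@example.org
Nov 24 23:10:01 srv postfix/qmgr[900]: 96E032CC364B: from=<info@example.org>, size=2310, nrcpt=1 (queue active)
Nov 24 23:10:02 srv postfix/pickup[950]: A576E2CC6468: uid=1002 from=<vu2001>
Nov 24 23:10:02 srv postfix/qmgr[900]: A576E2CC6468: from=<vu2001@srv.example.org>, size=1870, nrcpt=1 (queue active)
Nov 24 23:10:03 srv postfix/smtpd[1001]: 4EBEA2CC433F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=info@example.org
Nov 24 23:10:03 srv postfix/qmgr[900]: 4EBEA2CC433F: from=<info@example.org>, size=2305, nrcpt=1 (queue active)
Nov 24 23:10:04 srv postfix/smtpd[1003]: 260842CC2344: client=mail.partner.example[192.0.2.7]
Nov 24 23:10:04 srv postfix/qmgr[900]: 260842CC2344: from=<news@partner.example>, size=1520, nrcpt=1 (queue active)
Nov 25 00:55:08 srv postfix/error[28563]: 96E032CC364B: to=<x@example.net>, relay=none, delay=105526, delays=105454/71/0/0.14, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.example.net[203.0.113.5] refused to talk to me: 554 You are listed in Spamhaus ZEN)
Nov 25 00:55:08 srv postfix/error[28665]: A576E2CC6468: to=<y@example.net>, relay=none, delay=416357, delays=416285/71/0/0.14, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.example.net[203.0.113.5] refused to talk to me: 554 You are listed in Spamhaus ZEN)
Nov 25 00:55:08 srv postfix/error[28718]: 4EBEA2CC433F: to=<z@example.net>, relay=none, delay=359669, delays=359597/71/0/0.14, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.example.net[203.0.113.5] refused to talk to me: 554 You are listed in Spamhaus ZEN)
Nov 25 00:55:08 srv postfix/error[28720]: 260842CC2344: to=<w@example.net>, relay=none, delay=181294, delays=181222/71/0/0.09, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.example.net[203.0.113.5] refused to talk to me: 554 You are listed in Spamhaus ZEN)
Nov 25 00:56:00 srv postfix/smtp[28700]: DAB542CC2689: to=<ok@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)'

# Print "QUEUEID origin" for every deferred queue ID. origin is one of
# sasl:<login>, local:uid=<n>, client:<host[ip]> (no SASL auth) or unknown.
deferred_origins() {
  awk '
    {
      id = $6; sub(/:$/, "", id)     # field 6 of a syslog line is "QUEUEID:"
      if ($0 ~ /status=deferred/) deferred[id] = 1
      # smtpd logs client= first and sasl_username= later on the same line,
      # so an authenticated login overrides the plain client attribution
      if (match($0, /client=[^ ,]+/))
        origin[id] = "client:" substr($0, RSTART + 7, RLENGTH - 7)
      if (match($0, /sasl_username=[^ ,]+/))
        origin[id] = "sasl:" substr($0, RSTART + 14, RLENGTH - 14)
      # pickup handles local submissions (sendmail binary, PHP mail(), cron)
      if (index($5, "postfix/pickup") == 1 && match($0, /uid=[0-9]+/))
        origin[id] = "local:" substr($0, RSTART, RLENGTH)
    }
    END {
      for (id in deferred)
        print id, ((id in origin) ? origin[id] : "unknown")
    }' | sort
}

# Count deferred messages per origin, most frequent first.
deferred_origin_counts() {
  deferred_origins | awk '{ n[$2]++ } END { for (o in n) print n[o], o }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deferred_origin_counts
```

On a real server run `deferred_origin_counts < /var/log/mail.log` (or over the rotated mail.log.1 as well, since the queue entries in the thread are several days old). A `sasl:` origin at the top means a mailbox password to reset; a `local:uid=` origin points at the system user, in i-MSCP a per-domain web user, whose site needs to be checked and suspended.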

  • What do you get from mailq? If you want I can help you (send me your TeamViewer data via PM).

  • Thank you Ninos,


    mailq was full of emails from a hosted website that is now suspended. I purged those emails and I'm going to monitor mailq to check if new spam messages get queued. Is this correct? Otherwise I will contact you to check the situation.


    For deleting a specific domain I've issued this command


    postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /@abcdefghdomain\.com/ { print $1 }' | tr -d '*!' | postsuper -d -