From: Bill Cole (postfixlists-070913 billmail.scconsult.com)
Date: Tue Dec 04 2007 - 23:12:55 CST
At 7:03 PM -0700 12/4/07, utahnix wrote:
>Last week I discovered that my server had been listed in the CBL.
>But at the time of the listing, I was relaying outgoing mail through
>my ISP's SMTP server (per their requirement).
Postfix was doing so. That does not say anything about any
compromised web scripts that might have been sending spam...
>I guess my question is related to the CBL and how it affects
>Postfix. If my server did in fact send out emails containing viruses
>and other forms of mal-ware, and routed it through my ISP's SMTP
>server, wouldn't their SMTP server get blacklisted instead of mine?
Yes.
>... or does the CBL look at more than just email protocols?
The CBL website is truthful as far as it goes, and last I looked it
said that the CBL only listed IP's behaving badly as SMTP clients
trying to pass mail to places that shouldn't be getting any mail.
What they don't define is what that bad behavior is precisely, but in
my direct experience you can get a little bit of detail in regards to
your listed IP by asking for it in email to the contact address on
the site. They won't give you full details, but it should be enough
to narrow down the problem.
Having used the CBL since its inception and having worked directly
with some listed addresses, I'm convinced that they only list IP's
that have tried to hand their trap systems spam. Whether that
includes backscattered spam from a normal mailserver, I can't say,
but it seems unlikely unless there's something else wrong with the
mailserver.
>I know the maintainers of the CBL won't say what the criteria are,
>and I understand why, but if I don't know what to look for, how am I
>supposed to find the problem?
Others have already said it, but I'll add my voice to the choir:
packet sniffing.
My first guess based on your description of your server is that you
probably have a cracked web script.
>Now I am in the process of doing network traffic analysis and other
>things to look for suspicious activity... but it's kinda hard not
>knowing what to look for.
Look for outbound TCP packets with destination port 25. Correlate
that to activity logged by Postfix. If you see anything that does not
fit, track it back to a process.
Oh, and stop the backscatter too. It may or may not be associated
with the CBL listing, but it is bad and it will give your mail system
a bad reputation even if it isn't in such an obvious way as a CBL
listing. I don't have any instant fixes for Postfix and Cyrus, but
one approach I've seen used well in similar situations is content
filtering that detects bounces and looks inside them to determine the
target user and reason for the bounce. The task then is to make a
guess about whether the original message was likely to have been junk
anyway (e.g. look for a scoring header in the body of the bounce) and
just drop bounces of messages that looked even slightly iffy on the
way in.
--
Bill Cole
bill scconsult.com
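The "find outbound port 25, correlate with Postfix, track it back to a process" check Bill describes, as an added example that is not part of the original thread: it reads constructed `ss -tnp` style socket output and a constructed mail.log line, and flags port-25 connections that either do not go to the ISP relayhost or belong to a PID that Postfix never logged as delivering. The host, relayhost and PIDs are hypothetical sample values.

```python
import re

# Constructed sample data (not from the thread): hypothetical host 192.0.2.10 relays
# everything through a hypothetical ISP relayhost 198.51.100.5, as the poster described.
SS_OUTPUT = """\
ESTAB 0 0 192.0.2.10:43210 198.51.100.5:25 users:(("smtp",pid=2214,fd=9))
ESTAB 0 0 192.0.2.10:51522 203.0.113.77:25 users:(("php-cgi",pid=3101,fd=5))
ESTAB 0 0 192.0.2.10:51523 203.0.113.78:25 users:(("php-cgi",pid=3101,fd=6))
ESTAB 0 0 192.0.2.10:38001 192.0.2.20:993 users:(("imapd",pid=900,fd=4))
"""
MAILLOG = """\
Dec  4 22:10:01 mail postfix/smtp[2214]: 7F3A1B2C: to=<user@example.org>, relay=198.51.100.5[198.51.100.5]:25, delay=0.4, status=sent (250 ok)
"""

# One `ss -tnp` line: state, recv-q, send-q, local, peer, owning process.
SS_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+\S+:\d+\s+(?P<dst>\S+):(?P<dport>\d+)\s+'
                   r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')
# Postfix smtp client delivery line: the PID in brackets is the process that opened the socket.
LOG_RE = re.compile(r'postfix/smtp\[(?P<pid>\d+)\]:.*relay=(?P<relay>[^\[\s]+)')


def postfix_smtp_pids(maillog):
    """PIDs of Postfix smtp client processes seen delivering in the mail log."""
    return {int(m.group('pid')) for m in map(LOG_RE.search, maillog.splitlines()) if m}


def suspicious_smtp_connections(ss_text, maillog, relayhost):
    """Port-25 connections that go somewhere other than the relayhost, or are owned by a
    process Postfix did not log as delivering; each hit carries the PID to chase down."""
    known = postfix_smtp_pids(maillog)
    hits = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m or m.group('dport') != '25':
            continue
        dst, proc, pid = m.group('dst'), m.group('proc'), int(m.group('pid'))
        reasons = []
        if dst != relayhost:
            reasons.append(f'destination {dst} is not relayhost {relayhost}')
        if pid not in known:
            reasons.append(f'pid {pid} ({proc}) has no postfix/smtp delivery in the log')
        if reasons:
            hits.append({'dst': dst, 'proc': proc, 'pid': pid, 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in suspicious_smtp_connections(SS_OUTPUT, MAILLOG, '198.51.100.5'):
        print(f"{hit['proc']}[{hit['pid']}] -> {hit['dst']}:25  ({'; '.join(hit['reasons'])})")
```

On a live system the same logic applies to a packet capture filtered on `tcp dst port 25`: the source port in the capture is what ties a packet back to the socket line and its PID.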