I have a server running 5.0.13 NE on Ubuntu 8.04 and it's been running for a few months with no problems. All of a sudden I keep getting messages that it's been listed in the CBL.
Following a few of the posts on here, I have run a rootkit check and everything was fine. Since I'm running on Amazon's EC2, I checked my relay and made it very restrictive:
Mta trusted network: "127.0.0.0/8 10.254.199.144/32"
My external IP address has not changed... I'm not sure why we are getting on the CBL. Does anyone have any troubleshooting steps? What info should I be looking at and where would I find it?
Any help is greatly appreciated.
Have you asked CBL why your IP has been blacklisted?
Hi uxbod: I would love to talk to someone at CBL. I have emailed them but I haven't gotten through to them yet.
Here are some things I tried:
I tried to delist my ip a couple of times and it always ends up there.
I looked through the zimbra log and I couldn't find anything there.
I ran the rootkit software through "chkrootkit" and couldn't detect anything through that (except for the false positive on bindshell port 465. However, this has been mentioned various times on Google). Checking the pid using that port, I ran ps to see who that pid belonged to and it turned out to be one of the zimbra pids.
I'm really stuck. I know this may not be zimbra specific, but I figured that since all the zimbra admins collaborate here they may have some info to get me unstuck.
Have you tried running an Open Relay test?
It doesn't need to be your zimbra box that is getting you on the CBL either - you might have other machines that use the same internet connection, and thus can spam out of the same ip address. It's not a server that gets onto the CBL, it's an IP address.
You will definitely want to restrict outgoing tcp port 25 to only your zimbra box, and monitor everything on the router.
uxbod: I ran the open relay test and everything passed. I forgot to mention that in my first post.
captainmish: I understand that it could be other machines using the same internet connection. I own this IP on Amazon, so no one else uses that public IP except for us. As per the above first post, I have also restricted my mta trusted network to be "10.254.199.144/32" where 10.254.199.144 is the internal network IP address of the mailserver.
Update from CBL: Someone from there finally did get back to me. It seems like the problem may have been due to identification. This is what CBL wrote:
"Note: xxx.xx.xxx.xxx appeared to be suspicious because it was using the following name to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands:
This machine has 2 names that point to it: hostname.myisp.com and mail.mydomain.com. It seems that after months of operation, CBL doesn't like the machine identifying itself with hostname.myisp.com. I'm going to change that and see how it works out. I will keep you guys updated.
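Added example, not code from this thread, Zimbra or CBL: a small Python script for checking the two things the thread ends up circling around, the name a server uses to identify itself in SMTP and whether an address is covered by the MTA trusted networks list. It assumes Postfix defaults (the 220 banner and the outbound HELO name both come from `$myhostname`, so reading your own banner shows what other servers will see in HELO), and all host names, the 192.0.2.10 address and the DNS answers below are constructed placeholders mirroring the thread, not real hosts. The `assess_helo` check is written with DNS answers injected so it runs offline; `live_lookups` and `probe_banner` are the network versions for use against your own server.

```python
"""Check what a mail server announces in HELO/EHLO, whether that name is
consistent with forward and reverse DNS, and which Postfix mynetworks
entries would trust a given client address. Example code, not Zimbra's own."""
import ipaddress
import re
import smtplib
import socket

# --- constructed sample data: placeholder names from the thread, RFC 5737 test IP ---
SAMPLE_BANNER = "220 hostname.myisp.com ESMTP Postfix"
SAMPLE_PUBLIC_IP = "192.0.2.10"
SAMPLE_DNS = {                       # forward lookups a resolver would return
    "hostname.myisp.com": {"192.0.2.10"},
    "mail.mydomain.com": {"192.0.2.10"},
}
SAMPLE_PTR = "hostname.myisp.com"    # reverse DNS of the public IP
SAMPLE_MYNETWORKS = "127.0.0.0/8 10.254.199.144/32"   # the value quoted in the thread


def banner_hostname(banner):
    """Extract the host name from a 220 greeting line.

    With Postfix defaults this is $myhostname, which is also the default
    smtp_helo_name used for outbound mail (assumption: neither parameter
    has been overridden)."""
    m = re.match(r"220[ -](\S+)", banner.strip())
    return m.group(1) if m else None


def assess_helo(helo_name, public_ip, forward, ptr_name, owned_domains):
    """Return a list of findings about a HELO name.

    forward       dict name -> set of IPs (injected so the check runs offline)
    ptr_name      reverse DNS name of public_ip, or None if there is none
    owned_domains domains the admin actually controls (e.g. ["mydomain.com"])"""
    if not helo_name:
        return ["helo-missing"]
    findings = []
    name = helo_name.lower()
    if "." not in name or name == "localhost":
        findings.append("helo-not-fqdn")
    try:
        ipaddress.ip_address(name.strip("[]"))
        findings.append("helo-is-ip-literal")
    except ValueError:
        pass
    # the HELO name should resolve to the address the mail comes from ...
    if public_ip not in forward.get(helo_name, set()):
        findings.append("helo-forward-dns-mismatch")
    # ... and the reverse DNS of that address should point back to the same name
    if ptr_name is None:
        findings.append("no-reverse-dns")
    elif ptr_name.lower() != name:
        findings.append("helo-ptr-mismatch")
    # a generic provider name says nothing about who sends this mail
    if not any(name == d.lower() or name.endswith("." + d.lower()) for d in owned_domains):
        findings.append("helo-uses-provider-name")
    return findings


def trusted_by(ip, mynetworks):
    """Return the mynetworks entries (IPv4 CIDR, as in the thread) covering `ip`.

    Any match means Postfix will relay for that client without authentication,
    so a non-empty result for an outside address is a relay misconfiguration."""
    addr = ipaddress.ip_address(ip)
    return [entry for entry in mynetworks.split()
            if addr in ipaddress.ip_network(entry, strict=False)]


def live_lookups(name, ip):
    """Real forward/reverse DNS lookups, shaped like the offline sample data."""
    try:
        fwd = {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        fwd = set()
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        ptr = None
    return {name: fwd}, ptr


def probe_banner(host, port=25, timeout=10):
    """Connect to your own mail server and return its 220 greeting line."""
    s = smtplib.SMTP(timeout=timeout)
    code, msg = s.connect(host, port)
    s.quit()
    return f"{code} {msg.decode(errors='replace')}"


if __name__ == "__main__":
    helo = banner_hostname(SAMPLE_BANNER)
    print("server identifies as:", helo)
    print("findings:", assess_helo(helo, SAMPLE_PUBLIC_IP, SAMPLE_DNS, SAMPLE_PTR, ["mydomain.com"]))
    print("after renaming:", assess_helo("mail.mydomain.com", SAMPLE_PUBLIC_IP,
                                         SAMPLE_DNS, SAMPLE_PTR, ["mydomain.com"]))
    print("trusted entries for 192.0.2.10:", trusted_by("192.0.2.10", SAMPLE_MYNETWORKS))
```

Run against the constructed data, the provider name produces only `helo-uses-provider-name`, which matches what CBL objected to. Renaming the server to mail.mydomain.com without touching reverse DNS trades that for `helo-ptr-mismatch`: the PTR record for the public address has to be updated to the new name as well, otherwise the forward-confirmed reverse DNS check that blocklists rely on still fails. The `trusted_by` call is a quick way to confirm that only 127.0.0.0/8 and the internal 10.254.199.144 host are trusted and that the public address (or any outside client) is not.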