0

I don't know if this is the right place to ask this kind of question but here goes.

I have 3 IPs on my server, which I run for shared hosting. The main shared IP gets blacklisted sometimes. Obviously, sometimes an account is compromised and it sends out spam, so the IP gets blacklisted; that I can understand. I try to limit it as much as I can, but where I am from it is really hard to convince a customer to update their CMS so they don't keep getting hacked.

And that goes for most accounts, so there is no point in kicking them all really : )

The strange thing though is that I have an important account on a dedicated IP, which I thought would solve the blacklisting problem for him! To my surprise this IP address got blocked as well, even though it did not send out any spam. Maybe only because it is on the same subnet?? Or how do those blacklists end up blocking my other IP?

Also, if you guys can point me in the right direction as to what measures I should take to prevent this from happening again and again: I thought clamd or spamassassin should work to prevent spam, but obviously they work for incoming messages, not outgoing messages.

I decided to take a somewhat drastic measure: I will set up a script that runs every hour or so, counts the number of messages in the queue for each domain, and if the number exceeds X messages, the domain will be blocked from sending email until reviewed.

Is there anything I can do to actually DETECT outgoing spam, so it does not have to flood the queue?

Thanks

Michael Hampton
AL-Kateb
  • Your question is essentially, "I'm a spam source -- why do I keep getting treated like a spam source?" Blacklists are smart. You need to fix your spam problem. If you don't feel like you have the resources to control spam, employ someone who does to handle your (and/or your customers) outgoing emails. – David Schwartz Dec 19 '16 at 09:37
  • @DavidSchwartz Thank you very much, I did not know I needed to fix my problem! And it has never occurred to me that if I was unable to solve the problem myself I could hire someone to do it! That was a very helpful insight. – AL-Kateb Dec 21 '16 at 14:50
  • Glad to help. That will solve your problem, and it's the right way to solve your problem. – David Schwartz Dec 22 '16 at 07:35
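
The hourly queue check the question describes, written out as an added example (this is not the asker's script). It parses the text output of `postqueue -p`, counts non-held queue entries per envelope-sender domain, and for domains over the threshold emits Postfix `check_sender_access` map lines plus the queue IDs to put on hold with `postsuper -h`. The sample queue listing is constructed for the example, and the threshold, the map path and the REJECT text are choices made here, not anything from the original post.

```python
import re
import subprocess
from collections import Counter

# One `postqueue -p` entry line: queue ID, optional flag (* = active, ! = held),
# size, arrival time, envelope sender. Recipient lines below it are indented
# and deferral reasons are in parentheses, so neither matches this pattern.
_ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<sender>\S+)\s*$"
)

# Constructed sample of `postqueue -p` output (not captured from a real host).
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B2C3D*     2345 Tue Dec 15 11:02:17  noreply@shop.example
                                         victim1@example.net
                                         victim2@example.net

B7C8D9E0F1      1876 Tue Dec 15 11:02:20  noreply@shop.example
(connect to mx.example.org[203.0.113.5]:25: Connection refused)
                                         victim3@example.org

C1D2E3F4A5      1790 Tue Dec 15 11:02:31  webmaster@shop.example
                                         victim4@example.com

D9E8F7A6B5!      990 Tue Dec 15 10:58:03  info@clean.example
                                         partner@example.org

E5F4A3B2C1      1102 Tue Dec 15 11:03:00  MAILER-DAEMON
                                         bounced@example.net

-- 8 Kbytes in 5 Requests.
"""


def parse_queue(text):
    """Return (queue_id, flag, sender) for every message line in postqueue -p output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group("qid"), m.group("flag"), m.group("sender")))
    return entries


def _domain(sender):
    # Bounces (MAILER-DAEMON) and empty senders have no domain to attribute.
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else None


def count_by_sender_domain(entries):
    """Count queued messages per envelope-sender domain, ignoring held mail."""
    counts = Counter()
    for _qid, flag, sender in entries:
        domain = _domain(sender)
        if flag == "!" or domain is None:  # already on hold, or a bounce
            continue
        counts[domain] += 1
    return counts


def domains_over_threshold(counts, threshold):
    """Domains whose queued message count exceeds the threshold, sorted."""
    return sorted(d for d, n in counts.items() if n > threshold)


def access_map_lines(domains, reason="Outbound mail suspended pending review"):
    """Lines for a Postfix check_sender_access table (hash: map, run postmap on it)."""
    return [f"{d}\tREJECT {reason}" for d in domains]


def queue_ids_for_domains(entries, domains):
    """Queue IDs still to be held (postsuper -h) for the blocked domains."""
    wanted = set(domains)
    return [qid for qid, flag, sender in entries
            if flag != "!" and _domain(sender) in wanted]


if __name__ == "__main__":
    import sys
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 50
    listing = subprocess.run(["postqueue", "-p"], capture_output=True,
                             text=True, check=True).stdout
    entries = parse_queue(listing)
    blocked = domains_over_threshold(count_by_sender_domain(entries), threshold)
    # Print the map lines and the hold commands instead of applying them, so the
    # cron job's output can be reviewed before it is piped into postmap/postsuper.
    for line in access_map_lines(blocked):
        print(line)
    for qid in queue_ids_for_domains(entries, blocked):
        print(f"postsuper -h {qid}")
```

From cron, append the printed map lines to /etc/postfix/sender_access (an assumed path), run `postmap` on it and reference it with `check_sender_access` in Postfix; mail that already reached the queue is parked with the printed `postsuper -h` commands. Two limits are worth knowing before relying on this: the envelope sender is whatever the sending script put there, so a compromised site can spread its mail across several domains and stay under the per-domain threshold (on a shared host the Unix account that submitted the message, which Postfix logs for pickup mail, is the harder-to-forge key), and the check only fires once the queue has already filled, which is exactly the delay the question worries about.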

2 Answers

0

Sometimes your MTA sends messages that have well-known spam/viral signatures, but sometimes things are a bit more complicated. If some host inside your local network is infected by a botnet client, it can't send messages but can connect to the master host(s) of the botnet via NAT/proxy. If such a master host is seized by an antivirus service, every host that refers to it is classified as a bot host and listed in the BLs, even if no messages were really sent from it.

In that case you definitely can't determine which internal host is infected while the whole network is blacklisted. I've been trapped a few times that way and still can't help with it, as I can't restrict anything except the SMTP port.

Kondybas
  • As it turns out, the whole subnet is blacklisted! I will do my part and try to limit spam from my IPs, but this spam issue is such a hassle really. Thanks for the info though. – AL-Kateb Dec 15 '15 at 13:44
-1

The most respected blacklists (e.g. Spamhaus, SpamCop) will blacklist an IP only with evidence of a "bad" mail that was actually sent by that IP, and usually will provide on their website some hints about the mail that triggered the blacklisting.

Other lists are more approximate, and it can be difficult to detect what caused the inconvenience.

I suggest you scan ALL the mail received by your mail server with antispam software AND enforce policy limits. A good combination for Postfix is SpamAssassin (via amavisd or similar) + cluebringer.

SimoneLazzaris
    Spamhaus blacklisted my IP because another IP on that subnet was sending out spam, I can be sure of that because before yesterday that IP was never used, and it was not blacklisted, today it is! And because the other IP sent out spam, this clean IP was blacklisted as well. I read on "another" blacklist that the blocking is because a "neighboring" IP sent out spam, so I assume that was also the reason why spamhaus blacklisted my IP. – AL-Kateb Dec 15 '15 at 13:49
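
The answer's combination (amavisd-new running SpamAssassin and ClamAV as a Postfix content filter, plus a policy daemon for per-sender limits) as an added configuration example; this is not the answerer's own configuration. The amavisd-new ports (10024 in, 10025 reinjection) and the cluebringer policy port (10031) are their usual defaults and are assumed here, the sender_access map is the manual kill switch for a domain under review, and the ordering of the restrictions is this example's choice: the policy check is placed before the permit rules so that authenticated and local senders are subject to it, not only inbound clients.

```ini
# /etc/postfix/main.cf (added example, see the lead-in for the assumptions)

# Every message that Postfix accepts, whether it came in over SMTP/submission
# or was dropped off locally by a PHP script through /usr/sbin/sendmail, is
# handed to amavisd-new, which runs SpamAssassin and ClamAV on it.
content_filter = smtp-amavis:[127.0.0.1]:10024

# Reject or quota outbound senders at SMTP time. check_sender_access comes
# first so a domain that is "blocked until reviewed" is refused even from
# trusted networks; check_policy_service asks cluebringer (quotas per SASL
# user / sender) before the permit rules, so outbound mail is covered too.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/sender_access
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# Mail injected with the sendmail binary never passes smtpd, so the two
# checks above do not see it; the content_filter still does. To cut off a
# compromised shell/PHP account at that entry point, restrict who may submit
# locally (the default is static:anyone). Assumed path for the user list.
authorized_submit_users = hash:/etc/postfix/submit_users

# /etc/postfix/sender_access (run: postmap /etc/postfix/sender_access)
#   shop.example    REJECT Outbound mail suspended pending review

# /etc/postfix/master.cf additions for the amavisd-new round trip
#
# smtp-amavis unix -      -       n     -       2  smtp
#     -o smtp_data_done_timeout=1200
#     -o smtp_send_xforward_command=yes
#     -o disable_dns_lookups=yes
#     -o max_use=20
#
# 127.0.0.1:10025 inet n  -       n     -       -  smtpd
#     -o content_filter=
#     -o local_recipient_maps=
#     -o relay_recipient_maps=
#     -o smtpd_restriction_classes=
#     -o smtpd_delay_reject=no
#     -o smtpd_client_restrictions=permit_mynetworks,reject
#     -o smtpd_helo_restrictions=
#     -o smtpd_sender_restrictions=
#     -o smtpd_recipient_restrictions=permit_mynetworks,reject
#     -o mynetworks=127.0.0.0/8
#     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

The reinjection listener on 127.0.0.1:10025 clears content_filter so scanned mail is not scanned again, and restricts clients to localhost so nothing on the network can use it as an open relay. Whether SpamAssassin tags, quarantines or rejects outbound spam is decided in amavisd.conf, not here; for outbound mail, rejecting at SMTP time (so the sending account gets the error) is what keeps the queue, and therefore the blacklists, clean.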