SOLVED Spam bypassing RBL check

pwaara

Member
Aug 10, 2016
22
1
53
Hawaii
cPanel Access Level
Root Administrator
I have one user who is receiving a great deal of spam. It looks like the spam is bypassing the RBL checks I have set up on the server. (The spam IPs are all listed in the RBLs.) The one clue I see is that the authentication is listed as localdelivery. How is this happening, and how do I stop it? I've tried changing this user's email password, but that had no effect. Any suggestions greatly appreciated. Here is an example of one of the delivery reports.

Code:
    Event:

    success [
    Sender User: -remote-
    Sender Domain:
    Sender: [email protected]
    Sent Time: Nov 30, 2016 4:42:16 PM
    Sender Host: things.domain.top
    Sender IP: 91.219.xxx.xxx
    Authentication: localdelivery
    Spam Score: 0
    Recipient: [email protected]
    Delivered To: [email protected]
    Delivery User: someusr
    Delivery Domain: example.com
    Router: virtual_user
    Transport: dovecot_virtual_delivery
    Out Time: Nov 30, 2016 4:42:16 PM
    ID: 1cCHJz-0002b8-PU
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 5.09 KB
    Result: Accepted
 
Last edited by a moderator:

SysSachin

Well-Known Member
Aug 23, 2015
604
49
28
India
cPanel Access Level
Root Administrator
Twitter
You are the root administrator of your server so can you please try to check this mail logs with the following command and update here.

Code:
grep 1cCHJz-0002b8-PU /var/log/exim_mainlog
 

pwaara

Member
Aug 10, 2016
22
1
53
Hawaii
cPanel Access Level
Root Administrator
You are the root administrator of your server so can you please try to check this mail logs with the following command and update here.

Code:
grep 1cCHJz-0002b8-PU /var/log/exim_mainlog
Thanks for the reply. Here's what I got.

Code:
grep 1cCHJz-0002b8-PU /var/log/exim_mainlog
2016-11-30 16:42:04 1cCHJz-0002b8-PU <= [email protected] H=(things.domain.top) [91.219.238.138]:37755 P=esmtp S=5214 id=11740006101551[email protected] T="some title here." for [email protected]
2016-11-30 16:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCHJz-0002b8-PU
2016-11-30 16:42:04 1cCHJz-0002b8-PU => christine <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> AR4XJfyNP1j1JgAAfcuP6A Saved"
2016-11-30 16:42:04 1cCHJz-0002b8-PU Completed
 
Last edited by a moderator:

pwaara

Member
Aug 10, 2016
22
1
53
Hawaii
cPanel Access Level
Root Administrator
Anyone? The most suspicious thing I see is that all the spam that is getting through is authenticated as localdelivery, which will immediately accept the message, therefore bypass the RBL check. The question is, why is are the spam emails getting marked as local delivery? Anyone have any ideas? I've been researching this one for days, and I'm stuck.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
2016-11-30 16:42:04 1cCHJz-0002b8-PU <= [email protected]
Hello,

Is this the username of an account on the system? If so, it's possible the messages are coming from a script installed on the account. The following command may help you better determine where the email is coming from:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the source and the number of messages from each source.

Thank you.
 

pwaara

Member
Aug 10, 2016
22
1
53
Hawaii
cPanel Access Level
Root Administrator
Hello,

Is this the username of an account on the system? If so, it's possible the messages are coming from a script installed on the account. The following command may help you better determine where the email is coming from:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the source and the number of messages from each source.

Thank you.
No, the source of the spam is definitely not one of the scripts. All accounts only sending a handful of emails. The only entry that has any significant email is

Code:
1075 cwd=/var/spool/exim
Any other ideas? I've been digging for days and can't find anything.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here and we will update this thread with the outcome.

Thank you.
 

pwaara

Member
Aug 10, 2016
22
1
53
Hawaii
cPanel Access Level
Root Administrator
After much investigation, it appears that everything is actually working as intended. What was confusing was that IP addresses that were on RBLs were delivering mail. After closely watching the logs and the RBLs, what appears to be happening is that a spam email gets delivered as the IP address is not on the checked RBLs, but a few seconds later that IP address shows up on the RBL and subsequent emails are not delivered. Either the RBLs were incorrectly reporting that the IP was not on the list or the IP got added quickly after the first fail. As more and more of the IPs are getting listed, fewer spam emails are getting through. Plus, a large majority of the spam was coming from .top TLD domains, so I added a filter to reject anything from *.top.

Not sure if this will help anyone, but I wanted to let everyone who runs into similar issues what happened with me.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Hello,

Thank you for taking the time to update this thread with the outcome. I'm marking this thread as resolved.