Server blacklisted by CBL (How can I find the cause?)
  •  
Will Mayall

Our server has been blacklisted by CBL twice in the past 3 days but I can find nothing out of the ordinary in the logs or traffic charts. The server has not been blacklisted before and has run for 5+ years.

I really think that all the basics have been done regarding relaying and authentication.

If it is a user's computer that is infected, I don't see anything obvious. I sent a message to all users to check their computers but you know how effective that is...

Any thoughts on how I can track this down?

Log settings or searches that will help?

Thanks for any help!

Will Mayall
  •  
hberm001

If it is a computer that is infected, the mail is likely not passing through Kerio at all. You would have to do some sniffing for outgoing mail at your gateway/router/etc., depending on your network setup.
  •  
Pavel Dobry (Kerio)

I guess you will find the answer on the CBL website: http://cbl.abuseat.org

Quote:

CBL zone download users

Important: If you are doing CBL zone downloads, please change the host name to rsync.abuseat.org. See this for further information.

I'm listed, what do I do?

The CBL has easy self-removal. See: CBL Lookup AND Removal. It will provide you with information on why the IP was listed, and a link to do self-removal. The rest of these web pages are intended to help you understand what could cause a listing, and how to diagnose the problem.

  •  
Will Mayall

I read through the CBL page carefully without finding the answer. My server does not match their description of an infected machine. The server does not do NAT for others. It is a Mac OS X Server.

Does anyone know of anything that can infect a Mac OS X Server and, if so, how to detect it?

I'm currently logging via the firewall all traffic but that seems like it will be pretty tough to go through.

Again, thanks. It has been so long since I've had any problem on the server and this one is especially nasty.
  •  
hberm001

The CBL doesn't blacklist servers, it blacklists by IP. So if any malicious traffic (in this case spam related) is detected, the IP is marked bad. This means if your outgoing mail uses the same IP as any other computer(s) you could have a possible problem on any one of those machines. Remember, outgoing mail doesn't require access to your mail server, it can go straight out to the internet from other programs, in this case maybe some malicious software.
  •  
Will Mayall

FYI. CBL removes an IP address very quickly via their lookup tool:

http://cbl.abuseat.org/lookup.cgi

After removal, the lookup tool reports the date, time, and reason for the previous listing.

When an IP address gets blacklisted again, CBL warns that the IP address may be permanently blacklisted. They do not give information about how quickly or how many times it takes to get permanently blacklisted.

After about 8 days, the lookup tool removes the information about the previous listing. My guess is that this 8 days is when blacklisting is permanently removed. Again, this is just a guess.

Will Mayall

[Updated on: Wed, 02 October 2013 18:56]

  •  
BudDurland

The first thing to do is use the firewall to block SMTP (ports 25 & 587) traffic from any host other than your Kerio Connect server.

Good is better than evil because it's nicer
--Mammy Yokum
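
Added example, not written by any poster in this thread: one way to work through the firewall log discussed above is to list every internal host other than the mail server that opened an outbound connection to port 25 or 587. The log lines are a constructed iptables-style sample and `MAIL_SERVER` is an assumed address; adapt the field names to whatever your firewall actually writes.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"  # assumption: internal address of the Kerio Connect host
SMTP_PORTS = {25, 587}        # the ports named in the post above

# Constructed sample lines in an iptables-style key=value format (not real traffic).
SAMPLE_LOG = """\
Oct  2 03:14:07 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=50112 DPT=25
Oct  2 03:14:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49210 DPT=25
Oct  2 03:14:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.88 PROTO=TCP SPT=49211 DPT=25
Oct  2 03:14:10 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.40 PROTO=TCP SPT=49212 DPT=25
Oct  2 03:15:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=203.0.113.9 PROTO=TCP SPT=53001 DPT=587
Oct  2 03:15:30 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49300 DPT=443
Oct  2 03:15:31 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=198.51.100.53 PROTO=UDP SPT=40000 DPT=53
Oct  2 03:15:40 gw kernel: truncated line without fields
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def direct_smtp_senders(log_text, mail_server=MAIL_SERVER, ports=SMTP_PORTS):
    """Return {src_ip: {"connections": n, "destinations": set}} for every host
    other than the mail server that opened outbound TCP to an SMTP port."""
    hits = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue  # skip non-TCP and malformed lines
        if int(f["DPT"]) not in ports or "SRC" not in f or f["SRC"] == mail_server:
            continue  # not SMTP, or legitimate mail from the server itself
        hits[f["SRC"]]["connections"] += 1
        hits[f["SRC"]]["destinations"].add(f.get("DST"))
    return dict(hits)


def ranked(hits):
    """Hosts sorted by number of distinct destinations, most first: a machine
    talking SMTP to many different servers is the first one to inspect."""
    return sorted(hits, key=lambda ip: (-len(hits[ip]["destinations"]), ip))


if __name__ == "__main__":
    found = direct_smtp_senders(SAMPLE_LOG)
    for ip in ranked(found):
        print(ip, found[ip]["connections"], "connections,",
              len(found[ip]["destinations"]), "distinct destinations")
```

Once the firewall rule from the post above is in place, the same script run over the deny log shows which hosts are still trying to send mail directly.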