
I own a small business with two servers for webhosting. When setting up the primary (CentOS 5.5 + WHM, secondary is WHM DNS Only) server I kinda messed up the firewall, so the hackers could send stuff from my server. My primary IP is x.y.29.218.

Anyway - I got blacklisted in several places, but those blacklistings have now been gone for a week or so. Google, however, still has my IP blacklisted.

I'm handling serious damages because of that. Many clients want to switch from my hosting, etc.

I've fixed the hole with the CSF firewall SMTP_BLOCK option and also enabled the WHM SMTP Tweak.

Currently all I see from the Main >> Email >> View Mail Statistics (Errors section) in WHM is rows and rows of the following message:

    removed-the-email-address-for-security R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host aspmx.l.google.com [a.b.39.27]:
    550-5.7.1 [x.y.29.218 1] Our system has detected an unusual rate of
    550-5.7.1 unsolicited mail originating from your IP address. To protect our
    550-5.7.1 users from spam, mail sent from your IP address has been blocked.
    550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
    550 5.7.1 our Bulk Email Senders Guidelines. h24si3868764fas.171

What are my options?

I have one IP free. How can I configure Exim to send mail from that IP?

My brain is like constantly blowing up because of this problem. Please, someone who has any knowledge of how to deal with the current situation, give me some kind of help - any help, suggestions, etc.

I've tried everything I know, and I still don't know much, because this is the first time (I just started webhosting, etc.) I'm dealing with real physical servers, not some kind of pre-set-up VPS solution.

Many, many thanks to whoever has time to offer some help.

Lekensteyn
Reyo
  • As noted by Chris S, the ban is most likely temporary, although moving to the URL noted in the SMTP logs will more than likely provide you with a path of speediest resolution by working with google directly. You *can* switch IPs which may be better but may introduce other issues. I would file a request with google to have the IP unblocked. – Charles Dec 17 '10 at 15:36

2 Answers

Fix your mail server, and ensure you don't make a faulty setup again that allows relaying. I advise you to check your own users' mail for spam too, to ensure none of your own users spam, either deliberately or because their mail account gets stolen and the thief uses it to legitimately try to spam from your server.

When that is done, change the IP of your mail server to the other available IP and adjust DNS records to reflect the IP change.

You can force mails to be sent from the other IP with an SNAT rule in iptables (-A appends the rule; -D would delete it):

    iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source ot.her.ip.address

Extra: add an SPF record in the zone that will confirm the new IP is a legit source to send mails for the domain(s). Add a DKIM filter to sign mails.

Oh, and if I may suggest, try replacing Exim with Postfix.

Hrvoje Špoljar
  • What Hrvoje Špoljar suggests is right. You should really consider setting an SPF record in the domain. Google mail validates SPF records. If you don't have any, your email may end up in the spam folder. – tftd Feb 19 '11 at 13:30
  • I currently "waited it out" and installed CSF and ClamAV. Found an emailing script on the server - back to toaster.php or _toaster.php or something like it. Anyway - removed it. Disabled SMTP relay and set up a pretty strict emailing system. Why should I use Postfix, not Exim? Exim is the default for cPanel WHM – Reyo Feb 20 '11 at 17:54
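The SNAT approach from this answer and the Exim-side alternative the question asked about ("how can I configure Exim to send mail from that IP?"), as an added example that is not part of the answer and not cPanel's or Exim's own code. NEW_IP, HELO_NAME and the transport name remote_smtp are placeholders/assumptions; the rule is made idempotent and the fragment is paired with the checks that must hold before the new IP is used.

```shell
#!/bin/sh
# Added example, not part of the answer above. It wires up the two ways of
# moving outbound SMTP to a spare IP that the thread discusses: the iptables
# SNAT rule from the answer (made idempotent) and Exim's own transport
# "interface" option, which is what the question actually asked for.
# NEW_IP and HELO_NAME are placeholders; substitute the real spare IP and
# the hostname whose PTR record points at it.
NEW_IP="${NEW_IP:-192.0.2.10}"
HELO_NAME="${HELO_NAME:-mail.example.com}"

# Rule spec shared by -C (check), -A (append) and -D (delete), so the same
# string is used everywhere. Note -A, not -D: -D removes a rule.
snat_rule() {
    printf '%s' "POSTROUTING -p tcp --dport 25 -j SNAT --to-source $NEW_IP"
}

# Append the rule only if it is not already there (iptables -C returns
# non-zero when no matching rule exists). Needs root.
ensure_snat_rule() {
    # shellcheck disable=SC2046  # word splitting of the rule spec is intended
    if iptables -t nat -C $(snat_rule) 2>/dev/null; then
        echo "SNAT rule already present"
    else
        iptables -t nat -A $(snat_rule)
    fi
}

# Exim alternative: bind the remote_smtp transport to the spare IP and make
# the HELO name match that IP's PTR record, so the receiving side sees a
# consistent identity. On WHM, apply this through the Exim Configuration
# Manager's advanced editor rather than editing exim.conf by hand (assumption:
# the default transport is still named remote_smtp, as on stock cPanel).
exim_transport_fragment() {
    cat <<EOF
remote_smtp:
  driver = smtp
  interface = $NEW_IP
  helo_data = $HELO_NAME
EOF
}

# Whichever method is used, the PTR of NEW_IP, the HELO name and the SPF
# record must all agree, or the new IP will be rejected just like the old
# one. This only lists what to verify before switching.
switch_checklist() {
    printf 'PTR of %s must resolve to %s\n' "$NEW_IP" "$HELO_NAME"
    printf 'SPF for each sending domain must include ip4:%s\n' "$NEW_IP"
}
```

Moving IPs without first removing the spam source (the answer's first step) only burns the second IP, since the block is tied to sending behaviour, not the address.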

You're likely in the first level of ban; you'll just have to wait it out. It doesn't take that long. If you sent them a lot of spam over a long period of time, you're perma-banned. I don't know if/how that can be undone.

Chris S
  • How long will the "process" usually take? I'm seeing only legit emails in the error log now. – Reyo Dec 22 '10 at 23:12
  • I don't know the exact amount of time, and I suspect it's some formula similar to n hours * e-mails received + x days. Most I've seen are around a week. Unfortunately Google isn't upfront about the process, so it's impossible to tell, and there's virtually no recourse. – Chris S Dec 23 '10 at 03:24
  • @ChrisS Hello Chris. When searching Google and it blocks due to frequent queries, do you know what is the block time until it's removed? – Boris_yo Jun 09 '14 at 07:49
  • @Boris_yo It's usually quite short, <1 day certainly. If you're still blocked, it's because you're still sending too many queries. This usually happens because you are sending automated queries (which is against their TOS), or have a number of people behind a misconfigured proxy (making Google think that all the queries are from a single computer). – Chris S Jun 09 '14 at 13:31