0

I have a website hosted in a vps that sends informative emails to my clientes, maybe 20-40 emails per day. Since few weeks ago some sent emails are bouncing with the following error:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

destination@example.com SMTP error from remote mail server after RCPT TO:: host mx1.emailsrvr.com [173.203.2.36]: 554 5.7.1 ACL dns_rbl; Client host [MY-IP] blocked using sa-dnset.blagr.emailsrvr.com=127.24.0.2 Please visit http://bounce.emailsrvr.com/?a0 for more information on why this message could not be delivered

------ This is a copy of the message, including all the headers. ------

**MY-IP is the ip of my vps server*

Tracking the error according to details in the email body, I found that my ip is blacklisted in Blocklist Removal Center with the following warning:

Technical Details:

The sending IP address or domain of the message is currently on a blacklist. The intended recipient will need to safelist the IP address the message is being sent from. Please use an alternate method to relay this information to the intended recipient. To find out more information on where the sending host is blacklisted, enter the IP address, located in the rejected message, into our Blacklist Aggregator.

Why is the ip blacklisted?

Following up the warning and information provided, this is happened to me because:

  1. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
  2. It was last detected at 2014-03-26 19:00 GMT (+/- 30 minutes), approximately 3 days, 1 hours, 30 minutes ago.
  3. The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.

Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH

What should I do in this case?

The only way to definitely remove a rootkit is to format all partitions on the server, then reinstall the operating system. Once a system has been root compromised, there is no way to confidently clean it up, because with root access, backdoors can be placed that you cannot detect. Essentially, once a server has been root compromised, it can never be trusted again, no matter what steps are taken to try to clean it.

So, what is the question here?

I am really tired dealing with emails that are never sent correctly. Also, yahoo neither hotmail are not getting the messages at inbox, but spam does.

My plan from here is to hire another hosting provider with a new ip address from scratch, make use of security procedures to avoid this situation again but I want take advantage of this change and install a S/MIME certificate to give emails more security (as a friend's recommendation).

  • Will a S/MIME certificate help me to minimize emails at spam folder on yahoo and hotmail?
  • How a S/MIME certificate will help me in this situation?
Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
manix
  • 165
  • 1
  • 1
  • 8

2 Answers2

2

If the analysis provided in the question is correct it sounds like the particular incident referenced there goes well beyond just not being able to deliver mail; the system had been compromised and other bad things may be going on as well in addition to it having been blacklisted because of sending spam, etc.

Obviously you'll want to do all you can to avoid something like that happening again.

As for having a mail server and the mail it delivers "look trustworthy" I think focusing on the basics may be more effective than S/MIME.

  • Stay in control of what mail is sent from you
    • Lock down relay access
    • Don't send out mail that may come across as 'spammy'
    • Obviously all of the above relies on that the server has not been compromised
  • Have the "mailname" (name that the mail server software uses to present itself) set to the canonical name of the mail server
    • This name should resolve to the IP of the server
    • The reverse record (PTR) for the IP of the server should match this name
  • Set up SPF for your domain name(s), explicitly indicating that the owner of the domain name allows the IP of your mail server to deliver mail from this domain
  • Set up DKIM on your mail server and your domain name(s). A signature proves that the mail is originating from a server which has the key that the owner of the domain name specified (somewhat overlaps with SPF but with cryptographical rather than IP-based validation)
Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
  • Every setup detailed by you made my new vps works as superman. Now there is not kriptonite here! – manix Apr 07 '14 at 18:15
2

S/MIME does nothing to minimize bounces. You can use it to sign (and encrypt) the informative emails you send, or you can use OpenPGP as an alternative. In both cases, recipients can verify signatures only upon delivery.

SPF and DKIM can improve deliverability. They protect your domain name, not the IP address. A few more tips:

  • Check the firewall settings and install some intrusion detection package.
  • Register on DNSWL.
  • Request DMARC reports if you want to track the effectiveness of SPF and DKIM.
  • Register on any FeedBack Loop that may be relevant to you.
Ale
  • 158
  • 4
  • 1
    It is perfectly possible that the fact that a message is S/MIME signed is being considered in spam filter rules. As virtually none of the spam mail sent today actually is being signed, it would be a rather valid filter rule for ham. – the-wabbit May 15 '14 at 08:12