I have a website hosted in a vps that sends informative emails to my clientes, maybe 20-40 emails per day. Since few weeks ago some sent emails are bouncing with the following error:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:
destination@example.com
SMTP error from remote mail server after RCPT TO::
host mx1.emailsrvr.com [173.203.2.36]: 554 5.7.1 ACL dns_rbl; Client host [MY-IP] blocked using
sa-dnset.blagr.emailsrvr.com=127.24.0.2 Please visit
http://bounce.emailsrvr.com/?a0 for more information on why this
message could not be delivered
------ This is a copy of the message, including all the headers. ------
**MY-IP is the ip of my vps server*
Tracking the error according to details in the email body, I found that my ip is blacklisted in Blocklist Removal Center with the following warning:
Technical Details:
The sending IP address or domain of the message is currently on a
blacklist. The intended recipient will need to safelist the IP address
the message is being sent from. Please use an alternate method to
relay this information to the intended recipient. To find out more
information on where the sending host is blacklisted, enter the IP
address, located in the rejected message, into our Blacklist
Aggregator.
Why is the ip blacklisted?
Following up the warning and information provided, this is happened to me because:
- It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
- It was last detected at 2014-03-26 19:00 GMT (+/- 30 minutes), approximately 3 days, 1 hours, 30 minutes ago.
- The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.
Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH
What should I do in this case?
The only way to definitely remove a rootkit is to format all partitions on the server, then reinstall the operating system. Once a system has been root compromised, there is no way to confidently clean it up, because with root access, backdoors can be placed that you cannot detect. Essentially, once a server has been root compromised, it can never be trusted again, no matter what steps are taken to try to clean it.
So, what is the question here?
I am really tired dealing with emails that are never sent correctly. Also, yahoo neither hotmail are not getting the messages at inbox, but spam does.
My plan from here is to hire another hosting provider with a new ip address from scratch, make use of security procedures to avoid this situation again but I want take advantage of this change and install a S/MIME certificate to give emails more security (as a friend's recommendation).
- Will a S/MIME certificate help me to minimize emails at spam folder on yahoo and hotmail?
- How a S/MIME certificate will help me in this situation?
Answer
If the analysis provided in the question is correct it sounds like the particular incident referenced there goes well beyond just not being able to deliver mail; the system had been compromised and other bad things may be going on as well in addition to it having been blacklisted because of sending spam, etc.
Obviously you'll want to do all you can to avoid something like that happening again.
As for having a mail server and the mail it delivers "look trustworthy" I think focusing on the basics may be more effective than S/MIME.
- Stay in control of what mail is sent from you
- Lock down relay access
- Don't send out mail that may come across as 'spammy'
- Obviously all of the above relies on that the server has not been compromised
- Have the "mailname" (name that the mail server software uses to present itself) set to the canonical name of the mail server
- This name should resolve to the IP of the server
- The reverse record (PTR) for the IP of the server should match this name
- Set up SPF for your domain name(s), explicitly indicating that the owner of the domain name allows the IP of your mail server to deliver mail from this domain
- Set up DKIM on your mail server and your domain name(s). A signature proves that the mail is originating from a server which has the key that the owner of the domain name specified (somewhat overlaps with SPF but with cryptographical rather than IP-based validation)
No comments:
Post a Comment