Frequent Web Server Blacklisting - What to do?

Hi

For at least a couple of years now, on and off, our supported dedicated web server has been frequently added to a handful of blacklists (UCEPROTECTL1, SPAMCOP etc) and suffered, during that blacklisting, a Poor reputation on senderbase.org.

The result is a series of calls and emails from upset clients who host with us complaining that their outbound email is bouncing and that some inbound is not reaching them. Lasts for 7 to 10 days or so. Bit of a drag all round then.

The cause invariably is one of our clients’ web hosting accounts being compromised and sending out thousands of emails.

When we discover we are blacklisted - several hours after the problem first occurred - we change the passwords and gradually recover our reputation and are removed from blacklists. Until the next incident…

There are, I’m afraid, rather a lot of accounts set up on the server - 283 in total.

And rather a mixed bag in terms of ‘quality’ - some tech savvy clients and others who may be less than diligent with their own pc security.

When we have raised this problem with our server’s support they have suggested that we are always likely to have problems with such a large number of accounts - some with weak passwords and security.

And the problems keep on coming. 1 to 2 incidents a month.

Given that we appear to have no end of clients whose accounts can be compromised, either on or off the server, does anybody have any suggestions for what we can do to prevent thousands of emails being sent out - both short and long term?

I’m thinking of:-

  • ways to configure the server to prevent thousands of emails being sent.
  • Services which alert us to blacklisting
  • ways to manage clients email going forward
    etc etc

Just for your info the server is: Intel™ Xeon Starlake E5205 1.86GHz (Dual Core), 2GB DDR2 ECC SDRAM, 50gig Diskless Storage, Linux CentOS.

TIA
Pete

How is the server configured, does it have a control panel like cPanel or are you running everything from ssh?

I would be concerned more about your server security/hardening techniques to be honest if you are experiencing this often.

Yep. It has cPanel.

Ok well that’s much easier then, from within WHM: Server Configuration > Tweak Settings > Mail > Max hourly emails per domain. You can limit the number of outgoing mails each account can send per month. It will help you significantly by setting a cap.

In addition to that just do a simple check every couple of days or even once a week on the mail Q’s. Again in WHM Email > click View Sent Summary, enter a date range and it will show you where all the mail is coming from, generally speaking it is easy to see where there may be an issue. You can check suspicious volumes to see what is actually being sent and spam can be spotted from a mile off.

Excellent Tip. Excellent. Thank you. :)

You’re welcome, now as you are running cPanel you should also install CSF, it’s a firewall, spam detector and many other things, including options to monitor mail and send you email alerts if it’s excessive. If you already have it installed go and look in the configuration section.

If you are not using it (it’s free and used by pretty much most cPanel hosts) go check it here:

http://configserver.com/cp/csf.html

And very easy to install > http://configserver.com/free/csf/install.txt

Just be careful if you are already running a different firewall or have your own iptables rules running as it could remove them.

Additionally, have the host install maldet and have it run on AT LEAST a daily basis (I’d do it every six hours with that number of accounts). Maldet will scan for malware which is installed by your clients and/or hackers and will notify you of its presence (I believe it can also delete the offending code). SUSPEND any account with a maldet warning and advise the client that the account will be closed if they can’t keep their website secure. ALL your clients will appreciate the increase in “quality” you mentioned as everyone is injured by your failure to maintain server security.

Regards,

DK

Thanks both. I will check out both of these programs and run them by our Support.
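
The per-account volume check discussed in this thread can also be scripted. The following is an added example, not part of the original thread or of cPanel/CSF: it counts messages accepted per sender per hour from an Exim main log (cPanel's mail server is Exim) and lists senders over a limit. The log lines, account names and the limit of 50 are constructed for illustration.

```python
import re
from collections import Counter

# "<=" marks a message Exim accepted for delivery; "=>" delivery lines are ignored.
ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} \S+ <= (\S+) (.*)$")

def sender_key(envelope, rest):
    """Attribute a message to whoever injected it, not to the forgeable From address."""
    auth = re.search(r"\bA=[^:\s]+:(\S+)", rest)   # authenticated SMTP login
    if auth:
        return "smtp-login:" + auth.group(1)
    user = re.search(r"\bU=(\S+)", rest)           # local account (web script, cron)
    if user:
        return "local-user:" + user.group(1)
    return "envelope:" + envelope

def hourly_counts(log_text):
    """Count accepted messages per (hour, sender). Counts messages, not recipients."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or m.group(3) == "<>":            # skip non-arrivals and bounces
            continue
        day, hour, envelope, rest = m.groups()
        counts[(f"{day} {hour}:00", sender_key(envelope, rest))] += 1
    return counts

def over_limit(log_text, limit):
    """Return (hour, sender, count) rows where one sender exceeded `limit` in an hour."""
    return sorted((h, who, n) for (h, who), n in hourly_counts(log_text).items() if n > limit)

# Constructed sample: normal traffic, one bounce, then a burst from one account.
SAMPLE_LOG = "\n".join([
    "2024-03-01 09:58:12 1rfA01-0001aa-01 <= info@shop.example U=shopacct P=local S=1432",
    "2024-03-01 10:02:40 1rfA02-0001aa-02 <= owner@agency.example H=(laptop) [203.0.113.7] "
    "P=esmtpa A=dovecot_login:owner@agency.example S=5120",
    "2024-03-01 10:02:41 1rfA02-0001aa-02 => client@dest.example R=lookuphost T=remote_smtp",
    "2024-03-01 10:03:00 1rfA03-0001aa-03 <= <> R=1rfA02-0001aa-02 U=mailnull P=local S=3100",
] + [
    f"2024-03-01 10:{m:02d}:{s:02d} 1rfB{m:02d}-0001bb-{s:02d} <= blog@blog.example U=blogacct P=local S=2210"
    for m in range(5, 10) for s in range(0, 60, 5)
])

if __name__ == "__main__":
    for hour, who, n in over_limit(SAMPLE_LOG, limit=50):
        print(f"{hour}  {who}  sent {n} messages")
```

On a cPanel server the Exim main log is normally /var/log/exim_mainlog; pass its contents to `over_limit` from cron and mail yourself the result to catch a burst within the hour rather than after the blacklisting.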