LINUX.ORG.RU


CentOS 6.4 x32 + ISPmanager = This IP is present in blacklists

Forum — General

Please help, anyone who can, or at least point me in the right direction; I'm new to this, so don't judge too harshly. When I check on this service, http://ru.smart-ip.net/spam-check/ (IP spam test), it reports "CBL: listed". Here is what is written at the link:

IP Address 000.000.000.000 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-01-26 09:00 GMT (+/- 30 minutes), approximately 4 hours, 30 minutes ago.

It has been relisted following a previous removal at 2014-01-25 11:04 GMT (1 day, 1 hour, 48 minutes ago)

This IP address is HELO'ing as «localhost.localdomain» which violates the relevant standards (specifically: RFC5321).

The CBL does not list for RFC violations per se. This _particular_ behaviour, however, correlates strongly to spambot infections. In other words, out of thousands upon thousands of IP addresses HELO'ing this way, all but a handful are infected and spewing junk. Even if it isn't an infection, it's a misconfiguration that should be fixed, because many spam filtering mechanisms operate with the same rules, and it's best to fix it regardless of whether the CBL notices it or not.

DO NOT TELNET TO YOUR SERVER TO SEE WHAT IT SAYS. Telnet will show you the banner, not the HELO.

EVEN IF YOU TEST YOUR MAIL SERVER SOFTWARE AND IT HELOS PROPERLY, THAT DOES NOT MEAN THAT THIS LISTING IS IN ERROR - YOUR IP REALLY DID HELO AS «localhost.localdomain». Our system doesn't make mistakes about this. This just means that something OTHER than your mail server software is making the connections. In fact, finding that your mail server is NOT HELO'ing as «localhost.localdomain» essentially proves this is an infection, not a misconfiguration.

There is often confusion between the SMTP «banner» and the SMTP «HELO» (or EHLO) command. These are completely different things, and proper understanding is important.

First some terminology (somewhat simplified to aid understanding):

An «SMTP client» is a piece of software that makes SMTP connections to SMTP servers to send a piece of email to the server. Most E-mail servers consist of an «SMTP listener» (to listen for and handle connections made to them by SMTP clients), an SMTP client (to send emails to other mail servers) and a local delivery agent (LDA) to deliver email to «local» users (eg: via POP or IMAP).

Thus, SMTP clients make connections to SMTP listeners, and issue SMTP commands to the listener.

The «HELO» (or «EHLO») command (see RFC2821) is a command issued by the SMTP client to an SMTP server to identify the name of the client. «HELO mail.example.com» means, essentially, «Hi there, my name is mail.example.com».

The «SMTP banner» is what the listener says in response to the initial connection or in response to the HELO command.

The CBL works in many cases by seeing what SMTP clients say (in the HELO/EHLO command) when the client connects to a CBL detector. Since the CBL NEVER does SMTP probes, it has no way of knowing how a given IP banners.

You can test SMTP banners with telnet and other similar diagnostic tools, but you CANNOT test SMTP HELO/EHLO with telnet.

For that, you can send an email to helocheck@helocheck.abuseat.org. That will reject the email (as an error), and the error will show you what the HELO/EHLO was.

If this IP is a mail server: please read namingproblems to find out why your IP was listed, and ways to fix it so it doesn't relist.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

How to resolve future problems and prevent relisting

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

Is this IP address a NAT gateway/firewall/router? In other words, is this IP address shared with other computers? See NAT for further information about NATs and how to secure them.

If this IP address is shared with other computers, only the administrator of this IP address can prevent this happening again by following the instructions in NAT to secure the NAT against future infections. In this way, no matter how badly infected the network behind the NAT is, the network can't spam the Internet. The administrator can also refer to Advanced BOT detection for hints and tips on how to find the infected computer behind a NAT.

What effect is this listing having on you?

The CBL is intended to be used only on inbound email from the Internet.

If you are being blocked from IRC, Chat, web sites, web email interfaces (eg: you're using Internet Explorer or Firefox to send email) or anything other than basic email with a mail reader like Exchange, Thunderbird etc, the provider of this service is using the CBL against our recommendations. Contact the provider and refer them to http://cbl.abuseat.org/tandc.html and refer them to items 2 and 7.

If you are an end user: If you get an immediate popup indicating your email was blocked when you attempt to send email, this means one of two things:

You aren't using your provider's preferred configuration for sending email. This is most frequent with roaming users (eg: you're using an Internet Cafe, and are using your home provider to send email). A provider will normally give you instructions on how your mail reader should authenticate to their mail servers, perhaps on a different port (usually 587). Make sure that you comply with the provider's instructions on mail reader configuration where it refers to «SMTP relay server», «SMTP authentication» etc. If you are complying with your provider's instructions, your provider is violating the CBL Terms and Conditions and blocking their own users. Contact your provider and refer them to http://cbl.abuseat.org/tandc.html and refer them to items 6 and 7.

If you get the blocking email message by return email (instead of by immediate popup), your provider is listed in the CBL, not you. Contact your provider and tell them that their IP address is listed by the CBL.

Note that the CBL is not responsible for how providers misuse the CBL. This is their problem, not ours.

If your IP address changes periodically (such as with reconnecting to your provider, connecting through an Internet Cafe etc), this is usually a dynamic (DHCP) IP address, meaning that it's most likely not you that is infected. As above, make sure that your mail reader is configured correctly as per your provider. In this case, delisting the IP address will probably not do anything useful.

If this listing is of an unshared IP address, and the affected access is email, then the computer corresponding to this IP address at time of detection (see above) is infected with a spambot, or, if it's a mail server, in some rare cases this can be a severe misconfiguration or bug.

The first step is to run at least one (preferably more) reputable anti-spam/spyware tools on your computer. If you're lucky, one of them will find and remove the infection.

If you are unable to find it using anti-virus tools, you may want to take a close look at the discussions of netstat or tcpview in the «Per-machine methods» section of Finding BOTs in a LAN.

If the above does not help, you may have to resort to taking your computer to a computer dealer/service company and have them clean it.

If all else fails, you may need to have your machine's software re-installed from scratch.

WARNING: If you continually delist 000.000.000.000 without fixing the problem, the CBL will eventually stop allowing the delisting of 000.000.000.000. If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.

Click on this link to delist 000.000.000.000.

How do I solve this? CentOS 6.4 x32 + ISPmanager; the hosting is digitalocean.com. From my laptop I work with Inferno hosting and have no such problems there, so a trojan on the laptop is ruled out.

Thanks


buninsan
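The two checks the quoted CBL text asks for, worked as code. This is an added example, not code from the original post, from the CBL or from ISPmanager. It covers the banner-versus-HELO distinction (a one-shot listener on 127.0.0.1 that records the HELO/EHLO argument and rejects with a 550 quoting it, the way helocheck@helocheck.abuseat.org does) and the «Per-machine methods» netstat approach (which processes on the box are talking to remote port 25, and which of them are not the MTA). The `netstat -tnp` sample, the addresses, the process names and the `MTA_PROGRAMS` allowlist are all constructed for the example; on a real CentOS 6 box run `netstat -tnp` as root and feed its output in.

```python
import smtplib
import socket
import threading

# Example code added for this thread; not from the original post, CBL or ISPmanager.
# Names, addresses and the netstat sample below are constructed, not captured from a real host.

# Programs that may legitimately open outbound port-25 connections from this box (its MTA).
# Assumption for the example: adjust to whatever MTA ISPmanager installed (exim here).
MTA_PROGRAMS = {"exim", "exim4", "sendmail", "postfix", "smtp", "master"}

# Constructed `netstat -tnp` output. The PID/Program column is why it must be run as root.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 198.51.100.10:48210     203.0.113.7:25          ESTABLISHED 1422/exim
tcp        0      0 198.51.100.10:22        192.0.2.55:51002        ESTABLISHED 987/sshd
tcp        0      0 198.51.100.10:33911     203.0.113.200:25        SYN_SENT    2201/.sshd
tcp        0      0 198.51.100.10:33912     203.0.113.201:25        ESTABLISHED 2201/.sshd
tcp        0      0 198.51.100.10:40022     203.0.113.9:80          ESTABLISHED 1500/php-cgi
"""


def outbound_smtp_connections(netstat_output, smtp_port=25):
    """Parse `netstat -tnp` text; return one dict per TCP connection to remote port smtp_port."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue  # header lines, or a line without the PID/Program column
        foreign, state, owner = parts[4], parts[5], parts[6]
        rhost, _, rport = foreign.rpartition(":")
        if rport != str(smtp_port):
            continue
        pid, _, prog = owner.partition("/")
        found.append({"pid": pid, "program": prog or "?", "remote": rhost, "state": state})
    return found


def suspicious_smtp_clients(netstat_output, allowed=MTA_PROGRAMS):
    """Connections to remote :25 not owned by the MTA: the 'something OTHER than your mail server'."""
    return [c for c in outbound_smtp_connections(netstat_output) if c["program"] not in allowed]


def helo_is_suspect(name):
    """True for HELO names the CBL text complains about: localhost.* or not a fully qualified name.
    RFC 5321 also allows an address literal such as [198.51.100.10]."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("[") and name.endswith("]"):
        return False
    if name in ("localhost", "localhost.localdomain", "localhost6.localdomain6"):
        return True
    return "." not in name


def capture_helo(client_hostname, timeout=5.0):
    """One-shot listener on 127.0.0.1 doing what helocheck@helocheck.abuseat.org does: send a
    banner, record the client's HELO/EHLO argument, reject with a 550 that quotes it. Then connect
    to it with smtplib as the client and return both sides of the exchange."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    banner = "220 helocheck.example ESMTP test listener"  # the BANNER: the server speaks first
    seen = {}

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(timeout)
        with conn, conn.makefile("rb") as rd:
            conn.sendall(banner.encode() + b"\r\n")
            verb, _, arg = rd.readline().decode("ascii", "replace").strip().partition(" ")
            seen["verb"], seen["arg"] = verb.upper(), arg  # the HELO/EHLO: the client speaks
            conn.sendall(("550 your HELO/EHLO was '%s'\r\n" % arg).encode())
            for line in rd:  # answer until QUIT so the client sees a clean close
                if line.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
                conn.sendall(b"503 bad sequence of commands\r\n")

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    # local_hostname plays the role of an MTA's myhostname/primary_hostname setting: it is the
    # name the client puts in HELO, independent of whatever banner that host shows to others.
    client = smtplib.SMTP(local_hostname=client_hostname, timeout=timeout)
    code, msg = client.connect("127.0.0.1", port)
    helo_code, helo_msg = client.helo()
    client.quit()
    thread.join(timeout)
    return {
        "banner_code": code, "banner": msg.decode(),
        "helo_verb": seen.get("verb"), "helo_arg": seen.get("arg"),
        "reply_code": helo_code, "reply": helo_msg.decode(),
    }


if __name__ == "__main__":
    for c in suspicious_smtp_clients(SAMPLE_NETSTAT):
        print("non-MTA process talking to :25 ->", c)
    r = capture_helo("localhost.localdomain")
    print("banner :", r["banner_code"], r["banner"])
    print("HELO   :", r["helo_verb"], r["helo_arg"],
          "(suspect)" if helo_is_suspect(r["helo_arg"]) else "(ok)")
    print("reply  :", r["reply_code"], r["reply"])
```

Two things the run makes visible. First, the banner the listener prints has nothing to do with the name the client sends in HELO, which is why telnetting to port 25 of the server proves nothing about the listing. Second, on the constructed sample the MTA (`1422/exim`) talks to remote :25 and is ignored, while PID 2201, a process calling itself `.sshd`, has two connections to :25 and is what you would go and inspect (`ls -l /proc/2201/exe`, `ls -l /proc/2201/cwd`) before deciding whether this is an infection or just a hostname left at `localhost.localdomain`.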
