Mail Bypassing Greylisting Issue
Seems I'm now starting to see the greylisting daemon whitelisting [or ignoring] spam emails against my will. I'm talking about IP addresses that haven't been seen by Exim in at least the last four weeks. They are blatantly spamming, but they are passing right through greylisting without cpgreylistd ever attempting to initially defer them.
[2015-07-17 18:19:52 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['216.169.125.4'], From Address: ['LoveYourBodyAgain@flammar.click'], To Address: ['abc@123.com']. Reply:- ['no (whitelisted or opt-out)']
1. 216.169.125.4 is not on the whitelist
Nearest IPs on whitelist are:
216.163.240.0-216.163.255.255 # metlife
216.175.17.175 # redcondor.geneseo.net
2. In the course of 25 minutes this particular spam made it through to 11 recipients in six domains.
3. ALL of the recipients domains have greylisting ENabled (not a single domain on the server has opted out)
If cpgreylistd ever ran 216.169.125.4 through greylisting [meaning if cpgreylistd initially deferred delivery from this IP], an entry should exist in /usr/local/cpanel/logs/cpgreylistd.log with "Reply:- ['yes']" instead of "Reply:- ['no (whitelisted or opt-out)']". But there are no "Reply:- ['yes']" entries in cpgreylistd.log to indicate that greylisting ever acted upon it.
Either cpgreylistd is adding whole swaths of IP space to the whitelist on its own [which cannot be seen from the GUI], or something isn't working correctly in cpgreylistd.
No, I didn't open a ticket. I'm getting a feeling there isn't interest in further refinement so I figure why bother.
But I'm curious if others can verify that some spamming IPs are not going through the greylist process despite the fact that (a) they are not whitelisted in the GUI and (b) the recipient domains do have greylisting ENabled.
Mike
-
Yet another instance where cpgreylistd made absolutely no attempt to defer emails from a block of IP space that (a) hadn't been seen connecting to the server in the past four weeks and (b) is sending spam. Every one of the entries (from the first hit for 209.160.30.x) shows a similar result suggesting it was whitelisted or that the end user opted out of greylisting, neither of which is true.
[2015-07-22 14:40:10 -0400] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['209.160.30.44'], From Address: ['Prevent-Your-Acid-Reflux@supportheartcure.link'], To Address: ['somebody@somedomainonmyserver.com']. Reply:- ['no (whitelisted or opt-out)']
Fact:
a. somedomainonmyserver.com has greylisting enabled / never opted out of greylisting
b. no IP addresses even remotely close to 209.160.30.x exist in the whitelist according to what I can see from the GUI
So something is amiss here. cpgreylistd perhaps is misinterpreting some IP addresses and then erroneously matching up against an IP that is in the whitelist.
m
-
No, I didn't open a ticket. I'm getting a feeling there isn't interest in further refinement so I figure why bother.
Why wouldn't there be an interest? The feature is brand new. If you suspect it's not working as expected, a ticket is the best way to go.
-
Why wouldn't there be an interest? The feature is brand new. If you suspect it's not working as expected, a ticket is the best way to go.
Done.
m
-
Do you have the setting checked to bypass greylisting if they have a valid SPF? I've noticed tons of spam getting through recently as well that actually has valid SPF records, example:
From: "Accounting Programs"
Subject: Become.. an Expert.. In Accounting...
-0.0 SPF_PASS SPF: sender matches SPF record
We do bypass greylisting with valid SPF records but maybe it's time to disable that.
-
Do you have the setting checked to bypass greylisting if they have a valid SPF? I've noticed tons of spam getting through recently as well that actually has valid SPF records, example:
From: "Accounting Programs"
Subject: Become.. an Expert.. In Accounting...
-0.0 SPF_PASS SPF: sender matches SPF record
We do bypass greylisting with valid SPF records but maybe it's time to disable that.
No, I do not bypass greylisting for valid SPF. Before greylisting was available, I had already observed that most of the spam that was coming through already passed valid SPF / DKIM [and often even DMARC] checks. So I definitely do not bypass greylisting if they have valid SPF.
Mike
-
The cPanel folks figured out what the problem was. It had nothing to do with a bug in cpgreylistd. What had happened was that I apparently mistyped a manual entry I was adding to the database, which ended up whitelisting a huge block of IP space. I added this to the whitelist by accident:
203.244.226.255- 220.244.226.0
And all the troubles I reported above had to do with IP addresses within that range. So I actually was the one responsible for making the erroneous entry and causing my own problems.
The cPanel staff worked diligently on finding the issue. As much as I hate to admit this was an error on my part, I'm glad it was my error and not a problem with cpgreylistd. Thanks Travis, Tristan, Andrew, Sky and Jared for your efforts!
Mike
PS: might be a good idea to somehow mark this as resolved so nobody thinks there is a current issue with cpgreylistd.
-
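The root cause above is a whitelist entry whose start and end addresses differ in the first octet, so it silently covers about 285 million addresses, including 216.169.125.4 and 209.160.30.44 from the earlier posts. The following is an added example, not cPanel's code and not part of the original thread: a small checker that parses a whitelist in the "start-end # comment" / "single IP # comment" form shown above, reports which entry matched a given sender IP (the question the "no (whitelisted or opt-out)" reply never answers), and flags any entry that is wider than a configurable limit. The sample whitelist is constructed from the entries quoted in this thread; the CIDR support and the 65536-address limit are my assumptions, not something the page states.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the entries quoted in this thread, including the mistyped one.
SAMPLE_WHITELIST = """\
216.163.240.0-216.163.255.255 # metlife
216.175.17.175 # redcondor.geneseo.net
203.244.226.255- 220.244.226.0
"""


@dataclass(frozen=True)
class WhitelistEntry:
    raw: str                       # entry text as written, minus the comment
    first: ipaddress.IPv4Address   # lowest address covered
    last: ipaddress.IPv4Address    # highest address covered
    comment: str

    @property
    def size(self) -> int:
        """Number of addresses this entry whitelists."""
        return int(self.last) - int(self.first) + 1

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last


def parse_whitelist(text: str) -> list[WhitelistEntry]:
    """Parse 'a.b.c.d', 'a.b.c.d-e.f.g.h' or (assumed) 'a.b.c.d/n' lines; '#' starts a comment."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body, _, comment = line.partition("#")
        body = body.strip()
        if not body:
            continue
        if "/" in body:                                   # CIDR form (assumption)
            net = ipaddress.IPv4Network(body, strict=False)
            first, last = net.network_address, net.broadcast_address
        elif "-" in body:                                 # explicit range, spaces tolerated
            lo, hi = (part.strip() for part in body.split("-", 1))
            first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        else:                                             # single address
            first = last = ipaddress.IPv4Address(body)
        if first > last:
            raise ValueError(f"line {lineno}: range start is after its end: {body!r}")
        entries.append(WhitelistEntry(body, first, last, comment.strip()))
    return entries


def matching_entries(ip: str, entries: list[WhitelistEntry]) -> list[WhitelistEntry]:
    """Every whitelist entry that covers ip; empty list means greylisting should apply."""
    addr = ipaddress.IPv4Address(ip)
    return [e for e in entries if e.contains(addr)]


def broad_entries(entries: list[WhitelistEntry], max_hosts: int = 65536) -> list[WhitelistEntry]:
    """Entries wider than max_hosts (default one /16): candidates for a typo like the one above."""
    return [e for e in entries if e.size > max_hosts]


if __name__ == "__main__":
    wl = parse_whitelist(SAMPLE_WHITELIST)
    for sender in ("216.169.125.4", "209.160.30.44", "216.175.17.175"):
        hits = matching_entries(sender, wl)
        print(sender, "->", [h.raw for h in hits] or "not whitelisted")
    for e in broad_entries(wl):
        print(f"suspiciously broad entry: {e.raw!r} covers {e.size} addresses")
```

Running the checker against the three sample entries shows that both spamming IPs match only the mistyped range, and that this one range is the only entry wider than a /16. Running a check like this after every manual whitelist edit would have caught the problem before the first spam run got through.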
Doh! ;)
-
Those folks can fix anything. Happy to hear you got this sorted.