Skip to main content

security - S/MIME certificate to minimize email bounce



I have a website hosted in a vps that sends informative emails to my clientes, maybe 20-40 emails per day. Since few weeks ago some sent emails are bouncing with the following error:





This message was created automatically by mail delivery software.



A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:



destination@example.com
SMTP error from remote mail server after RCPT TO::
host mx1.emailsrvr.com [173.203.2.36]: 554 5.7.1 ACL dns_rbl; Client host [MY-IP] blocked using

sa-dnset.blagr.emailsrvr.com=127.24.0.2 Please visit
http://bounce.emailsrvr.com/?a0 for more information on why this
message could not be delivered



------ This is a copy of the message, including all the headers. ------




**MY-IP is the ip of my vps server*



Tracking the error according to details in the email body, I found that my ip is blacklisted in Blocklist Removal Center with the following warning:





Technical Details:



The sending IP address or domain of the message is currently on a
blacklist. The intended recipient will need to safelist the IP address
the message is being sent from. Please use an alternate method to
relay this information to the intended recipient. To find out more
information on where the sending host is blacklisted, enter the IP
address, located in the rejected message, into our Blacklist

Aggregator.




Why is the ip blacklisted?



Following up the warning and information provided, this is happened to me because:




  1. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

  2. It was last detected at 2014-03-26 19:00 GMT (+/- 30 minutes), approximately 3 days, 1 hours, 30 minutes ago.


  3. The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.



Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH



What should I do in this case?



The only way to definitely remove a rootkit is to format all partitions on the server, then reinstall the operating system. Once a system has been root compromised, there is no way to confidently clean it up, because with root access, backdoors can be placed that you cannot detect. Essentially, once a server has been root compromised, it can never be trusted again, no matter what steps are taken to try to clean it.



So, what is the question here?




I am really tired dealing with emails that are never sent correctly. Also, yahoo neither hotmail are not getting the messages at inbox, but spam does.



My plan from here is to hire another hosting provider with a new ip address from scratch, make use of security procedures to avoid this situation again but I want take advantage of this change and install a S/MIME certificate to give emails more security (as a friend's recommendation).




  • Will a S/MIME certificate help me to minimize emails at spam folder on yahoo and hotmail?

  • How a S/MIME certificate will help me in this situation?


Answer




If the analysis provided in the question is correct it sounds like the particular incident referenced there goes well beyond just not being able to deliver mail; the system had been compromised and other bad things may be going on as well in addition to it having been blacklisted because of sending spam, etc.



Obviously you'll want to do all you can to avoid something like that happening again.



As for having a mail server and the mail it delivers "look trustworthy" I think focusing on the basics may be more effective than S/MIME.




  • Stay in control of what mail is sent from you



    • Lock down relay access

    • Don't send out mail that may come across as 'spammy'

    • Obviously all of the above relies on that the server has not been compromised


  • Have the "mailname" (name that the mail server software uses to present itself) set to the canonical name of the mail server


    • This name should resolve to the IP of the server

    • The reverse record (PTR) for the IP of the server should match this name



  • Set up SPF for your domain name(s), explicitly indicating that the owner of the domain name allows the IP of your mail server to deliver mail from this domain

  • Set up DKIM on your mail server and your domain name(s). A signature proves that the mail is originating from a server which has the key that the owner of the domain name specified (somewhat overlaps with SPF but with cryptographical rather than IP-based validation)


Comments

Post a Comment

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits,
Post a Comment
Read more

apache 2.2 - Server Potentially Compromised -- c99madshell

So, low and behold, a legacy site we've been hosting for a client had a version of FCKEditor that allowed someone to upload the dreaded c99madshell exploit onto our web host. I'm not a big security buff -- frankly I'm just a dev currently responsible for S/A duties due to a loss of personnel. Accordingly, I'd love any help you server-faulters could provide in assessing the damage from the exploit. To give you a bit of information: The file was uploaded into a directory within the webroot, "/_img/fck_uploads/File/". The Apache user and group are restricted such that they can't log in and don't have permissions outside of the directory from which we serve sites. All the files had 770 permissions (user rwx, group rwx, other none) -- something I wanted to fix but was told to hold off on as it wasn't "high priority" (hopefully this changes that). So it seems the hackers could've easily executed the script. Now I wasn't able
Post a Comment
Read more