
security - S/MIME certificate to minimize email bounce



I have a website hosted on a VPS that sends informative emails to my clients, maybe 20-40 emails per day. Since a few weeks ago some sent emails have been bouncing with the following error:





This message was created automatically by mail delivery software.



A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:



destination@example.com
SMTP error from remote mail server after RCPT TO::
host mx1.emailsrvr.com [173.203.2.36]: 554 5.7.1 ACL dns_rbl; Client host [MY-IP] blocked using
sa-dnset.blagr.emailsrvr.com=127.24.0.2 Please visit
http://bounce.emailsrvr.com/?a0 for more information on why this
message could not be delivered



------ This is a copy of the message, including all the headers. ------




* MY-IP is the IP of my VPS server



Tracking the error according to the details in the email body, I found that my IP is blacklisted in the Blocklist Removal Center with the following warning:





Technical Details:



The sending IP address or domain of the message is currently on a
blacklist. The intended recipient will need to safelist the IP address
the message is being sent from. Please use an alternate method to
relay this information to the intended recipient. To find out more
information on where the sending host is blacklisted, enter the IP
address, located in the rejected message, into our Blacklist
Aggregator.




Why is the IP blacklisted?



Following up on the warning and the information provided, this happened to me because:




  1. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

  2. It was last detected at 2014-03-26 19:00 GMT (+/- 30 minutes), approximately 3 days, 1 hours, 30 minutes ago.


  3. The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.



Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH



What should I do in this case?



The only way to definitely remove a rootkit is to format all partitions on the server, then reinstall the operating system. Once a system has been root compromised, there is no way to confidently clean it up, because with root access, backdoors can be placed that you cannot detect. Essentially, once a server has been root compromised, it can never be trusted again, no matter what steps are taken to try to clean it.



So, what is the question here?




I am really tired of dealing with emails that are never sent correctly. Also, neither Yahoo nor Hotmail are delivering the messages to the inbox; they go to the spam folder instead.



My plan from here is to hire another hosting provider with a new IP address, starting from scratch and following security procedures to avoid this situation again, but I want to take advantage of this change and install an S/MIME certificate to give the emails more security (as a friend recommended).




  • Will an S/MIME certificate help me minimize emails landing in the spam folder on Yahoo and Hotmail?

  • How will an S/MIME certificate help me in this situation?


Answer




If the analysis provided in the question is correct, it sounds like the particular incident referenced there goes well beyond just not being able to deliver mail; the system had been compromised and other bad things may be going on as well, in addition to it having been blacklisted for sending spam, etc.



Obviously you'll want to do all you can to avoid something like that happening again.



As for having a mail server and the mail it delivers "look trustworthy" I think focusing on the basics may be more effective than S/MIME.




  • Stay in control of what mail is sent from you



    • Lock down relay access

    • Don't send out mail that may come across as 'spammy'

    • Obviously all of the above relies on the server not having been compromised


  • Have the "mailname" (name that the mail server software uses to present itself) set to the canonical name of the mail server


    • This name should resolve to the IP of the server

    • The reverse record (PTR) for the IP of the server should match this name



  • Set up SPF for your domain name(s), explicitly indicating that the owner of the domain name allows the IP of your mail server to deliver mail from this domain

  • Set up DKIM on your mail server and your domain name(s). A signature proves that the mail originates from a server which has the key that the owner of the domain name specified (this somewhat overlaps with SPF, but with cryptographic rather than IP-based validation)
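As an added illustration of the PTR and SPF points in the list above (this is example code, not part of the original answer), the following Python checks forward-confirmed reverse DNS for a mail name and evaluates a simple SPF policy for a sending IP. It goes a little beyond the answer by also handling a, mx and include mechanisms. It reads from an injected dictionary of constructed DNS records, so it runs offline; the names and addresses are placeholders.

```python
import ipaddress

# Constructed sample DNS data (not real records): name -> {rrtype: [values]}
SAMPLE_DNS = {
    "mail.example.com": {"A": ["203.0.113.10"]},
    "10.113.0.203.in-addr.arpa": {"PTR": ["mail.example.com"]},
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"],
        "MX": ["mail.example.com"],
    },
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

def lookup(dns, name, rrtype):
    return dns.get(name, {}).get(rrtype, [])

def fcrdns_ok(dns, ip, mailname):
    """PTR for ip must be the mailname, and the mailname must resolve back to ip."""
    ptrs = lookup(dns, ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return mailname in ptrs and ip in lookup(dns, mailname, "A")

def spf_result(dns, domain, ip, depth=0):
    """Evaluate ip4/ip6/a/mx/include/all mechanisms for ip against domain's SPF record.
    Returns pass, fail, softfail, neutral, none or permerror (modifiers are ignored)."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    records = [t for t in lookup(dns, domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:               # no record, or several (which is an error)
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:                 # redirect=/exp= modifiers are not evaluated here
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(dns, arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(dns, mx, "A") for mx in lookup(dns, arg or domain, "MX"))
        elif mech == "include":
            matched = spf_result(dns, arg, ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"                    # record ended without a match
```

Running these against the real resolver would just mean replacing SAMPLE_DNS with live lookups; the logic for what "matches" stays the same.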

