security - S/MIME certificate to minimize email bounce

I have a website hosted in a VPS that sends informative emails to my clients, maybe 20-40 emails per day. Since a few weeks ago some sent emails have been bouncing with the following error:

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      destination@example.com
        SMTP error from remote mail server after RCPT TO::
        host mx1.emailsrvr.com [173.203.2.36]: 554 5.7.1 ACL dns_rbl;
        Client host [MY-IP] blocked using sa-dnset.blagr.emailsrvr.com=127.24.0.2
        Please visit http://bounce.emailsrvr.com/?a0 for more information on why
        this message could not be delivered

    ------ This is a copy of the message, including all the headers. ------




*MY-IP is the IP of my VPS server*



Tracking the error according to the details in the email body, I found that my IP is blacklisted in the Blocklist Removal Center with the following warning:






    Technical Details:

    The sending IP address or domain of the message is currently on a blacklist.
    The intended recipient will need to safelist the IP address the message is
    being sent from. Please use an alternate method to relay this information to
    the intended recipient. To find out more information on where the sending
    host is blacklisted, enter the IP address, located in the rejected message,
    into our Blacklist Aggregator.




Why is the IP blacklisted?



Following up on the warning and the information provided, this happened to me because:




  1. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

  2. It was last detected at 2014-03-26 19:00 GMT (+/- 30 minutes), approximately 3 days, 1 hours, 30 minutes ago.

  3. The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.



Ebury is an SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH-related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH.



What should I do in this case?



The only way to definitely remove a rootkit is to format all partitions on the server, then reinstall the operating system. Once a system has been root compromised, there is no way to confidently clean it up, because with root access, backdoors can be placed that you cannot detect. Essentially, once a server has been root compromised, it can never be trusted again, no matter what steps are taken to try to clean it.



So, what is the question here?




I am really tired of dealing with emails that are never sent correctly. Also, neither Yahoo nor Hotmail are getting the messages in the inbox, but the spam folder does.



My plan from here is to hire another hosting provider with a new IP address from scratch, and make use of security procedures to avoid this situation again, but I want to take advantage of this change and install an S/MIME certificate to give emails more security (on a friend's recommendation).




  • Will an S/MIME certificate help me to minimize emails going to the spam folder on Yahoo and Hotmail?

  • How will an S/MIME certificate help me in this situation?


Answer





If the analysis provided in the question is correct, it sounds like the particular incident referenced there goes well beyond just not being able to deliver mail; the system had been compromised and other bad things may be going on as well, in addition to it having been blacklisted because of sending spam, etc.



Obviously you'll want to do all you can to avoid something like that happening again.



As for having a mail server and the mail it delivers "look trustworthy", I think focusing on the basics may be more effective than S/MIME.




  • Stay in control of what mail is sent from you

    • Lock down relay access

    • Don't send out mail that may come across as 'spammy'

    • Obviously all of the above relies on the server not having been compromised

  • Have the "mailname" (the name that the mail server software uses to present itself) set to the canonical name of the mail server

    • This name should resolve to the IP of the server

    • The reverse record (PTR) for the IP of the server should match this name

  • Set up SPF for your domain name(s), explicitly indicating that the owner of the domain name allows the IP of your mail server to deliver mail from this domain

  • Set up DKIM on your mail server and your domain name(s). A signature proves that the mail is originating from a server which has the key that the owner of the domain name specified (somewhat overlaps with SPF but with cryptographic rather than IP-based validation)
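As an added example (not from the answer above nor the asker's setup), the following Python script models two of the checks in that list, forward-confirmed reverse DNS for the mailname and SPF authorization of the sending IP, against constructed DNS data; it goes slightly beyond the answer by evaluating SPF qualifiers (+, -, ~, ?) as a receiving server would. The names mail.example.com/example.com, the 203.0.113.x addresses and the `lookup` function are illustrative placeholders standing in for a real resolver.

```python
import ipaddress

# Constructed sample DNS zone data (assumption: illustrative values, not real records).
DNS = {
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.0/28 -all"],
}

def lookup(name, rtype):
    """Stand-in for a DNS resolver; returns the constructed records or nothing."""
    return DNS.get((name, rtype), [])

def fcrdns_ok(mailname, ip):
    """Forward-confirmed reverse DNS: PTR of ip names mailname AND mailname resolves to ip."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.113.0.203.in-addr.arpa
    return mailname in lookup(rev, "PTR") and ip in lookup(mailname, "A")

def spf_result(domain, ip):
    """Evaluate a minimal SPF v1 policy (ip4/ip6 with CIDR, a, mx, all) for a sender IP.

    Returns pass/fail/softfail/neutral, or permerror when the record is missing,
    duplicated, or uses a mechanism this small evaluator does not model (include, redirect...).
    """
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "permerror"  # zero or several SPF records is a deployment error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            hit = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "all":
            hit = True
        else:
            return "permerror"
        if hit:  # first matching mechanism decides the result
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"  # no mechanism matched and no "all" term present
```

Running `fcrdns_ok("mail.example.com", "203.0.113.10")` and `spf_result("example.com", "203.0.113.10")` against the sample zone shows a correctly aligned server; any other source IP fails the `-all` policy, which is what a receiving server uses to reject mail relayed from an IP the domain owner never listed.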

