It won't really help now, but you should really consider enabling Apache mod_userdir protection on your servers so that ~cpaneluser cannot be used - this is a good example of why.
-----------------------------------
Alex Leach | Linux Systems Engineer
Phone: 414.858.9335 or 800.862.5965
[email protected]
CyberLynk Network | Franklin, WI
-----------------------------------

On 2/19/2016 6:41 AM, Jayme wrote:
> So we have hundreds of shared and dedicated cPanel servers that use the
> same domain for the base hostname, i.e. server.validns.com,
> server2.validns.com, etc.
>
> We started to get complaints from users across multiple servers that
> Yahoo mail was being rejected with:
>
> SMTP error from remote mail server after end of data: 554 Message not
> allowed - [PH01] Email not accepted for policy reasons. Please visit
> http://postmaster.yahoo.com/errors/postmaster-27.html [120]
>
> This is happening across many servers on different IPs regardless of the
> sending domain, DKIM/SPF etc. It's basically happening to anyone sending
> mail to @yahoo.com on any server that is using validns.com. We have
> multiple other servers on different base hostnames on the same IP block
> that don't seem to be affected.
>
> So I did some looking into this and eventually I found a complaint
> about a phishing attempt on our hostname coming from serverX.validns.com.
> A client's site got hacked and phishing scripts uploaded to it, and they
> were being called using the server hostname, i.e.
> serverX.validns.com/~cpaneluser/hack -- this somehow led to the entire
> validns.com being listed on SURBL multi. I have no idea why they listed
> the entire domain vs. the full hostname the source was coming from, i.e.
> instead of listing serverX.validns.com they listed validns.com.
>
> Fast forward, I cleaned up the phishing and submitted a removal request
> to SURBL multi, and the domain was delisted over 2 days ago and shows good
> status in their lookup. Ever since, Yahoo seems to have not dropped the
> listing, or whatever they are using internally that is causing them to
> reject all messages from any server using this hostname.
>
> Is it possible that yahoo.com picked up on the SURBL listing and is
> blocking our entire hostname based on it? I was hoping if so they'd drop
> it by now, seeing as the listing was removed over 2 days ago, but so far
> no such luck. Or is it possible that our validns.com could be listed in
> some other URBL that Yahoo could be picking up on? So far I've got it off
> SURBL multi, checked it on Spamhaus DBL and uribl.com, and it's not listed
> on either of those. There may be others I'm not aware of.
>
> Right now we have hundreds of servers and thousands of users on them that
> are unable to mail to yahoo.com, and it's causing a huge support mess. It
> almost seems impossible to get hold of anyone that can actually help with
> the problem at Yahoo; I've sent emails and forms, everything I can find,
> but no response back yet.
>
> If whatever block Yahoo has on our hostname continues, I don't know what
> else to do if I can't get a hold of them, short of changing the hostnames
> (which would be a huge disaster) or trying to find a way to configure
> Exim to route mail destined to yahoo.com through another mail server (I'd
> have to set up one on a different hostname and allow relaying through it),
> then configure all the servers to relay Yahoo through it. I'm sure it'd
> work, but it's also quite a bit of work as well.
>
> Has anyone ever dealt with a problem like this? I've been in hosting
> since '96 and I can't recall a case where I've ever seen a main hostname
> get listed like this while the source of the problem was on a sub-domain.
>
> Thanks!
>
> James
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
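The thread turns on two points: James checked validns.com by hand against SURBL multi, Spamhaus DBL and uribl.com, and the listing landed on the base domain rather than on serverX.validns.com. The script below is an added example (not code from either poster or from the mailop list) that does that check for a hostname and every parent domain above it, so a hit on the shared base domain is visible before the support queue fills up. It queries only the SURBL multi and Spamhaus DBL zones; the return-code tables are transcribed from those projects' public documentation and should be confirmed against the current docs, and the resolver is injectable so the constructed answers at the bottom let it run offline.

```python
"""Check a hostname and its parent domains against URI blocklists (added example)."""
import socket
import sys
from typing import Callable, Dict, List, Optional

# Return-code tables transcribed from the public SURBL and Spamhaus DBL
# documentation at the time of writing; confirm against the current docs
# before relying on them. Only the last octet of the answer carries meaning.
SURBL_ZONE = "multi.surbl.org"
SURBL_BITS = {8: "PH (phishing)", 16: "MW (malware)", 64: "ABUSE", 128: "CR (cracked)"}
DBL_ZONE = "dbl.spamhaus.org"
DBL_CODES = {
    2: "spam", 4: "phish", 5: "malware", 6: "botnet C&C",
    102: "abused legit spam", 104: "abused legit phish",
    105: "abused legit malware", 106: "abused legit botnet C&C",
    255: "IP queries prohibited",
}

Resolver = Callable[[str], Optional[str]]


def dns_resolver(name: str) -> Optional[str]:
    """Return the A record for name, or None when it does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def candidate_domains(hostname: str) -> List[str]:
    """The hostname and each parent domain with at least two labels.

    URI blocklists commonly list the registrable domain rather than the full
    hostname, so a hit on a parent is what affects every host under it.
    Simplification: no public-suffix list, so 'example.co.uk' also yields 'co.uk'.
    """
    labels = hostname.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def decode_surbl(answer: str) -> List[str]:
    """SURBL multi packs list membership into bits of the last octet."""
    last = int(answer.rsplit(".", 1)[1])
    hits = [name for bit, name in SURBL_BITS.items() if last & bit]
    return hits or [f"unknown code {answer}"]


def decode_dbl(answer: str) -> List[str]:
    """Spamhaus DBL returns one code per answer; 127.255.255.x signals a query error."""
    if answer.startswith("127.255.255."):
        return [f"query error {answer} (not a listing)"]
    last = int(answer.rsplit(".", 1)[1])
    return [DBL_CODES.get(last, f"unknown code {answer}")]


ZONES = ((SURBL_ZONE, decode_surbl), (DBL_ZONE, decode_dbl))


def check_hostname(hostname: str, resolve: Resolver = dns_resolver) -> Dict[str, List[str]]:
    """Map '<domain> @ <zone>' to decoded reasons for every listed candidate."""
    findings: Dict[str, List[str]] = {}
    for domain in candidate_domains(hostname):
        for zone, decode in ZONES:
            answer = resolve(f"{domain}.{zone}")
            if answer is None:
                continue
            # Real listings always come back inside 127.0.0.0/8; anything else
            # (e.g. a wildcard answer from a broken resolver) is not a listing.
            if not answer.startswith("127."):
                findings[f"{domain} @ {zone}"] = [f"unexpected answer {answer}"]
                continue
            findings[f"{domain} @ {zone}"] = decode(answer)
    return findings


# Constructed answers standing in for the live resolver so the example runs
# offline: the base domain is listed as phishing, the full hostname is not.
FAKE_ANSWERS = {
    "validns.com.multi.surbl.org": "127.0.0.8",
    "validns.com.dbl.spamhaus.org": "127.0.1.104",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    # With an argument, query the real zones; without one, replay the constructed answers.
    if len(sys.argv) > 1:
        result = check_hostname(sys.argv[1])
    else:
        result = check_hostname("serverX.validns.com", fake_resolver)
    for key, reasons in sorted(result.items()):
        print(f"{key}: {', '.join(reasons)}")
    if not result:
        print("not listed")
```

Run it with a hostname to hit the live zones, or with no argument to see the constructed case. Both blocklists rate-limit and, in Spamhaus's case, refuse queries from open public resolvers, so a cron job that runs this for every shared hostname should use the provider's own recursive resolver.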
