Hi Sir,

I only changed the mail server name in the first email. Here is the email
from them:

=======================================================

[Note: if you have received messages from us about IPSwitch/IMail before,
please note that IPSwitch has finally implemented a workaround.

Please see below.  We will no longer be perm-delisting IMail installations
unless there's no alternative.]



The CBL attempts to detect compromised machines in a number of ways based
upon the email that the CBL's mail servers receive.

During this it tries to distinguish whether the connections represent real
mail servers by ensuring that each connection is claiming a plausible
machine name for itself (via SMTP HELO), and not listing any IP that
corresponds to a real mail server (or several mail servers if the IP
address is a NAT firewall with multiple mail servers behind it).

124.81.72.134 was found to be using several different EHLO/HELO names
during multiple connections on or about:

2013:05:28 ~04:30 UTC+/- 15 minutes (approximately 7 hours, 30 minutes ago).

The names seen included:

                mail.kinerja.or.id, mail.ksi-indonesia.org, mail.prioritas.or.id, mail.sum2.or.id, rti-indomd.rti.org



Note that the above list may include one or more names that are not fully
qualified DNS names (FQDNs).  Host names (ie: Windows node names) without a
dot are not FQDNs.



RFC2821 requires that the HELO be either an IP address literal - an IP
address surrounded by square brackets (ie: "[1.2.3.4]"), or a FQDN.



To resolve this you need to identify whether these are real names of your
machines.  If not:

                - you have an open proxy used for spamming on that IP, or

                - you have a NAT firewall, and one or more machines behind it
                  have an open proxy used for spamming.

                - if all of the names above are IP addresses belonging to you
                  (without the square brackets) you are probably using Blue Squirrel's
                  "Spam Sleuth" "Turing" feature.  You will need to turn the
                  "Turing" feature off until you can get a patched version that
                  doesn't do this (identifies itself consistently).



If they are real names, you need to consider whether one or more of these
machines are supposed to be sending email to the Internet (this implies
that 124.81.72.134 is a NAT firewall.)



If not, one or more machines on your internal network has an open proxy
used for spamming.



If these are real names corresponding to real mail servers behind a NAT
firewall, we strongly suggest that you configure your machines to have
consistent fully qualified domain names, like:



                mail01.<your domain>, mail02.<your domain>



This is usually done by setting the machine's node name to be one of the
above, but sometimes it's a configuration parameter for the mail server.



The final possibility is that 124.81.72.134 is not a NAT firewall, and is
instead a single box with many domains provisioned on it, some that send
email directly, setting the HELO as the sending domain.  If this is the
case, to prevent a relisting we strongly recommend setting the mail
software on the box so that a single identifying name is used in
outbound SMTP connections.   As an alternate workaround, you can
configure the mail software to relay its outbound email through an
intermediate mail server.  Even a co-resident mail server package (such as
IIS on Windows) will do fine.

If 124.81.72.134 is a NAT firewall, we STRONGLY recommend that you
configure it to prevent machines (except your real mail
servers) on your local network connecting to the Internet on port 25
(SMTP/email).  In this way you can contain any insecure machines (either by
open proxy/spam trojan or emailing worm like Netsky) from attacking others
on the Internet.



If you are running Ipswitch Imail, GMS, Dmail, Ensim, WorkGroupMail or this
is part of BellSouth Shared Hosting please let us know, AND, also let us
know if all the names we've listed above are legitimate customers or
"co-customers" (if you know).



These days, we only see this problem with old unpatched copies of Ensim or
older IMail (mostly IMail 8).  However, we've seen it once or twice with
Imail 10 and 11.  Note the difference between IMail 8/9 and IMail 10/11
below.



If you are running Ensim, see http://forum.ensim.com/showthread.php?p=68868

This contains a workaround that you can apply which will be deployed
officially as a patch in the near future.



For IPswitch IMail, the issue arises when you have multiple domains using
different IPs for the domains hosted on the machine.



With IMail this is only an issue with the CBL when you use different IPs
for the hosted domains.  This appears to now be a deprecated
configuration.  Secondly, ONLY the primary IP gets listed, never the
per-domain alias IPs.



In Imail 8 and 9 (aka 2006.1 we think), the issue is that even if you have
different IPs for your customer domains, _sending_ email always comes from
the primary IP address, yet it uses the domains as HELO values.  Hence, the
IP doesn't seem to make up its mind who it is.



Imail 10 and 11 appear to be able to send email from the different IPs
without difficulty, the problem arises with an anti-spam feature called
"sender address verification" (SAV - Imail appears to call it "RCPT
validation".) using different HELOs on the same outbound
(primary) IP.

   Imail 8: The very last version of Imail 8 (8.23 we believe)
            apparently has a straightforward option (something like
            "turn off HELO spoofing") to prevent this problem.

   Imail 9: Has a similar option.

   Imail 10/11: Normal email sending gets the HELO right, instead
            SAV probes have the Imail 8/9 problem.  Contact IPSwitch
            about turning SAV off.  SAV is a bad idea in the first
            place, so it should be turned off whether or not it
            works "correctly".



If you're running Netwin Dmail, be aware that all support/development has
ceased, and you should upgrade to Netwin's Surgemail package.



If you are running Surgemail, make sure that you have set your HELO value
to a specific value (ie: your server's official DNS name), rather than
letting Surgemail guess.  This appears to be via the "send_helo" and
"g_send_helo" parameters.



If you are running Fortimail, the setting is found under: Mail Settings ->
Domains -> Edit Domain -> Advanced Settings -> SMTP greeting -> check "Use
system host name"



The default setting is set to "Use this domain name", which will cause the
problems we've detected.





I've removed the entry from the list and inhibited redetections for the
next 3 days.



It may take a few hours to propagate to the public nameservers. The CBL
will relist the IP if it detects the same thing again after 3 days from now.




2013/5/30 Syafril Hermansyah <syaf...@dutaint.co.id>

> On 05/30/2013 04:46 PM, Rifkianto Aribowo wrote:
> > Some time ago our email server was blocked by Spamhaus, which caused
> > some emails to fail to be delivered. I have sent a notification to the
> > Spamhaus admin, and there is some information from them about things
> > that need to be changed. Please help with information on how to change
> > the settings in MDaemon version 9. Here is the email from Spamhaus:
>
> The mail from spamhaus.org has been tampered with, hasn't it?
> Send it as is so that it can be analyzed properly.
>
> --
> syafril
> -------
> Syafril Hermansyah
> MDaemon-L Moderators, running MDaemon 13.5 Beta RC3 SecurityPlus 4.1.5
> Please do not cc: or send to private mail for MDaemon issues.
>
>
> --
> --[MDaemon-L]------------------------------------------------
> This mailing list is for discussion among MDaemon Mail Server users.
>
> Netiquette: http://www.netmeister.org/news/learn2quote
> Archive: http://mdaemon-l.dutaint.com
> Documentation: http://mdaemon.dutaint.co.id
> Unsubscribe: send mail to MDaemon-L-unsubscribe [at] dutaint.com
> Subscribe: send mail to MDaemon-L-subscribe [at] dutaint.com
> Latest versions: MD 13.0.5, SP 4.1.5, BES 2.0.2, OC 2.3.1, SG 2.1.2, PP 2.0.1
>
>
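
The check described in the CBL notice (one IP announcing several HELO names, some of them neither an FQDN nor a bracketed address literal) can be run against your own outbound SMTP logs before a listing happens. This is an added example, not part of the original thread; the log layout, the sample addresses and the function names are assumptions, and the "IPv6:" tagged literal form is not handled.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines; the "<time> <client-ip> <verb> <name>" layout is an assumed format.
SAMPLE_LOG = """\
2013-05-28T04:21:07Z 192.0.2.10 EHLO mail.example.org
2013-05-28T04:24:41Z 192.0.2.10 EHLO mail.example.net
2013-05-28T04:29:02Z 192.0.2.10 HELO WINBOX01
2013-05-28T04:30:15Z 198.51.100.7 EHLO mail01.example.com
2013-05-28T04:33:48Z 198.51.100.7 EHLO mail01.example.com
2013-05-28T04:35:10Z 203.0.113.5 HELO [203.0.113.5]
2013-05-28T04:36:30Z 203.0.113.9 HELO 203.0.113.9
"""
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(?:EHLO|HELO)\s+(\S+)$", re.I)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def helo_is_valid(name):
    """True for a bracketed IP address literal or a dotted FQDN."""
    if name.startswith("[") and name.endswith("]"):
        return _is_ip(name[1:-1])
    if _is_ip(name):  # a bare IP without square brackets is not acceptable
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def audit(log_text):
    """Report each IP that used more than one HELO name or any invalid one."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    report = {}
    for ip, names in seen.items():
        invalid = sorted(n for n in names if not helo_is_valid(n))
        if len(names) > 1 or invalid:
            report[ip] = {"names": sorted(names), "invalid": invalid}
    return report
```

Calling `audit(SAMPLE_LOG)` flags 192.0.2.10 (three names, one without a dot) and 203.0.113.9 (bare IP), while the consistently named 198.51.100.7 and the bracketed literal pass.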
