Blocked IP address can still deliver spam to server

Posted: 09 Nov 2024, 18:44
by TheTechGuide
WHM 118.0.25
Almalinux 8.10.0 kvm
CSF 14.22, mailscanner 5.4.4 w/ MSFE 9.26

I have blocked the IP address 128.245.64.22 in CSF:
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 128.245.64.22 in iptables
IPSET: Set:chain_DENY Match:128.245.64.22 Setting: File:/etc/csf/csf.deny
Permanent Blocks (csf.deny): 128.245.0.0/16 # do not delete

And yet spammers are still able to connect to the server on port 25 and deliver spam, as shown by these exim_mainlog entries:
2024-11-09 09:35:21 1t9oQh-000xLF-2k <= bounce-1814_HTML-221471046-284015-514018632-0@bounce.s11.exacttarget.com H=mta2.email.cryptotradersalliance.com [128.245.64.22]:46059 I=[xxx.xxx.xxx.xxx]:25 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=22815 id=31d5de85-283a-45c5-ad2f-83c45a31a422@atl1s11mta828.xt.local T="\320\222r\320\265\320\260k\321\226ng: \320\222\321\226d\320\265n's m\320\265nt\320\260l f\320\260\321\201\321\226lit\321\226\320\265s f\320\260\321\226l\320\265d h\321\226m \320\260g\320\260\321\226n\342\200\246" from <bounce-1814_HTML-221471046-284015-514018632-0@bounce.s11.exacttarget.com> for xxx@xxx.com
2024-11-09 09:35:21 SMTP connection from mta2.email.cryptotradersalliance.com [128.245.64.22]:46059 I=xxx.xxx.xxx.xxx]:25 closed by QUIT

I thought that maybe CSF was being restarted by a script or a server reboot or something, so ipset and iptables were temporarily reloading and allowing the IP address to connect for a moment, but that is definitely not the case with this email. Also, I have added "do not delete" on the CSF block, so it should not be getting rotated out by IPs being added. And I have also tried just blocking the individual IP address rather than the CIDR, but the same issue occurs.

The spammers are using UTF encoding in the subject and From address, which is another issue (a SpamAssassin rule to tweak); nevertheless, the IP block should be working? Any idea how to troubleshoot this, or other logs to check? Thank you.
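One way to check the situation described in the post, added here as an example and not code from the thread: parse the csf.deny entries (including ones carrying a "# do not delete" comment) and list every SMTP connection in exim_mainlog whose source address falls inside a denied range. The file contents below are constructed inline to stand in for /etc/csf/csf.deny and the exim_mainlog.

```python
import ipaddress
import re

# Constructed sample data modelled on the post: one csf.deny entry and two exim_mainlog lines.
CSF_DENY = """\
# comments and blank lines are ignored
128.245.0.0/16 # do not delete
203.0.113.7
"""

EXIM_MAINLOG = """\
2024-11-09 09:35:21 SMTP connection from mta2.email.cryptotradersalliance.com [128.245.64.22]:46059 I=[198.51.100.5]:25 closed by QUIT
2024-11-09 09:36:02 SMTP connection from mail.example.net [198.51.100.77]:51022 I=[198.51.100.5]:25 closed by QUIT
"""

# Timestamp, then the remote address in square brackets after "SMTP connection from".
CONN_RE = re.compile(r"^(\S+ \S+) SMTP connection from .*?\[([0-9a-fA-F.:]+)\]:\d+")


def parse_csf_deny(text):
    """Return the networks listed in csf.deny, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop trailing "# do not delete" style comments
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))  # bare IPs become /32 or /128
    return nets


def find_denied_connections(log_text, nets):
    """Return (timestamp, ip, matching_network) for each SMTP connection from a denied range."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, ip = m.group(1), ipaddress.ip_address(m.group(2))
        for net in nets:
            if ip in net:  # version mismatch (v4 address vs v6 network) simply yields False
                hits.append((ts, str(ip), str(net)))
                break
    return hits


if __name__ == "__main__":
    for ts, ip, net in find_denied_connections(EXIM_MAINLOG, parse_csf_deny(CSF_DENY)):
        print(f"{ts} connection from {ip} matches csf.deny entry {net} - block not enforced")
```

Any line it prints is a connection that reached Exim despite a matching csf.deny entry, which is the evidence to take to the firewall side (ipset membership, rule order, restarts) rather than to the mail filter.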

Re: Blocked IP address can still deliver spam to server

Posted: 12 Nov 2024, 20:40
by MetalSpike
Just a thought... Instead of using CSF, perhaps use Exim Configuration Manager and block the IP with "Blacklisted SMTP IP addresses."

Re: Blocked IP address can still deliver spam to server

Posted: 20 Nov 2024, 02:04
by Sergio
Or you can add that IP into cPHulk Black List.

Sergio