
Yahoo/Google mail servers getting blocked by CSF

Posted: 17 Sep 2013, 09:56
by benArrayx
Hi there, we have a cPanel server which is doing both mail and web hosting. We're finding that periodically Yahoo and Google mail servers are getting blocked, which stops Exim delivering mail to those servers, leading to it getting held up in the queue. Here's an example block of a Google server (1e100[dot]net) from this morning:


Time: Tue Sep 17 06:48:40 2013 +0100 
IP: 173.194.66.26 (US/United States/we-in-f26.1e100[dot]net) 
Hits: 11 
Blocked: Temporary Block 

Sample of block hits: 
Sep 17 06:47:31 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=39179 PROTO=TCP SPT=25 DPT=55997 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:34 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=136 TOS=0x00 PREC=0x00 TTL=49 ID=11564 PROTO=TCP SPT=25 DPT=56002 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:39 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=132 TOS=0x00 PREC=0x00 TTL=49 ID=62080 PROTO=TCP SPT=25 DPT=56007 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:41 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=39179 PROTO=TCP SPT=25 DPT=55997 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:44 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=136 TOS=0x00 PREC=0x00 TTL=49 ID=11565 PROTO=TCP SPT=25 DPT=56002 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:46 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=7260 PROTO=TCP SPT=25 DPT=56017 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:49 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=132 TOS=0x00 PREC=0x00 TTL=49 ID=62080 PROTO=TCP SPT=25 DPT=56007 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:47:56 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=7260 PROTO=TCP SPT=25 DPT=56017 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:48:13 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=133 TOS=0x00 PREC=0x00 TTL=49 ID=21903 PROTO=TCP SPT=25 DPT=56036 WINDOW=1002 RES=0x00 ACK PSH URGP=0 
Sep 17 06:48:27 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=133 TOS=0x00 PREC=0x00 TTL=49 ID=49961 PROTO=TCP SPT=25 DPT=56058 WINDOW=992 RES=0x00 ACK PSH URGP=0 
Sep 17 06:48:37 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=133 TOS=0x00 PREC=0x00 TTL=49 ID=49961 PROTO=TCP SPT=25 DPT=56058 WINDOW=992 RES=0x00 ACK PSH URGP=0
I don't understand why their server is probing us on these weird destination ports 560??. Other blocks are set up due to invalid packets on similarly odd port ranges.

Can anyone help me understand what's going on here? And ideally, how to stop it since it's affecting our mail delivery to Yahoo and Google?

AHA, Ben
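A note on reading the block above: every logged packet has SPT=25 and a high-numbered DPT, so the remote host is the SMTP server side and the destination is an ephemeral port on this server. These are replies into SMTP sessions that Exim on this host opened, not probes of the host's ports; INV_NOSYN means the packet carried no SYN and did not match an existing connection-tracking entry, so each one counts as a hit. The script below is an added example (not part of the post, and not csf's own code) that parses such kernel firewall lines and separates replies to the host's own outbound sessions from genuine inbound connection attempts, and also counts retransmitted segments that inflate the hit total. The ephemeral port floor, the set of service ports, the block threshold of 10 and the 198.51.100.7 probe line are assumptions or constructed data; the 173.194.66.26 lines are the ones quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumptions (not from the post): Linux's default ephemeral port range starts at
# 32768, and these are the well-known service ports this host connects out to.
EPHEMERAL_MIN = 32768
KNOWN_SERVER_PORTS = {25, 465, 587, 80, 443}
# Constructed threshold: the post shows "Hits: 11" leading to a temporary block,
# so 10 is used here as the hypothetical trigger count.
BLOCK_THRESHOLD = 10

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Firewall: "
    r"\*(?P<rule>[^*]+)\* (?P<rest>.*)$"
)


@dataclass
class FwEvent:
    ts: str
    rule: str
    fields: dict   # KEY=VALUE tokens such as SRC, DST, SPT, DPT, ID, LEN
    flags: list    # bare TCP flag tokens such as ACK, PSH, SYN


def parse_line(line):
    """Parse one csf/iptables kernel log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val          # "OUT=" yields an empty string, which is fine
        else:
            flags.append(tok)
    return FwEvent(m.group("ts"), m.group("rule"), fields, flags)


def classify(ev):
    """Label why the packet was logged, using only the rule name, ports and flags."""
    if ev.fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt = int(ev.fields["SPT"]), int(ev.fields["DPT"])
    if (ev.rule == "INV_NOSYN" and "SYN" not in ev.flags
            and spt in KNOWN_SERVER_PORTS and dpt >= EPHEMERAL_MIN):
        # Service port on the remote side, ephemeral port on ours: this packet
        # belongs to a session this host opened, not to a probe of its ports.
        return "reply-to-our-outbound-session"
    if "SYN" in ev.flags and "ACK" not in ev.flags:
        return "inbound-connection-attempt"
    return "other"


def triage(lines):
    """Per source IP: hit count, labels, retransmits, and whether the
    constructed threshold would be crossed."""
    per_src, seen = {}, set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev.fields.get("SRC", "?")
        entry = per_src.setdefault(src, {"hits": 0, "labels": Counter(), "retransmits": 0})
        entry["hits"] += 1
        entry["labels"][classify(ev)] += 1
        # Same IP ID, ports and length seen again from one source is a TCP
        # retransmission, so one dropped segment can count as several "hits".
        key = (src, ev.fields.get("ID"), ev.fields.get("SPT"),
               ev.fields.get("DPT"), ev.fields.get("LEN"))
        if key in seen:
            entry["retransmits"] += 1
        seen.add(key)
    for entry in per_src.values():
        entry["would_block"] = entry["hits"] > BLOCK_THRESHOLD
    return per_src


# The eleven 173.194.66.26 lines are quoted from the post; the final
# 198.51.100.7 line is a constructed inbound SYN for contrast.
SAMPLE_LOG = """
Sep 17 06:47:31 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=39179 PROTO=TCP SPT=25 DPT=55997 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:34 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=136 TOS=0x00 PREC=0x00 TTL=49 ID=11564 PROTO=TCP SPT=25 DPT=56002 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:39 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=132 TOS=0x00 PREC=0x00 TTL=49 ID=62080 PROTO=TCP SPT=25 DPT=56007 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:41 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=39179 PROTO=TCP SPT=25 DPT=55997 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:44 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=136 TOS=0x00 PREC=0x00 TTL=49 ID=11565 PROTO=TCP SPT=25 DPT=56002 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:46 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=7260 PROTO=TCP SPT=25 DPT=56017 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:49 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=132 TOS=0x00 PREC=0x00 TTL=49 ID=62080 PROTO=TCP SPT=25 DPT=56007 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:47:56 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=135 TOS=0x00 PREC=0x00 TTL=49 ID=7260 PROTO=TCP SPT=25 DPT=56017 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:48:13 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=133 TOS=0x00 PREC=0x00 TTL=49 ID=21903 PROTO=TCP SPT=25 DPT=56036 WINDOW=1002 RES=0x00 ACK PSH URGP=0
Sep 17 06:48:27 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=133 TOS=0x00 PREC=0x00 TTL=49 ID=49961 PROTO=TCP SPT=25 DPT=56058 WINDOW=992 RES=0x00 ACK PSH URGP=0
Sep 17 06:48:37 {server} kernel: Firewall: *INV_NOSYN* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=173.194.66.26 DST={serverIP} LEN=133 TOS=0x00 PREC=0x00 TTL=49 ID=49961 PROTO=TCP SPT=25 DPT=56058 WINDOW=992 RES=0x00 ACK PSH URGP=0
Sep 17 06:50:02 {server} kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=198.51.100.7 DST={serverIP} LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG.splitlines()).items():
        print(src, dict(info["labels"]), "retransmits=%d" % info["retransmits"],
              "would_block=%s" % info["would_block"])
```

Run against the quoted lines, the Google source shows all eleven hits labelled as replies to the host's own outbound sessions, four of them retransmissions of segments already seen, while the constructed 198.51.100.7 line is the only genuine inbound connection attempt. That split is the first thing to establish before deciding whether a block on a mail peer was justified.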

Re: Yahoo/Google mail servers getting blocked by CSF

Posted: 08 Oct 2013, 09:55
by benArrayx
Seems like this question is answered here: http://forum DOT configserver DOT com/viewtopic.php?p=6720#p6720