Aug 28, 2007
For the last month I've had problems with my VPS being blacklisted, and it always seems to be around the same time of day.
Anyway, the VPS is managed, but it's a right pain in the backside getting support to deal with the problem for me and sort it out. I get answers like "It's a PHP script", and when I ask which script they say they can't find out.
After getting advice from people on this forum, I asked support to set up exim so that it recorded the folder of any scripts sending out mail, but when I run grep to show any exim_mainlog entries with cwd= there is very little appearing apart from genuine mails being sent by contact forms on websites.
I managed to get evidence of a mail which caused the server to be blacklisted and sent this to support, who said the mails are being sent via header injection on contact scripts, so I've gone through the contact scripts and changed them, but again, still blacklisted.
I may be wrong here, but surely if someone was doing mail injection then I would be receiving copies of the mail myself as the website mails me with the enquiry, and also surely the exim_mainlog would show the folder containing the script as sending mails... but it doesn't.
I'm completely lost here; somehow mail is being sent from the server, whether it be via a script or what, but I can't (and neither can support) determine the exact script that is sending mail.
Here is a snippet of the exim_mainlog from around the time the evidence mail was sent.
Code:
Aug 25 21:59:40 awt spamd[5164]: spamd: checking message <16291601c7e75a$d5a016e0$0d4cb34c@ALLEN> for thegran:32010
Aug 25 21:59:46 awt spamd[23731]: spamd: connection from localhost [127.0.0.1] at port 47366
Aug 25 21:59:46 awt spamd[23731]: spamd: setuid to libraifa succeeded
Aug 25 21:59:46 awt spamd[23731]: spamd: checking message <494307824222.548029453854@flcjn.net> for libraifa:32006
Aug 25 21:59:48 awt spamd[5164]: spamd: identified spam (17.1/5.0) for thegran:32010 in 7.7 seconds, 1050 bytes.
Aug 25 21:59:48 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL scantime=7.7,size=1050,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47347,mid=<16291601c7e75a$d5a016e0$0d4cb34c@ALLEN>,bayes=1.000000,autolearn=spam
Aug 25 21:59:48 awt spamd[28500]: prefork: child states: IB
Aug 25 21:59:52 awt spamd[23731]: spamd: identified spam (12.3/2.5) for libraifa:32006 in 6.4 seconds, 6742 bytes.
Aug 25 21:59:52 awt spamd[23731]: spamd: result: Y 12 - AXB_XMID_1212,BAYES_60,EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE scantime=6.4,size=6742,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=47366,mid=<494307824222.548029453854@flcjn.net>,bayes=0.654621,autolearn=no
Aug 25 21:59:52 awt spamd[28500]: prefork: child states: II
Aug 25 21:59:53 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
Aug 25 21:59:56 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=39944, rcvd=56, sent=40746, time=3
Aug 25 22:04:12 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 48176
Aug 25 22:04:12 awt spamd[5164]: spamd: setuid to libraifa succeeded
Aug 25 22:04:12 awt spamd[5164]: spamd: checking message <E1IP2ng-0002eI-Eg@wear.readytogo.net> for libraifa:32006
Aug 25 22:04:20 awt spamd[5164]: spamd: clean message (-2.6/2.5) for libraifa:32006 in 7.6 seconds, 1827 bytes.
Aug 25 22:04:20 awt spamd[5164]: spamd: result: . -2 - AWL,BAYES_00 scantime=7.6,size=1827,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=48176,mid=<E1IP2ng-0002eI-Eg@wear.readytogo.net>,bayes=0.000000,autolearn=ham
Aug 25 22:04:20 awt spamd[28500]: prefork: child states: II
Aug 25 22:09:29 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 49145
Aug 25 22:09:29 awt spamd[5164]: spamd: setuid to gbtravel succeeded
Aug 25 22:09:29 awt spamd[5164]: spamd: checking message <putcgcbfbhamfer@fruitpads.com> for gbtravel:32017
Aug 25 22:09:39 awt spamd[5164]: spamd: identified spam (12.6/5.0) for gbtravel:32017 in 10.2 seconds, 5003 bytes.
Aug 25 22:09:39 awt spamd[5164]: spamd: result: Y 12 - BAYES_99,HTML_IMAGE_ONLY_32,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MSGID_SPAM_LETTERS,SPF_PASS,TVD_RATWARE_MSGID_02,URIBL_BLACK,URI_NOVOWEL scantime=10.2,size=5003,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=49145,mid=<putcgcbfbhamfer@fruitpads.com>,bayes=1.000000,autolearn=no
Aug 25 22:09:39 awt spamd[28500]: prefork: child states: II
Aug 25 22:10:06 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
Aug 25 22:10:07 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=0, rcvd=12, sent=39, time=1
Aug 25 22:11:27 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 49520
Aug 25 22:11:27 awt spamd[5164]: spamd: setuid to libraifa succeeded
Aug 25 22:11:27 awt spamd[5164]: spamd: checking message <000601c7e75c$894ed180$0100007f@fpviosw> for libraifa:32006
Aug 25 22:11:36 awt spamd[5164]: spamd: identified spam (16.3/2.5) for libraifa:32006 in 8.5 seconds, 19328 bytes.
Aug 25 22:11:36 awt spamd[5164]: spamd: result: Y 16 - BAYES_60,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,SHORT_HELO_AND_INLINE_IMAGE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.5,size=19328,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=49520,mid=<000601c7e75c$894ed180$0100007f@fpviosw>,bayes=0.726583,autolearn=spam
Aug 25 22:11:36 awt spamd[28500]: prefork: child states: II
Aug 25 22:16:17 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 50217
Aug 25 22:16:17 awt spamd[5164]: spamd: setuid to sr8 succeeded
Aug 25 22:16:17 awt spamd[5164]: spamd: checking message <984907979.55364767348457@utsc.utoronto.ca> for sr8:32004
Aug 25 22:16:26 awt spamd[5164]: spamd: identified spam (12.9/5.0) for sr8:32004 in 9.3 seconds, 9431 bytes.
Aug 25 22:16:26 awt spamd[5164]: spamd: result: Y 12 - DATE_IN_FUTURE_03_06,FH_HELO_EQ_D_D_D_D,FUZZY_CREDIT,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,HTML_OBFUSCATE_10_20,MIME_HTML_ONLY,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_RCVD_IP scantime=9.3,size=9431,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50217,mid=<984907979.55364767348457@utsc.utoronto.ca>,autolearn=spam
Aug 25 22:16:26 awt spamd[28500]: prefork: child states: II
Aug 25 22:19:29 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
Aug 25 22:19:29 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=0, rcvd=12, sent=39, time=0
Aug 25 22:20:33 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 51016
Aug 25 22:20:33 awt spamd[5164]: spamd: setuid to thegran succeeded
Aug 25 22:20:33 awt spamd[5164]: spamd: checking message <21ecc01c7e75d$bbd32420$2f01a8c0@windowsa607f1d> for thegran:32010
Aug 25 22:20:41 awt spamd[5164]: spamd: identified spam (17.5/5.0) for thegran:32010 in 8.1 seconds, 1174 bytes.
Aug 25 22:20:41 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FH_HOST_EQ_VERIZON_P,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_RED,URIBL_RHS_DOB scantime=8.1,size=1174,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51016,mid=<21ecc01c7e75d$bbd32420$2f01a8c0@windowsa607f1d>,bayes=0.999360,autolearn=spam
Aug 25 22:20:41 awt spamd[28500]: prefork: child states: II
Aug 25 22:26:21 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 51946
Aug 25 22:26:21 awt spamd[5164]: spamd: setuid to gbtravel succeeded
Aug 25 22:26:21 awt spamd[5164]: spamd: checking message <264166.236793146.1188032962@ourfirststep.net> for gbtravel:32017
Aug 25 22:26:30 awt spamd[5164]: spamd: identified spam (7.1/5.0) for gbtravel:32017 in 9.2 seconds, 6091 bytes.
Aug 25 22:26:30 awt spamd[5164]: spamd: result: Y 7 - AWL,BAYES_50,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_TAG_BALANCE_HEAD,MPART_ALT_DIFF,SPF_PASS,URIBL_BLACK,URIBL_JP_SURBL scantime=9.2,size=6091,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51946,mid=<264166.236793146.1188032962@ourfirststep.net>,bayes=0.592462,autolearn=no
Aug 25 22:26:30 awt spamd[28500]: prefork: child states: II
Aug 25 22:34:09 awt pop3d: LOGIN, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74]
Aug 25 22:34:10 awt pop3d: LOGOUT, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74], top=0, retr=2252, rcvd=50, sent=2521, time=1
Aug 25 22:51:28 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 55911
Aug 25 22:51:28 awt spamd[5164]: spamd: setuid to libraifa succeeded
Aug 25 22:51:28 awt spamd[5164]: spamd: checking message <3235985408.20070825170556@qmuqybrxw> for libraifa:32006
Aug 25 22:51:35 awt spamd[5164]: spamd: identified spam (9.8/2.5) for libraifa:32006 in 7.2 seconds, 836 bytes.
Aug 25 22:51:35 awt spamd[5164]: spamd: result: Y 9 - BAYES_99,RDNS_NONE,SPF_HELO_NEUTRAL,SPF_NEUTRAL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=7.2,size=836,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=55911,mid=<3235985408.20070825170556@qmuqybrxw>,bayes=1.000000,autolearn=no
Aug 25 22:51:35 awt spamd[28500]: prefork: child states: II
Aug 25 22:54:30 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56343
Aug 25 22:54:30 awt spamd[5164]: spamd: setuid to sr8 succeeded
Aug 25 22:54:30 awt spamd[5164]: spamd: checking message <8678967196.190217665470@yahoo.com> for sr8:32004
Aug 25 22:54:37 awt spamd[5164]: spamd: identified spam (14.0/5.0) for sr8:32004 in 6.9 seconds, 847 bytes.
Aug 25 22:54:37 awt spamd[5164]: spamd: result: Y 14 - FORGED_YAHOO_RCVD,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,REPTO_QUOTE_YAHOO,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=6.9,size=847,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56343,mid=<8678967196.190217665470@yahoo.com>,autolearn=spam
Aug 25 22:54:37 awt spamd[28500]: prefork: child states: II
Aug 25 22:57:06 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56732
Aug 25 22:57:06 awt spamd[5164]: spamd: setuid to thegran succeeded
Aug 25 22:57:06 awt spamd[5164]: spamd: checking message <1IP4?n-000NOC-YL@pool-72-82-6-40.prvdri.east.verizon.net> for thegran:32010
Aug 25 22:57:14 awt spamd[5164]: spamd: identified spam (13.8/5.0) for thegran:32010 in 8.3 seconds, 1185 bytes.
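An added example, not code from the original post or from exim, cPanel or any contact script mentioned there. The post describes two things: asking support to make exim record the folder a sending script runs from (exim does this when built with `log_selector = +arguments`, which writes a `cwd=... N args: ...` line for every invocation of the sendmail binary), and support's claim that mail is leaving via header injection in contact forms. The block below parses constructed `cwd=` lines of that shape and tallies which directory keeps calling sendmail, then shows the vulnerable header-building pattern beside a hardened one that rejects CR/LF in form fields. The log lines, paths and addresses are invented for the example; the spamd lines pasted in the post are SpamAssassin scan results and are a different log format from the `cwd=` lines handled here.

```python
import re
from collections import Counter

# Constructed sample of what exim writes to exim_mainlog once it runs with
# "log_selector = +arguments": every invocation of the sendmail binary is
# logged with the caller's working directory (cwd=) and its argv. These lines
# are invented for this example; the paths and users are hypothetical.
SAMPLE_EXIM_MAINLOG = """\
2007-08-25 21:58:02 cwd=/home/gbtravel/public_html 4 args: /usr/sbin/sendmail -t -i -fnobody@localhost
2007-08-25 21:58:03 cwd=/home/libraifa/public_html/contact 4 args: /usr/sbin/sendmail -t -i -fnobody@localhost
2007-08-25 21:58:05 cwd=/home/gbtravel/public_html 4 args: /usr/sbin/sendmail -t -i -fnobody@localhost
2007-08-25 21:58:07 cwd=/home/gbtravel/public_html 4 args: /usr/sbin/sendmail -t -i -fnobody@localhost
2007-08-25 21:58:09 cwd=/ 3 args: /usr/sbin/exim -bd -q15m
2007-08-25 21:59:40 1IP2ng-0002eI-Eg <= andrew@example.invalid H=localhost [127.0.0.1] P=esmtp S=1827
"""

CWD_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<argv>.*)$"
)


def sendmail_callers(log_text):
    """Tally, per working directory, how often a script invoked sendmail.

    Only cwd= lines whose argv[0] is the sendmail binary are counted; the
    daemon's own startup line (argv[0] is exim) and ordinary message lines are
    ignored. The directory with the most calls in the window when the spam
    went out is where to start looking for the script.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_LINE.match(line)
        if m and m.group("argv").split()[0].endswith("sendmail"):
            counts[m.group("cwd")] += 1
    return counts


def has_header_injection(value):
    """True if a form field could smuggle extra header lines into a mail.

    Header injection puts CR or LF into a value the script drops straight into
    a header (From:, Subject:, the extra-headers argument of mail()); whatever
    follows the newline is parsed by the MTA as a new header such as Bcc:.
    """
    return "\r" in value or "\n" in value or "\x00" in value


def vulnerable_headers(name, email, subject):
    """Insecure pattern: user input concatenated into header lines unchecked."""
    return "From: %s <%s>\r\nSubject: %s\r\n" % (name, email, subject)


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def safe_headers(name, email, subject):
    """Hardened version: every field must be a single header line and the reply
    address must look like one plain address. Raises ValueError on an
    injection attempt instead of building the headers."""
    for field in (name, email, subject):
        if has_header_injection(field):
            raise ValueError("newline in mail header field")
    if not EMAIL_RE.match(email):
        raise ValueError("reply address is not a plain address")
    return "From: %s <%s>\r\nSubject: %s\r\n" % (name, email, subject)


def accept_submission(name, email, subject):
    """Return the header block if the submission is safe, else None (drop it)."""
    try:
        return safe_headers(name, email, subject)
    except ValueError:
        return None


if __name__ == "__main__":
    for cwd, n in sendmail_callers(SAMPLE_EXIM_MAINLOG).most_common():
        print("%4d  %s" % (n, cwd))
    payload = "bob\r\nBcc: victim1@example.invalid, victim2@example.invalid"
    print(vulnerable_headers(payload, "bob@example.invalid", "hi"))
    print("hardened accepts payload:", accept_submission(payload, "bob@example.invalid", "hi"))
```

Note that a contact form hardened this way still mails the site owner a copy of every genuine enquiry; what it stops is the attacker appending their own recipients. If the tally of `cwd=` callers stays empty while spam keeps leaving, the sending path is not going through the sendmail binary at all (for example a script speaking SMTP directly to port 25), and the `cwd=` logging will never show it.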
Jun 23, 2009
Fivebean.com VPS -
Although the domain was registered on 4/15/08, I could find next to nothing on WHT or the 'net in general in the way of reviews on FiveBean. Saw a lot of specials and things they have been running off and on at different venues and boards, but couldn't find a review to save my life. I did search pretty thoroughly. No web cache on web.archive.org either.
So, I'll be the first to post one (that I know of), with a special they are offering, it's very affordable, if the service turns out to be good enough, then I have another node at a great price :). The more, the merrier. Win / Win 4 all.
(FiveBean also offers shared hosting, so not exclusively a VPS provider.)
Hardware nodes –
From their site:
“VPS Nodes are built with Intel Core2 Quad Processors, Premium SATA Disks and RAID Protection powered by CentOS 5.x and MoxieVM. Each VPS server is backed up daily and we provide 2 full backups to our customers.”
Although I never rely on provider’s backups, it’s good to see them offered as standard. Could come in handy.
They offer 5 plans; I ordered the middle-of-the-road "Starter". All VPSs appear to be OpenVZ based.
Ordered Plan -
512M / 1G burst
40G HDD
450G BW
1 IP
CentOS 5 for initial load
Initial order, small issue -
Placed order at about midnight, got my welcome email at 7:40 AM.
One issue was, I did not receive any emails from their ordering system, other than the PayPal-originating receipt. The emails were listed under the Client Area, so I still had access to read. Since I own and admin my own mail servers, I checked logs -
Emails from ordering system were sent from a non-FQDN domain.
From SMTP logfile:
RECEIVED: MAIL FROM:<fivebean@kona> SIZE=3560
Mail server rejected because of the incomplete domain.
This appeared to be an issue with the sign-up process only. All support ticket replies came from a FQDN. I described this problem in a support ticket, curious to see if they really do look at and fix it. Maybe on my second order?
Everything initially ordered during the process was delivered, with no follow-ups required to correct anything. That's a little rare, from my experiences.
They offer online chat support, but have not caught it online as of yet, although I haven’t checked before 9PM on any given day, so not a fair eval on that aspect. FWIW.
- On to the goodies -
Control panel -
Apparently, FiveBean previously used HyperVM, but has since disabled and rolled out their own self-spun VM manager, "moxieVM". It's a simple, yet effective, web interface that allows me to do everything I need to, and everything works. That's always a good plus!
moxieVM control panel contains the following:
VPS list facility / user profile control / pass reset
VPS Controls -- Reboot / Start / Stop / Rebuild OS / Set Reverse DNS
Report (simple) shows -- OS currently installed / Monthly BW Usage total / Current Memory Usage / Action Log of previous control commands
Noteworthy - when you select "reboot / start / stop" there is no confirmation, action is queued and executed immediately. Good info to know.
Rebuilds -
FiveBean offers 13 OS rebuild options w/ 6 flavors - Ubuntu / Suse / Slackware / Fedora / Debian / CentOS, 32/64bit in most.
Reload of OS (From CentOS 5 to Fedora 10) took about 4 minutes. Note - keep your original root login password! On OS reload, the pass is reset to the original you receive in your VPS welcome email, NOT whatever you have currently changed it to. I can see this being an issue if it’s been a while since you have reloaded and end up digging out the old email. A little different than HyperVM.
Network -
Ping times are consistently 15-16ms from/to Austin, 21ms from/to Atlanta, 12-18ms from/to Kansas City, MO. Traceroute to node (69.162.118.226) puts them behind Limestone Networks in Dallas, TX.
One thing I can report, their network seems to be very peppy. I've had a hard time hitting anything from / to the VPS with more than 20ms. I haven't seen a 30ms yet. From anywhere. And I have VPSs from coast to coast.
VPS / Initial Order-
Hostname was set properly right off the bat, both initially and on OS reloads.
Reverse DNS PTR self-set worked without having to put in a ticket, a first for sure! I just entered the rDNS PTR I required, waited about an hour, and it was set and propagated, ready to go. No muss, no fuss.
Although I haven't put any load on the system, the CLI is responding very fast, and pings / traces / nslookups are very quick (as stated above).
The only issue at all so far was the aforementioned order response email non-FQDN flurb. But, stuff happens. Small beans (pun intended).
AUP
No porn, excessive violence, hate, deception, illegal
IRC that causes no disturbances is allowed. I really prefer non-IRC networks, but they have a long lecture about it in the AUP, so it appears they watch activity pretty close.
Nuts n Bolts -
Benchmark
(benchmark is on newly loaded system, minimal install FC 10, no load)
------------------
INDEX VALUES
TEST                                        BASELINE       RESULT    INDEX
Dhrystone 2 using register variables        376783.7   11243614.3    298.4
Double-Precision Whetstone                      83.1       1239.4    149.1
Execl Throughput                               188.3       5574.6    296.0
File Copy 1024 bufsize 2000 maxblocks         2672.0     127493.0    477.1
File Copy 256 bufsize 500 maxblocks           1077.0      48517.0    450.5
File Read 4096 bufsize 8000 maxblocks        15382.0     803836.0    522.6
Pipe-based Context Switching                 15448.6     509724.8    329.9
Pipe Throughput                             111814.6    1790127.7    160.1
Process Creation                               569.3      16151.2    283.7
Shell Scripts (8 concurrent)                    44.8       1055.8    235.7
System Call Overhead                        114433.5    1246883.8    109.0
                                                                  =========
FINAL SCORE                                                           270.6
--------------------------------------------------------------------------------------------
Conclusions – so far, so good. I’m actually pretty impressed with everything I’ve seen up to this point. I’m planning on putting the server under load as a backend node of a busy website’s load balancer. I’ll post follow ups as we go along.