My IP Is Listed At Block.blars.org // Spammers.v6net.org
Jul 26, 2007
My IP 69.65.102.49 seems to have been listed in this set of RBLs
(block.blars.org, spammers.v6net.org) any ideas on how to get off them?
I have been told that these blacklists are not mainstream however
it is really a mess that they are used by hotmail.com for instance...
View 1 Replies
ADVERTISEMENT
Mar 13, 2007
On my domain access logs, I see a spammer using many different IPs to join my top site list with fake emails. At the end of every line, it contains I am SPAMER! How can I configure htaccess to block this spammer when a request contains that text?
View 3 Replies
View Related
Dec 1, 2007
4 times already this month we been listed by CBL
i cant for the life of me figure out why!
IP Address XX.XX.XX.XX was found in the CBL.
It was detected at 2007-11-30 16:00 GMT (+/- 30 minutes), approximately 17 hours, 30 minutes ago.
It has been relisted following a previous removal at 2007-11-25 23:59 GMT
I emailed them and it seems i get an autoresponse which makes no sense they reply me the following:
The IP was detected most recently at:
2007:11:20 ~21:00 UTC+/- 15 minutes (approximately 18 hours ago)
sending email in such a way as to strongly indicate that the IP itself
was operating an open http or socks proxy, or a trojan spam package.
In short, this IP is impersonating being a machine we know it _cannot_
be. No properly configured mail server does this under any circumstances.
You will need to examine the machine for a spam trojan or open
proxy. Up-to-date anti-virus tools are essential.
If the IP is a NAT firewall, we strongly recommend configuring the
firewall to prevent machines on your network connecting to the Internet
on port 25, except for machines that are supposed to be mail servers.
Software notes: If you are running Email Architect, set the
"Masqueraded domain" in SMTP service to be the fully qualified
domain name for the machine.
If you are using an Internet Security Systems firewall (eg:
Proventia M10), please contact ISS and obtain new firmware.
They are aware of issues with the CBL. The firmware version
that fixes this bug is, we believe, "3.5" (at least for
the M10).
Useful links:
[url]
[url](see "Securing your System" and "proxies")
[url]
For more information on securing NAT firewalls/gateways, please
see [url]
This entry has already been delisted from the CBL. Unless otherwise
stated, the CBL will relist this IP if the underlying issues are not
resolved, and the CBL detects the same thing again.
has anyone been in this problem before? ive got myself delisted but its just a pain keep waking up each morning to find this happening
is it possible that someoen who is accessing their email through outlook has a virus on their pc?
View 14 Replies
View Related
Jul 25, 2008
Which file can I find my nameservers listed in?
Godaddy was disallowing me to edit nameservers, so cPanel prevented me from setting up ns1.domain.com and ns2.domain.com, this has meant now I have a major problem: A client paid me to develop his site and he has now gone on holiday, he wanted it finished today but I can't put it online because he set the nameservers to ns1.domain.com ns2.domain.com whereas I have had to set up the nameservers as one.domain.com and two.domain.com due to godaddy disallowing me to create ns1 and ns2.
Now my question is: Is it possible to edit a config file that can set up NS1 and NS2 to work along side ONE and TWO? I'm using cPanel and I have root access.
View 7 Replies
View Related
Dec 7, 2007
They kindly provided me with timestamp as to when detection was happening and they sent me this description:
Timestamp: 2007-12-02 22:55:32
(ive attached the logs from below for around couople of minutes) If anyone knows how to solve this much appreicate it..or if anyone know what could be the issue!
In a nutshell, your IP is forging a well known domain as theEHLO/HELO - imagine connecting to, say aol.com and having your IPHELO as "apple.com". Understandably, when an IP connects to ourservers and presents such an obvious forgery, we're going to consider ita virus emitter or otherwise compromised.] This is what you need to keep in mind when you're trying to resolvesituations like this: 1) Our detections are based on port 25 SMTP connections your IP makesto one or more of our mail servers. The CBL listing _itself_ is theevidence/"proof"/log of the incident. We generally do not keep samples of CBL detections, because thevolumes are so horrendously high (presently more than 700,000detections per day). They never provide any additional information,because the headers, if any, are all fake anyway. In order to preserve the effectiveness of the CBL, informationbeyond what we've already given you will not be revealed.We can sometimes give additional information (eg: more precisetimestamps) if and only if we know it's necessary to find/fixthe problem. 2) The CBL detects suspicious SMTP activity, NOT spamming per-se. Inother words, the CBL detects email being sent in such a way as toindicate that the sender is compromised in some fashion into sendingviruses or spam.
As such, the CBL focuses on identifying how to prevent the behavior infuture, instead of, for example, identifying spammers that need to beterminated. Indeed, in the case of NAT firewalls, it is almost always impossiblefor us to precisely identify which machine behind your NAT is infected. Only your NAT logs (if you keep any and know what to look for) knowwhich machine is infected. In the case of NATs, our focus is on blocking the malicioustraffic getting to the Internet. We can give tips/pointers on howyou can identify specific infected machines behind a NAT, but ourpriority is to prevent _any_ infected machine behind your NATspewing junk to the Internet, because we know that for everyinfected machine you fix, another one (or more) will eventuallyspring up in its place, and we (and we suspect you) don't likeplaying a never-ending game of whack-a-mole. 3) The viruses we detect carry their own SMTP clients with them, and donot attempt to relay through your mail servers. Hence, email transitfilters (either inbound or outbound) on your mail servers can't help.Only AV scanning the infected machine does.
Similarly, the spamware (open proxy or spam trojan) we detect donot route through your mail servers either. 4) Most AV tools aren't very good at detecting/cleaning out establishedinfections. Especially those resulting from day-zero attacks.Particularly since many of these infections open back doors, and theoriginal infection vector downloads many pieces of software that _may_not be in themselves malware, just used in a malicious fashion. 5) The headers don't help at all. Since the virus/spamware has its ownclient, and doesn't pass through your server[s], the only thing knowableabout the virus/spamware is the peer (connection) address at therecipient's mail server - which is what we've listed - your NAT firewallif you have a NAT... Only your NAT firewall logs can tell you anydifferent. Short of AV scanning the infected machine, the only useable informationabout which machine is infected is in your NAT firewall logs - ifyou actually make any logs and keep them long enough. For the most part, then, a CBL listing of an IP means that the IPneeds to be fixed. If it's a NAT IP - port 25 blocking (and youcan find/fix the infected machine[s] at your leisure), if it's nota NAT - virus/malware eradication. 6) Outbound port 25 connection blocking on NAT firewalls (permittingonly your authorized mail servers) is the best solution for NATs. 7) If you have a NAT, once you've implemented port 25 blocking, younot only contain the viruses, your NAT firewall logs will immediatelytell you who is infected or is compromised with a spam trojan oropen proxy. 8) As far as we're aware, once port 25 blocking is instituted in ANAT, the only times people have continued to have trouble with CBLlistings is when the blocking wasn't working for some reason. Itwould be a good idea to test whether the blocking is in fact working.We have suggested procedures for this if you want - ask us.
2007-12-02 22:55:05 [19907] list matching forced to fail: failed to find host name for 201.58.9.244
2007-12-02 22:55:05 [9913] SMTP connection from [81.129.182.181]:60329 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:06 [9913] SMTP connection from [85.177.218.230]:9468 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:06 [19907] H=(20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 F=<vash989@lfcc.edu> rejected RCP$
2007-12-02 22:55:06 [19907] SMTP connection from (20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 closed by DROP$
2007-12-02 22:55:07 [19908] ident connection to 71.217.38.129 timed out
2007-12-02 22:55:07 [19909] ident connection to 81.129.182.181 timed out
2007-12-02 22:55:08 [9913] SMTP connection from [213.36.8.1]:3542 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:08 [19909] H=host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25 F=<markhuu.Fabris@$
2007-12-02 22:55:08 [19909] SMTP connection from host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25$
2007-12-02 22:55:09 [19910] H=e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 F=<Vesterinenowao@jcel.com> rejected RCP$
2007-12-02 22:55:09 [19910] SMTP connection from e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19908] H=71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 F=<0agwampler@rapidreply.net> rejected $
2007-12-02 22:55:09 [19908] SMTP connection from 71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19911] H=dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.237.199]:25 F=<Norbe$
2007-12-02 22:55:09 [19911] SMTP connection from dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.2$
2007-12-02 22:55:13 [9913] SMTP connection from [201.212.156.23]:51905 I=[69.16.237.199]:25 (TCP/IP connection count = 1)
2007-12-02 22:55:13 [9913] SMTP connection from [200.122.38.174]:1152 I=[69.16.237.199]:25 (TCP/IP connection count = 2)
2007-12-02 22:55:14 [9913] SMTP connection from [201.233.222.43]:2980 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:16 [19915] ident connection to 201.233.222.43 timed out
2007-12-02 22:55:17 [19915] H=cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.199]:25 F=<Chasityse$
2007-12-02 22:55:17 [19915] SMTP connection from cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.1$
2007-12-02 22:55:18 [19920] cwd=/home/annajwa/public_html/forum 2 args: /usr/sbin/sendmail bloochunc@bk.ru
2007-12-02 22:55:18 [19920] 1IyxiY-0005BI-5f <= annajwa@host.mpadc.com U=annajwa P=local S=747 T="Welcome to An- Najwa" from <annajwa@host.mp$
2007-12-02 22:55:18 [19921] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IyxiY-0005BI-5f
View 0 Replies
View Related
Aug 27, 2007
I have a server that keeps getting listed by DSBL. It is RHEL 3 running Plesk and Qmail. In the MAIL config SMTP relay is set to "Authorization is Required" and the SMTP box is checked. I have a couple other very similar server setups and they have never been listed, so I dont know why this one is. I suspect it may be a bug.
As for the last listing (yesterday) here is the exerpt from the maillog showing the SMTP relay
===================
Aug 26 13:36:48 slv3 qmail-queue[426]: scan: the message(drweb.tmp.0PW0bG) sent by nobody@cor.neva.ru to listme@listme.dsbl.org should be passed without checks, because contains uncheckable addresses
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: to=listme@listme.dsbl.org
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: recipient[3] = 'listme@listme.dsbl.org'
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: handlers dir = '/var/qmail//handlers/before-queue/recipient/listme@listme.dsbl.org'
Aug 26 13:36:48 slv3 qmail: 1188153408.989183 starting delivery 7244: msg 2327042 to remote listme@listme.dsbl.org
Aug 26 13:36:48 slv3 qmail-remote-handlers[430]: to=listme@listme.dsbl.org
===================
why my server is relaying?
View 6 Replies
View Related
Jul 7, 2007
I signed up with a new VPS provider and got three IPs and ordered an additional IPS. It turns out all six IPS were listed by SORBS as spam sources.
So I contact the provider and they give me one clean IP but I have to keep the remaining 5 SORBS marked spam IPs that I am going to use for nameservers and "reseller" account with nameservers.
My quetion is . . . is being marked by SORBS going to have any negative effect on my VPS? Alot of places will mention this when looking up a domain like Domain Tools and DNS Stuff, so is this going to make my web sites come off as spammers?
View 3 Replies
View Related
Jul 19, 2007
my server's Ip adresse was found listed at the CBL list.
check this out :
[url]
i think i'm listed for naming issue as they referred me to this page to solve the problem.
what should i do to correct the probleme i made some changes on /etc/hostname and etc/hosts and requested delisting but without positive results.
I'm On debian SARGE.
View 12 Replies
View Related
Jun 8, 2007
I did a site for a UK company that has a .com address, and for various reasons the site is hosted in the US. Unfortunately the site doesn't appear under the google search for pages in the UK.
One reason I chose the US hosting company is that they provide ColdFusion hosting, and my plan is to upgrade the site to use ColdFusion in the near future.
They do also have the .co.uk address registered, which is currently set to forward to the .com address, and that doesn't show up in google at all.
I'm thinking the solutions might be:
1) Move the .com hosting to the UK
2) Get additional hosting for the .co.uk address (uk mirror)
3) Both?
The company is based in the UK, and provides holidays in Montenegro, primarily aiming at the UK market.
When I originally looked into it I could not find a UK host that provided ColdFusion and mySQL 5 - and those that had ColdFusion and other database applicaitons were far more expensive than the US one we're using currently.
What would be the best way forward?
View 5 Replies
View Related
Jan 25, 2009
we have a dedicatd linux server. we use to send daily newsletters to our customers but for last few days, it looks like our mail server is sending out email to client's spam folder.
Is there any way to diagnose our mail server and find out if there is anything wrong or if our mail server has been black listed?
View 2 Replies
View Related
May 19, 2009
I would like to know there is any.
View 14 Replies
View Related
Jul 30, 2008
I just got a vps and I realised that all email sent to hotmail automatically goes into the spam box (until i approve an email address as being "safe").
I believe that hotmail's senderid and a spf record is the way to go
I have already submitted the senderid form saying i dont have an spf record
for the "domains to be added to the senderid program", i listed a couple of my domains.
1) do i still need an spf record?
2) in the future, will i need to tell customers to use outgoing mailservers under one of the domains i submitted (in the senderid form)?
View 5 Replies
View Related
Jun 24, 2008
Is it normal for dedicated server providers to give out IPs that are listed on spam database?
I was under the impression that they would check first before assigning it to new clients.
View 13 Replies
View Related
Oct 27, 2006
I installed chirpy's csf / lfd firewall and when starting firewall I get this
Error: IP [ipaddress] is listed twice in ifconfig!, at line 657
How do I fix this?
View 14 Replies
View Related
Feb 24, 2015
Plesk12 has been installed on Windows2012R2. In the Tools and Settings/Database Servers list we have
· Local MySQL server (default for MySQL)
· .MSSQLSERVER2012
· sql-db-1 (default for MS SQL)
We only expect to use the remote sql-db-1 database for user databases.
Can we delete the other 2 databases and is this recommended? Does the Local MySQL server contain the Plesk Management database/schema?
View 1 Replies
View Related
Oct 15, 2014
I'm looking for a way to get a report of the top domains that are continuously greylisted so I can determine which ones need to be put on the "domains- whitelist" because they use different IPs when resending, causing very long delays (hours/days/never) for each message sent.We're using Plesk11 on CentOS 6.4 with Postfix and the Plesk built-in Greylisting option enabled.
# /usr/local/psa/bin/grey_listing --info-server
Grey listing configuration.
Grey listing checking enabled
Grey interval 5 minutes
Expire interval 51840 minutes
Penalty interval 2 minutes
Penalty disabled
Personal grey listing
configuration allowed
[code]....
Black domains patterns list:
SUCCESS: Gathering of server wide information complete.Click to expand...
View 4 Replies
View Related
May 17, 2009
Any thoughts, or opinions are welcome. Looking for options on how to stop this.
Recently I've started receiving spam that appears to originate from a hosted domain on my VPS. It appears to only be an issue with this website account and not the VPS generally.
I've disabled the IMAP service to ensure the spam was not being sent from the server. The spam continues which leaves the POP email accounts as a possibility or something else.
My hosting provider says it looks like email spoofing.
Someone seems to be using the address at foobar.com to send out spam. The method that he has employed is called email spoofing. Email spoofing is the practice of changing your name in email so that it looks like the email came from somewhere or someone else. However, you need not be concerned.
Individuals, who are sending "junk" email or "SPAM", typically want the email to appear to be from an email address that may not exist. This way the email cannot be traced back to the originator. The spammer is not using our server to send out spam, hence your email address will never be blacklisted.
There is really no way to prevent receiving a spoofed email. Remember that although your email address may have been spoofed this does not mean that the spoofer has gained access to your mailbox.
The following are headers of two spam emails. Both of these addresses are setup as forwarders and not actual email accounts. The spam came to our attention because it is being sent to addresses on foobar.com with headers as also originating from foobar.com
I changed the actual names for privacy
host.vpsdomain.com [123.123.123.123] - VPS domain
foobar.com - website account on VPS
myemailaccount@gmail.com - address foobar forwarders send to
Delivered-To: myemailaccount@gmail.com .....
View 1 Replies
View Related
Jan 26, 2007
It looks like someone spammng from our server. I have checked exim_mainlog and got the this info.
2007-01-23 03:12:32 1H99Fz-0004wl-RV => erio@erio.com R=lookuphost T=remote_smtp H=mail.erio.com [217.220.27.241]
2007-01-23 03:12:40 1H99Fz-0004wl-RV => brown2525@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> beth46@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> dstanfie@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> harris3943@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> yumyyelow@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> gloverlm@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> debilu@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mosleyclan4@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> 61369@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> melabong@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> k_mcmull@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> anniern@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> bannaj1@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> lizzied@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> gillumd@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> pfeiferk36@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mommyof2@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> tongem@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> whitsonswrecker@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mmal63@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> goosynina1@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> malenat@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> jlhk@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> tawndawn@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> usnssn@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> crazybutcute0304@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> thomas0421@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mercibw@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> crouch1966@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> pj16@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> alba93@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> sassyd69@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> bettysue57@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> jimfiscus@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> nvonalme@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> breweragency@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> annaksimpson@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
In the log file is showing like this.
2007-01-22 19:11:24 1H99Fz-0004wm-Vp <= <> R=1H99Fz-0004wl-RV U=mailnull P=local S=605030
2007-01-22 19:11:24 1H99Fz-0004wl-RV <= stlawson100@yahoo.com.hk U=churchre P=local S=3558 id=23894.217.194.149.171.1169511083....el@65.xx.xx.xx
I couldn't find who is sending.
View 14 Replies
View Related
Dec 15, 2007
problem with spammers.. i installed bruteforce attack and apf but spammers still trying to use my mail server to spam.. bfa sending me 20-30 warning emails everyday like
Quote:
The remote system 200.83.230.214 was found to have exceeded acceptable login failures on xxxxxx; there was 62 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.
Executed ban command:
/etc/apf/apf -d 200.83.230.214 {bfd.exim}
The following are event logs from 200.83.230.214 on service exim (all time stamps are GMT -0600):
this spammers causing to load cpu very hi and freeze my server sometimes.
is there any way i can setup to only allow authenticated users to access the mail server. or any idea..
im not a hosting company hosting my websites and im a poor guy can't hire server admin.. and i have search it on google could'nt found anything..
View 5 Replies
View Related
Jun 30, 2008
I was wondering if anyone has any methods to stop spammers? Currently i am keeping watch on the mail queue and making sure nothing unsual. I have in WHM configuration setup to not allow more 200 mail messages per account per hour but for some reason it will hit thousands. WHMCS does seem to suspend them automatically or maybe its because of WHM BUT only when its too late.
Any thoughts or suggestions?
View 9 Replies
View Related
Nov 8, 2009
I have found some spammer hotlinking to my images to get his site crawled, I have modified the .htaccess to attempt and serve his hotlinking domain with a warning but it does not work...
My actual .htaccess file is the one below (it was created by wordpress automatically):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
I am adding these lines right below:
--------------------------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+.)?spammerdomain.com/ [NC,OR]
RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]
------------------------------------
My questions...
I dont kmow too much what I am doing, following the tutorial here, http://altlab.com/htaccess_tutorial.html but the problem is that my .htacces already contains something created by wordpress that to me looks like garbage as I don't understand the meaning.
I dont know if I should add the lines inside the <IfModule mod_write.c> or outside them as I have done.
I dont know if it is ok to have two times Rewrite Engine On
PS: When I added the lines I describe above, my site also stopped displaying the images, I had stopped everyone including myself from hotlinking them. I only want to stop certain domain. or even better, my ideal solution is to WHITELIST my domain names (I have two using hotlinkg to those images), but I will settle for blacklist if it is easier.
View 9 Replies
View Related
Jun 2, 2009
Have a persistent spammer who kept emailing my clients, even non existent domain accounts and getting the bounced emails to be send to a particular yahoo address. I tried to block in all ways but can't seem to stop him. His spams are from all over the world. Any suggestions?
View 3 Replies
View Related
Jun 3, 2007
I have someone on my server who likes to send spam emails. How would I go about catching this person?
View 13 Replies
View Related
Jan 29, 2008
I was on my visitors on AWstats, and when looking up most of the top IPs (the ones that viewed the most pages), most of them were associated with IANA, and tagged as spam/hacker IPs.
Of course, I've blocked all of those IPs with my .htaccess file, but how can I further protect my server from such threats? How can I rid my server of these spammers/hackers?
View 3 Replies
View Related
Apr 9, 2004
Someone posted some code similar to below, I made modifications or two after trying to detect PHP "nobody" users, after dumping a few printenv I found PHP exports PWD when calling an external program such sendmail. Basically the PWD will show the user directory that is coming from, which is enough to detect who is sending SPAM even as nobody! It's not 100% secure in that they could wipe /var/log/formmail but I don't imagine any spam will notice the logger, they presume any cPanel server (or other CP for that matter) is the same.
mv /usr/sbin/sendmail /usr/sbin/sendmail2
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail
echo > /var/log/formmail
chmod 777 /var/log/formail
#!/usr/local/bin/perl
# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME";
}
else {
print INFO "$date - $PWD - @info";
}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}
open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);
View 14 Replies
View Related
Jul 31, 2007
trying to find a spammer on my system, who just sent out and is still sending out 4000+ emails...
i have a centos vps with whm.
looked at exim_mainlog, there's nothign telling. the message body is visible, but the links it points to arent' hosted by me. there is no return address, its sending mail as nobody. phpsuexec is not an option.
View 6 Replies
View Related
May 14, 2007
I need to know the ways I can distinguish spammers on my server and how to stop spamming.
View 10 Replies
View Related
Nov 3, 2009
I have deciated windows 2008 server and from last 2 days there is some thing which is using our smtp server to send spam its like we get thousand of spam emails qued in our outbound que, although our security is really high, such as smtp authtenication (open relay) and other options are already enable and we ran anti virus scan too but nothing found.
I wonder if there is anyone else out there who face such problem and how did you stop?
View 6 Replies
View Related