My IP Is Listed At Block.blars.org // Spammers.v6net.org
My IP 69.65.102.49 seems to have been listed in this set of RBLs
(block.blars.org, spammers.v6net.org). Any ideas on how to get off them?
I have been told that these blacklists are not mainstream; however,
it is really a mess that they are used by hotmail.com, for instance...
Related Forum Messages:
3ix.org
I am hosting two websites with a hosting company - [url] They provide hosting for as low as $1 per month, and this was the reason I thought to host with them, just like thousands of other users who have hosted with them. I was stunned to see that my domains hosted with them have doorway subdomains with advertisements and malware. I checked my cPanel and amazingly there were actually no subdomains in cPanel. Those subdomains were actually created secretly through DNS entries by 3ix.org so that they can serve advertisements and malware without being caught by HOSTING USERS. So I did a reverse DNS lookup and found that all domains hosted by them are suffering from the same issue. They are cheating their users, and now all the sites hosted with them are in danger, as this will be considered spam by search engines and all sites can be banned anytime. I would strictly advise staying away from this web hosting company....
Cubichost.org Review
Day 1/2 - 18th August 2009. Signed up to VPS Mini with discount after reading an advert here. First problem on the first day, the IP and server information they gave me wouldn't work. "it was a routing issue, it was routing to another server. We fixed this and it should be working for you." This was fixed in ~24 hours, and then I had access. I struggled with the limited RAM, and OS, so I changed to Ubuntu and queried about cost to change RAM amount - decided not to and just used apache to run 4 websites.
Day 3 - 21st August 2009. System goes down, "Seemed like your ssh was not running; rebooted your vps now it looks good.", not quite sure on this - as I am quite experienced with *nix, and I don't see why "it wasn't running" but apache was. I suspect there was some routing problems somewhere, but either way, it was back up after approx 6 hours of non-ssh downtime.
Day 11 - 29th August 2009. Had some issues in the days previous - saw some threads here on WHT. Still decided to upgrade to premium - as was going to be running a demanding MySQL server. Payment taken on 4th September for upgrade, and all was OK!
Day ?? - 19th-21st (?) September 2009. Servers all went down, cubic host lost their IP range. Thread on forums somewhere about it. New IP allocation email received on ~24th, 2 days downtime, host unreachable.
October 3rd 2009. My VPS vanishes completely, along with all the data. IP resolves to a new server, with fresh apache install. I am unable to log into root. Their billing system had "messed up" during my upgrade:
Hey, The billing system say invoice #196 which was issued on 04/09/2009 is unpaid so the system automatically terminated your VPS after a period of non payment. I will confer with my partner that this invoice was in fact paid and will re activate your account. Regards, Gray F. CubicHost.org
They responded by saying my VPS had been set up again:
I created your VPS manually. And for the inconvenience can give you 2 months from this date FREE. Then you will not get an invoice until December 2nd
But, sadly, no backups had been kept on their end, and none of my websites or data was recoverable.
I was digging around and couldn't find any backups anywhere. The billing system did a good job of terminating, unfortunately. What I could do is provide you hypervm panel access where you are able to configure backups and such. Like I said, you have 2 months from today, on the house; if you wish to use them. username: andyross.vm password: 7HzYn6KXYm you have full reboot access, can change your hostname, and all sorts of the like - Cameron Cubichost.org - Innovative Solutions
October 12th 2009. Requested to close account obviously - as I had nothing left there now! Account appears to have been closed - could not log into cubichost.org, or their ticketing system - just email chains left.
October 18th 2009. Cubichost take a $5 payment from my account.
Dear Mr A P Ross, You sent $5.00 USD to Cubichost for a subscription payment.
Payment Details
Subscription name: Mr A P Ross
Transaction date: Oct 18, 2009
Transaction time: 05:40:22 PDT
Funding source: Credit Card
Subscription number: XXXX
exchange rate for this purchase is 1 GBP = 1.59235USD
I am not quite sure why they have charged me after my account has been closed, but either way, it's only $5.
Overview. Cubichost, whilst appearing cheap, and offering what at first may be a good service, in my experience has struggled with reliability and providing a good, consistent service. They managed to give me ~7 days downtime with no proactive communication (all communication was my end first noticing service was down), and then deleted all my data due to "a billing issue". They finally charged me $5 after my account was closed, for what I am not quite sure, but I don't fancy the effort of chasing.
3ix.org - What A Disappointment!
A few words of warning. I came across 3ix by googling the net. Compared it to a few others and thought, hey, they're cheap. I'll host my site with them. They offer a US $ 1 dollar package (minimum 6 months subscription) for a small site and US $ 3 package (minimum 6 months subscription). I chose the US $ 3 a month subscription which equals US $ 18 a month. The reason I chose the $3 package over the $1 package is because I was and still am pretty clueless as to how to design my site, and the $3 deal came with a site builder called "Click Be" and templates. Nice templates. The only problem: I could neither edit existing buttons in the menu nor remove them. I e-mailed 3ix.org about the problem and got no answer. I visited Click Be's authors, a company in the Netherlands, and indeed on their forum I discovered that others were discussing and complaining about the same problems they had with Click Be. A few replies as well from the Click Be authors on that same forum confirming that indeed the buttons in the menu can neither be edited nor removed and that they're working on a newer version of Click Be site builder. Fair enough. However, this wasn't described anywhere on 3ix's site and none of 3ix's sales staff had told me about this flaw. 3ix's site builder Click Be was touted as the latest and most powerful site builder on the net. They also advertise money back guaranteed within 2 weeks if not satisfied. I have e-mailed them at least 5 times before the 14-day trial period ended asking them to either fix the problem or arrange for a refund. Never heard from them again. Cheap does not necessarily mean good. I was duped by 3ix.org. Buyers beware!
Jailtime.org Xen Images
Has anyone here gotten any of the Xen images from jailtime.org to work on CentOS? I've figured out what the heck I'm doing since my last question [url], but they still won't boot. And the more I Google it, the more people I find asking the same questions. It looks like they're depending on a bunch of non-standard images in their initrd, and, unless we have some of these unknown modules, the darned thing won't boot. Mine ends up failing like this:
Code:
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI No-Shortcut mode
XENBUS: Device with no driver: device/vbd/2049
XENBUS: Device with no driver: device/vbd/2050
XENBUS: Device with no driver: device/vif/0
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
VFS: Cannot open root device "sda1" or unknown-block(0,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
The xen.conf for this particular VM:
Code:
# This points to a real Dom0 kernel!
kernel = "/boot/vmlinuz-2.6.18-53.1.13.el5xen"
memory = "256"
name = "Ubuntu-Matt"
vif = [ 'mac=00:01:02:03:04:07, bridge=xenbr0, vifname=vif1.0' ]
# Set the disk...
disk = ['file:/home/matt/vms/ubuntu-7.04/ubuntu.7-04.img,sda1,w', 'file://home/matt/vms/ubuntu-7.04/ubuntu.swap,sda2,w']
root = "/dev/sda1 ro"
This is driving me bonkers... Has anyone gotten these to work? Would I be better off just installing from an ISO?
Review: Maximum-Hosting.org - Horrific Experience
This is my experience with Maximum-Hosting.org. I went there for the low prices to start up my Shoutcast station. At $3 a month, it sounded too good to be true. I got my service, and the owner seemed like a nice guy. He was very helpful, and was eager to help me get started. This was back in March. The first half of my stint there was great; however, in the last half, downtimes and even a data loss were getting on my nerves. I saw some really personal issues and arguments in the IRC server about the owner and staff, and even some back talk and really personal stuff that I wish I never had heard. Because of the downtime, the owner did provide me with some free service and features. In these times, I was itching to leave, but the owner lured me back in with something better. In this time, the service was 'okay', no real big complaints, I was even promoted to an IRCop on the server. Four things happened.
1) There was an incident in the chatroom where a regular joke we have done many times was taken really the wrong way. (I did not use my IRCop powers when this happened.)
2) After a long outage (last night from 'this' post date), I was the only human on the IRC server. In order for me to ask the owner what happened, I silenced an eggdrop bot by banning it from the main room. This was so I could get a new message notification when a real person entered the room. The bot posted every 2 min, and it was at 2am in the morning.
3) I actually found a pretty big security hole in the control panel; the owner thanked me yesterday, and was furious the next.
4) Because of the top three things, the owner basically got extremely mad and took away my IRCops.
Those 4 things basically were the last pieces of trash I could take. Yes, I forgot to unban the bot I mentioned in #2, but is that a good reason to get me out? Tonight, after a somewhat heated discussion with the owner, my account was instantly closed, all http/ftp pipes closed. I am very lucky I saw the owner start to fall into this cycle he seems to do; I had a full backup of the space I had. In a nutshell, I would highly advise people NOT to use Maximum-Hosting. If you want low prices, frequent downtime, and the possibility your data could be gone in an instant, this is the host for you! I can only hope no one else falls into the nightmare I have had to put up with for cheap hosting.
UK Web Hosting 500MB Space 1GB Bandwidth Existing .org.uk Domain
I'm the webmaster for a church website: stpetersbraunstone.org.uk and our domain & hosting renewal is coming up, so I'm looking to see if there's a better deal. We're with namehog.net (and have been for 2 years with no problems at all) on their Professional package. The renewal fees are 105GBP (web hosting) + 5.90GBP (domain name) + 17.5pc VAT to cover the next 2 years, which comes to 130.31GBP. The site is powered by WordPress, so PHP and MySQL are needed. And we upload lots of photos, so need at least 250MB webspace I'd have thought. So far, our highest monthly bandwidth usage has been under 800Mb, and our visitor numbers are increasing and our highest monthly figure so far was 401. Any recommendations gratefully received. There seems to be many different companies out there who offer what I want, so I'm after some personal recommendations please. I've already used this site to discount streamline.net due to bad reviews. I'm looking at fuzioned.com and redfoxhosting.co.uk - any thoughts? I've also come across no-wires.co.uk - has anyone had any good or bad experiences with them? And yes, I have submitted my details to the "request quote" thing.
Htaccess Block Spammers
On my domain access logs, I see a spammer using many different IPs to join my top site list with fake emails. At the end of every line, it contains I am SPAMER! How can I configure htaccess to block this spammer when a request contains that text?
Where Are Nameservers Listed
Which file can I find my nameservers listed in? Godaddy was disallowing me to edit nameservers, so cPanel prevented me from setting up ns1.domain.com and ns2.domain.com. This has meant I now have a major problem: a client paid me to develop his site and he has now gone on holiday. He wanted it finished today, but I can't put it online because he set the nameservers to ns1.domain.com and ns2.domain.com, whereas I have had to set up the nameservers as one.domain.com and two.domain.com due to Godaddy disallowing me to create ns1 and ns2. Now my question is: Is it possible to edit a config file that can set up NS1 and NS2 to work alongside ONE and TWO? I'm using cPanel and I have root access.
CBL Listed
4 times already this month we have been listed by CBL. I can't for the life of me figure out why!
IP Address XX.XX.XX.XX was found in the CBL. It was detected at 2007-11-30 16:00 GMT (+/- 30 minutes), approximately 17 hours, 30 minutes ago. It has been relisted following a previous removal at 2007-11-25 23:59 GMT
I emailed them and it seems I get an autoresponse which makes no sense. They reply with the following:
The IP was detected most recently at: 2007:11:20 ~21:00 UTC+/- 15 minutes (approximately 18 hours ago) sending email in such a way as to strongly indicate that the IP itself was operating an open http or socks proxy, or a trojan spam package.
In short, this IP is impersonating being a machine we know it _cannot_ be. No properly configured mail server does this under any circumstances.
You will need to examine the machine for a spam trojan or open proxy. Up-to-date anti-virus tools are essential.
If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.
Software notes: If you are running Email Architect, set the "Masqueraded domain" in SMTP service to be the fully qualified domain name for the machine. If you are using an Internet Security Systems firewall (eg: Proventia M10), please contact ISS and obtain new firmware. They are aware of issues with the CBL. The firmware version that fixes this bug is, we believe, "3.5" (at least for the M10).
Useful links: [url] [url] (see "Securing your System" and "proxies") [url] For more information on securing NAT firewalls/gateways, please see [url]
This entry has already been delisted from the CBL. Unless otherwise stated, the CBL will relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.
Has anyone been in this problem before? I've got myself delisted, but it's just a pain to keep waking up each morning to find this happening. Is it possible that someone who is accessing their email through Outlook has a virus on their PC?
Keep Getting Listed At DSBL
I have a server that keeps getting listed by DSBL. It is RHEL 3 running Plesk and Qmail. In the MAIL config SMTP relay is set to "Authorization is Required" and the SMTP box is checked. I have a couple other very similar server setups and they have never been listed, so I don't know why this one is. I suspect it may be a bug. As for the last listing (yesterday), here is the excerpt from the maillog showing the SMTP relay:
===================
Aug 26 13:36:48 slv3 qmail-queue[426]: scan: the message(drweb.tmp.0PW0bG) sent by nobody@cor.neva.ru to listme@listme.dsbl.org should be passed without checks, because contains uncheckable addresses
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: to=listme@listme.dsbl.org
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: recipient[3] = 'listme@listme.dsbl.org'
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: handlers dir = '/var/qmail//handlers/before-queue/recipient/listme@listme.dsbl.org'
Aug 26 13:36:48 slv3 qmail: 1188153408.989183 starting delivery 7244: msg 2327042 to remote listme@listme.dsbl.org
Aug 26 13:36:48 slv3 qmail-remote-handlers[430]: to=listme@listme.dsbl.org
===================
Why is my server relaying?
IP Addresses Listed On SORBS
I signed up with a new VPS provider and got three IPs and ordered an additional IPs. It turns out all six IPs were listed by SORBS as spam sources. So I contact the provider and they give me one clean IP, but I have to keep the remaining 5 SORBS-marked spam IPs that I am going to use for nameservers and a "reseller" account with nameservers. My question is . . . is being marked by SORBS going to have any negative effect on my VPS? A lot of places will mention this when looking up a domain, like Domain Tools and DNS Stuff, so is this going to make my web sites come off as spammers?
Repeated CBL Listed
They kindly provided me with timestamp as to when detection was happening and they sent me this description:
Timestamp: 2007-12-02 22:55:32 (I've attached the logs from below for around couple of minutes)
If anyone knows how to solve this, much appreciate it.. or if anyone knows what could be the issue!
In a nutshell, your IP is forging a well known domain as the EHLO/HELO - imagine connecting to, say aol.com and having your IP HELO as "apple.com". Understandably, when an IP connects to our servers and presents such an obvious forgery, we're going to consider it a virus emitter or otherwise compromised.
This is what you need to keep in mind when you're trying to resolve situations like this:
1) Our detections are based on port 25 SMTP connections your IP makes to one or more of our mail servers. The CBL listing _itself_ is the evidence/"proof"/log of the incident. We generally do not keep samples of CBL detections, because the volumes are so horrendously high (presently more than 700,000 detections per day). They never provide any additional information, because the headers, if any, are all fake anyway. In order to preserve the effectiveness of the CBL, information beyond what we've already given you will not be revealed. We can sometimes give additional information (eg: more precise timestamps) if and only if we know it's necessary to find/fix the problem.
2) The CBL detects suspicious SMTP activity, NOT spamming per-se. In other words, the CBL detects email being sent in such a way as to indicate that the sender is compromised in some fashion into sending viruses or spam. As such, the CBL focuses on identifying how to prevent the behavior in future, instead of, for example, identifying spammers that need to be terminated. Indeed, in the case of NAT firewalls, it is almost always impossible for us to precisely identify which machine behind your NAT is infected. Only your NAT logs (if you keep any and know what to look for) know which machine is infected. In the case of NATs, our focus is on blocking the malicious traffic getting to the Internet. We can give tips/pointers on how you can identify specific infected machines behind a NAT, but our priority is to prevent _any_ infected machine behind your NAT spewing junk to the Internet, because we know that for every infected machine you fix, another one (or more) will eventually spring up in its place, and we (and we suspect you) don't like playing a never-ending game of whack-a-mole.
3) The viruses we detect carry their own SMTP clients with them, and do not attempt to relay through your mail servers. Hence, email transit filters (either inbound or outbound) on your mail servers can't help. Only AV scanning the infected machine does. Similarly, the spamware (open proxy or spam trojan) we detect do not route through your mail servers either.
4) Most AV tools aren't very good at detecting/cleaning out established infections. Especially those resulting from day-zero attacks. Particularly since many of these infections open back doors, and the original infection vector downloads many pieces of software that _may_ not be in themselves malware, just used in a malicious fashion.
5) The headers don't help at all. Since the virus/spamware has its own client, and doesn't pass through your server[s], the only thing knowable about the virus/spamware is the peer (connection) address at the recipient's mail server - which is what we've listed - your NAT firewall if you have a NAT... Only your NAT firewall logs can tell you any different. Short of AV scanning the infected machine, the only useable information about which machine is infected is in your NAT firewall logs - if you actually make any logs and keep them long enough. For the most part, then, a CBL listing of an IP means that the IP needs to be fixed. If it's a NAT IP - port 25 blocking (and you can find/fix the infected machine[s] at your leisure), if it's not a NAT - virus/malware eradication.
6) Outbound port 25 connection blocking on NAT firewalls (permitting only your authorized mail servers) is the best solution for NATs.
7) If you have a NAT, once you've implemented port 25 blocking, you not only contain the viruses, your NAT firewall logs will immediately tell you who is infected or is compromised with a spam trojan or open proxy.
8) As far as we're aware, once port 25 blocking is instituted in a NAT, the only times people have continued to have trouble with CBL listings is when the blocking wasn't working for some reason. It would be a good idea to test whether the blocking is in fact working. We have suggested procedures for this if you want - ask us.
2007-12-02 22:55:05 [19907] list matching forced to fail: failed to find host name for 201.58.9.244
2007-12-02 22:55:05 [9913] SMTP connection from [81.129.182.181]:60329 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:06 [9913] SMTP connection from [85.177.218.230]:9468 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:06 [19907] H=(20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 F=<vash989@lfcc.edu> rejected RCP$
2007-12-02 22:55:06 [19907] SMTP connection from (20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 closed by DROP$
2007-12-02 22:55:07 [19908] ident connection to 71.217.38.129 timed out
2007-12-02 22:55:07 [19909] ident connection to 81.129.182.181 timed out
2007-12-02 22:55:08 [9913] SMTP connection from [213.36.8.1]:3542 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:08 [19909] H=host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25 F=<markhuu.Fabris@$
2007-12-02 22:55:08 [19909] SMTP connection from host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25$
2007-12-02 22:55:09 [19910] H=e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 F=<Vesterinenowao@jcel.com> rejected RCP$
2007-12-02 22:55:09 [19910] SMTP connection from e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19908] H=71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 F=<0agwampler@rapidreply.net> rejected $
2007-12-02 22:55:09 [19908] SMTP connection from 71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19911] H=dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.237.199]:25 F=<Norbe$
2007-12-02 22:55:09 [19911] SMTP connection from dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.2$
2007-12-02 22:55:13 [9913] SMTP connection from [201.212.156.23]:51905 I=[69.16.237.199]:25 (TCP/IP connection count = 1)
2007-12-02 22:55:13 [9913] SMTP connection from [200.122.38.174]:1152 I=[69.16.237.199]:25 (TCP/IP connection count = 2)
2007-12-02 22:55:14 [9913] SMTP connection from [201.233.222.43]:2980 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:16 [19915] ident connection to 201.233.222.43 timed out
2007-12-02 22:55:17 [19915] H=cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.199]:25 F=<Chasityse$
2007-12-02 22:55:17 [19915] SMTP connection from cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.1$
2007-12-02 22:55:18 [19920] cwd=/home/annajwa/public_html/forum 2 args: /usr/sbin/sendmail bloochunc@bk.ru
2007-12-02 22:55:18 [19920] 1IyxiY-0005BI-5f <= annajwa@host.mpadc.com U=annajwa P=local S=747 T="Welcome to An- Najwa" from <annajwa@host.mp$
2007-12-02 22:55:18 [19921] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IyxiY-0005BI-5f
Google UK: Getting .com Sites Listed? Better To Host In The UK?
I did a site for a UK company that has a .com address, and for various reasons the site is hosted in the US. Unfortunately the site doesn't appear under the Google search for pages in the UK. One reason I chose the US hosting company is that they provide ColdFusion hosting, and my plan is to upgrade the site to use ColdFusion in the near future. They do also have the .co.uk address registered, which is currently set to forward to the .com address, and that doesn't show up in Google at all. I'm thinking the solutions might be: 1) Move the .com hosting to the UK 2) Get additional hosting for the .co.uk address (UK mirror) 3) Both? The company is based in the UK, and provides holidays in Montenegro, primarily aiming at the UK market. When I originally looked into it I could not find a UK host that provided ColdFusion and MySQL 5 - and those that had ColdFusion and other database applications were far more expensive than the US one we're using currently. What would be the best way forward?
Is My Mail Server Black Listed
We have a dedicated Linux server. We use it to send daily newsletters to our customers, but for the last few days it looks like our mail server is sending out email to clients' spam folders. Is there any way to diagnose our mail server and find out if there is anything wrong or if our mail server has been blacklisted?
Hotmail - Email Listed As SPAM
I just got a VPS and I realised that all email sent to Hotmail automatically goes into the spam box (until I approve an email address as being "safe"). I believe that Hotmail's SenderID and an SPF record is the way to go. I have already submitted the SenderID form saying I don't have an SPF record; for the "domains to be added to the senderid program", I listed a couple of my domains. 1) Do I still need an SPF record? 2) In the future, will I need to tell customers to use outgoing mailservers under one of the domains I submitted (in the SenderID form)?
Server's IP Black Listed On CBL
My server's IP address was found listed on the CBL. Check this out: [url] I think I'm listed for a naming issue, as they referred me to this page to solve the problem. What should I do to correct the problem? I made some changes to /etc/hostname and /etc/hosts and requested delisting, but without positive results. I'm on Debian Sarge.
How To Block A Block Of IP'S
I'm currently experiencing a lot of IPs starting with 200 and 201 (from Brazil); some IPs have over 200 connections. I have APF installed and want to know how to block a block of IPs, if this is possible. IPs: 200.11.******* 201.*******
Spammers Help
It looks like someone spammng from our server. I have checked exim_mainlog and got the this info. 2007-01-23 03:12:32 1H99Fz-0004wl-RV => erio@erio.com R=lookuphost T=remote_smtp H=mail.erio.com [217.220.27.241] 2007-01-23 03:12:40 1H99Fz-0004wl-RV => brown2525@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> beth46@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> dstanfie@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> harris3943@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> yumyyelow@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> gloverlm@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> debilu@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mosleyclan4@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> 61369@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> melabong@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> k_mcmull@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> anniern@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> bannaj1@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> lizzied@bellsouth.net 
R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> gillumd@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> pfeiferk36@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mommyof2@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> tongem@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> whitsonswrecker@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mmal63@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> goosynina1@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> malenat@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> jlhk@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> tawndawn@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> usnssn@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> crazybutcute0304@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> thomas0421@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> mercibw@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> crouch1966@bellsouth.net 
R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> pj16@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> alba93@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> sassyd69@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> bettysue57@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> jimfiscus@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> nvonalme@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> breweragency@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] 2007-01-23 03:12:40 1H99Fz-0004wl-RV -> annaksimpson@bellsouth.net R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32] In the log file is showing like this. 2007-01-22 19:11:24 1H99Fz-0004wm-Vp <= <> R=1H99Fz-0004wl-RV U=mailnull P=local S=605030 2007-01-22 19:11:24 1H99Fz-0004wl-RV <= stlawson100@yahoo.com.hk U=churchre P=local S=3558 id=23894.217.194.149.171.1169511083....el@65.xx.xx.xx I couldn't find who is sending.
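The two `<=` lines quoted in the post above carry the answer: `U=` names the local account that queued the message, and `P=local` says it was submitted on the server itself rather than over SMTP. The following is an added example, not part of the original post, that groups an Exim main log by origin and ranks the origins by recipient count; the sample log lines, addresses and account names are constructed.

```python
import re
from collections import defaultdict

# Exim main-log line: timestamp, message id, flag, remainder.
LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|\*\*|==) (?P<rest>.*)$"
)
FIELD = re.compile(r"(?:^|\s)([A-Z]+)=(\S+)")   # U=, P=, A=, R=, S= ...
HOST_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")   # [192.0.2.10]


def origin_of(rest):
    """Classify how a message entered the queue, from its '<=' line."""
    fields = dict(FIELD.findall(rest))
    if fields.get("P") == "local":
        # Queued by a process on this host (script, cron job, sendmail binary).
        return "local-user:" + fields.get("U", "?")
    if "A" in fields:
        # Arrived over SMTP with a successful AUTH; A= holds authenticator:login.
        return "smtp-auth:" + fields["A"]
    ip = HOST_IP.search(rest)
    return "remote:" + (ip.group(1) if ip else "?")


def analyse(lines):
    """Return {message id: origin, sender, recipient count, bounce count}."""
    msgs = defaultdict(lambda: {"origin": None, "sender": None,
                                "rcpts": 0, "bounces": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # "Completed", retry and panic lines carry no flag
        mid, flag, rest = m.group("id", "flag", "rest")
        if flag == "<=":
            sender = rest.split(" ", 1)[0]
            fields = dict(FIELD.findall(rest))
            if sender == "<>" and "R" in fields:
                # Locally generated bounce: R= is the id of the message it
                # reports on. Many bounces per message suggest a bad list.
                msgs[fields["R"]]["bounces"] += 1
                continue
            msgs[mid]["sender"] = sender
            msgs[mid]["origin"] = origin_of(rest)
        elif flag in ("=>", "->"):
            # "=>" is a delivery, "->" a further address in the same delivery.
            msgs[mid]["rcpts"] += 1
    return msgs


def suspects(lines, min_rcpts=5):
    """Origins with at least min_rcpts delivered recipients, busiest first."""
    totals = defaultdict(lambda: {"rcpts": 0, "bounces": 0, "ids": []})
    for mid, rec in analyse(lines).items():
        t = totals[rec["origin"] or "unknown"]  # arrival line not in this log
        t["rcpts"] += rec["rcpts"]
        t["bounces"] += rec["bounces"]
        t["ids"].append(mid)
    rows = [(origin, t["rcpts"], t["bounces"], sorted(t["ids"]))
            for origin, t in totals.items() if t["rcpts"] >= min_rcpts]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample in the format of the log quoted above.
_MX = "R=lookuphost T=remote_smtp H=mx.isp.example [192.0.2.10]"
SAMPLE_LOG = (
    ["2007-01-22 19:11:24 1AAAAA-000001-AA <= promo@mail.example "
     "U=siteuser P=local S=3558"]
    + ["2007-01-22 19:11:25 1AAAAA-000001-AA %s user%d@isp.example %s"
       % ("=>" if i == 0 else "->", i, _MX) for i in range(6)]
    + ["2007-01-22 19:11:26 1AAAAA-000002-AA <= <> R=1AAAAA-000001-AA "
       "U=mailnull P=local S=605030",
       "2007-01-22 19:12:00 1AAAAA-000003-AA <= alice@customer.example "
       "H=(laptop) [198.51.100.7] P=esmtpa A=fixed_login:alice S=1200",
       "2007-01-22 19:12:01 1AAAAA-000003-AA => bob@isp.example " + _MX,
       "2007-01-22 19:12:02 1AAAAA-000003-AA Completed"]
)

if __name__ == "__main__":
    for origin, rcpts, bounces, ids in suspects(SAMPLE_LOG):
        print(origin, "recipients=%d" % rcpts, "bounces=%d" % bounces, ids)
```

On a real server, pass the lines of the Exim main log instead of `SAMPLE_LOG`; an origin of `local-user:nobody` points at a web script rather than at a mailbox login.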
Spammers
I have a problem with spammers. I installed bruteforce attack and apf, but spammers are still trying to use my mail server to spam. bfa is sending me 20-30 warning emails every day, like:

Quote: The remote system 200.83.230.214 was found to have exceeded acceptable login failures on xxxxxx; there was 62 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible. Executed ban command: /etc/apf/apf -d 200.83.230.214 {bfd.exim} The following are event logs from 200.83.230.214 on service exim (all time stamps are GMT -0600):

These spammers are causing very high CPU load and sometimes freeze my server. Is there any way I can set it up to only allow authenticated users to access the mail server? Or any other idea? I'm not a hosting company, I'm just hosting my own websites, and I'm a poor guy who can't hire a server admin. I have searched on Google and couldn't find anything.
How To Stop Spammers?
I was wondering if anyone has any methods to stop spammers? Currently I am keeping watch on the mail queue and making sure there is nothing unusual. I have the WHM configuration set up to not allow more than 200 mail messages per account per hour, but for some reason it will hit thousands. WHMCS does seem to suspend them automatically, or maybe it's because of WHM, BUT only when it's too late. Any thoughts or suggestions?
Spammers Hotlinking
I have found some spammer hotlinking to my images to get his site crawled. I have modified the .htaccess to try to serve his hotlinking domain a warning, but it does not work... My actual .htaccess file is the one below (it was created by WordPress automatically):

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

I am adding these lines right below:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://(.+.)?spammerdomain.com/ [NC,OR]
    RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]

My questions... I don't know too much about what I am doing; I am following the tutorial here, http://altlab.com/htaccess_tutorial.html, but the problem is that my .htaccess already contains something created by WordPress that to me looks like garbage, as I don't understand the meaning. I don't know if I should add the lines inside the <IfModule mod_rewrite.c> or outside it as I have done. I don't know if it is OK to have RewriteEngine On two times.

PS: When I added the lines I describe above, my site also stopped displaying the images; I had stopped everyone, including myself, from hotlinking them. I only want to stop a certain domain. Or even better, my ideal solution is to WHITELIST my domain names (I have two hotlinking to those images), but I will settle for a blacklist if it is easier.
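The symptom in the post above (every visitor, the site owner included, losing the images) is what a trailing `[OR]` on the last `RewriteCond` produces: a failed condition flagged `OR` hands over to the next condition, and when there is none the rule fires for every request. The following is an added example, not part of the original post, showing the referrer whitelist the poster asks about; `example.com` and `example.net` are placeholders for the poster's two domains.

```apache
# Hotlink protection by whitelist.
# Place this block ABOVE "# BEGIN WordPress": WordPress regenerates everything
# between its BEGIN/END markers, so edits inside them can be lost.
# Repeating "RewriteEngine On" in a second block is harmless.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Let requests with no Referer through (direct visits, privacy proxies,
#    some feed readers); blocking them breaks legitimate traffic.
RewriteCond %{HTTP_REFERER} !^$

# 2. Let the site's own domains through (placeholders), with or without a
#    subdomain. The (/|$) anchor keeps example.com.other.tld from matching.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.net(/|$) [NC]

# 3. Any other referrer asking for an image gets the warning image.
#    Conditions are ANDed by default, so no [OR] flag is used anywhere.
#    nohotlink.jpe does not match the pattern below, so the rule cannot loop.
RewriteRule \.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [NC,L]
</IfModule>

# Blacklist variant for one domain (spammerdomain.com is the name used in the
# post). Note the single condition carries no [OR]:
# RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?spammerdomain\.com(/|$) [NC]
# RewriteRule \.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [NC,L]
```

The Referer header is set by the client, so this stops casual hotlinking from other pages rather than a determined scraper.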
How To Stop Spammers ...?
Have a persistent spammer who kept emailing my clients, even nonexistent domain accounts, and getting the bounced emails to be sent to a particular yahoo address. I tried to block him in all ways but can't seem to stop him. His spams are from all over the world. Any suggestions?
Protecting Against Spammers?
I was looking at my visitors in AWStats, and when looking up most of the top IPs (the ones that viewed the most pages), most of them were associated with IANA, and tagged as spam/hacker IPs. Of course, I've blocked all of those IPs with my .htaccess file, but how can I further protect my server from such threats? How can I rid my server of these spammers/hackers?
Finding Spammers
Trying to find a spammer on my system, who just sent out and is still sending out 4000+ emails... I have a CentOS VPS with WHM. Looked at exim_mainlog, there's nothing telling. The message body is visible, but the links it points to aren't hosted by me. There is no return address; it's sending mail as nobody. phpsuexec is not an option.
Spammers On VPS
Any thoughts or opinions are welcome. Looking for options on how to stop this. Recently I've started receiving spam that appears to originate from a hosted domain on my VPS. It appears to only be an issue with this website account and not the VPS generally. I've disabled the IMAP service to ensure the spam was not being sent from the server. The spam continues, which leaves the POP email accounts as a possibility, or something else.

My hosting provider says it looks like email spoofing:

Someone seems to be using the address at foobar.com to send out spam. The method that he has employed is called email spoofing. Email spoofing is the practice of changing your name in email so that it looks like the email came from somewhere or someone else. However, you need not be concerned. Individuals, who are sending "junk" email or "SPAM", typically want the email to appear to be from an email address that may not exist. This way the email cannot be traced back to the originator. The spammer is not using our server to send out spam, hence your email address will never be blacklisted. There is really no way to prevent receiving a spoofed email. Remember that although your email address may have been spoofed this does not mean that the spoofer has gained access to your mailbox.

The following are headers of two spam emails. Both of these addresses are set up as forwarders and not actual email accounts. The spam came to our attention because it is being sent to addresses on foobar.com with headers as also originating from foobar.com.

I changed the actual names for privacy:

    host.vpsdomain.com [123.123.123.123] - VPS domain
    foobar.com - website account on VPS
    myemailaccount@gmail.com - address foobar forwarders send to

    Delivered-To: myemailaccount@gmail.com .....
Our Smtp Being Used By Spammers
I have a dedicated Windows 2008 server, and for the last 2 days something has been using our SMTP server to send spam: we get thousands of spam emails queued in our outbound queue, although our security is really high. SMTP authentication (open relay) and other options are already enabled, and we ran an antivirus scan too, but nothing was found. I wonder if there is anyone else out there who has faced such a problem, and how did you stop it?
Hosting Spammers
As hosting providers, it is important to follow the standard industry supported AUP/TOS agreements to keep spammers in their place. Do you believe spammers should be able to buy their way to hosting? Some hosting providers have allowed spammers to stay by allowing them to pay a premium hosting fee.
Stopping Spammers
I have WHM 11.1.0 cPanel 11.2.1-C11635 FEDORA 4 i686 - WHM X v3.1.0 PHP Version 4.4.4 I'm not sure what my apache version is. I want to try this: http://www.webhostgear.com/232_print.html It says it's for Apache 1.3x, PHP 4.3x Will that work on my server? Will it be safe to try?
How To Stop Spammers
I have a massive spam problem on my server, which I cannot seem to find a cure for. Here is an example of the headers from an example email (from WHM) that is stuck in the mail queue:

Quote:

    1HiU0X-0006Y3-O6-H
    mailnull 47 12
    <>
    1177932329 0
    -ident mailnull
    -received_protocol local
    -body_linecount 78
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1177932333
    -localerror
    XX
    1
    vrroark@freemail.ru
    144P Received: from mailnull by host.zaggs.com with local (Exim 4.63)
        id 1HiU0X-0006Y3-O6
        for vrroark@freemail.ru; Mon, 30 Apr 2007 12:25:06 +0100
    045  X-Failed-Recipients: download@host.zaggs.com
    029  Auto-Submitted: auto-replied
    058F From: Mail Delivery System <Mailer-Daemon@host.zaggs.com>
    024T To: vrroark@freemail.ru
    059  Subject: Mail delivery failed: returning message to sender
    047I Message-Id: <E1HiU0X-0006Y3-O6@host.zaggs.com>
    038  Date: Mon, 30 Apr 2007 12:25:06 +0100

    1HiU0X-0006Y3-O6-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      download@host.zaggs.com
        (generated from abraham@keysupplier.com)
        retry timeout exceeded

    ------ This is a copy of the message, including all the headers.
    ------
    Return-path: <vrroark@freemail.ru>
    Received: from [220.157.245.77] (port=3648 helo=localhost.localdomain)
        by host.zaggs.com with smtp (Exim 4.63)
        (envelope-from <vrroark@freemail.ru>)
        id 1HiU0X-0006Xu-7r
        for abraham@keysupplier.com; Mon, 30 Apr 2007 12:25:06 +0100
    Message-ID: <10fb01c78b19$683b6042$8bc8505a@freemail.ru>
    From: Noticeable <vrroark@freemail.ru>
    To: abraham@keysupplier.com
    Subject: I am 79 years young!
    Date: Mon, 30 Apr 2007 14:19:48 +0300
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_9E7D5C31.01A57A34"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express V6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

I can confirm that the person who is doing this IS NOT using the 'nobody' user because I am keeping a spam_log for that. How else is a user able to use our server for spam? Please help as I would like to get this sorted ASAP.
Hackers..spammers..
I've been on yet-another crusade this morning..and have a few questions for the..umm.."general" hosting audience. We live in odd times. If you told me that script kiddies might be able to completely compromise a server via php..or that spammers are now using the webserver *itself* to send spam a few years ago..I would have laughed. This is no laughing matter.

A concept of privacy comes into play..and I'm curious how many of you handle it. Joe pays me for an account..agrees to my TOS/AUP..and starts uploading files. The way I see it..we have many ways of dealing with scripts that do bad things. It seems to me, though...this may be considered "spying" on our customers. If we have a script..say..that runs every fifteen minutes..and looks for these scripts..wouldn't that be considered spying? Or would this be something we should just bury in our aup/tos that this might happen? I have read and agreed to quite a few of those AUP/TOS things..and I can't remember even one time even a mention that files that I upload to the server may be scanned or inspected..before allowing the file to be placed on the server. Never..not once. However...this may have changed.

If you've ever tried to get even a simple Perl script to work on a Cpanel server...you probably understand that many safeguards are there for the sake of everybody else on the server...and may prevent you from doing what you want to do with the script(s). At the same time..though..it seems to fly in the face of common sense that many script packages available today are inherently insecure. Chmod 777 files and directories? Even in the times we live in today and know this is a very, very bad idea? Yet..there seem to be even more like this today than ever before.

I mention this from first hand experience. One of the many magazines I get had an article detailing the trials the author was having trying to get Simple Groupware working on a vps. Yesterday..I noticed a post with a person wanting something installed on a production server. Not only was the program a beta..but..just like Simple Groupware..looked horribly insecure.

In retrospect...I can remember the very first php script I ever used. The year was 1996..and this was my first Cpanel shared account. I even remember having to add *.php to the mime types. It installed without a hitch..and..coming from the Perl world I had spent many years in..and many hours getting those scripts to work..it seemed almost like a miracle.

It seems, as hosts, there are a few ways we can go at this.
1) Modify the ftp server so it inspects files
2) Have a program that looks for things..much like rkhunter does.
3) A front-end for all scripts..perhaps MySQL as well..that enforces rulesets..for restricted content..or resource allocations.
Find And Kill Spammers!
Just got alerted that my server is being used to send spam. Here is the information the datacenter gave me: [information .....] NOTE: I changed the real domain name and IP only. Is there an expert who can help me decipher this? How do I find the culprit? My provider is threatening to shut me down and sink all my clients with the ship! I am running the latest WHM and cpanel server, fyi.
Uncovering Comment Spammers -- What Are They Doing?
A lot is known about e-mail spammers, both due to lots of investigations into them and due to some "ex-spammers" talking about what they've done. And it's widely known that they're using infected PCs now. But what about comment spam? I've been dealing with it a lot at work, and am noticing some oddities.

A good amount tends to come from countries where labor can be had cheaply, and watching logs on pages with captchas suggests that they're doing it slowly enough that they're probably just doing it by hand. Unlike the scripts I'd been used to (which would just hammer out POST requests to forms as fast as they could), some spammers are now loading pages on which the comment form resides, waiting a few seconds, and then submitting the spam with a sensible HTTP referrer -- it's as if someone is actually sitting there and copying-and-pasting spam. It seems really odd to me that someone is actually sitting there manually posting spam, though.

Comment spam tends to come from a few areas of the world -- the poverty-stricken parts of Asia; Russia, Africa, and Latin America in particular -- and yet it's often hyping products in other parts of the world. Has anyone found what I'm thinking are US-owned shops paying third-world spammers? Is that what actually happens?

And other nonsense reigns. Some of the spam getting posted to my employer's site links to sites that, according to whois records, have never existed. A LOT of other spam has egregious formatting errors -- BBCode on a site that doesn't support it, or malformed links (mysite.com/www.spamsite.com) posted over and over again. It's like they're either so clueless that they have no idea that their spam doesn't work, or that they're just being paid by post or something and so they don't even care if the links work.

Has anyone (not necessarily personally) ever tracked down exactly what this "industry" is up to? Even though it seems like a simple extension of e-mail spam, there's a lot of odd behavior that makes me think it's actually quite different, and now I'm really curious.
How-To: Find PHP Nobody Spammers!
Someone posted some code similar to the below. I made a modification or two after trying to detect PHP "nobody" users; after dumping a few printenv outputs I found PHP exports PWD when calling an external program such as sendmail. Basically the PWD will show the user directory that it is coming from, which is enough to detect who is sending SPAM even as nobody! It's not 100% secure in that they could wipe /var/log/formmail.log, but I don't imagine any spammer will notice the logger; they presume any cPanel server (or other CP for that matter) is the same.

    mv /usr/sbin/sendmail /usr/sbin/sendmail2
    pico /usr/sbin/sendmail    (paste the below code into it)
    chmod +x /usr/sbin/sendmail
    echo > /var/log/formmail.log
    chmod 777 /var/log/formmail.log

    #!/usr/local/bin/perl
    # Logging wrapper: record who invoked sendmail, then hand the message
    # to the real binary that was moved aside above.
    # use strict;
    use Env;    # exposes environment variables as $PWD, $REMOTE_ADDR, ...
    my $date = `date`;
    chomp $date;
    open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
    my $uid = $>;
    my @info = getpwuid($uid);
    if ($REMOTE_ADDR) {
        # Called from a CGI/web request: log the client and the script.
        print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
    }
    else {
        # Called from PHP or a shell: the working directory gives the account away.
        print INFO "$date - $PWD - @info\n";
    }
    # Must match the name the original binary was moved to.
    my $mailprog = '/usr/sbin/sendmail2';
    # List-form pipe open: the arguments reach sendmail without going through a shell.
    open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!";
    while (<STDIN>) {
        print MAIL;
    }
    close (INFO);
    close (MAIL);
Email Security From Spammers
I have two domains that I haven't set email up for yet. One is hosted on a good plan that uses cPanel. The other has some not-so-user-friendly interface. In either case, I haven't set up email because I don't know how to separate truth from fiction. I know of the front end measures of cloaking an email link to your site using hex or some other hack so it doesn't show up to spiders and bots. I also heard a rumor that using a generic "webmaster@" on any domain is a surefire way for these bots to spam through. So is that true? Should I name my link like "thiswebmaster@" instead (or to that effect)? What can I do to prevent too much (relatively speaking I guess) spam coming in?
Spammers Impersonating My Domain
I'm receiving tons of "Mail Delivery Failure" emails lately, like hundreds a day. Today I opened a few to check what's going on... And basically these emails say a message could not be delivered due to a random error. What intrigued me was that emails from my domain were the alleged sender or were in the reply-to field. Those email accounts do not even exist under my domain. And the spam messages were not sent from my server, as is clear in the body of the delivery error email. So the situation is I have a spammer sending out thousands of emails a day impersonating my domain. You can see a copy of the emails I'm getting here: http://cl1p.net/delivery_error Why's the spammer doing this? Why the need to impersonate my domain? And how can I stop him? I think I might have a problem with my SPF rules, too loose! How to tighten it?
Spammers Ruining My Server
I just opened my "catch-all" email pop account that sends me everything addressed to my server that doesn't have an assigned email address. I check it every few days. Over 4,500 undeliverables. Someone is using mydomain as a phony return address in different forms (gleskit@mydomain.com, peterepred@mydomain.com etc.) If I got over 4,500 undeliverables, these lowlife creeps must have sent innumerable thousands or tens of thousands using my domain as a return address.

What really stinks is that I've had a bunch of users complain that they're not getting the usual auto-messages from my forum software. Come to find out that my domain is now banned from at least one major ISP, I'm guessing probably more by now. The website I run depends heavily on VOLUNTARY auto-communications and updates. For example, one mailing list I maintain has over 4,800 members who've signed up for updates. It uses other feeds and email functions as well.

Am I to understand that any jackass spammer can hose a server this way, with no redress on the part of the innocent party? Also, how am I going to get back in the good graces of the ISPs and personal anti-spam programs that have now blacklisted my server for no reason? Besides contacting all of the larger ones personally, I wouldn't even know where to begin addressing this. Is it possible that some nasty geek with a spam program can just ruin a server in this fashion?

Just checked the account again. In the ten minutes it took me to write the above post, I just got 54 more undeliverables.
Suspicious Overload And Spammers
I have a small VPS with a few websites, each one with very few visitors, on average less than 100 visits per day.

    CentOS 2.6.9
    Plesk
    PHP 5.1.6
    Apache/2.2.3

A few days ago some forum spammers signed up to one of the forums. One of them: stopforumspam.com/ipcheck/212.178.2.3

Today I was away for 5 hours. After I came back I received a notice from my script that "SMF could not connect to the database". I checked and noticed almost all of my sites were not responding. MySQL was working. A script on a remote server which uses MySQL from my server loaded, but with a delay.

------------------Next step-------------------

Log in to SSH:

    # uptime
    # 12:XX:XX up XXX days, 5:06, X users, load average: 10.58, 8.86, 5.86

My normal load is less than 0.9.

-----------------check open ports---------------------------

    netstat -nap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
    tcp   0      0      0.0.0.0:995        0.0.0.0:*        LISTEN  1936/couriertcpd
    tcp   0      0      0.0.0.0:3306       0.0.0.0:*        LISTEN  32447/mysqld
    tcp   0      0      0.0.0.0:106        0.0.0.0:*        LISTEN  14307/xinetd
    tcp   0      0      0.0.0.0:139        0.0.0.0:*        LISTEN  9943/smbd
    tcp   0      0      0.0.0.0:110        0.0.0.0:*        LISTEN  1916/couriertcpd
    tcp   0      0      0.0.0.0:143        0.0.0.0:*        LISTEN  1840/couriertcpd
    tcp   0      0      0.0.0.0:8880       0.0.0.0:*        LISTEN  9626/httpsd
    tcp   0      0      0.0.0.0:80         0.0.0.0:*        LISTEN  7645/httpd
    tcp   0      0      0.0.0.0:465        0.0.0.0:*        LISTEN  14307/xinetd
    tcp   0      0      0.0.0.0:21         0.0.0.0:*        LISTEN  14307/xinetd
    tcp   0      0      [MyServerIP]:53    0.0.0.0:*        LISTEN  13619/named
    tcp   0      0      [MyServerIP]:53    0.0.0.0:*        LISTEN  13619/named
    tcp   0      0      [MyServerIP]:53    0.0.0.0:*        LISTEN  13619/named
    tcp   0      0      127.0.0.1:53       0.0.0.0:*        LISTEN  13619/named
    tcp   0      0      0.0.0.0:22         0.0.0.0:*        LISTEN  13820/sshd
    tcp   0      0      0.0.0.0:25         0.0.0.0:*        LISTEN  14307/xinetd
    tcp   0      0      127.0.0.1:953      0.0.0.0:*        LISTEN
Avoid Thinkhost.com - Spammers
Avoid thinkhost.com, they've decided to promote their affiliate program by spamming competitors. We found this ticket wasting space in our helpdesk and it should be a good indication of their ethics:

Quote: Hello, I'm Vladislav Davidzon, the Executive Director of ThinkHost, Inc - I'd like to invite you to join our high converting partner program.

$100 commissions!
2nd tier cash - up to $65 per account
comprehensive partner interface
10 year cookie + IP + session tracking
Great range of creatives
Coupons to give away
Monthly payments
Amazing EPC rates - an industry leader!
Solid company, established in 1999

We offer unlimited domains, unlimited databases and much more. ThinkHost Inc, has been providing web hosting services to the world since 1999 - we're also a "green" host - powered by 100% renewable energy. We'd love to have you join our program! You can sign up/learn more here:[url] .. or if you have any questions; I'd be very happy to address them! I look forward to hearing from you soon!

Vladislav Davidzon
Executive Director
ThinkHost, Inc
14525 SW Millikan Way #17760
Beaverton, OR 97005-2343
[url]
Want To Ban Spammers? 8 Easy Steps
1. Install CSF
2. Install Iptables if it's not installed (apt-get install iptables on redhat/centos)
3. In WHM under "# ConfigServer Security&Firewall" click on firewall deny ips
4. Open a 2nd window, go to Main >> Server Status >> Apache Status
5. Check if there are any spammers with lots of connections to a specific file; that's how I got a lot of the IPs.
6. Go to http://ws.arin.net/whois/?queryinput=99.225.243.201
7. Enter the IP you found at "Server Status" at ws.arin.net to get the proper CIDR, which you can easily add to your CSF deny hosts file (which is open in another window)
8. Get a tea and watch the server status closely.
Spammers Use My Server To Send Out Email
I think someone has successfully made my server send out emails. How do I know this? It's because I saw many returned emails saying that the emails sent out to their inbox are considered spam. I mean a lot; for instance, within 1 second there are more than 10 mails. Can someone help explain to me how I can find the culprit and fix the problem?
Drupal Website Under Attack By Spammers
I have a Drupal based website which allows comments on posts after validating through CAPTCHA. Someone has been using a robot to bypass Image CAPTCHA and spam my site by posting hundreds of comments each day. I use Google Analytics and Statcounter counters on my site. But I haven't been able to find spammer's IP address from visitor logs as the spammer comes directly to my site without any referral. Is there a way to find spammer's IP address and block it in the .HTACCESS file? I don't think I can stop the spammer just by applying CAPTCHA on comments.
Datacenters / ISP's That Ignore Spammers
Would you be happy to host your BUSINESS (i.e. servers etc) at a datacenter or ISP that's known for ignoring spam complaints? I am just curious because I already submitted SEVERAL spam complaints to servercentral.net but they simply ignore them. A big anti-spam list such as Spamcop does not even bother to try and submit spam complaints to them, and purges such complaints: abuse#servercentral.net@devnull.spamcop.net In my opinion it's a high risk to host your servers at a company that ignores spam complaints, because many of their IP addresses will eventually be on spam block lists. (And because IP addresses are "recycled" I won't be happy to get IP addresses assigned to a server that was previously used by a spammer)
Spammers Hanging My Mail Server
A spammer (probably www.powerball.com) is sending spam using one of my email addresses as his / her "from" address. This hung my mail server last week and it took more than 60 hours to solve the problem. My host replied that the problem was "You have over 100,000 emails in your mail queue due to a large amount of Frozen emails that were either deferred by the remote servers or sent to invalid addresses repeatedly". Since this morning, my emails are blocked again. I can't send / receive mails using any of my email accounts (from this server). I don't know how long it will take to solve the situation this time, and I'm afraid that this may not be the last time. Now I don't know what to do. Ideally, a logical solution could be to delete any bounced mail automatically (I'm using nutsmail + squirrel mail).