Repeated Spam From WebHostingBreak

Oct 7, 2009

This is my 5th spam email from them. Users - avoid this hosting directory and other hosts, I suggest you avoid using someone with business tactics like this.

Quote:

Hey it's Ian from Web Hosting Break....


Repeated CBL Listed

Dec 7, 2007

They kindly provided me with a timestamp as to when detection was happening and they sent me this description:

Timestamp: 2007-12-02 22:55:32
(I've attached the logs from below for around a couple of minutes) If anyone knows how to solve this, I'd much appreciate it... or if anyone knows what could be the issue!

In a nutshell, your IP is forging a well known domain as the EHLO/HELO - imagine connecting to, say aol.com and having your IP HELO as "apple.com". Understandably, when an IP connects to our servers and presents such an obvious forgery, we're going to consider it a virus emitter or otherwise compromised.

This is what you need to keep in mind when you're trying to resolve situations like this:

1) Our detections are based on port 25 SMTP connections your IP makes to one or more of our mail servers. The CBL listing _itself_ is the evidence/"proof"/log of the incident. We generally do not keep samples of CBL detections, because the volumes are so horrendously high (presently more than 700,000 detections per day). They never provide any additional information, because the headers, if any, are all fake anyway. In order to preserve the effectiveness of the CBL, information beyond what we've already given you will not be revealed. We can sometimes give additional information (eg: more precise timestamps) if and only if we know it's necessary to find/fix the problem.

2) The CBL detects suspicious SMTP activity, NOT spamming per-se. In other words, the CBL detects email being sent in such a way as to indicate that the sender is compromised in some fashion into sending viruses or spam. As such, the CBL focuses on identifying how to prevent the behavior in future, instead of, for example, identifying spammers that need to be terminated. Indeed, in the case of NAT firewalls, it is almost always impossible for us to precisely identify which machine behind your NAT is infected. Only your NAT logs (if you keep any and know what to look for) know which machine is infected. In the case of NATs, our focus is on blocking the malicious traffic getting to the Internet. We can give tips/pointers on how you can identify specific infected machines behind a NAT, but our priority is to prevent _any_ infected machine behind your NAT spewing junk to the Internet, because we know that for every infected machine you fix, another one (or more) will eventually spring up in its place, and we (and we suspect you) don't like playing a never-ending game of whack-a-mole.

3) The viruses we detect carry their own SMTP clients with them, and do not attempt to relay through your mail servers. Hence, email transit filters (either inbound or outbound) on your mail servers can't help. Only AV scanning the infected machine does. Similarly, the spamware (open proxy or spam trojan) we detect do not route through your mail servers either.

4) Most AV tools aren't very good at detecting/cleaning out established infections. Especially those resulting from day-zero attacks. Particularly since many of these infections open back doors, and the original infection vector downloads many pieces of software that _may_ not be in themselves malware, just used in a malicious fashion.

5) The headers don't help at all. Since the virus/spamware has its own client, and doesn't pass through your server[s], the only thing knowable about the virus/spamware is the peer (connection) address at the recipient's mail server - which is what we've listed - your NAT firewall if you have a NAT... Only your NAT firewall logs can tell you any different. Short of AV scanning the infected machine, the only useable information about which machine is infected is in your NAT firewall logs - if you actually make any logs and keep them long enough. For the most part, then, a CBL listing of an IP means that the IP needs to be fixed. If it's a NAT IP - port 25 blocking (and you can find/fix the infected machine[s] at your leisure), if it's not a NAT - virus/malware eradication.

6) Outbound port 25 connection blocking on NAT firewalls (permitting only your authorized mail servers) is the best solution for NATs.

7) If you have a NAT, once you've implemented port 25 blocking, you not only contain the viruses, your NAT firewall logs will immediately tell you who is infected or is compromised with a spam trojan or open proxy.

8) As far as we're aware, once port 25 blocking is instituted in a NAT, the only times people have continued to have trouble with CBL listings is when the blocking wasn't working for some reason. It would be a good idea to test whether the blocking is in fact working. We have suggested procedures for this if you want - ask us.

2007-12-02 22:55:05 [19907] list matching forced to fail: failed to find host name for 201.58.9.244
2007-12-02 22:55:05 [9913] SMTP connection from [81.129.182.181]:60329 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:06 [9913] SMTP connection from [85.177.218.230]:9468 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:06 [19907] H=(20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 F=<vash989@lfcc.edu> rejected RCP$
2007-12-02 22:55:06 [19907] SMTP connection from (20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 closed by DROP$
2007-12-02 22:55:07 [19908] ident connection to 71.217.38.129 timed out
2007-12-02 22:55:07 [19909] ident connection to 81.129.182.181 timed out
2007-12-02 22:55:08 [9913] SMTP connection from [213.36.8.1]:3542 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:08 [19909] H=host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25 F=<markhuu.Fabris@$
2007-12-02 22:55:08 [19909] SMTP connection from host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25$
2007-12-02 22:55:09 [19910] H=e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 F=<Vesterinenowao@jcel.com> rejected RCP$
2007-12-02 22:55:09 [19910] SMTP connection from e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19908] H=71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 F=<0agwampler@rapidreply.net> rejected $
2007-12-02 22:55:09 [19908] SMTP connection from 71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19911] H=dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.237.199]:25 F=<Norbe$
2007-12-02 22:55:09 [19911] SMTP connection from dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.2$
2007-12-02 22:55:13 [9913] SMTP connection from [201.212.156.23]:51905 I=[69.16.237.199]:25 (TCP/IP connection count = 1)
2007-12-02 22:55:13 [9913] SMTP connection from [200.122.38.174]:1152 I=[69.16.237.199]:25 (TCP/IP connection count = 2)
2007-12-02 22:55:14 [9913] SMTP connection from [201.233.222.43]:2980 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:16 [19915] ident connection to 201.233.222.43 timed out
2007-12-02 22:55:17 [19915] H=cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.199]:25 F=<Chasityse$
2007-12-02 22:55:17 [19915] SMTP connection from cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.1$
2007-12-02 22:55:18 [19920] cwd=/home/annajwa/public_html/forum 2 args: /usr/sbin/sendmail bloochunc@bk.ru
2007-12-02 22:55:18 [19920] 1IyxiY-0005BI-5f <= annajwa@host.mpadc.com U=annajwa P=local S=747 T="Welcome to An- Najwa" from <annajwa@host.mp$
2007-12-02 22:55:18 [19921] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IyxiY-0005BI-5f


"ERROR With Rpm_check_debug Vs Depsolve:" Error Repeated In Yum

May 5, 2009

In my move away from proprietary CP not configured for my needs and over which I have little control, I'm uninstalling them from my servers. On one of my VPS, I reinstalled the OS, CentOS 5.2 and am trying to prepare for an upgrade to CentOS 5.3 (and installs of new mailserver, webserver, CP and DNS server) by doing the required software updates on the server. However, I keep getting nearly the exact same error, outputting the exact same files. In this case, I'm trying to install "vim-minimal" for bash since I'm having bash problems, too:

-bash-3.2# yum install vim-minimal
Loaded plugins: fastestmirror, protect-packages
Loading mirror speeds from cached hostfile
* rpmforge: fr2.rpmfind.net
* base: ftp.nluug.nl
* updates: ftp.nluug.nl
* addons: ftp.nluug.nl
* extras: ftp.nluug.nl
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package vim-minimal.x86_64 2:7.0.109-4.el5_2.4z set to be updated
--> Processing Dependency: libc.so.6(GLIBC_2.2.5)(64bit) for package: vim-minimal
--> Processing Dependency: libc.so.6(GLIBC_2.3.4)(64bit) for package: vim-minimal
--> Processing Dependency: libc.so.6(GLIBC_2.4)(64bit) for package: vim-minimal
--> Processing Dependency: libacl.so.1(ACL_1.0)(64bit) for package: vim-minimal
--> Processing Dependency: libc.so.6(GLIBC_2.3)(64bit) for package: vim-minimal
--> Processing Dependency: libc.so.6()(64bit) for package: vim-minimal
--> Processing Dependency: libacl.so.1()(64bit) for package: vim-minimal
--> Processing Dependency: libtermcap.so.2()(64bit) for package: vim-minimal
--> Processing Dependency: libselinux.so.1()(64bit) for package: vim-minimal
--> Running transaction check
---> Package libtermcap.x86_64 0:2.0.8-46.1 set to be updated
---> Package glibc.x86_64 0:2.5-34 set to be updated
--> Processing Dependency: glibc-common = 2.5-34 for package: glibc
---> Package libselinux.x86_64 0:1.33.4-5.1.el5 set to be updated
--> Processing Dependency: libsepol.so.1()(64bit) for package: libselinux
---> Package libacl.x86_64 0:2.2.39-3.el5 set to be updated
--> Processing Dependency: libattr.so.1(ATTR_1.0)(64bit) for package: libacl
--> Processing Dependency: libattr.so.1()(64bit) for package: libacl
---> Package glibc.i686 0:2.5-34 set to be updated
---> Package libselinux.i386 0:1.33.4-5.1.el5 set to be updated
--> Running transaction check
---> Package libattr.x86_64 0:2.4.32-1.1 set to be updated
---> Package libsepol.x86_64 0:1.15.2-1.el5 set to be updated
---> Package glibc-common.x86_64 0:2.5-34 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved .....


Plesk 11.x / Windows :: Move Spam To Spam Folder Not Available?

Oct 17, 2013

Microsoft Windows Server 2008 R2 Service Pack 1
Panel version 11.0.9 Update #59, last updated at Oct 3, 2013 02:06 AM
MailEnable version 5

I see in the Plesk documentation that on the screen to enable SPAM filtering for an individual there is an option to "Move spam to the Spam folder". I don't see that option, so I am wondering if it is only available on some versions of Plesk, or in combination with certain mail servers. How do I make that option available?


Spam Bnc.txt?

Nov 17, 2008

One of our customers on a VPS downloaded this file and then ran it: perl bnc.txt

I am wondering if it's a spammer using the script to send spam.

It seems to be written in Portuguese. I have translated parts of it and it reminds me of the typical spam subjects you find nowadays.


Spam Bot

Aug 15, 2008

We are having some big issues with a spam bot on the server. We can remove the bot, but could you please explain, IN DETAIL, how to configure the NAT to prevent outbound port 25 connections to the internet except from our real mail servers on Windows Server 2003. Currently, the only firewall on this system is the standard Windows one.


So Much Spam

Aug 19, 2007

through some accounts on the server and the amount of spam in their mail queue is really frustrating. I had to set admin accounts for each site I run and the spammers have discovered them, so I am looking for a ssh command where I can just easily clean all the spam out. I tried cat /dev/null > /var/mail/"the username" but that didn't work.


Spam

Nov 6, 2007

Someone on our server is sending spam mails, he does not know about it.

Most spam are sent to aol.com,gmail.com and cs.com

I'm getting loads of these Mail delivery failed mails:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

The e-mails come from the system/user account e-mail of the domain (usernameDA@domain.com), where DA is Direct Admin.

I think it sent more than 30.000 mails in 2 days.

Also received a complaint from AOL.

How can I trace this? What can I do to fix it?

Is it some crappily written PHP script?

He said he updated joomla, wiki and smf forum.


Prevent SPAM

May 1, 2008

I use a cPanel license. I enabled phpsux on my server, but users can send email without an SMTP address.
How can I prevent users from sending mail without SMTP?


Spam From EasyAntiSpam

Jan 29, 2009

I just got this from EasyAntiSpam. Unless my address is harvested from the HostingCon database, I've certainly never been in touch with them. Disappointing either way.
Matt:

Good afternoon! I hope you are doing well. I am the new Director of Sales for Easy Antispam and I wanted to get in touch with you to find out who currently provides you with your anti-spam solutions?

I have listed below a few key benefits for our antispam solution here at Easy Antispam [url]

· Fully brandable quarantine with customizable url
· Customer level whitelisting
· Nothing to install. No complex configuration changes to make.

All you have to do is redirect the MX.

Easy Antispam is a service of Interjuncture, Corp. which was founded by George A. Roberts IV and Frank Spaulding in 2004. Easy Antispam offers a solution that doesn’t cause more problems and work than the spam itself. Thousands of businesses, organizations and individuals rely on Easy Antispam’s Email Protection Services to defend their inboxes against spam and other threats. So, what are YOU waiting for? Get protected, sign up now for a 30 day free trial.


Spam On Gmail

Apr 18, 2009

I have a Linux server with shared hosting. For a couple of days now, one of my clients has faced a problem regarding spam with Gmail. I have also cross-checked all the mandatory records, and we have already created MX, SPF & reverse DNS records with domain keys for that domain.


Emails Spam

Jun 25, 2009

I'm getting 50 and more spam mails each day. How do I secure my VPS to stop 99% of the spam from coming in? As I understand, there's no way to completely block spam.

I'm using the DirectAdmin control panel and enabled SpamAssassin, but it's not much use even when I apply strict options on it.


Spam Filtering

Jan 5, 2009

I used to have a reseller account and have shifted everything to a dedicated server. I now find that a couple of clients are getting lots of spam when they didn't before.

It seems that the servers used by the reseller account had some level of basic spam filtering installed; my provider suggested I look for a filtering program to install on my server.

There are, of course, dozens of them, so I wondered if anyone has any experience - enough, perhaps, to make a recommendation.


Block Spam

May 12, 2009

I'm having difficulties with a WHM running on a CentOS dedicated server. The problem is that we receive too much spam and junk email. By too much I mean 2000 bulks per week. It's killing us.

How can I stop it?


Spam And Security

Jul 5, 2009

I am facing some major SPAM problems.

I am a web host from the city of Kolkata, India.

Almost 95% of my clients are from my city - others are also known to me. I know many of them face to face - there is very little chance that any of them is a SPAMMER.

Still my server IP is blacklisted - several times in the last 1 year - I changed my datacenter - but the problem still persists.


Spam Being Sent From Our Server.. But How And From Where

Apr 2, 2009

We're using whm/cpanel and we're always up to date with the latest upgrades (with all our scripts).

2 weeks ago, we receive a notification from SpamCop saying that our server was sending out spam. We verified everything and found nothing. 2 days ago, same story.

We tried looking at our logs and found nothing. Does this mean that there's a security hole somewhere? How can we find out from where the spammer is sending his viagra emails from ? We do not want to be permanently banned because of a spammer.


Mail Going To Spam

May 27, 2009

I have problems with my mail server.

I have installed cPanel WHM.

In my server there are many accounts and now I discovered that not all accounts, when they send email to hotmail and yahoo, go to spam.

It does not happen in all accounts.

How can I bypass the filter of yahoo and hotmail for all domains configured on my server?


Cgi Spam Script

Mar 31, 2009

I have this in my account:

/cgi-bin/check.cgi
/cgi-bin/gz.cgi
/cgi-bin/km.cgi
/cgi-bin/hnc.cgi
/cgi-bin/ypej.cgi

Some script that sends (a LOT of) spam, and disappears.

Does anyone know what that was?

I cannot find anything about it.

I disabled CGI scripting.


Spam From Parallels

May 20, 2009

I guess the economy must be hitting them hard. They have resorted to unsolicited commercial email, everyone's favourite.

Quote:

I hope this finds you well. I am currently attempting to reach out to companies that offer web hosting services and either use, or have used, Parallels Plesk Panel as a part of the service offerings. The goal is to re-introduce Parallels Plesk Panel and hopefully revive any previously established relationships. This includes looking into why the Parallels Plesk Panel business slowed, or stopped completely, within your organization.

We are working very hard to establish a reputable channel within the hosting marketplace. In order to do so we need to look at what is currently working and what is not currently working. The best place to begin this research is with companies that have used us, but now don't really offer our products. With that said, are you available for a phone call to discuss?

My goal is to understand:

* Do you currently offer control panels, if so, is Parallels Plesk Panel a part of your offerings?

* If you are no longer offering (pushing) Parallels Plesk Panel, is there a reason?

* Would you be receptive to some sort of "trial" program to re-introduce you to Parallels Plesk Panel and our Service Provider Partnership Program?

I look forward to your response and hopefully speaking with you soon.

Antoine Wilson
Partner Recruitment Manager
Service Provider Division
Parallels, Inc.
+1 (703) 995-4170 Direct
+1 (703) 991-5511 Efax

AIM: scrams93

Skype: antoine.wilson

ICQ: 215351114


Spam Cannibal / Ptr

Jun 17, 2009

I was running an IP check on spamcannibal.org

It shows blocked because of this reason:

no reverse DNS, MX host should have rDNS - RFC1912 2.1

Is it actually possible to setup some kind of generic ptr records on IPs, even if they are assigned to dedicated server clients?


Spam From Server

Jul 14, 2009

I noticed that reported server usage from Plesk is 2.x - 3.x, so I went to mail queue (in Plesk) and saw lots of mails that shouldn't be there.

There were several senders under the domain dedibox.fr sending LOTS of emails to lots of addresses in the same email. There shouldn't be a sender @dedibox.fr, as that domain isn't hosted on our dedicated server.

I know little about Linux administration... I tried going to the /var/log folder and grepping for dedibox in the messages and maillog files, but nothing was found...

How can I know if someone connected to our server as a user or something like that?


How Stop Spam

Apr 17, 2009

I have a server that is sending spam, but I cannot tell who sent it because the server does not have suphp installed.

Is there another option to see who sends spam?


SPF To Help Fight Spam

Apr 19, 2009

We are always looking for different ways to help combat spam, and have done things such as disabling pop before smtp on our servers, limiting the number of e-mails per domain per hour and so forth.

Lately we have been considering making SPF mandatory on all accounts. According to what I've read, it allows receiving e-mail servers to check that the e-mail did indeed originate from our e-mail servers and reject it if it fails (depending upon the SPF record configuration of course).

I am thinking something along these lines

"v=spf1 a mx -all"

would be good? or not? Am I right in thinking it would only allow e-mails coming from the IP of the A record on the domain OR the MX record?

2 questions:

1) This would mean that clients would need to use our SMTP servers (authentication is already required on our end, so that's not a big deal) or otherwise risk some e-mails being rejected by the recipient server?

2) Are there any potential pitfalls I have not mentioned in this message?


Image Spam

Jul 12, 2009

I am not sure if many of you have been getting this same spam. But I've been getting spam about sexual topics and the email is just an image with words written on it.

Sometimes the email has words too such as what is written below.

Quote:

Doees Using sexual Body Langauge to Attract Women Really Works? www. med72. com. Chicago Bulls' Masecot Sued For Baad High-Five

I was wondering if you know of a way to block those emails.


All Emails End Up In Spam, Any ISP

May 9, 2008

Got this strange issue here. Comcast customers cannot receive any emails sent from my server. With the others, most of the emails are being sent to a spam folder instead of inbox.

Server is CentOS 5 / cPanel

I confirmed the IP has proper reverse DNS and is not blacklisted. I also set up SPF as well.


Controlling SPAM

Jan 9, 2008

I will preface this thread this way:

I know there is no perfect solution to eliminating SPAM and not losing "good email".

What do you use that is working well for you? I need some suggestions. I don't have time to babysit/teach a spam filter as I get thousands and thousands of emails each day through various email addresses on the server. I cannot use services such as easyat.com as they don't work with servers that use a remote/clustered DNS.


Fight Against SPAM

Jul 6, 2008

I have a few hundred domains and 5 servers.

They are all a mix of Windows/Unix/Linux and different control panels.

They all have spam filters, but we are getting so much spam that the servers can't even process it quickly enough.

Please let me know if there is any dedicated Linux appliance and/or firewall I can use to drop the spam IP addresses instead of processing the spam.


Spam Mail

Aug 16, 2008

I am using WHMCS and almost every order or invoice reminder goes to the spam/junk folder (gmail/hostmail +++).

I know the problem isn't WHMCS but my server. Is there any step-by-step tutorial on how to fix this problem?


Get Rid Of Spam Emails

Apr 29, 2008

I have been using a couple of emails on my domain for 3 years. I am getting a large amount of spam emails. If I use SpamAssassin™ in cPanel it will sometimes miss hotmail, yahoo emails etc. If I disable it, I will continue receiving those spam emails. However, some of my clients use free emails like hotmail and yahoo.








Copyrights 2005-15 www.BigResource.com, All rights reserved