Aug 28, 2007
For the last month I've had problems with my VPS being blacklisted, and it always seems to be around the same time of day.
Anyway, the VPS is managed, but it's a right pain in the backside getting support to deal with the problem for me and sort it out. I get answers like "It's a PHP script", and when I ask which script they say they can't find out.
After getting advice from people on this forum, I asked support to set up exim so that it recorded the folder of any scripts sending out mail, but when I run grep to show any exim_mainlog entries with cwd= there is very little appearing apart from genuine mails being sent by contact forms on websites.
I managed to get evidence of a mail which caused the server to be blacklisted and sent this to support, who said the mails are being sent via header injection on contact scripts, so I've gone through the contact scripts and changed them, but again, still blacklisted.
I may be wrong here, but surely if someone was doing mail injection then I would be receiving copies of the mail myself as the website mails me with the enquiry, and also surely the exim_mainlog would show the folder containing the script as sending mails... but it doesn't.
I'm completely lost here; somehow mail is being sent from the server, whether it be via a script or what, but I can't (and neither can support) determine the exact script that is sending mail.
Here is a snippet of the exim_mainlog from around the time the evidence mail was sent.
Code:
Aug 25 21:59:40 awt spamd[5164]: spamd: checking message <16291601c7e75a$d5a016e0$0d4cb34c@ALLEN> for thegran:32010
Aug 25 21:59:46 awt spamd[23731]: spamd: connection from localhost [127.0.0.1] at port 47366
Aug 25 21:59:46 awt spamd[23731]: spamd: setuid to libraifa succeeded
Aug 25 21:59:46 awt spamd[23731]: spamd: checking message <494307824222.548029453854@flcjn.net> for libraifa:32006
Aug 25 21:59:48 awt spamd[5164]: spamd: identified spam (17.1/5.0) for thegran:32010 in 7.7 seconds, 1050 bytes.
Aug 25 21:59:48 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL scantime=7.7,size=1050,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47347,mid=<16291601c7e75a$d5a016e0$0d4cb34c@ALLEN>,bayes=1.000000,autolearn=spam
Aug 25 21:59:48 awt spamd[28500]: prefork: child states: IB
Aug 25 21:59:52 awt spamd[23731]: spamd: identified spam (12.3/2.5) for libraifa:32006 in 6.4 seconds, 6742 bytes.
Aug 25 21:59:52 awt spamd[23731]: spamd: result: Y 12 - AXB_XMID_1212,BAYES_60,EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE scantime=6.4,size=6742,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=47366,mid=<494307824222.548029453854@flcjn.net>,bayes=0.654621,autolearn=no
Aug 25 21:59:52 awt spamd[28500]: prefork: child states: II
Aug 25 21:59:53 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
Aug 25 21:59:56 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=39944, rcvd=56, sent=40746, time=3
Aug 25 22:04:12 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 48176
Aug 25 22:04:12 awt spamd[5164]: spamd: setuid to libraifa succeeded
Aug 25 22:04:12 awt spamd[5164]: spamd: checking message <E1IP2ng-0002eI-Eg@wear.readytogo.net> for libraifa:32006
Aug 25 22:04:20 awt spamd[5164]: spamd: clean message (-2.6/2.5) for libraifa:32006 in 7.6 seconds, 1827 bytes.
Aug 25 22:04:20 awt spamd[5164]: spamd: result: . -2 - AWL,BAYES_00 scantime=7.6,size=1827,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=48176,mid=<E1IP2ng-0002eI-Eg@wear.readytogo.net>,bayes=0.000000,autolearn=ham
Aug 25 22:04:20 awt spamd[28500]: prefork: child states: II
Aug 25 22:09:29 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 49145
Aug 25 22:09:29 awt spamd[5164]: spamd: setuid to gbtravel succeeded
Aug 25 22:09:29 awt spamd[5164]: spamd: checking message <putcgcbfbhamfer@fruitpads.com> for gbtravel:32017
Aug 25 22:09:39 awt spamd[5164]: spamd: identified spam (12.6/5.0) for gbtravel:32017 in 10.2 seconds, 5003 bytes.
Aug 25 22:09:39 awt spamd[5164]: spamd: result: Y 12 - BAYES_99,HTML_IMAGE_ONLY_32,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MSGID_SPAM_LETTERS,SPF_PASS,TVD_RATWARE_MSGID_02,URIBL_BLACK,URI_NOVOWEL scantime=10.2,size=5003,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=49145,mid=<putcgcbfbhamfer@fruitpads.com>,bayes=1.000000,autolearn=no
Aug 25 22:09:39 awt spamd[28500]: prefork: child states: II
Aug 25 22:10:06 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
Aug 25 22:10:07 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=0, rcvd=12, sent=39, time=1
Aug 25 22:11:27 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 49520
Aug 25 22:11:27 awt spamd[5164]: spamd: setuid to libraifa succeeded
Aug 25 22:11:27 awt spamd[5164]: spamd: checking message <000601c7e75c$894ed180$0100007f@fpviosw> for libraifa:32006
Aug 25 22:11:36 awt spamd[5164]: spamd: identified spam (16.3/2.5) for libraifa:32006 in 8.5 seconds, 19328 bytes.
Aug 25 22:11:36 awt spamd[5164]: spamd: result: Y 16 - BAYES_60,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,SHORT_HELO_AND_INLINE_IMAGE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.5,size=19328,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=49520,mid=<000601c7e75c$894ed180$0100007f@fpviosw>,bayes=0.726583,autolearn=spam
Aug 25 22:11:36 awt spamd[28500]: prefork: child states: II
Aug 25 22:16:17 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 50217
Aug 25 22:16:17 awt spamd[5164]: spamd: setuid to sr8 succeeded
Aug 25 22:16:17 awt spamd[5164]: spamd: checking message <984907979.55364767348457@utsc.utoronto.ca> for sr8:32004
Aug 25 22:16:26 awt spamd[5164]: spamd: identified spam (12.9/5.0) for sr8:32004 in 9.3 seconds, 9431 bytes.
Aug 25 22:16:26 awt spamd[5164]: spamd: result: Y 12 - DATE_IN_FUTURE_03_06,FH_HELO_EQ_D_D_D_D,FUZZY_CREDIT,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,HTML_OBFUSCATE_10_20,MIME_HTML_ONLY,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_RCVD_IP scantime=9.3,size=9431,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50217,mid=<984907979.55364767348457@utsc.utoronto.ca>,autolearn=spam
Aug 25 22:16:26 awt spamd[28500]: prefork: child states: II
Aug 25 22:19:29 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
Aug 25 22:19:29 awt pop3d: LOGOUT, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86], top=0, retr=0, rcvd=12, sent=39, time=0
Aug 25 22:20:33 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 51016
Aug 25 22:20:33 awt spamd[5164]: spamd: setuid to thegran succeeded
Aug 25 22:20:33 awt spamd[5164]: spamd: checking message <21ecc01c7e75d$bbd32420$2f01a8c0@windowsa607f1d> for thegran:32010
Aug 25 22:20:41 awt spamd[5164]: spamd: identified spam (17.5/5.0) for thegran:32010 in 8.1 seconds, 1174 bytes.
Aug 25 22:20:41 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,DATE_IN_PAST_06_12,FH_HOST_EQ_VERIZON_P,FORGED_MUA_OUTLOOK,INVALID_MSGID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,STOX_REPLY_TYPE,URIBL_RED,URIBL_RHS_DOB scantime=8.1,size=1174,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51016,mid=<21ecc01c7e75d$bbd32420$2f01a8c0@windowsa607f1d>,bayes=0.999360,autolearn=spam
Aug 25 22:20:41 awt spamd[28500]: prefork: child states: II
Aug 25 22:26:21 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 51946
Aug 25 22:26:21 awt spamd[5164]: spamd: setuid to gbtravel succeeded
Aug 25 22:26:21 awt spamd[5164]: spamd: checking message <264166.236793146.1188032962@ourfirststep.net> for gbtravel:32017
Aug 25 22:26:30 awt spamd[5164]: spamd: identified spam (7.1/5.0) for gbtravel:32017 in 9.2 seconds, 6091 bytes.
Aug 25 22:26:30 awt spamd[5164]: spamd: result: Y 7 - AWL,BAYES_50,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_TAG_BALANCE_HEAD,MPART_ALT_DIFF,SPF_PASS,URIBL_BLACK,URIBL_JP_SURBL scantime=9.2,size=6091,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51946,mid=<264166.236793146.1188032962@ourfirststep.net>,bayes=0.592462,autolearn=no
Aug 25 22:26:30 awt spamd[28500]: prefork: child states: II
Aug 25 22:34:09 awt pop3d: LOGIN, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74]
Aug 25 22:34:10 awt pop3d: LOGOUT, user=mike@camberleydrivingschool.co.uk, ip=[::ffff:86.13.153.74], top=0, retr=2252, rcvd=50, sent=2521, time=1
Aug 25 22:51:28 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 55911
Aug 25 22:51:28 awt spamd[5164]: spamd: setuid to libraifa succeeded
Aug 25 22:51:28 awt spamd[5164]: spamd: checking message <3235985408.20070825170556@qmuqybrxw> for libraifa:32006
Aug 25 22:51:35 awt spamd[5164]: spamd: identified spam (9.8/2.5) for libraifa:32006 in 7.2 seconds, 836 bytes.
Aug 25 22:51:35 awt spamd[5164]: spamd: result: Y 9 - BAYES_99,RDNS_NONE,SPF_HELO_NEUTRAL,SPF_NEUTRAL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=7.2,size=836,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=55911,mid=<3235985408.20070825170556@qmuqybrxw>,bayes=1.000000,autolearn=no
Aug 25 22:51:35 awt spamd[28500]: prefork: child states: II
Aug 25 22:54:30 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56343
Aug 25 22:54:30 awt spamd[5164]: spamd: setuid to sr8 succeeded
Aug 25 22:54:30 awt spamd[5164]: spamd: checking message <8678967196.190217665470@yahoo.com> for sr8:32004
Aug 25 22:54:37 awt spamd[5164]: spamd: identified spam (14.0/5.0) for sr8:32004 in 6.9 seconds, 847 bytes.
Aug 25 22:54:37 awt spamd[5164]: spamd: result: Y 14 - FORGED_YAHOO_RCVD,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,REPTO_QUOTE_YAHOO,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=6.9,size=847,user=sr8,uid=32004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56343,mid=<8678967196.190217665470@yahoo.com>,autolearn=spam
Aug 25 22:54:37 awt spamd[28500]: prefork: child states: II
Aug 25 22:57:06 awt spamd[5164]: spamd: connection from localhost [127.0.0.1] at port 56732
Aug 25 22:57:06 awt spamd[5164]: spamd: setuid to thegran succeeded
Aug 25 22:57:06 awt spamd[5164]: spamd: checking message <1IP4?n-000NOC-YL@pool-72-82-6-40.prvdri.east.verizon.net> for thegran:32010
Aug 25 22:57:14 awt spamd[5164]: spamd: identified spam (13.8/5.0) for thegran:32010 in 8.3 seconds, 1185 bytes.
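As an added example (not code from the original post), here is a small Python summariser for the spamd "result:" lines in the log above: it tallies spam and clean verdicts, the highest score and the most frequent rules per local user, and counts RCVD_IN_* DNSBL hits on the sending host, which is the first thing to check when working out whose mailbox these scans belong to. The sample lines are constructed in the same format as the posted log, with shortened rule lists and placeholder message IDs.

```python
import re
from collections import Counter

# Constructed sample, modelled on the spamd entries in the posted log (shortened; not the real file).
SAMPLE_LOG = """\
Aug 25 21:59:48 awt spamd[5164]: spamd: identified spam (17.1/5.0) for thegran:32010 in 7.7 seconds, 1050 bytes.
Aug 25 21:59:48 awt spamd[5164]: spamd: result: Y 17 - BAYES_99,RCVD_IN_PBL,URIBL_BLACK scantime=7.7,size=1050,user=thegran,uid=32010,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47347,mid=<a@ALLEN>,bayes=1.000000,autolearn=spam
Aug 25 21:59:52 awt spamd[23731]: spamd: identified spam (12.3/2.5) for libraifa:32006 in 6.4 seconds, 6742 bytes.
Aug 25 21:59:52 awt spamd[23731]: spamd: result: Y 12 - BAYES_60,RCVD_IN_PBL,RCVD_IN_XBL scantime=6.4,size=6742,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=47366,mid=<b@flcjn.net>,bayes=0.654621,autolearn=no
Aug 25 22:04:20 awt spamd[5164]: spamd: clean message (-2.6/2.5) for libraifa:32006 in 7.6 seconds, 1827 bytes.
Aug 25 22:04:20 awt spamd[5164]: spamd: result: . -2 - AWL,BAYES_00 scantime=7.6,size=1827,user=libraifa,uid=32006,required_score=2.5,rhost=localhost,raddr=127.0.0.1,rport=48176,mid=<c@wear.readytogo.net>,bayes=0.000000,autolearn=ham
Aug 25 22:09:39 awt spamd[5164]: spamd: identified spam (12.6/5.0) for gbtravel:32017 in 10.2 seconds, 5003 bytes.
Aug 25 22:09:39 awt spamd[5164]: spamd: result: Y 12 - BAYES_99,URIBL_BLACK scantime=10.2,size=5003,user=gbtravel,uid=32017,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=49145,mid=<d@fruitpads.com>,bayes=1.000000,autolearn=no
Aug 25 22:09:39 awt spamd[28500]: prefork: child states: II
Aug 25 22:10:06 awt pop3d: LOGIN, user=andrew@myhomeonthe.net, ip=[::ffff:212.159.101.86]
"""

# "result: <verdict> <score> - <rule,rule,...> key=value,key=value,..."
RESULT_RE = re.compile(r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_result_line(line):
    """Return a dict for a spamd 'result:' line, or None for any other syslog line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    return {
        "spam": m.group("verdict") == "Y",      # 'Y' = over threshold, '.' = clean
        "score": int(m.group("score")),
        "rules": m.group("rules").split(","),
        "user": kv.get("user", "?"),
        "uid": kv.get("uid", "?"),
        "threshold": float(kv.get("required_score", "nan")),
        "mid": kv.get("mid", ""),
    }


def summarize(log_text):
    """Per-user tallies: spam/ham counts, highest score seen, and rule frequencies on spam."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_result_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["user"], {"spam": 0, "ham": 0, "max_score": None, "rules": Counter()})
        s["spam" if rec["spam"] else "ham"] += 1
        if s["max_score"] is None or rec["score"] > s["max_score"]:
            s["max_score"] = rec["score"]
        if rec["spam"]:
            s["rules"].update(rec["rules"])
    return out


def dnsbl_hits(summary, user):
    """Number of RCVD_IN_* rule hits (DNSBL listings of the relaying host) on a user's spam."""
    return sum(n for rule, n in summary.get(user, {}).get("rules", {}).items() if rule.startswith("RCVD_IN_"))


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(f"{user:10} spam={s['spam']} ham={s['ham']} max={s['max_score']} "
              f"dnsbl_hits={dnsbl_hits(summarize(SAMPLE_LOG), user)} top={s['rules'].most_common(3)}")
```

Feed the real file with summarize(open('/var/log/maillog').read()) to see the same tallies for every account on the box.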
Apr 2, 2009
This question gets asked a lot in our Helpdesk and I figured I would post our knowledgebase article here to help anyone else wondering the Pros and Cons of Unlimited Domain Shared Hosting vs. Reseller Hosting. If anyone has anything else to add, I appreciate any feedback on how we can improve our KB article.
----------------------------------------------------------------------
Given the present state of shared hosting, many clients may ask "Why would I need a Reseller account if I can host unlimited Addon and Parked domains within a single shared hosting account?". There is certainly enough Disk Space and Bandwidth provided in many of today's hosting packages, so why bother to purchase a Reseller account?
Many don't realize the drawbacks of hosting large numbers of domains within a single hosting account until they've already packed tens of them onto a single package.
So how do you know whether a Reseller account or Shared Hosting account is right for you? The answer is in how you plan to provide access to others and how "mission-critical" the sites are. You should consider the following factors when deciding on hosting a large number of domains:
1. Who will be managing these sites?
2. How important is site security between sites?
3. Will these domains need dedicated SSLs?
4. How resource intensive will these sites be (RAM, CPU, MySQL)?
In a nutshell, Reseller plans are for those who wish to host websites for other sub-clients and a shared hosting package is for a single individual managing multiple personal domains. We'll go over the 4 points above in greater detail.
1. Who will be managing these sites?
If you personally own multiple domains and wish to host them within the same hosting space, you can easily do so with an Addon or Parked domain. An addon domain will allow you to host a new domain within a subdirectory of your hosting space. A parked domain will allow you to have multiple domain names point to the same content. Since addon domains reside within the same user space as your main domain, you can manage all of your domains with a single login. You can see the problem if you want to provide another user with access. Since all accounts are managed with a single set of login credentials, if you give another user access to their addon domain you are also giving them access to your main domain. If you have vital information stored on your main domain and you are hosting another domain as an addon domain for someone else, you cannot provide them access to their hosting without compromising the integrity of your main domain.
When hosting sites as a Reseller, your clients in turn will want access to their account and will want exclusive rights to their disk space and server resources. With a Reseller account, each sub-account you create gets its own username, password, and isolated user space on the server. Individual clients of yours have access to their user space and their user space alone. In addition to the isolation with regards to access concerns, each account also gets their own cPanel access. All of the same great features that you use to manage your sites can also be given to your clients. Next time client Y wants to add an email account, you don't have to do it for them for fear of giving them access to your cPanel, you can simply give them their login details and they can manage their own email accounts.
2. How important is site security between sites?
This is along the same lines as point 1. This is not necessarily related to who you are hosting for, but what content you are hosting. Imagine that you are a webmaster and you are hosting your own personal site-in-a-box community forums (such as phpBB or vBulletin) on your main domain and a company website for a paying client on an addon domain. It is not uncommon for popular scripts to have security flaws in older versions. Script authors will often update security flaws in later versions of their software. For this reason, it is very important to keep scripts up to date on your site. But let's assume you forget to update your scripts for a couple of months and an unscrupulous individual takes advantage of a well known security hole. Using this exploit, they gain access to your forums and any subdirectories. Since you are hosting another domain as an addon, they now have access to this domain's content as well. A site defacement on this company's site may not bode well for you when they are considering you for web master services in the future.
If these two domains had been separated into two individual users (i.e. two subaccounts created through a Reseller), their content would've been inherently isolated server side by Linux's user management. Sure, your forums still would've been affected by the security hole, but the break-in would've been isolated to your site alone.
Going back to our example, let's say that instead of a corporate website as an addon domain you are hosting an image gallery site for all of your cats. In this case, it may not be a big deal if a compromise in your main domain spreads to your addon domain. After all, they are both owned by you and you're only losing some time and effort to restore these sites from your local backups (which I'm sure you've actively maintained). But then again, you are losing time and time is money. If these sites had been separated into individual users, again, you'd only have to restore one site's content.
The idea here is isolation. Reseller plans provide you with the peace of mind to know that if one of your users doesn't keep up with their site's content as actively as they should, their actions won't negatively impact the content hosted on other domains. If you and those you host in your addons are diligent webmasters, maybe this point won't have much bearing on your decision. Only you can say for sure.
3. Will these domains need SSLs?
As of this writing, SSL certificates must have a dedicated IP address to be installed. If you are hosting multiple domains on the same shared hosting package, you can still install an SSL (or purchase a dedicated IP address and install one) but you are limited to exactly one SSL on your account. If you are hosting multiple domains on the same package (and consequently the same IP), you must choose which domain gets to have the dedicated SSL.
Sub accounts of Resellers can each be placed onto separate IP addresses and, as a result, can each have their own dedicated SSL installed.
Of course, both shared accounts and Resellers' sub accounts can use the server's shared SSL free of charge. However, some clients prefer to see their domain in the URL bar when they visit https.
4. How resource intensive will these sites be (RAM, CPU, MySQL)?
We've already established that disk space and bandwidth will be no problem. But what about CPU, RAM, and MySQL resources?
It's important to be aware of the resource needs of your website. As administrators, we have to make sure all users "play nice" on the server. We can't have user X eating all of the CPU cycles computing pi to the trillionth decimal place while you are trying to serve web pages to your loyal visitors. We have to monitor the actions of all of our users and in the event someone is stepping beyond the bounds of acceptable resource consumption, we have to take action. In most cases, this entails disabling the abusive script, but in extreme cases we have to suspend the abusive user account to prevent other domains from encountering performance degradation on their sites.
If you are hosting 100 domains as addon domains, all serving nothing but static HTML pages, maybe you will stay off the radar.
But considering most sites are more complicated than static HTML, you may want to be aware of how many sites you host as addons and what content they serve. If you're hosting the latest and greatest Joomla modules, with up to date news feeds, integrated forums modules, polls, blog posts, etc., your site can certainly require a degree of CPU to serve your pages. Now imagine you have 5 or 10 of these sites all hosted as addon domains. The resources these sites need to generate their content can quickly add up and before you know it you've got a friendly email from Acenet, Inc. in your inbox wondering why your user is consuming 2 of the 8 CPU cores on the server. That may be an exaggeration, but you get the idea. In the event your resource usage becomes so excessive that we have to suspend your user, now all of your sites are down instead of whichever one may be the direct cause of the spike in CPU, RAM, or MySQL consumption.
If each of these had been separate Reseller accounts, the offending account could've been suspended temporarily while we work through the cause, leaving the rest of your domains live and kicking.
The conclusion here is that you need to be aware of the needs of your sites in a general sense. Hosting unlimited domains within a shared hosting space is certainly a nice feature. For those webmasters who have multiple presences on the web, it's very convenient to be able to manage all of their personal domains from a single control panel. For those entrepreneurs who are hosting multiple domains for other individuals, the features and security associated with a Reseller plan and the inherent isolation of Linux users is a must have.
----------------------------------------------------------------------