Is My Mail Server Black Listed

Jan 25, 2009

We have a dedicated Linux server. We use it to send daily newsletters to our customers, but for the last few days it looks like our mail server is sending out email to clients' spam folders.

Is there any way to diagnose our mail server and find out if there is anything wrong or if our mail server has been black listed?


Server's IP Black Listed On CBL

Jul 19, 2007

My server's IP address was found listed on the CBL list.

Check this out:

[url]

I think I'm listed for a naming issue, as they referred me to this page to solve the problem.

What should I do to correct the problem? I made some changes to /etc/hostname and /etc/hosts and requested delisting, but without positive results.

I'm on Debian Sarge.


Black Diamond

Jul 23, 2007

I've come across a few of my sites on the server at my work that are showing up with Black Diamonds with question marks in them. It seems like we have just recently started having this problem; sites that have been up for a while now without these problems are now having them. What could be the cause of this so that we may look into it?


Clients IP Keep Getting Black List

Jun 17, 2009

I have 20 clients who are on different networks and in different countries, but all of a sudden their IPs keep getting blacklisted in Spamhaus, CBL, DSBL etc. and they cannot send email. I am so very tired of this.


NUMPROC Black Alerts On VPS

Feb 12, 2007

I have started having daily numproc black alerts on my VPS. Tech Support have increased the numproc limit already to 1500 but say that I will need a dedicated server, that's the last I have heard. I'd like to know if there is anything I can do to limit this numproc problem without the need to get a dedicated server. The numproc alerts seem to be getting more frequent but the visitors to the site are not increasing. Here are the details:

2 x AMD Opteron(tm) Processor 244, 904.127 MHz, cache size: 1024 KB
Linux 2.6.8-022stab078.21-enterprise #1
Apache/1.3.36 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.2 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.27 OpenSSL/0.9.7a
Cpanel

Only one site is hosted on the VPS. Includes phpbb forum & various php / mysql sections like an affiliate store & photo gallery. Averaging about 11000 visitors/day
I tried to run /proc/user_beancounters & ps axv commands when the numproc was maxed this morning but could not log in to run it so these are the ones I ran yesterday.

Code:
uid resource held maxheld barrier limit failcnt
132: kmemsize 13786145 13803842 39485440 40632320 0
lockedpages 0 0 1024 1024 0
privvmpages 110039 110045 262144 278528 17
shmpages 731 731 86016 86016 0
dummy 0 0 0 0 0
numproc 683 683 1500 1500 4709595
physpages 62578 62580 0 2147483647 0
vmguarpages 0 0 135168 2147483647 0
oomguarpages 66597 66599 104448 2147483647 0
numtcpsock 47 49 1440 1440 0
numflock 11 11 752 824 0
numpty 1 1 64 64 0
numsiginfo 0 1 1024 1024 0
tcpsndbuf 92552 112604 6881280 10813440 0
tcprcvbuf 692 1384 6881280 10813440 0
othersockbuf 98524 103180 4504320 8388608 0
dgramrcvbuf 0 0 1048576 1048576 0
numothersock 123 123 1440 1440 0
dcachesize 619920 622790 9093120 9666560 0
numfile 2434 2435 23280 23280 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
numiptent 47 47 512 512 0

Code:
PID TTY STAT TIME MAJFL TRS DRS RSS %MEM COMMAND
1 ? Ss 0:00 0 26 1593 552 0.0 init
15751 ? Ss 0:00 0 28 1495 596 0.0 syslogd -m 0
15761 ? S 0:00 0 10 1437 456 0.0 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -facility=mail -start /usr/libexec/courier-authlib/authdaemond
15762 ? S 0:00 0 13 1782 576 0.0 /usr/libexec/courier-authlib/authdaemond
15786 ? S 0:00 0 13 1782 616 0.0 /usr/libexec/courier-authlib/authdaemond
15787 ? S 0:00 0 13 1782 596 0.0 /usr/libexec/courier-authlib/authdaemond
15788 ? S 0:00 0 13 1782 616 0.0 /usr/libexec/courier-authlib/authdaemond
15789 ? S 0:00 0 13 1782 616 0.0 /usr/libexec/courier-authlib/authdaemond
15790 ? S 0:00 0 13 1782 584 0.0 /usr/libexec/courier-authlib/authdaemond
15799 ? Ssl 0:00 8 269 39030 2664 0.0 /usr/sbin/named -u named
15814 ? Ss 0:01 3 296 3711 1704 0.0 /usr/sbin/sshd
15825 ? Ss 0:00 2 138 1933 864 0.0 xinetd -stayalive -pidfile /var/run/xinetd.pid
15836 ? S 0:00 0 573 1570 1068 0.0 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/server.surfing-waves.com.pid
15861 ? Sl 0:01 40 4000 108171 26516 0.7 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.surfing-waves.com.pid --skip-external-locking
15907 ? S 0:00 0 829 8938 7388 0.2 chkservd
15923 ? S 0:00 0 10 1441 468 0.0 /usr/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
15924 ? S 0:00 0 44 1515 512 0.0 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
15934 ? S 0:00 0 10 1441 400 0.0 /usr/sbin/courierlogger -pid=/var/run/imapd-ssl.pid -start -name=imapd-ssl /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
15935 ? S 0:00 0 44 1515 492 0.0 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
15940 ? S 0:00 0 10 1441 472 0.0 /usr/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
15941 ? S 0:00 0 44 1515 512 0.0 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
15946 ? S 0:00 0 10 1441 400 0.0 /usr/sbin/courierlogger -pid=/var/run/pop3d-ssl.pid -start -name=pop3d-ssl /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
15950 ? S 0:00 0 44 1515 492 0.0 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=30 -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
15971 ? Ss 0:00 0 678 6669 1880 0.0 /usr/sbin/exim -bd -q60m
15977 ? Ss 0:00 0 678 6669 1800 0.0 /usr/sbin/exim -tls-on-connect -bd -oX 465
15982 ? S 0:00 0 829 2214 1584 0.0 antirelayd
16024 ? Ss 0:00 1 829 24742 19592 0.5 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=5
16046 ? Ss 0:07 2 533 13126 5752 0.1 /usr/local/apache/bin/httpd -DSSL
16057 ? Ss 0:00 0 36 2435 1040 0.0 crond
16073 ? S 0:03 4 829 28146 25804 0.7 spamd child
16074 ? S 0:00 14 829 25006 22188 0.6 spamd child
16075 ? S 0:54 120 533 16206 9392 0.2 /usr/local/apache/bin/httpd -DSSL
16076 ? S 0:57 154 533 16306 9500 0.2 /usr/local/apache/bin/httpd -DSSL
16077 ? S 0:54 159 533 16426 9628 0.2 /usr/local/apache/bin/httpd -DSSL
16078 ? S 1:00 143 533 16046 9224 0.2 /usr/local/apache/bin/httpd -DSSL
16079 ? S 0:54 191 533 16330 9508 0.2 /usr/local/apache/bin/httpd -DSSL
16131 ? S 0:00 0 829 6754 4892 0.1 eximstats
16160 ? S 0:55 89 533 16222 9424 0.2 /usr/local/apache/bin/httpd -DSSL
16167 ? S 0:00 1 829 6090 4940 0.1 cpbandwd
16168 ? SN 0:03 19 829 15762 13068 0.3 cpanellogd - sleeping for logs
16185 ? S 0:00 0 829 2950 2300 0.0 entropychat
16189 ? S 0:54 167 533 16114 9288 0.2 /usr/local/apache/bin/httpd -DSSL
16190 ? S 0:51 125 533 15974 9176 0.2 /usr/local/apache/bin/httpd -DSSL
16191 ? S 0:00 1 52 1623 552 0.0 /usr/local/cpanel/bin/startmelange
16208 ? Ss 0:00 1 61 9774 4560 0.1 /usr/bin/stunnel-4.15local /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
16213 ? S 0:53 110 533 16214 9404 0.2 /usr/local/apache/bin/httpd -DSSL
16214 ? S 0:51 133 533 16170 9356 0.2 /usr/local/apache/bin/httpd -DSSL
16217 ? Ss 0:00 0 828 8367 5604 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
16224 ? Ss 0:00 0 61 3982 1084 0.0 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1
16247 ? Ss 0:00 0 27 1452 492 0.0 /usr/sbin/portsentry -tcp
16255 ? S 0:00 0 828 8091 5344 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
16256 ? S 0:00 0 828 8115 5520 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
16257 ? S 0:00 0 828 8111 5164 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
16258 ? S 0:00 0 828 8075 5760 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
16259 ? S 0:00 0 828 8087 5356 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
16260 ? S 0:00 0 828 8111 4780 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
16261 ? S 0:00 0 828 8119 5072 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
16262 ? S 0:00 0 828 8119 4672 0.1 /usr/local/bin/python2.4 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
22479 ? S 0:00 0 2127 6332 6232 0.1 /etc/authlib/authProg
28484 ? S 0:00 0 2127 6332 6996 0.2 /etc/authlib/authProg
28488 ? S 0:00 0 2127 6332 6996 0.2 /etc/authlib/authProg
5372 ? S 0:00 0 2127 6332 6996 0.2 /etc/authlib/authProg
25825 ? S 0:02 0 3552 8707 10792 0.3 cpsrvd - waiting for connections
7655 ? S 0:00 0 2127 6332 6996 0.2 /etc/authlib/authProg
19601 ? S 0:07 5 533 15518 8700 0.2 /usr/local/apache/bin/httpd -DSSL
30024 ? Ss 0:00 3 106 5765 1812 0.0 pure-ftpd (SERVER)
30027 ? S 0:00 0 8 3559 928 0.0 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
3949 ? S 0:01 0 3552 9059 11152 0.3 whostmgrd - serving 127.0.0.1
3950 ? S 0:00 0 7839 15344 21744 0.6 /usr/local/cpanel/whostmgr/bin/whostmgr2 ./managepid
3951 ? Z 0:00 0 0 0 0 0.0 [ps] <defunct>
3952 ? S 0:01 2 166 1477 532 0.0 strace -p 16260
9881 ? S 0:00 1 533 15450 8612 0.2 /usr/local/apache/bin/httpd -DSSL
11712 ? S 0:00 1 533 15454 8620 0.2 /usr/local/apache/bin/httpd -DSSL
11749 ? S 0:00 2 533 15490 8656 0.2 /usr/local/apache/bin/httpd -DSSL
14310 ? Ss 0:00 0 296 6603 2184 0.0 sshd: surfingw [priv]
15455 ? S 0:00 0 296 6603 2248 0.0 sshd: surfingw@ttyp0
15457 ttyp0 Ss 0:00 0 573 1578 1276 0.0 -bash
20096 ? S 0:00 0 533 13258 5904 0.1 /usr/local/apache/bin/httpd -DSSL
20103 ? S 0:00 0 533 13258 5904 0.1 /usr/local/apache/bin/httpd -DSSL
20104 ? S 0:00 0 533 13270 5924 0.1 /usr/local/apache/bin/httpd -DSSL
20136 ttyp0 R+ 0:00 0 56 2207 680 0.0 ps axv


Mod_evasive And Black List

Jul 9, 2007

Sometimes I read in the logs:
server mod_evasive[24203]: Blacklisting address 84.255.151.xxx: possible attack.

Where can I find this blacklist and all the IPs listed?


Script For Querying Black Lists Databases

Jul 9, 2009

If anybody knows of a script that I could install on my server
and use to do a query in RBL databases, just like this page
[url]


Black Owned Dedicated Web Hosting Company

Oct 25, 2008

Just wanted to know if anyone knows of a black owned dedicated web hosting company?


What Desktop Motherboard Can Fit This SUPERMICRO CSE-503-200B Black 1U

May 28, 2008

[url]

I like that the I/O panel is in the front and not the back. It can be a pain in the butt to access the back I/O panel in the DC.

I'm pretty sure the default SuperMicro panel will have to be taken out, but is there any motherboard that can fit this case? Did anyone try this case? Can it be bolted down by its ears? It's interesting that I don't see the blower on this case. How do you cool it?


Incoming DOS Attack They Black Hole My IP And All Sites Are Down

Apr 4, 2007

I just got email from the company with which I co locate my servers (one of the resellers in MPT). The email said:

"We have detected a deny of service attack on one of your IP's
69.90.xxx.xxx. The attack was approximately 200Kpps and 120Mbps. The
IP has been null routed and will be in place for 24 hours."

Now all my sites hosted on that IP are down.

Is this the way the co location companies and their upstream providers deal with DOS attacks?

It's going to harm me a lot if I have to wait for 24 hours for the
services to work.


Black And Yellow Zone Alerts For NUMFILE On My Vps

Jan 31, 2007

Can anyone tell me if this is OK? For 3 or 4 days I was having Black and yellow zone alerts for NUMFILE on my VPS. The VPS has 256 RAM, 1024 burst, using CentOS, Virtuozzo and cPanel.

Can someone tell me what else to check?

Code:
root@ns1 [~]# cat /proc/user_beancounters
Version: 2.5
uid resource held maxheld barrier limit failcnt
399: kmemsize 8507424 8831248 59228160 60948480 0
lockedpages 0 0 1536 1536 0
privvmpages 90223 93110 262144 270008 0
shmpages 3279 3279 129024 129024 0
dummy 0 0 0 0 0
numproc 86 89 500 500 3736
physpages 47988 50219 0 2147483647 0
vmguarpages 0 0 65536 2147483647 0
oomguarpages 49398 51629 65536 2147483647 0
numtcpsock 47 51 1880 1880 0
numflock 12 13 1128 1236 0
numpty 1 1 64 64 0
numsiginfo 0 1 1536 1536 0
tcpsndbuf 436020 467324 10321920 16220160 0
tcprcvbuf 770048 802816 10321920 16220160 0
othersockbuf 34888 39360 6756480 12582912 0
dgramrcvbuf 0 0 1572864 1572864 0
numothersock 30 34 2160 2160 0
dcachesize 1012491 1047191 13639680 14499840 0
numfile 4370 4487 8192 8192 6491
dummy 0 0 0 0 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
numiptent 298 298 2000 2000 0
root@ns1 [~]#

Code:
root@ns1 [~]# ps -auxf
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1620 600 ? Ss 2006 0:22 init [3]
root 26544 0.0 0.0 1524 544 ? Ss 2006 0:18 syslogd -m 0
named 26570 0.0 0.0 46640 2976 ? Ssl 2006 1:14 /usr/sbin/named -u named
root 27659 0.0 0.0 1448 376 ? S 2006 0:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon
root 27667 0.0 0.0 1796 616 ? S 2006 0:00 \_ /usr/libexec/courier-authlib/authdaemond
root 27697 0.0 0.0 1796 368 ? S 2006 0:00 \_ /usr/libexec/courier-authlib/authdaemond
root 7289 0.0 0.1 9880 8584 ? S Jan21 0:06 | \_ /etc/authlib/authProg
root 27699 0.0 0.0 1796 368 ? S 2006 0:00 \_ /usr/libexec/courier-authlib/authdaemond
root 13800 0.0 0.0 9888 6156 ? S 2006 0:22 | \_ /etc/authlib/authProg
root 27700 0.0 0.0 1796 368 ? S 2006 0:00 \_ /usr/libexec/courier-authlib/authdaemond
root 5506 0.0 0.1 9880 8584 ? S Jan21 0:06 | \_ /etc/authlib/authProg
root 27701 0.0 0.0 1796 368 ? S 2006 0:00 \_ /usr/libexec/courier-authlib/authdaemond
root 7516 0.0 0.1 9880 8588 ? S Jan21 0:07 | \_ /etc/authlib/authProg
root 27702 0.0 0.0 1796 368 ? S 2006 0:00 \_ /usr/libexec/courier-authlib/authdaemond
root 31958 0.0 0.1 9880 8584 ? S Jan21 0:07 \_ /etc/authlib/authProg
root 30718 0.0 0.0 4008 1128 ? Ss 2006 0:02 /usr/sbin/sshd
root 29967 0.0 0.0 6900 2280 ? Ss 15:06 0:00 \_ sshd: root@pts/0
root 30115 0.0 0.0 2944 1280 ? Ss 15:06 0:00 \_ login -- root
root 30124 0.0 0.0 2280 1340 pts/0 Ss 15:06 0:00 \_ -bash
root 5923 0.0 0.0 2300 812 pts/0 R+ 15:20 0:00 \_ ps -auxf
root 31769 0.0 0.0 2072 788 ? Ss 2006 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 31780 0.0 0.0 2144 1124 ? S 2006 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/my
mysql 31808 0.0 0.3 112316 24712 ? Sl 2006 9:08 \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/li
root 31980 0.0 0.0 9752 8012 ? S 2006 1:05 chkservd
root 31995 0.0 0.0 1452 380 ? S 2006 0:01 /usr/sbin/courierlogger -pid=/var/run/imapd.pid -s
root 31996 0.0 0.0 1560 512 ? S 2006 0:02 \_ /usr/lib/courier-imap/libexec/couriertcpd -add
root 32018 0.0 0.0 1452 300 ? S 2006 0:00 /usr/sbin/courierlogger -pid=/var/run/imapd-ssl.pi
root 32019 0.0 0.0 1560 492 ? S 2006 0:00 \_ /usr/lib/courier-imap/libexec/couriertcpd -add
root 32027 0.0 0.0 1452 380 ? S 2006 0:02 /usr/sbin/courierlogger -pid=/var/run/pop3d.pid -s
root 32029 0.0 0.0 1560 512 ? S 2006 0:02 \_ /usr/lib/courier-imap/libexec/couriertcpd -add
root 32036 0.0 0.0 1452 300 ? S 2006 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d-ssl.pi
root 32037 0.0 0.0 1560 492 ? S 2006 0:00 \_ /usr/lib/courier-imap/libexec/couriertcpd -add
root 32263 0.0 0.0 2472 928 ? Ss 2006 0:05 crond
root 32288 0.0 0.0 3024 1160 ? S 15:20 0:00 \_ crond
root 32370 0.0 0.0 2096 1036 ? Ss 15:20 0:00 \_ /bin/sh /usr/local/sbin/bfd -q
root 32463 0.1 0.0 2100 1068 ? S 15:20 0:00 \_ /bin/sh /usr/local/sbin/bfd -s
root 5917 0.0 0.0 2100 468 ? R 15:20 0:00 \_ /bin/sh /usr/local/sbin/bfd -s
root 5918 0.0 0.0 2096 976 ? S 15:20 0:00 \_ /bin/sh /usr/local/bfd/tlog /v
root 5922 0.0 0.0 2096 564 ? R 15:20 0:00 | \_ /bin/sh /usr/local/bfd/tlo
root 5919 0.0 0.0 1572 472 ? S 15:20 0:00 \_ grep sshd
root 5920 0.0 0.0 1572 484 ? S 15:20 0:00 \_ grep -viw error: Bind
root 5921 0.0 0.0 1516 468 ? S 15:20 0:00 \_ sed s/::ffff://
root 5924 0.0 0.0 1572 420 ? R 15:20 0:00 \_ grep -vi invalid
root 1434 0.0 0.0 4044 804 ? Ss 2006 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shado
root 1444 0.0 0.0 4044 464 ? S 2006 0:00 \_ /usr/sbin/saslauthd -m /var/run/saslauthd -a s
root 1508 0.0 0.0 1480 392 ? Ss 2006 0:00 /usr/sbin/portsentry -tcp
root 32126 0.0 0.0 3828 1324 ? Ss 2006 0:00 pure-ftpd (SERVER)
root 32130 0.0 0.0 3568 928 ? S 2006 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr
root 3137 0.0 0.0 7008 5256 ? S 2006 0:35 cpbandwd
root 3279 0.0 0.1 10812 8312 ? SN 2006 7:40 cpanellogd - sleeping for logs
mailnull 3299 0.0 0.0 7712 5264 ? S 2006 0:34 eximstats
mailnull 32022 0.0 0.0 7348 1984 ? Ss Jan02 0:00 /usr/sbin/exim -bd -oX 26
mailnull 32030 0.0 0.0 7348 1996 ? Ss Jan02 0:20 /usr/sbin/exim -bd -q180m
mailnull 32046 0.0 0.0 7348 1964 ? Ss Jan02 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 32128 0.0 0.0 3044 1176 ? S Jan02 0:47 antirelayd
root 17635 0.0 0.2 25752 23600 ? Ss Jan02 0:32 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfil
root 22098 0.0 0.3 29440 27060 ? S 04:20 0:02 \_ spamd child
root 9762 0.1 0.3 30216 28136 ? S 11:16 0:19 \_ spamd child
postgres 1351 0.0 0.0 16732 2148 ? S Jan21 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 1354 0.0 0.0 7532 880 ? S Jan21 0:00 \_ postgres: stats buffer process
postgres 1355 0.0 0.0 6540 1024 ? S Jan21 0:00 | \_ postgres: stats collector process
postgres 29997 0.0 0.1 17544 11528 ? S 09:56 0:02 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 30561 0.0 0.1 18104 11852 ? S 09:56 0:02 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 31864 0.0 0.1 17592 11532 ? S 09:57 0:02 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 32183 0.0 0.1 17496 11288 ? S 09:57 0:01 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 32285 0.0 0.1 17580 11536 ? S 09:57 0:01 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 32299 0.0 0.1 18016 11708 ? S 09:57 0:03 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 3076 0.0 0.1 18080 11732 ? S 09:58 0:02 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 5427 0.0 0.1 17488 11280 ? S 09:59 0:02 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 26225 0.0 0.1 17544 11280 ? S 10:12 0:01 \_ postgres: wifidog wifidog 127.0.0.1 idle
postgres 27895 0.0 0.1 17544 11292 ? S 10:20 0:01 \_ postgres: wifidog wifidog 127.0.0.1 idle
root 28058 0.0 0.1 17508 9088 ? S Jan30 0:02 cpsrvd - waiting for connections
root 29793 0.0 0.1 19096 9928 ? Ss 09:56 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 29829 0.0 0.1 19408 9556 ? S 09:56 0:03 \_ /usr/local/apache/bin/httpd -DSSL
nobody 29830 0.0 0.1 19444 9560 ? S 09:56 0:02 \_ /usr/local/apache/bin/httpd -DSSL
nobody 29831 0.0 0.1 19448 9820 ? S 09:56 0:04 \_ /usr/local/apache/bin/httpd -DSSL
nobody 29832 0.0 0.1 20576 9708 ? S 09:56 0:04 \_ /usr/local/apache/bin/httpd -DSSL
nobody 29833 0.0 0.1 20572 9936 ? S 09:56 0:05 \_ /usr/local/apache/bin/httpd -DSSL
nobody 30225 0.0 0.1 19332 9472 ? S 09:56 0:03 \_ /usr/local/apache/bin/httpd -DSSL
nobody 31771 0.0 0.1 19452 9532 ? S 09:57 0:03 \_ /usr/local/apache/bin/httpd -DSSL
nobody 31872 0.0 0.1 20584 9724 ? S 09:57 0:03 \_ /usr/local/apache/bin/httpd -DSSL
nobody 22289 0.0 0.1 19456 9588 ? S 10:10 0:03 \_ /usr/local/apache/bin/httpd -DSSL
nobody 22324 0.0 0.1 19328 9464 ? S 10:10 0:03 \_ /usr/local/apache/bin/httpd -DSSL
root@ns1 [~]#


CBL Listed

Dec 1, 2007

4 times already this month we have been listed by CBL.

I can't for the life of me figure out why!

IP Address XX.XX.XX.XX was found in the CBL.

It was detected at 2007-11-30 16:00 GMT (+/- 30 minutes), approximately 17 hours, 30 minutes ago.

It has been relisted following a previous removal at 2007-11-25 23:59 GMT


I emailed them and it seems I get an autoresponse which makes no sense. They replied with the following:

The IP was detected most recently at:

2007:11:20 ~21:00 UTC+/- 15 minutes (approximately 18 hours ago)

sending email in such a way as to strongly indicate that the IP itself
was operating an open http or socks proxy, or a trojan spam package.

In short, this IP is impersonating being a machine we know it _cannot_
be. No properly configured mail server does this under any circumstances.

You will need to examine the machine for a spam trojan or open
proxy. Up-to-date anti-virus tools are essential.

If the IP is a NAT firewall, we strongly recommend configuring the
firewall to prevent machines on your network connecting to the Internet
on port 25, except for machines that are supposed to be mail servers.

Software notes: If you are running Email Architect, set the
"Masqueraded domain" in SMTP service to be the fully qualified
domain name for the machine.

If you are using an Internet Security Systems firewall (eg:
Proventia M10), please contact ISS and obtain new firmware.
They are aware of issues with the CBL. The firmware version
that fixes this bug is, we believe, "3.5" (at least for
the M10).

Useful links:

[url]
[url](see "Securing your System" and "proxies")
[url]

For more information on securing NAT firewalls/gateways, please
see [url]

This entry has already been delisted from the CBL. Unless otherwise
stated, the CBL will relist this IP if the underlying issues are not
resolved, and the CBL detects the same thing again.

Has anyone had this problem before? I've got myself delisted, but it's just a pain to keep waking up each morning to find this happening.

Is it possible that someone who is accessing their email through Outlook has a virus on their PC?


Where Are Nameservers Listed

Jul 25, 2008

Which file can I find my nameservers listed in?

Godaddy was disallowing me to edit nameservers, so cPanel prevented me from setting up ns1.domain.com and ns2.domain.com, this has meant now I have a major problem: A client paid me to develop his site and he has now gone on holiday, he wanted it finished today but I can't put it online because he set the nameservers to ns1.domain.com ns2.domain.com whereas I have had to set up the nameservers as one.domain.com and two.domain.com due to godaddy disallowing me to create ns1 and ns2.

Now my question is: Is it possible to edit a config file that can set up NS1 and NS2 to work along side ONE and TWO? I'm using cPanel and I have root access.


Repeated CBL Listed

Dec 7, 2007

They kindly provided me with timestamp as to when detection was happening and they sent me this description:

Timestamp: 2007-12-02 22:55:32
(I've attached the logs below for around a couple of minutes.) If anyone knows how to solve this, much appreciated... or if anyone knows what could be the issue!

In a nutshell, your IP is forging a well known domain as the EHLO/HELO - imagine connecting to, say aol.com and having your IP HELO as "apple.com". Understandably, when an IP connects to our servers and presents such an obvious forgery, we're going to consider it a virus emitter or otherwise compromised.

This is what you need to keep in mind when you're trying to resolve situations like this:

1) Our detections are based on port 25 SMTP connections your IP makes to one or more of our mail servers. The CBL listing _itself_ is the evidence/"proof"/log of the incident.

We generally do not keep samples of CBL detections, because the volumes are so horrendously high (presently more than 700,000 detections per day). They never provide any additional information, because the headers, if any, are all fake anyway.

In order to preserve the effectiveness of the CBL, information beyond what we've already given you will not be revealed. We can sometimes give additional information (eg: more precise timestamps) if and only if we know it's necessary to find/fix the problem.

2) The CBL detects suspicious SMTP activity, NOT spamming per-se. In other words, the CBL detects email being sent in such a way as to indicate that the sender is compromised in some fashion into sending viruses or spam.

As such, the CBL focuses on identifying how to prevent the behavior in future, instead of, for example, identifying spammers that need to be terminated.

Indeed, in the case of NAT firewalls, it is almost always impossible for us to precisely identify which machine behind your NAT is infected. Only your NAT logs (if you keep any and know what to look for) know which machine is infected.

In the case of NATs, our focus is on blocking the malicious traffic getting to the Internet. We can give tips/pointers on how you can identify specific infected machines behind a NAT, but our priority is to prevent _any_ infected machine behind your NAT spewing junk to the Internet, because we know that for every infected machine you fix, another one (or more) will eventually spring up in its place, and we (and we suspect you) don't like playing a never-ending game of whack-a-mole.

3) The viruses we detect carry their own SMTP clients with them, and do not attempt to relay through your mail servers. Hence, email transit filters (either inbound or outbound) on your mail servers can't help. Only AV scanning the infected machine does.

Similarly, the spamware (open proxy or spam trojan) we detect do not route through your mail servers either.

4) Most AV tools aren't very good at detecting/cleaning out established infections. Especially those resulting from day-zero attacks. Particularly since many of these infections open back doors, and the original infection vector downloads many pieces of software that _may_ not be in themselves malware, just used in a malicious fashion.

5) The headers don't help at all. Since the virus/spamware has its own client, and doesn't pass through your server[s], the only thing knowable about the virus/spamware is the peer (connection) address at the recipient's mail server - which is what we've listed - your NAT firewall if you have a NAT... Only your NAT firewall logs can tell you any different.

Short of AV scanning the infected machine, the only useable information about which machine is infected is in your NAT firewall logs - if you actually make any logs and keep them long enough.

For the most part, then, a CBL listing of an IP means that the IP needs to be fixed. If it's a NAT IP - port 25 blocking (and you can find/fix the infected machine[s] at your leisure), if it's not a NAT - virus/malware eradication.

6) Outbound port 25 connection blocking on NAT firewalls (permitting only your authorized mail servers) is the best solution for NATs.

7) If you have a NAT, once you've implemented port 25 blocking, you not only contain the viruses, your NAT firewall logs will immediately tell you who is infected or is compromised with a spam trojan or open proxy.

8) As far as we're aware, once port 25 blocking is instituted in a NAT, the only times people have continued to have trouble with CBL listings is when the blocking wasn't working for some reason. It would be a good idea to test whether the blocking is in fact working. We have suggested procedures for this if you want - ask us.

2007-12-02 22:55:05 [19907] list matching forced to fail: failed to find host name for 201.58.9.244
2007-12-02 22:55:05 [9913] SMTP connection from [81.129.182.181]:60329 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:06 [9913] SMTP connection from [85.177.218.230]:9468 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:06 [19907] H=(20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 F=<vash989@lfcc.edu> rejected RCP$
2007-12-02 22:55:06 [19907] SMTP connection from (20158009244.user.veloxzone.com.br) [201.58.9.244]:61429 I=[69.16.237.199]:25 closed by DROP$
2007-12-02 22:55:07 [19908] ident connection to 71.217.38.129 timed out
2007-12-02 22:55:07 [19909] ident connection to 81.129.182.181 timed out
2007-12-02 22:55:08 [9913] SMTP connection from [213.36.8.1]:3542 I=[69.16.237.199]:25 (TCP/IP connection count = 4)
2007-12-02 22:55:08 [19909] H=host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25 F=<markhuu.Fabris@$
2007-12-02 22:55:08 [19909] SMTP connection from host81-129-182-181.range81-129.btcentralplus.com [81.129.182.181]:60329 I=[69.16.237.199]:25$
2007-12-02 22:55:09 [19910] H=e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 F=<Vesterinenowao@jcel.com> rejected RCP$
2007-12-02 22:55:09 [19910] SMTP connection from e177218230.adsl.alicedsl.de [85.177.218.230]:9468 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19908] H=71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 F=<0agwampler@rapidreply.net> rejected $
2007-12-02 22:55:09 [19908] SMTP connection from 71-217-38-129.tukw.qwest.net [71.217.38.129]:63507 I=[69.16.237.199]:25 closed by DROP in ACL
2007-12-02 22:55:09 [19911] H=dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.237.199]:25 F=<Norbe$
2007-12-02 22:55:09 [19911] SMTP connection from dyn-213-36-8-1.ppp.tiscali.fr (dyn-213-36-8-129.ppp.tiscali.fr) [213.36.8.1]:3542 I=[69.16.2$
2007-12-02 22:55:13 [9913] SMTP connection from [201.212.156.23]:51905 I=[69.16.237.199]:25 (TCP/IP connection count = 1)
2007-12-02 22:55:13 [9913] SMTP connection from [200.122.38.174]:1152 I=[69.16.237.199]:25 (TCP/IP connection count = 2)
2007-12-02 22:55:14 [9913] SMTP connection from [201.233.222.43]:2980 I=[69.16.237.199]:25 (TCP/IP connection count = 3)
2007-12-02 22:55:16 [19915] ident connection to 201.233.222.43 timed out
2007-12-02 22:55:17 [19915] H=cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.199]:25 F=<Chasityse$
2007-12-02 22:55:17 [19915] SMTP connection from cable201-233-222-43.epm.net.co (castellanos.une.net.co) [201.233.222.43]:2980 I=[69.16.237.1$
2007-12-02 22:55:18 [19920] cwd=/home/annajwa/public_html/forum 2 args: /usr/sbin/sendmail bloochunc@bk.ru
2007-12-02 22:55:18 [19920] 1IyxiY-0005BI-5f <= annajwa@host.mpadc.com U=annajwa P=local S=747 T="Welcome to An- Najwa" from <annajwa@host.mp$
2007-12-02 22:55:18 [19921] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IyxiY-0005BI-5f


Keep Getting Listed At DSBL

Aug 27, 2007

I have a server that keeps getting listed by DSBL. It is RHEL 3 running Plesk and Qmail. In the MAIL config SMTP relay is set to "Authorization is Required" and the SMTP box is checked. I have a couple other very similar server setups and they have never been listed, so I don't know why this one is. I suspect it may be a bug.

As for the last listing (yesterday), here is the excerpt from the maillog showing the SMTP relay:

===================
Aug 26 13:36:48 slv3 qmail-queue[426]: scan: the message(drweb.tmp.0PW0bG) sent by nobody@cor.neva.ru to listme@listme.dsbl.org should be passed without checks, because contains uncheckable addresses
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: to=listme@listme.dsbl.org
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: recipient[3] = 'listme@listme.dsbl.org'
Aug 26 13:36:48 slv3 qmail-queue-handlers[428]: handlers dir = '/var/qmail//handlers/before-queue/recipient/listme@listme.dsbl.org'
Aug 26 13:36:48 slv3 qmail: 1188153408.989183 starting delivery 7244: msg 2327042 to remote listme@listme.dsbl.org
Aug 26 13:36:48 slv3 qmail-remote-handlers[430]: to=listme@listme.dsbl.org
===================

Why is my server relaying?


IP Addresses Listed On SORBS

Jul 7, 2007

I signed up with a new VPS provider and got three IPs and ordered additional IPs. It turns out all six IPs were listed by SORBS as spam sources.

So I contact the provider and they give me one clean IP but I have to keep the remaining 5 SORBS marked spam IPs that I am going to use for nameservers and "reseller" account with nameservers.

My question is . . . is being marked by SORBS going to have any negative effect on my VPS? A lot of places will mention this when looking up a domain like Domain Tools and DNS Stuff, so is this going to make my web sites come off as spammers?


Google UK: Getting .com Sites Listed? Better To Host In The UK?

Jun 8, 2007

I did a site for a UK company that has a .com address, and for various reasons the site is hosted in the US. Unfortunately the site doesn't appear under the google search for pages in the UK.

One reason I chose the US hosting company is that they provide ColdFusion hosting, and my plan is to upgrade the site to use ColdFusion in the near future.

They do also have the .co.uk address registered, which is currently set to forward to the .com address, and that doesn't show up in google at all.

I'm thinking the solutions might be:

1) Move the .com hosting to the UK
2) Get additional hosting for the .co.uk address (uk mirror)
3) Both?

The company is based in the UK, and provides holidays in Montenegro, primarily aiming at the UK market.

When I originally looked into it I could not find a UK host that provided ColdFusion and mySQL 5 - and those that had ColdFusion and other database applications were far more expensive than the US one we're using currently.

What would be the best way forward?


Is There Any Public Listed Web Hosting Companies

May 19, 2009

I would like to know if there are any.


Hotmail - Email Listed As SPAM

Jul 30, 2008

I just got a vps and I realised that all email sent to hotmail automatically goes into the spam box (until I approve an email address as being "safe").

I believe that hotmail's senderid and an spf record is the way to go.

I have already submitted the senderid form saying I don't have an spf record.
For the "domains to be added to the senderid program", I listed a couple of my domains.


1) Do I still need an spf record?

2) In the future, will I need to tell customers to use outgoing mailservers under one of the domains I submitted (in the senderid form)?


IP Addresses Listed On Spam Database

Jun 24, 2008

Is it normal for dedicated server providers to give out IPs that are listed on spam database?

I was under the impression that they would check first before assigning it to new clients.


Csf Firewall? Error: IP [ipaddress] Is Listed Twice In Ifconfig

Oct 27, 2006

I installed chirpy's csf / lfd firewall and when starting firewall I get this

Error: IP [ipaddress] is listed twice in ifconfig!, at line 657

How do I fix this?


My IP Is Listed At Block.blars.org // Spammers.v6net.org

Jul 26, 2007

My IP 69.65.102.49 seems to have been listed in this set of RBLs
(block.blars.org, spammers.v6net.org) any ideas on how to get off them?

I have been told that these blacklists are not mainstream however
it is really a mess that they are used by hotmail.com for instance...

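The lookup behind "is my IP listed?" questions like the ones above, as an added example that is not part of the original posts: a DNS blacklist is queried by reversing the IPv4 octets, appending the list's zone, and asking for an A record, where an answer in 127.0.0.0/8 means "listed". The IP and the two zone names come from the post; `dnsbl.example` is a hypothetical zone and the resolver answers are constructed so the script runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # range DNSBLs answer from

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name, or [] when the lookup returns nothing.
    The socket API cannot tell NXDOMAIN from a resolver failure, so an
    empty result here means "no answer", not proof of a clean IP."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_listing(ip, zones, resolve=system_resolver):
    """Map each zone to (status, answers)."""
    results = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
        if codes:
            results[zone] = ("listed", codes)
        elif answers:
            # Non-loopback answer: wildcarded/parked zone or rewriting resolver.
            results[zone] = ("invalid-answer", answers)
        else:
            results[zone] = ("not-listed", [])
    return results

# Constructed answers so the example runs offline; not real lookup results.
SAMPLE_ANSWERS = {
    "49.102.65.69.block.blars.org": ["127.0.0.2"],
    "49.102.65.69.dnsbl.example": ["203.0.113.10"],
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    zones = ["block.blars.org", "spammers.v6net.org", "dnsbl.example"]
    for zone, (status, answers) in check_listing(
            "69.65.102.49", zones, resolve=sample_resolver).items():
        print(f"{zone:22} {status:15} {', '.join(answers)}")
```

Calling `check_listing` without the `resolve` argument uses the system resolver instead of the constructed answers.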

Plesk 12.x / Windows :: Drop Unused Listed Databases

Feb 24, 2015

Plesk12 has been installed on Windows2012R2. In the Tools and Settings/Database Servers list we have

· Local MySQL server (default for MySQL)
· .MSSQLSERVER2012
· sql-db-1 (default for MS SQL)

We only expect to use the remote sql-db-1 database for user databases.

Can we delete the other 2 databases and is this recommended? Does the Local MySQL server contain the Plesk Management database/schema?


Plesk 11.x / Linux :: Report / List / Statistics Of Top Domains Continuously Gray-listed?

Oct 15, 2014

I'm looking for a way to get a report of the top domains that are continuously greylisted so I can determine which ones need to be put on the "domains- whitelist" because they use different IPs when resending, causing very long delays (hours/days/never) for each message sent. We're using Plesk11 on CentOS 6.4 with Postfix and the Plesk built-in Greylisting option enabled.

# /usr/local/psa/bin/grey_listing --info-server
Grey listing configuration.

Grey listing checking enabled
Grey interval 5 minutes
Expire interval 51840 minutes
Penalty interval 2 minutes
Penalty disabled
Personal grey listing
configuration allowed

[code]....

Black domains patterns list:

SUCCESS: Gathering of server wide information complete.








Copyrights 2005-15 www.BigResource.com, All rights reserved