Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Tricks to keep spammers off your network

[Testtube302]

What type of tricks do you guys use to keep spammers off your servers/network

Especially servers that you are leasing to other customers where you don't necessarily have access to the server

[StealthyHosting]

Fraud protection and red flags on bulk IP orders will drastically cut down spammers.

[Testtube302]

I recently had several orders make it through fraud checks And they were US based customers.

Is there any technology available that will help indicate that there might be a problem before the abuse complaints start rolling in from your upstream providers?

[net]

Moved > Hosting Security and Technology.

[StealthyHosting]

Register your IP blocks with spamcop so that you get reports also and not just your upstream. Did these customers that passed your fraud check order only order the 5 IPs you offer per server or did they order /27 IP block? Did you ask for IP justification? Did the justification make sense or did they try to justify with a bunch of SSL's on a bunch of .info domains?

[enigma-1]

From what I faced each server has its own challenges. For example with the mail server I had to setup postfix to reject mail (not bounce) when the recipient is wrong. Looking at the maillog I see lots of attempts to bounce email via invalid email accounts relying on backscatter something that previously was neglected. The result is these emails stay on the machine that sends the spam so there is a better chance the admin realizes faster his system is compromised.

Another area, outbound requests from servers. It's easy enough to detect some types of attacks like LFIs or RFIs with webservers and these can easily be used to identify the compromised systems and fix the problems. I find the server logs vital to isolate and rectify issues quickly.

[davet]

We have strict fraud protection rules in place using MaxMind.

As for accounts that are activated on our servers we use CSF. There's a setting in the CSF config tha emails an alert anytime there is a large mailing sent from the server.

====================
# This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
# appear with the same cwd= path in them within an hour. This can be useful in
# identifying spamming scripts on a server, especially PHP scripts running
# under the nobody account. The email that is sent includes the exim log lines
# and also attempts to find scripts that send email in the path that may be the
# culprit
LF_SCRIPT_ALERT = Default: 1 [0-1]

# The limit afterwhich the email alert for email scripts is sent. Care should
# be taken with this value if you allow clients to use web scripts to maintain
# pseudo-mailing lists which have large recipients
LF_SCRIPT_LIMIT = Default: 100 [0-5000]
====================

[BlazingSwitch]

We used to have a lot of issues in the past. We have to take some drastic steps to prevent it because it impacts other clients. What we ended up doing was as follows. This may not be the solution for everyone, but for us it cleaned up the network and fast!

1. You make sure your AUP clearly details what you do, and do not allow.
2. We have developed a network monitor to check for outgoing mail. There are freebies out there as well.
3. We have developed a IP reputation monitor that kicks out a report twice daily.
4. MaxMind fraud checks for ALL new orders. If you do not pass it, no service.

It will let you know if any of your IP space (whether you own it, or getting from elsewhere and have it swipped) is racking up black listings. This is one of the easiest ways for us to nail em within 12-24 hours, and have proof to prevent chargeback/dispute issues.

You have to be mindful of both the abuse (catch quickly), and processing, issues (PP/MA).

/2cts