  1. #1

    Someone has to know how to keep my server from re-appearing on a blacklist

    I can only assume that I have a virus or adware on my server, but AcuNett says that there is nothing. I double-checked all of my email-sending PHP scripts and all of them are secure and not sending any spam. However, in my mail queue in WHM I see spam emails, and my server's IP keeps getting relisted on the blacklist located at:

    http://www.kloth.net/services/dnsbl.php

    AM I THE ONLY PERSON IN THE WORLD WITH THIS PROBLEM? This is getting frustrating; I have probably spent over 200 hours trying to get this resolved, but it seems like no one knows what to do. This is hurting my business, since I have tons of emails stacked in my queue and being blocked by email providers due to that blacklist. I remove my server's IP successfully and the next day it is blacklisted again. If anything, how can I check my Linux server for viruses?

  2. #2
    Join Date
    Dec 2001
    Location
    Franklin, TN, USA
    Posts
    1,322
    Can you email me the ticket ID ([email protected])? If it is constantly being listed by multiple spam lists, it is clearly obvious there is a spamming issue going on. If this is the ticket I believe it is concerning, the question raised was why the server was originally in spam lists when it was deployed to you.

    If none of your scripts are compromised, then the culprit is most likely a compromised mail user. Check the headers for an auth_id; that should tell you who the sender is.

    Ronny
    Linux Problems Solved. | Built for the Hosting Industry
    Server Management. Node Management. Helpdesk Management.
    ( AcuNett, Est. 15 Years, RateLobby 5 Stars )

  3. #3
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    How to get server to stop appearing on blacklist?
    Stop spamming

    Find competent administrators who are experienced in dealing with outgoing spam, have them go over your server and update things.

    Use mail header patches for PHP which will identify the spamming script (if it's sent by PHP).

    Secure your server.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  4. #4
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    There might be some PHP scripts that are being used for spamming on any one of the user accounts. Try enabling extended logging in Exim and see if you can find any. Certain blog software has 777 permissions on its folders, and someone from outside can use this vulnerability to upload scripts to these folders for mailing purposes. Check the user folders for 777 permissions and suspicious files. Also check the /tmp partition.

    http://www.webhostgear.com/118.html

    To find directories with 777 permissions:

    find /home/username -type d -perm 777
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android
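The check above only matches a mode of exactly 777 and stops at the directory listing. As an added example (not code from the thread or from CliffSupport), the script below widens it to any world-writable directory, lists script files sitting directly inside those directories, and lists scripts modified in the last N days so the dates can be lined up against the relistings. The tree it scans is a constructed sample built in a temporary directory; on a real cPanel box the functions would be pointed at /home/<user> and /tmp (assumed paths).

```shell
#!/bin/sh
# Added example, not from the thread: audit an account tree for the conditions
# post #4 describes (world-writable directories, scripts dropped into them, and
# recently changed scripts). The tree built below is a constructed sample; on a
# real cPanel box you would point these at /home/<user> and /tmp.
set -u

# Directories anyone on the box can write into. -perm -o+w matches 777 and
# also 757, 1777 etc.; the thread's "-perm 777" only matches exactly 777.
world_writable_dirs() {
    find "$1" -type d -perm -o+w | sort
}

# Script files sitting directly inside a world-writable directory: an upload
# or cache folder that the web server also executes is where mailer scripts
# tend to be dropped.
scripts_in_world_writable_dirs() {
    find "$1" -type d -perm -o+w -exec find {} -maxdepth 1 -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.pl' \) \; | sort -u
}

# Script files modified in the last N days anywhere under the tree, to line
# up against the dates the IP was (re)listed.
recently_changed_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.pl' \) \
        -mtime "-$2" | sort
}

# Constructed sample tree
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/public_html/wp-content/uploads" "$SAMPLE/public_html/cache" "$SAMPLE/tmp"
chmod 755 "$SAMPLE/public_html" "$SAMPLE/public_html/wp-content" "$SAMPLE/public_html/cache"
chmod 777 "$SAMPLE/public_html/wp-content/uploads"   # the blog-software case from post #4
chmod 1777 "$SAMPLE/tmp"                             # sticky world-writable, like /tmp
printf '<?php /* legitimate site file */\n' > "$SAMPLE/public_html/index.php"
printf '<?php /* constructed stand-in for a dropped script */\n' > "$SAMPLE/public_html/wp-content/uploads/img.php"
printf '# constructed stand-in for a hidden script in /tmp\n' > "$SAMPLE/tmp/.x.pl"

echo "== world-writable directories under public_html"; world_writable_dirs "$SAMPLE/public_html"
echo "== scripts inside them";                           scripts_in_world_writable_dirs "$SAMPLE/public_html"
echo "== scripts in tmp";                                scripts_in_world_writable_dirs "$SAMPLE/tmp"
echo "== scripts changed in the last day";               recently_changed_scripts "$SAMPLE" 1
```

A hit from the second function is the one to look at first: a .php or .pl file in an uploads, cache or /tmp directory has no business being there, and its mtime tells you roughly when the account was compromised.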

  5. #5
    Yeah, the spamming ones have no auth_id or anything assigned. Here are the headers from the spamming emails (my site name replaced with mysite in this topic):

    1JxYwi-0007KL-Vp-H
    mailnull 47 12
    <>
    1211078904 0
    -ident mailnull
    -received_protocol local
    -body_linecount 470
    -max_received_linelength 160
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    [email protected]

    161P Received: from mailnull by server.mysite.com with local (Exim 4.68)
    id 1JxYwi-0007KL-Vp
    for [email protected]; Sat, 17 May 2008 21:48:24 -0500
    046 X-Failed-Recipients: [email protected]
    029 Auto-Submitted: auto-replied
    063F From: Mail Delivery System <[email protected]>
    036T To: [email protected]
    059 Subject: Mail delivery failed: returning message to sender
    052I Message-Id: <[email protected]>
    038 Date: Sat, 17 May 2008 21:48:24 -0500


    1JxYwi-0007KL-Vp-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    [email protected]
    (generated from [email protected])
    retry timeout exceeded

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <[email protected]>
    Received: from [208.118.64.29] (helo=SANDRAPRINT.COM)
    by server.mysite.com with esmtp (Exim 4.68)
    (envelope-from <[email protected]>)
    id 1JxYwg-0007KH-HQ
    for [email protected]; Sat, 17 May 2008 21:48:22 -0500
    Received: by SANDRAPRINT.COM id h5uceu0cd90u for <[email protected]>; Sat, 17 May 2008 22:48:09 -0400 (envelope-from <[email protected]>)
    Received: by reducing.SANDRASTRUCT.COM id id2igcp42bta; Sat, 17 May 2008 22:48:09 -0400 (envelope-from [email protected])
    From: "Activation Department" <[email protected]>
    To: <[email protected]>
    Subject: Your line of credit has been approved
    Date: Sat, 17 May 2008 22:48:09 -0400
    MIME-Version: 1.0
    Content-Type: text/html;
    Thread-Index: pvv5zhymfc7e25mhe5tpv38faas5pqgo77e6bkfbmlhbn
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    Message-Id: <[email protected]>
    Status:
    X-cPanel-MailScanner-Information: Please contact the ISP for more information
    X-cPanel-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
    X-cPanel-MailScanner-SpamCheck:
    X-cPanel-MailScanner-From: [email protected]
    X-Spam-Status: No
    SANDRASTRUCT.COM is spamming my server somehow. Also, all of the spam domains are always in ALL CAPS text. So far the spammers in my mail queue are:

    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

    I do not know how to stop them can you advise?

  6. #6
    Join Date
    Jun 2003
    Posts
    364
    Hi,

    The example you provided appears to be incoming spam and will not get you on a blacklist. This is a separate issue from the original problem you mentioned.

    I would suggest that you either follow some tutorials/guides on locking down Exim and/or hire a systems administrator to do it for you.
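Posts #2, #5 and #6 together describe the triage that matters here: an Exim spool header (-H) file records how a message entered the queue, and the lines `-auth_id`, `-received_protocol` and the envelope sender separate an authenticated send from a compromised mailbox, a local submission by a script, a bounce the server generated itself (the `<>` sender and `mailnull` ident in the pasted file), and unauthenticated remote mail. The script below, an added example that is not from the thread or from any of the posters, classifies each -H file on those fields and tallies a whole queue. The -H layout is Exim's own; the three sample files are constructed, and the live queue path /var/spool/exim/input on cPanel is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: triage Exim spool header (-H) files by how
# each message entered the queue. The -H layout (message id, "user uid gid",
# envelope sender, then "-option" lines such as -ident, -received_protocol and
# -auth_id) is Exim's own; the three sample files below are constructed.
set -u

# Print one line for a spool -H file:
#   <message-id> sender=<addr> ident=<user> proto=<protocol> auth_id=<id|-> verdict=<...>
classify_spool_header() {
    hdr="$1"
    msgid=$(sed -n '1p' "$hdr" | sed 's/-H$//')
    sender=$(sed -n '3p' "$hdr")
    ident=$(awk '$1 == "-ident" { print $2; exit }' "$hdr")
    proto=$(awk '$1 == "-received_protocol" { print $2; exit }' "$hdr")
    auth=$(awk '$1 == "-auth_id" { print $2; exit }' "$hdr")
    if [ -n "$auth" ]; then
        # SMTP AUTH succeeded for this mailbox: a leaked or weak password is the usual cause
        verdict="authenticated-user:$auth"
    elif [ "$sender" = "<>" ]; then
        # Empty envelope sender: a bounce this server generated, not an outbound send
        verdict="bounce-generated-locally"
    elif [ "$proto" = "local" ]; then
        # Piped in via the sendmail binary (cron, PHP mail()): the ident is the unix user
        verdict="local-submission-by-uid:${ident:-unknown}"
    else
        verdict="remote-unauthenticated"
    fi
    printf '%s sender=%s ident=%s proto=%s auth_id=%s verdict=%s\n' \
        "$msgid" "$sender" "${ident:--}" "${proto:--}" "${auth:--}" "$verdict"
}

# Tally verdicts across every -H file in a directory. On a cPanel box the live
# queue is /var/spool/exim/input (assumed path; run as root, read-only).
summarize_queue() {
    for f in "$1"/*-H; do classify_spool_header "$f"; done \
        | sed 's/.*verdict=//' | sort | uniq -c | sort -rn
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: the pattern from the thread's pasted spool file,
# a bounce with an empty sender, ident mailnull and no auth_id.
cat > "$SAMPLE_DIR/1JxYwi-0007KL-Vp-H" <<'EOF'
1JxYwi-0007KL-Vp-H
mailnull 47 12
<>
1211078904 0
-ident mailnull
-received_protocol local
-body_linecount 470
-localerror
XX
1
someone@example.com

EOF

# Constructed sample 2: submitted over SMTP with a successful AUTH as "webuser".
cat > "$SAMPLE_DIR/1Kaaaa-000001-AA-H" <<'EOF'
1Kaaaa-000001-AA-H
mailnull 47 12
<sender@example.net>
1211078999 0
-ident mailnull
-received_protocol esmtpa
-auth_id webuser
-auth_sender webuser@mysite.com
XX
1
recipient@example.org

EOF

# Constructed sample 3: piped in locally by the web server user (e.g. PHP mail()).
cat > "$SAMPLE_DIR/1Kbbbb-000002-BB-H" <<'EOF'
1Kbbbb-000002-BB-H
nobody 99 99
<nobody@server.mysite.com>
1211079050 0
-ident nobody
-received_protocol local
XX
1
recipient@example.org

EOF

for f in "$SAMPLE_DIR"/*-H; do classify_spool_header "$f"; done
summarize_queue "$SAMPLE_DIR"
```

Read the tally top-down: a large `authenticated-user:` bucket points at one mailbox whose password needs changing, a large `local-submission-by-uid:` bucket points at a script running as that account (which is where the PHP header patches from post #3 pick up the exact file), and a queue full of `bounce-generated-locally` entries is backscatter from incoming spam, which is the situation post #6 identifies and does not by itself explain an outbound listing.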

  7. #7
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    Quote Originally Posted by AcuNett View Post
    Can you email me the ticket ID ([email protected])? If it is constantly being listed by multiple spam lists, it is clearly obvious there is a spamming issue going on. If this is the ticket I believe it is concerning, the question raised was why the server was originally in spam lists when it was deployed to you.

    If none of your scripts are compromised, then the culprit is most likely a compromised mail user. Check the headers for an auth_id that should tell you who the sender is.

    Ronny
    I'm surprised you guys aren't subscribed to receive spam reports from all the major anti-spam groups for every machine on your netblock.


    If you have spam coming out of your server, and you don't know how to make it stop, then you should immediately hire a server administrator. You've done enough damage to the internet by helping propagate spam throughout it. Asking for free help is just selfish.
