Web Hosting Talk : Web Hosting Main Forums : VPS Hosting : vps help

[shakybaky]

hi im new to vps and ive only had this one a few months. Everything is going good with m hosting. my problem is that today i noticed i had bounced emails in my in box. I then noticed my domain name is blacklisted. i am the only person who uses this domain. there isnt even a index page on the domain. Now it got blacklisted in the last day or two. how can i save this from happening to my other emails. why did this happen. I run spamassasin and never had any problems.
now my server says it sends no emails but i am getting bounced emails and blacklisting.

[ctaborda]

Make sure your server is not open to mail-relay.

[iHubNet-Matt]

Search your mail server IP if it is listed in spam database. Check the mail logs and see if there is any unwanted mails routing. Block all suspicious IPs on server.

[Cirtex]

Quote:

Originally Posted by ctaborda

Make sure your server is not open to mail-relay.

Quote:

Originally Posted by iHubNet-Matt

Search your mail server IP if it is listed in spam database. Check the mail logs and see if there is any unwanted mails routing. Block all suspicious IPs on server.

Both are good points, but also be sure to test with new ip address, try to get new ip assigned and see if it's still problem.

Cheers

[The Universes]

You might also want to put up a SPF record so others can't spoof your domain in emails as easily.

[shakybaky]

okay i can see in whm that someone has sent out alot of email through the server. i just did a spf record too.
but i think its a deeper issue.
my shell quit working three days ago, now my ip is listed in some blacklist sites.

how do i make sure it is not open to relay, i am the only user of this server. and the domain name that it is coming from is actually my domain name i use only for emailing.

linux,WHM /CPanel

[The Universes]

Try a open relay test like this one:
http://www.abuse.net/relay.html

or google for many others

[shakybaky]

<<< 220-server.ski.org ESMTP Exim 4.68 #1 Thu, 12 Jun 2008 14:02:30 -0400
<<< 220-We do not authorize the use of this system to transport unsolicited,
<<< 220 and/or bulk e-mail.
>>> HELO www.abuse.net
<<< 250 server.ski.org Hello www.abuse.net [208.31.42.77]
Relay test 1
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 OK
>>> RCPT TO:<securitytest@abuse.net>
<<< 550-Verification failed for <spamtest@abuse.net>
<<< 550-Called: 208.31.42.109
<<< 550-Sent: RCPT TO:<spamtest@abuse.net>
<<< 550-Response: 553 Not our message (5.7.1)
<<< 550 Sender verify failed
Relay test 2
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest>
<<< 501 <spamtest>: sender address must contain a domain
Relay test 3
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<>
<<< 250 OK
>>> RCPT TO:<securitytest@abuse.net>
<<< 550-www.abuse.net [208.31.42.77] is currently not permitted to relay through
<<< 550-this server. Perhaps you have not logged into the pop/imap server in the
<<< 550-last 30 minutes or do not have SMTP Authentication turned on in your email
<<< 550 client.
Relay test 4
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@ski.com>
<<< 250 OK
>>> RCPT TO:<securitytest@abuse.net>
<<< 550-www.abuse.net [208.31.42.77] is currently not permitted to relay through
<<< 550-this server. Perhaps you have not logged into the pop/imap server in the
<<< 550-last 30 minutes or do not have SMTP Authentication turned on in your email
<<< 550 client.
Relay test 5
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@[66.197.153.186]>
<<< 501 <spamtest@[66.197.153.186]>: domain literals not allowed
Relay test 6
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@kanafoski.com>
<<< 250 OK
>>> RCPT TO:<securitytest%abuse.net@ski.com>
<<< 250 Accepted
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.


so it says there open how do i stop it.

[shakybaky]

i suspended the account which is sending out the email, to stop any from going out. i noticed since i started this thread 9 emails have went out. so i disabled the cpanel account they are supposeable coming from

[shakybaky]

i ran chkrootkit

Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... find: WARNING: Hard link count is wrong for /proc/sys/net: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
not tested: can't exec
Checking `rexedcs'... not found