gerr64

ISP blocked


I thought I would post here before looking for another host. I signed up with a small host over a year ago and didn't have spam block problems until the last month or so.

Now the ISP is listed on SpamCop, Spamhaus and probably others.

-edit- it was previously blacklisted on spamhaus several weeks ago, but not currently apparently -

More and more of my email either bounces back as undeliverable, or doesn't go through at all.

The host owner claims someone is using PHP and makes it extremely hard to find out who is abusing the system.

I'm not sure what that statement means. Does that mean someone is spamming by using formmail, or could it be another tactic with php?

Edited by gerr64


I am technically non-fluent so I don't know how to answer you about what it is. However, if your host is listed in spamhaus, then either they are incompetent or are happy to get the spammers' money.

There are people who will recommend competent, honest webhosts as well as explain what the problems might be.

Good Luck on finding a safe home!

Miss Betsy


SpamCop only lists while the spam is active and a couple of days after it subsides. Spamhaus is another problem though. If your IP is in Spamhaus it is time to pack your bags and leave.

Good Luck.

What is the IP?

Many will post their findings here for you.

69.72.225.234 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 69.72.225.234 has no reverse dns

Listing History

In the past 5.0 days, it has been listed 3 times for a total of 4.8 days

Other hosts in this "neighborhood" with spam reports

69.72.225.50 69.72.226.42 69.72.226.90

Sounds like you might have a serious problem. Others may be able to expand on this!


A lookup shows

69.72.225.234 is not listed in the SBL

Good start B)

Let's check some more:

http://www.moensted.dk/spam/?addr=69.72.22...4&Submit=Submit

Looks like it's only Spamcop.

Now we will check more:

(69.72.225.234) Web server hosts 561 websites

SMTP - 25 220-server1.ripplehost.com ESMTP Exim 4.42 #1 Thu, 09 Sep 2004 11:51:37 -0400

220-We do not authorize the use of this system to transport unsolicited,

220 and/or bulk e-mail.

421 server1.ripplehost.com lost input connection

POP3 - 110 +OK POP3 server1 [cppop 17.1] at [69.72.225.234]

69.72.225.234 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 69.72.225.234 has no reverse dns

Listing History

In the past 5.0 days, it has been listed 3 times for a total of 4.8 days

If it is an invalid formmail script, Pegasus Web Technologies has the ability to find the bad script.

It could also be they are hosting some spammers and do not care about removing them.

Let's check sightings:

http://groups.google.com/groups?q=PWEBTECH...&sa=G&scoring=d

Well, it doesn't look that good but there should be some good info above to help you decide and others will probably post more.

Good Luck.

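The lookups above are something a host admin can script for themselves. The following is an added example (not code from the forum, SpamCop or the host) that builds the bl.spamcop.net query name for an address, reads the 127.0.0.2 answer code the thread's lookup returned, and checks for the missing reverse DNS SpamCop flagged; the stand-in resolver is constructed so the check runs offline, and the live resolvers use only the standard library.

```python
import ipaddress
import socket

# Return codes a DNSBL hands back as A records; 127.0.0.2 is the code the
# SpamCop lookup quoted in this thread reported for the host.
SPAMCOP_CODES = {"127.0.0.2": "listed in bl.spamcop.net"}

def dnsbl_name(ip, zone):
    """Build the query name a DNSBL expects: reversed octets under its zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_listing(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] when it does not exist."""
    return [(a, SPAMCOP_CODES.get(a, "listed, undocumented code"))
            for a in resolve(dnsbl_name(ip, zone))]

def has_reverse_dns(ip, lookup_ptr):
    """lookup_ptr(ip) returns the PTR hostname, or None when there is none."""
    return lookup_ptr(str(ipaddress.IPv4Address(ip))) is not None

# Live resolvers built on the standard library (need network access).
def live_resolve(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Constructed stand-ins reproducing the answers quoted in the thread, so the
# check runs offline: listed at SpamCop, and no reverse DNS for the address.
FAKE_ZONE = {"234.225.72.69.bl.spamcop.net": ["127.0.0.2"]}

def fake_resolve(name):
    return FAKE_ZONE.get(name, [])

def fake_ptr(ip):
    return None

if __name__ == "__main__":
    print(check_listing("69.72.225.234", "bl.spamcop.net", fake_resolve))
    print("reverse DNS present:", has_reverse_dns("69.72.225.234", fake_ptr))
```

Swap `fake_resolve`/`fake_ptr` for `live_resolve`/`live_ptr` to run the same check against the real list and the real PTR record.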

As you have probably seen, the listing was due to spamtraps and spam samples.

Some of the spam samples have been sent to:

Reporting addresses:

abuse[at]nac.net

abuse[at]pwebtech.com

Some have been by mole reporters as well with no reports going to the ISP.

If you want more information, see the FAQ

220-server1.ripplehost.com ESMTP Exim 4.42 #1 Thu, 09 Sep 2004 11:57:44 -0400

220-We do not authorize the use of this system to transport unsolicited,

220 and/or bulk e-mail.

Connecting to the server shows SMTP/AUTH is enabled, so the possibility of that hack is alive. Perhaps the host owner should contact deputies<at>spamcop.net to get some more information about those spamtrap hits as well.

Edited by StevenUnderwood


Thanks.

I haven't a clue what all this means, but I will post this thread on the ripplehost.com forum and see what happens. Apparently the owner there is either unable or unwilling to solve this.


Wow.

Yep, that is my server all right: server1.ripplehost.com

What is the most common way that they exploit the server?

Is it by formmail (does that use PHP?) or is it some other way?

Edited by gerr64

> Thanks.
>
> I haven't a clue what all this means, but I will post this thread on the ripplehost.com forum and see what happens. Apparently the owner there is either unable or unwilling to solve this.

Who is ripplehost.com?

They do not exist:

Query : www.ripplehost.com

gethostbyname: www.ripplehost.com failed....

Query : ripplehost.com

gethostbyname: ripplehost.com failed....

There is an owner in Great Britain though.

Now I am interested.............

The plot thickens :-)


Just to add more fun for the admin, I can not seem to pull any DNS information for that host name or rDNS for the IP in question. SamSpade is showing me the same stuff.

The only server on the internet that knows anything about this host is the DNS server from the [ whois.directnic.com ] named DNS servers:

NS1.SERVERINNAC.COM

NS2.SERVERINNAC.COM

Something is not correct in this configuration.

[Edit] Merlyn, I just noticed your post on this same subject.

Edited by StevenUnderwood

> Their website exists at
>
> www.ripplehost.com

Except that right now at least, none of the internet knows that host or domain. You are probably using their DNS servers, so everything looks OK to you.

Edited by StevenUnderwood


Merlyn:

Using the DNS server provided by a samspade whois lookup, the www.ripplehost.com DNS information does exist, it just is not being transmitted to the rest of the internet.

P.S. I think I found the problem...

Welcome to the Ripple Host -$9.99/year hosting.
;)

> server ns1.serverinnac.com
Default Server: ns1.serverinnac.com
Address: 207.99.111.68

> set type=any
> ripplehost.com
Server: ns1.serverinnac.com
Address: 207.99.111.68

ripplehost.com MX preference = 0, mail exchanger = ripplehost.com
ripplehost.com
        primary name server = ns1.serverinnac.com
        responsible mail addr = root.server1.serverinnac.com
        serial = 2004033105
        refresh = 14400 (4 hours)
        retry = 7200 (2 hours)
        expire = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)
ripplehost.com nameserver = ns1.serverinnac.com
ripplehost.com nameserver = ns2.serverinnac.com
ripplehost.com internet address = 207.99.111.68
ripplehost.com internet address = 207.99.111.68
ns1.serverinnac.com internet address = 207.99.111.68
ns2.serverinnac.com internet address = 207.99.111.69

> www.ripplehost.com
Server: ns1.serverinnac.com
Address: 207.99.111.68

www.ripplehost.com canonical name = ripplehost.com
ripplehost.com nameserver = ns1.serverinnac.com
ripplehost.com nameserver = ns2.serverinnac.com
ns1.serverinnac.com internet address = 207.99.111.68
ns2.serverinnac.com internet address = 207.99.111.69

Edited by StevenUnderwood

> Welcome to the Ripple Host -$9.99/year hosting.

The phrase "you get what you pay for" comes to mind....

DT


I know, I know.

I'll probably end up getting a host that is more responsive (expensive), but honestly, I've had fairly good uninterrupted service for over a year.

I just thought I would post here to try to understand the problem. Can someone explain how you think the host is exploited?


I wonder if they ever fixed or addressed their serious problem; this seems to go back a while:

Please delete your spammers account and charge appropriate cleanup fees.

pwebtech.com: the message came from you or your customer

above.net: you are hosting the spammers email dropbox cheung77pui[at]internav.com

ommtouch.com: you are hosting the spammers email dropbox cheung99pui[at]mail2hongkong.com

/snip

From nobody[at]server1.ripplehost.com  Sat Sep  4 03:57:38 2004
Return-Path: <nobody[at]server1.ripplehost.com>
Received: from server1.ripplehost.com ([69.72.225.234])
        by renig.nat.blars.org (8.12.3/8.12.3/Debian-6.6) with ESMTP id i84Avbec028182
        for <spamtrap[at]blars.org>; Sat, 4 Sep 2004 03:57:38 -0700
Received: from nobody by server1.ripplehost.com with local (Exim 4.42)
        id 1C3Y7t-0004k2-UZ; Sat, 04 Sep 2004 06:50:34 -0400
To:
Subject: REQUEST FOR ASSISTANCE
From: c_pui <cheung07[at]primposta.com>
X-Priority: 3 (Normal)
CC:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: RLSP Mailer
Message-Id: <E1C3Y7t-0004k2-UZ[at]server1.ripplehost.com>
Date: Sat, 04 Sep 2004 06:50:33 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server1.ripplehost.com
X-AntiAbuse: Original Domain - blars.org
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server1.ripplehost.com
X-Source:
X-Source-Args:
X-Source-Dir:

REQUEST FOR ASSISTANCE
FROM:MR. CHEUNG PUI

/snip

Let me start by introducing myself. I am Mr. Cheung Pui
director of operations of the Hang Seng Bank Ltd,Sai Wan Ho Branch.
I have a obscured business suggestion for you.

Edited by dra007

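The headers in dra007's sample bear on gerr64's question and on StevenUnderwood's SMTP/AUTH point: Exim's innermost Received line says the message was injected locally by the user nobody, and the X-AntiAbuse line gives UID 99, the account the web server runs scripts as on this kind of host. The following is an added example (not code from the forum or the host) that reads a constructed copy of those headers and tells a web-script injection apart from an authenticated SMTP login; that UID 99 "nobody" is the web server account is an assumption stated in the code.

```python
import re

# Constructed sample, assembled from the headers quoted in the thread ("@" restored).
SAMPLE = (
    "Received: from server1.ripplehost.com ([69.72.225.234])\n"
    "\tby renig.nat.blars.org with ESMTP id i84Avbec028182\n"
    "\tfor <spamtrap@blars.org>; Sat, 4 Sep 2004 03:57:38 -0700\n"
    "Received: from nobody by server1.ripplehost.com with local (Exim 4.42)\n"
    "\tid 1C3Y7t-0004k2-UZ; Sat, 04 Sep 2004 06:50:34 -0400\n"
    "From: c_pui <cheung07@primposta.com>\n"
    "X-Mailer: RLSP Mailer\n"
    "X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]\n"
    "X-Source:\n"
    "X-Source-Args:\n"
    "X-Source-Dir:\n"
)

def parse_headers(raw):
    """Return (name, value) pairs, unfolding continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def classify_origin(raw):
    """Work out how the message entered the host's Exim queue."""
    hdr = parse_headers(raw)
    received = [v for n, v in hdr if n == "received"]
    first_hop = received[-1] if received else ""  # last Received = first hop
    result = {"method": "unknown", "user": None, "uid": None}
    m = re.match(r"from (\S+) by \S+ with local", first_hop)
    if m:                                             # handed in by a local process
        result["method"], result["user"] = "local", m.group(1)
    elif re.search(r"with e?smtps?a\b", first_hop, re.I):  # Exim's 'a' = SMTP AUTH
        result["method"] = "smtp-auth"
    elif re.search(r"with e?smtps?\b", first_hop, re.I):
        result["method"] = "smtp"
    uid = [v for n, v in hdr if n == "x-antiabuse" and "UID/GID" in v]
    if uid:
        result["uid"] = int(re.search(r"\[(\d+) ", uid[0]).group(1))
    # Assumption: UID 99 'nobody' is the account the web server runs as on this
    # host, so a local injection by that user points at a web script (formmail/PHP).
    result["web_script"] = result["method"] == "local" and result["user"] == "nobody"
    return result
```

A result of `local` by `nobody` means the fix lies in the hosted web scripts, while `smtp-auth` would point at a customer's stolen mailbox password instead.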
> I know, I know.
>
> I'll probably end up getting a host that is more responsive (expensive), but honestly, I've had fairly good uninterrupted service for over a year.
>
> I just thought I would post here to try to understand the problem. Can someone explain how you think the host is exploited?

At this point it would only be guesswork without more information/samples.......


Since no one else is explaining it to you, I will make a stab. Perhaps my explanation will prompt someone to correct me and you will have your answer.

IIUC, an exploitable form is used by the spammer to send spam. I haven't seen any for a long time because I suppose most people have downloaded the fixes, but usually the spam said you asked for this. So I suppose what the spammer does is enter his spam addresses in the form, and then sends his own reply.

Fixing it would do no harm to anyone. If the admin staff hasn't cancelled the customer account who is using it, then they just want that $9.99. Usually they contact the customer with the information on how to fix it first. IIUC, any competent admin staff can identify the customer.

The other probable cause (since it is not necessarily true that what the staff is telling you is correct) is that someone on the network has a trojanized machine.

If you were just on the spamcop bl, then if you got the owners to fix it, it might be worth the trouble. However, if you are on several other blocklists, the owners might not be willing to do what those blocklists require to be removed.

Surely someone can advise you on an inexpensive email service. In fact, spamcop email service is only $30 per year. You don't have to use the reporting part. I think some people like pobox.

Miss Betsy


Miss B, the example I posted above also went into a spam-trap:

Received: from server1.ripplehost.com ([69.72.225.234])
        by renig.nat.blars.org (8.12.3/8.12.3/Debian-6.6) with ESMTP id i84Avbec028182
        for <spamtrap[at]blars.org>

I suspect blars would be harder to correct than SpamCop is.
