gerr64 (Author), Posted September 9, 2004

I thought I would post here before looking for another host. I signed up with a small host over a year ago and didn't have spam-block problems until the last month or so. Now the ISP is listed on SpamCop, Spamhaus and probably others. (Edit: it was previously blacklisted on Spamhaus several weeks ago, but apparently not currently.) More and more of my email either bounces back as undeliverable or doesn't go through at all. The host owner claims someone is using PHP and that this makes it extremely hard to find out who is abusing the system. I'm not sure what that statement means. Does that mean someone is spamming by using formmail, or could it be another tactic with PHP?
Miss Betsy, Posted September 9, 2004

I am technically non-fluent, so I don't know how to answer you about what it is. However, if your host is listed in Spamhaus, then either they are incompetent or they are happy to get the spammers' money. There are people who will recommend competent, honest webhosts as well as explain what the problems might be. Good luck on finding a safe home!

Miss Betsy
gerr64 (Author), Posted September 9, 2004

Does exploiting formmail entail PHP? Why wouldn't my ISP owner want to use one of the recommended fixes found in the FAQ here: http://www.spamcop.net/fom-serve/cache/270.html Would this make other users lose some functionality on their website? I only use my account for email.
Merlyn, Posted September 9, 2004

SpamCop only lists while the spam is active and a couple of days after it subsides. Spamhaus is another problem though. If your IP is in Spamhaus, it is time to pack your bags and leave. Good luck. What is the IP? Many will post their findings here for you.
gerr64 (Author), Posted September 9, 2004

I use ripplehost.com. This is from SpamCop: http://www.spamcop.net/bl.shtml?69.72.225.234
dra007, Posted September 9, 2004

69.72.225.234 listed in bl.spamcop.net (127.0.0.2)

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems (these factors do not directly result in spamcop listing)
DNS error: 69.72.225.234 has no reverse dns

Listing History
In the past 5.0 days, it has been listed 3 times for a total of 4.8 days

Other hosts in this "neighborhood" with spam reports
69.72.225.50
69.72.226.42
69.72.226.90

Sounds like you might have a serious problem... others may be able to expand on this!
Merlyn, Posted September 9, 2004

A lookup shows 69.72.225.234 is not listed in the SBL. Good start. Let's check some more: http://www.moensted.dk/spam/?addr=69.72.22...4&Submit=Submit

Looks like it's only SpamCop. Now we will check more:

(69.72.225.234) Web server hosts 561 websites

SMTP - 25
220-server1.ripplehost.com ESMTP Exim 4.42 #1 Thu, 09 Sep 2004 11:51:37 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
421 server1.ripplehost.com lost input connection

POP3 - 110
+OK POP3 server1 [cppop 17.1] at [69.72.225.234]

69.72.225.234 listed in bl.spamcop.net (127.0.0.2)
Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week
Additional potential problems (these factors do not directly result in spamcop listing)
DNS error: 69.72.225.234 has no reverse dns
Listing History
In the past 5.0 days, it has been listed 3 times for a total of 4.8 days

If it is an invalid formmail script, Pegasus Web Technologies has the ability to find the bad script. It could also be they are hosting some spammers and do not care about removing them. Let's check sightings: http://groups.google.com/groups?q=PWEBTECH...&sa=G&scoring=d

Well, it doesn't look that good, but there should be some good info above to help you decide, and others will probably post more. Good luck.
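The lookups Merlyn and dra007 did through the SpamCop web form are ordinary DNS queries, and a mail administrator can script them to watch their own outbound IP. The following is an added example, not code from the forum, SpamCop or Spamhaus: it builds the reversed-octet query name, interprets the 127.0.0.0/8 answer, and runs offline against a constructed resolver table that mirrors what the thread reported on 9 Sep 2004 (listed on bl.spamcop.net with 127.0.0.2, not in the SBL). The reason text for code 2 is taken from the listing output quoted in the thread; codes for other zones are reported raw rather than interpreted.

```python
import ipaddress
import socket

# Reason text for the one return code the thread shows (bl.spamcop.net answers
# 127.0.0.2 for "spam-trap hits and/or user reports in the past week"). Other
# lists publish their own code tables; codes not in this map are reported raw.
REASONS = {
    ("bl.spamcop.net", 2): "spam-trap hits and/or SpamCop user reports in the past week",
}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL lookup asks for: reversed octets under the zone.

    69.72.225.234 checked against bl.spamcop.net becomes
    234.225.72.69.bl.spamcop.net.
    """
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a valid IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(zone: str, answer):
    """Turn the A-record answer (or its absence) into a verdict.

    DNSBLs answer NXDOMAIN when the IP is not listed and an address inside
    127.0.0.0/8 when it is; the last octet is the list-specific reason code.
    """
    if answer is None:
        return {"zone": zone, "listed": False, "code": None, "reason": "not listed"}
    a = ipaddress.IPv4Address(answer)
    if a not in LOOPBACK:
        # Not a blocklist verdict (e.g. a wildcard from a list that shut down
        # or a captive resolver); never treat it as a listing.
        return {"zone": zone, "listed": False, "code": None,
                "reason": f"unexpected non-loopback answer {answer}"}
    code = int(str(a).rsplit(".", 1)[1])
    reason = REASONS.get((zone, code), f"listed, return code 127.0.0.{code}")
    return {"zone": zone, "listed": True, "code": code, "reason": reason}


def check_ip(ip: str, zones, resolve=socket.gethostbyname):
    """Look up one IP in each zone; `resolve` is injectable so tests run offline."""
    results = []
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:
            answer = None  # NXDOMAIN: not listed in this zone
        results.append(interpret_answer(zone, answer))
    return results


class OfflineResolver:
    """Constructed stand-in for DNS so the example runs without network access."""

    def __init__(self, table):
        self.table = table

    def __call__(self, name: str) -> str:
        if name in self.table:
            return self.table[name]
        raise socket.gaierror("constructed NXDOMAIN")


# Constructed table mirroring the thread's findings: listed on bl.spamcop.net
# with 127.0.0.2, not listed in the Spamhaus SBL.
SAMPLE_TABLE = {"234.225.72.69.bl.spamcop.net": "127.0.0.2"}

if __name__ == "__main__":
    # Drop the OfflineResolver argument to use the system resolver for a live check.
    for verdict in check_ip("69.72.225.234", ["bl.spamcop.net", "sbl.spamhaus.org"],
                            OfflineResolver(SAMPLE_TABLE)):
        print(verdict)
```

Run from cron against your own sending IP, a transition from "not listed" to "listed" is the earliest signal you get that something on the box has started relaying spam, usually well before customers report bounces.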
StevenUnderwood, Posted September 9, 2004

As you have probably seen, the listing was due to spamtraps and spam samples. Some of the spam samples have been sent to:

Reporting addresses:
abuse[at]nac.net
abuse[at]pwebtech.com

Some have been by mole reporters as well, with no reports going to the ISP. If you want more information, see the FAQ.

220-server1.ripplehost.com ESMTP Exim 4.42 #1 Thu, 09 Sep 2004 11:57:44 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

Connecting to the server shows SMTP/AUTH is enabled, so the possibility of that hack is alive. Perhaps the host owner should contact deputies<at>spamcop.net to get some more information about those spamtrap hits as well.
gerr64 (Author), Posted September 9, 2004

Thanks. I haven't a clue what all this means, but I will post this thread on the ripplehost.com forum and see what happens. Apparently the owner there is either unable or unwilling to solve this.
Chris Parker, Posted September 9, 2004

http://www.spamcop.net/bl.shtml?69.72.225.234

Ugh, it's being used to send 419 scams... Sample 1, Sample 2
gerr64 (Author), Posted September 9, 2004

Wow. Yep, that is my server alright: server1.ripplehost.com. What is the most common way that they exploit the server? Is it by formmail (does that use PHP), or is it some other way?
Merlyn, Posted September 9, 2004

> Thanks. I haven't a clue what all this means, but I will post this thread on the ripplehost.com forum and see what happens. Apparently the owner there is either unable or unwilling to solve this.

Who is ripplehost.com? They do not exist:

Query : www.ripplehost.com
gethostbyname: www.ripplehost.com failed....
Query : ripplehost.com
gethostbyname: ripplehost.com failed....

There is an owner in Great Britain though. Now I am interested... The plot thickens :-)
gerr64 (Author), Posted September 9, 2004

Their website exists at www.ripplehost.com
StevenUnderwood, Posted September 9, 2004

Just to add more fun for the admin, I cannot seem to pull any DNS information for that host name or rDNS for the IP in question. SamSpade is showing me the same stuff. The only server on the internet that knows anything about this host is the DNS server from the [whois.directnic.com] named DNS servers: NS1.SERVERINNAC.COM, NS2.SERVERINNAC.COM. Something is not correct in this configuration.

[Edit] Merlyn, I just noticed your post on this same subject.
StevenUnderwood, Posted September 9, 2004

> Their website exists at www.ripplehost.com

Except that, right now at least, none of the internet knows that host or domain. You are probably using their DNS servers, so everything looks OK to you.
Merlyn, Posted September 9, 2004

There is no www.ripplehost.com
StevenUnderwood, Posted September 9, 2004

Merlyn: Using the DNS server provided by a SamSpade whois lookup, the www.ripplehost.com DNS information does exist, it just is not being transmitted to the rest of the internet.

P.S. I think I found the problem... "Welcome to the Ripple Host - $9.99/year hosting."

> server ns1.serverinnac.com
Default Server: ns1.serverinnac.com
Address: 207.99.111.68

> set type=any
> ripplehost.com
Server: ns1.serverinnac.com
Address: 207.99.111.68

ripplehost.com MX preference = 0, mail exchanger = ripplehost.com
ripplehost.com
        primary name server = ns1.serverinnac.com
        responsible mail addr = root.server1.serverinnac.com
        serial = 2004033105
        refresh = 14400 (4 hours)
        retry = 7200 (2 hours)
        expire = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)
ripplehost.com nameserver = ns1.serverinnac.com
ripplehost.com nameserver = ns2.serverinnac.com
ripplehost.com internet address = 207.99.111.68
ripplehost.com internet address = 207.99.111.68
ns1.serverinnac.com internet address = 207.99.111.68
ns2.serverinnac.com internet address = 207.99.111.69

> www.ripplehost.com
Server: ns1.serverinnac.com
Address: 207.99.111.68

www.ripplehost.com canonical name = ripplehost.com
ripplehost.com nameserver = ns1.serverinnac.com
ripplehost.com nameserver = ns2.serverinnac.com
ns1.serverinnac.com internet address = 207.99.111.68
ns2.serverinnac.com internet address = 207.99.111.69
DavidT, Posted September 9, 2004

> Welcome to the Ripple Host - $9.99/year hosting.

The phrase "you get what you pay for" comes to mind....

DT
gerr64 (Author), Posted September 9, 2004

I know, I know. I'll probably end up getting a host that is more responsive (expensive), but honestly, I've had fairly good uninterrupted service for over a year. I just thought I would post here to try to understand the problem. Can someone explain how you think the host is exploited?
dra007, Posted September 9, 2004

I wonder if they ever fixed or addressed their serious problem; this seems to go a while back:

Please delete your spammers account and charge appropriate cleanup fees.
pwebtech.com: the message came from you or your customer
above.net: you are hosting the spammers email dropbox cheung77pui[at]internav.com
ommtouch.com: you are hosting the spammers email dropbox cheung99pui[at]mail2hongkong.com
/snip
From nobody[at]server1.ripplehost.com Sat Sep 4 03:57:38 2004
Return-Path: <nobody[at]server1.ripplehost.com>
Received: from server1.ripplehost.com ([69.72.225.234]) by renig.nat.blars.org (8.12.3/8.12.3/Debian-6.6) with ESMTP id i84Avbec028182 for <spamtrap[at]blars.org>; Sat, 4 Sep 2004 03:57:38 -0700
Received: from nobody by server1.ripplehost.com with local (Exim 4.42) id 1C3Y7t-0004k2-UZ; Sat, 04 Sep 2004 06:50:34 -0400
To:
Subject: REQUEST FOR ASSISTANCE
From: c_pui <cheung07[at]primposta.com>
X-Priority: 3 (Normal)
CC:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: RLSP Mailer
Message-Id: <E1C3Y7t-0004k2-UZ[at]server1.ripplehost.com>
Date: Sat, 04 Sep 2004 06:50:33 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server1.ripplehost.com
X-AntiAbuse: Original Domain - blars.org
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server1.ripplehost.com
X-Source:
X-Source-Args:
X-Source-Dir:

REQUEST FOR ASSISTANCE
FROM:MR. CHEUNG PUI
/snip
Let me start by introducing myself. I am Mr. Cheung Pui director of operations of the Hang Seng Bank Ltd,Sai Wan Ho Branch. I have a obscured business suggestion for you.
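The headers dra007 quoted go a long way toward answering gerr64's question about how the host is being exploited. The earliest Received line says the message entered Exim "from nobody by server1.ripplehost.com with local", meaning it was handed to the local MTA by a process running as the nobody account (the cPanel-style X-AntiAbuse line records UID 99), not by an SMTP session from outside. On a shared web host, nobody is typically the account web scripts run under, which points at an abused form-mail or PHP script rather than a stolen mailbox password; had it been the SMTP/AUTH hack StevenUnderwood mentioned, Exim would have written "with esmtpa" instead. The parser below is an added example, not code from the forum or from cPanel: it classifies the injection point from the headers quoted on this page (with the "[at]" obfuscation restored) and from a second, constructed sample showing an authenticated submission. The mapping of nobody/UID 99 to the web server is an assumption about that host's configuration, and the constructed sample's hostnames and IDs are placeholders.

```python
import re
from email import message_from_string

# Headers as quoted in the thread (obfuscated "[at]" restored to "@").
SAMPLE_WEB_INJECTED = """\
Return-Path: <nobody@server1.ripplehost.com>
Received: from server1.ripplehost.com ([69.72.225.234])
    by renig.nat.blars.org (8.12.3/8.12.3/Debian-6.6) with ESMTP id i84Avbec028182
    for <spamtrap@blars.org>; Sat, 4 Sep 2004 03:57:38 -0700
Received: from nobody by server1.ripplehost.com with local (Exim 4.42)
    id 1C3Y7t-0004k2-UZ; Sat, 04 Sep 2004 06:50:34 -0400
Subject: REQUEST FOR ASSISTANCE
X-Mailer: RLSP Mailer
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server1.ripplehost.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server1.ripplehost.com

(body omitted)
"""

# Constructed contrast case (placeholder hosts, IPs and IDs): the message was
# submitted over SMTP with a username/password, which Exim marks "esmtpa".
SAMPLE_AUTH_SUBMISSION = """\
Received: from server1.example.net ([192.0.2.10])
    by mx.example.org with ESMTP id constructed01; Sat, 4 Sep 2004 03:57:38 -0700
Received: from [198.51.100.7] (helo=home-pc)
    by server1.example.net with esmtpa (Exim 4.42)
    id constructed02; Sat, 04 Sep 2004 06:50:34 -0400
Subject: constructed sample

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+)\s+with\s+(?P<with>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
UID_RE = re.compile(r"UID/GID\s*-\s*\[(\d+)\s+(\d+)\]")

# Exim's Received "with" tags: "local" = handed to the MTA by a local process
# (sendmail binary, PHP mail(), CGI); "esmtpa"/"esmtpsa" = authenticated SMTP.
AUTHENTICATED = {"esmtpa", "esmtpsa"}


def triage(raw_message: str) -> dict:
    """Locate where a message entered the mail system and what that implies.

    Received headers are prepended as the message travels, so the last one is
    the earliest hop and names the injection point; the first one carries the
    IP the receiving site saw, which is the one that ends up on a blocklist.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return {"category": "unknown", "note": "no Received headers"}

    first_hop = IP_RE.search(received[0])
    origin = HOP_RE.search(received[-1])
    result = {
        "reporting_ip": first_hop.group(1) if first_hop else None,
        "origin_host": origin.group("by") if origin else None,
        "origin_source": origin.group("src") if origin else None,
        "origin_protocol": origin.group("with").lower() if origin else None,
        "caller_uid": None,
    }

    # cPanel-style X-AntiAbuse records the local UID that invoked the MTA.
    for value in msg.get_all("X-AntiAbuse") or []:
        m = UID_RE.search(value)
        if m:
            result["caller_uid"] = int(m.group(1))

    proto = result["origin_protocol"]
    if proto == "local":
        result["category"] = "local-injection"
        result["note"] = ("injected by a local process running as user "
                          f"{result['origin_source']} (uid {result['caller_uid']}); "
                          "on a shared web host that usually means a web script")
    elif proto in AUTHENTICATED:
        result["category"] = "authenticated-submission"
        result["note"] = "submitted with SMTP AUTH; check the account whose credentials were used"
    elif proto:
        result["category"] = "remote-smtp"
        result["note"] = "accepted from a remote host without authentication; check relay rules"
    else:
        result["category"] = "unknown"
        result["note"] = "could not parse the earliest Received header"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_WEB_INJECTED, SAMPLE_AUTH_SUBMISSION):
        print(triage(sample))
```

The category decides where the admin looks next: a local injection as the web-server user means going through the web logs for POSTs to mail-sending scripts around the Exim queue ID's timestamp, while an authenticated submission means resetting the compromised account's password.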
Merlyn, Posted September 9, 2004

> I know, I know. I'll probably end up getting a host that is more responsive (expensive), but honestly, I've had fairly good uninterrupted service for over a year. I just thought I would post here to try to understand the problem. Can someone explain how you think the host is exploited?

At this point it would only be guesswork without more information/samples...
Miss Betsy, Posted September 9, 2004

Since no one else is explaining it to you, I will make a stab. Perhaps my explanation will prompt someone to correct me and you will have your answer.

IIUC, an exploitable form is used by the spammer to send spam. I haven't seen any for a long time because I suppose most people have downloaded the fixes, but usually the spam said you asked for this. So I suppose what the spammer does is enter his spam addresses in the form, and then sends his own reply. Fixing it would do no harm to anyone. If the admin staff hasn't cancelled the customer account who is using it, then they just want that $9.99. Usually they contact the customer with the information on how to fix it first. IIUC, any competent admin staff can identify the customer.

The other probable cause (since it is not necessarily true that what the staff is telling is correct) is that someone on the network has a trojanized machine.

If you were just on the SpamCop bl, then if you got the owners to fix it, it might be worth the trouble. However, if you are on several other blocklists, the owners might not be willing to do what those blocklists require to be removed.

Surely someone can advise you on an inexpensive email service. In fact, SpamCop email service is only $30 per year. You don't have to use the reporting part. I think some people like pobox.

Miss Betsy
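Miss Betsy's description is the classic form-to-mail weakness: the script lets the browser supply the recipient (and often the subject or other header fields), so anyone who finds the form can make the web server send mail to any address, which is why the traffic shows up as coming from the web server's own account. The following is an added example, not the thread's formmail nor any real script's code; the field names (recipient, email, subject, message) and the X-Form-* tracing headers are constructed for illustration. It puts the weak pattern beside a hardened handler that fixes the recipient server-side, refuses CR/LF in header fields, and stamps the remote address and script path into the message so an admin can find the abused script from a single complaint.

```python
import re

# Server-side allowlist: the only addresses this form may ever deliver to
# (constructed values; a real deployment would read them from config).
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
DEFAULT_RECIPIENT = "webmaster@example.com"

CRLF_RE = re.compile(r"[\r\n]")
ADDRESS_RE = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[A-Za-z]{2,}$")
MAX_BODY_BYTES = 16 * 1024


def build_mail_unsafe(fields: dict) -> dict:
    """The weak pattern the thread is talking about: the browser decides the
    recipient and the subject line, so the script is an open relay that sends
    from the web server's account ("nobody")."""
    return {"headers": {"To": fields["recipient"], "Subject": fields["subject"]},
            "body": fields["message"]}


def build_mail_safe(fields: dict, remote_addr: str, script_path: str) -> dict:
    """Hardened handler: returns {"accepted": True, "message": ...} or
    {"accepted": False, "reason": ...}; never raises on bad input."""
    to = fields.get("recipient") or DEFAULT_RECIPIENT
    if to not in ALLOWED_RECIPIENTS:
        return {"accepted": False, "reason": "recipient not on server-side allowlist"}

    subject = fields.get("subject", "Website contact form")
    visitor = fields.get("email", "")
    # A newline in any value destined for a header lets the sender append
    # their own headers (Bcc:, extra To:); reject rather than strip.
    if CRLF_RE.search(subject) or CRLF_RE.search(visitor):
        return {"accepted": False, "reason": "CR/LF in header field"}
    if visitor and not ADDRESS_RE.match(visitor):
        return {"accepted": False, "reason": "visitor address is not a single valid address"}

    body = fields.get("message", "")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return {"accepted": False, "reason": "message too large"}

    headers = {
        "To": to,
        # From is fixed to a local address; the visitor only gets Reply-To.
        "From": "Website form <form@example.com>",
        "Subject": subject,
        # Trace headers (constructed names) so an abuse report identifies the
        # script and the client that drove it, much as X-AntiAbuse does.
        "X-Form-Script": script_path,
        "X-Form-Remote-Addr": remote_addr,
    }
    if visitor:
        headers["Reply-To"] = visitor
    return {"accepted": True, "message": {"headers": headers, "body": body}}


if __name__ == "__main__":
    submission = {"recipient": "webmaster@example.com", "email": "visitor@example.org",
                  "subject": "Hello", "message": "Question about hosting"}
    print(build_mail_safe(submission, "198.51.100.7", "/cgi-bin/contact"))
    print(build_mail_safe(dict(submission, recipient="anyone@example.net"),
                          "198.51.100.7", "/cgi-bin/contact"))
```

The allowlist alone removes the relay: with the destination fixed on the server, the worst a stranger can do is send the site owner their own message. The trace headers address the other complaint in the thread, that the host "cannot find out who is abusing the system"; one forwarded sample then names the script and the client address.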
dra007, Posted September 9, 2004

Miss B, the example I posted above also went into a spam-trap:

Received: from server1.ripplehost.com ([69.72.225.234]) by renig.nat.blars.org (8.12.3/8.12.3/Debian-6.6) with ESMTP id i84Avbec028182 for <spamtrap[at]blars.org>

I suspect blars would be harder to correct than SpamCop is...
Merlyn, Posted September 9, 2004

Here is some info on the formmail hack: http://www.atlasassurity.com/hacking.html
gerr64 (Author), Posted September 9, 2004

Thanks, Miss Betsy and Merlyn.