larryk, Posted February 13, 2006

hello, I'm not sure where to start, but I'm sure someone at SpamCop can help me figure out who got my server blocked, why, how, etc. etc.

Last night, my server "send mail" process went through the roof!!! I'm assuming someone hacked my server or somehow was able to send out spam via my server. My hosting clients are few and I know them personally.... so I doubt it was any of them. My hosting support needs email header info... to try to find the cause. I personally can't do things myself (as I don't know Linux)... so I'm relying on everyone else.

anyway...
1) Is there a way that SpamCop could let me know any information that caused my server to be listed on SpamCop?
2) What do I do to get off the list?
3) How can I prevent, or what can I do to be proactive to not let anyone send spam on my server?

Thanks for your help!!! I read that "after I find the problem/rid my server of the reason or thing that sent out the spam" I can submit to have my server taken off the SpamCop list? Is this correct?

Thanks
Larry
Jeff G., Posted February 13, 2006

> hello,

Hello, Larry.

> <snip> 1) Is there a way that spam cop could let me know any information that caused my server to be listed on spam cop?

That is certainly possible, but we or the SpamCop Deputies would need the IP Address of your server as a starting point.

> 2) what do I do to get off the list?

First, you need to find and fix the problem, then your server will be delisted 24 hours after the last SpamCop spam report is submitted about it.

> 3) how can I prevent or what can I do to be proactive to not let any one send spam on my server

There are anti-spam recommendations for many different mail server software packages - it would be helpful to know which package you are running.

> I read that "after I find the problem/rid my server the reason or thing that sent out the spam" I can submit to have my server taken off the Spamcop list? is this correct?

Yes, that is correct. Please see Why am I Blocked? for details.

> Thanks

You're welcome.
Telarin, Posted February 13, 2006

> I'm not sure where to start, but I'm sure someone at SpamCop can help me figure out who got my server blocked, why, how, etc. etc.

Any one of the FAQs at the top of the forums would be an ideal place to start.

> Last night, my server "send mail" process went through the roof!!! I'm assuming someone hacked my server or somehow was able to send out spam via my server. My hosting clients are few and I know them personally.... so I doubt it was any of them.

That's certainly a possibility, but without any troubleshooting information (IP address, etc.) we will never know.

> My hosting support needs email header info... to try to find the cause. I personally can't do things myself (as I don't know Linux)... so I'm relying on everyone else

This is a bit confusing. Are you running your own mail server or not? The earlier information about your sendmail process would seem to indicate that you are running your own server, yet this bit seems to conflict with that. Perhaps some more details about your setup would be in order?

> anyway... 1) Is there a way that spam cop could let me know any information that caused my server to be listed on spam cop?

Those reports would have been sent to the registered abuse address for your mail server's IP address. Without knowing the IP address of your mail server, I couldn't even begin to guess what that might be.

> 2) what do I do to get off the list?

Your server will automatically be removed from the list approximately 24 hours after it stops sending spam.

> 3) how can I prevent or what can I do to be proactive to not let any one send spam on my server

Make sure you aren't running an open relay. Make sure you are using secure passwords and an adequate firewall. Basically all your general network security issues. But again, this is a bit confusing. Are you running your own mail server, or do you have an ISP hosting it for you? If the latter is the case, THEY should be doing these things. It is, after all, what you pay them for.

> I read that "after I find the problem/rid my server the reason or thing that sent out the spam" I can submit to have my server taken off the Spamcop list?

That is correct; however, you can only do a quick delisting one time, so make sure the problem is fixed before doing so. If you can provide us with the sending server's IP address, we can provide you with a lot more information concerning why your server is listed, and what your problem might be.
larryk (Author), Posted February 13, 2006

65.109.242.251 is my server.

I've created an ISP account --- and signed up to be monitored... I guess the daily emails will tell me if I get on a list in the future? Although I will probably figure it out BEFORE the email comes. THANKS for your help....

I saw the reports, etc. someone on the site... It appears my thoughts were correct. The spammer did it last night... as the daily magnitude/monthly magnitude are 2.6?? Will you be able to tell me what IP address the spammer used? What program, etc. he was using? Or how he did it? I have about 70 sites on the server.. so hard to figure it out on my own.

THANKS AGAIN!!!
larryk (Author), Posted February 13, 2006

not sure if this helps or not, on one of my websites (a message board) I got some spam posts last night with these IP addresses:
60.1.113.75
60.1.119.237
60.1.99.147
60.1.113.75
turetzsr, Posted February 13, 2006

Hi, Larry!

> 65.109.242.251 is my server

...Thanks, that's the bit we need! <g>

> I've created a ISP account --- and signed up to be monitored... I guess the daily emails will tell me if I get on a list in the future?

...Don't know that, myself, as I do not have a server and, therefore, have no ISP account.

> Although I will problably figure it out BEFORE the email comes

...Sure hope so -- good luck on that! <g>

> <snip> ...Will you be able to tell me what IP address the spammer used? What program, etc. he was using? Or how he did it? <snip>

...Going to the aforementioned SpamCop FAQ (see link near top of page) entry "SpamCop Blocking List - Am I listed?", then pasting your server IP address into the text box next to the button labeled "Numeric IP address" and clicking the button, then clicking the link labeled "Trace IP," it seems that reports (except for spam sent to spam traps -- those are only available from SpamCop staff -- if you provide sufficient information verifying your responsibility for the server in question to deputies[at]spamcop.net, they may send something back to you) have gone to abuse[at]alabanza.com. If you contact them, they should be able to provide you with the reports from SpamCop. However, it won't answer your questions directly. You will probably have to look through server logs to try to find those answers.
Jeff G., Posted February 13, 2006

Report History for 65.109.242.251 (just one actual Report, the rest of the 11-20 were spamtrap hits) follows:

Submitted: Monday 2006/02/13 05:47:17 -0500: Website Visitor Request:
1656717959 ( 65.109.242.251 ) To: spamcop[at]imaphost.com
1656717923 ( 65.109.242.251 ) To: abuse[at]alabanza.com
Telarin, Posted February 13, 2006

Hmm, that "Website Visitor Request:" subject makes me suspect that you have some kind of abusable form-to-mail script on your server that someone may be abusing. In which case it is not a "hacker" at all, just a spammer that discovered you have an unsecured script that they can use to send spam.
larryk (Author), Posted February 13, 2006

> Hmm, that "Website Visitor Request:" subject makes me suspect that you have some kind of abusable form to mail script on your server that someone may be abusing. In which case it is not a "hacker" at all, just a spammer that discovered you have an unsecured script that they can use to send spam.

okay... now we are getting some place... yes, I have PHP forms that allow people to send (email) the form information. The subject title looks like one of the form email subjects. What IP or domain is it coming from? Can I see the reports?

Any thoughts on what needs to be protected/secured on the PHP code? I had thought it's typical stuff? code like mail("emailaddress", "subject", "body"); So I guess someone found a way to automate the submitting of that form and to somehow override the "TO EMAIL ADDRESS"???

thanks
Telarin, Posted February 13, 2006

> okay... now we are getting some place... yes, i have php forms that allow people to send (email) the form information.

ok, that is probably part of your problem. If the form allows anyone to send email anywhere, then spammers can and will use it to send their garbage.

> The subject title looks like one of the form email subjects. What IP or domain is it coming from?

It is coming from the IP address of your server. In order to trace it back any further than that, you would need to check your server's web access logs to figure out who filled out the form.

> Can I see the reports?

For the non-spamtrap reports, you should contact the abuse desk for your IP block, apparently abuse[at]alabanza.com; they should have received the original reports. For the spamtrap hits, you would have to contact deputies[at]spamcop.net directly for assistance.

> Any thoughts on what needs to be protected/secured on the php code? I had thought its typical stuff? code like mail("emailaddress", "subject", "body"); So I guess someone found a way to automate the submitting of that form and to somehow overide the "TO EMAIL ADDRESS"???

The main thing would be to make sure that there is no way for them to override the "emailaddress" field. The to email address should be hard coded in your script. If you are using a field like:

<input type=hidden name=toemail value=youremail[at]domain.com>

Then a spammer will just replace the submitted value in their bot and send it wherever they want.
larryk (Author), Posted February 13, 2006

thanks...

1) some reports went to alabanza -- I will not see those -- they are too busy for my small problems??????? I sent email and called... there is nothing else I can do. Can you please email them to me?

2) for sending email to deputies[at]spamcop.net, what do I say?

3) I'm going through my server domains/websites and adding code to prevent "php email spam" === I think it was called "email injection" but I have 70 sites... not all of them have email forms. not all are the problem... but I wish I knew where to look first?!?!!?

4) php question: ALL OF MY php email forms hard code the "to email address". Some have an email address that people enter. NONE (I think) allow a person to enter an email address and send to the entered email address.

question: with the above said: I assume the "email injection" problem allows hackers to add code to the body or a field that allows the email to be sent out elsewhere. BUT can it override my hard coded email address??????? shouldn't I have an email account getting a ton of spam ALONG with all the emails going out?

I'm trying VERY hard to fix this problem, but a) can't get any real information b) I'm waiting on other people to supply me with information c) I'm trying to figure out the problem. I can't be the first person this has happened to... isn't there a "SIMPLE" and EASY step by step website to follow to fix this or solve my issues... I'm assuming this type of spam happens all the time???? Why is it so hard to get info to fix or solve it? OR am I not looking in the right places?

thanks again.... at least I'm getting some place or closer to the solution here....

-Larry

PS> I would prefer not to wait till it happens again?
Jeff G., Posted February 13, 2006

> 2) for sending email to deputies[at]spamcop.net, what do I say?

Just say who you are and reference this Topic http://forum.spamcop.net/forums/index.php?showtopic=5959 - that should be enough.
Telarin, Posted February 13, 2006

At this point, yes, I would say you are probably looking in the wrong place. All of us on this forum are users of SpamCop, and have the same access to reports that you do. For more details on the reports, you would have to contact deputies[at]spamcop.net. If your ISP doesn't have time to forward spam reports to you, I would find a new ISP.

As far as finding out how to fix the problem, Google is your friend. There are literally hundreds of sites out there on PHP coding, and I'm sure several of them would have exactly what you are looking for. I'm not positive about exactly how they could inject an email into your particular script, but a good rule of thumb is to strip control characters such as <, >, %, and ' out of all user input fields. That will prevent most cases of HTML or SQL injection.
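As an added example (not code posted in this thread), here is a PHP form-to-mail handler built along the lines Telarin describes in the two posts above: the recipient is hard-coded instead of being read from a hidden field, and any visitor-supplied value that ends up in a mail header is rejected if it contains a line break, since appending a new header line is what the "email injection" larryk asked about relies on. The addresses and field names are placeholders.

```php
<?php
// Added example, not code from the forum thread: a form-to-mail handler
// hardened against the two problems discussed above. The recipient is
// hard-coded (never read from a hidden field), and every visitor-supplied
// value that ends up in a mail header is rejected if it contains CR or LF,
// the characters that let a bot append its own headers (Bcc:, extra To:).
// The addresses below are placeholders.

const FORM_RECIPIENT = 'webmaster@example.com'; // hard-coded destination
const FORM_SENDER    = 'webform@example.com';   // fixed From: on our own domain

/** True if the value could start a new header line (CR, LF or NUL). */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate the submitted fields. Returns a list of the field names that
 * failed; an empty list means the submission is safe to hand to mail().
 */
function validate_contact_form(array $fields): array
{
    $errors  = [];
    $name    = trim($fields['name'] ?? '');
    $email   = trim($fields['email'] ?? '');
    $subject = trim($fields['subject'] ?? '');
    $message = trim($fields['message'] ?? '');

    if ($name === '' || strlen($name) > 100 || has_header_injection($name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, spaces and multiple addresses,
    // so a value that passes is safe to place in a Reply-To header.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if ($subject === '' || strlen($subject) > 200 || has_header_injection($subject)) {
        $errors[] = 'subject';
    }
    // The body cannot inject headers, but cap its size so the form is not
    // worth using as a bulk sender.
    if ($message === '' || strlen($message) > 10000) {
        $errors[] = 'message';
    }
    return $errors;
}

/**
 * Build [$to, $subject, $body, $headers] for mail() from validated fields.
 * The visitor's address goes in Reply-To only; From: stays on our domain.
 */
function build_mail(array $fields): array
{
    $headers = [
        'From: Website Form <' . FORM_SENDER . '>',
        'Reply-To: ' . trim($fields['email']),
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = 'Name: ' . trim($fields['name']) . "\n"
          . 'E-mail: ' . trim($fields['email']) . "\n\n"
          . trim($fields['message']);
    return [
        FORM_RECIPIENT,
        'Website Visitor Request: ' . trim($fields['subject']),
        $body,
        implode("\r\n", $headers),
    ];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = validate_contact_form($_POST);
    if ($errors !== []) {
        // Log the client address so this entry can be matched against the
        // web access log when the form is being probed by a bot.
        error_log(sprintf('contact form rejected (%s) from %s',
            implode(',', $errors), $_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(400);
        exit('Your submission could not be processed.');
    }
    [$to, $subject, $body, $headers] = build_mail($_POST);
    mail($to, $subject, $body, $headers);
    echo 'Thank you, your message has been sent.';
}
```

A rejected submission is logged with the client IP, which is the same detail Telarin suggests digging out of the web access logs to find who is filling the form in.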
agsteele, Posted February 13, 2006

> Can you please email them to me? 2) for sending email to deputies[at]spamcop.net, what do I say?

Hi larryk, I'm not sure if it is clear to you that these forums are peer-support areas, i.e. all the help you've received so far is from other users like yourself. So it isn't, normally, possible for any of us to send you copies of the reports you request. This sort of help is provided by the deputies at the address already provided. Just explain what you are trying to do and what information you would appreciate. They are busy folk but generally helpful.

Andrew
larryk (Author), Posted February 13, 2006

THanks.... I'm just very frustrated that I can't fix my problem. Don't mean to take it out on you, users of SpamCop, etc. I know you are just trying to help. And I'm getting there (I think)... it's just that I've been dealing with this for several hours and I have not solved much?

FROM JEFF...
Submitted: Monday 2006/02/13 05:47:17 -0500: Website Visitor Request:
1656717959 ( 65.109.242.251 ) To: spamcop[at]imaphost.com
1656717923 ( 65.109.242.251 ) To: abuse[at]alabanza.com

where did this come from? Is this part of a report? The email subject "Website Visitor Request: "... if I saw the rest of the report or header or anything... I might be able to solve my problem.

But from what I know... that report was emailed to my hosting provider... why can't it be emailed to me? It seems like I can do more with that report than the hosting provider... That is what I don't understand. I'm actively trying to solve the server problem.

FYI: I did send email to deputies also. I talked with my hosting support some more... I know the spam went out between 8-12pm last night. it does appear that the "www" was the user, meaning a web page was used. if I only knew which domain(s)... I could practically solve the problem in minutes.

thanks
StevenUnderwood, Posted February 13, 2006

> But from what I know... that report was emailed to my hosting provider... why can't it be email to me? It seems like I can do more with that report than the hosting provider... That is what I don't understand.

It is emailed to the owner of the IP address that sent the spam.

Reports routes for 65.109.242.251:
routeid:998104 65.108.0.0 - 65.109.255.255 to:abuse[at]alabanza.com Administrator interested in all reports

It is their job to determine who was using the specific IP at that time and deal with it, which could (should) be to contact you and let you know there were reports against your IP.
Jeff G., Posted February 13, 2006

> If your ISP doesn't have time to forward spam reports to you, I would find a new ISP.

I concur.
turetzsr, Posted February 13, 2006

> THanks.... I'm just very fustrated that I can't fix my problem. Don't mean to take it out you, users of spamcop, etc. I know you are just trying to help.

...Not speaking for the others, just myself: I don't think anything you've written (either publicly in the forum or privately to me via PM) constitutes "taking it out on us." I, for one, really appreciate that you are trying to fix the problem and can imagine how frustrating it is! <g>

> <snip> FROM JEFF... Submitted: Monday 2006/02/13 05:47:17 -0500: Website Visitor Request: 1656717959 ( 65.109.242.251 ) To: spamcop[at]imaphost.com 1656717923 ( 65.109.242.251 ) To: abuse[at]alabanza.com where did this come from? Is this part of a report?

...If I understand correctly, this is from information that Jeff G has access to by virtue of his status as a "paid" SpamCop reporter (I don't have access to this because I am a "free" SpamCop reporter).

> The email subject "Website Visitor Request: "... if i saw the rest of the report or header or anything... I might be able to solve my problem.

...And, unfortunately, as far as I know, only your hosting provider's Abuse desk and the SpamCop Deputies are able to provide this to you.

> But from what I know... that report was emailed to my hosting provider... why can't it be email to me? It seems like I can do more with that report than the hosting provider... That is what I don't understand.

...It can be in the future, if Alabanza changes the "abuse" address for your server from itself to you. However, at the time the spam was reported by the victim, the abuse address was Alabanza's abuse e-mail address and those reports are gone and unavailable to anyone but Alabanza and SpamCop employees, such as the Deputies.

> I'm actively trying to solve the server problem.

...Clearly so ... thank you! <g>

> FYI: I did send email to deputies <snip>

...Excellent -- hopefully they'll be able to reply soon with useful information.

...Good luck!
larryk (Author), Posted February 13, 2006

arggggggg... I'm not one to sit down and wait... BUT in this case, I guess I've been "defeated". my head hurts trying to figure out things
--alabanza is no help till tomorrow.
--spam cop deputies... I'm guessing have a long queue and I'm not at the top of the list
--clients complaining that emails are being blocked
--from 1 to 10... 1 is knowing of the problem and 10 is problem solved.... I'm at 1.5 and spent all day doing it

but hey... look at the bright side... tomorrow isn't today

thanks to all (especially the person who explained "WHY" the report was emailed to the owner of the server IP --- that makes sense.)

last question: with all this technology... you would think it's easier. So why does so much technology make things harder? uhm... I think the answer is this: when things go right --- IT'S great. when things go bad --- it's horrible. the more technology, the greater the "good" or the "bad"
Wazoo, Posted February 13, 2006

From another perspective .... You say "linux" but didn't mention the flavor, they all do some things a bit differently. One could make a logical assumption that you are also then using Apache for your web server ... if true, then there are a number of questions:
1. What logging is turned on? Have you looked at these logs?
2. Have you scanned your hosted sites for any 'mailform' / 'formmail' type scripts?
3. What access rights do the hosted sites have to the services on the server?
4. Is there a firewall in use? Have you looked at logs there?

Just a few things to come to mind ... while you're waiting <g>

I could offer to take a look at things, but that would mean that you'd have to either PM me your credentials to log in as root or ask that you set up another user account on the system with root access/powers and PM me that data ... and as you have no idea who I am, there is no way in the world that you should consider doing this.

Edit: 2006/02/13 18:35 EST -0500 Jeff G. changed the ol and li tags to BBCode to make the list work.
Jeff G., Posted February 13, 2006

> my server "send mail" process went through the roof!!!

If you're writing about sendmail, please upgrade to 8.9.3 or 8.10, or see Anti-spam Provisions in Sendmail 8.8. Thanks!
turetzsr, Posted February 13, 2006

> <snip> --spam cop deputies... I'm guesssing have a long que and i'm not at the top of the list

...Very likely! In fact, sometimes e-mails to them get lost and some (rarely, I expect) never make it to the top of the queue, for some unknown reason, so best to send to them again if you don't hear from them within two or three days.

> -- clients complaining that emails are being blocked

...They should call the people to whom they are sending their e-mail to ask if their (your clients') e-mail address can be "whitelisted."

> <snip> last question: with all this technology... you would think its easier. So why does so much technology make things harder? uhm... i think the answer is this: when things go right --- ITS great. when things go bad --- its horrible. the more technology, the greater the "good" or the "bad"

...Add to that: when spammers, hackers and the like take advantage of the "trust" inherent in the internet, it's really horrible!
larryk (Author), Posted February 21, 2006

hello

well last week was not very fun.

bad news... well, there is none
good news: my server is running better. I learned about "netstat" and how to spot things on my server. my server is off the SpamCop list. I'm making my server "more secure" --- a little pain, but an ounce of prevention goes 1000s of miles :)

What I think can help others like me... is a "simple" / "easy" FAQ that is straight to the point. One that looks like this:

Question: Is your server listed on a SpamCop list? Yes, continue reading -- Not sure, check it here.

Question: Why is my server on the SpamCop list?
Answer: Because your server has been sending out spam... with or without your knowledge.

Question: How can that be?
Answer: Because spammers are smart and do things you don't think they can do.

Question: Are you sure?
Answer: YES! ---- you are not the first person to think we are making it up. BUT here is what you can do:
a) find the spammers/reason for spammers/how to track down the source of spam, etc. etc. etc. [ just list out things that are common ] === many of the things I learned last week.
b) once you find the source or reason --- stop it! Make sure it doesn't happen again.
c) if you have prevented the spammers from using your server... DO THIS CLICK HERE

Question: I don't own or manage the server. What do I do?
Answer: Find the owner or manager of the server and tell them to look at this page. We will not take the server off the list until it has been dealt with. Your server has been sending out spam and we (and EVERYONE ELSE in the world) don't want any more spam.

thanks
Larry

PS. I can't edit the above message that lists my server IP... can someone take it off? thanks

PSS. forgot to mention... above I said "simple and easy".... the SpamCop site is FULL of pages, links and info... almost too much, it's too overwhelming to find things... ESPECIALLY when your server just got put on the list and you're freaking out and can't call anyone and your clients are calling, saying "I can't send out email"... when will it be fixed. AND all you can say to any question is: "I don't know"
Wazoo, Posted February 21, 2006

> above I said "simple and easy".... the spamcop site is FULL of page, links and info... almost too much, its to overwhelming to find things... ESPECIALLY when your server just got put on the list and your freaking out and can't call anyone and your clients are calling, saying "I can't send out email"... when will it be fixed. AND all you can say to any question is: "I Don't know"

You seem to point to the www.spamcop.net Help pages .... have you looked at the SpamCop FAQ linked to at the top of this page? Have you looked at the (still incomplete) KnowledgeBase view of things via the SCKB link at the top of this page? Did you notice that there is a FAQ Development Forum section available here for FAQ development work?
Miss Betsy, Posted February 22, 2006

> <snip> PSS. forgot to mention... above I said "simple and easy".... the spamcop site is FULL of page, links and info... almost too much, its to overwhelming to find things... ESPECIALLY when your server just got put on the list and your freaking out and can't call anyone and your clients are calling, saying "I can't send out email"... when will it be fixed. AND all you can say to any question is: "I Don't know"

I have a lot of empathy with you. IMHO, there should be some sort of entry (which should be on the spamcop pages, but that's impossible and so it could be in the forum) that is so obvious and hand-holds you from step to step so that you either find the answer or calm down enough to find it on your own.

What would you think you would have looked at that would have helped you? How could you have been attracted to the 'right' FAQ?

Miss Betsy
Archived
This topic is now archived and is closed to further replies.