
My hosting site has been compromised by spammers: I'm blacklisted at Spamhaus.org

MichaelD

Lifer
I'm really hoping to get some good advice here. 🙁

A few days ago, 99% of the emails I was sending from home started being bounced back. I read the auto-generated messages, and it led me to Spamhaus.org.

I contacted Spamhaus, who told me to go to PWebtech.com. I contacted them and they gave me the lowdown.

Apparently, a spammer was sending from my server, which is with Ripplehost.com. 66.246.44.78

While they believed me that it wasn't ME doing it (it's not!) they said "When you get it fixed, email us and we'll verify and un-blacklist you."

I went into my site (via the Control Panel applet) and poked around. I didn't see anything that stood out as "foul." But then again, aside from an obvious .exe or .vbs, I've no idea what I'm looking for. Aside from the pictures I've got out there, I didn't see anything else. I emailed them and told them this. They want a detailed explanation of "how I got rid of the offending script/host." WTF? 😕 I reiterated that I found nothing. Apparently, I'm hosed. :|



I am tired of the BS with Ripplehost. Nuff said on that. I'm looking for new hosting and already have a very well-known company in mind.

SCENARIO

I own my own domain. My email addy is "Mike@mikesdomain.com"

If I change hosting, and therefore mail servers, will the spam go away, or will it stay b/c it's tied to my domain name?

Will I have to change my email addy? I.E. instead of "Mike" change it to "Mike1"? See what I'm getting at?

Please advise.
 
Is it possible that the spam could be coming from a different domain hosted on the same server?
 
Originally posted by: mugs
Is it possible that the spam could be coming from a different domain hosted on the same server?

Thanks, Mugs. I don't know. I only have one domain hosted on that server. Wait...

What you're saying is: Maybe someone ELSE has a domain hosted on that server and it's not me it's coming from? Well, that's entirely possible.

But, I've had a BAD problem with spam for about a month. So it probably "is me". 🙁
 
Michael,

There are two possibilities. 1) Your computer has a Trojan, which is sending the spam 2) A spammer has your address and is spoofing/forging your address.

Run Ad-ware and check for Trojans.

Also set up a firewall that blocks all outgoing ports/applications and forces you to ask permission when you want to use the application. It will most likely point you to the problem.
 
Originally posted by: Aimster
Michael,

There are two possibilities. 1) Your computer has a Trojan, which is sending the spam 2) A spammer has your address and is spoofing/forging your address.

Run Ad-ware and check for Trojans.

Also set up a firewall that blocks all outgoing ports/applications and forces you to ask permission when you want to use the application. It will most likely point you to the problem.

Thanks for the reply. I have four different Ad/Spam Killers, plus Symantec AV Corp edition on my network at home. Spybot S&D finds nothing.

I'm on a clean/new (two weeks) install of XP. I'm clean.

I've looked at the headers on the spam. They have BOTH my email addresses; my main one I use for most things AND the MAIN, main one that you get from Ripplehost when you set up with them. It sure looks like it's in Ripplehost's servers, and knowing Alan, he could care less.

Anyway, can someone answer me on my original question? If I get new hosting BUT keep my domain name, will all the probs go away?
 
The way it sounds, they added your mail server's IP to the spam list, not necessarily your domain. But, since you are using their mail server to send out mail, it's being flagged because it's associated with that IP.

I would assume that you can get around this by changing hosts or finding another mail server that you can send from. Your domain should be okay.

It sounds like ripplehost had an open relay on their server and people took advantage of it.
 
Vi has it right. I USE spamcop, spamhaus, and other dnsbl's to keep the crap out of mailservers I administer, and it is done by IP address.
 
Originally posted by: skyking
Vi has it right. I USE spamcop, spamhaus, and other dnsbl's to keep the crap out of mailservers I administer, and it is done by IP address.

Good; I've got a "second opinion" that agrees with the first opinion, which I respect very much. 🙂 I do feel much better now.
 
I do not know specifically what Ripplehost uses, but most entry level Host services have one Mail server shared by the people that are on the same appliance.

Your IP is probably also a shared IP. I.e. other people on the same appliance use this IP.

It seems to me that it is RippleHost's problem; they should take care of it or switch to another Host service.

The price differential between the Entry Level services is so small that it is not worth the aggravation.

:sun:
 
Apparently, a spammer was sending from my server, which is with Ripplehost.com. 66.246.44.78

Spamhaus typically blacklists based on IP address, not domains.

I looked at your domain, and I saw that 66.246.44.78 belongs to ns1.ripplehost.com, and that 207.99.111.68 belongs to ripplehost.com. This isn't what you posted. Have you changed things since posting your question?

Also, it seems odd that your domain's name services are being handled by ns1.serverinnac.com, not your own four DNS servers (ns1, ns2, ns5 & ns6.ripplehost.com)

Regardless, I queried each of your servers listed under the *.ripplehost.com domain and did not see any running an SMTP server. I also queried your ISP's DNS servers for ripplehost's mail exchange (MX), and didn't see anything listed. This leads me to ask, do you actually use one of your own servers to send mail, or do you just run a mail program on them and then use one of serverinnac's servers as your POP/IMAP/SMTP server?

IF you are running your own SMTP server, but it's just disabled right now, a word of warning: you will have to lock it down so that nobody can use it as a relay. This is where anyone from the Internet can send mail to anyone else on the Internet using your server. If it's running properly, it should allow this:
- Anyone from the Internet can connect to it and send mail to a valid ripplehost.com user. Their FROM address should NOT be a ripplehost.com user. This is a common trick spammers use to hide their identity.
- Anyone from your network (207.99.111.68 & 66.246.44.73-79) can connect to it and send mail to any valid email address. Their FROM address MUST be a ripplehost.com user.
- Anyone from your network should be forced to use authentication to send mail outside of the ripplehost.com domain. This prevents viruses that infect one of your authorized servers from starting to spew using the SMTP server they find in Outlook.

IF you are NOT running your own SMTP server, but you are using your ISP's server, then your ISP is the one with the Spam problem. They need to clean themselves up. If they don't, find a new mail server or (after a LOT of reading and studying), start your own up.
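
The three relay rules in the post above, written out as a decision function. This is an added example, not part of the original post or any mail server's own code; the domain and trusted addresses come from the post, while `relay_decision`, `VALID_USERS` and its mailbox names are constructed for illustration.

```python
import ipaddress

LOCAL_DOMAIN = "ripplehost.com"  # domain named in the post
# Trusted hosts from the post: 207.99.111.68 and 66.246.44.73-79.
TRUSTED_NETS = [ipaddress.ip_network("207.99.111.68/32")] + list(
    ipaddress.summarize_address_range(
        ipaddress.ip_address("66.246.44.73"),
        ipaddress.ip_address("66.246.44.79"),
    )
)
# Constructed mailbox list, for illustration only.
VALID_USERS = {"postmaster@ripplehost.com", "support@ripplehost.com"}


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if malformed)."""
    local, sep, domain = addr.strip().rpartition("@")
    return domain.lower() if sep and local else ""


def relay_decision(client_ip, mail_from, rcpt_to, authenticated=False):
    """Return (accepted, reason) for one MAIL FROM / RCPT TO pair."""
    ip = ipaddress.ip_address(client_ip)
    internal = any(ip in net for net in TRUSTED_NETS)
    local_sender = _domain(mail_from) == LOCAL_DOMAIN
    local_rcpt = _domain(rcpt_to) == LOCAL_DOMAIN

    # Mail for the local domain must name a mailbox that exists.
    if local_rcpt and rcpt_to.strip().lower() not in VALID_USERS:
        return False, "unknown local recipient"
    if not internal:
        if not local_rcpt:
            return False, "relay denied"  # accepting this is an open relay
        if local_sender:
            return False, "forged local sender"  # rule 1
        return True, "inbound delivery"
    if not local_sender:
        return False, "internal sender must use local domain"  # rule 2
    if not local_rcpt and not authenticated:
        return False, "authentication required"  # rule 3
    return True, ("local delivery" if local_rcpt else "outbound relay")
```

An open relay is a server that returns an accept where this function returns "relay denied": an outside client, an outside recipient, and the message is forwarded anyway.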
 
Originally posted by: Aimster
Michael,

There are two possibilities. 1) Your computer has a Trojan, which is sending the spam 2) A spammer has your address and is spoofing/forging your address.

Run Ad-ware and check for Trojans.

Also set up a firewall that blocks all outgoing ports/applications and forces you to ask permission when you want to use the application. It will most likely point you to the problem.

2 is a classic joe job. They get your email address, or just guess it off your domain, and use it to send out spam email. Nothing you can do about it either except delete the tons of bounced email you receive.
 