The Community Forums


Get hundreds of spam every minute

Discussion in 'Database Discussions' started by ubuy, May 22, 2006.

  1. ubuy

    ubuy Member

    Joined:
    Jan 5, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    One of my domains gets hundreds of spam messages each minute. Here is the Brute Force report:


    The remote system 59.37.80.127 was found to have exceeded acceptable login failures on quicktrack.techscape.co.id; there was 66 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

    Executed ban command:
    /etc/apf/apf -d 59.37.80.127 {bfd.exim}

    The following are event logs from 59.37.80.127 on service exim (all time stamps are GMT +0700):

    2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:20 H=(lop10a.com) [59.37.80.127] F=<thomasamazon@lop10a.com> rejected RCPT <f774765c.0ecfba9@belitungisland.com>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(qon.lao.net) [59.37.80.127] F=<rknitg@qon.lao.net> rejected RCPT <c2ef9331.2846145@belitungisland.com>: Message rejected (qon.lao.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(sahkoposti.zzn.com) [59.37.80.127] F=<barle@sahkoposti.zzn.com> rejected RCPT <7195bb22.b19b060@belitungisland.com>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(chathamnc.every1.net) [59.37.80.127] F=<cisneros@chathamnc.every1.net> rejected RCPT <9fc1f1a7.cae3435@belitungisland.com>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(pokemates.com) [59.37.80.127] F=<aahme@pokemates.com> rejected RCPT <81a4bbbd.3a97e48@belitungisland.com>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(pokemates.com) [59.37.80.127] F=<aahme@pokemates.com> rejected RCPT <1221d440.7e5eef0@belitungisland.com>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(sahkoposti.zzn.com) [59.37.80.127] F=<barle@sahkoposti.zzn.com> rejected RCPT <51d02e2c.5b32646@belitungisland.com>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(lop10a.com) [59.37.80.127] F=<thomasamazon@lop10a.com> rejected RCPT <076eccc5.24c843e@belitungisland.com>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(chathamnc.every1.net) [59.37.80.127] F=<cisneros@chathamnc.every1.net> rejected RCPT <e82292fb.2c35da2@belitungisland.com>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text


    Here is another one. What should I do?



    F=<bfcix@cpulife.com> rejected RCPT <anesko@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <arenn@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <appeng@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:04 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <ambiens@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:05 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <alcantara@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <arnould@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <adame@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:11 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <arcega@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <aiou@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <arstar@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:13 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alchev@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:14 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <baatz@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:15 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alberda@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:16 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alkema@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <agrgivi@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <adamk@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:20 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <8sima@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:22 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <adjive@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:24 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <bajdas@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:26 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <ahrion@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:27 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <aohiro@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:28 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <artl@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
     
  2. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Try banning them at your firewall. The first IP is in China, so it's not worth making any complaint, but here's the info on it:
    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: 59.0.0.0 - 59.255.255.255
    CIDR: 59.0.0.0/8
    NetName: APNIC-59
    NetHandle: NET-59-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: NS.LACNIC.NET
    NameServer: NS-SEC.RIPE.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    RegDate: 2004-05-04
    Updated: 2005-05-20

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100
    OrgTechEmail: search-apnic-not-arin@apnic.net

    # ARIN WHOIS database, last updated 2006-05-22 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.


    Found a referral to whois.apnic.net.

    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 59.32.0.0 - 59.42.255.255
    netname: CHINANET-GD
    descr: CHINANET Guangdong province network
    descr: China Telecom
    descr: No.31,jingrong street
    descr: Beijing 100032
    country: CN
    admin-c: CH93-AP
    tech-c: IC83-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CHINANET-GD
    status: ALLOCATED PORTABLE
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed: hm-changed@apnic.net 20040802
    changed: hm-changed@apnic.net 20041123
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: lqing@chinatelecom.com.cn 20051212
    mnt-by: MAINT-CHINANET
    source: APNIC

    person: IPMASTER CHINANET-GD
    nic-hdl: IC83-AP
    e-mail: ipadm@gddc.com.cn
    address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
    phone: +86-20-83877223
    fax-no: +86-20-83877223
    country: CN
    changed: ipadm@gddc.com.cn 20040902
    mnt-by: MAINT-CHINANET-GD
    remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
    source: APNIC
     
  3. tweakservers

    tweakservers Well-Known Member

    Joined:
    Mar 30, 2006
    Messages:
    379
    Likes Received:
    0
    Trophy Points:
    16
    Apparently those domains are under a dictionary attack by spammers. Try checking on the fashion-park.com domain whether the user accounts for those rejected recipients actually exist.

    The IP should have been blocked in APF, since the alert is sent by your BFD.
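The check suggested here (do the rejected recipients exist at all?) and the BFD report excerpt in the first post both call for the same thing: parsing Exim's "rejected RCPT" lines and deciding, per source IP, whether the pattern is a dictionary attack. The script below is an added example, not code from the thread or from cPanel/BFD/APF. The log lines in it are constructed to match the format in the thread but use documentation IP ranges and example.com addresses; the valid-mailbox list, the threshold of five unknown recipients and the 60-second window are assumptions to be tuned per server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the DNSBL "rejected RCPT" lines shown in the thread's BFD report.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: "
    r"Message rejected .*? is blacklisted at (?P<dnsbl>\S+)"
)

# Constructed sample log (documentation IPs, example.com), not real data from the thread.
SAMPLE_LOG = """\
2006-05-23 03:05:03 no host name found for IP address 192.0.2.10
2006-05-23 03:05:03 H=(4D169008) [192.0.2.10] F=<bfcix@example.org> rejected RCPT <anesko@example.com>: Message rejected (4D169008) [192.0.2.10] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:04 H=(4D169008) [192.0.2.10] F=<bfcix@example.org> rejected RCPT <arenn@example.com>: Message rejected (4D169008) [192.0.2.10] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:05 H=(4D169008) [192.0.2.10] F=<bfcix@example.org> rejected RCPT <appeng@example.com>: Message rejected (4D169008) [192.0.2.10] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:07 H=(4D169008) [192.0.2.10] F=<xyz@example.net> rejected RCPT <ambiens@example.com>: Message rejected (4D169008) [192.0.2.10] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:09 H=(4D169008) [192.0.2.10] F=<xyz@example.net> rejected RCPT <alcantara@example.com>: Message rejected (4D169008) [192.0.2.10] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:11 H=(4D169008) [192.0.2.10] F=<xyz@example.net> rejected RCPT <adame@example.com>: Message rejected (4D169008) [192.0.2.10] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:07:30 H=(mail.example.net) [198.51.100.5] F=<bob@example.net> rejected RCPT <sales@example.com>: Message rejected (mail.example.net) [198.51.100.5] is blacklisted at cbl.abuseat.org see dnslist_text
"""

# Assumed list of mailboxes that really exist on the domain (lowercase full addresses).
VALID_MAILBOXES = {"sales@example.com", "info@example.com"}


def parse_line(line):
    """Return a dict for a DNSBL 'rejected RCPT' line, or None for any other
    line (e.g. 'no host name found ...', which carries no recipient)."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["rcpt"] = rec["rcpt"].lower()
    return rec


def analyze(lines, valid_mailboxes, min_unknown=5, window_seconds=60):
    """Group rejections by source IP and flag a dictionary attack: many distinct
    recipients that do not exist on the server, all within a short window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        rcpts = {r["rcpt"] for r in recs}
        unknown = {r for r in rcpts if r not in valid_mailboxes}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        report[ip] = {
            "attempts": len(recs),
            "distinct_recipients": len(rcpts),
            "unknown_recipients": len(unknown),
            "senders": sorted({r["sender"] for r in recs}),
            "dnsbls": sorted({r["dnsbl"] for r in recs}),
            "span_seconds": span,
            "dictionary_attack": len(unknown) >= min_unknown and span <= window_seconds,
        }
    return report


def ban_command(ip):
    """The same APF deny command BFD executed in the thread's report."""
    return f"/etc/apf/apf -d {ip} {{bfd.exim}}"


def sample_report():
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines(), VALID_MAILBOXES)


if __name__ == "__main__":
    for ip, r in sample_report().items():
        verdict = "DICTIONARY ATTACK" if r["dictionary_attack"] else "ok"
        print(f"{ip}: {r['attempts']} attempts, {r['unknown_recipients']} unknown "
              f"recipients in {r['span_seconds']:.0f}s via {', '.join(r['dnsbls'])} -> {verdict}")
        if r["dictionary_attack"]:
            print("  suggested:", ban_command(ip))
```

Run it against a real /var/log/exim_mainlog slice by passing the file's lines to analyze() with the domain's real mailbox list; the "unknown recipients" count is what distinguishes a harvesting run from one blacklisted host mailing a real user, which is the distinction the post above asks the original poster to make.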
     
  4. ubuy

    ubuy Member

    Joined:
    Jan 5, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your help. That's right, all of those IPs have been blocked by APF.

    And there's no username that exists or is active in that domain, and also the default address was set to :fail. Even though all the spam email was rejected by dnslist_text, the spam keeps coming and causes a high load on my server.

    And I'll complain to the China spam abuse organization. BTW, any good idea to solve my problem? :eek: :eek:

    thanks a lot :)
     
  5. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Didn't you install an MTA-level blacklist on Exim? That helps a lot with attacks from blacklisted IPs, which your attacker is using.
     
  6. _Chris_

    _Chris_ Active Member

    Joined:
    Oct 22, 2007
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    New member here, so go easy on me ;-) Is there any way of banning the emails at your firewall if you are on shared servers, please?

    What I would really like to do is to automatically delete all emails from China and Russia, so that I never have to even see them.

    Any help appreciated.

    Chris
     
  7. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    If you are on cPanel 11 with the X3 theme, go to the cPanel interface, in the Mail feature block click Account Level Filtering. You can create a filter for addresses ending in .cn or .ru and set the action to Fail with message to have the mail blocked at SMTP time.

    If you do not see this, contact your hosting provider :).
     
  8. _Chris_

    _Chris_ Active Member

    Joined:
    Oct 22, 2007
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    Many, many thanks, David. I've been all round the internet over the last few months trying to get success with this, with no success so far, but hopefully this will be it.

    OK, I've looked and it isn't there; in fact, my cPanel is cPanel X v2.6.0. But before I go to the web hosts, could you please just confirm that I should be able to do this, even if I am on shared servers, and would my web hosts have any excuse for not installing this for me?

    The help's appreciated.

    Chris.
     
    #8 _Chris_, Oct 23, 2007
    Last edited: Oct 23, 2007
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    2.6.0 is the version of the X theme. X is an old theme (from cPanel 10 and earlier) and really should no longer be used. The X3 theme is designed for cPanel 11 and as such is recommended for use on cPanel 11 machines.

    Web hosting providers can enable/disable any functionality of our software. If you are shopping around for a host, it wouldn't hurt to ask if they have this functionality enabled and they are using X3.
     
  10. _Chris_

    _Chris_ Active Member

    Joined:
    Oct 22, 2007
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    The response just received from the hosts:

    "11 is still not stable - we should wait for more stable version."
     
  11. wmiles

    wmiles Member

    Joined:
    Sep 6, 2005
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    You should go see Chirpy at http://www.configserver.com. He does a cPanel service which is brilliant: he'll check over the system, install firewalls and also MailScanner if you're not using it, and the pricing is bang on.

    By the way, I don't work with him, just one of his customers....
     
  12. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Since Chris doesn't own this system and is hosted by a third party Chirpy won't be able to do a thing, sadly (I'm a customer myself and highly recommend them). Seems his host is stuck on cPanel 10 for some reason. "It isn't stable" usually is code for "we're too lazy to go to the trouble of upgrading", though it can be complex and troublesome on boxes hosting hundreds of users.

    Chris, my advice is to ask them if they are willing to work with you at the box's firewall level by writing some custom rules for you. Most hosts will probably resist this, since your blocking IPs may result in others on the box having troubles because of it. However, it never hurts to ask. If not, it might be time to find a new, more accommodating host or even go the way of a VPS so you have total control.

    Good luck and welcome to the forums.
     
  13. _Chris_

    _Chris_ Active Member

    Joined:
    Oct 22, 2007
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    Many thanks for the quick input on this - it's appreciated. The friendly welcome was appreciated as well :)

    Have I read it right, that on the link below, it's saying that the stable version won't be out until the 21st of November?

    http://www.cpanel.net/products/cPanelandWHM/linux/cpanel11/index.html

    Is a VPS easy to set up?

    Chris.
     
  14. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    cPanel 11 is already in STABLE and has been for some time. The date you are seeing is for cPanel 11 Stage 2 entering STABLE.

    To install cPanel/WHM on a VPS is the same as installing it on a dedicated server.
     
  15. hostyasui

    hostyasui Registered

    Joined:
    Feb 19, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Kathmandu,Nepal
  16. _Chris_

    _Chris_ Active Member

    Joined:
    Oct 22, 2007
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    Many thanks David, the quick, helpful input is appreciated.

    Chris.
     