Get hundreds spam every minutes

ubuy · May 22, 2006

one of my domain get hundreds spam each minutes, here is the report of the Brute Force

The remote system 59.37.80.127 was found to have exceeded acceptable login failures on quicktrack.techscape.co.id; there was 66 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 59.37.80.127 {bfd.exim}

The following are event logs from 59.37.80.127 on service exim (all time stamps are GMT +0700):

2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
2006-05-23 03:08:20 H=(lop10a.com) [59.37.80.127] F=<thomasamazon@lop10a.com> rejected RCPT <f774765c.0ecfba9@belitungisland.com>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(qon.lao.net) [59.37.80.127] F=<rknitg@qon.lao.net> rejected RCPT <c2ef9331.2846145@belitungisland.com>: Message rejected (qon.lao.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(sahkoposti.zzn.com) [59.37.80.127] F=<barle@sahkoposti.zzn.com> rejected RCPT <7195bb22.b19b060@belitungisland.com>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(chathamnc.every1.net) [59.37.80.127] F=<cisneros@chathamnc.every1.net> rejected RCPT <9fc1f1a7.cae3435@belitungisland.com>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(pokemates.com) [59.37.80.127] F=<aahme@pokemates.com> rejected RCPT <81a4bbbd.3a97e48@belitungisland.com>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(pokemates.com) [59.37.80.127] F=<aahme@pokemates.com> rejected RCPT <1221d440.7e5eef0@belitungisland.com>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(sahkoposti.zzn.com) [59.37.80.127] F=<barle@sahkoposti.zzn.com> rejected RCPT <51d02e2c.5b32646@belitungisland.com>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(lop10a.com) [59.37.80.127] F=<thomasamazon@lop10a.com> rejected RCPT <076eccc5.24c843e@belitungisland.com>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(chathamnc.every1.net) [59.37.80.127] F=<cisneros@chathamnc.every1.net> rejected RCPT <e82292fb.2c35da2@belitungisland.com>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text

Here is the another one, what should I do

F=<bfcix@cpulife.com> rejected RCPT <anesko@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <arenn@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <appeng@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:04 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <ambiens@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:05 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <alcantara@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <arnould@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <adame@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:11 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <arcega@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <aiou@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <arstar@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:13 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alchev@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:14 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <baatz@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:15 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alberda@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:16 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alkema@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <agrgivi@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <adamk@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:20 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <8sima@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:22 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <adjive@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:24 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <bajdas@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:26 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <ahrion@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:27 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <aohiro@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:28 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <artl@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text

kernow · May 23, 2006

Try banning them at your firewall. The first IP is in China so not worth making any complaint, but here's the info on it;
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 59.0.0.0 - 59.255.255.255
CIDR: 59.0.0.0/8
NetName: APNIC-59
NetHandle: NET-59-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2004-05-04
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-05-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Found a referral to whois.apnic.net.

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 59.32.0.0 - 59.42.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20040802
changed: hm-changed@apnic.net 20041123
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: lqing@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
source: APNIC

person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: ipadm@gddc.com.cn
address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
phone: +86-20-83877223
fax-no: +86-20-83877223
country: CN
changed: ipadm@gddc.com.cn 20040902
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
source: APNIC

tweakservers · May 23, 2006

apparently those domains are under dictionary attack by spams, try check on fashion-park.com domain on those rejected user if the user account do exist

the ip should have been blocked in apf since the alert is sent by your BFD.

ubuy · May 23, 2006

thanks for your help, that's right all of those ip has been blocked by APF.

and there's no username which is exist or active in that domain, and also the default was set to :fail. eventhough all spam email was rejected by dnslist_text. but the spam keep coming and cause a high load in my server.

And I'll complain to the china spam abuse organization, btw any good idea to solve my problem

thanks a lot

abubin · May 26, 2006

didn't you install MTA level blacklist on exim? That helps a lot with attacks from blacklisted IP which your attacker is using.

_Chris_ · Oct 23, 2007

kernow said: ↑

Try banning them at your firewall.
Click to expand...

New member here, so go easy on me ;-) Is there any of banning the emails at your firewall if you are on shared servers please ?

What I would really like to do is to automatically delete all emails from China and Russia, so that I never have to even see them.

Any help appreciated.

Chris

cPanelDavidG · Oct 23, 2007

_Chris_ said: ↑

New member here, so go easy on me ;-) Is there any of banning the emails at your firewall if you are on shared servers please ?

What I would really like to do is to automatically delete all emails from China and Russia, so that I never have to even see them.

Any help appreciated.

Chris
Click to expand...

If you are on cPanel 11 with the X3 theme, go to the cPanel interface, in the Mail feature block click Account Level Filtering. You can create a filter for addresses ending in .cn or .ru and set the action to Fail with message to have the mail blocked at SMTP time.

If you do not see this, contact your hosting provider .

_Chris_ · Oct 23, 2007

cPanelDavidG said: ↑

If you are on cPanel 11 with the X3 theme, go to the cPanel interface, in the Mail feature block click Account Level Filtering. You can create a filter for addresses ending in .cn or .ru and set the action to Fail with message to have the mail blocked at SMTP time.

If you do not see this, contact your hosting provider .
Click to expand...

Many, many thanks David, I've been all round the internet over the last few months trying to get success with this, with no success so far, but hopefully, this will be it.

Ok, I've looked and it isn't there, in fact, my cPanel is cPanel X v2.6.0, but before I go to the webhosts, could you please just confirm that I should be able to do this, even if I am on shared servers and would my webhosts have any excuse for not installing this for me ?

The helps appreciated.

Chris.

cPanelDavidG · Oct 23, 2007

_Chris_ said: ↑

Many, many thanks David, I've been all round the internet over the last few months trying to get success with this, with no success so far, but hopefully, this will be it.

Ok, I've looked and it isn't there, in fact, my cPanel is cPanel X v2.6.0, but before I go to the webhosts, could you please just confirm that I should be able to do this, even if I am on shared servers and would my webhosts have any excuse for not installing this for me ?

The helps appreciated.

Chris.
Click to expand...

2.6.0 is the version of the X theme. X is an old theme (from cPanel 10 and earlier) and really should no longer be used. The X3 theme is designed for cPanel 11 and as such is recommended for use on cPanel 11 machines.

Web hosting providers can enable/disable any functionality of our software. If you are shopping around for a host, it wouldn't hurt to ask if they have this functionality enabled and they are using X3.

_Chris_ · Oct 24, 2007

cPanelDavidG said: ↑

2.6.0 is the version of the X theme. X is an old theme (from cPanel 10 and earlier) and really should no longer be used. The X3 theme is designed for cPanel 11 and as such is recommended for use on cPanel 11 machines.

Web hosting providers can enable/disable any functionality of our software. If you are shopping around for a host, it wouldn't hurt to ask if they have this functionality enabled and they are using X3.
Click to expand...

The response just received from the hosts :

"11 is still not stable - we should wait for more stable version."

wmiles · Oct 24, 2007

You should go see Chirpy at http://www.configserver.com he does a cpanel service which is brilliant, he'll check over the system, install firewalls and also mailscanner if your not using it. and the pricing is bang on.

by the way i dont work with him, just one of his customers....

mctDarren · Oct 24, 2007

wmiles said: ↑

You should go see Chirpy at http://www.configserver.com he does a cpanel service which is brilliant, he'll check over the system, install firewalls and also mailscanner if your not using it. and the pricing is bang on
Click to expand...

Since Chris doesn't own this system and is hosted by a third party Chirpy won't be able to do a thing, sadly (I'm a customer myself and highly recommend them). Seems his host is stuck on cPanel 10 for some reason. "It isn't stable" usually is code for "we're too lazy to go to the trouble of upgrading", though it can be complex and troublesome on boxes hosting hundreds of users.

Chris, my advice is to ask them if they are willing to work with you at the box's firewall level by writing some custom rules for you. Most hosts will probably resist this since your blocking IPs may result in others on the box having troubles because of it. However it never hurts to ask. If not, might be time to find a new more accomodating host or even go the way of a VPS so you have total control.

Good luck and welcome to the forums.

_Chris_ · Oct 24, 2007

serversphere said: ↑

Since Chris doesn't own this system and is hosted by a third party Chirpy won't be able to do a thing, sadly (I'm a customer myself and highly recommend them). Seems his host is stuck on cPanel 10 for some reason. "It isn't stable" usually is code for "we're too lazy to go to the trouble of upgrading", though it can be complex and troublesome on boxes hosting hundreds of users.

Chris, my advice is to ask them if they are willing to work with you at the box's firewall level by writing some custom rules for you. Most hosts will probably resist this since your blocking IPs may result in others on the box having troubles because of it. However it never hurts to ask. If not, might be time to find a new more accomodating host or even go the way of a VPS so you have total control.

Good luck and welcome to the forums.
Click to expand...

Many thanks for the quick input on this - it's appreciated. The friendly welcome was appreciated as well

Have I read it right, that on the link below, it's saying that the stable version won't be out until the 21st of November.

http://www.cpanel.net/products/cPanelandWHM/linux/cpanel11/index.html

Is a VPS easy to setup ?

Chris.

cPanelDavidG · Oct 24, 2007

_Chris_ said: ↑

Many thanks for the quick input on this - it's appreciated. The friendly welcome was appreciated as well

Have I read it right, that on the link below, it's saying that the stable version won't be out until the 21st of November.

http://www.cpanel.net/products/cPanelandWHM/linux/cpanel11/index.html

Is a VPS easy to setup ?

Chris.
Click to expand...

cPanel 11 is already in STABLE and has been for some time. The date you are seeing is for cPanel 11 Stage 2 entering STABLE.

To install cPanel/WHM on a VPS is the same as installing it on a dedicated server.

hostyasui · Oct 26, 2007

Cpanel reseller hosting

How about this site.
http://www.hostyasui.com

_Chris_ · Oct 27, 2007

cPanelDavidG said: ↑

cPanel 11 is already in STABLE and has been for some time. The date you are seeing is for cPanel 11 Stage 2 entering STABLE.

To install cPanel/WHM on a VPS is the same as installing it on a dedicated server.
Click to expand...

Many thanks David, the quick, helpful input is appreciated.

Chris.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Get hundreds spam every minutes

ubuy Member

kernow Well-Known Member

tweakservers Well-Known Member

ubuy Member

abubin Well-Known Member

_Chris_ Well-Known Member

cPanelDavidG Technical Product Specialist

_Chris_ Well-Known Member

cPanelDavidG Technical Product Specialist

_Chris_ Well-Known Member

wmiles Member

mctDarren Well-Known Member

_Chris_ Well-Known Member

cPanelDavidG Technical Product Specialist

hostyasui Registered

_Chris_ Well-Known Member

Hundreds of failed root access each day

Hundreds of Excessive Resource Usage emails from lfd despite setting low memory

New Thread Why is SpamBox not enabled by default?

SOLVED DKIM for 'root' user, to avoid emails going to spam

Emails Bypassing RBL Reject and SpamAssassin Bounce

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Get hundreds spam every minutes

ubuy Member

kernow Well-Known Member

tweakservers Well-Known Member

ubuy Member

abubin Well-Known Member

_Chris_ Well-Known Member

cPanelDavidG Technical Product Specialist

_Chris_ Well-Known Member

cPanelDavidG Technical Product Specialist

_Chris_ Well-Known Member

wmiles Member

mctDarren Well-Known Member

_Chris_ Well-Known Member

cPanelDavidG Technical Product Specialist

hostyasui Registered

_Chris_ Well-Known Member

Hundreds of failed root access each day

Hundreds of Excessive Resource Usage emails from lfd despite setting low memory

New Thread Why is SpamBox not enabled by default?

SOLVED DKIM for 'root' user, to avoid emails going to spam

Emails Bypassing RBL Reject and SpamAssassin Bounce

Share This Page