The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Get hundreds spam every minutes

Discussion in 'Database Discussions' started by ubuy, May 22, 2006.

  1. ubuy

    ubuy Member

    Joined:
    Jan 5, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    151
    one of my domain get hundreds spam each minutes, here is the report of the Brute Force


    The remote system 59.37.80.127 was found to have exceeded acceptable login failures on quicktrack.techscape.co.id; there was 66 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

    Executed ban command:
    /etc/apf/apf -d 59.37.80.127 {bfd.exim}

    The following are event logs from 59.37.80.127 on service exim (all time stamps are GMT +0700):

    2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
    2006-05-23 03:08:20 H=(lop10a.com) [59.37.80.127] F=<thomasamazon@lop10a.com> rejected RCPT <f774765c.0ecfba9@belitungisland.com>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(qon.lao.net) [59.37.80.127] F=<rknitg@qon.lao.net> rejected RCPT <c2ef9331.2846145@belitungisland.com>: Message rejected (qon.lao.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(sahkoposti.zzn.com) [59.37.80.127] F=<barle@sahkoposti.zzn.com> rejected RCPT <7195bb22.b19b060@belitungisland.com>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(chathamnc.every1.net) [59.37.80.127] F=<cisneros@chathamnc.every1.net> rejected RCPT <9fc1f1a7.cae3435@belitungisland.com>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:20 H=(pokemates.com) [59.37.80.127] F=<aahme@pokemates.com> rejected RCPT <81a4bbbd.3a97e48@belitungisland.com>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(pokemates.com) [59.37.80.127] F=<aahme@pokemates.com> rejected RCPT <1221d440.7e5eef0@belitungisland.com>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(sahkoposti.zzn.com) [59.37.80.127] F=<barle@sahkoposti.zzn.com> rejected RCPT <51d02e2c.5b32646@belitungisland.com>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(lop10a.com) [59.37.80.127] F=<thomasamazon@lop10a.com> rejected RCPT <076eccc5.24c843e@belitungisland.com>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
    2006-05-23 03:08:21 H=(chathamnc.every1.net) [59.37.80.127] F=<cisneros@chathamnc.every1.net> rejected RCPT <e82292fb.2c35da2@belitungisland.com>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text


    Here is the another one, what should I do



    F=<bfcix@cpulife.com> rejected RCPT <anesko@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <arenn@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <appeng@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:04 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <ambiens@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:05 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <alcantara@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <arnould@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<bfcix@cpulife.com> rejected RCPT <adame@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:11 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <arcega@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <aiou@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <arstar@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:13 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alchev@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:14 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <baatz@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:15 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alberda@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:16 H=(4D169008) [80.73.221.149] F=<mpyahzdsqinr@webtv.net> rejected RCPT <alkema@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <agrgivi@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <adamk@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:20 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <8sima@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:22 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <adjive@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:24 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <bajdas@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:26 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <ahrion@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:27 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <aohiro@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
    2006-05-23 03:05:28 H=(4D169008) [80.73.221.149] F=<wwymr@latinet.net> rejected RCPT <artl@fashion-park.com>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
     
    #1 ubuy, May 22, 2006
  2. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    897
    Likes Received:
    12
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Try banning them at your firewall. The first IP is in China so not worth making any complaint, but here's the info on it;
    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: 59.0.0.0 - 59.255.255.255
    CIDR: 59.0.0.0/8
    NetName: APNIC-59
    NetHandle: NET-59-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: NS.LACNIC.NET
    NameServer: NS-SEC.RIPE.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    RegDate: 2004-05-04
    Updated: 2005-05-20

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100
    OrgTechEmail: search-apnic-not-arin@apnic.net

    # ARIN WHOIS database, last updated 2006-05-22 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.


    Found a referral to whois.apnic.net.

    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 59.32.0.0 - 59.42.255.255
    netname: CHINANET-GD
    descr: CHINANET Guangdong province network
    descr: China Telecom
    descr: No.31,jingrong street
    descr: Beijing 100032
    country: CN
    admin-c: CH93-AP
    tech-c: IC83-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CHINANET-GD
    status: ALLOCATED PORTABLE
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed: hm-changed@apnic.net 20040802
    changed: hm-changed@apnic.net 20041123
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: lqing@chinatelecom.com.cn 20051212
    mnt-by: MAINT-CHINANET
    source: APNIC

    person: IPMASTER CHINANET-GD
    nic-hdl: IC83-AP
    e-mail: ipadm@gddc.com.cn
    address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
    phone: +86-20-83877223
    fax-no: +86-20-83877223
    country: CN
    changed: ipadm@gddc.com.cn 20040902
    mnt-by: MAINT-CHINANET-GD
    remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
    source: APNIC
     
    #2 kernow, May 23, 2006
  3. tweakservers

    tweakservers Well-Known Member

    Joined:
    Mar 30, 2006
    Messages:
    379
    Likes Received:
    0
    Trophy Points:
    166
    apparently those domains are under dictionary attack by spams, try check on fashion-park.com domain on those rejected user if the user account do exist

    the ip should have been blocked in apf since the alert is sent by your BFD.
     
    #3 tweakservers, May 23, 2006
  4. ubuy

    ubuy Member

    Joined:
    Jan 5, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    151
    thanks for your help, that's right all of those ip has been blocked by APF.

    and there's no username which is exist or active in that domain, and also the default was set to :fail. eventhough all spam email was rejected by dnslist_text. but the spam keep coming and cause a high load in my server.

    And I'll complain to the china spam abuse organization, btw any good idea to solve my problem :eek: :eek:

    thanks a lot :)
     
    #4 ubuy, May 23, 2006
  5. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    402
    Likes Received:
    3
    Trophy Points:
    168
    didn't you install MTA level blacklist on exim? That helps a lot with attacks from blacklisted IP which your attacker is using.
     
    #5 abubin, May 26, 2006
  6. _Chris_

    _Chris_ Well-Known Member

    Joined:
    Oct 22, 2007
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    New member here, so go easy on me ;-) Is there any of banning the emails at your firewall if you are on shared servers please ?

    What I would really like to do is to automatically delete all emails from China and Russia, so that I never have to even see them.

    Any help appreciated.

    Chris
     
    #6 _Chris_, Oct 23, 2007
  7. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,277
    Likes Received:
    9
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    If you are on cPanel 11 with the X3 theme, go to the cPanel interface, in the Mail feature block click Account Level Filtering. You can create a filter for addresses ending in .cn or .ru and set the action to Fail with message to have the mail blocked at SMTP time.

    If you do not see this, contact your hosting provider :).
     
    #7 cPanelDavidG, Oct 23, 2007
  8. _Chris_

    _Chris_ Well-Known Member

    Joined:
    Oct 22, 2007
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    Many, many thanks David, I've been all round the internet over the last few months trying to get success with this, with no success so far, but hopefully, this will be it.

    Ok, I've looked and it isn't there, in fact, my cPanel is cPanel X v2.6.0, but before I go to the webhosts, could you please just confirm that I should be able to do this, even if I am on shared servers and would my webhosts have any excuse for not installing this for me ?

    The helps appreciated.

    Chris.
     
    #8 _Chris_, Oct 23, 2007
    Last edited: Oct 23, 2007
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,277
    Likes Received:
    9
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    2.6.0 is the version of the X theme. X is an old theme (from cPanel 10 and earlier) and really should no longer be used. The X3 theme is designed for cPanel 11 and as such is recommended for use on cPanel 11 machines.

    Web hosting providers can enable/disable any functionality of our software. If you are shopping around for a host, it wouldn't hurt to ask if they have this functionality enabled and they are using X3.
     
    #9 cPanelDavidG, Oct 23, 2007
  10. _Chris_

    _Chris_ Well-Known Member

    Joined:
    Oct 22, 2007
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    The response just received from the hosts :

    "11 is still not stable - we should wait for more stable version."
     
    #10 _Chris_, Oct 24, 2007
  11. wmiles

    wmiles Member

    Joined:
    Sep 6, 2005
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    151
    You should go see Chirpy at http://www.configserver.com he does a cpanel service which is brilliant, he'll check over the system, install firewalls and also mailscanner if your not using it. and the pricing is bang on.

    by the way i dont work with him, just one of his customers....
     
    #11 wmiles, Oct 24, 2007
  12. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Since Chris doesn't own this system and is hosted by a third party Chirpy won't be able to do a thing, sadly (I'm a customer myself and highly recommend them). Seems his host is stuck on cPanel 10 for some reason. "It isn't stable" usually is code for "we're too lazy to go to the trouble of upgrading", though it can be complex and troublesome on boxes hosting hundreds of users.

    Chris, my advice is to ask them if they are willing to work with you at the box's firewall level by writing some custom rules for you. Most hosts will probably resist this since your blocking IPs may result in others on the box having troubles because of it. However it never hurts to ask. If not, might be time to find a new more accomodating host or even go the way of a VPS so you have total control.

    Good luck and welcome to the forums.
     
    #12 mctDarren, Oct 24, 2007
  13. _Chris_

    _Chris_ Well-Known Member

    Joined:
    Oct 22, 2007
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    Many thanks for the quick input on this - it's appreciated. The friendly welcome was appreciated as well :)

    Have I read it right, that on the link below, it's saying that the stable version won't be out until the 21st of November.

    http://www.cpanel.net/products/cPanelandWHM/linux/cpanel11/index.html

    Is a VPS easy to setup ?

    Chris.
     
    #13 _Chris_, Oct 24, 2007
  14. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,277
    Likes Received:
    9
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    cPanel 11 is already in STABLE and has been for some time. The date you are seeing is for cPanel 11 Stage 2 entering STABLE.

    To install cPanel/WHM on a VPS is the same as installing it on a dedicated server.
     
    #14 cPanelDavidG, Oct 24, 2007
  15. hostyasui

    hostyasui Registered

    Joined:
    Feb 19, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Kathmandu,Nepal
    #15 hostyasui, Oct 26, 2007
  16. _Chris_

    _Chris_ Well-Known Member

    Joined:
    Oct 22, 2007
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    Many thanks David, the quick, helpful input is appreciated.

    Chris.
     
    #16 _Chris_, Oct 27, 2007
(You must log in or sign up to post here.)
Loading...
Similar Threads - hundreds spam every
  1. Colm Troy

    Hundreds of Excessive Resource Usage emails from lfd despite setting low memory

    Colm Troy, Jun 27, 2017, in forum: General Discussion
    Replies:
    2
    Views:
    185
    Colm Troy
    Jun 27, 2017
  2. morteza

    Apache log files growing to hundreds of gigabytes

    morteza, Mar 18, 2016, in forum: General Discussion
    Replies:
    2
    Views:
    453
    cPanelMichael
    Mar 20, 2016
  3. Ricardo Mecca

    Scoring SPAM cPanel

    Ricardo Mecca, Aug 19, 2017 at 8:39 AM, in forum: E-mail Discussions
    Replies:
    1
    Views:
    43
    cPanelMichael
    Aug 21, 2017 at 10:53 AM
  4. silverbytes

    SpamAssassin Subject in Whitelist question

    silverbytes, Aug 16, 2017 at 7:29 AM, in forum: E-mail Discussions
    Replies:
    1
    Views:
    42
    cPanelMichael
    Aug 16, 2017 at 10:09 AM
  5. antiqued4

    Identify account sending spam?

    antiqued4, Aug 14, 2017, in forum: E-mail Discussions
    Replies:
    2
    Views:
    60
    cPanelMichael
    Aug 14, 2017

Share This Page