Getting hundreds of spam messages every minute

ubuy

Member
Jan 5, 2005
One of my domains gets hundreds of spam messages each minute. Here is the report from Brute Force:


The remote system 59.37.80.127 was found to have exceeded acceptable login failures on quicktrack.techscape.co.id; there was 66 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 59.37.80.127 {bfd.exim}

The following are event logs from 59.37.80.127 on service exim (all time stamps are GMT +0700):

2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
2006-05-23 03:08:13 no host name found for IP address 59.37.80.127
2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
2006-05-23 03:08:16 no host name found for IP address 59.37.80.127
2006-05-23 03:08:20 H=(lop10a.com) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(qon.lao.net) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (qon.lao.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(sahkoposti.zzn.com) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(chathamnc.every1.net) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:20 H=(pokemates.com) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(pokemates.com) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(sahkoposti.zzn.com) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(lop10a.com) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text
2006-05-23 03:08:21 H=(chathamnc.every1.net) [59.37.80.127] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (chathamnc.every1.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text


Here is another one. What should I do?



F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:04 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:05 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:07 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:11 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:12 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:13 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:14 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:15 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:16 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:19 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:20 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:22 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:24 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:26 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:27 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
2006-05-23 03:05:28 H=(4D169008) [80.73.221.149] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text
 

kernow

Well-Known Member
Jul 23, 2004
cPanel Access Level
Root Administrator
Try banning them at your firewall. The first IP is in China, so it's not worth making any complaint, but here's the info on it:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 59.0.0.0 - 59.255.255.255
CIDR: 59.0.0.0/8
NetName: APNIC-59
NetHandle: NET-59-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2004-05-04
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2006-05-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to whois.apnic.net.

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 59.32.0.0 - 59.42.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20040802
changed: [email protected] 20041123
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: [email protected]
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: [email protected] 20051212
mnt-by: MAINT-CHINANET
source: APNIC

person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: [email protected]
address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
phone: +86-20-83877223
fax-no: +86-20-83877223
country: CN
changed: [email protected] 20040902
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam complaint to [email protected]
source: APNIC
 

tweakservers

Well-Known Member
Mar 30, 2006
Apparently those domains are under a dictionary attack by spammers. Try checking on the fashion-park.com domain whether the rejected user accounts actually exist.

The IP should have been blocked in APF, since the alert was sent by your BFD.
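As an added example (not code from the thread, BFD or any cPanel tool), the following Python parses reject-log lines in the format quoted above and summarises, per source IP, how many RCPTs were refused, over what time span, by which DNSBL, and how many distinct recipients were probed, which is the dictionary-attack signature tweakservers points at. The sample lines, mailbox addresses and thresholds are constructed; the IPs and HELO names are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim reject-log line as quoted in the thread: <date> <time> H=(<helo>) [<ip>] F=<sender> rejected RCPT <rcpt>: <reason>
RCPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=(?:\S+ )?\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[\d.]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)
DNSBL_RE = re.compile(r"is blacklisted at (?P<dnsbl>\S+)")

def parse_line(line):
    """Dict for a rejected-RCPT line; None for other lines (e.g. 'no host name found')."""
    m = RCPT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    d = DNSBL_RE.search(rec["reason"])
    rec["dnsbl"] = d.group("dnsbl") if d else None
    return rec

def summarize(lines, min_events=5, window_s=60, min_distinct=3):
    """Per source IP: 'burst' is a BFD-style threshold (min_events within window_s);
    'likely_dictionary' flags one IP probing many distinct recipients (constructed thresholds)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rcpts = {r["rcpt"] for r in recs}
        report[ip] = {
            "events": len(recs),
            "span_s": span,
            "distinct_rcpts": len(rcpts),
            "dnsbls": sorted({r["dnsbl"] for r in recs if r["dnsbl"]}),
            "burst": len(recs) >= min_events and span <= window_s,
            "likely_dictionary": len(rcpts) >= min_distinct,
        }
    return report

# Constructed sample in the thread's format; mailbox addresses are placeholders (the originals were redacted).
SAMPLE_LINES = [
    "2006-05-23 03:08:20 H=(lop10a.com) [59.37.80.127] F=<a@lop10a.com> rejected RCPT <alice@example.invalid>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text",
    "2006-05-23 03:08:20 H=(qon.lao.net) [59.37.80.127] F=<b@lao.net> rejected RCPT <bob@example.invalid>: Message rejected (qon.lao.net) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text",
    "2006-05-23 03:08:21 H=(pokemates.com) [59.37.80.127] F=<c@pokemates.com> rejected RCPT <carol@example.invalid>: Message rejected (pokemates.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text",
    "2006-05-23 03:08:21 H=(lop10a.com) [59.37.80.127] F=<a@lop10a.com> rejected RCPT <dave@example.invalid>: Message rejected (lop10a.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text",
    "2006-05-23 03:08:25 H=(sahkoposti.zzn.com) [59.37.80.127] F=<d@zzn.com> rejected RCPT <erin@example.invalid>: Message rejected (sahkoposti.zzn.com) [59.37.80.127] is blacklisted at cbl.abuseat.org see dnslist_text",
    "2006-05-23 03:05:03 H=(4D169008) [80.73.221.149] F=<x@example.invalid> rejected RCPT <frank@example.invalid>: Message rejected (4D169008) [80.73.221.149] is blacklisted at bl.spamcop.net see dnslist_text",
]
```

Running `summarize(SAMPLE_LINES)` reports 59.37.80.127 as a burst of five rejections in five seconds against five different recipients, while 80.73.221.149 shows a single rejection and trips neither flag.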
 

ubuy

Member
Jan 5, 2005
Thanks for your help; that's right, all of those IPs have been blocked by APF.

And there's no username that exists or is active in that domain, and also the default was set to :fail. Even though all the spam email was rejected by dnslist_text, the spam keeps coming and causes a high load on my server.

And I'll complain to the China spam abuse organization. BTW, any good ideas to solve my problem? :eek: :eek:

Thanks a lot :)
 

abubin

Well-Known Member
Dec 7, 2004
Didn't you install an MTA-level blacklist on Exim? That helps a lot with attacks from blacklisted IPs, which your attacker is using.
 

_Chris_

Well-Known Member
Oct 22, 2007
> Try banning them at your firewall.

New member here, so go easy on me ;-) Is there any way of banning the emails at your firewall if you are on shared servers, please?

What I would really like to do is to automatically delete all emails from China and Russia, so that I never have to even see them.

Any help appreciated.

Chris
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level
Root Administrator
> New member here, so go easy on me ;-) Is there any way of banning the emails at your firewall if you are on shared servers, please?
>
> What I would really like to do is to automatically delete all emails from China and Russia, so that I never have to even see them.
>
> Any help appreciated.
>
> Chris

If you are on cPanel 11 with the X3 theme, go to the cPanel interface, in the Mail feature block click Account Level Filtering. You can create a filter for addresses ending in .cn or .ru and set the action to Fail with message to have the mail blocked at SMTP time.

If you do not see this, contact your hosting provider :).
 

_Chris_

Well-Known Member
Oct 22, 2007
> If you are on cPanel 11 with the X3 theme, go to the cPanel interface, in the Mail feature block click Account Level Filtering. You can create a filter for addresses ending in .cn or .ru and set the action to Fail with message to have the mail blocked at SMTP time.
>
> If you do not see this, contact your hosting provider :).

Many, many thanks David, I've been all round the internet over the last few months trying to get success with this, with no success so far, but hopefully, this will be it.

OK, I've looked and it isn't there. In fact, my cPanel is cPanel X v2.6.0, but before I go to the web hosts, could you please just confirm that I should be able to do this, even if I am on shared servers, and would my web hosts have any excuse for not installing this for me?

The help's appreciated.

Chris.
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level
Root Administrator
> Many, many thanks David, I've been all round the internet over the last few months trying to get success with this, with no success so far, but hopefully, this will be it.
>
> OK, I've looked and it isn't there. In fact, my cPanel is cPanel X v2.6.0, but before I go to the web hosts, could you please just confirm that I should be able to do this, even if I am on shared servers, and would my web hosts have any excuse for not installing this for me?
>
> The help's appreciated.
>
> Chris.

2.6.0 is the version of the X theme. X is an old theme (from cPanel 10 and earlier) and really should no longer be used. The X3 theme is designed for cPanel 11 and as such is recommended for use on cPanel 11 machines.

Web hosting providers can enable/disable any functionality of our software. If you are shopping around for a host, it wouldn't hurt to ask if they have this functionality enabled and they are using X3.
 

_Chris_

Well-Known Member
Oct 22, 2007
> 2.6.0 is the version of the X theme. X is an old theme (from cPanel 10 and earlier) and really should no longer be used. The X3 theme is designed for cPanel 11 and as such is recommended for use on cPanel 11 machines.
>
> Web hosting providers can enable/disable any functionality of our software. If you are shopping around for a host, it wouldn't hurt to ask if they have this functionality enabled and they are using X3.

The response just received from the hosts:

"11 is still not stable - we should wait for more stable version."
 

wmiles

Member
Sep 6, 2005
You should go see Chirpy at http://www.configserver.com. He does a cPanel service which is brilliant: he'll check over the system, install firewalls and also MailScanner if you're not using it, and the pricing is bang on.

By the way, I don't work with him, I'm just one of his customers...
 

mctDarren

Well-Known Member
Jan 6, 2004
New Jersey
cPanel Access Level
Root Administrator
> You should go see Chirpy at http://www.configserver.com. He does a cPanel service which is brilliant: he'll check over the system, install firewalls and also MailScanner if you're not using it, and the pricing is bang on.

Since Chris doesn't own this system and is hosted by a third party Chirpy won't be able to do a thing, sadly (I'm a customer myself and highly recommend them). Seems his host is stuck on cPanel 10 for some reason. "It isn't stable" usually is code for "we're too lazy to go to the trouble of upgrading", though it can be complex and troublesome on boxes hosting hundreds of users.

Chris, my advice is to ask them if they are willing to work with you at the box's firewall level by writing some custom rules for you. Most hosts will probably resist this, since your blocking IPs may result in others on the box having troubles because of it. However, it never hurts to ask. If not, it might be time to find a new, more accommodating host, or even go the way of a VPS so you have total control.

Good luck and welcome to the forums.
 

_Chris_

Well-Known Member
Oct 22, 2007
> Since Chris doesn't own this system and is hosted by a third party Chirpy won't be able to do a thing, sadly (I'm a customer myself and highly recommend them). Seems his host is stuck on cPanel 10 for some reason. "It isn't stable" usually is code for "we're too lazy to go to the trouble of upgrading", though it can be complex and troublesome on boxes hosting hundreds of users.
>
> Chris, my advice is to ask them if they are willing to work with you at the box's firewall level by writing some custom rules for you. Most hosts will probably resist this, since your blocking IPs may result in others on the box having troubles because of it. However, it never hurts to ask. If not, it might be time to find a new, more accommodating host, or even go the way of a VPS so you have total control.
>
> Good luck and welcome to the forums.

Many thanks for the quick input on this - it's appreciated. The friendly welcome was appreciated as well :)

Have I read it right that the link below is saying the stable version won't be out until the 21st of November?

http://www.cpanel.net/products/cPanelandWHM/linux/cpanel11/index.html

Is a VPS easy to set up?

Chris.
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level
Root Administrator
> Many thanks for the quick input on this - it's appreciated. The friendly welcome was appreciated as well :)
>
> Have I read it right that the link below is saying the stable version won't be out until the 21st of November?
>
> http://www.cpanel.net/products/cPanelandWHM/linux/cpanel11/index.html
>
> Is a VPS easy to set up?
>
> Chris.

cPanel 11 is already in STABLE and has been for some time. The date you are seeing is for cPanel 11 Stage 2 entering STABLE.

To install cPanel/WHM on a VPS is the same as installing it on a dedicated server.
 

_Chris_

Well-Known Member
Oct 22, 2007
> cPanel 11 is already in STABLE and has been for some time. The date you are seeing is for cPanel 11 Stage 2 entering STABLE.
>
> To install cPanel/WHM on a VPS is the same as installing it on a dedicated server.

Many thanks David, the quick, helpful input is appreciated.

Chris.