How to get removed from SpamCop?

Discussion in 'General Discussion' started by Jeff75, Dec 12, 2006.

  1. Jeff75

    I have contacted SpamCop 5 times the past week about having my server's IP address removed from their database. They wrote back one time and sent me an example email and I ended up disabling the allow "nobody" to send emails which I thought fixed the problem. My IP is in their database again and I've written them several times and they're not writing back.

    I haven't put any new clients on this box in a year and a half so I know there aren't any users who are "knowingly" sending out spam from it.

    Does anybody have any suggestions as to what to do? I'm about to start losing clients over this and it's a pain because I have no idea why the server is listed in their blacklist??
     
  2. dalem

    Best to just go through your mail logs and remove the spamming account or exploited script.
    If you do not know how to do this, hire someone who does or it will just stay in there.
     
  3. Jeff75

    I would like to learn how to do it just to prevent it from happening again in the future.

    About a week ago I added "log_selector = +arguments +subject" to my Exim config.

    Here's some of the headers that one of the SpamCop people sent me:

    Does this help at all?
     
  4. Jeff75

    I found this in the mainlog, but it doesn't really give any info that shows what script/user the spam was sent through:

    I have the option "Prevent the user "nobody" from sending out mail to remote addresses" checked under Tweak Settings in WHM, so I'm not sure why it's showing nobody??
     
  5. Jeff75

    Is there any way to run grep against all of the logs in the domlogs directory so I can search for "12/Dec/2006:09:53:10"?
     
    #5 Jeff75, Dec 12, 2006
    Last edited: Dec 12, 2006
  6. Jeff75

    Bummer. I figured out how to search all the logs but there weren't any dynamic pages that were loaded at 09:53 (just .html, .js, gifs, etc.) and the method was also just GET and no POSTS?
     
  7. brianoz

    The most likely cause is a hijacked insecure form contact script, i.e. something that gets POSTed to by a form, intended to turn the form contents into an email to someone.

    The fix is to check for strings like \n and Bcc in the POSTed data, or to use mod_security to check and reject such attempts. You should also be able to limit the outgoing email per hour to something like 100 messages using WHM - search for info on /var/cpanel/maxemails to see how to up that limit on a per-domain basis (100 is fine for most domains).
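
The check described in the last post (rejecting line breaks and smuggled headers such as Bcc in POSTed form data), as an added example that is not part of the original thread. It is written in Python to show the logic; the field names (`name`, `email`, `subject`, `message`), the addresses and both sample forms are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Form fields that end up in mail headers must be a single line.
HEADER_FIELDS = ("name", "email", "subject")
# CR, LF and other separators that some mailers treat as a line break.
LINE_BREAK = re.compile(r"[\r\n\x0b\x0c\x85\u2028\u2029]")
# Header names that should never appear at the start of a line in a field.
INJECTED_HEADER = re.compile(
    r"^\s*(bcc|cc|to|content-type|mime-version)\s*:", re.I | re.M)
# Exactly one address: no whitespace, commas or angle brackets.
EMAIL_SHAPE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")

def find_injection(form):
    """Return the reasons to reject a POSTed form (empty list = clean)."""
    problems = []
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if LINE_BREAK.search(value):
            problems.append(f"{field}: line break in header field")
        if INJECTED_HEADER.search(value):
            problems.append(f"{field}: embedded mail header")
    if not EMAIL_SHAPE.fullmatch(form.get("email", "")):
        problems.append("email: not a single address")
    return problems

def build_message(form, site_owner):
    """Build the mail only for a clean form; the recipient is fixed server-side."""
    problems = find_injection(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = "webform@example.com"   # assumed sender address
    msg["To"] = site_owner                # never taken from the form
    msg["Reply-To"] = form["email"]
    msg["Subject"] = form["subject"]
    msg.set_content(f"Name: {form['name']}\n\n{form.get('message', '')}")
    return msg

# Constructed sample input: a normal submission and a hijack attempt.
SAMPLE_CLEAN = {"name": "Ann", "email": "ann@example.org",
                "subject": "Quote request", "message": "Hi,\nplease call me."}
SAMPLE_ATTACK = dict(SAMPLE_CLEAN,
                     email="ann@example.org\r\nBcc: a@victim.example, b@victim.example")

if __name__ == "__main__":
    print(find_injection(SAMPLE_CLEAN))
    print(find_injection(SAMPLE_ATTACK))
```

Logging each rejected submission with the requesting IP and script path gives a record to match against the Exim mainlog and domlogs when tracing which form is being abused.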
     