
Important! I have a theory on how to Protect Against SPEWS!

Discussion in 'General Discussion' started by surfturtle, Sep 17, 2002.

  1. surfturtle

    surfturtle Member

    I am sure everyone here by now has had many spammers on their servers and like most of the responsible webhosts worldwide you have deleted their accounts as soon as you find out.

    Also I am sure that most of you have been listed by a stupid organization called SPEWS which is doing more harm than good.

    SPEWS claims that it is helping stop spam but instead it is just helping to hurt the reputation of Honest Web Hosts with their clients.

    What it does is that once it detects that you have a spammer on your server or even a site that is itself not sending spam but promotes spam SPEWS immediately lists the IP address of your server or sometimes your whole IP range in its database which many ISPs use to filter spam e-mails. Now any e-mail originating from those IPs will be blocked by ISPs using the SPEWS database.

    The main problem is that even after we delete the spammers from our servers SPEWS does not remove our IPs. And for those of us who do name-based hosting this is very very dangerous as just because of one spammer who was on our server for not more than a few days the other 500 Honest, Innocent clients who are not spammers have to pay the price as their e-mails are blocked too.
    This proves that just to prevent one spammer who by the way quickly changes hosts and is not affected at all, hundreds of our clients have to pay the price.

    I have tried to contact SPEWS without any luck so I have decided to beat the SPEWS system instead of trying to change it.

    I am SICK of SPEWS and other databases like this because instead of helping us they are hurting us.

    Now let's get to solving the problem.

    -=-=-=-=-= SOLUTION =-=-=-=-=-

    SPEWS only lists the IP address that the spammer's website is hosted on so I think that if we change the IP address of the mailserver then our e-mails could no longer be blocked by SPEWS. I am not a Linux expert so I need your help to figure out how to accomplish this.

    Is there a way that we can change the IP address of the mailserver?

    -=-=-=-=-= IMPORTANT =-=-=-=-=-
    Those who have not read this full post should not think that I am a pro-spam activist. In fact I hate spam and do everything possible to keep my network spam free but there is no 100% guarantee that one of them won't slip by my defences. In fact my screening method is so tough that many genuine clients leave me for being too tough on them. I do not mind that as that is my duty.
     
  2. Annette

    Annette Well-Known Member
    PartnerNOC

    "What it does is that once it detects that you have a spammer on your server or even a site that is itself not sending spam but promotes spam SPEWS immediately lists the IP address of your server or sometimes your whole IP range in its database..."

    This is untrue.

    "I have tried to contact SPEWS without any luck so I have decided to beat the SPEWS system instead of trying to change it."

    One does not contact SPEWS. Trying to find ways around ISP's blocks on you - like altering the mailserver IP - is a very fine way to land yourself in blacklists from which you will never emerge. That won't be the fault of SPEWS (and in fact any blocks done on your mail right now aren't, either).

    If you have a specific SPEWS case and feel that the listing is unjustified, take your case to news.admin.net-abuse.email. If you want advice, contact me off the forum. We've helped people get out of SPEWS before and no doubt we'll be doing it again.

    I am not aware of a way to change the IP of the mailserver. It has always run as the server IP since we've had systems running cPanel, and there's no good reason to change that, since it works fine.
     
  3. leat

    leat Member

    iptables -t nat -I POSTROUTING -p tcp --dport 25 -j SNAT --to-source IP_Address

    I agree about SPEWS. My servers at RackSpace suddenly were blocked because some customer of RackSpace brought in bulkbarn.com. SPEWS blocked the whole C net on which my servers resided. I used to use RBL/Osirus in qmail, but after being an innocent victim like this, I have removed all RBL's from the mailservers. IMO SPEWS is a bad tool against spam and I won't support any RBL.
     
  4. surfturtle

    surfturtle Member

    Annette,
    I can prove every one of my claims. Although at the end of the day if I fail to convince a few of the supporters of SPEWS then that's life.

    Anyway here goes.

    "What it does is that once it detects that you have a spammer on your server or even a site that is itself not sending spam but promotes spam SPEWS immediately lists the IP address of your server or sometimes your whole IP range in its database..."

    I have proof because take my case for instance, I want to stress again that I am 1000% AGAINST SPAM, and strongly feel that we need a system or database to protect us from spammers. But SPEWS is definitely a very costly failure for the web hosting industry. Now here is my proof.

    http://spews.org/html/S1532.html, my IP is 66.78.3.211 and quickads.net was the domain that got me banned. This S.O.B. bought hosting from me 2 1/2 months ago. I am so committed to fighting spam that twice every week I check the mail records of every site on my servers and see who is sending unusual number of mails and I did not find anything unusual about this site. (Please excuse the language, but I'm sure you can understand my frustration.) The reason for this was that he did not use my server to send spam, his site was promoting spam though but I don't have time to visit each and every one of my client's sites. Anyway SPEWS did help me to find out that this site was a spammer so I immediately deleted it more than a month ago. But my IP is still listed there and more than 600 other customers have been suffering for 2 months now just because of one spammer whom I already mentioned that I terminated as soon as I found out. By the way this person had 30 domains hosted with me and I deleted each and every one of them and you can read about the kind of threats he made to me as they are similar to the ones at http://spews.org/html/S1532.html

    Now my moral and common sense question to you all is: is it worth it to punish 600+ innocent clients just because of ONE spammer who had already been kicked off the server? Who in his right mind would say that that is ok.

    And if you are such a supporter of spam then just look at http://spews.org/html/S1532.html and you will see that this person has no difficulty whatsoever in finding new hosting companies to ruin just like mine. He jumps from one server to another so easily.

    This brings me to another suggestion: I think that we Web Hosting Companies should have a spammer database of our own that will warn us about spam-related domain names before we host them. This way spammers are the losers instead of us. They never get hosted so they never get to benefit from our hard honest work.

    My second problem with SPEWS is that they have blocked the whole IP range of my datacenter and I am the innocent victim just take a look http://spews.org/html/S1377.html

    Also it seems to me that you have no idea about how harmful SPEWS is to so many of us, I encourage everyone who has been affected by SPEWS to post here to show the scope of the damage caused by SPEWS.
     
  5. leat

    leat Member

    It is possible to route mail (SMTP) through another IP than the main one by using iptables:

    iptables -t nat -I POSTROUTING -p tcp --dport 25 -j SNAT --to-source IP_Address

    where IP_Address is another IP than the main one that is blocked.
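
The same rule seen from the auditing side, as an added example that is not part of leat's post: it parses iptables-save output and reports nat-table POSTROUTING rules that rewrite the source address of outbound port 25 traffic, which is what an administrator inheriting a server or an upstream provider would check for. The ruleset is constructed sample data and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save output; addresses come from documentation ranges.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -m tcp --dport 25 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -o eth0 -p tcp -m multiport --dports 80,443 -j SNAT --to-source 192.0.2.20
-A POSTROUTING -p tcp -m multiport --dports 25,587 -j SNAT --to-source 192.0.2.30
COMMIT
"""

SMTP_PORT = 25


def covers_smtp(spec):
    """True if a --dport/--dports value ('25', '25,587', '20:30') includes port 25."""
    for part in spec.split(","):
        low, sep, high = part.partition(":")
        lo = int(low) if low else 0
        hi = int(high) if high else (65535 if sep else lo)
        if lo <= SMTP_PORT <= hi:
            return True
    return False


def find_smtp_snat(ruleset):
    """Return (line_number, to_source) for nat/POSTROUTING SNAT rules matching port 25."""
    findings, table = [], None
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):  # table header such as "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A POSTROUTING "):
            continue
        tokens = shlex.split(line)
        opts = {}
        for i in range(len(tokens) - 1):
            negated = i > 0 and tokens[i - 1] == "!"  # "! --dport 25" excludes SMTP
            if tokens[i].startswith("-") and not negated:
                opts[tokens[i]] = tokens[i + 1]
        ports = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") == "SNAT" and ports and covers_smtp(ports):
            findings.append((lineno, opts.get("--to-source")))
    return findings


if __name__ == "__main__":
    for lineno, source in find_smtp_snat(SAMPLE_RULESET):
        print(f"line {lineno}: outbound SMTP rewritten to source {source}")
```

Only rules that single out port 25 are reported; a blanket SNAT rule with no port match also changes the mail source address and needs a separate look.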
     
  6. surfturtle

    surfturtle Member

    Originally posted by leat:

    > It is possible to route mail (SMTP) through another IP than the main one by using iptables:
    >
    > iptables -t nat -I POSTROUTING -p tcp --dport 25 -j SNAT --to-source IP_Address
    >
    > where IP_Address is another IP than the main one that is blocked.

    Thanks,
    I will try that on one of my servers.
     
  7. Annette

    Annette Well-Known Member
    PartnerNOC

    This is going to be long, and I apologize for that. I am not a tremendously staunch supporter of SPEWS, nor do we as a company use SPEWS for filtering purposes. Most of the hardcore antispammers in nanae get on my last nerve because they seem more interested in fighting or hassling every n00b who goes through than anything else. I think the broad ranges that are included in the db are sometimes excessive. SPEWS is effective because of how ISPs treat it as a tool and because they can point to the level of spam their users received prior to using it and the level of spam their users have received after using it and show a difference. Listings are made for known spammers when their new locations are found, but a single incident - even a spam run of several hundred or even a thousand emails - is not enough to wind up in SPEWS. If it were that simple, everyone here would be listed, because I can't imagine there's no one here who hasn't had some spammer they've had to nuke.

    Your language is excused - I say the same things (or worse) about spammers when we're hunting them. :)

    Your first case (and I'm presuming that you are midashosting):

    http://spews.org/html/S1532.html - this is listed as a 2, with a dead? notation. This is probably because the domain is still using your nameservers and has not been changed, but a 2 is not as serious as a 1, so at least there's progress there (although some providers will use both tiers and not just the level 1 listing). The guy who owns the site is a known spammer.

    http://www.spamhaus.org/rokso/spammers.lasso?-database=spammers.db&-layout=list&-maxrecords=100&-response=roksolist.lasso&-noresultserror=rocksonorecords.html&-operator=eq&spammer=Kelly%20Joe%20Ellis%20/%20WebMark%20inc%20/%20Marketforce%20inc&status=live&-clientusername=guest&-clientpassword=guest&-sortfield=priority&-sortorder=descending&-sortfield=subject&-search

    Your problem is not necessarily with that particular domain, however. You are also currently hosting an "unsubscribe" form for another spammer at http://mahnoor.midashosting.com/mailman/listinfo/offers_fast-earnings.com
    for the domain fast-earnings.com. As of this moment, that site is still operational. This falls under the umbrella of spam support, just like providing DNS services if the site is actually hosted elsewhere, and is a good way to wind up blocked.

    There is no indication that you have asked anyone at nanae to verify that the quickads guy is dead from your servers and request that the listing be updated. Even if you did, though, someone would bring up Mr. Fast-Earnings and his mailing list and you'd be back to square one.

    However, you have larger problems....

    Your second case:
    http://spews.org/html/S1377.html

    This is the fault of your provider (VDI). VDI is much discussed in the groups about their time to respond on spam complaints. A quick search in only the two main admin groups dealing with email abuse brought up over 1500 matches for VDI. One complaint selected at random from early August is a site still riding in VDI's IP block. If you're irked at having entire netblocks in the database, you should talk to your provider and find out why they are so slow to respond that they wind up in SPEWS - and if you're as adamantly anti-spam as you say, I'd think you'd want to know. Worse than that, too, is that some admins just block all of VDI as a lost cause. They'll never get out of those lists.

    "..you have no idea how harmful SPEWS is to most of us.."

    For varying levels of "most", I'd imagine, since "most" hosts have no problems with SPEWS unless they choose a provider who does. We don't select providers who are known to house spammers or not act on them, and we deal with spam complaints swiftly and without mercy, as any of our resellers could tell you. Every order is researched when it comes in to make sure that the person is not a known spammer or has used other domains in the past that were connected to spam. We have even rejected orders from people who list a return address at a domain that itself has spam complaints. We don't speak spammish here.

    You haven't asked for my advice, but I'm giving it anyway (such is the nature of an open forum) in the hopes that you'll understand why I think you're fighting the wrong war here.

    1. Get rid of your unsubscribe guy.
    2. Post a note to nanae - politely and in a civil tone, not in the stampeding, "I'm gonna sue you!" manner some hosts do - referencing the SPEWS record, and indicating that the quickads guy and the unsubscribe guy are both gone and in the first case, have been gone for some time.
    3. Ask VDI why they are in SPEWS, and don't accept the stock "SPEWS sucks" argument that some providers give. That's a load of crap. If any host/provider wants to deal with their spam problem, they can. It's very simple, as you very well know from your own nuking runs. Even Sprint is making movements in that direction, although it will be a long, long time before some of their ranges emerge from the pits.

    We keep a blacklist of nuke-on-sight domains and spammers for ourselves and our resellers. It's also available at hostcoalition, although that forum is falling into disuse lately and may be discontinued. You can also look up domains and peruse a long list of known spammers/spamgangs at spamhaus.org. There are any number of ways to protect yourself from having to deal with things like this. We, for instance, only deal with SPEWS-related stuff when some other host asks us about some listing or when we (I) give unsolicited advice like this. And I'll say that not dealing with - or even having to think about - SPEWS is a lot better than the alternative.

    In deference to the support related question about the mailserver IP (although you should note that things like leaving your unsubscribe guy in place will negate the effect of changing the mailserver IP, since listings will just expand to include any IP that can be found to be associated with you), I'll leave off any further SPEWS-related posting. If you'd like to discuss it further, drop me a note. It is possible to get out of SPEWS individually - we've helped people do it half a dozen times. Getting your provider to cooperate might not be so easy.
     
  8. surfturtle

    surfturtle Member

    I had deleted fast-earnings.com along with quickads.net more than a month ago, I think they are owned by the same person, but it's still using my DNS which I cannot stop it from doing. I have contacted VDI who told me that they are working on the problem.

    And as for SPEWS, I am so disgusted with the way they have built up their system that I am in no mood to contact them. Although their intentions are good they are doing me more harm than all the spammers that I have nuked so far.
     
  9. Marty

    Marty Well-Known Member

    Choosing to fight SPEWS, while maybe a good gut reaction, is not necessarily the wisest choice. It will likely only make it more difficult to get your and your customers' IPs out of their lists. I tend to take Annette's approach to this problem (maybe because I was once a reseller with Annette's hosting company and I learned a lot from her). You have more at stake than just satisfying your desire to take vengeance on SPEWS. You have your clients' well-being to think about.

    Personally, if my upstream provider was soft on spam, I would be looking for a new provider to eliminate the problem. Changing the IP of your email server will eventually get that IP listed. If you change it enough, it is likely that you will see blocks of IPs get listed.

    The best approach for the sake of your clients is to politely state your case, pointing out that both domains have been nuked from your servers and that only the nameservers are pointing to your server.

    Furthermore, I have been successful in contacting the registrars for such domains and getting the nameservers changed. I would suggest this in addition to what Annette has already suggested.

    I would also suggest that if your upstream is the major problem, change it.
     
  10. Annette

    Annette Well-Known Member
    PartnerNOC

    Originally posted by surfturtle:

    > I had deleted fast-earnings.com along with quickads.net more than a month ago, I think they are owned by the same person, but it's still using my DNS which I cannot stop it from doing. I have contacted VDI who told me that they are working on the problem.
    >
    > And as for SPEWS, I am so disgusted with the way they have built up their system that I am in no mood to contact them. Although their intentions are good they are doing me more harm than all the spammers that I have nuked so far.

    (I know, I know...one more from me.)

    http://mahnoor.midashosting.com/mailman/listinfo/offers_fast-earnings.com is still active. You might want to nuke that list to remove all traces of it, because people in nanae will find exactly what I did and ask you about it.

    For the second part: That's a bad position to take, and an unproductive one. As Marty indicates, it isn't just winning some battle to satisfy your ego here. Clients won't be terribly pleased about tilting at windmills. If you are going to take that tack, I hope you're settled in for a long stay in SPEWS.
     
  11. surfturtle

    surfturtle Member

    I think this is a bug in cPanel/WHM, I deleted fast-earnings.com in July but its mailing list wasn't deleted, thanks for telling me. I have deleted that also but no mail was sent through this e-mail since mid July anyway so this was just a dead list.
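
The leftovers discussed in this thread (a Mailman list and DNS zones that outlived the terminated account) can be found with a simple offboarding audit. This is an added example, not part of any post and not cPanel's own tooling; the function names and the inventory lists are constructed, and it assumes list names follow the listname_domain pattern visible in the listinfo URL quoted above.

```python
# Constructed inventories: in practice these would be exported from the
# hosting panel, the Mailman installation and the name server.
ACTIVE_DOMAINS = ["example.com", "example.org"]
MAILMAN_LISTS = [
    "news_example.com",
    "offers_fast-earnings.com",        # list left behind by a deleted account
    "weekly_updates_shop.example.org",  # list on a subdomain of a live account
    "mailman",                          # site-wide list, not tied to a domain
]
DNS_ZONES = ["example.com", "example.org", "quickads.net", "fast-earnings.com"]


def _is_hosted(domain, active):
    """True if domain, or a parent domain of it, belongs to a live account."""
    labels = domain.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "org" alone never counts as a match.
    return any(".".join(labels[i:]) in active for i in range(len(labels) - 1))


def find_residue(active_domains, mailman_lists, dns_zones):
    """Report mailing lists and DNS zones whose domain has no live account."""
    active = {d.lower().rstrip(".") for d in active_domains}
    orphan_lists = []
    for name in mailman_lists:
        # Hostnames cannot contain "_", so the text after the last
        # underscore is the domain even if the list name has underscores.
        _, sep, domain = name.rpartition("_")
        if sep and not _is_hosted(domain, active):
            orphan_lists.append(name)
    orphan_zones = [z for z in dns_zones if not _is_hosted(z, active)]
    return {"lists": sorted(orphan_lists), "zones": sorted(orphan_zones)}


if __name__ == "__main__":
    report = find_residue(ACTIVE_DOMAINS, MAILMAN_LISTS, DNS_ZONES)
    for kind, names in report.items():
        for name in names:
            print(f"orphaned {kind[:-1]}: {name}")
```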
     
  12. goodmove

    goodmove Well-Known Member

    This kind of silly and biased comment makes me puke!
     