spamhaus block the server, but I don't find anything wrong

[pueblosnet]

Hello!

Spamhaus blacklist my IP every night, then I de-list by the morning, that happened the last 3 days.

The server don't have:

• Any dm.cgi or dark.cgi file
• a long list of processes working
• any user sending a lot of emails, less than 80 emails/hour

suphp it's active with suEXEC, nobody was active too, so I disabled it temporaly while I find the problem. I also run rootkithunter and lynis, all it's correct.

Any idea where can I find the problem?

Thanks!

 

[minosjl]

Hi,

Did you checked this case with Spamhaus? and why they are blacklisting your IP address ?

 

[PlotHost]

Check the mail logs/queue .

 

[pueblosnet]

It was difficult to find the spammer because he only send a few every day, finally I found a lot of perl processes running from one user and checking the ftp log I found the hack.

Thanks anyway for your help, spamhaus didn't help or give me any more data than my own IP.

 

[theitjerk]

Before any conclusions are jumped to, are you on the PBL (Policy Block List) or actually blacklisted? Spamhaus places people on the PBL like its going out of style. THe entirety of Verizon subscribers (or close to all) are on the PBL because of their SMTP policies. If you're on the PBL and you keep "de-listing", at first you'll just be put back on the PBL, but I'd imagine if you are trying to remove yourself at a frequent rate, they might blacklist you out of fear you're attempting to manipulate their filtering..

 

[theitjerk]

COnsequently, is it a dedicated, vps or shared, and do you have root?

 

[theitjerk]

Depending on your answer to my previous post, either run a monitoring tool like nagios if you have root and are confident you can install the modules correctly, a php-plugservermonitor if you aren't root or don't want to deal with a (relatively) complicated install, or use a hosted monitoring solution like Free Websites Performance, Availability, Traffic Monitoring or http://www.thecpaneladmin.com/10-free-monitoring-solutions/www.247webmonitoring.com.

My choice would (of course) be Nagios, but I like to overcomplicate things on occasion. The hosted solution should work fine, and will give you a definitively untampered log of traffic coming to and from your server. If you go this route, I'd suggest 247webmonitoring, if only because I haven't played with moni.tor.us (and anything with "tor" in it arises immediate suspicion for me), and it's relatively new... And come to think of it, they offer "unlimited, free forever" services... Meh.

Let me know if you'd like some help, feel free to PM me or otherwise.

 

[theitjerk]

double post - my bad - the internet at this university is god-awful sometimes..