Spamhaus blocks the server, but I can't find anything wrong

pueblosnet (Active Member, joined Dec 23, 2003):
Hello!

Spamhaus blacklists my IP every night, and I de-list it in the morning; that has happened for the last 3 days.

The server doesn't have:

  • any dm.cgi or dark.cgi file
  • a long list of running processes
  • any user sending a lot of emails (less than 80 emails/hour)

suPHP is active with suEXEC; "nobody" was active too, so I disabled it temporarily while I look for the problem. I also ran Rootkit Hunter and Lynis, and everything is correct.

Any idea where I can find the problem? :confused:

Thanks!

pueblosnet (Active Member, joined Dec 23, 2003):
It was difficult to find the spammer because he only sent a few every day; finally I found a lot of perl processes running from one user, and checking the FTP log I found the hack.

Thanks anyway for your help; Spamhaus didn't help or give me any more data than my own IP.
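The two clues that closed this case, a pile of perl processes under one account and an FTP upload of the script that spawned them, can be correlated mechanically. The script below is an added example and is not code from anyone in this thread. Both inputs are constructed sample data embedded inline; on a live box you would feed in `ps -eo user,pid,comm,args --no-headers` and the FTP transfer log. The log format assumed here is xferlog (the format cPanel typically writes to `/usr/local/apache/domlogs/ftpxferlog`); the account names, paths and addresses are made up.

```shell
#!/usr/bin/env bash
# Added example: flag accounts with many perl processes, list FTP uploads of
# script files, and match uploaded paths against the argv of running processes.
# PS_SNAPSHOT and XFERLOG are constructed sample data, not real logs.

# Constructed snapshot in "user pid comm args" form (ps -eo user,pid,comm,args).
PS_SNAPSHOT='root      1 init    /sbin/init
mailnull  2211 exim    /usr/sbin/exim -bd -q1h
hacked01  3302 perl    perl /home/hacked01/public_html/.cache/m.pl
hacked01  3303 perl    perl /home/hacked01/public_html/.cache/m.pl
hacked01  3304 perl    perl /home/hacked01/public_html/.cache/m.pl
hacked01  3305 perl    perl /home/hacked01/public_html/.cache/m.pl
cleanusr  4410 perl    perl /home/cleanusr/cron/report.pl
cleanusr  4411 php     php-cgi'

# Constructed xferlog lines. Fields (assumed xferlog layout):
# 1-5 date, 6 xfer-time, 7 remote host, 8 bytes, 9 path, 10 type, 11 flags,
# 12 direction (i = upload, o = download), 13 access mode, 14 user, ...
XFERLOG='Tue Apr 24 03:12:07 2012 1 198.51.100.7 20483 /home/hacked01/public_html/.cache/m.pl b _ i r hacked01 ftp 0 * c
Tue Apr 24 03:12:09 2012 1 198.51.100.7 1024 /home/hacked01/public_html/.cache/list.txt b _ i r hacked01 ftp 0 * c
Tue Apr 24 09:00:01 2012 1 203.0.113.5 512 /home/cleanusr/public_html/index.html a _ i r cleanusr ftp 0 * c
Tue Apr 24 09:30:11 2012 1 203.0.113.5 900 /home/cleanusr/public_html/logo.png b _ o r cleanusr ftp 0 * c'

# Count perl processes per user from a ps dump on stdin; print "count user"
# for every user at or above the threshold in $1, busiest first.
perl_procs_by_user() {
  awk -v min="$1" '$3 == "perl" { n[$1]++ }
       END { for (u in n) if (n[u] >= min) print n[u], u }' | sort -rn
}

# From xferlog lines on stdin, print "user path" for uploads of script files.
ftp_script_uploads() {
  awk '$12 == "i" && $9 ~ /\.(pl|cgi|php|sh)$/ { print $14, $9 }'
}

# Users flagged by process count who also uploaded a script over FTP.
suspects() {
  local flagged u
  flagged=$(printf '%s\n' "$PS_SNAPSHOT" | perl_procs_by_user "$1" | awk '{print $2}')
  for u in $flagged; do
    printf '%s\n' "$XFERLOG" | ftp_script_uploads | awk -v u="$u" '$1 == u { print u, $2 }'
  done
}

# Uploaded script paths that appear verbatim in a running process's argv;
# prints "user pid path". This is the direct link between the FTP log entry
# and the spam-sending processes.
uploaded_and_running() {
  local tmp="${TMPDIR:-/tmp}/uploads.$$"
  printf '%s\n' "$XFERLOG" | ftp_script_uploads | awk '{print $2}' | sort -u > "$tmp"
  if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 0; fi
  printf '%s\n' "$PS_SNAPSHOT" | awk '
    NR == FNR { up[$1] = 1; next }
    { for (i = 4; i <= NF; i++) if ($i in up) print $1, $2, $i }' "$tmp" -
  rm -f "$tmp"
}

echo "== users with >= 2 perl processes =="
printf '%s\n' "$PS_SNAPSHOT" | perl_procs_by_user 2
echo "== flagged users with FTP script uploads =="
suspects 2
echo "== uploaded scripts currently executing =="
uploaded_and_running
```

The threshold is deliberately low because, as the post notes, a careful spammer keeps volume down; the correlation with the FTP log, not the raw process count, is what separates a cron job like `report.pl` from an uploaded mailer. On a real system, also pull the remote FTP address (field 7) for the flagged uploads: it tells you whether the account's password leaked or a web-application hole was used instead.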

theitjerk (Member, joined Apr 19, 2012, Los Angeles; cPanel Access Level: Reseller Owner):
Before jumping to any conclusions, are you on the PBL (Policy Block List) or actually blacklisted? Spamhaus places people on the PBL like it's going out of style. The entirety of Verizon subscribers (or close to all) are on the PBL because of their SMTP policies. If you're on the PBL and you keep "de-listing", at first you'll just be put back on the PBL, but I'd imagine that if you are trying to remove yourself at a frequent rate, they might blacklist you out of fear you're attempting to manipulate their filtering.
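The PBL-versus-blacklist question above is answered by the A record Spamhaus returns for a lookup under zen.spamhaus.org: the 127.0.0.x code tells you which list produced the hit. The functions below are an added example, not the poster's code. The return-code ranges are Spamhaus's documented ones (SBL 127.0.0.2, SBL CSS 127.0.0.3, XBL 127.0.0.4-7, PBL 127.0.0.10-11); the IP address used in the test is a documentation address, and the live lookup assumes `dig` is installed and that you are querying the public mirrors rather than a DQS key zone.

```shell
#!/usr/bin/env bash
# Added example: classify a Spamhaus zen answer instead of guessing from the
# web form. Codes follow Spamhaus's published zen return values.

# Build the reversed-octet query name: 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org
zen_query_name() {
  local ip="$1"
  # shellcheck disable=SC2046  # word-splitting on purpose to get the octets
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  printf '%s.%s.%s.%s.zen.spamhaus.org\n' "$4" "$3" "$2" "$1"
}

# Map one answer address to the list that produced it.
zen_classify() {
  case "$1" in
    127.0.0.2)  echo "SBL (direct listing: spam source or spam-supporting host)" ;;
    127.0.0.3)  echo "SBL CSS (automated listing, typical of compromised hosts)" ;;
    127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7)
                echo "XBL (exploited/infected host, CBL data)" ;;
    127.0.0.10|127.0.0.11)
                echo "PBL (policy: end-user/dynamic space, not an accusation of spamming)" ;;
    *)          echo "unknown return code $1" ;;
  esac
}

# Live query. Returns 1 if the address is not listed at all.
zen_lookup() {
  local ip="$1" name answer code
  name=$(zen_query_name "$ip")
  answer=$(dig +short "$name" A 2>/dev/null)
  if [ -z "$answer" ]; then
    echo "$ip: not listed in zen"
    return 1
  fi
  for code in $answer; do
    printf '%s: %s -> %s\n' "$ip" "$code" "$(zen_classify "$code")"
  done
}

# Stand-alone demo: the query name for a documentation address, plus a
# classification of each documented code. 127.0.0.2 is Spamhaus's own
# always-listed test address if you want to exercise zen_lookup online.
zen_query_name 192.0.2.1
for c in 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.10; do
  printf '%s -> %s\n' "$c" "$(zen_classify "$c")"
done
```

A PBL-only hit (127.0.0.10 or .11) means the netblock owner, or Spamhaus's policy data, says that range should not emit direct-to-MX mail; the fix is to have the provider exempt the server or to relay through a smarthost, not to keep removing the entry. A 127.0.0.3 answer is the one that matches the rest of this thread: CSS listings are driven by observed output from the address, which is what a compromised account sending a trickle of spam produces.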

theitjerk (Member, Los Angeles):
Depending on your answer to my previous post, either run a monitoring tool like Nagios if you have root and are confident you can install the modules correctly, a php-plugservermonitor if you aren't root or don't want to deal with a (relatively) complicated install, or use a hosted monitoring solution like Free Websites Performance, Availability, Traffic Monitoring or http://www.thecpaneladmin.com/10-free-monitoring-solutions/www.247webmonitoring.com.

My choice would (of course) be Nagios, but I like to overcomplicate things on occasion. The hosted solution should work fine, and will give you a definitively untampered log of traffic coming to and from your server. If you go this route, I'd suggest 247webmonitoring, if only because I haven't played with moni.tor.us (and anything with "tor" in it raises immediate suspicion for me), and it's relatively new... And come to think of it, they offer "unlimited, free forever" services... Meh.

Let me know if you'd like some help, feel free to PM me or otherwise.