The Community Forums

Interact with an entire community of cPanel & WHM users!

Spamhaus blocks the server, but I don't find anything wrong

Discussion in 'Security' started by pueblosnet, Apr 4, 2012.

  1. pueblosnet

    pueblosnet Active Member

    Hello!

    Spamhaus blacklists my IP every night, then I de-list it in the morning; that has happened for the last 3 days.

    The server doesn't have:

    • Any dm.cgi or dark.cgi file
    • a long list of processes working
    • any user sending a lot of emails, less than 80 emails/hour

    suPHP is active with suEXEC; nobody was active too, so I disabled it temporarily while I find the problem. I also ran rootkithunter and lynis, and all is correct.

    Any idea where I can find the problem?

    Thanks!
     
  2. minosjl

    minosjl Well-Known Member

    Hi,

    Did you check this case with Spamhaus, and why are they blacklisting your IP address?
     
  3. PlotHost

    PlotHost Well-Known Member

    Check the mail logs/queue.
     
  4. pueblosnet

    pueblosnet Active Member

    It was difficult to find the spammer because he only sent a few every day; finally I found a lot of perl processes running from one user, and checking the FTP log I found the hack.

    Thanks anyway for your help; Spamhaus didn't help or give me any more data than my own IP.
     
  5. theitjerk

    theitjerk Member

    Before any conclusions are jumped to, are you on the PBL (Policy Block List) or actually blacklisted? Spamhaus places people on the PBL like it's going out of style. The entirety of Verizon subscribers (or close to all) are on the PBL because of their SMTP policies. If you're on the PBL and you keep "de-listing", at first you'll just be put back on the PBL, but I'd imagine if you are trying to remove yourself at a frequent rate, they might blacklist you out of fear you're attempting to manipulate their filtering.
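
Added example (not part of any post in this thread): a Python check for the PBL-versus-blacklist question raised above, which also treats Spamhaus error answers as unreliable rather than as listings. It assumes the return codes Spamhaus documents for its combined zen.spamhaus.org zone; the function names and the 192.0.2.10 sample address are constructed for illustration.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# Last octet of a 127.0.0.x answer -> (list, kind), per Spamhaus' ZEN documentation.
LISTS = {2: ("SBL", "reputation"), 3: ("SBL-CSS", "reputation"),
         4: ("XBL", "reputation"), 5: ("XBL", "reputation"),
         6: ("XBL", "reputation"), 7: ("XBL", "reputation"),
         9: ("SBL-DROP", "reputation"),
         10: ("PBL", "policy"), 11: ("PBL", "policy")}
# 127.255.255.x answers are query errors, not listings.
ERRORS = {252: "typo in zone name", 254: "query sent via public/open resolver",
          255: "query limit exceeded"}

def zen_query_name(ip):
    """Build the DNSBL name for an IPv4 address: a.b.c.d -> d.c.b.a.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE

def classify(answers):
    """Sort A-record answers into policy listings, reputation listings and errors."""
    out = {"policy": set(), "reputation": set(), "error": set()}
    for answer in answers:
        o = [int(x) for x in answer.split(".")]
        if o[:3] == [127, 255, 255]:
            out["error"].add(ERRORS.get(o[3], "unknown error code"))
        elif o[:3] == [127, 0, 0] and o[3] in LISTS:
            name, kind = LISTS[o[3]]
            out[kind].add(name)
        else:
            out["error"].add("unexpected answer " + answer)
    return out

def verdict(answers):
    """Summarise a set of answers; errors win over listings."""
    c = classify(answers)
    if c["error"]:
        return "lookup unreliable: " + ", ".join(sorted(c["error"]))
    if c["reputation"]:
        return "blacklisted: " + ", ".join(sorted(c["reputation"]))
    return "policy listing only: PBL" if c["policy"] else "not listed"

def lookup(ip):
    """Live query. NXDOMAIN (not listed) raises gaierror, as do resolver failures."""
    try:
        return socket.gethostbyname_ex(zen_query_name(ip))[2]
    except socket.gaierror:
        return []

if __name__ == "__main__":
    # Constructed answers for the documentation address 192.0.2.10; no network needed.
    for answers in (["127.0.0.10"], ["127.0.0.4", "127.0.0.11"], ["127.255.255.254"], []):
        print(zen_query_name("192.0.2.10"), "->", verdict(answers))
```

Run `lookup()` from the mail server itself with its own resolver, so the query is not answered with an error code.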
     
  6. theitjerk

    theitjerk Member

    Consequently, is it a dedicated, VPS or shared, and do you have root?
     
  7. theitjerk

    theitjerk Member

    Depending on your answer to my previous post, either run a monitoring tool like nagios if you have root and are confident you can install the modules correctly, a php-plugservermonitor if you aren't root or don't want to deal with a (relatively) complicated install, or use a hosted monitoring solution like Free Websites Performance, Availability, Traffic Monitoring or http://www.thecpaneladmin.com/10-free-monitoring-solutions/www.247webmonitoring.com.

    My choice would (of course) be Nagios, but I like to overcomplicate things on occasion. The hosted solution should work fine, and will give you a definitively untampered log of traffic coming to and from your server. If you go this route, I'd suggest 247webmonitoring, if only because I haven't played with moni.tor.us (and anything with "tor" in it arouses immediate suspicion for me), and it's relatively new... And come to think of it, they offer "unlimited, free forever" services... Meh.

    Let me know if you'd like some help, feel free to PM me or otherwise.
     
  8. theitjerk

    theitjerk Member

    double post - my bad - the internet at this university is god-awful sometimes..
     