Topic: IP and server identified as a spammer

  1. #1
    mdf092 (forum member, Tehran, joined May 2010)

    IP and server identified as a spammer

    Hello
    Friends, my server has been identified as a spammer: wherever we send email it gets rejected, and my IP has been blocked,
    and I pretty much don't know what to do.
    The OS is CentOS and qmail is installed on it.
    At first I thought the problem was an open relay, but I checked the log and saw that it rejected the unauthorized requests.

    I can't think of any other cause.
    If anyone has an idea and can help me quickly, I'd be very, very grateful.

  3. #2
    permanent member (joined Sep 2008)

    Re: IP and server identified as a spammer

    Exactly which provider's blacklist has your IP been put on?

    The procedure for fixing this problem is as follows:

    1- Find the problem
    2- Fix the problem
    3- Contact the provider (or whoever) that put your IP on the blacklist and tell them the problem has been fixed
    4- Wait to be removed from the blacklist

    * This procedure takes time.

    The general solution to this problem: use a new IP that you are sure has not been used for sending spam (a so-called "fresh IP").

  5. #3
    mdf092 (forum member, Tehran, joined May 2010)

    Re: IP and server identified as a spammer

    Thanks for the quick reply.
    These are the messages I'm getting:
    Code:
    Hi. This is the qmail-send program at XXXXX Host.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.
    
    <xxxxxxxxx@hotmail.com>:
    Connected to 65.54.188.72 but sender was rejected.
    Remote host said: 550 OU-001 Unfortunately, messages from x.x.x.x  weren't sent. Please contact your Internet service provider since part  of their network is on our block list. You can also refer your provider  to Troubleshooting.
    The actual place that says I'm blocked is the address below:
    The CBL

  6. #4
    permanent member (joined Sep 2008)

    Re: IP and server identified as a spammer

    The way to fix the problem is stated in that very message.

    550 OU-001

    Mail rejected by Windows Live Hotmail for policy reasons. If you are not an email/network admin please contact your Email/Internet Service Provider for help. For more information about this block and to request removal please go to: The Spamhaus Project.

    Fixing the problem via Spamhaus.org

    http://www.spamhaus.org/lookup.lasso

    this lookup tool will tell you which one and will give you a link to information on what to do.

    ---------- Post added at 07:12 PM ---------- Previous post was at 07:10 PM ----------

    Quote, originally posted by mdf092:
    The actual place that says I'm blocked is the address below:
    The CBL
    I'm listed, what do I do?

    The CBL has easy self-removal. See: CBL Lookup AND Removal It will provide you with information on why the IP was listed, and a link to do self-removal. The rest of these web pages are intended to help you understand what could cause a listing, and how to diagnose the problem.

  8. #5
    new member (joined Feb 2011)

    Re: IP and server identified as a spammer

    With thanks to dear Online24

    The problem I'm stuck with right now is exactly this one. We have a Linux reseller account from a company. I'm sure the accounts under me didn't send spam, because they don't even know how. But since the IP is shared, I think this is happening in the other reseller panels.

    So far I've had it delisted twice, but it went back on the blacklist.

    This time they've also given a serious warning: if you don't fix the problem, you'll have to give up this IP entirely.

    Here is the error text:

    Code:
    IP Address ###.###.###.### is listed in the CBL. It appears to be infected with a spam sending trojan or *****.
    
    It was last detected at 2012-01-11 21:00 GMT (+/- 30 minutes), approximately 2 days, 12 hours, 30 minutes ago.
    
    It has been relisted following a previous removal at 2011-12-31 11:56 GMT (13 days, 22 hours, 2 minutes ago)
    
    This IP is infected with the DarkMailer/YellSOFT DirectMailer or other similar trojan. This involves perl or PHP scripts being uploaded to web servers resulting in the sending of large quantities of spam email (usually pharmacy pill spams).
    
    PAY VERY CLOSE ATTENTION TO THE FOLLOWING
    
    Darkmailer infects web hosting environments. ONLY the hosting company can fix these infections properly.
    
    If you are not the administrator of this hosting environment, there is probably nothing you can do to fix this infection, you MUST refer this listing to them. The hosting administrator has to do the fix.
    
    This is a checklist of the four things the administrator needs to do before delisting. There is more detailed information about each of these later.
    1. Check your FTP logs to find uploads of Darkmailer scripts. Forward to us a copy of the FTP log records that you find. These logs will often be in /var/log/messages, but this depends on your system configuration.
    2. Identify, kill and remove all Darkmailer scripts currently on the web server. NOTE: Many Darkmailer operators cause the Darkmailer scripts to be removed either after they're used, or even during their use. If you cannot find the scripts, this does NOT mean that the CBL is in error in this listing NOR does it mean that you are not presently vulnerable to another Darkmailer infection.
    3. Change the passwords of every userid identified as performing FTP uploads, and warn these users that their passwords had been compromised by a keylogger infection. They need to run anti-virus software on their computers.
       NEW WARNING: we're getting indications that once initially compromised by FTP, the attackers are uploading alternate file transfer programs that do not rely on the user's password. See below under "r57shell".
    4. Implement port 25 blocking so that only your mail server software userid can make outbound port 25 connections from this machine.
    Darkmailer/DirectMailer Background
    
    This detection is that of a spammer who has broken into your web server (usually) via cracked or keylogged FTP credentials. Once they've logged in via FTP, they install perl scripts that do the spamming. These perl scripts are usually installed in a cgi-bin directory, and present (usually) a Russian language spam control panel that the spammer can use to blast out large quantities of spam (most often illegal Pharmaceutical drugs or replica watches).
    
    See, for example, Darkmailer in Wikipedia and this thread in the CPanel Forum.
    
    CPanel and Plesk installations on Linux are the usual targets of this attack, but the reality is that ANY web server on ANY operating system capable of running Perl CGIs and permitting uploads is susceptible to this problem. We've seen it on Solaris or FreeBSD, we've seen it on Windows, we've seen it uploaded with FrontPage, we've seen it under many different web server packages.
    
    You can often identify this (on UNIX/Linux systems) by doing "ps" (process status) and finding many (often 10 or more) long-running processes named ".cgi", ".php" or ".pl" that are owned by the same user as your web server instance. As an example, one infectee saw 25 copies of a "dm.cgi" program running under his Apache server's userid. But this will only help if the script is currently running.
    
    Another approach is running the command "netstat -nap" as root. Lines like this (with random program names rather than your MTA software) show the Darkmailer software in operation:
    
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address   State       PID/Program name
    tcp    0     1 192.168.2.2:58246 212.69.102.240:25 SYN_SENT    12614/b.pl      
    tcp    0     0 192.168.2.2:35843 209.85.201.27:25  ESTABLISHED 7996/ciwhcnsb.pl
    tcp    0     0 192.168.2.2:53051 81.13.48.2:25     TIME_WAIT   -
    tcp    0     0 192.168.2.2:53623 77.243.121.126:25 TIME_WAIT   -
    tcp    0     0 192.168.2.2:57816 217.13.210.81:25  TIME_WAIT   -
    tcp    0     1 192.168.2.2:50531 217.16.16.81:25   SYN_SENT    12270/nxhbo.pl  
    tcp    0     0 192.168.2.2:52437 217.198.11.26:25  TIME_WAIT   -
    tcp    0     1 192.168.2.2:50140 195.64.222.2:25   SYN_SENT    9273/yzezihd.pl 
    
    Foreign addresses that end with ":25" indicate _outbound_ email connections. TIME_WAIT means the connection has been shutdown, but other states indicate active outbound connections. You may not be able to find the program names (eg: b.pl, ciwhcnsb.pl, nxhbo.pl etc) on your file system, because they deleted themselves immediately after starting. But you will be able to find the process via "ps" based on process id (PID).
    
    Again, this ONLY works if you catch it while it is running. See the next paragraph:
    
    The spammers run this spamware in several different ways. The first way is that the spammer simply uploads the software and runs it at will. You will sometimes be able to find these in the cgi-bin directory. The second way is that they upload the software, run it, and then delete it (perhaps when it's STILL running). You won't be able to find the files in the cgi-bin. Either way if you don't secure your system, the spammer can just do it again at any time.
    Checking FTP logs/Securing Users
    
    Normally, web hosting environments log FTP uploads, often in /var/logs/syslog, /var/log/messages or some similar file.
    
    For example, these are some logs an administrator found from a Darkmailer infection - notice how it was deleted after every upload:
    
    Mar  4 04:02:11 enam pure-ftpd: (example@117.41.229.131) [NOTICE]
    /home2/example//public_html/rocker/dark.cgi uploaded  (74627 bytes,
    126.66KB/sec)
    Mar  4 05:03:54 enam pure-ftpd: (example@117.41.229.131) [NOTICE] Deleted
    dark.cgi
    Mar  4 07:04:42 enam pure-ftpd: (example@117.41.229.131) [NOTICE]
    /home2/example//rocker/dark.cgi uploaded  (74627 bytes, 122.25KB/sec)
    Mar  4 07:11:43 enam pure-ftpd: (example@117.41.229.131) [NOTICE] Deleted
    dark.cgi
    
    Assuming you're running some flavor of UNIX, simply grep the log file for "ftp", "cgi", "\.pl" or "php" and see if you can identify such log records. The CGI scripts are usually around 74K bytes in size. There is frequently also an upload of small test script (around 1-2K) called "test.pl" that the spammer uses to test whether the big script will work. Sometimes the spammer uploads the files under different names and renames them by FTP to an executable suffix (like ".cgi" or ".php" etc). So your grep may only find the rename commands.
    
    We are providing Law Enforcement with whatever intelligence we can find about where these come from, so, please forward such log records to us - the timestamps (tell us what timezone you are in) and IP addresses are the most important.
    
    It's not always FTP that is used to upload these scripts. Eg: scftp, rsync, rcp, server-side FrontPage extensions etc. We have reports of the scripts being uploaded via a Joomla vulnerability. Check their logs, and disable any access that you/your customers do not really need.
    
    The account used ("example" in the above example) will tell you which users' passwords have been compromised. Reset their passwords and warn them that their computer is probably compromised with a spam trojan and they should run anti-virus software to find it.
    
    Unfortunately, anti-virus software has fallen FAR behind in being able to find such things, so, the user telling you that A-V didn't find an infection doesn't prove anything. Such users should reformat their computers and reinstall from trusted media.
    
    It's possible that SOME of these users are the spammer, so you may be tempted to terminate their account. Don't do that - once you configure your firewall correctly, it doesn't matter. If they aren't the spammer, they'll continue to be your customer and will be unaffected by the firewall change. If they are the spammer, they'll leave on their own because the firewall prevents them spamming.
    Finding and removing the Darkmailer scripts
    
    If you find the FTP (or other) logs, that will tell you where the scripts were placed. You will still need to scan the cgi-bin and other directories to find any other copies. Remember that these files are usually around 74K in size, so that will help you find them quicker. Remove them if they still exist.
    Securing your server from future Darkmailer infections
    
    You MUST configure your web server to prevent DarkMailer/DirectMailer infections being able to spam the Internet. Once you've done this correctly, it doesn't matter whether the spammer can still upload this malware, they can't spam with it, so they'll leave you alone.
    
    There are a variety of ways to do this. In short, you're implementing a firewall restriction that only permits root and the mail server userid to make outbound port 25 (email) connections. You can either do it yourself with a software firewall, or, use third party software to do the same thing.
    
    configserver.com has a variety of products and services that can deal with this issue. Note that the CBL has no connection whatsoever with ConfigServer. If you know of other software packages that can deal with Darkmailer please let us know and we'll mention them here.
    
    The most commonly used ConfigServer product appears to be ConfigServer Security and Firewall (CSF) and it's FREE. The feature you want to turn on is "CSF SMTP_BLOCK" which, as far as we can tell, does exactly the firewall restrictions we describe above.
    
    Another product that ConfigServer offers is ConfigServer eXploit Scanner (CXS). This software is not free ($75 regular price, currently $50). This software monitors FTP uploads in real-time, will automatically detect Darkmailer and other malicious downloads, and remove them.
    
    Most Cpanel implementations already have something called "SMTP Tweak" (aka "WHM SMTP Tweak") available. It apparently doesn't do the firewall configuration we describe, but it wouldn't hurt to turn it on too.
    
    If necessary, you can implement the firewall restrictions yourself without using any extra software.
    
    iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
    
    You may need to add or change the "-m owner ... ACCEPT" to be consistent with your mail server. Eg: you'll need different entries for Qmail.
    
    You will also have to ensure that these iptables commands are executed every time the system reboots, perhaps by an init script.
    
    If you're using cPanel and APF, APF by default will wipe out iptables rules you enter manually leaving the server vulnerable. If you are using APF, you should make the above change via APF and that will take care of reissuing the commands upon reboot or reset.
    
    Note: in some virtual hosting environments, the above commands will return error messages. This generally means that the host (not virtually hosted) operating system does not support the iptables kernel modules. If you do get such errors, make sure that the base operating system has the iptables module fully installed.
    r57shell Infestations
    
    In one case, it turned out to be a file called "info.php" in the user's images directory. Info.php turned out to be a modified copy of the "r57shell" PHP script which provides a backdoor through which an attacker can do virtually anything on your web server.
    
    Thus, even though you have changed the passwords, the spammer could still upload the spamming scripts at will - this was found by noticing invocations of the PHP file in the web server logs from the same IP address the original FTP connections came from. You will need to search for such files as well, and we recommend preventing the execution of scripts (.php, .pl, .cgi, etc) in directories that do not need it. Eg: only the cgi-bin directory should permit execution. Nullamatix has a discussion on some simple ways to find r57shell.
    
    It is known that Symantec EndPoint Protection can detect the original r57shell. The index.php file described above was a modified r57shell, and SEP doesn't detect it. A handful of AV detectors detect it as Backdoor.PHP.Rst!, but this doesn't help on Linux/UNIX. Note in particular that ClamAV does not detect the "info.php" variant mentioned above.
    
    If you don't need PHP capabilities in your web server, turn it off. Or consider enabling it only for specific hostings that need it.
    WARNING: If you continually delist ###.###.###.### without fixing the problem, the CBL will eventually stop allowing the delisting of ###.###.###.###.
    
    If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
    Now I have a question. These reseller plans can also come with a dedicated IP. If we get a dedicated IP, can we move our reseller mail server onto it, so that the IP is ours alone?!
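The FTP-log check that the CBL text above describes (grep for uploads of .cgi/.pl/.php files, the ~74K script size, the small test.pl, and an upload followed by a quick delete) written out as a small Python triage script. This is an added example, not code from the thread or from the CBL; the log lines, hostname, account names, IPs and paths are constructed, and the log year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample in the pure-ftpd NOTICE format quoted above (syslog writes
# each record on one line; hostname, accounts, IPs and paths are made up).
FTP_LOG = """\
Mar  4 04:02:11 enam pure-ftpd: (example@203.0.113.10) [NOTICE] /home2/example//public_html/rocker/dark.cgi uploaded  (74627 bytes, 126.66KB/sec)
Mar  4 04:02:30 enam pure-ftpd: (example@203.0.113.10) [NOTICE] /home2/example//public_html/rocker/test.pl uploaded  (1410 bytes, 12.01KB/sec)
Mar  4 05:03:54 enam pure-ftpd: (example@203.0.113.10) [NOTICE] Deleted dark.cgi
Mar  4 09:15:02 enam pure-ftpd: (alice@198.51.100.7) [NOTICE] /home2/alice//public_html/logo.png uploaded  (8120 bytes, 90.10KB/sec)
"""

_PREFIX = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \((\S+)@(\S+)\) \[NOTICE\] "
UPLOAD = re.compile(_PREFIX + r"(\S+) uploaded +\((\d+) bytes")
DELETE = re.compile(_PREFIX + r"Deleted (\S+)")
SCRIPT_EXT = (".cgi", ".pl", ".php")
LOG_YEAR = 2012  # assumed: syslog timestamps carry no year


def _ts(stamp):
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def triage_ftp_log(text, delete_window_hours=3):
    """One finding per script upload, with the reasons it resembles a Darkmailer drop."""
    uploads, deletes = [], []
    for line in text.splitlines():
        if m := UPLOAD.match(line):
            stamp, acct, ip, path, size = m.groups()
            uploads.append((_ts(stamp), acct, ip, path, int(size)))
        elif m := DELETE.match(line):
            stamp, acct, _ip, name = m.groups()
            deletes.append((_ts(stamp), acct, name))
    findings = []
    for when, acct, ip, path, size in uploads:
        name = path.rsplit("/", 1)[-1]
        if not name.lower().endswith(SCRIPT_EXT):
            continue  # images, HTML and the like are not what we are after
        reasons = ["script upload"]
        if 70_000 <= size <= 80_000:
            reasons.append("size matches Darkmailer (~74K)")
        if size <= 2048:
            reasons.append("small test script (~1-2K)")
        # Upload followed by deletion of the same file name, by the same account,
        # is the pattern shown in the CBL's sample log.
        gaps = [d[0] - when for d in deletes
                if d[1] == acct and d[2] == name
                and 0 <= (d[0] - when).total_seconds() <= delete_window_hours * 3600]
        if gaps:
            reasons.append("deleted %d min after upload" % (gaps[0].total_seconds() // 60))
        findings.append({"account": acct, "ip": ip, "path": path, "size": size, "reasons": reasons})
    return findings


def compromised_accounts(findings):
    """Accounts whose passwords must be reset (checklist step 3)."""
    return sorted({f["account"] for f in findings})
```

Run it against the real log (on this thread's systems /var/log/messages or the pure-ftpd log) instead of FTP_LOG; the account list is what goes into the password resets, and the findings are the records the CBL asks you to forward.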
