My IP is on blacklists. How could I detect the abused mail forms?
Posted by albatroz, 06-13-2009, 02:09 PM |
My IP is on blacklists. How can I detect the abused mail forms?
Using the RBL query tools of mxtoolbox.com I found that the IP
of one of my email servers (207.58.136.41) is on blacklists.
However one of the most useful reports is this one
http://anti-spam.org.cn/Rbl/Query/De...=207.58.136.41
Although it is in Chinese, it allows one to see the source of the emails
that were detected as spam. I would like to use this info for detecting
the abused forms. Any ideas on how that could be done?
I use Exim mail server, and have access to the log files.
|
Posted by acctman, 06-13-2009, 02:32 PM |
Easiest solution: request another IP from your hosting provider or your ISP, depending on where the blacklisted IP is from. Blacklists are shared and passed around, so it would be more difficult trying to get removed.
|
Posted by miscellaneous, 06-13-2009, 03:44 PM |
I don't care to be the bearer of bad news, but I think the suggestion that you get your ISP to assign a new IP address is a good idea.
You might want to see this:
http://www.projecthoneypot.org/ip_207.58.136.41
Sorry.
|
Posted by alanzkorner, 06-14-2009, 09:54 AM |
It's not a big issue. I am a server admin. Just make a request to the blacklist community that reported your IP is on a blacklist to remove it, with some explanation that you have removed the cause of the spam. Just check and see if there are any PHP scripts used for mass mailing in any of your domains. That can be one reason to get blacklisted. Again, see if your domains have SPF records. If not, try to set them. Also check the Exim mail log to see if a high volume of mails has flown out at any time. You can also use eximstats for this.
Alan
|
Posted by alanzkorner, 06-14-2009, 10:26 AM |
Fact is that if we don't find the cause, assigning a new IP is not a permanent solution.
Alan
|
Posted by fog, 06-14-2009, 01:47 PM |
Is this a shared hosting server? It could very well be an abused mail form, but it could also be a malicious user who signed up and is directly sending mail through his account.
I take it you're running Linux? Do you have a control panel (like cPanel) or is it "straight" Linux?
You can try a few things... One is to just watch what's written to the log file:
tail -f /var/log/exim.log (substitute the actual path if /var/log/exim.log isn't the log file)
You might also try searching for some of the strings in the spam in the logs, like:
grep "montrealtractor.com" /var/log/exim.log
But if you think it's a webmail script being abused, I'd look at the webserver (Apache?) logs instead of the Exim logs, which should help you map it up to a webpage.
|
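The approach fog describes (local submissions in the Exim log, then the web server log to map them to a page) can be automated. The script below is an added example, not code from the thread: it picks out Exim arrivals with P=local (messages handed in by a local process such as a PHP script), then attributes each one to the nearest preceding POST in an Apache combined-format access log, so the path that collects the most messages is the likely abused form. The log lines, host names and IPs are constructed samples, and the script assumes both daemons log in the same timezone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Exim mainlog arrival: "<= sender U=unixuser P=local S=bytes". P=local marks a message
# handed in by a local process (e.g. PHP calling sendmail) rather than received over SMTP.
EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) .*?U=(\S+) P=(\S+)")
# Apache combined log: client IP, timestamp, method and path are all we need.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')

def parse_exim_local_arrivals(lines):
    """Yield (timestamp, message id, sender, unix user) for each P=local arrival."""
    for line in lines:
        m = EXIM_RE.match(line)
        if m and m.group(5) == "local":
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   m.group(2), m.group(3), m.group(4))

def parse_apache_posts(lines):
    """Yield (timestamp, client IP, path) for every POST; the TZ offset is ignored."""
    for line in lines:
        m = APACHE_RE.match(line)
        if m and m.group(3) == "POST":
            yield (datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S"),
                   m.group(1), m.group(4))

def suspect_forms(exim_lines, apache_lines, window=timedelta(seconds=3)):
    """Attribute each local submission to the nearest POST that preceded it within
    `window`; the path collecting the most messages is the likely abused form."""
    posts = list(parse_apache_posts(apache_lines))
    hits = Counter()
    for ts, *_ in parse_exim_local_arrivals(exim_lines):
        cands = [(pts, path) for pts, _ip, path in posts if pts <= ts <= pts + window]
        if cands:
            hits[max(cands)[1]] += 1
    return hits

# Constructed sample lines (not from the thread); 198.51.100.7 plays the abuser.
EXIM_SAMPLE = """\
2009-06-13 14:09:01 1MFAbc-0001Fg-2x <= www-data@srv.example U=www-data P=local S=1180
2009-06-13 14:09:02 1MFAbd-0001Fh-3y <= www-data@srv.example U=www-data P=local S=1182
2009-06-13 14:09:05 1MFAbe-0001Fi-4z <= alice@srv.example U=alice P=local S=640
2009-06-13 14:10:00 1MFAbf-0001Fj-5a <= bob@example.org H=(mx.example.org) [192.0.2.9] P=esmtp S=2048
""".splitlines()
APACHE_SAMPLE = """\
198.51.100.7 - - [13/Jun/2009:14:09:00 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2009:14:09:01 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2009:14:09:04 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()
```

On a real server, feed it the Exim mainlog and the access logs of every virtual host, and treat the top path (and the client IPs posting to it) as the place to start reading the script's code.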
Posted by fog, 06-14-2009, 01:50 PM |
Oh, how long have you had this IP? Both of the blacklist links look like the mail was sent out a few months ago. If you owned the machine back then, find the problem using what I described. (Or other tactics.) But if you've only had this IP for a couple weeks, it sounds like you got an IP that was already in blacklists.
|
Posted by miscellaneous, 06-14-2009, 05:36 PM |
Excellent point and I should have thought of that when I did my post, but being in too much of a hurry caused me not to use what little brain power I have. Sorry about that, albatroz.
|