TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath

Outbound mail server Spoofed.

I currently outsource my company's webserver to HG. Yesterday I started to get bounce-backs from Mail Daemon on messages being returned. Upon reading the messages (over 90 of them in 3 hours) I realized I was either hacked or spoofed. I contacted the company, and basically there is nothing they can or are willing to do except turn on DomainKeys for inbox spam filtering and SPF, yet I still have the problem.

I never had the problem with other hosts (Google Apps, Outlook.com/Office 365, etc.), as they generally used SSL for outgoing mail servers, etc. HG uses a regular login - no protection to send using a mail client.

I've come to realize I would probably be best off moving my website. Does anyone agree with me on moving, or ?????


Oedipus

join:2005-05-09
kudos:1

I certainly would look into it. I recommend Appriver, personally.


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath

Thanks! I prefer to outsource due to redundancy and to allow someone else to have the headache, even though I can host internally on my own T1. But this makes me start thinking about what I'm going to move in house. Especially my email, since my private/personal email is the one attached to the spam messages and not a general or catch-all email.


nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to TBBroadband

Is the mail spoofed, or have they actually gained access to your outgoing mail server?


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath

HostGator has claimed it's being spoofed. I don't have anything in my sent folders and I only have 2 accounts - the default account and my own account. The emails are showing my personal account as the sender in the "reply to" field. Here is a copy and paste of one of the emails --- well, part of the email.

This is one that was sent to an AT&T customer/user that bounced back:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

steph404@bellsouth.net
SMTP error from remote mail server after initial connection:
host gateway-f2.isp.att.net [207.115.11.16]: 550-50.97.101.199 blocked by ldap:ou=rblmx,dc=att,dc=net
550 Error - Blocked for abuse. See »att.net/blocks

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from [203.109.245.253] (port=19080 helo=server2008.BRUSTICS.local)
by vinaXXXXX.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from )
id 1TZunN-0000IM-OW
for steph404@bellsouth.net; Sat, 17 Nov 2012 20:39:42 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 15:39:37 +1300
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook Express 7.02.3157.3188
From: kyle@pugzXXXX.com (i edited my domain)
Reply-To: Michalekei710@hotmail.com
To: steph404@bellsouth.net
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to nonymous

Here is the latest one that shows that it was spoofed:

Reporting-MTA: dns; gatewayXX.websitewelcome.com
X-Postfix-Queue-ID: 282E1897E94A6
X-Postfix-Sender: rfc822; kyle@pugzXXXXX.com
Arrival-Date: Sat, 17 Nov 2012 21:58:50 -0600 (CST)

Final-Recipient: rfc822; joachim@jrbusiness.se
Action: failed
Status: 5.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
for name=jrbusiness.se type=A: Host not found

Return-Path:
Received: by gatewayXX.websitewelcome.com (Postfix, from userid 5007)
id 282E1897E94A6; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from vinacXXXX.websitewelcome.com (vinacXXXX.websitewelcome.com [50.97.101.199])
by gatewayXX.websitewelcome.com (Postfix) with ESMTP id 1D679897E9486
for ; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=pugzXXXX.com; s=default;
h=Message-ID:Content-Transfer-Encoding:Content-Type:To:Reply-To:From:Subject:Date:MIME-Version; bh=oPiuRkyWuObK/ivNhY7v46UF9VBuUOKsVr88zlDnlQM=;
b=Q87mMeN/iUCJRU2FIHxveDxMgzMM7w34DAo47MxdpzmCytc/9bpPr7R4IORhRInYYLbAL7xwuuI/FLKw2FovuB2xOksWl3dTevaCsV7KXuSkh9ZQN2e90jgo1VZ+cY60;
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk)
by vinacXXXn.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from )
id 1TZw1x-0000hb-Io
for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 11:46:35 +0800
X-Priority: 3 (Normal)
X-Mailer: Apple Mail (3.619)
Subject: transportation} firm
From: kyle@pugzXXXXX.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vinacXXXXX.websitewelcome.com
X-AntiAbuse: Original Domain - jrbusiness.se
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - pugzXXXXX.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (SPORTSMARK-SRV.sportsmark.com.hk) [220.246.40.143]:1546
X-Source-Auth: kyle@pugzXXXX.com
X-Email-Count:
X-Source-Cap: cHVnZ3k7dHJheGxlcjt2aW5hY29taW4ud2Vic2l0ZXdlbGNvbWUuY29t
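
An added example (not code from the thread, HostGator or cPanel) of the triage a mail admin does on a bounce like the ones quoted above: parse the Received chain, find the hop where the message entered the mail system, and check whether that hop was an authenticated submission. The sample headers are copied from the bounce above with the poster's domain masking kept; the protocol tags `esmtpa`, `esmtpsa` and `asmtp` are the values Exim records when SMTP AUTH was used, and `X-Source-Auth` is the cPanel/Exim header naming the login that was used. The function names and the verdict wording are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the bounce quoted in the post above (the poster's
# domain masking is kept). Only the headers relevant to triage are included.
SAMPLE_BOUNCE_HEADERS = """\
Return-Path:
Received: by gatewayXX.websitewelcome.com (Postfix, from userid 5007)
    id 282E1897E94A6; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from vinacXXXX.websitewelcome.com (vinacXXXX.websitewelcome.com [50.97.101.199])
    by gatewayXX.websitewelcome.com (Postfix) with ESMTP id 1D679897E9486
    for ; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk)
    by vinacXXXn.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
    (Exim 4.80)
    (envelope-from )
    id 1TZw1x-0000hb-Io
    for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
From: kyle@pugzXXXXX.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
X-Source-Sender: (SPORTSMARK-SRV.sportsmark.com.hk) [220.246.40.143]:1546
X-Source-Auth: kyle@pugzXXXX.com
"""

# Exim's $received_protocol values whose trailing/leading 'a' means SMTP AUTH succeeded.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp"}
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(value):
    """Pull the from/by/with fields out of one (possibly folded) Received header."""
    text = " ".join(value.split())  # unfold continuation lines
    m_from = re.match(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_with = re.search(r"\bwith\s+(\S+)", text)
    ip = None
    if m_from:
        # Prefer the address the receiving MTA recorded in parentheses over the
        # name the client announced in HELO, because the client controls the latter.
        for candidate in (m_from.group(2) or "", m_from.group(1)):
            m = IPV4_RE.search(candidate)
            if m:
                ip = m.group(1)
                break
    return {
        "from": m_from.group(1).strip("[]") if m_from else None,
        "ip": ip,
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1).lower() if m_with else None,
    }


def triage(raw_headers):
    """Classify a bounced message as an authenticated submission or a forged From."""
    msg = message_from_string(raw_headers)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    # Each MTA prepends its own Received header, so the last one in the list is
    # the first hop: the point where the message entered the mail system.
    entry = hops[-1] if hops else {"ip": None, "by": None, "with": None}
    auth_hop = next((h for h in hops if h["with"] in AUTH_PROTOCOLS), None)
    auth_user = msg.get("X-Source-Auth")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if auth_hop or auth_user:
        verdict = ("authenticated submission: accepted with a valid login on the "
                   "hosting server, so that credential needs rotating")
    elif entry["ip"]:
        verdict = ("forged From only: no authorized server relayed it, so SPF/DKIM "
                   "checks at the receivers are the available lever")
    else:
        verdict = "undetermined: no Received chain to analyse"
    return {
        "hops": len(hops),
        "entry_ip": entry["ip"],
        "entry_protocol": entry["with"],
        "authenticated": bool(auth_hop or auth_user),
        "auth_user": auth_user,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE_HEADERS).items():
        print(f"{key:>18}: {value}")
```

Run as-is it prints the triage of the quoted bounce; swap in another bounce's headers to compare. The `reply_to_mismatch` flag is only a weak spam indicator on its own, but together with an `esmtpsa` entry hop it tells you which question to ask the host first.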


WireHead
I drive to fast
Premium
join:2001-05-09
Muncie, IN
reply to TBBroadband

Like you said, I did not see any SPF in there that will help hosts that receive the sent mail reject it instantly. Can't look up your domain since you xxx'd it out. It'd be worth checking into the block lists after you get it sorted out and seeing if anyone is now rejecting you.
--
Retired BBR Team Starfire Team Q III Host
Live by chance. Love by choice. Kill by profession.



urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to TBBroadband

I have the same situation with one of my domains, and basically I enabled SPF and that's all I can do. I analyze all the bounce-backs and it's not originating from my location (based on the IPs of the senders and the fact that I get the SPF failure bounce-back as well).

This has nothing to do with the host and everything to do with the internet.


nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to TBBroadband

I use Google Apps for my home use. I had asked almost the same question in Security recently. Knew they were spoofed though and not coming from my Google Apps account. Did and do have SPF and DomainKeys set up and working.
The answer was it happens and nothing besides SPF and DomainKeys will help verify my own email. It will not stop the spoofing.

Just wanted to confirm you were not hacked. As you said, hacked or spoofed. As said, I did not get any way to stop the spoofing.


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath

Since they were using my mail server, if HostGator would have had SSL turned on by default I don't see how this would have gone through, since the emails were going directly through my server. They also claim that I would not see them in my "sent" folder on webmail due to the items being sent through a client. Which I told them before: I do NOT use client email programs, for security. But they kept blaming my computer and still did in the end. They refused to take any responsibility for it. The only way they deploy SSL is on webmail, which is total BS since I found out from their own "abuse team" that their outgoing mail servers are listed on their website and state that no encryption is required. *smh*


TBBroadband

join:2012-10-26
Fremont, OH
reply to WireHead

I checked and didn't see anything. But the domain is: pugzbrand.com


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to urbanriot

I blame the host, as they claim my information was stolen, but then they admit that they do not require any security when using a mail client. Just put in their default server information and you're good to go. If they would have set up SSL I don't think I would have had this problem.

I have used Google Apps, Outlook.com, DreamHost, HostPapa, FatCow and never had this problem until this last Friday with HostGator, who puts EVERYTHING on their "help site" so they don't have to provide support. It even took 3 calls and "online chats" to get a ticket created for the abuse department. Otherwise the poorly trained reps would just pass the buck after 1 hour+ on hold and say it was fixed.



WireHead
I drive to fast
Premium
join:2001-05-09
Muncie, IN

I can't imagine unencrypted mail servers..

The horror..
The horror..


H_T_R_N
Premium
join:2011-12-06
Valencia, PA
kudos:1
reply to TBBroadband

Easy-to-guess password? I always assign passwords so that they don't end up being easy.


TBBroadband

join:2012-10-26
Fremont, OH

Nope. I always use my driver's license number with special marks afterwards.


TBBroadband

join:2012-10-26
Fremont, OH
reply to WireHead

It is an issue when they're wide open and anyone can send email through them. That does become a big issue. Especially when it becomes a hosting customer's problem when the host won't help correct their mistakes.



urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to TBBroadband

Even with SPF turned on, you still have servers on the internet firing off spam in your name and there's nothing you can do to stop it. SPF doesn't stop people from sending; it bounces back from the servers that support SPF and look up your domain, and even then, much of the internet doesn't even support SPF.


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath

I know that it would do nothing. It was the fact that HostGator's answer to fix the problem was to turn on DomainKeys (which is used for incoming mail) and SPF. None of which would really correct the problem.

After rebuilding the server and changing the IP that was assigned to it, the SPAM did stop, but the fact is, I pay them to manage the server and all, and nothing was done but passing the buck.

Then I asked: would anyone consider changing hosts after they refused to help and just kept passing the buck? I've debated about putting it back on my own T1 in house again.



izy
Premium,MVM
join:2000-09-21
endless loop
kudos:2

said by TBBroadband:

Then I asked: would anyone consider changing hosts after they refused to help and just kept passing the buck? I've debated about putting it back on my own T1 in house again.

Best idea in this thread so far. Host your own email and use a 3rd party to filter spam.

Still, nothing you can do to prevent spammers from using a return address on your domain other than SPF.
--
"Intellectuals solve problems, geniuses prevent them." Einstein
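
An added example, not code from the thread, illustrating the point urbanriot and izy make about SPF: an offline evaluator for the SPF mechanisms that need no DNS (`ip4`, `ip6`, `all`) and the four qualifiers from RFC 7208. The record is constructed for illustration (the thread never shows the real one) and authorizes only the shared hosting server that appears in the bounce headers earlier in the thread. Run against the IPs from those bounces, it shows both halves of the caveat: a receiver that checks SPF gets `fail` when a spammer connects to it directly, but `pass` for mail that was relayed through the authorized hosting server, which is why SPF by itself does not help when the mail left through the host's own outgoing server. The function names are this example's own.

```python
from ipaddress import ip_address, ip_network

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for illustration; the thread never shows the real one.
# It authorizes only the shared hosting server seen in the bounce headers.
EXAMPLE_RECORD = "v=spf1 ip4:50.97.101.199 -all"


def parse_spf(record):
    """Split an SPF TXT record into (result, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:
            # redirect= / exp= modifiers need DNS; skipped by this offline checker
            continue
        qualifier = "+"  # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), argument))
    return mechanisms


def check_spf(record, client_ip):
    """Evaluate the connecting MTA's IP against the record; DNS mechanisms raise."""
    ip = ip_address(client_ip)
    for result, name, argument in parse_spf(record):
        if name == "all":
            return result  # 'all' always matches, so it ends evaluation
        if name in ("ip4", "ip6"):
            network = ip_network(argument, strict=False)  # bare IP means /32 or /128
            if network.version == ip.version and ip in network:
                return result
            continue
        raise NotImplementedError(f"'{name}' needs a DNS lookup; not supported offline")
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present


def demo():
    """IPs from the bounces in the thread: the spammer's client and the hosting server."""
    return {
        "spammer_direct": check_spf(EXAMPLE_RECORD, "220.246.40.143"),
        "via_hosting_server": check_spf(EXAMPLE_RECORD, "50.97.101.199"),
        "softfail_record": check_spf("v=spf1 ip4:50.97.101.0/24 ~all", "203.109.245.253"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {result}")
```

Only receivers that evaluate SPF act on the result, and what they do with `softfail` versus `fail` is local policy, which is the "much of the internet doesn't even support SPF" part of urbanriot's point.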

H_T_R_N
Premium
join:2011-12-06
Valencia, PA
kudos:1
Reviews:
·voip.ms
reply to TBBroadband

said by TBBroadband:

Nope. I always use my driver's license number with special marks afterwards.

Did you check to see if you were an open relay?

If you only have 2 email addresses, why in the world would you outsource that? Share an IP address with a lightly used one you have on your T1.

tomdlgns
Premium
join:2003-03-21
Chicago, IL
kudos:1
reply to TBBroadband

My question is.... why are you still with HostGator?

Also, with that small number of users, you are better off using hosted Exchange from another provider (or using Google Apps, free for 10 users or less).



PToN
Premium
join:2001-10-04
Houston, TX
reply to TBBroadband

It looks like backscatter to me. We had some of that going on earlier this year. Tuning up the spam filter to actually check for backscatter solved the problem.


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to tomdlgns

I am moving away from HG right now. My question was basically if it was just me.

I used to use Google Apps but ran into problems with a couple of my domains. A couple of the domains that were tied to the account would stop working. So that was when I made the move. But I'm working on bringing my websites in house and working with another company on creating my own "cloud" as a back-up.


TBBroadband

join:2012-10-26
Fremont, OH
reply to izy

The spammers were actually sending through the mail server. But they still claim that since it was a shared server they're unable to implement any security on the POP/IMAP/SMTP server as it would "break" the internet and their servers.


TBBroadband

join:2012-10-26
Fremont, OH
reply to H_T_R_N

That domain only has 2 email addresses. I was hosting about 15 websites with them. They had everything as far as my websites and emails.


TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to PToN

The problem with doing much with HG is they're at the power of everything, especially on a shared/rented machine that wasn't dedicated. But hopefully everything will be fully taken away from there this week as planned and moved over. I have a huge billing system there on WHMCS that is currently being backed up and moved to my T1. And that will be the last thing.


unixwolf

join:2007-05-04
Flower Mound, TX
reply to TBBroadband

You got "Joe Jobbed"