|
to TBBroadband
Re: Outbound mail server spoofed. You got "Joe Jobbed" |
|
|
to PToN
The problem with doing much with HG is that they're in control of everything, especially on a shared/rented machine that isn't dedicated. But hopefully everything will be fully moved away from them this week as planned. I have a huge billing system there on WHMCS that is currently being backed up and moved to my T1. That will be the last thing. |
|
TBBroadband |
to H_T_R_N
That domain only has 2 email addresses. I was hosting about 15 websites with them. They had everything as far as my websites and emails. |
|
TBBroadband |
to izy
The spammers were actually sending through the mail server. But they still claim that since it was a shared server they're unable to implement any security on the POP/IMAP/SMTP server, as it would "break" the internet and their servers. |
|
|
TBBroadband |
to tomdlgns
I am moving away from HG right now. My question was basically if it was just me.
I used to use Google Apps but ran into problems with a couple of my domains. A couple of the domains that were tied to the account would stop working, so that was when I made the move. But I'm working on bringing my websites in house and working with another company on creating my own "cloud" as a backup. |
|
PToN Premium Member join:2001-10-04 Houston, TX |
to TBBroadband
It looks like backscatter to me. We had some of that going on earlier this year. Tuning up the spam filter to actually check for backscatter solved the problem. |
|
|
to TBBroadband
My question is... why are you still with HostGator?
Also, with that small number of users, you are better off using hosted Exchange from another provider (or using Google Apps, free for 10 users or less). |
|
H_T_R_N (banned) join:2011-12-06 Valencia, PA |
to TBBroadband
said by TBBroadband: "Nope. I always use my driver's license number with special marks afterwards."
Did you check to see if you were an open relay? If you only have 2 email addresses, why in the world would you outsource that? Share an IP address with a lightly used one you have on your T1. |
|
izy MVM join:2000-09-21 endless loop ProCurve (HP) V1810-24g SonicWALL TZ215 Ubiquiti UniFi AP-LR
|
to TBBroadband
said by TBBroadband: "Then I asked: would anyone consider changing hosts after they refused to help and just kept passing the buck? I've debated putting it back on my own T1 in house again."
Best idea in this thread so far. Host your own email and use a 3rd party to filter spam. Still, there's nothing you can do to prevent spammers from using a return address on your domain other than SPF. |
|
|
to urbanriot
I know that it would do nothing. It was the fact that HostGator's answer to fix the problem was to turn on domain keys (which is used for incoming mail) and SPF, none of which would really correct the problem.
After rebuilding the server and changing the IP that was assigned to it, the spam did stop, but the fact is, I pay them to manage the server and all, and nothing was done but passing the buck.
Then I asked: would anyone consider changing hosts after they refused to help and just kept passing the buck? I've debated putting it back on my own T1 in house again. |
|
|
to TBBroadband
Even with SPF turned on, you still have servers on the internet firing off spam in your name and there's nothing you can do to stop it. SPF doesn't stop people from sending; it bounces back from the servers that support SPF and look up your domain, and even then, much of the internet doesn't even support SPF. |
|
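An added example for the SPF discussion in the two replies above (it is not from the thread, and it is not the poster's or HostGator's DNS): a small SPF evaluator run against a constructed record set. The zone names and ranges are constructed; only two IPs are taken from the bounce headers posted later in this thread, the hosting relay 50.97.101.199 and the client 220.246.40.143 that submitted through it. The point it demonstrates is the one made above: mail relayed through the domain's own authorized server passes SPF, a direct forgery from an unlisted IP fails, and either way only receivers that actually check SPF do anything with the result.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed offline DNS table.

Added example; the records, hostnames and most IPs below are constructed.
Only 50.97.101.199 (hoster relay) and 220.246.40.143 (submitting client)
come from the bounce headers posted in this thread.
"""
import ipaddress

# Constructed zone data. example-domain.test stands in for the abused domain,
# _spf.hoster.test for the hosting provider's published outbound ranges.
DNS_TXT = {
    "example-domain.test": "v=spf1 mx include:_spf.hoster.test -all",
    "_spf.hoster.test": "v=spf1 ip4:50.97.101.0/24 ip4:50.97.102.0/23 ~all",
}
DNS_MX = {"example-domain.test": ["mail.example-domain.test"]}
DNS_A = {"mail.example-domain.test": ["203.0.113.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def _hosts_match(addr, hosts):
    """True if addr equals any A record of any listed host."""
    return any(addr == ipaddress.ip_address(a) for h in hosts for a in DNS_A.get(h, []))


def check_spf(ip, domain, depth=0):
    """Evaluate the connecting IP against domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            if not arg:
                return "permerror"
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            matched = _hosts_match(addr, DNS_MX.get(arg or domain, []))
        elif mech == "a":
            matched = _hosts_match(addr, [arg or domain])
        elif mech == "include":
            inner = check_spf(ip, arg, depth + 1) if arg else "permerror"
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: missing included record is an error
            matched = inner == "pass"  # fail/softfail/neutral inside include = no match
        else:
            return "permerror"  # exists/ptr/redirect/exp are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def explain(ip, domain):
    """One-line verdict of the kind you want while reading bounce-backs."""
    result = check_spf(ip, domain)
    if result == "pass":
        return f"{ip} is an authorized sender for {domain}: SPF cannot help; check who authenticated to that relay"
    if result in ("fail", "softfail"):
        return f"{ip} is not authorized for {domain} ({result}): receivers that check SPF can reject or flag it"
    return f"SPF result '{result}' for {ip}: receivers treat the message as if no policy existed"


if __name__ == "__main__":
    for ip in ("50.97.101.199", "220.246.40.143", "203.0.113.25", "50.97.104.1"):
        print(explain(ip, "example-domain.test"))
```

The relay IP passes because the hosting provider's range is included by the domain's own record; that is exactly the case in this thread, where the spam left through the domain's assigned outbound server, so turning SPF on would not have stopped it.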
|
to WireHead
It is an issue when they're wide open and anyone can send email through them. That does become a big issue, especially when it becomes a hosting customer's problem and the host won't help correct their mistakes. |
|
TBBroadband |
to H_T_R_N
Nope. I always use my driver's license number with special marks afterwards. |
|
H_T_R_N (banned) join:2011-12-06 Valencia, PA |
to TBBroadband
Easy to guess password? I always assign passwords so that they don't end up being easy. |
|
WireHeadI drive to fast Premium Member join:2001-05-09 Muncie, IN |
to TBBroadband
I can't imagine unencrypted mail servers...
The horror... The horror... |
|
|
to urbanriot
I blame the host, as they claim my information was stolen, but then they admit that they do not require any security when using a mail client. Just put in their default server information and you're good to go. If they had set up SSL, I don't think I would have had this problem.
I have used Google Apps, Outlook.com, DreamHost, Hostpapa, Fatcow and never had this problem until this last Friday with HostGator, who puts EVERYTHING on their "help site" so they don't have to provide support. It even took 3 calls and "online chats" to get a ticket created for the abuse department. Otherwise the poorly trained reps would just pass the buck after 1 hour+ on hold and say it was fixed. |
|
TBBroadband |
to WireHead
I checked and didn't see anything, but the domain is: pugzbrand.com |
|
TBBroadband |
to nonymous
Since they were using my mail server, if HostGator had SSL turned on by default I don't see how this would have gone through, since the emails were going directly through my server. They also claim that I would not see them in my "sent" folder on webmail due to the items being sent through a client, which I told them before: I do NOT use client email programs, for security. But they kept blaming my computer and still did in the end. They refused to take any responsibility for it. The only way they deploy SSL is on webmail, which is total BS since I found out from their own "abuse team" that their outgoing mail servers are listed on their website and state that no encryption is required. *smh* |
|
nonymous (banned) join:2003-09-08 Glendale, AZ |
to TBBroadband
I use Google Apps for my home use. I had asked almost the same question in Security recently. Knew they were spoofed though and not coming from my Google Apps account. Did and do have SPF and domain keys set up and working. The answer was that it happens and nothing besides SPF and domain keys will help verify my own email. It will not stop the spoofing.
Just wanted to confirm you were not hacked. As you said, hacked or spoofed. As said, I did not get any way to stop the spoofing. |
|
|
to TBBroadband
I have the same situation with one of my domains, and basically I enabled SPF and that's all I can do. I analyze all the bounce-backs and it's not originating from my location (based on the IPs of the senders and the fact that I get the SPF failure bounce-back as well).
This has nothing to do with the host and everything to do with the internet. |
|
WireHeadI drive to fast Premium Member join:2001-05-09 Muncie, IN |
to TBBroadband
Like you said, I did not see any SPF in there that would help hosts that receive the sent mail reject it instantly. Can't look up your domain since you xxx'd it out. It would be worth checking the block lists after you get it sorted out and seeing if anyone is now rejecting you. |
|
|
to nonymous
Here is the latest one that shows that it was spoofed:
Reporting-MTA: dns; gatewayXX.websitewelcome.com
X-Postfix-Queue-ID: 282E1897E94A6
X-Postfix-Sender: rfc822; kyle@pugzXXXXX.com
Arrival-Date: Sat, 17 Nov 2012 21:58:50 -0600 (CST)

Final-Recipient: rfc822; joachim@jrbusiness.se
Action: failed
Status: 5.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error for name=jrbusiness.se type=A: Host not found

Return-Path:
Received: by gatewayXX.websitewelcome.com (Postfix, from userid 5007) id 282E1897E94A6; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from vinacXXXX.websitewelcome.com (vinacXXXX.websitewelcome.com [50.97.101.199]) by gatewayXX.websitewelcome.com (Postfix) with ESMTP id 1D679897E9486 for ; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=pugzXXXX.com; s=default; h=Message-ID:Content-Transfer-Encoding:Content-Type:To:Reply-To:From:Subject:Date:MIME-Version; bh=oPiuRkyWuObK/ivNhY7v46UF9VBuUOKsVr88zlDnlQM=; b=Q87mMeN/iUCJRU2FIHxveDxMgzMM7w34DAo47MxdpzmCytc/9bpPr7R4IORhRInYYLbAL7xwuuI/FLKw2FovuB2xOksWl3dTevaCsV7KXuSkh9ZQN2e90jgo1VZ+cY60;
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk) by vinacXXXn.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.80) (envelope-from ) id 1TZw1x-0000hb-Io for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 11:46:35 +0800
X-Priority: 3 (Normal)
X-Mailer: Apple Mail (3.619)
Subject: transportation} firm
From: kyle@pugzXXXXX.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vinacXXXXX.websitewelcome.com
X-AntiAbuse: Original Domain - jrbusiness.se
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - pugzXXXXX.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (SPORTSMARK-SRV.sportsmark.com.hk) [220.246.40.143]:1546
X-Source-Auth: kyle@pugzXXXX.com
X-Email-Count:
X-Source-Cap: cHVnZ3k7dHJheGxlcjt2aW5hY29taW4ud2Vic2l0ZXdlbGNvbWUuY29t |
|
TBBroadband |
to nonymous
HostGator has claimed it's being spoofed. I don't have anything in my sent folders and I only have 2 accounts: the default account and my own account. The emails are showing my personal account as the sender in the "reply to" field. Here is a copy and paste of one of the emails, well, part of the email. This is one that was sent to an AT&T customer/user that bounced back:

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
  steph404@bellsouth.net
    SMTP error from remote mail server after initial connection:
    host gateway-f2.isp.att.net [207.115.11.16]: 550-50.97.101.199 blocked by ldap:ou=rblmx,dc=att,dc=net
    550 Error - Blocked for abuse. See att.net/blocks
------ This is a copy of the message, including all the headers. ------
Return-path:
Received: from [203.109.245.253] (port=19080 helo=server2008.BRUSTICS.local) by vinaXXXXX.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.80) (envelope-from ) id 1TZunN-0000IM-OW for steph404@bellsouth.net; Sat, 17 Nov 2012 20:39:42 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 15:39:37 +1300
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook Express 7.02.3157.3188
From: kyle@pugzXXXX.com (I edited my domain)
Reply-To: Michalekei710@hotmail.com
To: steph404@bellsouth.net
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: |
|
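An added example, not from the thread and not HostGator's tooling, that answers nonymous's question (spoofed, or did someone get into the outgoing mail server?) from the headers in the two bounces posted above. Exim records the submission protocol in the bottom-most Received: line; `esmtpsa` means the client presented SMTP AUTH credentials over TLS, and the gateway's X-Source-Auth header names the account used. The script walks the Received: chain to the first hop and reports whether that hop was an authenticated submission, which is what decides whether SPF or DKIM could ever have helped. The two sample header sets are the thread's own bounces (redactions kept as posted, trimmed to the relevant fields); the third is a constructed forgery for contrast.

```python
"""Triage bounced-message headers: was the From: merely forged, or was the mail
submitted through the domain's own outbound server with working credentials?

Added example built around the two bounces posted in this thread (the poster's
redactions are kept as posted). The parsing and the verdict wording are the
example's own, not HostGator's tooling.
"""
import re
from email import message_from_string

# Exim 'with' protocol tokens: a trailing 'a' means SMTP AUTH succeeded,
# an 's' means the session was TLS-protected.
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp"}
TLS_PROTOCOLS = {"esmtps", "esmtpsa"}

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)(?:\s+\(([^()]*)\))?")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Describe one Received: hop, or None for a hop without a 'from' clause
    (e.g. Postfix's 'Received: by host (Postfix, from userid N)')."""
    value = " ".join(value.split())  # unfold continuation lines
    if not value.startswith("from "):
        return None
    from_part = value.split(" by ", 1)[0]
    ip, helo = IPV4_RE.search(from_part), HELO_RE.search(from_part)
    with_m, by_m = WITH_RE.search(value), BY_RE.search(value)
    proto = with_m.group(1).lower() if with_m else ""
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else from_part.split()[1],
        "by": by_m.group(1) if by_m else None,
        "protocol": proto,
        "authenticated": proto in AUTHENTICATED_PROTOCOLS,
        "tls": with_m.group(2) if with_m and proto in TLS_PROTOCOLS else None,
    }


def triage(raw_headers):
    """Locate the injection point and say whether SPF/DKIM could have helped."""
    msg = message_from_string(raw_headers)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else {}  # Received: is prepended, so last = first hop
    dkim_d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    result = {
        "from": msg.get("From", "").strip(),
        "reply_to": msg.get("Reply-To", "").strip(),
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "submission_host": origin.get("by"),
        "authenticated": bool(origin.get("authenticated")),
        "tls": origin.get("tls"),
        "auth_user": msg.get("X-Source-Auth", "").strip() or None,
        "dkim_domain": dkim_d.group(1) if dkim_d else None,
    }
    if result["authenticated"]:
        result["verdict"] = ("credentialed submission: the message entered the domain's own outbound "
                             "server via SMTP AUTH, so SPF passes and the server DKIM-signed it; "
                             "reset the mailbox credentials, SPF/DKIM cannot block this")
    else:
        result["verdict"] = ("forged sender: injected without SMTP AUTH, so an SPF record ending "
                             "in -all lets receivers that check SPF reject it")
    return result


# Headers from the two bounces posted in this thread, trimmed to the relevant fields.
BOUNCE_1 = """\
Return-Path:
Received: by gatewayXX.websitewelcome.com (Postfix, from userid 5007) id 282E1897E94A6; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from vinacXXXX.websitewelcome.com (vinacXXXX.websitewelcome.com [50.97.101.199]) by gatewayXX.websitewelcome.com (Postfix) with ESMTP id 1D679897E9486 for ; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=pugzXXXX.com; s=default; h=Message-ID:Content-Transfer-Encoding:Content-Type:To:Reply-To:From:Subject:Date:MIME-Version; bh=oPiuRkyWuObK/ivNhY7v46UF9VBuUOKsVr88zlDnlQM=; b=Q87mMeN/iUCJRU2FIHxveDxMgzMM7w34DAo47MxdpzmCytc/9bpPr7R4IORhRInYYLbAL7xwuuI/FLKw2FovuB2xOksWl3dTevaCsV7KXuSkh9ZQN2e90jgo1VZ+cY60;
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk) by vinacXXXn.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.80) (envelope-from ) id 1TZw1x-0000hb-Io for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
From: kyle@pugzXXXXX.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
X-Source-Auth: kyle@pugzXXXX.com
"""
BOUNCE_2 = """\
Return-path:
Received: from [203.109.245.253] (port=19080 helo=server2008.BRUSTICS.local) by vinaXXXXX.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.80) (envelope-from ) id 1TZunN-0000IM-OW for steph404@bellsouth.net; Sat, 17 Nov 2012 20:39:42 -0600
From: kyle@pugzXXXX.com
Reply-To: Michalekei710@hotmail.com
To: steph404@bellsouth.net
"""
# Constructed contrast case (not from the thread): the same From: forged by a
# host that never touched the domain's server.
FORGED = """\
Received: from [198.51.100.23] (helo=mta.example.net) by mx.example.org with esmtp id 1; Sun, 18 Nov 2012 03:00:00 -0600
From: kyle@pugzXXXX.com
To: victim@example.org
"""

if __name__ == "__main__":
    for label, raw in (("bounce 1", BOUNCE_1), ("bounce 2", BOUNCE_2), ("constructed forgery", FORGED)):
        print(label, triage(raw), sep=": ")
```

Both posted bounces come out as authenticated submissions from unrelated client addresses (220.246.40.143 and 203.109.245.253) straight into the domain's assigned websitewelcome.com server, over TLS, with the first one naming the account that logged in. That is the pattern of a mailbox password being used by someone else, not of a forged From:, which is why the server itself added a DKIM signature for the domain and why turning on SPF would not have changed anything.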
nonymous (banned) join:2003-09-08 Glendale, AZ |
to TBBroadband
Is the mail spoofed, or have they actually gained access to your outgoing mail server? |
|
|
to Moffetts
Thanks! I prefer to outsource for redundancy and to let someone else have the headache, even though I can host internally on my own T1. But this makes me start thinking about what I'm going to move in house, especially my email, since my private/personal email is the one attached to the spam messages and not a general or catch-all email. |
|
|
to TBBroadband
I certainly would look into it. I recommend Appriver, personally. |
|
|
I currently outsource my company's web server to HG. Yesterday I started to get bounce-backs from the mail daemon on messages being returned. Upon reading the messages (over 90 of them in 3 hours) I realized I was either hacked or spoofed. I contacted the company and basically there is nothing they can/are willing to do except turn on Domain Keys for inbox spam filtering and SPF, but yet I have the problem.
I never had the problem with other hosts (Google Apps, outlook.com/Office 365, etc.), as they generally used SSL for outgoing mail servers, etc. HG uses a regular login - no protection to send using a mail client.
I've come to realize I would probably be best off moving my website. Does anyone agree with me on moving, or ????? |
|