unixwolf

join:2007-05-04
Flower Mound, TX
reply to TBBroadband

Re: Outbound mail server Spoofed.

You got "Joe Jobbed"

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to PToN
The problem with doing much with HG is they're at the power of everything, especially on a shared/rented machine that wasn't dedicated. But hopefully everything will be fully taken away from there this week as planned and moved over. I have a huge billing system there on WHMCS that is currently being backed up and moved to my T1. And that will be the last thing.

TBBroadband

join:2012-10-26
Fremont, OH
reply to H_T_R_N
That domain only has 2 email addresses. I was hosting about 15 websites with them. They had everything as far as my websites and emails.

TBBroadband

join:2012-10-26
Fremont, OH
reply to izy
The spammers were actually sending through the mail server. But yet they still claim that since it was a shared server they're unable to implement any security on the POP/IMAP/SMTP server as it would "break" the internet and their servers.

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to tomdlgns
I am moving away from HG right now. My question was basically if it was just me.

I used to use GoogleApps but ran into problems with a couple of my domains. A couple of the domains that were tied to the account would stop working. So that was when I made the move. But I'm working on bringing my websites in house and working with another company on creating my own "cloud" as a back-up.


PToN
Premium
join:2001-10-04
Houston, TX
reply to TBBroadband
It looks like backscatter to me. We had some of that going on earlier this year. Tuning up the spam filter to actually check for backscatter solved the problem.

tomdlgns
Premium
join:2003-03-21
Chicago, IL
kudos:1
reply to TBBroadband
My question is... why are you still with HostGator?

Also, with that small number of users, you are better off using hosted Exchange from another provider (or using Google Apps, free for 10 users or less).

H_T_R_N
Premium
join:2011-12-06
Valencia, PA
kudos:1
Reviews:
·voip.ms
reply to TBBroadband
said by TBBroadband:

Nope. I always use my driver's license number with special marks afterwards.

Did you check to see if you were an open relay?

If you only have 2 email addresses, why in the world would you outsource that? Share an IP address with a lightly used one you have on your T1.


izy
Premium,MVM
join:2000-09-21
endless loop
kudos:2
reply to TBBroadband
said by TBBroadband:

Then I asked- would anyone consider changing hosts after they refused to help and just kept passing the buck. I've debated about putting it back on my own T1 in house again.

Best idea in this thread so far. Host your own email and use a 3rd party to filter spam.

Still, nothing you can do to prevent spammers from using a return address on your domain other than SPF.
--
"Intellectuals solve problems, geniuses prevent them." Einstein

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to urbanriot
I know that it would do nothing. It was the fact that HostGator's answer to fix the problem was to turn on Domain Keys (which is used for incoming mail) and SPF, none of which would really correct the problem.

After rebuilding the server and changing the IP that was assigned to it, the spam did stop, but the fact is, I pay them to manage the server and all, and nothing was done but passing the buck.

Then I asked- would anyone consider changing hosts after they refused to help and just kept passing the buck. I've debated about putting it back on my own T1 in house again.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to TBBroadband
Even with SPF turned on, you still have servers on the internet firing off spam in your name and there's nothing you can do to stop it. SPF doesn't stop people from sending; it bounces back from the servers that support SPF and look up your domain, and even then, much of the internet doesn't even support SPF.
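
What a receiving MTA that does check SPF actually does with the record is evaluate it against the IP that connected to it, nothing more. The following is an added example (not from the thread or from any of the posters) showing that evaluation, so the two limits urbanriot describes are visible: only receivers that check get a result at all, and a message that really was submitted through the domain's own listed server passes. DNS answers come from a constructed in-memory table rather than real lookups; the SPF record shown for pugzbrand.com (the domain the original poster names further down the thread) is hypothetical, written for this example, not the domain's real record. The sender IPs are the ones visible in the bounce headers posted in the thread; 198.51.100.25 is a documentation placeholder standing in for the domain's own MX.

```python
"""Evaluate an SPF record against a connecting IP, the way a receiving
MTA that checks SPF does.

Added example, not from the thread. DNS answers come from the constructed
table below rather than real lookups; the SPF record for pugzbrand.com is
hypothetical (assumption for this example, not the domain's real record).
"""
import ipaddress

DNS = {  # constructed records for this example only
    "pugzbrand.com": {
        "TXT": ["v=spf1 mx ip4:50.97.101.199 -all"],   # hypothetical record
        "MX": ["mail.pugzbrand.com"],
    },
    "mail.pugzbrand.com": {"A": ["198.51.100.25"]},    # placeholder MX address
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def evaluate_spf(domain, ip, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for `ip`
    sending MAIL FROM `domain`. Handles all, ip4, ip6, a, mx, include and
    redirect=, which covers most records met in practice (a/mx with CIDR
    suffixes, exists and ptr are left out). The recursion cap stands in
    for the RFC 7208 DNS-lookup limit."""
    if depth > 10:
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                # no SPF record: receiver learns nothing
    if len(records) > 1:
        return "permerror"           # RFC 7208: more than one record is an error
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:
            continue                 # other modifiers (exp=) do not change the result
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = evaluate_spf(arg, ip, depth + 1) == "pass"
        else:
            return "permerror"       # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return evaluate_spf(redirect, ip, depth + 1)
    return "neutral"                 # nothing matched and no "all" term


if __name__ == "__main__":
    # 50.97.101.199 is the hosting provider's outbound server seen in the
    # thread's bounces; the other two are the machines that connected to it.
    for ip in ("50.97.101.199", "198.51.100.25", "220.246.40.143", "203.109.245.253"):
        print(ip, evaluate_spf("pugzbrand.com", ip))
```

The point the run makes: the two foreign IPs fail against `-all`, so a receiver that checks would reject a direct forgery from them, but the provider's own outbound server passes, because it is listed. Mail that is accepted and relayed by your authorized server is, from SPF's point of view, legitimately yours; the record only tells receivers which hosts may speak for the domain, never who may log in to those hosts. With `~all` instead of `-all` most receivers would only soft-fail the forgeries, and receivers that do not check SPF at all see no difference either way.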

TBBroadband

join:2012-10-26
Fremont, OH
reply to WireHead
It is an issue when they're wide open and anyone can send email through them. That does become a big issue. Especially when it becomes a hosting customer's problem when the host won't help correct their mistakes.

TBBroadband

join:2012-10-26
Fremont, OH
reply to H_T_R_N
Nope. I always use my driver's license number with special marks afterwards.

H_T_R_N
Premium
join:2011-12-06
Valencia, PA
kudos:1
reply to TBBroadband
Easy to guess password? I always assign passwords so that they don't end up being easy.


WireHead
I drive to fast
Premium
join:2001-05-09
Muncie, IN
reply to TBBroadband
I can't imagine unencrypted mail servers..

The horror..
The horror..

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to urbanriot
I blame the host as they claim my information was stolen, but then they admit that they do not require any security when using a mail client. Just put in their default server information and you're good to go. If they would have set up SSL I don't think I would have had this problem.

I have used Google Apps, Outlook.com, DreamHost, Hostpapa, Fatcow and never had this problem until this last Friday with HostGator, who puts EVERYTHING on their "help site" so they don't have to provide support. It even took 3 calls and "online chats" to get a ticket created for the abuse department. Otherwise the poorly trained reps would just pass the buck after 1 hour+ on hold and say it was fixed.

TBBroadband

join:2012-10-26
Fremont, OH
reply to WireHead
I checked and didn't see anything. But the domain is: pugzbrand.com

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to nonymous
Since they were using my mail server, if HostGator would have SSL turned on by default I don't see how this would have gone through, since the emails were going directly through my server. They also claim that I would not see them in my "sent" folder on webmail due to the items being sent through a client. Which I told them before: I do NOT use client email programs, for security. But they kept blaming my computer and still did in the end. They refused to take any responsibility on it. The only way they deploy SSL is on webmail, which is total BS since I found out from their own "abuse team" that their outgoing mail servers are listed on their website and state that no encryption is required. *smh*

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to TBBroadband
I use Google Apps for my home use. I had asked almost the same question in Security recently. Knew they were spoofed though and not coming from my Google Apps account. Did and do have SPF and Domain Keys set up and working.
The answer was it happens and nothing besides SPF and Domain Keys will help verify my own email. It will not stop the spoofing.

Just wanted to confirm you were not hacked. As you said, hacked or spoofed. As said, I did not get any way to stop the spoofing.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to TBBroadband
I have the same situation with one of my domains and basically I enabled SPF and that's all I can do. I analyze all the bounce-backs and it's not originating from my location (based on the IPs of senders and the fact I get the SPF failure bounce-back as well).

This has nothing to do with the host and everything to do with the internet.


WireHead
I drive to fast
Premium
join:2001-05-09
Muncie, IN
reply to TBBroadband
Like you said, I did not see any SPF in there that will help hosts that receive the sent mail reject it instantly. Can't look up your domain since you xxx'd it out. Be worth checking into the block lists after you get it sorted out and see if anyone is now rejecting you.
--
Retired BBR Team Starfire Team Q III Host
Live by chance. Love by choice. Kill by profession.

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to nonymous
here is the latest one that shows that it was spoofed:

Reporting-MTA: dns; gatewayXX.websitewelcome.com
X-Postfix-Queue-ID: 282E1897E94A6
X-Postfix-Sender: rfc822; kyle@pugzXXXXX.com
Arrival-Date: Sat, 17 Nov 2012 21:58:50 -0600 (CST)

Final-Recipient: rfc822; joachim@jrbusiness.se
Action: failed
Status: 5.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
for name=jrbusiness.se type=A: Host not found

Return-Path:
Received: by gatewayXX.websitewelcome.com (Postfix, from userid 5007)
id 282E1897E94A6; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from vinacXXXX.websitewelcome.com (vinacXXXX.websitewelcome.com [50.97.101.199])
by gatewayXX.websitewelcome.com (Postfix) with ESMTP id 1D679897E9486
for ; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=pugzXXXX.com; s=default;
h=Message-ID:Content-Transfer-Encoding:Content-Type:To:Reply-To:From:Subject:Date:MIME-Version; bh=oPiuRkyWuObK/ivNhY7v46UF9VBuUOKsVr88zlDnlQM=;
b=Q87mMeN/iUCJRU2FIHxveDxMgzMM7w34DAo47MxdpzmCytc/9bpPr7R4IORhRInYYLbAL7xwuuI/FLKw2FovuB2xOksWl3dTevaCsV7KXuSkh9ZQN2e90jgo1VZ+cY60;
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk)
by vinacXXXn.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from )
id 1TZw1x-0000hb-Io
for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 11:46:35 +0800
X-Priority: 3 (Normal)
X-Mailer: Apple Mail (3.619)
Subject: transportation} firm
From: kyle@pugzXXXXX.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vinacXXXXX.websitewelcome.com
X-AntiAbuse: Original Domain - jrbusiness.se
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - pugzXXXXX.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (SPORTSMARK-SRV.sportsmark.com.hk) [220.246.40.143]:1546
X-Source-Auth: kyle@pugzXXXX.com
X-Email-Count:
X-Source-Cap: cHVnZ3k7dHJheGxlcjt2aW5hY29taW4ud2Vic2l0ZXdlbGNvbWUuY29t
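
The question nonymous asked earlier in the thread, spoofed or actually sent through your server, can be answered from a bounce like the one above rather than from the host's support desk, because the Received: line written by the accepting MTA records how it accepted the message. In Exim's (and Postfix's) Received: headers the word after `with` is the protocol: `esmtp` is a plain relay, `esmtps` adds TLS, `esmtpa` means the sender logged in, and `esmtpsa` means both TLS and a login; cPanel's `X-Source-Auth:` header then names the account used. The script below is an added example, not from the thread or from the hosting provider, that parses such a bounce and classifies it. `SAMPLE_AUTH` is reconstructed from the bounce posted above (provider host names kept masked as posted, the elided Return-Path and envelope-from left out, and the domain written as pugzbrand.com since the poster named it elsewhere in the thread); `SAMPLE_FORGED` is a constructed counter-example of a plain forgery that never touched the host. `OUR_DOMAIN` and `OUR_HOST_SUFFIXES` are assumptions for this example.

```python
"""Triage a bounced message's headers: was our address merely forged on a
message that never touched our mail host, or was the message actually
submitted through that host, and if so, with a login?

Added example, not from the thread. SAMPLE_AUTH is reconstructed from the
bounce posted in the thread; SAMPLE_FORGED is constructed. OUR_DOMAIN and
OUR_HOST_SUFFIXES are assumptions for this example.
"""
import email
import email.utils
import re

OUR_DOMAIN = "pugzbrand.com"                 # domain being abused (assumption: named in the thread)
OUR_HOST_SUFFIXES = ("websitewelcome.com",)  # the provider's MTA host names (assumption)

SAMPLE_AUTH = """\
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk)
    by vinacXXXX.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
    (Exim 4.80)
    id 1TZw1x-0000hb-Io
    for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
Date: Sun, 18 Nov 2012 11:46:35 +0800
X-Mailer: Apple Mail (3.619)
Subject: transportation} firm
From: kyle@pugzbrand.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
X-Source-Sender: (SPORTSMARK-SRV.sportsmark.com.hk) [220.246.40.143]:1546
X-Source-Auth: kyle@pugzbrand.com

(body omitted)
"""

# Constructed: same From:, but delivered straight to a third party's MX and
# never passing through our host. This is what plain forgery looks like.
SAMPLE_FORGED = """\
Received: from [203.0.113.7] (helo=mail.example.org)
    by mx.example.net with esmtp id 1AbCdE-0001xy-Zz
    for victim@example.net; Sat, 17 Nov 2012 21:00:00 -0600
From: kyle@pugzbrand.com
Reply-To: someone@example.com
To: victim@example.net
Subject: constructed sample

(body omitted)
"""

# Exim and Postfix write the protocol after "with": smtp, esmtp,
# esmtps (TLS), esmtpa (authenticated), esmtpsa (TLS + authenticated).
PROTO_RE = re.compile(r"\bwith\s+(e?smtp[sa]{0,2}|local)\b", re.I)


def parse_received(value):
    """Pull origin IP, receiving host and protocol flags from one Received: header."""
    v = " ".join(value.split())                         # unfold continuation lines
    ip = re.search(r"\[([0-9a-f.:]+)\]", v, re.I)
    by = re.search(r"\bby\s+(\S+)", v, re.I)
    proto = PROTO_RE.search(v)
    p = proto.group(1).lower() if proto else ""
    return {
        "ip": ip.group(1) if ip else None,
        "by": by.group(1).lower() if by else None,
        "proto": p,
        "authenticated": p.endswith("a"),
        "tls": p.startswith("esmtps"),
    }


def triage(raw):
    """Classify a bounced message from its headers."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    ours = [h for h in hops if h["by"] and h["by"].endswith(OUR_HOST_SUFFIXES)]
    auth_user = (msg.get("X-Source-Auth") or "").strip().lower()   # added by cPanel/Exim
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1].lower()

    if any(h["authenticated"] for h in ours) or auth_user.endswith("@" + OUR_DOMAIN):
        verdict = "compromised-credentials"    # someone logged in as one of our users
    elif ours:
        verdict = "relayed-unauthenticated"    # our host accepted it without a login: relay problem
    else:
        verdict = "spoofed-or-backscatter"     # never touched our host; only the From: is ours

    return {
        "verdict": verdict,
        "origin_ip": hops[-1]["ip"] if hops else None,   # last Received: is the earliest hop
        "authenticated_as": auth_user or None,
        "tls": any(h["tls"] for h in ours),
        "from": from_addr,
        "reply_to_mismatch": bool(reply_to) and reply_to.split("@")[-1] != from_addr.split("@")[-1],
    }


if __name__ == "__main__":
    for name, sample in (("posted bounce", SAMPLE_AUTH), ("forged", SAMPLE_FORGED)):
        print(name, triage(sample))
```

Run on the reconstructed bounce the verdict is `compromised-credentials`, with origin IP 220.246.40.143 and `tls` set, because the accepting hop says `esmtpsa` and `X-Source-Auth` names the account; the forged sample comes back `spoofed-or-backscatter` because no hop through the provider's hosts exists at all. The `tls` flag is the caveat worth noticing: a session logged as `esmtpsa` was already encrypted, so encryption on submission protects the password in transit but does nothing once the password itself is known to the sender. A `reply_to_mismatch` on a message that claims to come from your domain is the usual tell for a bulk run that wants replies to land somewhere you do not control.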

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to nonymous
HostGator has claimed it's being spoofed. I don't have anything in my sent folders and I only have 2 accounts: the default account and my own account. The emails are showing my personal account as the sender in the "reply to" field. Here is a copy and paste of one of the emails, well, part of the email.

This is one that was sent to an AT&T customer/user that bounced back:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

steph404@bellsouth.net
SMTP error from remote mail server after initial connection:
host gateway-f2.isp.att.net [207.115.11.16]: 550-50.97.101.199 blocked by ldap:ou=rblmx,dc=att,dc=net
550 Error - Blocked for abuse. See »att.net/blocks

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from [203.109.245.253] (port=19080 helo=server2008.BRUSTICS.local)
by vinaXXXXX.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from )
id 1TZunN-0000IM-OW
for steph404@bellsouth.net; Sat, 17 Nov 2012 20:39:42 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 15:39:37 +1300
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook Express 7.02.3157.3188
From: kyle@pugzXXXX.com (I edited my domain)
Reply-To: Michalekei710@hotmail.com
To: steph404@bellsouth.net
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to TBBroadband
Is the mail spoofed, or have they actually gained access to your outgoing mail server?

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
reply to Oedipus
Thanks! I prefer to outsource due to redundancy and to allow someone else to have the headache, even though I can host internally on my own T1. But this makes me start thinking about what I'm going to move in house. Especially my email, since my private/personal email is the one attached to the spam messages and not a general or catch-all email.

Oedipus

join:2005-05-09
kudos:1
reply to TBBroadband
I certainly would look into it. I recommend Appriver, personally.

TBBroadband

join:2012-10-26
Fremont, OH
Reviews:
·AT&T U-Verse
·MegaPath
I currently outsource my company's webserver to HG. Yesterday I started to get bounce-backs from Mailer-Daemon on messages being returned. Upon reading the messages (over 90 of them in 3 hours) I realized I was either hacked, or spoofed. I contacted the company and there is basically nothing they can do/are willing to do except turn on Domain Keys for inbox spam filtering and SPF, but yet I have the problem.

I never had the problem with other hosts (Google Apps, outlook.com/Office 365, etc.), as they generally used SSL for outgoing mail servers, etc. HG uses regular login: no protection to send using a mail client.

I've come to realize I would probably be best moving my website. Does anyone agree with me on moving, or?????