My IP was Hijacked from a DNS A record !!!

I cant believe this,
Today I get an email from my dedicated hosting company telling me my server has been perminently shut down !

The reason, has my IP black listed ?????

Turns out some jerk who has a domain, lets call it has an A record that reloves to my IP,
now this fool bulk emails a zillion people with spoofed emails, and gets my ip black listed.
Now because my hosting provider uses they think Im spamming and shut me down !

I have quite a few dedi servers, only one is used for webhosting, so there was never a need to add an A record in my
name servers.

Lesson to all network admins, ADD A records to all server IP,s even if they are just subdomains !!!

So Now my question to you folks, who should I contact to help report this scam ?
I have already emailed my hosting provider, and the registrar.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would go to and do a spam database lookup anybody who has you listed as spam gets an email explaining the situation. While there look at some of the other tools such as whois mabey the jerk put more info then he should.

I would also do a thourough virus scan to make sure that your server has not been hijacked or infected with a worm.

Best of luck

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Umm.  I a bit confused.  How would adding a A record to point to my IP address prevent somebody else from adding a A record that also points to my IP address?   Me having an A record in my domain does not prevent somebody else from adding a A record in their domain that points to my IP address, either on purpose or by mistake.

Could you give us a bit more detail on what occured?  I don't see how me setting up a A record that points to your IP address will allow me to send e-mail as if it came from you.
ghboomAuthor Commented:

My take on this is,

say you have a server with an ip of and you have a server running on it,
but an empty server, not even an index.html, so it replys on 80
you also did not set up any DNS to it, so there is no conflict as no domain
is pointing to it anywhere

say jerk has access to his dns, he adds an a record for pointing to
now his domain resovles to your ip ...

your server replys now when typing in the address bar...

now jerk has an email server setup somewhere else,
he spams the world, gets caught, but he doesnt care. his domain pointed to your server,
his domain gets blacklisted, your datacenter gets an email saying your IP is the one...

even if his mail server ran on another system, All he has to do is say it came from
Netsol has "domain protect" Im prety certain major domain registras also have simmilar features.
I was under the assumption that adding another A record to a bogus name server would not work
because you already had it set up within a leagal one, one that was locked up.

now that I think about it, I dont know i will have to see what measures
the dns system takes against this stuff....

I just cant believe that
someone can create an A record for and point it to
a major server like google and have resolve....

in any case I had nothing to do with the domain that was registered to my ip,  in any way shape or form.
but my datacenter shut me down.

On a positive note, I was finaly able to contact a human where he (jerk) has his domain registered
and they removed my ip from his domains records.

Any one have anything to add that might clear thing up chime in !


Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

That is not how getting on a blacklist works.  They do not use the domain name that the e-mail claims to come from, or even the IP address that the domain name used on the HELO command resloves to.  The IP address that gets put on the black list is the one that actually connects to the SMTP server and sends the e-mail.

Do you have your own SMTP server?  Could by chance it be allowing  SMTP relaying?  having your SMTP server configured to allow SMTP relaying is generally how you get your IP address on a blacklist.
SPAMHAUS does not blacklist web servers.  They blacklist EMAIL servers which are known sources of SPAM or servers which relay or otherwise permit SPAM to be transmistted through them.

A person simply adding an "A" record to a DNS server and then sending out SPAM would NOT cause your server to be blacklisted unless your server is somehow being used by this spammer to send out the email.  Unless the email actually comes from or through your server, and if so the IPs in the headers of the message will prove that, SPAMHAUS.ORG will not be listing your IP.

I think there is more to this story than you've told here.  Or, possibly, you don't fully understand how your server is configured...
ghboomAuthor Commented:
giltjr, and jhance,
I wish you were right about the way spamhaus gets its bans but the email that came to me with the so called proof was
because the domaiin resolved to my ip.

As far as my server being compromised, no chance. It has never had a mail server run on it, for my purposes, on every server
I shut off and disable EVERY unused service, including SMTP. There is no reason for this server to get or send an emial.

So it goes back to the A record as far as I can see...
Jhance, I thought headers can be faked to a certain extent ?

Since my server was terminated, there are no more alerts
at spamhaus, I would have copied/pasted there point of view...
Anyway, the way to protect myself still is not totaly clear ;(

I can guarantee there is more to this than you are telling us, or than SPAMHAUS is telling you.   Something it not right.

As jhance stated SPAMHAUS does not block based on domain name, NO blacklist service does.   I know this because I have had SMTP server that were not setup properly by somebody else and were used for as a relay and it got put on SPAMHAUS.  I have dealt with them to get it removed and I know how they put you on the list.  If you notice when you go to their site you remove IP addresses, not domain names.

I can easily, very easily, setup a A record in my domain to point to ANY IP address I want.  I can setup a A record in my domian that resloved to the IP address of Experts-Exchange.  There is NOTHING in the Internet that prevents me from doing so.  

Headers to an extent can be faked.  However, the last SMTP server to receive the e-mail will have a valid last entry for the server it received the e-mail from.

In the e-mail that SPAMHAUS sent you, what was the last IP address that sent the e-mail to the receiver's SMTP server?  Please not, in the SMTP headers the IP addresses that appear should be the IP address that the RECEIVING SMTP server received the e-mail from.  It should NEVER (at least I have never seen it) print the IP address that some domain name/host name resovled to.
Seems to me you should be working with your hosting company to get your server back online. If it is true that your server is in no way running an smtp service then it is irrelevant if spamhaus blacklists it or not. At the very least the hosting company can assist you in tracking the problem. Maybe you can ask them to block outgoing port 25 to get your server turned back on.

Good luck.
>>Jhance, I thought headers can be faked to a certain extent ?

Yes they can but it's easy to spot.  Nobody (at least nobody with any sense) is fooled by spoofed email headers anymore.

But again I stress, SPAMHAUS.ORG manages their list based on  SPAM not web sites.  But regardless of that, you ISP must have been LOOKING FOR A REASON to get rid of you since, as you note, there is nothing to prevent anyone from adding your IP as an "A" record on their DNS server.  But that is all that is, a piece of bogus data in an irrelevant DNS server.

I'd get a new ISP or make peace with the one you have.  Obviously they are unhappy with you as a customer!
You might want to use a packet sniffer and make sure you are not spaming anyone all it takes if for one of your computers to be infected with a worm not neccesarilly your server. And then once you are sure that you are not spamming call up your isp and anyone else who is blocking you
ghboomAuthor Commented:

Strange how if its unexplainable by you, that it must be my fault. Same mentality as my isp....
Maybe your in the IT profession ?

Naa, only kidding ( mostly ;)

It seams as though my ISP did not want to loose me as my server is back onlne ;)
No official word if it is perm or not, but I am glad.

Imagine for a second if you could, you taking delivery on a brand new server, and running apps that cannot send even one email,
like half life, css ect... Shutting down ANY service that is not needed, just enough to boot and and have connectivity.

Then getting an email 3-4 weeks later saying that the ip your box is on has been black listed because of spam !
Then get on the phone with the tec that is about to pull the plug, and he says "well your ip resolves to
the domain in question ..."

There is nothing else to this story, that is what happend.
 If my server was hacked, I would certainly see it in my bandwith logs.

I freeking hate spam, I use spampal at home, and use spamassin on another server ffor my site.
I hope they get the jerks and hangem high.

In that case I'd get a different ISP, one that isn't staffed by a a bunch of dufus'.  It doesn't take a rocket scientist to figure out if SPAM or other such stuff is really coming from your server or if you really are hosting SPAMvertised web sites.  Either of which MAY be against their AUP.

Don't read me wrong.  If indeed your ISP did what you say for no better reason that what's been stated, they are, plainly and simply, morons.  You should want to take your business elsewhere.

But simply having your IP appear in a blocking list, many of which are VERY poorly managed and are about as useful as a list of random numbers, as being the reason to suspend or terminate your account is simply irresponsible.

If your server is/was really compromised, used for SPAM relay, or otherwise participating in unacceptable activities there would be proof and they should be able to prove it to you.  If not, find another provider.  There are many.
Dushan De SilvaTechnology ArchitectCommented:
Try to install Sygate firewall and try to identify your full traffic paths.

BR Dushan
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.