ghboom
asked on
My IP was Hijacked from a DNS A record !!!
I cant believe this,
Today I get an email from my dedicated hosting company telling me my server has been perminently shut down !
The reason, spamhaus.org has my IP black listed ?????
Turns out some jerk who has a domain, lets call it somejerk.com has an A record that reloves to my IP,
now this fool bulk emails a zillion people with spoofed emails, and gets my ip black listed.
Now because my hosting provider uses spamhaus.org they think Im spamming and shut me down !
I have quite a few dedi servers, only one is used for webhosting, so there was never a need to add an A record in my
name servers.
Lesson to all network admins, ADD A records to all server IP,s even if they are just subdomains !!!
So Now my question to you folks, who should I contact to help report this scam ?
I have already emailed my hosting provider, spamhaus.org and the registrar.
GHBoom
Today I get an email from my dedicated hosting company telling me my server has been perminently shut down !
The reason, spamhaus.org has my IP black listed ?????
Turns out some jerk who has a domain, lets call it somejerk.com has an A record that reloves to my IP,
now this fool bulk emails a zillion people with spoofed emails, and gets my ip black listed.
Now because my hosting provider uses spamhaus.org they think Im spamming and shut me down !
I have quite a few dedi servers, only one is used for webhosting, so there was never a need to add an A record in my
name servers.
Lesson to all network admins, ADD A records to all server IP,s even if they are just subdomains !!!
So Now my question to you folks, who should I contact to help report this scam ?
I have already emailed my hosting provider, spamhaus.org and the registrar.
GHBoom
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
giltjr,
My take on this is,
say you have a server with an ip of 11.111.1.11 and you have a server running on it,
but an empty server, not even an index.html, so it replys on 80
you also did not set up any DNS to it, so there is no conflict as no domain
is pointing to it anywhere
say jerk has access to his dns, he adds an a record for jerk.com pointing to 11.111.1.11
now his domain resovles to your ip ...
your server replys now when typing jerk.com in the address bar...
now jerk has an email server setup somewhere else,
he spams the world, gets caught, but he doesnt care. his domain pointed to your server,
his domain gets blacklisted, your datacenter gets an email saying your IP is the one...
even if his mail server ran on another system, All he has to do is say it came from jerk.com...
Netsol has "domain protect" Im prety certain major domain registras also have simmilar features.
I was under the assumption that adding another A record to a bogus name server would not work
because you already had it set up within a leagal one, one that was locked up.
now that I think about it, I dont know i will have to see what measures
the dns system takes against this stuff....
I just cant believe that
someone can create an A record for somejunksite.com and point it to
a major server like google and have somjunksite.com resolve....
in any case I had nothing to do with the domain that was registered to my ip, in any way shape or form.
but my datacenter shut me down.
On a positive note, I was finaly able to contact a human where he (jerk) has his domain registered
and they removed my ip from his domains records.
Any one have anything to add that might clear thing up chime in !
GH
My take on this is,
say you have a server with an ip of 11.111.1.11 and you have a server running on it,
but an empty server, not even an index.html, so it replys on 80
you also did not set up any DNS to it, so there is no conflict as no domain
is pointing to it anywhere
say jerk has access to his dns, he adds an a record for jerk.com pointing to 11.111.1.11
now his domain resovles to your ip ...
your server replys now when typing jerk.com in the address bar...
now jerk has an email server setup somewhere else,
he spams the world, gets caught, but he doesnt care. his domain pointed to your server,
his domain gets blacklisted, your datacenter gets an email saying your IP is the one...
even if his mail server ran on another system, All he has to do is say it came from jerk.com...
Netsol has "domain protect" Im prety certain major domain registras also have simmilar features.
I was under the assumption that adding another A record to a bogus name server would not work
because you already had it set up within a leagal one, one that was locked up.
now that I think about it, I dont know i will have to see what measures
the dns system takes against this stuff....
I just cant believe that
someone can create an A record for somejunksite.com and point it to
a major server like google and have somjunksite.com resolve....
in any case I had nothing to do with the domain that was registered to my ip, in any way shape or form.
but my datacenter shut me down.
On a positive note, I was finaly able to contact a human where he (jerk) has his domain registered
and they removed my ip from his domains records.
Any one have anything to add that might clear thing up chime in !
GH
That is not how getting on a blacklist works. They do not use the domain name that the e-mail claims to come from, or even the IP address that the domain name used on the HELO command resloves to. The IP address that gets put on the black list is the one that actually connects to the SMTP server and sends the e-mail.
Do you have your own SMTP server? Could by chance it be allowing SMTP relaying? having your SMTP server configured to allow SMTP relaying is generally how you get your IP address on a blacklist.
Do you have your own SMTP server? Could by chance it be allowing SMTP relaying? having your SMTP server configured to allow SMTP relaying is generally how you get your IP address on a blacklist.
SPAMHAUS does not blacklist web servers. They blacklist EMAIL servers which are known sources of SPAM or servers which relay or otherwise permit SPAM to be transmistted through them.
A person simply adding an "A" record to a DNS server and then sending out SPAM would NOT cause your server to be blacklisted unless your server is somehow being used by this spammer to send out the email. Unless the email actually comes from or through your server, and if so the IPs in the headers of the message will prove that, SPAMHAUS.ORG will not be listing your IP.
I think there is more to this story than you've told here. Or, possibly, you don't fully understand how your server is configured...
A person simply adding an "A" record to a DNS server and then sending out SPAM would NOT cause your server to be blacklisted unless your server is somehow being used by this spammer to send out the email. Unless the email actually comes from or through your server, and if so the IPs in the headers of the message will prove that, SPAMHAUS.ORG will not be listing your IP.
I think there is more to this story than you've told here. Or, possibly, you don't fully understand how your server is configured...
ASKER
giltjr, and jhance,
I wish you were right about the way spamhaus gets its bans but the email that came to me with the so called proof was
because the domaiin resolved to my ip.
As far as my server being compromised, no chance. It has never had a mail server run on it, for my purposes, on every server
I shut off and disable EVERY unused service, including SMTP. There is no reason for this server to get or send an emial.
So it goes back to the A record as far as I can see...
Jhance, I thought headers can be faked to a certain extent ?
Since my server was terminated, there are no more alerts
at spamhaus, I would have copied/pasted there point of view...
Anyway, the way to protect myself still is not totaly clear ;(
I wish you were right about the way spamhaus gets its bans but the email that came to me with the so called proof was
because the domaiin resolved to my ip.
As far as my server being compromised, no chance. It has never had a mail server run on it, for my purposes, on every server
I shut off and disable EVERY unused service, including SMTP. There is no reason for this server to get or send an emial.
So it goes back to the A record as far as I can see...
Jhance, I thought headers can be faked to a certain extent ?
Since my server was terminated, there are no more alerts
at spamhaus, I would have copied/pasted there point of view...
Anyway, the way to protect myself still is not totaly clear ;(
I can guarantee there is more to this than you are telling us, or than SPAMHAUS is telling you. Something it not right.
As jhance stated SPAMHAUS does not block based on domain name, NO blacklist service does. I know this because I have had SMTP server that were not setup properly by somebody else and were used for as a relay and it got put on SPAMHAUS. I have dealt with them to get it removed and I know how they put you on the list. If you notice when you go to their site you remove IP addresses, not domain names.
I can easily, very easily, setup a A record in my domain to point to ANY IP address I want. I can setup a A record in my domian that resloved to the IP address of Experts-Exchange. There is NOTHING in the Internet that prevents me from doing so.
Headers to an extent can be faked. However, the last SMTP server to receive the e-mail will have a valid last entry for the server it received the e-mail from.
In the e-mail that SPAMHAUS sent you, what was the last IP address that sent the e-mail to the receiver's SMTP server? Please not, in the SMTP headers the IP addresses that appear should be the IP address that the RECEIVING SMTP server received the e-mail from. It should NEVER (at least I have never seen it) print the IP address that some domain name/host name resovled to.
As jhance stated SPAMHAUS does not block based on domain name, NO blacklist service does. I know this because I have had SMTP server that were not setup properly by somebody else and were used for as a relay and it got put on SPAMHAUS. I have dealt with them to get it removed and I know how they put you on the list. If you notice when you go to their site you remove IP addresses, not domain names.
I can easily, very easily, setup a A record in my domain to point to ANY IP address I want. I can setup a A record in my domian that resloved to the IP address of Experts-Exchange. There is NOTHING in the Internet that prevents me from doing so.
Headers to an extent can be faked. However, the last SMTP server to receive the e-mail will have a valid last entry for the server it received the e-mail from.
In the e-mail that SPAMHAUS sent you, what was the last IP address that sent the e-mail to the receiver's SMTP server? Please not, in the SMTP headers the IP addresses that appear should be the IP address that the RECEIVING SMTP server received the e-mail from. It should NEVER (at least I have never seen it) print the IP address that some domain name/host name resovled to.
Seems to me you should be working with your hosting company to get your server back online. If it is true that your server is in no way running an smtp service then it is irrelevant if spamhaus blacklists it or not. At the very least the hosting company can assist you in tracking the problem. Maybe you can ask them to block outgoing port 25 to get your server turned back on.
Good luck.
Good luck.
>>Jhance, I thought headers can be faked to a certain extent ?
Yes they can but it's easy to spot. Nobody (at least nobody with any sense) is fooled by spoofed email headers anymore.
But again I stress, SPAMHAUS.ORG manages their list based on SPAM not web sites. But regardless of that, you ISP must have been LOOKING FOR A REASON to get rid of you since, as you note, there is nothing to prevent anyone from adding your IP as an "A" record on their DNS server. But that is all that is, a piece of bogus data in an irrelevant DNS server.
I'd get a new ISP or make peace with the one you have. Obviously they are unhappy with you as a customer!
Yes they can but it's easy to spot. Nobody (at least nobody with any sense) is fooled by spoofed email headers anymore.
But again I stress, SPAMHAUS.ORG manages their list based on SPAM not web sites. But regardless of that, you ISP must have been LOOKING FOR A REASON to get rid of you since, as you note, there is nothing to prevent anyone from adding your IP as an "A" record on their DNS server. But that is all that is, a piece of bogus data in an irrelevant DNS server.
I'd get a new ISP or make peace with the one you have. Obviously they are unhappy with you as a customer!
You might want to use a packet sniffer and make sure you are not spaming anyone all it takes if for one of your computers to be infected with a worm not neccesarilly your server. And then once you are sure that you are not spamming call up your isp and anyone else who is blocking you
ASKER
jhance,
Strange how if its unexplainable by you, that it must be my fault. Same mentality as my isp....
Maybe your in the IT profession ?
Naa, only kidding ( mostly ;)
It seams as though my ISP did not want to loose me as my server is back onlne ;)
No official word if it is perm or not, but I am glad.
Imagine for a second if you could, you taking delivery on a brand new server, and running apps that cannot send even one email,
like half life, css ect... Shutting down ANY service that is not needed, just enough to boot and and have connectivity.
Then getting an email 3-4 weeks later saying that the ip your box is on has been black listed because of spam !
Then get on the phone with the tec that is about to pull the plug, and he says "well your ip resolves to
the domain in question ..."
There is nothing else to this story, that is what happend.
If my server was hacked, I would certainly see it in my bandwith logs.
I freeking hate spam, I use spampal at home, and use spamassin on another server ffor my site.
I hope they get the jerks and hangem high.
gh
Strange how if its unexplainable by you, that it must be my fault. Same mentality as my isp....
Maybe your in the IT profession ?
Naa, only kidding ( mostly ;)
It seams as though my ISP did not want to loose me as my server is back onlne ;)
No official word if it is perm or not, but I am glad.
Imagine for a second if you could, you taking delivery on a brand new server, and running apps that cannot send even one email,
like half life, css ect... Shutting down ANY service that is not needed, just enough to boot and and have connectivity.
Then getting an email 3-4 weeks later saying that the ip your box is on has been black listed because of spam !
Then get on the phone with the tec that is about to pull the plug, and he says "well your ip resolves to
the domain in question ..."
There is nothing else to this story, that is what happend.
If my server was hacked, I would certainly see it in my bandwith logs.
I freeking hate spam, I use spampal at home, and use spamassin on another server ffor my site.
I hope they get the jerks and hangem high.
gh
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Try to install Sygate firewall and try to identify your full traffic paths.
BR Dushan
BR Dushan
Could you give us a bit more detail on what occured? I don't see how me setting up a A record that points to your IP address will allow me to send e-mail as if it came from you.