My IP was Hijacked from a DNS A record !!!

Posted on 2006-04-26
Last Modified: 2010-04-11
I cant believe this,
Today I get an email from my dedicated hosting company telling me my server has been perminently shut down !

The reason, has my IP black listed ?????

Turns out some jerk who has a domain, lets call it has an A record that reloves to my IP,
now this fool bulk emails a zillion people with spoofed emails, and gets my ip black listed.
Now because my hosting provider uses they think Im spamming and shut me down !

I have quite a few dedi servers, only one is used for webhosting, so there was never a need to add an A record in my
name servers.

Lesson to all network admins, ADD A records to all server IP,s even if they are just subdomains !!!

So Now my question to you folks, who should I contact to help report this scam ?
I have already emailed my hosting provider, and the registrar.

Question by:ghboom
    LVL 2

    Accepted Solution

    I would go to and do a spam database lookup anybody who has you listed as spam gets an email explaining the situation. While there look at some of the other tools such as whois mabey the jerk put more info then he should.

    I would also do a thourough virus scan to make sure that your server has not been hijacked or infected with a worm.

    Best of luck
    LVL 57

    Expert Comment

    Umm.  I a bit confused.  How would adding a A record to point to my IP address prevent somebody else from adding a A record that also points to my IP address?   Me having an A record in my domain does not prevent somebody else from adding a A record in their domain that points to my IP address, either on purpose or by mistake.

    Could you give us a bit more detail on what occured?  I don't see how me setting up a A record that points to your IP address will allow me to send e-mail as if it came from you.

    Author Comment


    My take on this is,

    say you have a server with an ip of and you have a server running on it,
    but an empty server, not even an index.html, so it replys on 80
    you also did not set up any DNS to it, so there is no conflict as no domain
    is pointing to it anywhere

    say jerk has access to his dns, he adds an a record for pointing to
    now his domain resovles to your ip ...

    your server replys now when typing in the address bar...

    now jerk has an email server setup somewhere else,
    he spams the world, gets caught, but he doesnt care. his domain pointed to your server,
    his domain gets blacklisted, your datacenter gets an email saying your IP is the one...

    even if his mail server ran on another system, All he has to do is say it came from
    Netsol has "domain protect" Im prety certain major domain registras also have simmilar features.
    I was under the assumption that adding another A record to a bogus name server would not work
    because you already had it set up within a leagal one, one that was locked up.

    now that I think about it, I dont know i will have to see what measures
    the dns system takes against this stuff....

    I just cant believe that
    someone can create an A record for and point it to
    a major server like google and have resolve....

    in any case I had nothing to do with the domain that was registered to my ip,  in any way shape or form.
    but my datacenter shut me down.

    On a positive note, I was finaly able to contact a human where he (jerk) has his domain registered
    and they removed my ip from his domains records.

    Any one have anything to add that might clear thing up chime in !


    LVL 57

    Expert Comment

    That is not how getting on a blacklist works.  They do not use the domain name that the e-mail claims to come from, or even the IP address that the domain name used on the HELO command resloves to.  The IP address that gets put on the black list is the one that actually connects to the SMTP server and sends the e-mail.

    Do you have your own SMTP server?  Could by chance it be allowing  SMTP relaying?  having your SMTP server configured to allow SMTP relaying is generally how you get your IP address on a blacklist.
    LVL 32

    Expert Comment

    SPAMHAUS does not blacklist web servers.  They blacklist EMAIL servers which are known sources of SPAM or servers which relay or otherwise permit SPAM to be transmistted through them.

    A person simply adding an "A" record to a DNS server and then sending out SPAM would NOT cause your server to be blacklisted unless your server is somehow being used by this spammer to send out the email.  Unless the email actually comes from or through your server, and if so the IPs in the headers of the message will prove that, SPAMHAUS.ORG will not be listing your IP.

    I think there is more to this story than you've told here.  Or, possibly, you don't fully understand how your server is configured...

    Author Comment

    giltjr, and jhance,
    I wish you were right about the way spamhaus gets its bans but the email that came to me with the so called proof was
    because the domaiin resolved to my ip.

    As far as my server being compromised, no chance. It has never had a mail server run on it, for my purposes, on every server
    I shut off and disable EVERY unused service, including SMTP. There is no reason for this server to get or send an emial.

    So it goes back to the A record as far as I can see...
    Jhance, I thought headers can be faked to a certain extent ?

    Since my server was terminated, there are no more alerts
    at spamhaus, I would have copied/pasted there point of view...
    Anyway, the way to protect myself still is not totaly clear ;(

    LVL 57

    Expert Comment

    I can guarantee there is more to this than you are telling us, or than SPAMHAUS is telling you.   Something it not right.

    As jhance stated SPAMHAUS does not block based on domain name, NO blacklist service does.   I know this because I have had SMTP server that were not setup properly by somebody else and were used for as a relay and it got put on SPAMHAUS.  I have dealt with them to get it removed and I know how they put you on the list.  If you notice when you go to their site you remove IP addresses, not domain names.

    I can easily, very easily, setup a A record in my domain to point to ANY IP address I want.  I can setup a A record in my domian that resloved to the IP address of Experts-Exchange.  There is NOTHING in the Internet that prevents me from doing so.  

    Headers to an extent can be faked.  However, the last SMTP server to receive the e-mail will have a valid last entry for the server it received the e-mail from.

    In the e-mail that SPAMHAUS sent you, what was the last IP address that sent the e-mail to the receiver's SMTP server?  Please not, in the SMTP headers the IP addresses that appear should be the IP address that the RECEIVING SMTP server received the e-mail from.  It should NEVER (at least I have never seen it) print the IP address that some domain name/host name resovled to.
    LVL 32

    Expert Comment

    Seems to me you should be working with your hosting company to get your server back online. If it is true that your server is in no way running an smtp service then it is irrelevant if spamhaus blacklists it or not. At the very least the hosting company can assist you in tracking the problem. Maybe you can ask them to block outgoing port 25 to get your server turned back on.

    Good luck.
    LVL 32

    Expert Comment

    >>Jhance, I thought headers can be faked to a certain extent ?

    Yes they can but it's easy to spot.  Nobody (at least nobody with any sense) is fooled by spoofed email headers anymore.

    But again I stress, SPAMHAUS.ORG manages their list based on  SPAM not web sites.  But regardless of that, you ISP must have been LOOKING FOR A REASON to get rid of you since, as you note, there is nothing to prevent anyone from adding your IP as an "A" record on their DNS server.  But that is all that is, a piece of bogus data in an irrelevant DNS server.

    I'd get a new ISP or make peace with the one you have.  Obviously they are unhappy with you as a customer!
    LVL 2

    Expert Comment

    You might want to use a packet sniffer and make sure you are not spaming anyone all it takes if for one of your computers to be infected with a worm not neccesarilly your server. And then once you are sure that you are not spamming call up your isp and anyone else who is blocking you

    Author Comment


    Strange how if its unexplainable by you, that it must be my fault. Same mentality as my isp....
    Maybe your in the IT profession ?

    Naa, only kidding ( mostly ;)

    It seams as though my ISP did not want to loose me as my server is back onlne ;)
    No official word if it is perm or not, but I am glad.

    Imagine for a second if you could, you taking delivery on a brand new server, and running apps that cannot send even one email,
    like half life, css ect... Shutting down ANY service that is not needed, just enough to boot and and have connectivity.

    Then getting an email 3-4 weeks later saying that the ip your box is on has been black listed because of spam !
    Then get on the phone with the tec that is about to pull the plug, and he says "well your ip resolves to
    the domain in question ..."

    There is nothing else to this story, that is what happend.
     If my server was hacked, I would certainly see it in my bandwith logs.

    I freeking hate spam, I use spampal at home, and use spamassin on another server ffor my site.
    I hope they get the jerks and hangem high.

    LVL 32

    Assisted Solution

    In that case I'd get a different ISP, one that isn't staffed by a a bunch of dufus'.  It doesn't take a rocket scientist to figure out if SPAM or other such stuff is really coming from your server or if you really are hosting SPAMvertised web sites.  Either of which MAY be against their AUP.

    Don't read me wrong.  If indeed your ISP did what you say for no better reason that what's been stated, they are, plainly and simply, morons.  You should want to take your business elsewhere.

    But simply having your IP appear in a blocking list, many of which are VERY poorly managed and are about as useful as a list of random numbers, as being the reason to suspend or terminate your account is simply irresponsible.

    If your server is/was really compromised, used for SPAM relay, or otherwise participating in unacceptable activities there would be proof and they should be able to prove it to you.  If not, find another provider.  There are many.
    LVL 17

    Expert Comment

    Try to install Sygate firewall and try to identify your full traffic paths.

    BR Dushan

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
    If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now