Solved

Is my server sending spam?

Posted on 2014-10-07
111 Views
Last Modified: 2016-02-11
I have a FreeBSD server and according to Yahoo, it's sending spam:

http://cbl.abuseat.org/lookup.cgi?ip=216.55.161.147

Can someone help me look into this?  I have root access but I'm not sure what to look for.
0
Question by:hrolsons
15 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40366524
That IP is hosting multiple domains, I assume you manage the whole server?
Could be any of those domains that have been hacked, if any of them are running WordPress, Drupal, etc.

You are only listed on one DB so it could be just Yahoo having a hissy fit.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366531
And the offending website seems to be
blueapplehouses.com
0
 

Author Comment

by:hrolsons
ID: 40366578
Yes, I manage the whole server.  blueapplehouses.com just completed a transition to WordPress from a paid web developer.  How can I look deeper into the problem and hopefully eradicate it?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366603
Check the index pages for any base64 code.
0
 

Author Comment

by:hrolsons
ID: 40366621
Due to .htaccess, none of the index pages are available.  Everything forwards to www.blueappleproperties.com, which is the WordPress site that Dex made.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366626
Uh?
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 40366657
Hrolsons,
     What Gary is trying to explain is to look at your index.php files and find a string that looks like the following:


<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCPC9pZnJhbWU+PC9kaXY+JzsNCn0='));
The real code will be much longer.

In a nutshell, your index.php files were modified by a virus or someone being malicious.


/r
-= Richard
0
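The check described in the comment above, as an added example that is not part of the original thread: a shell scan of a web root for PHP files that eval() decoded data. It generalizes beyond index.php and beyond base64_decode to common decoder wrappers; the function names, file extensions and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: find PHP files that eval() decoded data.

# eval( followed within the same statement by a decoder call. Covers the
# eval(base64_decode(...)) form plus common wrappers such as gzinflate.
OBFUSCATED_EVAL='eval[[:space:]]*\([^;]{0,80}(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('

# scan_webroot DIR: print the path of every PHP-like file containing the pattern.
# grep -q is used as a find test, so find's exit status stays 0 when nothing matches.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.phtml' \) \
        -exec grep -E -i -q "$OBFUSCATED_EVAL" {} \; -print
}

# first_hit FILE: show the first matching line number and a truncated excerpt
# (injected payload lines are usually very long).
first_hit() {
    grep -E -i -n -m 1 "$OBFUSCATED_EVAL" "$1" | cut -c 1-100
}

# make_sample DIR: build a constructed test tree (sample data, not real malware).
make_sample() {
    mkdir -p "$1/inc"
    printf '%s\n' "<?php eval(base64_decode('ZWNobyAxOw=='));" > "$1/index.php"
    printf '%s\n' "<?php eval(gzinflate(base64_decode('SwQA')));" > "$1/inc/cache.inc"
    # base64_decode without eval is normal application code and must not match.
    printf '%s\n' "<?php \$img = base64_decode(\$data);" > "$1/clean.php"
}

# When run with a directory argument, list each hit with its first matching line.
if [ $# -gt 0 ]; then
    scan_webroot "$1" | while IFS= read -r f; do
        printf '%s\n  %s\n' "$f" "$(first_hit "$f")"
    done
fi
```

A hit is a lead to review by hand, not proof of compromise; some legitimate plugins also eval decoded strings.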

 

Author Comment

by:hrolsons
ID: 40366679
I don't have any index.php file in the base directory.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366697
There must be an index.php file in the WP root directory - if there wasn't, it wouldn't work.
0
 

Author Comment

by:hrolsons
ID: 40366717
That file must be on the server that is redirected to, which I don't have access to.  I control blueapplehouses.com but in the .htaccess:

RewriteCond %{REQUEST_URI} !^/Intranet
RewriteCond %{REQUEST_FILENAME} .*\.html$
RewriteRule . http://blueappleproperties.com [L]



It sends users on to blueappleproperties.com, which I don't control.
0
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 40366822
It may not be that site, it was just an educated guess.

Check through your mail logs, see if you can identify any spam.
It could be that you have an open relay, if so you need to clamp down on your security and require authorisation for all email.
You can test for open relays here:
http://www.dnsgoodies.com/
0
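One way to do the mail-log check suggested in the answer above, as an added example that is not part of the original thread: rank envelope senders by message and recipient count so an account sending far more than expected stands out. It assumes sendmail-style log lines with `from=<...>` and `nrcpts=` fields (the thread does not say which MTA is in use); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: rank envelope senders in a mail log.
# Assumes sendmail-style lines: "... from=<addr>, size=..., nrcpts=N, ..."

# top_senders FILE: print "messages recipients sender", busiest sender first.
top_senders() {
    awk '
    match($0, /from=<[^>]*>/) {
        sender = substr($0, RSTART + 6, RLENGTH - 7)
        if (sender == "") sender = "(null-sender)"   # bounces use from=<>
        msgs[sender]++
        # Add the recipient count logged on the same line, if present.
        if (match($0, /nrcpts=[0-9]+/))
            rcpts[sender] += substr($0, RSTART + 7, RLENGTH - 7)
    }
    END { for (s in msgs) printf "%d %d %s\n", msgs[s], rcpts[s], s }
    ' "$1" | sort -k1,1nr -k3,3
}

# sample_maillog: constructed log lines (hosts, IDs and addresses are made up).
sample_maillog() {
    cat <<'EOF'
Oct  7 03:10:01 host sm-mta[2101]: s9731A01002101: from=<www@host.example>, size=2048, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Oct  7 03:10:02 host sm-mta[2103]: s9731A01002101: to=<someone@mail.example>, delay=00:00:01, mailer=esmtp, stat=Sent
Oct  7 03:10:05 host sm-mta[2110]: s9731A05002110: from=<www@host.example>, size=2051, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Oct  7 03:10:09 host sm-mta[2119]: s9731A09002119: from=<www@host.example>, size=2047, class=0, nrcpts=50, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Oct  7 09:15:40 host sm-mta[3300]: s979Fe40003300: from=<alice@example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
EOF
}

# When run with a log file argument, show the 20 busiest senders.
if [ $# -gt 0 ]; then
    top_senders "$1" | head -n 20
fi
```

On the constructed sample the web server account tops the list with 3 messages to 150 recipients, the kind of outlier that points at a script on one of the hosted sites rather than at a mail user.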
 

Author Comment

by:hrolsons
ID: 40367004
I ran 216.55.161.147 and blueapplehouses.com through the open relay check on the site you suggested and it was clean.

I can't figure out why Yahoo is rejecting mail from the server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40367024
Check the other sites on the server as well.
0
 
LVL 27

Expert Comment

by:serialband
ID: 40367430
It's possible that you didn't spam and Yahoo's filters went overboard.

Yahoo will sometimes block you even if you're not sending spam.  If you have a legitimate mailing list and it got sent out a little too quickly, Yahoo will block you.  Even if you've done the throttling to not trigger Yahoo right now, Yahoo may someday just decide that you're still spamming, even after you've called them before and verified with them about the mailman mailing lists that people must manually sign up for and verify.  They're the only large company that causes problems for legitimate mailers.
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 250 total points
ID: 40367840
Another site to test if your mail server is an open relay.
www.mxtoolbox.com

DirkMare
0
