Solved

Is my server sending spam?

Posted on 2014-10-07
Last Modified: 2016-02-11
I have a FreeBSD server and according to Yahoo, it's sending spam:

http://cbl.abuseat.org/lookup.cgi?ip=216.55.161.147

Can someone help me look into this?  I have root access but not sure what to look for.
0
Question by:hrolsons
15 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40366524
That IP is hosting multiple domains, I assume you manage the whole server?
Could be any of those domains that have been hacked, if any of them are running Wordpress, Drupal etc

You are only listed on one DB so it could be just Yahoo having a hissy fit
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366531
And the offending website seems to be
blueapplehouses.com
0
 

Author Comment

by:hrolsons
ID: 40366578
Yes, I manage the whole server.  blueapplehouses.com just completed a transition to Wordpress from a paid web developer.  How can I look deeper into the problem and hopefully eradicate it?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366603
Check the index pages for any base64 code.
0
 

Author Comment

by:hrolsons
ID: 40366621
Due to .htaccess none of the index pages are available.  Everything forwards to www.blueappleproperties.com, which is the WordPress site that Dex made.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366626
Uh?
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 40366657
Hrolsons,
     What Gary is trying to explain is to look at your index.php files and find a string that looks like the following:


<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCPC9pZnJhbWU+PC9kaXY+JzsNCn0='));
The real code will be much longer.

In a nutshell, your index.php files were modified by a virus or someone being malicious.


/r
-= Richard
0
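The check described in the comment above, as an added example (not part of the original thread): a read-only scan of a web root for `eval(base64_decode(...))`, including the variants wrapped in `gzinflate`, `gzuncompress` or `str_rot13`, that decodes each blob for a preview without executing it. The file names, suffix list and sample payload are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval( [gzinflate( | gzuncompress( | str_rot13( ]* base64_decode( '<blob>'
PATTERN = re.compile(
    rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*"
    rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".inc", ".phtml"}  # assumed list of PHP-handled suffixes

def decode_preview(blob, limit=60):
    """Decode the blob for triage only; nothing is ever executed."""
    cleaned = b"".join(blob.split())
    cleaned += b"=" * (-len(cleaned) % 4)  # tolerate missing padding
    try:
        return repr(base64.b64decode(cleaned)[:limit])
    except ValueError:
        return "<not valid base64>"

def scan(root):
    """Return (relative path, line number, decoded preview) per hit."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        data = path.read_bytes()
        for m in PATTERN.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            rel = path.relative_to(root).as_posix()
            findings.append((rel, line, decode_preview(m.group(1))))
    return findings

def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    blob = base64.b64encode(b"error_reporting(0); /* constructed */").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "index.php").write_text(
            f"<?php\n// loader\neval(base64_decode('{blob}'));\n")
        (root / "inc" / "cache.php").write_text(
            f'<?php eval ( gzinflate( base64_decode("{blob}") ) );\n')
        (root / "clean.php").write_text("<?php echo base64_encode('x');\n")
        return scan(root)

if __name__ == "__main__":
    for rel, line, preview in demo():
        print(f"{rel}:{line}: {preview}")
```

A hit is a lead for manual review of that file, not proof of compromise on its own.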
 

Author Comment

by:hrolsons
ID: 40366679
I don't have any index.php file in the base directory.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366697
There must be an index.php file in the WP root directory - if there wasn't it wouldn't work
0
 

Author Comment

by:hrolsons
ID: 40366717
That file must be on the server that is redirected to, which I don't have access to.  I control blueapplehouses.com but in the .htaccess:

RewriteCond %{REQUEST_URI} !^/Intranet
RewriteCond %{REQUEST_FILENAME} .*\.html$
RewriteRule . http://blueappleproperties.com [L]


It sends users on to blueappleproperties.com, which I don't control.
0
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 40366822
It may not be that site, it was just an educated guess.

Check through your mail logs, see if you can identify any spam.
It could be that you have an open relay, if so you need to clamp down on your security and require authorisation for all email.
You can test for open relays here
http://www.dnsgoodies.com/
0
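One way to carry out the mail-log check suggested in the accepted answer, as an added example (not part of the original thread): it totals messages and recipients per local sender and ties `5.x.x` rejections back to the sender through the queue ID. The sendmail-style log layout, the recipient threshold and every host, user and queue ID in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample in sendmail's maillog layout. The thread never names the
# MTA, so the layout is an assumption; hosts, users and queue IDs are made up.
SAMPLE_LOG = """\
Oct  7 03:12:01 web sm-mta[4101]: s97A01: from=www, size=2101, class=0, nrcpts=40, msgid=<a1@web.example>, relay=www@localhost
Oct  7 03:12:03 web sm-mta[4102]: s97A01: to=<u1@mail.example>, delay=00:00:02, mailer=esmtp, relay=mx.mail.example. [192.0.2.10], dsn=5.7.1, stat=Service unavailable
Oct  7 03:12:04 web sm-mta[4103]: s97A02: from=www, size=2098, class=0, nrcpts=40, msgid=<a2@web.example>, relay=www@localhost
Oct  7 03:12:06 web sm-mta[4104]: s97A02: to=<u2@mail.example>, delay=00:00:02, mailer=esmtp, relay=mx.mail.example. [192.0.2.10], dsn=5.7.1, stat=Service unavailable
Oct  7 03:12:07 web sm-mta[4105]: s97A03: from=www, size=2110, class=0, nrcpts=40, msgid=<a3@web.example>, relay=www@localhost
Oct  7 09:30:11 web sm-mta[5200]: s97B01: from=<alice@web.example>, size=912, class=0, nrcpts=1, msgid=<b1@web.example>, relay=localhost [127.0.0.1]
Oct  7 09:30:12 web sm-mta[5201]: s97B01: to=<bob@mail.example>, delay=00:00:01, mailer=esmtp, relay=mx.mail.example. [192.0.2.10], dsn=2.0.0, stat=Sent
"""

LINE = re.compile(r"\]: (?P<qid>\w+): (?P<rest>(?:from|to)=.*)$")

def fields(rest):
    """Split 'k=v, k=v' pairs; values in this sample contain no ', '."""
    return dict(p.split("=", 1) for p in rest.split(", ") if "=" in p)

def summarize(lines):
    """Map sender -> (messages, recipients, permanently rejected deliveries)."""
    sender_of, msgs, rcpts, rejected = {}, Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        f = fields(m.group("rest"))
        if "from" in f:
            sender = f["from"].strip("<>")
            sender_of[m.group("qid")] = sender  # remember who owns this queue ID
            msgs[sender] += 1
            rcpts[sender] += int(f.get("nrcpts", 0))
        elif f.get("dsn", "").startswith("5."):
            rejected[sender_of.get(m.group("qid"), "unknown")] += 1
    return {s: (msgs[s], rcpts[s], rejected[s]) for s in msgs}

def suspects(summary, max_rcpts=20):
    """Senders over the recipient threshold (assumed value) or with rejections."""
    return sorted(s for s, (_, n, rej) in summary.items() if n > max_rcpts or rej)

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG.splitlines())
    for sender in suspects(totals):
        print(sender, totals[sender])
```

On FreeBSD `www` is the account the web server runs as, so bulk mail from that sender points at a script in one of the hosted sites.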
 

Author Comment

by:hrolsons
ID: 40367004
I ran 216.55.161.147 and blueapplehouses.com through the open relay check on the site you suggested and it was clean.

I can't figure out why Yahoo is rejecting mail from the server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40367024
Check the other sites on the server as well
0
 
LVL 29

Expert Comment

by:serialband
ID: 40367430
It's possible that you didn't spam and yahoo filters went overboard.

Yahoo will sometimes block you even if you're not sending spam.  If you have a legitimate mailing list and it got sent out a little too quickly, yahoo will block you.  Even if you've done the throttling to not trigger yahoo right now, yahoo may someday just decide that you're still spamming, even after you've called them before and verified with them about the mailman mailing lists that people must manually sign up for and verify.  They're the only large company that causes problems for legitimate mailers.
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 250 total points
ID: 40367840
Another site to test if your mail server is an open relay.
www.mxtoolbox.com

DirkMare
0
