rDNS - Spam
Hi,
Do any providers implement anti-abuse measures when receiving an rDNS request? The last handful of requests for rDNS have all been made by spammers.
Thanks guys!
Comments
You mean such as looking up the domain to see if it is on any blacklists?
+1 and check fraudrecord :-)
If they send spam just terminate the vps and move on, + report to fraudrecord
Nodewatch. They'll ramp up their script, get suspended, just run ls -al on their /var/log for the container and you'll see everything symlinked to /dev/null....terminate.
Any way to achieve your goal without "just" invading the privacy of the customer right away by peeking into their private data? (and yes, what I have symlinked to where is not your fucking business). Gosh, so happy I never buy OpenVZ anymore.
Yeah signup and open 400 SMTP connections immediately and I'll show you where you can stick your privacy. It's called looking out for your actual clients. No. You can either tcpdump and spy on the packets or you can be smart and notice the signs right away.
Logs in via solusvm console to shield bash history
Symlinks logs to /dev/null
Opens a shit load of SMTP connections.
If you want to start doing all of those things without spamming just to throw a hissy fit about something that literally no non-spammer is doing be my guest but otherwise grow up and realize that adults have to run their businesses and look out for their clients that actually intend to use their services and IP ranges. This is people's livelihood not a damn toy.
Keep in mind I'm not even an OpenVZ provider.
That's monitoring network. Monitoring network is fine. But getting into people's private data should be the LAST resort, not the first thing you do.
You store your credit cards or passwords as file names or Symlinks in /var/log? Come on you're just bitching just to do it.
It's not a pretty fix to "invade" on users privacy, but seeing as most of the providers run rented gear they won't really have a decent solution in terms of monitoring traffic/specific protocol-spikes etc. I suppose it'd make sense to use something like nodewatch as it "just works" rather than fiddling with some iptables/pf-setup that may reveal more info than what you need/want.
What you could do is simply limit outgoing mail to say, 40 an hour per VM/IP, which should be more than enough for normal usage.
The provider I work for does not enforce any real limitations, but rather tries to do decent background checks as well as actively monitor our ranges for any RBL changes.
We verify if forward records exist only.
Though, it's rather easy (Or so I've been told by people who do auditing for us) to spot people with a history of spamming thanks to tools like FraudRecord these days.
Kinda hard when rDNS is automatic; however, we have alerts for flows from all the DC, so when someone is doing SMTP traffic/connections over a certain threshold, I get an email. If it's a new customer, there is the door; if an old one, blackhole until he can clean it up.
That and checking blocklists, so far worked well, we have very low spam rate.
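The two signals described in this thread (a brand-new VM opening hundreds of SMTP connections right after signup, and per-source SMTP flow counts crossing a threshold with different handling for new and established customers) can be expressed as a small flow-log detector. This is an added example, not code from any poster here; the flow line format, the customer table, the 40-per-hour threshold and all sample data are constructed for the demonstration, and a real deployment would feed it NetFlow/sFlow export or conntrack data instead.

```python
"""Threshold alerting on outbound SMTP connection flows (added example).

Input lines use a constructed, simplified flow format:
    <unix_ts> <src_ip> <dst_ip> <dst_port>
Any source that opens more than THRESHOLD connections to SMTP ports inside a
sliding WINDOW is reported, and the suggested action follows the thread's rule:
new customer -> suspend, established customer -> blackhole until cleaned up.
"""
from collections import defaultdict, deque

SMTP_PORTS = {25, 465, 587}
THRESHOLD = 40        # connections per window before alerting (the "40 an hour" figure)
WINDOW = 3600         # sliding window in seconds
NEW_CUSTOMER_SECS = 86400   # assumption: provisioned under a day ago counts as "new"

BASE = 1_700_000_000  # constructed epoch reference for the sample data

# Constructed customer table: source IP -> provisioning time (unix ts)
CUSTOMERS = {
    "10.0.0.5": BASE,                  # signed up just now
    "10.0.0.7": BASE - 400 * 86400,    # established customer, over a year old
    "10.0.0.9": BASE - 90 * 86400,     # established, low-volume mail user
}


def parse_flow(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def smtp_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (peak_count, first_alert_ts)} for sources exceeding threshold
    SMTP connections within any window-sized span of the flow stream."""
    recent = defaultdict(deque)   # src -> timestamps of SMTP flows still inside the window
    result = {}
    for line in lines:
        ts, src, _dst, dport = parse_flow(line)
        if dport not in SMTP_PORTS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # expire flows older than the window
            q.popleft()
        if len(q) > threshold:
            peak, first = result.get(src, (0, ts))
            result[src] = (max(peak, len(q)), first)
    return result


def triage(first_alert_ts, provisioned_at):
    """Thread's rule: a customer who bursts within a day of provisioning is shown the door;
    an established account is blackholed until the owner cleans it up."""
    age = first_alert_ts - provisioned_at
    return "suspend" if age < NEW_CUSTOMER_SECS else "blackhole"


def analyze(lines, customers, threshold=THRESHOLD, window=WINDOW):
    """Produce one alert dict per offending source."""
    alerts = []
    for src, (peak, first_ts) in smtp_bursts(lines, threshold, window).items():
        provisioned = customers.get(src)
        action = triage(first_ts, provisioned) if provisioned is not None else "investigate"
        alerts.append({"src": src, "peak": peak, "first_alert": first_ts, "action": action})
    return alerts


def sample_flows():
    """Constructed flow log: one fresh spammer, one compromised old box, one quiet customer."""
    lines = []
    for i in range(60):   # new VM: 60 SMTP connections within ten minutes of signup
        lines.append(f"{BASE + 60 + i * 10} 10.0.0.5 203.0.113.{i % 20 + 1} 25")
    for i in range(50):   # old customer suddenly opening 50 submission connections
        lines.append(f"{BASE + 100 + i * 30} 10.0.0.7 198.51.100.{i % 10 + 1} 587")
    for i in range(5):    # quiet customer: a handful of mails over an hour
        lines.append(f"{BASE + 200 + i * 600} 10.0.0.9 203.0.113.50 25")
    for i in range(100):  # plus ordinary HTTPS traffic, which must be ignored
        lines.append(f"{BASE + i * 5} 10.0.0.9 203.0.113.60 443")
    lines.sort(key=lambda l: int(l.split()[0]))
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_flows(), CUSTOMERS):
        print(alert)
```

The sliding window is per source, so a customer sending a steady trickle never accumulates enough entries to trip the threshold, while a burst does regardless of how the flows are spread inside the hour. Only the flow tuple (source, destination, port, time) is consulted, which is the "monitoring the network" level of inspection that even the privacy-minded posters in this thread accept.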
I always laugh when it's as simple as they request DNS (especially if it's automatic and they still ask) and then their signup domain is a dead giveaway. I remember so many at Catalyst that just didn't even look like they were trying, just hoping for dumb support techs.
Any way to put a layer between your client area to check the subdomain against a dictionary file list before it's submitted? Most spammers use random noun/verb/adjective garbage then a newly registered domain name
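Two vetting steps mentioned in this thread, verifying that a forward record exists before honouring an rDNS request and screening the requested label against a dictionary word list, fit together in one request check. This is an added example, not code from any poster or provider here; the word list, the fake resolver and the sample hostnames are constructed so it runs offline, and `system_resolve` is a hypothetical helper showing where a live lookup would plug in.

```python
"""Vetting an rDNS (PTR) request before honouring it (added example).

Checks:
  1. forward confirmation: the requested hostname must already resolve (A/AAAA)
     to the IP the PTR is requested for;
  2. dictionary-word heuristic: a label that splits cleanly into several
     dictionary words is flagged for manual review rather than auto-approved.
"""
import re
import socket

# RFC 1035-style hostname: dot-separated labels, alphabetic TLD, 253 chars max
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed word list; assumption: a deployment would load a full dictionary file instead
WORDS = {"happy", "blue", "river", "mail", "cloud", "green", "tiger", "news", "send", "fast", "box"}


def segment(label, words=WORDS):
    """Split label into the fewest dictionary words covering it exactly, or None if impossible."""
    n = len(label)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def forward_confirmed(ip, hostname, resolve):
    """resolve(hostname) -> set of IP strings. True when hostname forward-resolves to ip."""
    try:
        return ip in resolve(hostname)
    except (LookupError, OSError):   # NXDOMAIN / resolver failure counts as not confirmed
        return False


def system_resolve(hostname):
    """Hypothetical live resolver using the OS stub resolver (needs network; not used in tests)."""
    return {ai[4][0] for ai in socket.getaddrinfo(hostname, None)}


def vet_rdns_request(ip, hostname, resolve, words=WORDS, min_words=3):
    """Return (decision, reasons) where decision is 'accept', 'review' or 'reject'."""
    hostname = hostname.strip().rstrip(".").lower()
    if not HOSTNAME_RE.match(hostname):
        return "reject", ["hostname is not a valid DNS name"]
    if not forward_confirmed(ip, hostname, resolve):
        return "reject", [f"{hostname} does not forward-resolve to {ip}"]
    reasons = []
    for label in hostname.split(".")[:-1]:          # skip the TLD
        seg = segment(label, words)
        if seg and len(seg) >= min_words:
            reasons.append(f"label '{label}' is {len(seg)} dictionary words: {'+'.join(seg)}")
    return ("review" if reasons else "accept"), reasons


# Constructed zone data standing in for real DNS
FAKE_DNS = {
    "mail.example.net": {"192.0.2.10"},
    "happybluerivertiger.example.net": {"192.0.2.11"},
    "mail.example.org": {"192.0.2.50"},
}


def fake_resolve(hostname):
    if hostname not in FAKE_DNS:
        raise LookupError(hostname)
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for ip, name in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.11", "happybluerivertiger.example.net"),
                     ("192.0.2.12", "mail.example.org"),
                     ("192.0.2.13", "nx.example.net")]:
        print(ip, name, vet_rdns_request(ip, name, fake_resolve))
```

The forward check is the hard gate: a PTR that is not matched by a forward record is useless to a legitimate mail operator and is the first thing receiving MTAs test. The word-segmentation heuristic is deliberately only a "review" flag, since plenty of real hostnames are two or three words joined together; the threshold and word list are the knobs to tune against your own signup history.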
We do, of course, use NodeWatch to prevent abuse but these "clients" can send rather a lot of emails and stay under the radar before NW will pick them up. I really liked the look of FraudRecord so that's something that'll be used in the future. Thanks for all the help here guys!
I always, when possible
(strange thing is I do not use VPSes for activity prohibited in ToS/AUP). Is the mentioned list enough reason to nullify my privacy?
The solution would be to use known blacklists of such spam herders and deny service if dubious IPs are noted in any of the user's transactions.
Note: if a hoster reserves the right (explicitly, in ToS) to disregard my privacy and inspect my data without valid reason (i.e., without informing me of possibly dubious activity from my VMs, etc.), I most probably won't choose such a hoster at all.
Problem is most don't mention anything about that. I put it clearly in a plain English version of the ToS/AUP. It is not really possible to keep out all the time: you do watch processes, and when you see b26 or others, you have to see whose VM that is and notify them; at times you see other things.
Reasonable watch and action should be on the menu in a shared environment, if not it will most likely not work, there is no perfect privacy in a shared environment, at least the traffic can and should be monitored for DDoS, spam, congestion, etc.
Do you open 400+ SMTP connections as soon as you sign up?
Seriously, come on. I said what I said and you and one other person decided to cherry pick it to cry about it. There something the three of us should be discussing in private in the way of a problem with me or are you both just incapable of reading?
You don't erase evidence of a federal law violation on your network and rinse your hands of it like it didn't happen. When you know how to identify a spammer with a technique that invades no one's privacy and involves noticing things that all work TOGETHER, not as INDIVIDUAL PIECES, you use said technique because you're not an idiot and you have a business to protect. As I clearly stated, THE FIRST PART OF IT IS OPENING A TON OF SMTP CONNECTIONS IMMEDIATELY UPON SIGNUP. Read, people, it's good for you.
Exactly. In real world servers can't be 101% free from access by third parties. But stating the cases in ToS/AUP and notifying owner at least post factum is good idea.
Seriously, calm down. I have said the details in my longer response above. If server can be accessed without court order, such cases should be explicitly stated in ToS/AUP/other legally binding documents. That's all.
I don't need a court order to terminate a spammer and YOUR FILE NAMES IN /var/log ARE NOT PRIVATE. They're standard and I could list them without ever looking. Do you think I don't know what Linux is? Have you devised a way to store private information in these file names? Do you expect me to believe that there is someone out there who has and then meets the other criteria? Be a reasonable human being for just one second.
I suppose you have that written in ToS/AUP, correct? Along with spam definition.
O'RLY?
If you really think so, I don't think I should use your services. Would you be so kind to tell me whether ~/.bashrc is still private? And what if I encrypt /var/log entirely and take measures to destroy its contents if intrusion is detected -- will that be ToS/AUP violation?
Seriously, I think you should at least re-read the definition of privacy. The log files can contain information that I can decide not to disclose to anyone.
If you think there are areas of server you may inspect without customer's permit (and without them violating rules), your customers are in big trouble. No offense meant.
Whether I do or not is none of your business. Actually, the very fact that I (may) choose not to do so is also my private information. Anyway, I don't see what you are arguing about. Personally I will happily keep on not buying any OpenVZ ever, and nosy OpenVZ providers with no concept of customer privacy (and their clueless customers) will happily proceed with their lives as well.
I sincerely apologize to everyone who is a legitimate client of my nonexistent services (with relevance, at least) that does the following in order:
Opens 400+ SMTP connections immediately after SIGNUP.
Symlinks file names in /var/log to their credit card numbers or personal information.
Your privacy has been compromised by me and I am sincerely apologetic for this tragedy. Please proceed to the nearest whining station to collect your 35 cents.
Lol is it lonely on your soap box? Captain privacy beats the bad guy once again! Good looking out for nobody but some theoretical idiot as always!
Yeah. I bet there's a file named "messages" or "auth.log" in there.
OMG I JUST VIOLATED YOUR PRIVACY.
Grow up.
You mean you really don't understand why accessing files (without user's permit) in /var/log can be violation of privacy?
OK, I try to explain one last time.
Contents of any files on my VPS/dedicated server can contain information I do not wish to be accessed by anyone else. That includes auth.log and messages files in /var/log.
So you admit that you store private information in the file names? Should service providers now also be required to notify you that the "first name" field in billing is not encrypted should you choose to use the profile information section as a managed version of LastPass?
Should the highway patrol notify you that the side of the highway you are on is one way every 6 seconds or you are now free to drive the wrong way until you see the next sign?
You are expected to be a human being and act like one, I expect my providers to do the same. If you want dead impersonal automation please never click a link in my signature. Because I assure you that if I ever start running a vps service again, I will protect my clients with my knowledge and my personal application of real world context, not be a robot.
You find me someone who has personal information I don't already know in those file names and I'll admit I'm wrong. You start putting it there on all your services to spite me even though I'm not a provider and you'll not only be the first ever to do so, you'll be at a whole new level of dumb.
The absurdity of your complaint against no one for something that no one does is incredible. I mean really, bravo for managing to actually pull off a complaint against a hypothetical scenario that literally has 0 impact on you, ever.
No, I think he says:
1. You have no business looking at file names nor where they are linked unless you already know there was a ToS/AUP violation, not in order to discover one. I see a blacklisting after high SMTP activity automatically recorded; I go and check if there was intention involved or simply a hacking IF I have a doubt. Usually, if it happens minutes after provisioning, there is no doubt, also if there is an old customer with years of good behaviour.
2. The way a customer names or links his files is his business, not yours. He can also take any measures to encrypt or hide anything he sees fit, whether from you or potential intruders due to some 0day or whatever exploit of the host node/provider.
3. You do not wish to respect the privacy of customers and think that is not a right, fine, but put it clearly in your ToS/AUP so only people which "have nothing to hide" will host with you.
I don't have a ToS or AUP for my nonexistent VPS services and literally no one's privacy is being violated in any way.
Just as I know that no one is using their VPS as an ash tray for their cigarettes, so do I know the contents of your /var/log. Fear me, for I have violated your privacy on both of these counts.
I also know that you all have blood flowing through your body. Seriously my violation of your privacy just doesn't end...
I can't wait to run a VPS service again and reference this thread in the strangest policy twist ever "if you spam I'm going to ls your /var/log, this policy demanded by the LET likes-to-complain-about-nothing-squad."
@Jar
Didn't you work for catalysthost.com? Did you use the same methods to detect potential spammers as you mentioned here?