Comments
If this has been an ongoing issue, then this seems like a normal escalation. It wasn't just one IP. That Spamhaus listing shows 3 IPs so 5% of your IP space was affected.
I don't know the whole story, so I am not taking sides. But from a DC perspective, these spam complaints cause no end of headaches, especially when you get whole blocks listed. Part of being a VPS provider is to actively monitor your server for abuse; it's going to happen and it's going to happen regularly. So you need to find a way to detect excessive outbound SMTP and either block the IP or shut down the VM.
Well, mission accomplished for whoever wrote that.
And typically I do, within 5 mins of notification. But in this case I didn't even really get the chance. I'm not knocking Dacentec; my initial post was just wondering if this was a normal way to go about things, as the last DC I actively worked with was Liquid Web several years ago, so I was curious if this was normal practice nowadays... I'm starting to think the only way to keep spam from happening is to require photo ID before opening ports, though I don't like limiting people in that way.
I was also just corrected: I was on ZEN and XBL, but I caught that one before an abuse ticket was created. (I think that was the guy that was sending out all of those Chase emails (that Chase didn't care about).)
Anywho, I think I will be making some changes to how someone gets port 25 opened, again. I appreciate all of your guys' help.
If my DC/upstream starts to null my own IP range(s) I will go batshit insane and run them down. While minimally excusable for their own ranges sub-allocated/assigned to a customer, I see absolutely zero reason to ever touch my own space, even more so if I run my own BGP with them. They can cancel the contract (within the written timeframe), sure, but not simply go around nulling shit; if this is in the contract I simply don't sign it (Atrato for example has such a clause).
Today you have to be extra careful on such things; you never know who wants to fuck around with you (and with some contacts it is very simple to get a fake SBL up, as Spamhaus relies majorly on external "sources"). I'd rather be "safer" by using a "criminal" upstream than wake up and have a /24 filtered/ACLd/nulled due to a Spamhaus listing for 5% of it.
I have seen this happen, but with due notice and warning.
One incident a month ago about the same spammer might trigger some nerve twitching.
It is a bit bizarre this was done for the customer's space, but not unheard of, no.
Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?
Only ever been nulled once, and the DC had just gotten a call from the FBI that the guy was hosting child porn. Of course, that's not including ColoCrossing's trigger happy SMTP null routing and DDoS attacks.
Null or drop outbound 25 on the offending IPs only + 24 hours notice to remove the spamming customer.
It depends on how many notices, the severity of the notices, account history.
If a customer signed up for a server and large block of IPs and started getting SBLs right away we might terminate the entire account.
Now that actually sounds like a good reason for nulling without warning.
In the US you don't have much choice on that. Though if the FBI calls (yes, I had this before, also the Secret Service and something called "National Cyber Security Division" which seems to be some Homeland Security thing) and has a nice story (or even proof), I still can't touch the servers; I simply cannot follow laws from other countries or I risk legal problems myself. They should go the usual way and call my local police (or a higher-up instance like the government or federal police) and send me a local court order (depending on the crime; for CP a mail or fax is enough, but I need that or I cannot open and verify the content without incriminating myself), then I will happily comply.
It was (and is) a perfectly good reason, except the DC told me to go look at the content to verify. I was like, nope. No thank you, the FBI calling is proof enough.
I was told to just terminate the client. They didn't ask for his info or anything, which I found a bit weird.
So you don't get much sleep do you?
Actually no, but I check it with a script which emails me what IPs are on what blacklists; manually checking would suck, lol.
https://github.com/ConnorStr/blacklist_checker
Part of growing: finding that sweet spot where people who want to abuse your services no longer feel welcome, while everyone else does.
Here's something I made that you can copy:
https://catalysthost.com/refund-request-form/
That actually makes a lot of sense. The contact info you have on file in these cases is either complete baloney, or doesn't belong to the true perpetrator.
@Jar, you actually have people ask for a refund? The people I have just charge back...
So... can I get that refund then? I only sent 500,000 viagra emails to people who definitely subscribed to it.
I dunno I don't really handle that anymore, only thing I do for Catalyst is manage shared hosting email under the roof of MXroute. But...I like to joke too
This usually isn't enough. As others have mentioned you need some blocking or active countermeasures.
Typically I do too; today has just been one of those days when nothing has gone right... BTW I'm still waiting for Spamhaus (who would have guessed) to de-list me or to tell me why they won't...
And I keep trying to find something that works halfway decent; right now all IPs have port 25 blocked whilst I figure out what I'm going to do later tonight.
Do yourself a favor and limit port 25; if over a certain limit, block. Maybe @dacentec can help set up a switch/router-level ACL.
So you've seen and handled the Spamhaus, SpamCop, and multitude of SBL listings?
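Added example for the two posts above that call for detecting excessive outbound SMTP and blocking past a limit. This is not code from the thread or from any provider named in it. It assumes the host logs each new outbound TCP/25 connection from a guest with an iptables LOG rule in the standard kernel LOG line format; the rule, the "SMTP-NEW:" prefix, the thresholds and the sample log lines are all constructed for illustration.

```python
r"""Added example, not code from the thread: offline detection of a guest that
is opening too many outbound SMTP connections, i.e. the "detect excessive
outbound SMTP, then block the IP or shut down the VM" step.

Assumptions (illustrative, not from the thread):
  * new outbound TCP/25 connections from guests are logged on the host with
      iptables -A FORWARD -p tcp --dport 25 -m conntrack --ctstate NEW \
          -j LOG --log-prefix "SMTP-NEW: "
    and enforcement is a matching hashlimit rule keyed on the source IP:
      iptables -A FORWARD -p tcp --dport 25 -m conntrack --ctstate NEW \
          -m hashlimit --hashlimit-name smtp-out --hashlimit-mode srcip \
          --hashlimit-above 60/hour --hashlimit-burst 60 -j DROP
  * log lines use the standard kernel LOG layout (SRC=, DST=, PROTO=, DPT=)
    and arrive in time order, as they do in a log file.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: SMTP-NEW: "
    r".*?\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?\bPROTO=TCP .*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return (timestamp, source ip) for a logged new TCP/25 connection, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("dpt") != "25":
        return None
    # syslog stamps carry no year; strptime defaults to 1900, harmless for deltas
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src")


def find_abusers(lines, limit=20, window_minutes=60):
    """Return {src_ip: peak} for every source that opened at least `limit` new
    connections to port 25 inside some sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= limit}


# Constructed sample log: 192.0.2.13 opens 25 connections in under a minute (a
# spam run), 192.0.2.20 opens three spread over 40 minutes (a normal MTA), and
# one line goes to submission port 587, which must not be counted.
SAMPLE_LOG = [
    f"Oct 12 12:04:{i:02d} host kernel: SMTP-NEW: IN=vnet3 OUT=eth0 "
    f"SRC=192.0.2.13 DST=203.0.113.{5 + i} LEN=60 TTL=64 PROTO=TCP "
    f"SPT={40000 + i} DPT=25 WINDOW=29200 SYN"
    for i in range(25)
] + [
    f"Oct 12 12:{10 + 20 * i}:00 host kernel: SMTP-NEW: IN=vnet3 OUT=eth0 "
    f"SRC=192.0.2.20 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP "
    f"SPT={41000 + i} DPT=25 WINDOW=29200 SYN"
    for i in range(3)
] + [
    "Oct 12 12:30:00 host kernel: SMTP-NEW: IN=vnet3 OUT=eth0 "
    "SRC=192.0.2.20 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP "
    "SPT=41100 DPT=587 WINDOW=29200 SYN"
]

if __name__ == "__main__":
    print(find_abusers(SAMPLE_LOG, limit=20))
```

The hashlimit rule does the blocking on its own; the script is the reporting side, so a provider can see which guest tripped it and by how much before deciding between a port block and suspending the VM. The sliding window matters: a burst of 25 in one minute and 25 spread evenly over a day are very different signals, and a plain per-day count cannot tell them apart.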
From the IPs listed on the spamhaus listing:
From [email protected] Mon Oct 12 12:04:58 2015
Delivery-date: Mon, 12 Oct 2015 12:04:58 -0400
Received: from [172.98.196.13] (helo=oxp6bv.mesego.review)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from XareltoClaimSupport@mesego.review)
id 1Zlfas-0000Ao-Ah
for [email protected]; Mon, 12 Oct 2015 12:04:58 -0400
Received: from 01f8996f.oxp6bv.mesego.review (amavisd, port 6222)
From [email protected] Mon Oct 12 13:09:06 2015
Delivery-date: Mon, 12 Oct 2015 13:09:06 -0400
Received: from [172.98.196.17] (helo=sd57mhy.cajixic.faith)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from J.G.Wentworth@cajixic.faith)
id 1Zlgaw-00086E-Bd
for [email protected]; Mon, 12 Oct 2015 13:09:06 -0400
Received: from 02063b33.sd57mhy.cajixic.faith (amavisd, port 11223)
From [email protected] Mon Oct 12 14:02:34 2015
Delivery-date: Mon, 12 Oct 2015 14:02:34 -0400
Received: from [172.98.196.19] (helo=jtznkyc.heduhe.review)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from LendingTreePartners@heduhe.review)
id 1ZlhQg-0003A7-Ax
for [email protected]; Mon, 12 Oct 2015 14:02:34 -0400
Received: from 01f5f395.jtznkyc.heduhe.review (amavisd, port 11224)
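Added example for the headers pasted above; it is not code from the thread or from Spamhaus. It pulls the connecting IP, HELO name and envelope sender out of an mbox-style dump like that one and works out what share of a given prefix is implicated. It assumes each message begins with a "From " separator line and that the topmost Received header is the victim MX's own; the sample dump is built from the three headers above with the redacted recipient replaced by a placeholder address.

```python
r"""Added example, not the thread's code: parse an mbox-style dump of abuse
samples, extract the first external hop of each message, and measure how much
of a provider's prefix shows up.

Assumptions (illustrative): the dump is concatenated messages, each starting
with a "From <addr> <date>" separator line, and the first Received: header of
each message is the one the victim's MX added itself, so the bracketed address
in it is the real connecting IP (Received lines below it can be forged).
"""
import ipaddress
import re
from collections import defaultdict

FROM_SEP = re.compile(r"^From \S+ ", re.M)
HOP_RE = re.compile(
    r"^Received: from \[(?P<ip>\d+\.\d+\.\d+\.\d+)\] \(helo=(?P<helo>[^)]+)\)"
    r".*?\(envelope-from (?P<sender>[^)]+)\)",
    re.M | re.S,
)


def split_mbox(text):
    """Split a concatenated dump into one string per message at 'From ' lines."""
    starts = [m.start() for m in FROM_SEP.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]


def first_hop(msg):
    """(ip, helo, envelope_from) from the topmost bracketed Received header, or None."""
    m = HOP_RE.search(msg)
    return (m.group("ip"), m.group("helo"), m.group("sender")) if m else None


def implicated(text, prefix):
    """Summarise which addresses inside `prefix` appear as connecting IPs.

    Returns {"ips": {ip: [(helo, envelope_from), ...]},
             "share": fraction of the prefix's addresses that were seen,
             "sender_domains": set of envelope-from domains}.
    Several IPs each using its own fresh domain is the snowshoe pattern.
    """
    net = ipaddress.ip_network(prefix)
    ips = defaultdict(list)
    domains = set()
    for msg in split_mbox(text):
        hop = first_hop(msg)
        if hop is None or ipaddress.ip_address(hop[0]) not in net:
            continue
        ip, helo, sender = hop
        ips[ip].append((helo, sender))
        domains.add(sender.rpartition("@")[2].lower())
    return {"ips": dict(ips), "share": len(ips) / net.num_addresses,
            "sender_domains": domains}


# Sample dump constructed from the three headers quoted in the thread; the
# recipient, redacted on the page, is replaced by a placeholder address.
SAMPLE = """\
From user@mail.victim.example Mon Oct 12 12:04:58 2015
Delivery-date: Mon, 12 Oct 2015 12:04:58 -0400
Received: from [172.98.196.13] (helo=oxp6bv.mesego.review)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from XareltoClaimSupport@mesego.review)
    id 1Zlfas-0000Ao-Ah
    for user@mail.victim.example; Mon, 12 Oct 2015 12:04:58 -0400
Received: from 01f8996f.oxp6bv.mesego.review (amavisd, port 6222)
From user@mail.victim.example Mon Oct 12 13:09:06 2015
Delivery-date: Mon, 12 Oct 2015 13:09:06 -0400
Received: from [172.98.196.17] (helo=sd57mhy.cajixic.faith)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from J.G.Wentworth@cajixic.faith)
    id 1Zlgaw-00086E-Bd
    for user@mail.victim.example; Mon, 12 Oct 2015 13:09:06 -0400
Received: from 02063b33.sd57mhy.cajixic.faith (amavisd, port 11223)
From user@mail.victim.example Mon Oct 12 14:02:34 2015
Delivery-date: Mon, 12 Oct 2015 14:02:34 -0400
Received: from [172.98.196.19] (helo=jtznkyc.heduhe.review)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from LendingTreePartners@heduhe.review)
    id 1ZlhQg-0003A7-Ax
    for user@mail.victim.example; Mon, 12 Oct 2015 14:02:34 -0400
Received: from 01f5f395.jtznkyc.heduhe.review (amavisd, port 11224)
"""

if __name__ == "__main__":
    print(implicated(SAMPLE, "172.98.196.0/24"))
```

For the three samples this gives three IPs, three distinct throwaway sender domains, and a share of about 1.2% of a /24 or 4.7% of a /26, the kind of figure behind the "5% of your IP space" remark earlier in the thread. Only the MX's own Received line is trusted for the connecting IP because the sender controls every header below it, including the amavisd-looking hop.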
So if your DC asks you for customer data on an abuse report you cannot even independently verify you just give it to them? Under which legal obligation? You know giving it to them very likely violates US law, right?
Another ISP to never use, list gets longer every week.
Says the ISP that does no such thing on their own VPS.... you should eat your own soup before you complain.
They'll null the main IP of your server for a DMCA complaint. 1st complaint ever and similarly, they open the ticket and expect some kind of response within an hour or two. I responded within a reasonable 24 hours.
Spamhaus is shaking down providers hard with their extortion scheme of mandating they use SMTP filtering, which they kindly refer you to; clear proof of the Spamhaus mafia/extortion scheme.
@StealthyHosting You just pasted the same stuff that this whole thread is about, just trying to get your signature spam in?
I had the port limited with iptables when this happened, and I tested it over and over again to verify it was working. But in this case it seems like something to do with the emails themselves not the amount of emails sent.
Why would the DC even ask for the customer info; they're not paid for directing investigations on behalf of the FBI. From the sidelines here, I thought the poster was wondering why the FBI didn't ask for the customer info.
I meant the FBI didn't want it.