Host IP getting spam-listed

When you're on shared hosting, it only takes one of the other accounts on the server getting hacked for the attacker to start pumping out spam. Every site on that server sends mail from the same outbound IP, so the moment the spam goes out, the IP you share with it gets blocked.

That's the point where email from your site to the big providers (Gmail, Yahoo, Live, ...) stops arriving and fails. The first step is to read the bounce you got back carefully and find out where you've been listed. The text of that email looks like this:

This message was created automatically by mail delivery software.
 
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
 
  XXXXXXXXX@yahoo.com
    host mta6.am0.yahoodns.net [66.196.118.35]
    SMTP error from remote mail server after MAIL FROM:<XXX@YOUR_SITE.com> SIZE=1564:
    553 5.7.1 [BL21] Connections will not be accepted from XXX.XXX.XXX.XXX, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html
 
------ This is a copy of the message, including all the headers. ------
 
Return-path: <XXX@YOUR_SITE.com>
Received: from localhost ([127.0.0.1]:38081 helo=YOUR_SITE.com)
	by XXX.YOUR_SERVER.com with esmtpa (Exim 4.85)
	(envelope-from <XXX@YOUR_SITE.com>)
	id 1YU9xk-00145u-Mj
	for XXXXXXXXXXX@yahoo.com; Sat, 07 Mar 2015 11:49:57 +0330
MIME-Version: 1.0
Date: Sat, 07 Mar 2015 11:49:56 +0330
From: XXX@YOUR_SITE.com
To: XXXXXXXXXXXXX@yahoo.com
Subject: SUBJECT
Message-ID: <YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY@YOUR_SITE.com>
X-Sender: XXX@YOUR_SITE.com
User-Agent: USER_AGENT
X-OutGoing-Spam-Status: No, score=-1.5

This email makes it clear that you've been blocked on the strength of a Spamhaus listing. Your server's IP is the one in the 553 reply line, "Connections will not be accepted from ..." (redacted here as XXX.XXX.XXX.XXX). One more thing worth noticing in the copied headers: the message entered the mail server from localhost with esmtpa, i.e. an authenticated submission from something running on the server itself, which is your first clue about which site is the culprit.
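On a server that hosts many sites you'll see a lot of these bounces, and it pays to parse them mechanically rather than eyeballing each one: the SMTP reply carries the status code, the rejected IP and the listing URL, and the copied headers show how the message got into your own mail server. The block below is an added example, not code from the original post. It embeds a constructed bounce modelled on the one above, with the addresses replaced by example.com/example.net names and the blocked IP by the documentation address 203.0.113.45; the field names and regular expressions are my own assumptions about an Exim bounce of this shape.

```python
import re
from typing import Dict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
COPY_MARKER = "------ This is a copy of the message"

# Constructed sample, modelled on the Exim bounce quoted in the post.
# Real addresses are replaced by example.com/example.net names and the
# rejected server IP by 203.0.113.45 (a documentation address).
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  someone@yahoo.com
    host mta6.am0.yahoodns.net [66.196.118.35]
    SMTP error from remote mail server after MAIL FROM:<info@example.com> SIZE=1564:
    553 5.7.1 [BL21] Connections will not be accepted from 203.0.113.45, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html

------ This is a copy of the message, including all the headers. ------

Return-path: <info@example.com>
Received: from localhost ([127.0.0.1]:38081 helo=example.com)
\tby srv.example.net with esmtpa (Exim 4.85)
\t(envelope-from <info@example.com>)
\tid 1YU9xk-00145u-Mj
\tfor someone@yahoo.com; Sat, 07 Mar 2015 11:49:57 +0330
From: info@example.com
To: someone@yahoo.com
Subject: SUBJECT
"""


def parse_bounce(text: str) -> Dict[str, object]:
    """Pull the delivery-failure facts out of an Exim-style bounce."""
    head, _, copy = text.partition(COPY_MARKER)

    failed = re.findall(r"^\s+(\S+@\S+)\s*$", head, re.M)
    mx = re.search(r"host (\S+) \[(" + IPV4 + r")\]", head)
    # "553 5.7.1 ...": basic reply code, enhanced status code, free text
    err = re.search(r"^\s*([245]\d\d)[ -](\d\.\d{1,3}\.\d{1,3})\s+(.*)$", head, re.M)
    code, enhanced, reason = (
        (err.group(1), err.group(2), err.group(3).strip()) if err else (None, None, "")
    )

    # The rejected address is normally named right after "from"; fall back
    # to the first IPv4 literal in the reply text.
    m = re.search(r"\bfrom (" + IPV4 + r")", reason)
    ips = re.findall(IPV4, reason)
    blocked_ip = m.group(1) if m else (ips[0] if ips else None)

    url = re.search(r"https?://[^\s;,]+", reason)
    listing_url = url.group(0).rstrip(".)") if url else None

    # How the message got into our own MTA (the copied Received: header).
    via = re.search(r"\bby (\S+) with (\S+)", copy)
    helo = re.search(r"helo=([^\s)]+)", copy)
    env = re.search(r"envelope-from <([^>]+)>", copy)
    proto = via.group(2) if via else None

    return {
        "failed_recipients": failed,
        "remote_mx": (mx.group(1), mx.group(2)) if mx else None,
        "smtp_code": code,
        "enhanced_status": enhanced,
        "permanent": bool(code) and code.startswith("5"),
        "reason": reason,
        "blocked_ip": blocked_ip,
        "listing_url": listing_url,
        # 5.7.1 means "delivery not authorized"; together with a blocklist
        # keyword it is an IP-reputation rejection, not a bad address.
        "blocklist_rejection": enhanced == "5.7.1"
        and bool(re.search(r"spamhaus|blocklist|blacklist|dnsbl|rbl|listed", reason, re.I)),
        "submitted_via": proto,
        # Exim protocol names ending in "a" (esmtpa, esmtpsa) mean SMTP AUTH
        # succeeded: the sender had a valid mailbox login or used the
        # server's own submission path, which narrows down where to look.
        "authenticated_submission": bool(proto) and proto.endswith("a"),
        "helo_name": helo.group(1) if helo else None,
        "envelope_from": env.group(1) if env else None,
    }


if __name__ == "__main__":
    for key, value in parse_bounce(SAMPLE_BOUNCE).items():
        print(f"{key:24} {value}")
```

The `authenticated_submission` flag is the one to look at first on a shared host: an authenticated submission from 127.0.0.1 means the mail was handed in by a script on the box or by someone who has an account's SMTP password, so the mail server's own reputation checks on the inbound side never came into play.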

Now, go to https://www.spamhaus.org/query/ip/54.158.21.160 * and you'll see the page below:

[Image: the Spamhaus IP lookup page]

If your IP is listed, you'll see a red line like this:

54.158.21.160 is listed in the XBL, because it appears in:
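The web form is fine for checking one IP by hand, but the same lookup is available over DNS, which is what receiving mail servers actually use and what you want in a cron job that watches every outbound IP you own. The block below is an added example, not code from the post or from Spamhaus: it builds the reversed-octet query name, decodes the zen.spamhaus.org return codes (the 127.0.0.x values Spamhaus documents, plus the 127.255.255.x answers that mean the query itself was refused, for instance because it went through a public resolver such as 8.8.8.8), and optionally does the live query. The zone name and the return-code table are Spamhaus's published ones; the function names are my own.

```python
import ipaddress
import socket
from typing import Dict, List

# Return codes published for zen.spamhaus.org (the combined SBL+XBL+PBL zone).
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source or spammer-controlled address",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sender",
    "127.0.0.4": "XBL (CBL data): exploited host - botnet, open proxy, trojan",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP: hijacked or worst-of-the-worst netblock",
    "127.0.0.10": "PBL (ISP-maintained): end-user space that should not send direct-to-MX",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}
# Answers that mean the query was rejected, not that the IP is listed.
QUERY_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver; use your own resolver or a DQS key",
    "127.255.255.255": "query volume limit exceeded",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-address name a DNSBL is queried under."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # one nibble per label
    return ".".join(reversed(labels)) + "." + zone


def decode_zen(answers: List[str]) -> Dict[str, object]:
    """Turn the A records returned for a zen query into listings and errors."""
    listings, errors = [], []
    for a in answers:
        if a in QUERY_ERRORS:
            errors.append(QUERY_ERRORS[a])
        elif a in ZEN_CODES:
            listings.append(ZEN_CODES[a])
        elif a.startswith("127."):
            listings.append(f"unknown Spamhaus return code {a}")
        else:
            # A routable address here almost always means a resolver that
            # rewrites NXDOMAIN (ISP "search assist"); do not trust it.
            errors.append(f"non-loopback answer {a}: resolver is probably hijacking NXDOMAIN")
    return {"listed": bool(listings), "listings": listings, "errors": errors}


def check_ip(ip: str, zone: str = "zen.spamhaus.org") -> Dict[str, object]:
    """Live lookup: needs network access and a non-public recursive resolver."""
    name = dnsbl_query_name(ip, zone)
    try:
        answers = sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        answers = []  # NXDOMAIN: not listed
    result = decode_zen(answers)
    result["query"] = name
    return result


if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test entry; zen lists it on purpose.
    print(check_ip("127.0.0.2"))
    print(check_ip("54.158.21.160"))
```

An XBL hit (127.0.0.4) is the case this post is about: it is not a judgement on your mail, it says the address is behaving like a compromised machine, which is why the delisting page later insists on finding the infection first.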

There are two ways to deal with this. One is to report it to the server admin or your hosting provider, so they can go through the websites on the server and stop the problem at its source. The other is to click the link yourself and take the IP off the list. The advantage of the first route is that the offending website gets identified and this doesn't happen again. If you go for the second route and click the link, a page opens with one box containing your IP and another for a captcha; after entering the captcha you'll be shown the following text:

Note: you don't need to read all of it. The part in red is what matters, and I'll explain it afterwards 😀

IP Address 54.158.21.160 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2017-09-20 22:33 GMT (+/- 30 minutes), approximately 4 days, 4 hours, 59 minutes ago.

This IP is infected with, or is NATting for a machine infected with s_dofoil

Note: If you wish to look up this bot name via the web, remove the “s_” before you do your search.

This was detected by observing this IP attempting to make contact to a s_dofoil Command and Control server, with contents unique to s_dofoil C&C command protocols.

This was detected by a TCP/IP connection from 54.158.21.160 on port 54511 going to IP address 192.168.1.2 (the sinkhole) on port 80.

The botnet command and control domain for this connection was “SPAMMER_WEBSITE.com”.

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.168.1.2 or host name SPAMMER_WEBSITE.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 192.168.1.2 or SPAMMER_WEBSITE.com. See Advanced Techniques for more detail on how to use wireshark – ignore the references to port 25/SMTP traffic – the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2017-09-20 22:33 (GMT – this timestamp is believed accurate to within one second).

These infections are rated as a “severe threat” by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn’t require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it’s a “sensor” (only) run by “the good guys”. The bot “thinks” its a command and control server run by the spambot operators but it isn’t. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any “tracks” for you to find in your mail server logs. This is even more important for the viruses described here – these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn’t working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With “sinkhole malware” detections such as this listing, we aren’t detecting port 25 traffic, we’re detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: having your anti-virus software doesn’t find anything doesn’t prove that you’re not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine – meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

WARNING: If you continually delist 54.158.21.160 without fixing the problem, the CBL will eventually stop allowing the delisting of 54.158.21.160.

If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.

Click on this link to delist 54.158.21.160.

As the part at the end that I've highlighted in red says, you're being warned: if your IP keeps getting listed and you keep removing it from the list without fixing the underlying problem, i.e. finding the website that's at fault, then after a few attempts Spamhaus will stop letting you delist it at all.

According to the site itself, removal from the list takes at most three hours.
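The CBL text above tells you to instrument your firewall so that it reports which machine, and on a single host which account, is talking to the sinkhole, because the identifying traffic is not on port 25 and leaves nothing in the mail log. The block below is an added example, not code from the post or from the CBL. It assumes an iptables LOG rule such as `iptables -I OUTPUT -d 192.168.1.2 -j LOG --log-prefix "SINKHOLE: " --log-uid` on the server (on a NAT router you would use the FORWARD chain instead, where no UID is available) and parses the kernel log lines that rule produces. The log lines, the sinkhole address 192.168.1.2 (the placeholder shown in the listing above), the account UIDs and the user names are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed kernel log lines, as an iptables LOG rule with
# --log-prefix "SINKHOLE: " --log-uid would produce them. 192.168.1.2 stands
# in for the sinkhole address from the CBL listing; 203.0.113.45 is the
# server's own address, 10.0.0.7 a NAT-ed client logged by a FORWARD rule.
SAMPLE_KERN_LOG = """\
Sep 21 01:02:03 web1 kernel: [12345.678] SINKHOLE: IN= OUT=eth0 SRC=203.0.113.45 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=54511 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Sep 21 01:02:09 web1 sshd[2201]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
Sep 21 01:07:44 web1 kernel: [12666.001] SINKHOLE: IN= OUT=eth0 SRC=203.0.113.45 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=54602 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Sep 21 01:07:50 web1 kernel: [12672.420] SINKHOLE: IN= OUT=eth0 SRC=203.0.113.45 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=54610 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Sep 21 01:12:30 web1 kernel: [12952.100] SINKHOLE: IN= OUT=eth0 SRC=203.0.113.45 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=TCP SPT=54701 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Sep 21 01:15:02 gw1 kernel: [99001.300] SINKHOLE: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=49230 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Constructed /etc/passwd excerpt: on a shared host each site runs as its own
# account, so the UID names the offending site directly.
SAMPLE_UIDS = {"0": "root", "1003": "shopsite", "1004": "blogsite"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[[^\]]*\] )?(?P<prefix>\S+): (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags (DF, SYN) are skipped


def parse_kernel_log_line(line: str) -> Optional[Dict[str, object]]:
    """Split one netfilter LOG line into timestamp, host, prefix and fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix"),
        "fields": dict(FIELD_RE.findall(m.group("rest"))),
    }


def triage(lines: List[str], sinkhole_ip: str, prefix: str = "SINKHOLE",
           uid_to_user: Optional[Dict[str, str]] = None) -> List[Dict[str, object]]:
    """Group sinkhole contacts by source address and local UID, busiest first."""
    uid_to_user = uid_to_user or {}
    hits: Dict[tuple, Dict[str, object]] = {}
    for line in lines:
        rec = parse_kernel_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        f = rec["fields"]
        if f.get("DST") != sinkhole_ip:
            continue  # the LOG rule may be broader than one address
        src, uid = f.get("SRC"), f.get("UID")
        h = hits.setdefault((src, uid), {
            "src": src,
            "uid": uid,
            # FORWARD-chain lines carry no UID: the culprit is another box.
            "user": uid_to_user.get(uid, "unknown") if uid else "n/a (forwarded, no local UID)",
            "count": 0,
            "dports": set(),
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
        })
        h["count"] += 1
        if f.get("DPT"):
            h["dports"].add(int(f["DPT"]))
        h["last_seen"] = rec["ts"]
    report = sorted(hits.values(), key=lambda h: -h["count"])
    for h in report:
        h["dports"] = sorted(h["dports"])
    return report


if __name__ == "__main__":
    for h in triage(SAMPLE_KERN_LOG.splitlines(), "192.168.1.2", uid_to_user=SAMPLE_UIDS):
        print(f"{h['src']:15} uid={h['uid']} ({h['user']}) hits={h['count']} "
              f"ports={h['dports']} {h['first_seen']} .. {h['last_seen']}")
```

The UID is the useful part on a shared server: it points straight at the hosting account whose code is phoning home, which is the "find the infection" step the CBL wants done before you delist. A LOG rule only records; it does not block, so it avoids the trap the listing text warns about, where firewalling the sinkhole hides the symptom and leaves the infected site in place.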

* – All the links in this article are generated from your own IP address (the one you're reading this from). To check your website or server, you need to replace that IP in the links with your website's or server's IP.
