
  #1 (permalink)  
Old 09-08-10, 01:03 PM
Junior Member
 
Join Date: May 2010
Posts: 18
Am blacklisted due to Webhosting UK hosting other blacklisted sites?

Hi
I am somewhat concerned that since moving to a dedicated server with Webhosting UK my IP addresses are now beginning to be seen on blacklists;

The site used for the check was Email Blacklist Check - See if your server is blacklisted

I check the blacklists occasionally to ensure we are clean and late last week saw that we are black listed on 510 Software Group

I wrote to them as the site referenced is nothing to do with us and received this response:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> The message is “IP address 109.75.171.40 is listed here as
> pantscup.com misc.”

We saw indications of bulk mail from that /24, including from systems with reverse dns names in domains with web content that is list on sight here. A current scan shows:

109.75.171.54 is listed on sbl
109.75.171.117 server.bircicekal.net. is listed on bircicekal.net.dbl.spamhaus.org
109.75.171.184 bossroof.com. is simple unsubscribe
109.75.171.185 pantscup.com. is listed on pantscup.com.dbl.spamhaus.org, is simple unsubscribe
109.75.171.240 tanbottle.com. is simple unsubscribe
109.75.171.241 cupsaddle.com. is simple unsubscribe
109.75.171.242 hosedrum.com. is simple unsubscribe
109.75.171.243 indigobice.com. is simple unsubscribe
109.75.171.244 hosehat.com. is simple unsubscribe

Those need to disappear first. webhosting.uk.com needs to address that issue, or specify the boundaries of that infestation.

I raised a ticket with WHUK for advice and have had no response.

Today I checked the RBL lists again and find we are now also listed on ivmSIP/24. I have been through their removal process but I am naturally worried the problem is spreading.

Does anyone have any suggestions / experience with this issue?

I appreciate that if one is on a shared server there is a risk of cross-contamination but I am somewhat dismayed to see this on a dedicated server.

Thanks

Christina
Reply With Quote

  #2 (permalink)  
Old 09-08-10, 02:54 PM
Dan
Got root?
 
Join Date: Aug 2007
Location: England, UK.
Posts: 1,340
Default

Hi Christina,

Support are able to assist you with this issue.

It's unfortunate when an entire /24 is blacklisted due to the selfishness of spammers alike.
__________________
Webhosting.UK.com || cPanel VPS Hosting || Reseller Hosting

Sales: 0808-262-0855
Support: 0800-612-8725
International: +44 191 303 8191
Reply With Quote

  #3 (permalink)  
Old 09-08-10, 04:22 PM
Moderator
 
Join Date: Aug 2009
Posts: 87
Default

Hello Christina,

I apologise for the delay in responding to your post. I have responded to your ticket, Ticket #DHK-88521-284

Regards
Reply With Quote

  #4 (permalink)  
Old 10-08-10, 10:51 AM
Junior Member
 
Join Date: May 2010
Posts: 18
Default

Thanks - a solution (new set of IPs) was provided and am gradually getting sorted thanks to a lot of help from Support (Cheers Raymond)

Christina
Reply With Quote

  #5 (permalink)  
Old 11-08-10, 02:04 AM
Junior Member
 
Join Date: Aug 2010
Posts: 12
Default

Hi there! I'm new here and I'm a bit concerned about this information. What are the ways wherein a website will be blacklisted? Is there a way wherein we will know if our website is blacklisted without checking websites that are blacklisting?
Reply With Quote

  #6 (permalink)  
Old 11-08-10, 02:38 AM
Member
 
Join Date: Apr 2010
Posts: 33
Default

Quote:
Originally Posted by MisterT View Post
Hi there! I'm new here and I'm a bit concerned about this information. What are the ways wherein a website will be blacklisted? Is there a way wherein we will know if our website is blacklisted without checking websites that are blacklisting?
Your website may get blacklisted if there is a virus or malicious content in the web pages of your site that causes network abuse.
Another reason for blacklisting is if your site has phishing content. In both cases the website can be blacklisted.

Generally we inform our client if we receive any abuse complaint against their site.
Reply With Quote

  #7 (permalink)  
Old 11-08-10, 08:15 AM
Junior Member
 
Join Date: May 2010
Posts: 18
Default

Hi MisterT - I don't think there is any cause for alarm. I came across this as I check my IP addresses against DNS blacklists regularly: we keep a close eye on our email deliverability and if our IP ends up on a blacklist we need to find the reason and clear it. It's the IP address associated with the site that was found to be on a blacklist rather than the site itself. We were on another list too, not sure if it was the same reason... but they permitted us to remove ourselves: the attitude of the one that wouldn't seems rather extreme.

Web Hosting have provided me with new IPs and support helped get everything sorted - a bit of disruption for sure but is all sorted.

Hope this helps clarify.

Christina
Reply With Quote

  #8 (permalink)  
Old 12-08-10, 11:09 PM
Member
 
Join Date: Aug 2010
Posts: 50
Default

How could this happen on a dedicated server? Was the IP hacked or spoofed or is there another way that I am unaware of? I was under the impression that if you were on a dedicated server you had an IP that isn't shared.
Reply With Quote

  #9 (permalink)  
Old 12-08-10, 11:45 PM
Dan
Got root?
 
Join Date: Aug 2007
Location: England, UK.
Posts: 1,340
Default

Quote:
Originally Posted by MillenniumF View Post
How could this happen on a dedicated server? Was the IP hacked or spoofed or is there another way that I am unaware of? I was under the impression that if you were on a dedicated server you had an IP that isn't shared.
Indeed. Dedicated server IP addresses aren't shared. Unfortunately sometimes an anti-spam provider can block an entire /24 range because of a selfish spam user within that range.
__________________
Webhosting.UK.com || cPanel VPS Hosting || Reseller Hosting

Sales: 0808-262-0855
Support: 0800-612-8725
International: +44 191 303 8191
Reply With Quote

  #10 (permalink)  
Old 14-08-10, 03:06 PM
Junior Member
 
Join Date: Aug 2010
Posts: 12
Default

Quote:
Originally Posted by Dan View Post
Unfortunately sometimes an anti-spam provider can block an entire /24 range because of a selfish spam user within that range.
Can you please explain a bit more on how this happens? How is the range made up? How does this affect the websites being registered in that range?
Reply With Quote
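
Added example, not part of any post in this thread: how a DNS blacklist lookup of the kind described in the posts above is formed, and how to see which listed addresses share a /24 (the 256 addresses with the same first three octets) with your own IP. The zone `dnsbl.example`, the stub resolver and its answer are hypothetical and constructed; the IP addresses are those quoted in the first post.

```python
import ipaddress
import socket

# Hypothetical DNSBL zone and constructed answers so the example runs offline.
ZONE = "dnsbl.example"
CONSTRUCTED_ANSWERS = {"54.171.75.109." + ZONE: "127.0.0.2"}

def stub_resolve(name):
    """Offline stand-in for socket.gethostbyname: unknown names act as NXDOMAIN."""
    try:
        return CONSTRUCTED_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN") from None

def dnsbl_name(ip, zone=ZONE):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Listed if the zone answers with an address in 127.0.0.0/8."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_name(ip, zone)))
    except socket.gaierror:
        return False  # no such name: this address is not on the list
    return answer in ipaddress.ip_network("127.0.0.0/8")

def listed_neighbours(my_ip, listed_ips, prefix=24):
    """Return (network, listed addresses sharing that network with my_ip)."""
    net = ipaddress.ip_network(f"{my_ip}/{prefix}", strict=False)
    hits = sorted(ipaddress.ip_address(i) for i in listed_ips
                  if ipaddress.ip_address(i) in net and i != my_ip)
    return str(net), [str(h) for h in hits]
```

A list that escalates to the whole range answers "listed" for every address in `109.75.171.0/24`, which is why an address that sent no spam itself can still fail the per-IP lookup.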

  #11 (permalink)  
Old 08-04-11, 11:33 PM
new member
 
Join Date: Apr 2011
Posts: 3
Hmmmm - not convinced

Seems to me that the lack of adequate firewalls and AV software in the provision is letting the customers down. Time and again my VPS has been compromised and the IPs blacklisted as there is no real proactive service protecting the systems.

Changing the IP is just a quick and dirty fix - I would suspect that the real cause is rogue code injections in the server...
Reply With Quote

  #12 (permalink)  
Old 09-04-11, 12:37 AM
Moderator
 
Join Date: Sep 2008
Posts: 53
Default

Quote:
Originally Posted by mark146 View Post
Seems to me that the lack of adequate firewalls and AV software in the provision is letting the customers down. Time and again my VPS has been compromised and the IPs blacklisted as there is no real proactive service protecting the systems.

Changing the IP is just a quick and dirty fix - I would suspect that the real cause is rogue code injections in the server...

Most of the code injections & phishing attacks are done through FTP. A brute force attack is done through FTP to gain access & upload files. In such cases the firewall is also not able to stop such attacks. On a cPanel server we recommend disabling FTP access for the default cPanel user & adding a separate FTP user for the document root directory.
__________________
Regards
Sam
Asst. System Admin
VPS Support Team
Reply With Quote

  #13 (permalink)  
Old 09-04-11, 12:52 AM
new member
 
Join Date: Apr 2011
Posts: 3
Default

There is no IDS to monitor this activity, and since when do you 'recommend' that the FTP access is removed? First I've heard about it, and I've been on the system for 13 months.
Reply With Quote
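
Added example, not part of any post in this thread: detection logic for the FTP brute-force pattern discussed in the last two posts, flagging a source IP with repeated failed logins in a short window and any successful login from that IP afterwards. The log lines are constructed in the style of Pure-FTPd syslog output, and the format, threshold, window and year are assumptions to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the style of Pure-FTPd syslog output (an assumption;
# adapt LINE_RE to the format your FTP daemon writes). IPs are documentation ranges.
SAMPLE_LOG = """\
Apr  9 00:31:02 vps pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Apr  9 00:31:04 vps pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Apr  9 00:31:05 vps pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [shop]
Apr  9 00:31:06 vps pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [shop]
Apr  9 00:31:09 vps pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [shop]
Apr  9 00:31:11 vps pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [shop]
Apr  9 00:31:20 vps pure-ftpd: (?@198.51.100.20) [INFO] shop is now logged in
Apr  9 00:31:30 vps pure-ftpd: (?@203.0.113.7) [INFO] shop is now logged in
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(\S*?@(?P<ip>[\d.]+)\) \[\w+\] (?P<msg>.*)$")

def detect_ftp_bruteforce(log_text, threshold=5,
                          window=timedelta(seconds=60), year=2011):
    """Return (kind, source_ip, iso_timestamp) alerts; syslog omits the year."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, msg, fails = m["ip"], m["msg"], recent[m["ip"]]
        while fails and ts - fails[0] > window:
            fails.popleft()  # drop failures that fell out of the window
        if msg.startswith("Authentication failed"):
            fails.append(ts)
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ts.isoformat()))
        elif msg.endswith("is now logged in") and ip in flagged:
            # A success after a burst of failures suggests a guessed password.
            alerts.append(("login_after_brute_force", ip, ts.isoformat()))
    return alerts
```

The single mistyped password from `198.51.100.20` raises no alert, while the login from `203.0.113.7` after its burst of failures is the event that warrants a password reset and a review of uploaded files.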
