Question:
My domain IP was listed on XBL (CBL) Spamhaus?
Pioneer
2015-12-21 13:08:55 UTC
I am running a registration website where users receive an email confirmation after successful registration. Only after a "human" registration is submitted does a confirmation email go out. Nowhere on my site will you find a page where anyone can just enter an email address and receive an email without verification.

I have a Business Plan from HostGator and a dedicated IP. I am using swiftmailer, and I had been using it for years with no issues until now. Emails are sent from an email address under my domain (confirmation@my_domain.com) and not through a third-party email client.

On Dec 1st I got my first email bounce stating that my IP is on the Spamhaus list. I did some research and found that my HostGator account did not have SPF enabled, so I enabled it (DKIM was on). I had the IP address removed from the Spamhaus list, but 12 days later I got another bounced email and I am on the list again. The CBL utility states: "It (IP) shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet. This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it's participating in a botnet." I am not sure what to do about this as this is a web hosting server. All the results I got regarding "kelihos" were related to business networks and individual computers being compromised.

Any ideas on how I can go about fixing this would be appreciated. I am relatively new at all this, so use small words :)

Thanks
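A small added helper (not part of the original post) for checking whether an address is still listed after a delisting request, and in which Spamhaus list. It queries the zen.spamhaus.org combined zone the usual DNSBL way (reversed octets prepended to the zone) and maps the documented return codes; the 127.255.255.x answers are error signals, not listings, which is an easy thing to misread. The `resolve` parameter is an assumption of this example so it can be tested offline.

```python
import socket
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"

# Return codes documented by Spamhaus for the ZEN combined zone.
# 127.0.0.4-127.0.0.7 have historically all meant XBL (which includes CBL data).
ZEN_CODES = {
    "127.0.0.2": "SBL",   # verified spam source
    "127.0.0.3": "SBL",   # CSS: low-reputation / snowshoe sender
    "127.0.0.4": "XBL",   # host looks compromised (botnet, open proxy); this is the CBL case
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",   # DROP: hijacked / bulletproof netblock
    "127.0.0.10": "PBL",  # policy range, not meant to send mail directly
    "127.0.0.11": "PBL",
}
# These answers mean the query itself was rejected; they are NOT listings.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: 203.0.113.7 -> 7.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers):
    """Split DNSBL A-record answers into (list names) and (problems with the query)."""
    listed, problems = [], []
    for a in answers:
        if a in ZEN_CODES:
            if ZEN_CODES[a] not in listed:
                listed.append(ZEN_CODES[a])
        else:
            problems.append(ERROR_CODES.get(a, f"unexpected answer {a}"))
    return listed, problems


def check_ip(ip: str, resolve=socket.gethostbyname_ex):
    """Look the address up in ZEN. NXDOMAIN (socket.gaierror) means 'not listed'."""
    try:
        _, _, addrs = resolve(dnsbl_name(ip))
    except socket.gaierror:
        return [], []
    return classify(addrs)
```

Run `check_ip("<your dedicated IP>")` from a host using its own (non-public) resolver; an `XBL` entry means Spamhaus still sees compromise-style traffic from the address, so the cause must be found before asking for delisting again.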
Four answers:
Robert J
2015-12-21 13:48:19 UTC
Is it possible someone is misusing the "registration" part of the system with other people's email addresses to cause you or them trouble?

If people keep getting confirmation requests for a site they have not visited, they could well be filing spam reports.

If it's part of something like a bulletin board or web shop, it is possible that software/web site is being targeted or has been compromised by a spam / phishing system and is responding with emails.

I'd check the web site logs (wherever people are supposed to register to get the confirmation mail) and also very carefully check the files on the web server - look for any files / directories modified since you set up the site.

You may find e.g. some stuff stashed in one of the data directories with php scripts, or the main index hacked and extra code inserted.

I've seen both on compromised web sites.
Pioneer
2015-12-21 13:52:02 UTC
Here is the way I have it set up:

Registration needs to be submitted to the database first. All user (POST) info is checked, screened and validated. I have not received a "fake" registration in years.

If the registration is submitted successfully, the email script gets called and the registration ID (last id) gets passed to it.

The email script queries the registration record based on the ID provided; if one is found, it sends the email to the email addresses that were submitted with the registration only.

Every time an email is sent, it is also BCC'd to an "archive" account at the same time.

I have been scanning through the archive email account and there is no funny business going on. No fake info, no fake emails, no duplicate emails, all looks clean.
Adrian
2015-12-21 13:20:54 UTC
If the mail server is on HostGator, it is their mail server that is getting flagged, and all customers using their service get the same treatment.

The key is the mail server itself, where it is located (IP address). It is possible HostGator is hosting some other spam web site, and that puts HostGator on the blacklists. HostGator has to clean up the user that is doing this, as it affects all their customers.
?
2016-09-18 13:58:02 UTC
It should be possible for sure

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.