pioneerx01 Posted December 21, 2015

I am running a registration website where users receive an email confirmation after successful registration. About 4000 registrations/emails per year. Only after a real "human" registration is submitted does a confirmation email go out. I receive 0 spam/bot registrations. Nowhere on my site will you find a page where anyone can just enter an email address and receive an email without email and "human" verification. I have a Business Plan from HostGator and a dedicated IP address. I am using Swift Mailer, and I had been using it for years with no issues until now. Emails are sent from an email address under my domain (confirmation@my_domain.com) and not through a third-party email client.

On Dec 1st, 2015 I got my first email bounce stating that my IP is on the Spamhaus list. I did some research and found that my HostGator account did not have SPF enabled, so I enabled it (DKIM was on). I removed the IP address from the Spamhaus list, but 12 days later I got another bounced email and I am on the list again. The CBL utility states:

"It (IP) shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet. This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it's participating in a botnet."

I am not sure what to do about this, as this is a web hosting server. All the results I got in regards to "kelihos" were related to business networks and individual computers being compromised. Any ideas on how I can go about fixing this would be appreciated. I am relatively new at all this, so use small words.

Thanks
-Peter
requinix Posted December 21, 2015

Apparently it's ongoing, which helps. Add some code that will log every time an email is sent. Include at least the date sent, subject line, recipient, and visitor's IP address. Wait a couple of days and check the logs to see if it's sending emails that it shouldn't be. Because odds are that (if it's truly sending emails, then) there's some sort of exploit, or another tactic, where someone can cause an email to be sent. For sure someone could abuse the registration system to send an email to anyone, but they couldn't hijack it for spam emails, so it's not really worth the effort.
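One way to do the logging requinix describes, written here as an added example rather than code from the thread: a small wrapper around the Swift Mailer `send()` call that appends one audit line per send (date, visitor IP, calling script, To/Cc/Bcc, sent count, failed recipients, subject), plus a review helper that tallies the log per recipient and per IP so an unexpected sender or address stands out. It assumes Swift Mailer 5.x loaded through `vendor/autoload.php` and a log path outside `public_html`; both paths and the `USERNAME` placeholder are assumptions.

```php
<?php
// Added example (not from the thread): audit-log every Swift Mailer send.
// Assumes Swift Mailer 5.x via Composer and a log file outside the web root.
require_once 'vendor/autoload.php';

define('MAIL_AUDIT_LOG', '/home/USERNAME/mail-audit.log'); // assumed path, not under public_html

/** Flatten Swift's address arrays (email => name) into "a@x.com,b@y.com". */
function formatAddresses($addresses)
{
    if (empty($addresses)) {
        return '-';
    }
    return implode(',', array_keys($addresses));
}

/**
 * Send a message and append one audit line per send attempt.
 * Records date, visitor IP, triggering script, To/Cc/Bcc, sent count,
 * failed recipients and subject, tab-separated.
 */
function sendAndLog(Swift_Mailer $mailer, Swift_Message $message, $visitorIp, $logFile = MAIL_AUDIT_LOG)
{
    $failed = array();
    $sent = $mailer->send($message, $failed);

    $fields = array(
        date('c'),
        $visitorIp !== null ? $visitorIp : '-',
        isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : 'cli',
        formatAddresses($message->getTo()),
        formatAddresses($message->getCc()),
        formatAddresses($message->getBcc()),
        (int) $sent,
        empty($failed) ? '-' : implode(',', $failed),
        // Subject is the only free-form field, so it goes last with whitespace normalised.
        str_replace(array("\t", "\n", "\r"), ' ', (string) $message->getSubject()),
    );
    file_put_contents($logFile, implode("\t", $fields) . "\n", FILE_APPEND | LOCK_EX);

    return $sent;
}

/**
 * Review helper: count sends per To-recipient and per visitor IP.
 * A recipient or IP with far more sends than a real registrant would cause
 * is the thing to look for in the log.
 */
function summarizeAuditLog($logFile = MAIL_AUDIT_LOG)
{
    $byRecipient = array();
    $byIp = array();
    $lines = @file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return array('recipients' => $byRecipient, 'ips' => $byIp);
    }
    foreach ($lines as $line) {
        $f = explode("\t", $line);
        if (count($f) < 9) {
            continue; // malformed line, skip it
        }
        foreach (explode(',', $f[3]) as $addr) {
            $byRecipient[$addr] = isset($byRecipient[$addr]) ? $byRecipient[$addr] + 1 : 1;
        }
        $byIp[$f[1]] = isset($byIp[$f[1]]) ? $byIp[$f[1]] + 1 : 1;
    }
    arsort($byRecipient);
    arsort($byIp);
    return array('recipients' => $byRecipient, 'ips' => $byIp);
}

// Usage inside the registration email script (names are assumptions):
// $mailer  = Swift_Mailer::newInstance(Swift_SmtpTransport::newInstance('localhost', 25));
// $message = Swift_Message::newInstance('Registration confirmed')
//     ->setFrom(array('confirmation@my_domain.com' => 'Registration'))
//     ->setTo(array($registrantEmail))
//     ->setBcc(array('archive@my_domain.com'))
//     ->setBody($bodyText);
// sendAndLog($mailer, $message, $_SERVER['REMOTE_ADDR']);
//
// Review later from a CLI or admin-only script:
// print_r(summarizeAuditLog());
```

The log lives outside the web root so a visitor cannot read it, and the tab-separated layout keeps it easy to sort or grep. If the site's own sends all show up here while the outbound spam does not, the spam is not coming through this script, which is the question requinix is asking.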
pioneerx01 (Author) Posted December 21, 2015 (edited)

Here is the way I have it set up: Registration needs to be submitted to the database first. All user (POST) info is checked, screened and validated. I have not received a "fake" registration in years. If the registration is submitted successfully, the email script gets called and a registration ID (last ID) gets passed to it. The email script queries the registration record based on the ID provided; if one is found, it sends the email to the email addresses that were submitted with the registration only. Every time an email is sent, it is also BCC'd to an "archive" account at the same time. I have been scanning through the archive email account and there is no funny business going on. No fake info, no fake emails, no duplicate emails, all looks clean.

Edited December 21, 2015 by pioneerx01
requinix Posted December 21, 2015

Have you checked whether the server itself was compromised? Somebody is running their own code on it which is blasting emails?
pioneerx01 (Author) Posted December 21, 2015

This is where I show how new I am to this. How would I go about doing that?
requinix Posted December 21, 2015

Pretty straightforward: look at all the files on the server and see if there are any that don't belong. Files you didn't put there yourself. It's also possible that existing files were modified, not just new ones created. As you're looking through everything, keep an eye on the modification times and consider whether they match up with when you last modified them yourself.
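A way to make that file review manageable when you edit many files yourself, as an added example and not code from the thread: a PHP script (usable on shared hosting where there may be no shell) that hashes every file under the web root into a manifest, saves it outside `public_html`, and on later runs reports files that were added, modified or removed, files touched since a date you give, and script files sitting in directories that normally hold only uploads or images. The `WEB_ROOT`, `MANIFEST_FILE` and `USERNAME` values are assumptions; the heuristics are a starting point, not a full scanner.

```php
<?php
// Added example (not from the thread): SHA-256 manifest of the web root,
// diffed against a saved baseline so changed or new files stand out.
define('WEB_ROOT', '/home/USERNAME/public_html');             // assumed
define('MANIFEST_FILE', '/home/USERNAME/site-manifest.json'); // assumed, outside the web root

/** Walk $root recursively; return path => array(sha256, mtime) for every regular file. */
function buildManifest($root)
{
    $manifest = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $manifest[$path] = array(
            'sha256' => hash_file('sha256', $path),
            'mtime'  => $file->getMTime(),
        );
    }
    ksort($manifest);
    return $manifest;
}

function saveManifest(array $manifest, $file = MANIFEST_FILE)
{
    file_put_contents($file, json_encode($manifest), LOCK_EX);
}

function loadManifest($file = MANIFEST_FILE)
{
    $data = @file_get_contents($file);
    return $data === false ? null : json_decode($data, true);
}

/** Compare baseline vs current; return added / modified / removed path lists. */
function diffManifests(array $baseline, array $current)
{
    $modified = array();
    foreach (array_intersect_key($current, $baseline) as $path => $entry) {
        if ($entry['sha256'] !== $baseline[$path]['sha256']) {
            $modified[] = $path;
        }
    }
    return array(
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'modified' => $modified,
        'removed'  => array_keys(array_diff_key($baseline, $current)),
    );
}

/** Files whose mtime is on or after $since (any strtotime() string, e.g. '2015-12-01'). */
function modifiedSince(array $manifest, $since)
{
    $cutoff = strtotime($since);
    $hits = array();
    foreach ($manifest as $path => $entry) {
        if ($entry['mtime'] >= $cutoff) {
            $hits[$path] = date('Y-m-d H:i:s', $entry['mtime']);
        }
    }
    return $hits;
}

/** Simple heuristic: executable scripts inside upload/image/cache/tmp directories rarely belong there. */
function suspiciousPaths(array $manifest)
{
    $hits = array();
    foreach ($manifest as $path => $entry) {
        if (preg_match('#/(uploads?|images?|img|cache|tmp)/#i', $path)
            && preg_match('/\.(php\d?|phtml|phar)$/i', basename($path))) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Run from the command line or an admin-only script. First run stores the baseline;
// later runs report what changed since then.
$current  = buildManifest(WEB_ROOT);
$baseline = loadManifest();
if ($baseline === null) {
    saveManifest($current);
    echo "Baseline stored for " . count($current) . " files.\n";
} else {
    print_r(diffManifests($baseline, $current));
    print_r(modifiedSince($current, '2015-12-01')); // date of the first bounce in the thread
    print_r(suspiciousPaths($current));
}
```

Keep the manifest outside the web root and take the baseline from a copy of the site you trust (a fresh deploy from your own files is best); re-save it only after you have reviewed every reported change. Nothing here replaces the host's own malware scan, but it turns "look at every file" into a short list of files that actually differ.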
pioneerx01 (Author) Posted December 21, 2015

Well, that is going to be problematic. I have many files that were modified in the last month by me alone. Going through all of them will take time. I do have SiteLock on the server and so far it has come up empty.

Side note: I have gone through the raw FTP access logs and there are only my IP addresses listed. Also I have refreshed the Spamhaus blacklist and I am no longer listed as blocked. I did not click to have my IP removed (whitelisted). Could it be that it was somehow done automatically? As far as I know it does not. I was playing around with settings on the server though.

Well, I am going to table this for now. Maybe I will revisit in two weeks if I get blacklisted again. Thanks for the info. Have a nice holiday.