Email disabled

Posted by: morbidromantic
Posted on: 2006-07-29 18:58:00

I just got a message from dreamhost saying that they disabled my mailing for sending out more than 200 messages a day on two occasions. This confuses me because I certainly haven't been sending out those messages, and I have no idea what they are talking about. Does anyone have any experience with this to tell me what might be causing it so that I can have my permissions restored? I've never had a company do this to me before and I am just horrified. I am seriously considering asking for my money back and moving somewhere else.

Re: Email disabled

Posted by: matttail
Posted on: 2006-07-29 19:54:00

Well, there is a chance that dreamhost is incorrect in their counting, but I doubt it. I believe the 200 per hour limit is outgoing from your website. So do you have a form mail script that's being used a lot or has been compromised? Or a forum with a lot of members that you're sending mass E-mails to?

If you're not sure, double check that all your software is up-to-date and that there are no known security issues with any of it. I'm sure dreamhost told you which account has been disabled so that should help narrow things down a bit.

You've always got the 97 days to get your money back, but I suspect that you'll find similar limits with other hosts - if not now, in the near future. Unfortunately this hassle is becoming more common because of all the spam going around.



--Matttail
art.googlies.net - personal website

Re: Email disabled

Posted by: morbidromantic
Posted on: 2006-07-29 20:33:00

I only have one user account on my site, which has about 100 subdomains under it. So, they told me the user account, but that doesn't narrow anything down much since all of my sites are under that one account. It could be any of them. I did ask them to help me figure out which one it is, though, because I do want to fix it.

I don't have a forum or a newsletter, so I know it can't be those things. They said it was 200 in 60 minutes (twice!! -- I've only had my account here for a little over a week!), and I know for a fact that I could not have done that. All my forms and scripts are up to date. I do have an image gallery, but the only email that is sent is for user activation, and there hasn't been 200 in 60 minutes there because member growth isn't that fast. I did just disable that step just in case, though.

And the only forms on the site that send email send them to me, and I would know if it were them if I were getting 200 emails in an hour since they would flood my email box and no one else's. Now, none of the forms that people use to contact me work because dreamhost disabled them and that's frustrating, you know?

Hopefully they'll get back to me with more info so that I can fix this. I personally haven't violated the spam policy, but I do want to fix what is.

I was at my old host for years up until a few days ago and this was never a problem there.

Re: Email disabled

Posted by: rlparker
Posted on: 2006-07-29 22:16:00

You appear to be between a rock and the proverbial "hard place". It can be hard to deal with this, but make no mistake: the situation you described, if you have been completely candid, sounds very much like one or more of your form processing scripts or your applications has been exploited.

It *does* happen; happened to me *once* when I, out of laziness and misplaced trust, allowed an "up to date" formmail script, used by a client who transferred to me from another host, to remain on the server.

Spammer exploited the script and punched out a bunch of emails. Very aggravating to have my email sending capability terminated when I have *never* sent a spam in my life. The fact is, reviewing my logs indicated the repeated hits on the formmail script, and it became obvious to me what happened.

I resolved the matter by identifying the offending code, purging it from my system, and writing a thorough and complete account of the incidents to Dreamhost Support. Given my history of "no spam", and the identification and removal of the compromised script, they had my email back on within an hour.

*Carefully* review your logs for unusual activity (your "stats" page can also help, as it will often reflect the page that got "hammered".) Between the two resources, you should be able to identify the culprit.

Having done that, you have some work to do in removing the script and repairing that functionality with a "safe" replacement. The "over 100 subdomains" does complicate things. Having no idea what functions the subdomain provide, I could not begin to guess how complicated.

FWIW, I have *never* had the Dreamhost "patched" formmail.cgi form handler abused, and that is the only one I use (except that one time, and I learned my lesson).

The bottom line is, someone using one of your domains, or one of your scripts that was commandeered by some pond-scum, blood-sucking-leech, assh*le-muther-F*cker, piece-of-sh*t, low-life, worthless, son-of-a-bitch spammer, has run amok, and *you* have to find out what happened.

There is another possibility that might apply to your situation. You said you had "over 100" subdomains operating as the same user. Now, 200 mails an hour can *easily* be generated by a popular forum with lots of bells and whistles - something like:

In 60 minutes:

20 users sign up and get an activation email = 20 emails

10 messages are posted and generate notification emails to 20 users who asked to be emailed with new posts/info, etc = 200 emails

Re: Email disabled

Posted by: morbidromantic
Posted on: 2006-07-30 01:16:00

Hopefully I can figure out what script it is that caused the problem so that I can fix it. I don't run any sort of forum. And the only forms I have are for asking for site link exchanges, and I don't get anywhere near 200 a day. Heck, 200 a year would be more like it, you know? Those forms all get sent to me, so I am able to keep tabs on how many of those are sent out.

I know it has to be some sort of script, or even the form script itself. If I can just work out what it is, though... I don't want anyone using anything of mine for it. And I don't want to ask to have it enabled before I've fixed whatever was doing it in the first place or I'll just be back here again. Best to get it fixed before enabling email sending again. None of my sites have nearly enough visitors to hit the 200 in an hour mark.

Stats and logs, huh? I'm going to go find those in my webpanel and get to the bottom of this.

Thanks! I didn't know that I could look in those to find out what happened (*is such a novice* -.-)

And, I'll look into putting each domain on its own user account, too! So, thanks for that suggestion.

Re: Email disabled

Posted by: morbidromantic
Posted on: 2006-07-30 01:42:00

I have a question for anyone who knows a little more about the site statistic information.

I am trying to find what could be the source of the spam.

When it says something like:
62 0.37% Jul/27/06 11:28 PM /forgot_passwd.php

When people go to that page to get their password mailed to them (it's a gallery), did that ALL happen at 11:28pm? Because that could have contributed greatly to hitting the 200 emails in an hour quota.

Re: Email disabled

Posted by: rlparker
Posted on: 2006-07-30 01:56:00

In reply to:

And the only forms I have are for asking for site link exchanges, and I don't get anywhere near 200 a day. Heck, 200 a year would be more like it, you know? Those forms all get sent to me, so I am able to keep tabs on how many of those are sent out.


I think you are missing an important concept here. An exploited form *will not* behave as you, or the author, expected it to: It has been "owned" to a greater or lesser degree, and you have *no idea* whether or not they "get sent to you", or "how many are sent out".

In reply to:

None of my sites have nearly enough visitors to hit the 200 in an hour mark


Not to belabour the point, but, again, a single "visitor" (who exploits one of your forms to send 10, 50, 100 emails *at a time* via your compromised/exploited form) may be what you are dealing with here, and pumping out *only* 3 emails "in an hour" from each of your subdomains will result in the DH user having "sent" 300 emails. Without viewing your logs or your stats, how do you even know how many "visitors" you have?

In reply to:

Stats and logs, huh? I'm going to go find those in my webpanel and get to the bottom of this.


The wiki is a better source for learning how to get at this, as your stats directory and log directories are in your "home" user space reachable by ftp (or ssh to reach the shell).

Do you use the same form handler on all your domains/subdomains? If so, point us to it and we can check to see if there are known/published exploits for it.

It *might* also help if you published your site's url (or if you would rather not publish it but would like me to look at your site, just PM me with the info).

I'll have to be honest with you though, if all your forms are for setting up link exchanges, and you are using "over 100" subdomains, you probably have a real mess on your hands. I wouldn't be *at all* surprised if some "link exchange script" was set up to be backdoored for exactly this purpose by a, er, "less than honorable" SEO gamer who plasters the web with his "owned" script, and then "slams" the sites using it to send spam. It has been known to happen...

--rlparker
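The log review rlparker describes above (the form handler that got "hammered", a single visitor triggering mail in bursts, the host's 200-per-hour limit) as an added example, not code from this thread or from DreamHost: it parses constructed Apache combined-format access log lines and counts POSTs to assumed mail-sending paths per hour, per path and per client address. The log layout, paths and client IPs are assumptions made for the sample.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" access-log layout (an assumption about the host's log format).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+')

# Constructed sample: one client hammers the gallery's password-reset page and a
# contact-form handler inside a single hour; two ordinary requests are mixed in.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [27/Jul/2006:23:28:{i % 60:02d} -0700] '
     f'"POST /forgot_passwd.php HTTP/1.0" 200 512' for i in range(62)]
    + [f'203.0.113.7 - - [27/Jul/2006:23:{30 + i // 60}:{i % 60:02d} -0700] '
       f'"POST /cgi-bin/contact.cgi HTTP/1.0" 200 88' for i in range(150)]
    + ['198.51.100.5 - - [27/Jul/2006:23:31:10 -0700] "GET /index.html HTTP/1.1" 200 2048',
       '198.51.100.9 - - [27/Jul/2006:23:45:01 -0700] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 88']
)
MAIL_PATHS = ("/forgot_passwd.php", "/cgi-bin/contact.cgi")  # assumed mail-sending endpoints


def parse(line):
    """Return (ip, hour_bucket, method, path), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts.replace(minute=0, second=0), m["method"], m["path"]


def mail_requests_per_hour(log_text, mail_paths=MAIL_PATHS):
    """Count POSTs to mail-sending paths per hour, per (hour, path) and per (hour, ip)."""
    per_hour, per_path, per_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] not in mail_paths:
            continue
        ip, hour, _, path = rec
        per_hour[hour] += 1
        per_path[(hour, path)] += 1
        per_client[(hour, ip)] += 1
    return per_hour, per_path, per_client


def flag_abuse(log_text, hourly_limit=200, client_limit=20):
    """Hours over the host's sending limit, and (hour, ip) pairs where one client alone
    triggered client_limit or more mail-sending requests: the hammered script's source."""
    per_hour, _, per_client = mail_requests_per_hour(log_text)
    over = {h for h, n in per_hour.items() if n > hourly_limit}
    hammering = {(h, ip) for (h, ip), n in per_client.items() if n >= client_limit}
    return over, hammering
```

On the sample, the hour 23:00 bucket holds 213 mail-triggering POSTs, 212 of them from one address, which is the pattern to look for before asking for sending to be re-enabled.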



Re: Email disabled

Posted by: rlparker
Posted on: 2006-07-30 02:02:00

You've got the right idea! What "gallery" and version? That line is telling you that that page got hit 62 times, representing .37% of the traffic.

I suspect that page "sends mail"...

--rlparker

Re: Email disabled

Posted by: rlparker
Posted on: 2006-07-30 03:12:00

Did a little googling, after visiting some of your sites, and I think I have a possible clue to your problem.

This google search indicates that the gallery you are using has some serious exposure, and indicates exploits are available. Cross-Site-Scripting, and Register Global Variables are a *real* exposure. One of the original advisories also indicates that patches are available from the developer via SVN.

I have no personal knowledge of what was involved in the decision, but DreamHost has chosen a different gallery for its "oneclick" install system, which kinda makes me think DreamHost feels that choice is more secure.

The application you are using, while a really neat gallery, has a long history of being hacked/patched/hacked again and so on.

Your last message, and the circumstance detailed in the google search, makes me suspect that your problem may be related. Of course, I could be completely wrong, as I can't see your logs or stats, but I thought you should know about the above.

--rlparker


Edited by rlparker on 07/30/06 03:19 AM (server time).
