
Spam J-3


Myatu
29-10-2010, 17:53
Quote Originally Posted by LawsHosting
I'd love to know how we can tell if a new client will be a spammer (fake / non payment is one way to raise alarm bells, granted) - basically, no-one can, and if 1 spams and, let's say, we have ~50 on the same server with the same IP, that means the 49 will be duped.
One way is to make the spammer directly responsible for any direct/indirect costs involved. Of course this requires that you have valid contact details on file - so perhaps limiting SMTP until they have verified themselves (akin to OVH) could ensure that.

You can also run a spam filter on outgoing e-mail as well; anything that is within a certain level still goes through but you receive a warning. Anything above that level is blocked, until you approve it. One could say "well, that's sniffing/spying on e-mails!" - but the same would happen anyway on the receiving end's spam filter...

Just some suggestions...

fozl
29-10-2010, 16:23
Best to have a read of this: http://www.spamcop.net/reported.shtml

LawsHosting
29-10-2010, 15:41
We do limit emails to 250 per 24hrs (and monitor the queues frequently), which will somewhat help this issue, then when we feel they are trustworthy, lift the limit.... Saying that though, is 250 spam messages within limits with this SpamCop?
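
An added example, not code from any poster in this thread: a sketch of the outbound policy discussed here, combining the 250-per-24-hours cap for untrusted accounts with the two-level outgoing spam filter suggested in the reply above. The score thresholds, the class and method names, and the idea that a score arrives from an external filter are assumptions.

```python
from collections import defaultdict, deque

DAY = 24 * 3600
NEW_CLIENT_LIMIT = 250   # messages per rolling 24 h, the figure quoted in the thread
WARN_SCORE = 5.0         # assumption: at or above this, deliver but warn the admin
HOLD_SCORE = 10.0        # assumption: at or above this, hold until approved


class OutboundPolicy:
    """Decide what happens to each outgoing message of a hosting account."""

    def __init__(self):
        self.sent = defaultdict(deque)  # account -> timestamps of delivered mail
        self.trusted = set()            # accounts whose cap has been lifted
        self.held = []                  # (account, msg_id) waiting for approval
        self.warnings = []              # (account, msg_id, score) for review

    def trust(self, account):
        self.trusted.add(account)

    def submit(self, account, msg_id, spam_score, now):
        """spam_score comes from an outgoing content filter (assumed external)."""
        window = self.sent[account]
        # Drop deliveries that have left the rolling 24 h window.
        while window and window[0] <= now - DAY:
            window.popleft()
        if account not in self.trusted and len(window) >= NEW_CLIENT_LIMIT:
            return "deferred"           # over quota: leave it in the queue
        if spam_score >= HOLD_SCORE:
            # Held mail is not counted against the quota; it never left the server.
            self.held.append((account, msg_id))
            return "held"
        window.append(now)
        if spam_score >= WARN_SCORE:
            self.warnings.append((account, msg_id, spam_score))
            return "sent-with-warning"
        return "sent"


if __name__ == "__main__":
    policy = OutboundPolicy()
    # Constructed traffic: one new account sending 252 clean messages in a burst.
    outcomes = [policy.submit("newclient", i, 1.0, now=i) for i in range(252)]
    print(outcomes.count("sent"), "sent,", outcomes.count("deferred"), "deferred")
    print(policy.submit("newclient", 252, 12.0, now=DAY + 300))
```
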

marks
29-10-2010, 12:36
Quote Originally Posted by LawsHosting
I'd love to know how we can tell if a new client will be a spammer (fake / non payment is one way to raise alarm bells, granted) - basically, no-one can, and if 1 spams and, let's say, we have ~50 on the same server with the same IP, that means the 49 will be duped.
That would be a job for spamcop.net to decide, but you've got a point there: if it's decided that a claim is positive, the IP will be blocked from sending mails.

I see your point that there may be other licit customers sending mails using the same IP but, up to date, I don't think there is another way to block rogue servers.

The main and first person responsible to ensure the users sending emails from the server are legitimate would be the system administrator (the OVH customer). If you put professional customers and spammers to work on the same mail server, you know you're running a risk.

LawsHosting
29-10-2010, 11:04
IPs that spam will be blocked on port 25. That is, if we consider that a server sends spam, we'll stop it. All the rest of the service, including receiving emails, continues to operate.
I'd love to know how we can tell if a new client will be a spammer (fake / non payment is one way to raise alarm bells, granted) - basically, no-one can, and if 1 spams and, let's say, we have ~50 on the same server with the same IP, that means the 49 will be duped.

marks
26-10-2010, 15:20
Quote Originally Posted by Speedy059
So does this mean OVH will let the customers fix their servers instead of terminating them?
note:

The entire process will be automatic and public. Thus, we'll highlight the network of spammers (if any) but also say who OVH is currently blocking and why.
That's only for spam issues. If you have any other sort of hack, that'll go the normal process as usual.

Speedy059
25-10-2010, 13:44
So does this mean OVH will let the customers fix their servers instead of terminating them?

Myatu
24-10-2010, 19:27
Finally?!?

oles@ovh.net
24-10-2010, 18:12
example, I dunno 188.165.192.90?

http://www.senderbase.org/senderbase...188.165.192.90
http://www.spamcop.net/w3m?action=ch...88.165.195.199

804 N Sep 20 23:30:46 5217492847@repo ( 68) [SpamCop (188.165.195.199) id:5217492847]It is the chance o =?iso-88..
2327 N Sep 23 01:46:16 Sergey Gorovoy ( 61) [SpamCop (188.165.195.199) id:5220330235]Reliable online ph =?iso-88..
4196 N Sep 26 14:27:42 5225062129@repo ( 60) [SpamCop (188.165.195.199) id:5225062129]What is your healt =?iso-88..
4532 N Sep 26 19:03:02 5226070613@repo ( 79) [SpamCop (188.165.195.199) id:5226070613]Reveal the secret =?iso-88..
5182 N Sep 26 03:22:08 GMH in the Unit ( 61) [SpamCop (188.165.195.199) id:5227605200]Hi, take health pi =?iso-88..
7073 N Sep 29 10:10:04 Jay Bangle ( 64) [SpamCop (188.165.195.199) id:5231568740]Life health in you =?iso-88..
7635 N Sep 29 21:54:05 Simon Hova ( 35) [SpamCop (188.165.195.199) id:5232785775]\/\/\/NUMBER ONE ONLINE DRUG-STORE!\/\/\
9030 N Oct 01 19:41:02 Johnny Oesterga ( 69) [SpamCop (188.165.195.199) id:5236118942]Become a real expe =?iso-88..
9902 N Oct 03 20:17:35 Roanan ( 66) [SpamCop (188.165.195.199) id:5238547171]Be proud of what y =?iso-88..
13994 N Oct 08 23:33:52 Johnny Oesterga ( 69) [SpamCop (188.165.195.199) id:5247626051]Just live a full l =?iso-88..
14359 N Oct 09 02:27:38 Stephen Ermann ( 69) [SpamCop (188.165.195.199) id:5248453071]Anxiety, stress, d =?iso-88..
14468 N Oct 10 03:53:02 blackhole@abuse ( 138) ARF report from TDC regarding IP 188.165.195.199, report id 4711043
15830 N Oct 11 10:10:23 Minoru TODA ( 76) [SpamCop (188.165.195.199) id:5251407819]1
16808 N Oct 12 22:33:59 Mister Dave ( 75) [SpamCop (188.165.195.199) id:5253656555]Let them call you =?iso-88..
16809 N Oct 13 02:33:59 Mister Dave ( 61) [SpamCop (188.165.195.199) id:5253657095]Drive your problem =?iso-88..
17514 N Oct 13 10:43:56 5255286955@repo ( 81) [SpamCop (188.165.195.199) id:5255286955]Life health in you =?iso-88..
17633 N Oct 14 02:08:34 GMH in the Unit ( 61) [SpamCop (188.165.195.199) id:5255698447]Make women dream a =?iso-88..
18826 N Oct 15 07:58:29 Jay Bangle ( 64) [SpamCop (188.165.195.199) id:5258630197]Make women dream a =?iso-88..
19123 N Oct 16 11:57:28 Spam Hater ( 52) [SpamCop (188.165.195.199) id:5259895793]This is your fair =?iso-88..
19182 N Oct 16 04:56:06 Karen Bagnall ( 44) [SpamCop (188.165.195.199) id:5260183071]Your wife will nev =?iso-88..
19810 N Oct 18 01:19:06 WeFrySpam ( 65) [SpamCop (188.165.195.199) id:5262476429]What is your healt =?iso-88..
20145 N Oct 18 02:06:11 WeFrySpam ( 60) [SpamCop (188.165.195.199) id:5263711880]Let your potency d =?iso-88..
21362 N Oct 20 02:48:38 Simeon Tankard ( 65) [SpamCop (188.165.195.199) id:5266781485]Let your men?s pow =?iso-88..
22500 N Oct 21 17:23:14 blackhole@abuse ( 119) ARF report from TDC regarding IP 188.165.195.199, report id 4916609
23840 N Oct 24 12:26:55 Gankoj Samurai ( 63) [SpamCop (188.165.195.199) id:5274073894]Join those who liv =?iso-88..

and on the server:

Niglos 30683 0.0 0.0 5172 500 ? S Jun23 0:00 /usr/bin/perl inbox.pl
Niglos 30717 0.0 0.0 5172 500 ? S Jun22 0:00 /usr/bin/perl inbox.pl
Niglos 30815 0.0 0.1 4944 3460 ? Ss Oct09 0:00 /usr/bin/perl inbox.pl
Niglos 30859 0.0 0.1 5164 3788 ? S Oct09 0:00 /usr/bin/perl inbox.pl
Niglos 30952 0.0 0.0 4944 1048 ? Ss Aug28 0:00 /usr/bin/perl inbox.pl
Niglos 30953 0.0 0.1 5176 3800 ? S Oct09 0:02 /usr/bin/perl inbox.pl
Niglos 30956 0.0 0.0 4944 1048 ? Ss Aug04 0:00 /usr/bin/perl inbox.pl
Niglos 30970 0.0 0.1 4944 3460 ? Ss Oct16 0:00 /usr/bin/perl inbox.pl
Niglos 30976 0.0 0.0 4944 404 ? Ss Jun25 0:00 /usr/bin/perl inbox.pl
Niglos 30988 0.0 0.1 5172 3796 ? S Oct09 0:01 /usr/bin/perl inbox.pl
Niglos 30990 0.0 0.0 4944 1048 ? Ss Aug29 0:00 /usr/bin/perl inbox.pl
Niglos 30991 0.0 0.0 5164 500 ? S Jun25 0:00 /usr/bin/perl inbox.pl
Niglos 31027 0.0 0.0 5164 1296 ? S Aug28 0:00 /usr/bin/perl inbox.pl
Niglos 31065 0.0 0.0 5168 1324 ? S Aug28 0:00 /usr/bin/perl inbox.pl
Niglos 31071 0.0 0.0 5172 1300 ? S Aug04 0:00 /usr/bin/perl inbox.pl
Niglos 31113 0.0 0.0 4944 1048 ? Ss Aug12 0:00 /usr/bin/perl inbox.pl
Niglos 31118 0.0 0.1 5176 3800 ? S Oct16 0:00 /usr/bin/perl inbox.pl
Niglos 31166 0.0 0.1 5172 3796 ? S Oct16 0:00 /usr/bin/perl inbox.pl
Niglos 31175 0.0 0.0 4944 1048 ? Ss Aug12 0:00 /usr/bin/perl inbox.pl
Niglos 31196 0.0 0.0 5176 1332 ? S Aug29 0:00 /usr/bin/perl inbox.pl
Niglos 31234 0.0 0.0 5164 1300 ? S Aug12 0:00 /usr/bin/perl inbox.pl
Niglos 31245 0.0 0.0 5164 1296 ? S Aug12 0:00 /usr/bin/perl inbox.pl
Niglos 31266 0.0 0.0 4944 404 ? Ss Jul17 0:00 /usr/bin/perl inbox.pl

tcp 0 0 188.165.195.199:37417 89.167.219.1:25 ESTABLISHED 15160/perl
tcp 0 0 188.165.195.199:37040 89.167.219.1:25 ESTABLISHED 3616/perl
tcp 0 0 188.165.195.199:43671 89.167.219.1:25 ESTABLISHED 26116/perl
tcp 0 0 188.165.195.199:60018 89.167.219.1:25 ESTABLISHED 4571/perl
tcp 0 0 188.165.195.199:44990 89.167.219.1:25 ESTABLISHED 24511/perl
tcp 0 0 188.165.195.199:41900 89.167.219.1:25 ESTABLISHED 18319/perl
tcp 0 0 188.165.195.199:44189 210.145.113.10:25 ESTABLISHED 21621/perl
tcp 0 0 188.165.195.199:58052 89.167.219.1:25 ESTABLISHED 20858/perl
tcp 0 0 188.165.195.199:35796 89.167.219.1:25 ESTABLISHED 11028/perl
tcp 0 0 188.165.195.199:37043 89.167.219.1:25 ESTABLISHED 16731/perl
tcp 0 0 188.165.195.199:34803 89.167.219.1:25 ESTABLISHED 13643/perl
tcp 0 0 188.165.195.199:37344 89.167.219.1:25 ESTABLISHED 973/perl
tcp 0 0 188.165.195.199:58165 89.167.219.1:25 ESTABLISHED 4768/perl
tcp 0 0 188.165.195.199:49812 89.167.219.1:25 ESTABLISHED 2114/perl
tcp 0 0 188.165.195.199:58141 89.167.219.1:25 ESTABLISHED 23610/perl
tcp 0 0 188.165.195.199:36088 89.167.219.1:25 ESTABLISHED 24483/perl
tcp 0 0 188.165.195.199:57828 89.167.219.1:25 ESTABLISHED 22184/perl
tcp 0 0 188.165.195.199:42590 89.167.219.1:25 ESTABLISHED 22212/perl
tcp 0 0 188.165.195.199:51452 89.167.219.1:25 ESTABLISHED 23516/perl
tcp 0 0 188.165.195.199:48609 89.167.219.1:25 ESTABLISHED 19231/perl
tcp 0 0 188.165.195.199:48024 89.167.219.1:25 ESTABLISHED 27181/perl
tcp 0 0 188.165.195.199:38390 210.145.113.10:25 ESTABLISHED 18690/perl
tcp 0 0 188.165.195.199:54245 89.167.219.1:25 ESTABLISHED 15935/perl
tcp 0 0 188.165.195.199:56757 89.167.219.1:25 ESTABLISHED 30988/perl
tcp 0 0 188.165.195.199:38066 210.145.113.10:25 ESTABLISHED 29321/perl
tcp 0 0 188.165.195.199:35592 89.167.219.1:25 ESTABLISHED 17304/perl
tcp 0 0 188.165.195.199:38764 89.167.219.1:25 ESTABLISHED 2479/perl
tcp 0 0 188.165.195.199:34920 89.167.219.1:25 ESTABLISHED 14353/perl


[root@ns310321 root]# lsof -n |grep 21621
inbox.pl 21621 Niglos cwd DIR 9,2 4096 23093250 /home/Niglos/cgi-bin
inbox.pl 21621 Niglos rtd DIR 9,1 4096 2 /
inbox.pl 21621 Niglos txt REG 9,1 708188 41456 /usr/bin/perl
inbox.pl 21621 Niglos mem REG 9,1 90006 124422 /lib/ld-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 7867 66655 /usr/lib/perl5/5.6.0/i386-linux/auto/Sys/Hostname/Hostname.so
inbox.pl 21621 Niglos mem REG 9,1 86812 124429 /lib/libnsl-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 13966 124427 /lib/libdl-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 174032 124428 /lib/libm-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 1363451 124425 /lib/libc-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 25283 124426 /lib/libcrypt-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 95207 66496 /usr/lib/perl5/5.6.0/i386-linux/auto/POSIX/POSIX.so
inbox.pl 21621 Niglos mem REG 9,1 18333 66482 /usr/lib/perl5/5.6.0/i386-linux/auto/IO/IO.so
inbox.pl 21621 Niglos mem REG 9,1 19591 66651 /usr/lib/perl5/5.6.0/i386-linux/auto/Socket/Socket.so
inbox.pl 21621 Niglos mem REG 9,1 45283 124436 /lib/libnss_files-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 46697 124439 /lib/libnss_nisplus-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 15888 124435 /lib/libnss_dns-2.2.5.so
inbox.pl 21621 Niglos mem REG 9,1 65212 124440 /lib/libresolv-2.2.5.so
inbox.pl 21621 Niglos 0r CHR 1,3 93524 /dev/null
inbox.pl 21621 Niglos 1w REG 9,2 0 23093351 /home/Niglos/cgi-bin/sys/error.log (deleted)
inbox.pl 21621 Niglos 2w REG 9,2 0 23093351 /home/Niglos/cgi-bin/sys/error.log (deleted)
inbox.pl 21621 Niglos 3u IPv4 92836087 TCP 188.165.195.199:44189->210.145.113.10:smtp (ESTABLISHED)
inbox.pl 21621 Niglos 8u REG 9,1 1024 229927 /var/webmin/sessiondb.pag
inbox.pl 21621 Niglos 9u REG 9,1 0 229926 /var/webmin/sessiondb.dir
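
An added example, not part of the original post: the check the output above performs by eye, written as a script that reads `netstat -tnp` style lines and reports any program other than the host's mail server that holds outbound connections to remote port 25. The sample lines are constructed with documentation addresses, and the allow-list of MTA program names is an assumption to adapt per host.

```python
import re
from collections import defaultdict

# Constructed sample in `netstat -tnp` layout (RFC 5737 documentation addresses).
SAMPLE = """\
tcp 0 0 192.0.2.10:37417 198.51.100.1:25 ESTABLISHED 15160/perl
tcp 0 0 192.0.2.10:37040 198.51.100.1:25 ESTABLISHED 3616/perl
tcp 0 0 192.0.2.10:44189 203.0.113.10:25 ESTABLISHED 21621/perl
tcp 0 0 192.0.2.10:40112 198.51.100.7:25 ESTABLISHED 812/exim
tcp 0 0 192.0.2.10:22 198.51.100.9:51514 ESTABLISHED 901/sshd
tcp 0 0 192.0.2.10:25 198.51.100.9:40000 ESTABLISHED 812/exim
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 812/exim
"""

# Assumption: programs that are expected to speak SMTP outbound on this host.
ALLOWED_MTAS = {"exim", "exim4", "postfix", "smtp", "sendmail", "master"}

LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


def direct_smtp_senders(netstat_text, allowed=ALLOWED_MTAS):
    """Return {program: {"pids": set, "remotes": set}} for processes outside
    the allow-list with an established connection to a remote port 25."""
    found = defaultdict(lambda: {"pids": set(), "remotes": set()})
    for line in netstat_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["state"] != "ESTABLISHED":
            continue
        host, _, port = m["remote"].rpartition(":")
        # Only outbound SMTP counts: the remote side must be port 25.
        if port != "25" or m["prog"] in allowed:
            continue
        found[m["prog"]]["pids"].add(int(m["pid"]))
        found[m["prog"]]["remotes"].add(host)
    return dict(found)


if __name__ == "__main__":
    for prog, info in direct_smtp_senders(SAMPLE).items():
        pids = ",".join(str(p) for p in sorted(info["pids"]))
        print(f"{prog}: {len(info['pids'])} process(es) -> {sorted(info['remotes'])}")
        # Next step, as in the post: see which script and user own the sockets.
        print(f"  inspect with: lsof -n -p {pids}")
```
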

Razakel
24-10-2010, 17:05
Hello,
We are currently completing developments related
the fight against spam generated by our network. We
think we can pass mechanisms in the week.
Development was initiated 9 months ago and will take
another 2 months.

IPs that spam will be blocked on port 25 output.
That is, if we consider that a server sends
spam, we'll stop him. All the rest of the service,
including receiving emails continue to operate.

We will rely on complaints received by several
Sites like http://www.spamcop.net The customer will thus first
fix the problem on these sites out there more
problems on the IP unblocked Ovh sending emails
from the server. Meanwhile, the customer may not
not order a new server or have a new IP.

Entire process will be automatic and the public. Thus, we
highlight the network of spammers (if any)
but also say that OVH is currently blocking and why. Then
OVH that unlocks and why. Total transparency. We will
OVH is exactly what (or not) to prevent spam
part of our network.

So if you receive spam from our network, we can
not send complaints to the state but abuse@ovh.net
spam from http://www.spamcop.net ... simply. Them
we go forward and we will arrange it ...

The same methods will be used for phishing,
malware and botnets. At the same time, we should also make
public IP that are spam on our network and to
Obviously (our turn) networks that specialize
in this activity there ... Technically the code
originally written is evolving to be based on
the "cabinet tokyo" and "Kyoto" that we already use for
the proposed anti-phishing (which you could test the speed
there is approx 1 week). It only needs the "privateCloud"
for a development to go directly to prod
and we can evolve the infrastructure project
very flexible way with a few clicks ... There are still losing
time to do the "sysadmin-1999-like" ...

More:
http://fallabs.com/tokyocabinet/
http://fallabs.com/kyotocabinet/

Regards
Octave

oles@ovh.net
24-10-2010, 17:04
Hello,

We are currently completing a new development related to the fight against spam generated by our network. We think we can bring it online this week. Development was initiated 9 months ago and will take another 2 months.

IPs that spam will be blocked on port 25. That is, if we consider that a server sends spam, we'll stop it. All the rest of the service, including receiving emails, continues to operate.

We will rely on complaints received by several sites like http://www.spamcop.net. The customer will have to first fix the problem on these sites, then if there are no more problems on the IP, OVH will unblock the sending of emails from the server. Meanwhile, the customer cannot order a new server or have a new IP.

The entire process will be automatic and public. Thus, we'll highlight the network of spammers (if any) but also say who OVH is currently blocking and why. Then who OVH unblocks and why. Total transparency. You will know exactly what OVH is doing (or not) to prevent spam from our network.

So if you receive spam from our network, don't send your complaint to abuse@ovh.net but simply inform http://www.spamcop.net about the spam. They will let us know and we will take care of it ...

The same methods will be used for phishing, malware and botnets. At the same time, we should also make public the IPs that are spamming from our network and to reveal (on our turn) the networks that specialize in this activity... Technically speaking, the code originally written is evolving to be based on the "cabinet tokyo" and "kyoto" that we already use for the anti-phishing project (for which you could test the speed approx 1 week ago). It only needs the "privateCloud" for a development to go directly to prod and for evolving the infrastructure of a project very flexibly in a few clicks ... We are still losing time doing the "sysadmin-1999-like" ...

More:

http://fallabs.com/tokyocabinet/
http://fallabs.com/kyotocabinet/

Regards
Octave