anyone familiar with SPEWS reports?
The Planet Forums > System Administration > General Support Questions
ronin
Hi,
i recently received an e-mail from abuse@rackshack.net
informing me of this:

"We received notice that a site on your server (207.44.200.14) is causing a
portion of your netblock to be black-listed in various databases:
(http://spews.org/html/S1914.html)"

The ip address of 207.44.200.14 is indeed one of mine. I looked
at the report located at the provided URL and listed next to
that ip address is the domain 1-yes.com
This is a domain that I've never heard of, so I did an nslookup
on it and sure enough it resolves to my ip address 207.44.200.14
Also, the MX record for that domain is also set to my ip address.
This isn't by my doing, however.

I spoke to someone in support today and was told that the
spam e-mails are originating from my server and that I must
be running an open relay. I don't run any mail server
software on any of my rackshack boxes, so I can't be running
an open relay. A port scan of the box reveals that only the
SSH port and HTTP (80) are open. Also, my HTTP server
is configured to serve only static HTML files, so there aren't
any mail related CGI scripts that can be exploited.

Does anyone have any suggestions on what might be going on?
I'm not familiar with SPEWS - does that report indicate that
e-mail or e-mails originated from my actual ip address?

Any help or suggestions would be greatly appreciated.

- Ronin

ps. the server is always kept up-to-date with latest patches
and latest kernel.
Phrost
You don't appear to be running an open relay, so I don't possibly see how you could be the mail exchanger for that domain if you're not even answering port 25 (SMTP). Could someone have possibly abused a form mail or CGI interface?

-Phrost
drmike
Looks more like an issue with RS's nameservers.

They're doing a look up for 1-yes.com and RS's name servers are saying that the domain points to your server.

Could you have a new server and this is left over from an earlier customer? I don't see a date in that section of the report.

1-yes.com is a spammer. google proves that.

are you sure the domain isn't on your server?

-drmike
drmike
It also appears that the entire 207.44.200 block is blocked by SPEWS thanks to customers at 207.44.200.144 and 207.44.200.3

http://spews.org/html/S2015.html

-drmike
Phrost
Gotta love SPEWS, ban the entire internet and ask questions later

-Phrost
drmike
You're in SPEWS for hosting the domain 1-yes.com, not for email relaying. Spamcop shows no relay emails or other spams.

If it's not a domain of yours or your customers, better get RS to update their DNS rather quick.

I would also make an issue about whatever tech that was at RS for not being able to understand the SPEWS report and saying that you were relaying.

-drmike
ronin
Hi,
thanks for all the responses. Here are some
answers to the questions posed.

1-yes.com is not a domain that I host on the box. Whoever
owns it has used rackshack's nameservers to point
www.1-yes.com to my server as well as set the MX record
for the domain to my server. However, since I'm not
running any mail server software, I can't see what
good setting their MX record to my server will do. I also
have no idea how long www.1-yes.com has been pointing
to my IP.

In regards to CGI scripts:
my HTTP server is configured to handle only static HTML
files. It isn't configured to handle CGI scripts at all, so there
aren't any mail related scripts that can be abused.

Since there is no date on the report, I did wonder when
the report was created. It looks like 1-yes.com was
registered on Jan 13, 2003.
I've had that server since Jan 24, 2003.

I've contacted rackshack abuse and have given them all
of this information and have also asked them to have a look
at my box. That was two days ago, just waiting to hear back.
The fellow in support that I spoke with said that they were
a little backed up and that they would get back to me as soon
as possible, so hopefully I will receive something in the next
day or two.

The only possible conclusions that I can
currently come to are:

1) SPEWS has made an error
or
2) 1-yes.com used the box prior to when I owned it and
the report dates back to then.
or
3) my box has been hacked and is being used without my
knowledge.



- Ronin
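The check the thread keeps circling around (does the listed domain's A and MX point at an IP I own, and is anything on that box actually answering SMTP?) can be scripted so the answer is not left to a support tech's reading of the report. The following is an added example, not code from the original thread or from anyone posting in it. It works on constructed text that stands in for the output of `dig +noall +answer <name> <type>` and `ss -ltn`; the record values and the listening sockets are assumptions chosen to match the situation ronin describes (A and MX at 207.44.200.14, only 22 and 80 listening), not captured data. The script distinguishes "someone pointed DNS at me" from "my box is reachable as a mail server", which is exactly the distinction the SPEWS listing and the relay accusation blur together.

```python
import re

# IPs you actually own (the one named in the abuse notice).
MY_IPS = {"207.44.200.14"}

# Constructed samples standing in for real command output (assumptions, not captured).
#   dig +noall +answer 1-yes.com A
DIG_1YES_A = "1-yes.com.\t3600\tIN\tA\t207.44.200.14\n"
#   dig +noall +answer 1-yes.com MX
DIG_1YES_MX = "1-yes.com.\t3600\tIN\tMX\t10 mail.1-yes.com.\n"
#   dig +noall +answer mail.1-yes.com A   (the MX target)
DIG_MAIL_A = "mail.1-yes.com.\t3600\tIN\tA\t207.44.200.14\n"
#   ss -ltn on the box: only SSH and HTTP listening
SS_LTN = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
"""


def parse_dig_answers(text):
    """Parse 'dig +noall +answer' lines into (owner, rrtype, rdata) tuples.

    Each answer line is: owner  ttl  class  type  rdata.  Comments and blank
    lines are skipped; rdata may contain spaces (e.g. MX preference + host).
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            continue
        records.append((parts[0], parts[3], parts[4]))
    return records


def mx_targets(records):
    """Return the MX target hostnames, dropping the preference value."""
    targets = []
    for _owner, rrtype, rdata in records:
        if rrtype == "MX":
            _pref, _sep, host = rdata.partition(" ")
            targets.append(host.strip())
    return targets


def parse_listening_ports(ss_text):
    """Return the set of TCP ports in LISTEN state from 'ss -ltn' output.

    Handles 0.0.0.0:25, [::]:25 and *:25 by taking the digits after the last colon.
    """
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = re.search(r":(\d+)$", fields[3])
        if m:
            ports.add(int(m.group(1)))
    return ports


def assess(my_ips, domain_a, domain_mx, mx_host_a, listening_ports):
    """Decide whether the domain merely points at us or can actually get mail here."""
    a_ips = {rdata for _o, t, rdata in domain_a if t == "A"}
    mx_ips = {rdata for _o, t, rdata in mx_host_a if t == "A"}
    a_here = bool(a_ips & my_ips)
    mx_here = bool(mx_ips & my_ips)
    smtp = 25 in listening_ports
    if not (a_here or mx_here):
        verdict = "not-pointed-here"
    elif not smtp:
        # DNS points at us but nothing accepts SMTP: the box cannot be the relay.
        verdict = "dns-only"
    else:
        # MX (or A) lands on us and port 25 answers: review the MTA's relay rules.
        verdict = "smtp-reachable"
    return {
        "a_points_here": a_here,
        "mx_targets": mx_targets(domain_mx),
        "mx_points_here": mx_here,
        "smtp_listening": smtp,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess(MY_IPS, parse_dig_answers(DIG_1YES_A), parse_dig_answers(DIG_1YES_MX),
                    parse_dig_answers(DIG_MAIL_A), parse_listening_ports(SS_LTN))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live box you would feed the functions the real output of `dig` and `ss` (or `netstat -ltn` on a 2003-era system) instead of the constructed strings; a "dns-only" verdict is the evidence to hand the provider, since a host with nothing listening on 25 cannot relay anything, whatever the blocklist page says about the domain. A third-party MX pointing at you is worth keeping an eye on regardless, because the moment you do start an MTA it will begin receiving that domain's mail.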