IP Reputation Clean up -- ?

Discussion in 'Mail Server Support' started by Big Dan, Oct 3, 2015.

  1. Big Dan
    Hi Guys,

    A few weeks ago I moved a client's WordPress install over to my server. It was badly infected. I thought I got rid of all the hacked scripts but I didn't. It sent out ~10k emails before I caught the bad scripts and trashed them.

    Now mail sent from my server ends up in people's spam folder. Just last night a friend informed me that my email went directly to Gmail's spam folder even though I'm on his contact list.

    According to MX Toolbox I'm not on any blacklists (https://mxtoolbox.com/SuperTool.aspx?action=blacklist:107.182.166.86), so why does my email go to spam? Well, I know why, but how do I fix it?
     


  2. popowich
    The overall reputation of your IP address matters more than a simple blacklist check:

    https://senderscore.org/lookup.php?lookup=107.182.166.86

    17 is terrible. You need to get that back over 80. It looks like you had a great score in the 90s until around 3 weeks ago.

    From the graph it appears you're still suffering from bursts of spam from your IP address.

    Who is responsible for keeping that WordPress up to date? If it's the client, I recommend you have them get their own web hosting so your sites don't suffer when their site isn't kept up to date.
     

  3. Big Dan
    Hi Ray,

    Thanks for the reply. I apologize for not responding sooner. I wound up just dumping the server and getting a new one with new IPs, partly because of this issue and partly because I'd had a tech work on installing ffmpeg: they left files strewn all over the place and it never worked. I wanted a fresh start.

    Anyhow, I'm responsible for maintaining the WP install. If I don't manage it, I won't host it. You cannot depend on clients to be vigilant about updates. In the past year I've updated a couple of WP installs that were still running 2.x!

    Once I caught the email issue I went through every folder in the account and found several PHP scripts with base64 encoding in the uploads folder. I neglected to check the wp-content/uploads folder when I did the original cleanup. I rarely check /uploads as it's usually just pictures, but this infection was particularly nasty. It placed PHP scripts named similarly to WP's scripts all over the account (hard to detect), in addition to randomly named scripts which were easier to pick out. I wound up dumping all PHP files and manually uploading clean WP, plugin, and theme files. I had no problems after the more aggressive cleanup.

    Finally, I moved this particular guy to a reseller account I have at a pretty awesome host. They have very strict email and abuse policies. I'm sure if there were still spam going out they would've been on my case by now.
     
  4. popowich
    Contact me offline when they come up and I'll start walking you through Linux SA types of tasks. Any interest in being connected with a WP install/security type and trying to pick up more work?
     
  5. Big Dan
    Thanks Ray. I appreciate the offer. I'm sure I'll be dropping you a line in the near future. My biggest issue is fear of the unknown. I really don't know a whole lot about Yum and have read quite a few horror stories of dependency hell with Red Hat. I'm also not as confident installing packages on a server. Someone's always trying to exploit public servers, and if I miss a config setting somewhere, who knows what back doors I'm inviting hackers through. Maybe it's time I set up a Fedora VM to play with locally just to get confident with Yum.

    At the same time, I'm very familiar with aptitude from using Ubuntu and am reasonably proficient with it, but would still be a little hesitant mucking with it server side due to hackers.

    Definitely on the WP security deal. I'll shoot you a message with how I've been operating.
     
