Email disabled


#1

I just got a message from dreamhost saying that they disabled my mailing for sending out more than 200 messages a day on two occasions. This confuses me because I certainly haven’t been sending out those messages, and I have no idea what they are talking about. Does anyone have any experience with this to tell me what might be causing it so that I can have my permissions restored? I’ve never had a company do this to me before and I am just horrified. I am seriously considering asking for my money back and moving somewhere else.


#2

Well, there is a chance that dreamhost is incorrect in their counting, but I doubt it. I believe the 200 per hour limit is outgoing from your website. So do you have a form mail script that’s being used a lot or has been compromised? Or a forum with a lot of members that you’re sending mass E-mails to?

If you’re not sure, double check that all your software is up-to-date and that there are no known security issues with any of it. I’m sure dreamhost told you which account has been disabled so that should help narrow things down a bit.

You’ve always got the 97 days to get your money back, but I suspect that you’ll find similar limits with other hosts - if not now, in the near future. Unfortunately this hassle is becoming more common because of all the spam going around.

–Matttail
art.googlies.net - personal website


#3

I only have one user account on my site, which has about 100 subdomains under it. So, they told me the user account, but that doesn’t narrow anything down much since all of my sites are under that one account. It could be any of them. I did ask them to help me figure out which one it is, though, because I do want to fix it.

I don’t have a forum or a newsletter, so I know it can’t be those things. They said it was 200 in 60 minutes (twice!! I’ve only had my account here for a little over a week!), and I know for a fact that I could not have done that. All my forms and scripts are up to date. I do have an image gallery, but the only email that is sent is for user activation, and there hasn’t been 200 in 60 minutes there because member growth isn’t that fast. I did just disable that step just in case, though.

And the only forms on the site that send email send them to me, and I would know if it were them if I were getting 200 emails in an hour since they would flood my email box and no one else’s. Now, none of the forms that people use to contact me work because dreamhost disabled them and that’s frustrating, you know?

Hopefully they’ll get back to me with more info so that I can fix this. I personally haven’t violated the spam policy, but I do want to fix what is.

I was at my old host for years up until a few days ago and this was never a problem there.


#4

You appear to be between a rock and the proverbial “hard place”. It can be hard to deal with this, but make no mistake: the situation you described, if you have been completely candid, sounds very much like one or more of your form processing scripts or your applications has been exploited.

It does happen; happened to me once when I, out of laziness and misplaced trust, allowed an “up to date” formmail script, used by a client who transferred to me from another host, to remain on the server.

Spammer exploited the script and punched out a bunch of emails. Very aggravating to have my email sending capability terminated when I have never sent a spam in my life. The fact is, reviewing my logs indicated the repeated hits on the formmail script, and it became obvious to me what happened.

I resolved the matter by identifying the offending code, purging it from my system, and writing a thorough and complete account of the incidents to Dreamhost Support. Given my history of “no spam”, and the identification and removal of the compromised script, they had my email back on within an hour.

Carefully review your logs for unusual activity (your “stats” page can also help, as it will often reflect the page that got “hammered”.) Between the two resources, you should be able to identify the culprit.

Having done that, you have some work to do in removing the script and repairing that functionality with a “safe” replacement. The “over 100 subdomains” does complicate things. Having no idea what functions the subdomains provide, I could not begin to guess how complicated.

FWIW, I have never had the Dreamhost “patched” formmail.cgi form handler abused, and that is the only one I use (except that one time, and I learned my lesson).

The bottom line is, someone using one of your domains, or one of your scripts that was commandeered by some pond-scum, blood-sucking-leech, asshle-muther-Fcker, piece-of-sh*t, low-life, worthless, son-of-a-bitch spammer, has run amok, and you have to find out what happened.

There is another possibility that might apply to your situation. You said you had “over 100” subdomains operating as the same user. Now, 200 mails an hour can easily be generated by a popular forum with lots of bells and whistles - something like:

In 60 minutes:

20 users sign up and get an activation email = 20 emails

10 messages are posted and generate notification emails to 20 users who asked to be emailed with new posts/info, etc = 200 emails

Total = 220 emails

This is one of the problems with the Dreamhost email “quota” - it makes it very hard to run a dynamic site if you have any significant amount of traffic and enable email notification features.

Add to that the possibility that, in your case, if each of your “over 100 subdomains” generated only 2 emails in an hour, since they are all using the same user, that user will break the 200 email per hour limit. I strongly suggest that you not run all these domains as the same user. Run each of them as their own user. It is a major pain to manage that way, but the advantages and security are significant.

That way, if one goes amok, you at least know where to start looking as that user will be the one singled out, and all your sites will not be without email if the offender is “suspended”. I am in the same boat with this, as I was around long before Dreamhost implemented this rule, and many of my domains operate as a single user. It was really convenient to do it that way, and it is a bit of a pain in the ass to go back now and make new users, reset all the file ownerships and permissions, etc., but it has to be done: I can’t have my email, or other programs operating under my users’ email, “borked” if one site breaks, is exploited, or gets reasonably popular.

The answer to what happened lies in your stats and your logs. Seek and you will find.

–rlparker


#5

Hopefully I can figure out what script it is that caused the problem so that I can fix it. I don’t run any sort of forum. And the only forms I have are for asking for site link exchanges, and I don’t get anywhere near 200 a day. Heck, 200 a year would be more like it, you know? Those forms all get sent to me, so I am able to keep tabs on how many of those are sent out.

I know it has to be some sort of script, or even the form script itself. If I can just work out what it is, though… I don’t want anyone using anything of mine for it. And I don’t want to ask to have it enabled before I’ve fixed whatever was doing it in the first place or I’ll just be back here again. Best to get it fixed before enabling email sending again. None of my sites have nearly enough visitors to hit the 200 in an hour mark.

Stats and logs, huh? I’m going to go find those in my webpanel and get to the bottom of this.

Thanks! I didn’t know that I could look in those to find out what happened (is such a novice -.-)

And, I’ll look into putting each domain on its own user account, too! So, thanks for that suggestion.


#6

I have a question for anyone who knows a little more about the site statistic information.

I am trying to find what could be the source of the spam.

When it says something like:
62 0.37% Jul/27/06 11:28 PM /forgot_passwd.php

When people go to that page to get their password mailed to them (it’s a gallery), did that ALL happen at 11:28pm? Because that could have contributed greatly to hitting the 200 emails in an hour quota.


#7

I think you are missing an important concept here. An exploited form will not behave as you, or the author, expected it to: It has been “owned” to a greater or lesser degree, and you have no idea whether or not they “get sent to you”, or “how many are sent out”.

Not to belabour the point, but, again, a single “visitor” (who exploits one of your forms to send 10, 50, 100 emails at a time via your compromised/exploited form) may be what you are dealing with here, and pumping out only 3 emails “in an hour” from each of your subdomains will result in the DH user having “sent” 300 emails. Without viewing your logs or your stats, how do you even know how many “visitors” you have?

The wiki is a better source for learning how to get at this, as your stats directory and log directories are in your “home” user space reachable by ftp (or ssh to reach the shell).

Do you use the same form handler on all your domains/subdomains? If so, point us to it and we can check to see if there are known/published exploits for it.

It might also help if you published your site’s url (or if you would rather not publish it but would like me to look at your site, just PM me with the info).

I’ll have to be honest with you though, if all your forms are for setting up link exchanges, and you are using “over 100” subdomains, you probably have a real mess on your hands. I wouldn’t be at all surprised if some “link exchange script” was set up to be backdoored for exactly this purpose by a, er, “less than honorable” SEO gamer who plasters the web with his “owned” script, and then “slams” the sites using it to send spam. It has been known to happen…

–rlparker
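One way to do the log review rlparker describes, given that the stats line quoted in #6 shows hits per page but not per hour or per client: an added example, not from the thread, that parses Apache combined-format access log lines and flags a mail-sending page that is being hammered, especially by a single client. The log lines are constructed, and treating /forgot_passwd.php as the page that sends mail is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def build_sample_log():
    """Constructed sample: one client POSTs the password-mailer 60 times in
    one minute, alongside ordinary traffic in the same hour."""
    lines = [f'203.0.113.5 - - [27/Jul/2006:23:28:{s:02d} -0700] '
             f'"POST /forgot_passwd.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"'
             for s in range(60)]
    lines += [f'198.51.100.{n} - - [27/Jul/2006:23:{n:02d}:00 -0700] '
              f'"GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
              for n in range(1, 6)]
    lines.append('198.51.100.9 - - [27/Jul/2006:23:05:00 -0700] '
                 '"POST /forgot_passwd.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return "\n".join(lines)

def parse_line(line):
    """Return (ip, timestamp, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]  # drop any query string

def hits_per_hour(log_text, mail_paths):
    """Map (path, hour) -> Counter(ip -> hits) for paths known to send mail."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in mail_paths:
            ip, ts, path = rec
            buckets[(path, ts.strftime("%Y-%m-%d %H:00"))][ip] += 1
    return buckets

def flag_abuse(buckets, per_hour_limit=200, per_ip_limit=10):
    """Flag hours where a mailer page reaches a quarter of the host's limit,
    or where one client alone accounts for an unusual number of hits."""
    findings = []
    for (path, hour), by_ip in sorted(buckets.items()):
        total = sum(by_ip.values())
        top_ip, top_hits = by_ip.most_common(1)[0]
        if total >= per_hour_limit // 4 or top_hits >= per_ip_limit:
            findings.append((path, hour, total, top_ip, top_hits))
    return findings

if __name__ == "__main__":
    for f in flag_abuse(hits_per_hour(build_sample_log(), {"/forgot_passwd.php"})):
        print("path=%s hour=%s hits=%d top_client=%s (%d hits)" % f)
```

Run it against a real access.log by reading the file instead of build_sample_log() and listing every page on the account that sends mail in mail_paths; a single client dominating one hour's hits on a mailer page is the pattern rlparker describes.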


#8

You’ve got the right idea! What “gallery” and version? That line is telling you that that page got hit 62 times, representing .37% of the traffic.

I suspect that page “sends mail”…

–rlparker


#9

Did a little googling, after visiting some of your sites, and I think I have a possible clue to your problem.

This google search indicates that the gallery you are using has some serious exposure, and indicates exploits are available. Cross-Site-Scripting, and Register Global Variables are a real exposure. One of the original advisories also indicates that patches are available from the developer via SVN.

I have no personal knowledge of what was involved in the decision, but DreamHost has chosen a different gallery for its “oneclick” install system, which kinda makes me think DreamHost feels that choice is more secure.

The application you are using, while a really neat gallery, has a long history of being hacked/patched/hacked again and so on.

Your last message, and the circumstance detailed in the google search, makes me suspect that your problem may be related. Of course, I could be completely wrong, as I can’t see your logs or stats, but I thought you should know about the above.

–rlparker