• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Question eXploits Blocklist (XBL) & CSS Blocklist (CSS)

M

max2334

New Pleskian
Server operating system version
Debian 4.9
Plesk version and microupdate number
18.0.44

Why was this IP listed?​


116.202.... has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.


The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.


Technical information​


Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.


Recent connections:


(IP, UTC timestamp, HELO value)


116.202.....-10-05 03:50:00 gmail.com


Important points:


  • The HELOs are often dynamic-looking rDNS and usually claim to be from geographically very different networks OR spoofs of major brands.
  • They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
  • If the HELO does not make sense for the IP generating it, it should be looked at closely.
  • There is often more than one compromised device.
  • Guest networks should also be secured.
Click to expand...

I checked my server with ImunifyAV and delete the Wordpress site which was Hacked. But now all website are not infected. Is there any other antivirus tools, which I can use for checking my server? I have 2 IP address, one for hosting website and the other is for sending mails. I also configure it in the mail server. Could it be the issue?
Thanks for your help and suggestions.

Thanks
 
You must log in or register to reply here.

Similar threads

carlsson
Issue Really strange problem – I can't use my SMTP server intermittently
Replies
2
Views
280
carlsson
carlsson
W
Question Find source of problem sending e-mail with different HELO value
Replies
14
Views
2K
Walkum
W
A
Resolved Unwanted redirects to gmail, when receiving emails
Replies
5
Views
1K
arunda2
A
Alex Presland
Issue Emails forwarded by Plesk fail DKIM checks with certain attachments
2
Replies
21
Views
2K
Alex Presland
Alex Presland
zigojacko
Question Suddenly getting loads of 'Undelivered Mail Returned to Sender' failures from mailer-daemon
Replies
7
Views
5K
WebHostingAce
WebHostingAce
Back
Top