• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question eXploits Blocklist (XBL) & CSS Blocklist (CSS)

M

max2334

New Pleskian
Server operating system version
Debian 4.9
Plesk version and microupdate number
18.0.44

Why was this IP listed?​


116.202.... has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.


The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.


Technical information​


Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.


Recent connections:


(IP, UTC timestamp, HELO value)


116.202.....-10-05 03:50:00 gmail.com


Important points:


  • The HELOs are often dynamic-looking rDNS and usually claim to be from geographically very different networks OR spoofs of major brands.
  • They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
  • If the HELO does not make sense for the IP generating it, it should be looked at closely.
  • There is often more than one compromised device.
  • Guest networks should also be secured.
Click to expand...

I checked my server with ImunifyAV and delete the Wordpress site which was Hacked. But now all website are not infected. Is there any other antivirus tools, which I can use for checking my server? I have 2 IP address, one for hosting website and the other is for sending mails. I also configure it in the mail server. Could it be the issue?
Thanks for your help and suggestions.

Thanks
 
You must log in or register to reply here.

Similar threads

carlsson
Issue Really strange problem – I can't use my SMTP server intermittently
Replies
2
Views
1K
carlsson
carlsson
W
Question Find source of problem sending e-mail with different HELO value
Replies
14
Views
3K
Walkum
W
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
1K
Change Maker
C
A
Resolved Unwanted redirects to gmail, when receiving emails
Replies
5
Views
2K
arunda2
A
Alex Presland
Issue Emails forwarded by Plesk fail DKIM checks with certain attachments
2
Replies
21
Views
5K
Alex Presland
Alex Presland
Back
Top