• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question eXploits Blocklist (XBL) & CSS Blocklist (CSS)

M

max2334

New Pleskian
Server operating system version
Debian 4.9
Plesk version and microupdate number
18.0.44

Why was this IP listed?​


116.202.... has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.


The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.


Technical information​


Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.


Recent connections:


(IP, UTC timestamp, HELO value)


116.202.....-10-05 03:50:00 gmail.com


Important points:


  • The HELOs are often dynamic-looking rDNS and usually claim to be from geographically very different networks OR spoofs of major brands.
  • They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
  • If the HELO does not make sense for the IP generating it, it should be looked at closely.
  • There is often more than one compromised device.
  • Guest networks should also be secured.
Click to expand...

I checked my server with ImunifyAV and delete the Wordpress site which was Hacked. But now all website are not infected. Is there any other antivirus tools, which I can use for checking my server? I have 2 IP address, one for hosting website and the other is for sending mails. I also configure it in the mail server. Could it be the issue?
Thanks for your help and suggestions.

Thanks
 
You must log in or register to reply here.

Similar threads

carlsson
Issue Really strange problem – I can't use my SMTP server intermittently
Replies
2
Views
1K
carlsson
carlsson
W
Question Find source of problem sending e-mail with different HELO value
Replies
14
Views
4K
Walkum
W
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
2K
Change Maker
C
A
Resolved Unwanted redirects to gmail, when receiving emails
Replies
5
Views
2K
arunda2
A
Alex Presland
Issue Emails forwarded by Plesk fail DKIM checks with certain attachments
2
Replies
21
Views
6K
Alex Presland
Alex Presland
Back
Top