Google Archives - sascha.us
https://sascha.us/tag/google/
Sascha Endlicher M.A.'s thoughts and rants

cPanel: why /etc/relayhosts is not necessarily evil
https://sascha.us/blog/geek-stuff/cpanel-why-etcrelayhosts-is-not-necessarily-evil/
Fri, 26 Nov 2010 22:49:24 +0000

Last week one of our customers hired a new webmaster. The new webmaster noticed that one of the dedicated IP addresses assigned to his virtual private server was listed on ips.backscatterer.org.
Of course, the first thing you probably do when you find out that you are blacklisted is: panic!
The train of thought associated with this is probably close to this:
“Oh no, I have been blacklisted.”
“Someone must have sent spam from my website.”
“I didn’t send spam and none of my users would!”
“The spam was sent without our approval.”
“Someone must have hacked the server.”

Well, in most cases there is some truth to this. A lot of servers are poorly managed (if anyone cares at all) and a lot of the spam that knocks on our doors comes from hijacked web servers.

Not in this case. The customer was apparently not aware that you can get blacklisted by ips.backscatterer.org for running an auto responder on just one of your email accounts.

The problem with this is that auto responders are very popular and widely used in corporate environments. If we follow Google’s KNOL, we might be convinced that they are cool. Since there are a lot of auto responders out there, backscatterer.org is quite busy blacklisting a lot of IP ranges of service providers who allow their users to have auto responders. As I write this blog post, 154151 IP addresses have been blacklisted by their service.

You might wonder why backscatterer.org blocks auto responders in the first place. Well, they try to explain it on their website and whilst they have a few good points, I will leave it up to you to make up your mind on whether auto responders are good for your domain’s users or not. Aside from their decision to block servers using auto responders, this is apparently a lucrative venture for the company behind backscatterer.org. Once blacklisted, you either need to wait 4 weeks to be de-listed or pay a charge of € 75 (a little bit above $100) for an expedited delisting. If you decide that you want to pay, you may wonder who you’re going to do business with. One of the people behind backscatterer.org identifies himself as Claus von Wolfhausen, an apparently highly controversial figure.

Anyway, my point is that our customer got blacklisted for allowing his users to use auto responders, but due to a panic attack, he thought his server was compromised. It’s never a good idea to act when you are panicking.

So our customer logged in to his server and found the /etc/relayhosts file. He found IP addresses from third party service providers in the file and came to the conclusion that a hacker must have added the IP addresses to the file so that he could relay messages through his VPS.

Whilst this might be a viable conclusion, our customer didn’t do further research to make his case. It was so easy though:

The IP addresses in the relayhosts file are added automatically by antirelayd, a cPanel daemon. It checks /var/log/maillog for POP3 or IMAP logins and keeps track of valid ones for use with SMTP relaying.
POP before SMTP or SMTP after POP is a method of authorization that allows users to send e-mail from any location, as long as they can demonstrably also fetch their mail from the same place.
The IPs in the relayhosts file are automatically removed from the list after a while.

I looked up the suspicious IP addresses he had listed in /var/log/maillog and suggested that he might want to disable POP before SMTP after he gave his users enough time to make the required changes in their clients.
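
The cross-check described above, as an added example that is not part of the original post: for every IP in /etc/relayhosts, look for the successful POP3 or IMAP login in the mail log that explains it. The Dovecot-style log line format, the one-IP-per-line relayhosts layout, and all sample addresses and mailboxes are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Dovecot-style login line; adjust the pattern for your POP3/IMAP daemon.
LOGIN_RE = re.compile(
    r"(?P<proto>pop3|imap)-login: Login: user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<ip>[0-9a-fA-F.:]+)"
)

def logins_by_ip(maillog_lines):
    """Map each client IP to the (protocol, mailbox) pairs that logged in from it."""
    seen = defaultdict(set)
    for line in maillog_lines:
        m = LOGIN_RE.search(line)
        if m:  # failed or aborted logins do not match and are ignored
            seen[m.group("ip")].add((m.group("proto"), m.group("user")))
    return seen

def audit_relayhosts(relayhosts_lines, maillog_lines):
    """Return (explained, unexplained) for the IPs listed in relayhosts."""
    seen = logins_by_ip(maillog_lines)
    explained, unexplained = {}, []
    for raw in relayhosts_lines:
        ip = raw.strip()
        if not ip or ip.startswith("#"):
            continue
        if ip in seen:
            explained[ip] = sorted(seen[ip])
        else:
            unexplained.append(ip)
    return explained, unexplained

# Constructed sample data (documentation address ranges, made-up mailboxes).
SAMPLE_RELAYHOSTS = ["203.0.113.7", "198.51.100.23", "192.0.2.99"]
SAMPLE_MAILLOG = [
    "Nov 26 10:15:02 vps dovecot: pop3-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
    "Nov 26 10:16:40 vps dovecot: imap-login: Login: user=<bob@example.com>, "
    "method=PLAIN, rip=198.51.100.23, lip=192.0.2.10",
    "Nov 26 10:17:05 vps dovecot: pop3-login: Aborted login (auth failed, "
    "1 attempts): user=<bob@example.com>, rip=192.0.2.99, lip=192.0.2.10",
]

if __name__ == "__main__":
    explained, unexplained = audit_relayhosts(SAMPLE_RELAYHOSTS, SAMPLE_MAILLOG)
    for ip, who in explained.items():
        print(ip, "explained by", who)
    for ip in unexplained:
        print(ip, "has no successful POP3/IMAP login in this log: investigate")
```

An IP reported as unexplained is not proof of tampering: the matching login may sit in a rotated log file, so check those before drawing conclusions.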

By the way, if you have come to this page because you were looking for a way to disable antirelayd, here we go:

You can either disable it in the Service Configuration section under Service Manager of WHM or by running the following command via shell:

/usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd

If you want to double check in shell that it has been disabled, try this:

grep Antirelay /usr/local/cpanel/logs/tailwatchd_log

Watch out for a line that says:

Cpanel::TailWatch::Antirelayd was successfully disabled

Alternatively, you can check the status of the tailwatchd process as follows:

/usr/local/cpanel/bin/tailwatchd --status


Digging your own internet grave
https://sascha.us/blog/geek-stuff/digging-your-own-internet-grave/
Wed, 17 Mar 2010 17:14:35 +0000

Now, what a title for a blog relaunch.

Though my blog is supposed to have a few rants, I rarely have the feeling that I have to get on it to complain about something.

Today however, I witnessed the most stupid business decision ever.

I happened to provide search engine optimization services for a plastic surgeon living a few miles just outside of Boston, Massachusetts. My customer was not very internet-savvy and she was used to delegating internet-related tasks to other people. Her own website was in fact made by one of her patients/clients at the beginning of this millennium. So this former client even paid for her domain registration fees and they had the domain registered through GoDaddy. Can you see where this is going? Yes, right, I have been there, done that too many times: she lost contact with the person who registered the domain for her, the person in turn forgot to renew the domain and whoops, the website was offline. That alone is bad, especially when you consider GoDaddy’s horrible customer support. What made it even worse was that she had a Google ad campaign running at that time and Google delivered tons of ads that led… yes, straight to internet nirvana.

Eventually, she noticed that she was paying for an ad campaign, but didn’t get any new referrals. The weeks after this incident were a nightmare. GoDaddy was ridiculously slow and unwilling in helping her to get the domain name back online (were they hoping to collect the redemption fees?). Google punished her domain name so badly that she lost her PageRank, but she couldn’t even run new ad campaigns without having to pay a minimum of $10 per click. In 9 years of search engine marketing and optimization, I have never witnessed something like that.

So once the domain name was finally renewed, we moved it to our registration service for her. I ended up spending hours of my free time on the phone with Google support (they were totally clueless by the way, which clearly opposes the image we have of Google as the search engine giant that hires the most brilliant people in the industry), as I felt bad for the client, even though none of this was really our fault. In the end, someone from Google suggested that we register an alternative domain name for the client and start over from scratch with that name, as the old name was going to be punished for a few more months and there was nothing they could do for us.

A few months later, after we brought her websites to the top 10 worldwide Google search results with white hat SEO techniques for some of her important keywords, she decided that she would like to move on to another service provider. I looked at the work they were doing and I’d say they are crossing the line between white hat and black hat SEO. Today we were informed that this new service provider is going to “take over the domain registration” and guess where she is going to have her domain name registered again?
