WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1
06-20-2008, 01:16 AM
WebProWorld Member
Join Date: Aug 2005
Location: Nimpo Lake British Columbia
Posts: 37
wilderness RepRank 0
Help! I think I'm under attack by a bot called startdedicated

Hi everyone,
I noticed in the last few days that I was getting a whole bunch of returned mail from mail daemons of all sorts. It appeared that my own email address was sending out emails to others that I knew nothing about and were being returned. So I assumed something had taken over my site. I had to disable my form some time ago because it had been taken over.
I checked my logs and was getting a massive amount of traffic from something called startdedicated.com which Trusted source calls malicious. My problem is, how do I keep it out of my site? I have no idea how. Any pathetic attempts I might make are pretty much trying to use the robots.txt file, and I don't know how effective that would be.
Should I contact my host? Can they block a malicious bot? Is there a way I can?

Thanks for any help you can give me!

wilderness
__________________
A comprehensive site providing vacation information for the Anahim Lake and Nimpo Lake Communities and surrounding region. Resortsbc.com
#2
06-20-2008, 02:37 AM
WebProWorld Pro
Join Date: Jun 2005
Location: Seattle
Posts: 270
danlefree RepRank 4

startdedicated.com WHOIS

First, block the IP(s) associated with the bot or bots from accessing your mail daemon and webserver.

Second, contact the abuse address at the host of the domain - malicious activity certainly qualifies as abuse.
__________________
Dan LeFree | Product Manager (Linux VPS Hosting) | Owner/Operator (Web development, marketing)
#3
06-20-2008, 06:12 PM
WebProWorld New Member
Join Date: Nov 2005
Posts: 8
gawotn RepRank 0

First of all, determine if the e-mails are "actually" being sent from your server.

1) Look at the "raw data" view of one of the returned e-mails.
2) Look right above where the original message says from and take note of the IP address in parentheses (ip).

If this is NOT your IP address, then it is probable that the only thing that is going on is that your e-mail address has been forged as the "return" address for the crap that is going out. The spammers sure don't want the returned e-mails, so they figure that it might as well be returned to you instead.

This is a lot more common than you think. The only thing that you can do is to make sure that you have an SPF record on file for your domain (so it makes it harder for them to do this to you) and hope they skip your e-mail address after a while and move onto abusing someone else's.
Reply With Quote
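The check described in the post above, as an added example that is not part of the original thread: it pulls the returned message out of a bounce, reads the IP that the bouncing server itself recorded in the topmost Received header, and compares it with your own server's address. `MY_SERVER_IPS`, the sample bounce and every hostname and address in it are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the address(es) your own web/mail server sends from.
MY_SERVER_IPS = {ipaddress.ip_address("192.0.2.10")}

# Constructed bounce (RFC 3464 layout, documentation addresses). The lower
# Received line was written by the sender and can say anything.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Delivery to nobody@recipient.example failed.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--BOUND
Content-Type: message/rfc822

Received: from unknown (HELO mysite.example) (203.0.113.77)
 by mx.recipient.example with SMTP; Fri, 20 Jun 2008 01:02:03 -0000
Received: from mysite.example (mysite.example [192.0.2.10])
 by relay.invalid with SMTP; Fri, 20 Jun 2008 01:00:00 -0000
From: info@mysite.example
Subject: constructed sample

body
--BOUND--
"""

# An address written as (1.2.3.4) or [1.2.3.4], optionally with an IPv6: tag.
IP_TOKEN = re.compile(r"[\[(]\s*(?:IPv6:)?([0-9A-Fa-f:.]+)\s*[\])]")

def embedded_original(bounce):
    """Return the returned message (or just its headers) carried in the bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def handoff_ip(original):
    """IP logged by the bouncing server itself: the topmost Received header."""
    top = str((original.get_all("Received") or [""])[0])
    for token in IP_TOKEN.findall(top):
        try:
            return ipaddress.ip_address(token)
        except ValueError:
            continue  # bracketed text that only looked like an address
    return None

def classify(raw_bounce, my_ips=MY_SERVER_IPS):
    """Return (verdict, ip) for one raw bounce message."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = embedded_original(bounce)
    ip = handoff_ip(original) if original is not None else None
    if ip is None:
        return "cannot-tell", None
    return ("sent-from-my-server" if ip in my_ips else "forged-return-address"), ip

if __name__ == "__main__":
    print(classify(SAMPLE_BOUNCE))
```

Only the topmost Received line is compared, because it is the one written by the server that produced the bounce; in the sample the lower line names the site's real address even though the message never came from it.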
#4
06-20-2008, 06:40 PM
WebProWorld New Member
Join Date: Jul 2003
Posts: 5
joand RepRank 0

It is likely that these are 2 separate problems. There has been an upswing in "backscatter" lately - quite a few clients on my server have been hit by it (myself included) - which is caused when spammers use your address as the return path so that you get all the bounced messages from their email blast. Here is a good article on backscatter:
Dealing with Backscatter
#5
06-21-2008, 05:22 AM
WebProWorld Member
Join Date: Jun 2007
Posts: 76
seo4china RepRank 0

You might be a victim of email spoofing. Google on how to set up SPF records for your email server.
#6
06-21-2008, 08:19 AM
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,288
deepsand RepRank 9

Quote:
Originally Posted by seo4china
You might be a victim of email spoofing. Google on how to set up SPF records for your email server.

SPF will not prevent spoofing, but only block delivery of spoofed missives to recipients whose e-mail systems use SPF to validate the sender, which will increase backscatter.
#7
06-21-2008, 02:15 PM
WebProWorld Member
Join Date: Jun 2007
Posts: 76
seo4china RepRank 0

Quote:
Originally Posted by deepsand
SPF will not prevent spoofing, but only block delivery of spoofed missives to recipients whose e-mail systems use SPF to validate the sender, which will increase backscatter.

Which includes, if I am not wrong, all the major free email providers, and therefore can definitely reduce the amount of spoofing, while improving the deliverability of your own emails as well.
#8
06-21-2008, 02:37 PM
WebProWorld New Member
Join Date: May 2006
Location: Oklahoma
Posts: 21
dtalbot RepRank 0

Hi,

I've recently had the same problem. I had a php script I wrote that was too open. I ended up changing the code to Mat Cutt's formmail.pl script. It stopped the email relaying. I don't understand how they were doing it but a vulnerability in my form handler allowed the spammers to send email using my script without it sending me an email. The only way I found out was the flood of error messages my server was returning to me.

Best of luck.
Daphne
__________________
Daphne Talbot
http://www.TalbotServices.com
Website marketing & design
#9
06-21-2008, 03:32 PM
WebProWorld New Member
Join Date: Oct 2005
Posts: 15
artglick RepRank 0

Quote:
Originally Posted by dtalbot
Hi,

I've recently had the same problem. I had a php script I wrote that was too open. I ended up changing the code to Mat Cutt's formmail.pl script. It stopped the email relaying. I don't understand how they were doing it but a vulnerability in my form handler allowed the spammers to send email using my script without it sending me an email. The only way I found out was the flood of error messages my server was returning to me.

Best of luck.
Daphne

I think you meant Matt Wright. Matt Cutt is the Google guru...
#10
06-21-2008, 05:47 PM
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: Aug 2003
Location: Worldwide
Posts: 8,170
Webnauts RepRank 9

If you are on Apache, and .htaccess modules are activated, keep bad bots out of your site by adding the following rules:
Code:
### Deny Fake Bots ###
# Each line below sets the bad_bot variable when the User-Agent matches.
BrowserMatch "^Java/?[1-9_\.]*" bad_bot
BrowserMatch "^MJ12bot/?[1-9_\.]*" bad_bot
SetEnvIfNoCase User-Agent "8484 Boston Project v 1.0" bad_bot
SetEnvIfNoCase User-Agent "charlotte/" bad_bot
SetEnvIfNoCase User-Agent "curl/7.15.5 \(i686-redhat-linux-gnu\) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5" bad_bot
SetEnvIfNoCase User-Agent "ISC Systems iRc Search 2.1" bad_bot
SetEnvIfNoCase User-Agent "^Jakarta\ Commons-HttpClient/" bad_bot
SetEnvIfNoCase User-Agent "larbin/" bad_bot
SetEnvIfNoCase User-Agent "libwww-perl/" bad_bot
SetEnvIfNoCase User-Agent "^libcurl-agent/" bad_bot
SetEnvIfNoCase User-Agent "^Microsoft\ URL\ Control.*$" bad_bot
SetEnvIfNoCase User-Agent "MJ12bot/v1.0.8" bad_bot
SetEnvIfNoCase User-Agent "^Missigua" bad_bot
SetEnvIfNoCase User-Agent "^Mozilla/4\.0\ .*Win\ 9x\ 4\.90.*$" bad_bot
SetEnvIfNoCase User-Agent "Nutch" bad_bot
SetEnvIfNoCase User-Agent "phpversion" bad_bot
SetEnvIfNoCase User-Agent "TencentTraveler" bad_bot
SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
# Requests that have bad_bot set are refused.
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
and

Code:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|Arachmo|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|BecomeBot|big.brother|BlackWidow|bmclient|Boston\ Project|bot/1.0|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Clushbot|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|kalooga|KWebGet|Lachesis|larbin|Leacher|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|MJ12bot/v1\.0\.8|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|MSR-ISRCCrawler|multithreaddb|my-heritrix-crawler|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|NicheBot|noxtrumbot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pingdom|Pockey|POE-Component-Client-HTTP|Powermarks|Proxy|psbot|PSurf|psycheclone|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Yeti|zermelo|Zeus.*Webster|Zeus [NC]
RewriteRule ^.* - [F,L]
Try both together. If you get a server error, test each one separately to see which works.

I did not add the bot you mentioned here, since I did not investigate it yet.

In addition, do yourself a favor and support us at Distributed Spam Harvester Tracking Network | Project Honey Pot (Free - No membership fees).

I can only tell you that we have 98% fewer spambot attacks, and we catch some if not all of the remaining 2% with the help of the honeypot.

You will be amazed.

Good luck,

John

P.S. I am writing an article which I will publish soon on my site.
__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO
#11
06-21-2008, 06:51 PM
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,288
deepsand RepRank 9

Quote:
Originally Posted by seo4china
Which includes, if I am not wrong, all the major free email providers, and therefore can definitely reduce the amount of spoofing, while improving the deliverability of your own emails as well.

Unfortunately, SPF's acceptance has been far from overwhelming.

Not only is it not the case that its users include "all the major free email providers," but, in fact, many of the paid services, consumer & business class alike, haven't implemented it either.

SPF needs to be effected at both ends in order to effectively block recipients from receiving such missives as well as block backscatter from reaching the party whose e-mail address was spoofed.
#12
06-21-2008, 07:01 PM
WebProWorld New Member
Join Date: Jun 2008
Location: Saint Paul, MN
Posts: 4
HostRail RepRank 0

This is called "Backscattered"
These links will explain.
Backscatter - Wikipedia, the free encyclopedia
Digg - 100 E-mail Bouncebacks? You've Been Backscattered

My company has been trying to fight this but it's very hard to filter!
#13
06-21-2008, 10:20 PM
WebProWorld New Member
Join Date: Feb 2004
Location: California
Posts: 6
Rovoo.com RepRank 0

I don't know if I do the right thing, but I spam the mailer daemon and all the bounced-back letters that I receive. Before, I received hundreds of them; a few months ago I received one or two and clicked spam on them; now I don't receive the mailer daemon anymore. In my opinion it's their responsibility to investigate if the letter is from the legitimate sender. After all, they are the smart people, aren't they?
#14
06-22-2008, 05:45 AM
WebProWorld Member
Join Date: Aug 2005
Location: Nimpo Lake British Columbia
Posts: 37
wilderness RepRank 0

Hi Everyone,
I'm sorry to take so long to get back online here, especially in view of your wonderful responses, but I am out in the boondocks here, so things go slower.
I can't thank you enough for all of your suggestions, especially about the email problem. However, there were only a couple responses to the problem with my bandwidth being taken over by this startdedicated thing. I do appreciate Webnaut's suggestion for how to put the prohibited files into the .htaccess code, except that I have no idea how to activate .htaccess. And yes, I do have apache on this particular server, last time I checked.
I just wanted you all to know that I'm trying to absorb your responses, and that I can't thank you enough for taking the time out to answer my query. It's just that I'm on Chilcotin time.... so everything goes slower.

Thank you!!

J Baker (wilderness)
#15
06-23-2008, 11:03 AM
Moderator
WebProWorld Moderator
Join Date: Jun 2006
Location: United States
Posts: 2,661
wige RepRank 9

Quote:
Originally Posted by wilderness
I do appreciate Webnaut's suggestion for how to put the prohibited files into the .htaccess code, except that I have no idea how to activate .htaccess. And yes, I do have apache on this particular server, last time I checked.

Do you have a shared server, or a dedicated server?

If you are on a shared server, you simply create a text file in the root directory (same folder as your main index file) called ".htaccess", provided that your hosting company allows you to use .htaccess. Then, put the directives in the file as suggested above.
__________________
The best way to learn anything, is to question everything.
#16
09-03-2008, 05:53 PM
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: Aug 2003
Location: Worldwide
Posts: 8,170
Webnauts RepRank 9
Urgent Update!!!

Hello there everybody. This is an urgent and important update!!!
We had an error in the above code, which made the htaccess file visible to web browsers.

Replace this part:

Code:
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch> 


with this:


Code:
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
Sorry for that. But as you see, I came back to correct the issue to avoid any future problems!!!
__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO
Reply With Quote
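A way to dry-run rules like the ones in this thread before uploading them, added here as an example and not code from anyone in the thread: it replays sample User-Agent strings against the BrowserMatch/SetEnvIf and RewriteCond lines and lists rules that set a variable no Deny line reads. The excerpt, the sample User-Agent strings and the simplified tokenizer (Python regular expressions standing in for Apache's) are assumptions.

```python
import re

# Constructed .htaccess excerpt in the style of the rules in this thread. One
# line deliberately sets "bad-bot" (hyphen), which the Deny line never reads.
HTACCESS = r'''
BrowserMatch "^Java/?[1-9_\.]*" bad_bot
SetEnvIfNoCase User-Agent "larbin/" bad-bot
SetEnvIfNoCase User-Agent "libwww-perl/" bad_bot
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Boston\ Project|bot/1.0|email|Fetch|Wget [NC]
RewriteRule ^.* - [F,L]
'''

# Constructed samples: two scripted clients, a search crawler, a feed reader
# and a desktop browser.
SAMPLE_AGENTS = [
    "Java/1.6.0_04",
    "larbin/2.6.3 (larbin@example.invalid)",
    "msnbot/1.0 (+http://search.msn.com/msnbot.htm)",
    "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)",
    "Mozilla/5.0 (Windows NT 5.1; rv:1.9) Gecko/2008052906 Firefox/3.0",
]

# Approximation of Apache's argument splitting: a "quoted word", or a bare word
# in which backslash-space does not end the word.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|((?:\\.|[^\s"\\])+)')

def tokens(line):
    return [quoted or bare for quoted, bare in TOKEN.findall(line)]

def parse(htaccess):
    """Collect User-Agent env rules, variables named by Deny, RewriteCond patterns."""
    env_rules, denied, rewrites = [], set(), []
    for line in htaccess.splitlines():
        t = tokens(line.strip())
        if not t or t[0].startswith("#"):
            continue
        name = t[0].lower()
        flags = re.I if name.endswith("nocase") else 0
        if name in ("browsermatch", "browsermatchnocase") and len(t) >= 3:
            env_rules.append((re.compile(t[1], flags), t[2], line.strip()))
        elif (name in ("setenvif", "setenvifnocase") and len(t) >= 4
              and t[1].lower() == "user-agent"):
            env_rules.append((re.compile(t[2], flags), t[3], line.strip()))
        elif name == "deny" and len(t) >= 3 and t[2].startswith("env="):
            denied.add(t[2][4:])
        elif name == "rewritecond" and len(t) >= 3 and t[1] == "%{HTTP_USER_AGENT}":
            # Assumes the condition guards a RewriteRule with [F], as above.
            nocase = len(t) > 3 and "NC" in t[3].strip("[]").split(",")
            rewrites.append(re.compile(t[2], re.I if nocase else 0))
    return env_rules, denied, rewrites

def verdict(user_agent, parsed):
    """Return why a request with this User-Agent would get a 403, or None."""
    env_rules, denied, rewrites = parsed
    for regex, var, _ in env_rules:
        if var in denied and regex.search(user_agent):
            return f"Deny from env={var}"
    for regex in rewrites:
        m = regex.search(user_agent)
        if m:
            return f"RewriteCond alternative {m.group(0)!r}"
    return None

def dead_rules(parsed):
    """Rules that set a variable no Deny line reads, so they block nothing."""
    env_rules, denied, _ = parsed
    return [src for _, var, src in env_rules if var not in denied]

def report(htaccess=HTACCESS, agents=SAMPLE_AGENTS):
    parsed = parse(htaccess)
    return {ua: verdict(ua, parsed) for ua in agents}, dead_rules(parsed)

if __name__ == "__main__":
    verdicts, dead = report()
    for ua, why in verdicts.items():
        print("403 " if why else "pass", ua, "<-", why)
    print("never enforced:", dead)
```

On the sample data the crawler and the feed reader are refused by the short unanchored alternatives `bot/1.0` and `Fetch`, while the larbin request passes because its rule sets a variable nothing denies.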
#17
10-03-2008, 08:04 PM
WebProWorld New Member
Join Date: Sep 2008
Location: Chicago, IL
Posts: 13
Varsys RepRank 0

It looks like these are backscatter messages. The simplest temporary solution is to block all emails from the backscattering domain IPs. In the long term, you might want to use SCL, Sender ID filters, create SPF record and contact the admin of the backscattering domain to ask him to use Sender ID filters! Good luck.
All times are GMT -4.