Help! I think I'm under attack by a bot called startdedicated

[wilderness]

Hi everyone,
I noticed in the last few days that I was getting a whole bunch of returned mail from mail daemons of all sorts. It appeared that my own email address was sending out emails to others that I knew nothing about and were being returned. So I assumed something had taken over my site. I had to disable my form sometime ago because it had been taken over.
I checked my logs and was getting a massive amount of traffic from something called startdedicated.com which Trusted source calls malicioius. My problem is, how do I keep it out of my site? I have no idea how. Any pathetic attempts I might make are pretty much trying to use the robots.txt file, and I don't know how effective that would be.
Should I contact my host? Can they block a malicious bot? Is there a way I can?

Thanks for any help you can give me!

wilderness

[danlefree]

startdedicated.com WHOIS

First, block the IP(s) associated with the bot or bots from accessing your mail daemon and webserver.

Second, contact the abuse address at the host of the domain - malicious activity certainly qualifies as abuse.

[gawotn]

First of all, determine if the e-mails are "actually" being sent from your server.

1) Look at the "raw data" view of one of the returned e-mails.
2) Look right above where the original message says from and
take note of the IP address in parentheses (ip).

If this is NOT your ip address, then it is probable that the only
thing that is going on is that your e-mail address has been forged
as the "return" address for the crap that is going out. The spammer's
sure don't want the returned e-mails, so they figure that it might
as well be returned to you instead.

This is a lot more common than you think. The only thing that
you can do is to make sure that you have a SPF record on file
for your domain (so it makes it harder for them to do this to you)
and hope they skip your e-mail address after a while and move
onto abusing someone else's.

[joand]

It is likely that these are 2 separate problems. There has been an upswing in "backscatter" lately - quite a few clients on my server have been hit by it (myself included) - which is caused when spammers use your address as the return path so that you get all the bounced messages from their email blast. Here is a good article on backscatter:
Dealing with Backscatter

[seo4china]

You might be victim of email spoofing. Google on how to set up SPF records for your email server.

[deepsand]

You might be victim of email spoofing. Google on how to set up SPF records for your email server.

SPF will not prevent spoofing, but only block delivery of spoofed missives to recipients whose e-mail systems use SPF to validate the sender, which will increase backscatter.

[seo4china]

SPF will not prevent spoofing, but only block delivery of spoofed missives to recipients whose e-mail systems use SPF to validate the sender, which will increase backscatter.

Which includes if I am not wrong all the major free email providers, and therefore can definitely reduce the amount of spoofing. While improving the deliverability of your own emails as well.

[dtalbot]

Hi,

I've recently had the same problem. I had a php script I wrote that was too open. I ended up changing the code to Mat Cutt's formmail.pl script. It stopped the email relaying. I don't understand how they were doing it but a vulnerability in my form handler allowed the spammers to send email using my script without it sending me an email. The only way I found out was the flood of error messages my server was returning to me.

Best of luck.
Daphne

[artglick]

Hi,

I've recently had the same problem. I had a php script I wrote that was too open. I ended up changing the code to Mat Cutt's formmail.pl script. It stopped the email relaying. I don't understand how they were doing it but a vulnerability in my form handler allowed the spammers to send email using my script without it sending me an email. The only way I found out was the flood of error messages my server was returning to me.

Best of luck.
Daphne

I think you meant Matt Wright. Matt Cutt is the Google guru...

[Webnauts]

If you are on Apache, and .htaccess modules are activated, keep bad bots out of your site, adding the following rules:

Code:

### Deny Fake Bots ###
BrowserMatch "^Java/?[1-9_\.]*" bad_bot
BrowserMatch "^MJ12bot/?[1-9_\.]*" bad_bot
SetEnvIfNoCase User-Agent "8484 Boston Project v 1.0" bad_bot
SetEnvIfNoCase User-Agent "charlotte/" bad_bot
SetEnvIfNoCase User-Agent "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5" bad_bot
SetEnvifNoCase User-Agent "ISC Systems iRc Search 2.1" bad_bot
SetEnvIfNoCase User-Agent "^Jakarta\ Commons-HttpClient/" bad_bot
SetEnvIfNoCase User-Agent "larbin/" bad-bot
SetEnvIfNoCase User-Agent "libwww-perl/" bad_bot
SetEnvIfNoCase User-Agent "^libcurl-agent/" bad_bot
SetEnvIfNoCase User-Agent "^Microsoft\ URL\ Control.*$" bad_bot
SetEnvIfNoCase User-Agent "MJ12bot/v1.0.8" bad_bot
SetEnvIfNoCase User-Agent "^Missigua" bad_bot
SetEnvIfNoCase User-Agent "^Mozilla/4\.0\ .*Win\ 9x\ 4\.90.*$" bad_bot
SetEnvIfNoCase User-Agent "Nutch" bad_bot
SetEnvIfNoCase User-Agent "phpversion" bad_bot
SetEnvIfNoCase User-Agent "TencentTraveler" bad_bot
SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>

and

Code:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|Arachmo|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|BecomeBot|big.brother|BlackWidow|bmclient|Boston\ Project|bot/1.0|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Clushbot|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|kalooga|KWebGet|Lachesis|larbin|Leacher|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|MJ12bot/v1\.0\.8|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|MSR-ISRCCrawler|multithreaddb|my-heritrix-crawler|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|NicheBot|noxtrumbot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pingdom|Pockey|POE-Component-Client-HTTP|Powermarks|Proxy|psbot|PSurf|psycheclone|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Yeti|zermelo|Zeus.*Webster|Zeus [NC]
RewriteRule ^.* - [F,L]

Try both together. If you get a server error, test each one separately to see which works.

I did not add the bot your mentioned here, since I did not investigate it yet.

In addition, do yourself a favor and support us at Distributed Spam Harvester Tracking Network | Project Honey Pot (Free - No membeship fees).

I can only tell that we have 98% less spambots attacks, and we catch some if not all of the left 2% with the help of the honeypot.

You will be amazed.

Good luck,

John

P.S. I am writing an article which I will publish soon on my site.