Issues with Emails After Possible Domain Hack
Hello everyone,
This situation may sound more like a back-end issue than a front-end one; that's why I prefer to ask it here, even though my page has no back-end at all, it's just a presentation page.
About a month ago, I uploaded the website I designed for a food import company to their existing domain. The domain and hosting were previously managed by another developer, whom I’ll call Alex. He owns his own hosting service. I uploaded the website on September 16, replacing the old version.
Last Friday, the company started experiencing issues with their emails. Alex blamed me, claiming that the website lacked security and that it caused a phishing attack. However, what really caught my attention was when he mentioned that the domain was "hacked" between August 20 and 24, well before I uploaded the new website.
Upon checking the cPanel, I noticed that the number of email accounts had increased from the original 28 to 40, confirming that someone had unauthorized access. I immediately took action by deleting the newly created email accounts and changing all the passwords for cPanel and the email accounts.
To address the ongoing issues, I had the company change hosting providers to see if that would resolve the problem and to stop relying on Alex.
Now, the issue is that when I try to send emails from some of these accounts, I get the following error message:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
[email protected]
host eig-east.smtp.a.cloudfilter.net [3.228.35.199]
SMTP error from remote mail server after end of data:
550 <[email protected]> message rejected AUP#POL
The message is much longer but due to server directives I am making it short. If you can help me with this I would appreciate it.
25 Replies
you're probably on some blacklist
https://multirbl.valli.org/ <-- type one of the emails here
https://mxtoolbox.com/Problem/blacklist <-- you can also try this one
then, if you show in a blacklist, literally follow whatever instructions it gives you (just don't provide any passwords or private stuff from the server) and wait some days
also, make sure your message isn't too spammy
there are services to test sending an email to, that will check it
The page is on two blacklists out of 72. I previously removed it from another one, but I have not done so on those two. They are:
UCEPROTECTL2
UCEPROTECTL3
then do what the blacklists tell you to do
I literally sent a test, "hello, how are you", something like that, and it also gives me the error
but this is not a guarantee
https://www.reddit.com/r/email/comments/15jrcgk/comment/k7jkn6y/ <-- i also found this
which may or may not help
this is a configuration in your server
When I submit the IP of the page I get this message from UCEPROTECT
IP Information Your IP XXX.XXX.XXX.XXX is part of AS 46606 UNIFIEDLAYER-AS-1, US and networks 162.240.0.0/15 162.241.148.0/24 The reverse DNS (PTR) exists and claims to be: XXX-XXX-XXX-XXX.unifiedlayer.com WARNING: There is no A record matching your reverse DNS.
The DNS is INCONSISTENT.
Please ask your administrator or provider to fix this problem.
This IP is NOT registered at ips.whitelisted.org. You can find more information about whitelisted.org here.
if you have free support for your server, this is a good chance to contact them
also, i would consider seriously if you need to send emails
The customer support of this garbage hosting provider is terrible. They don't solve anything for me; they question and criticize me instead of helping me. That's why I turn to the community.
do you pay for support? or is it included?
if so, they are required to give you support, even if they don't want to
Let me finish telling you the rest of the story, sorry if it's too long.
Interestingly, this issue only affects some email accounts, not all of them. After doing some research, I found out it could be related to DNS settings.
Upon reviewing the Email Delivery options, I see there is an error in Reverse DNS (PTR), which states:
“To resolve this issue, please contact your system administrator and request that they replace all PTR records for “xxx.xxx.xxx.xxx.in-addr.arpa” with the following record at 'ns1.unifiedlayer.com' and 'ns2.unifiedlayer.com'.”
I contacted Alex to request this change that cPanel itself recommends, and he responded rather rudely, stating that the hosting server is working fine and that the problem is a “security” issue.
Additionally, I would like to clarify that this problem has been occurring since last Friday, as I mentioned earlier. However, the change made in the WebMail was this:
“The Horde webmail application has been removed in cPanel & WHM version 108. All Horde email, contacts, and calendars will be automatically migrated to Roundcube. For more information, read our cPanel Deprecation Plan documentation.”
Since I’m still relatively new to managing hosting and DNS configurations, I would really appreciate any advice or guidance from the community to resolve this issue.
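The UCEPROTECT warning quoted earlier (PTR exists, no A record matching it) and the cPanel PTR notice quoted above are the same failed check: forward-confirmed reverse DNS. The following is an added example, not code from the thread, from cPanel or from UCEPROTECT: it runs the check offline against constructed sample records (RFC 5737 documentation addresses) and also builds the query name a DNS blacklist lookup uses; the resolver is pluggable, so a real DNS library can replace the sample data for a live check.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS data (RFC 5737 documentation addresses, not real hosts)
# mirroring the thread: the PTR for the mail server's IP names a hosting
# hostname, but nothing resolves that hostname back to the IP.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["host-10.hosting.example.net."],
    # no ("host-10.hosting.example.net.", "A") entry -> the "DNS is INCONSISTENT" case
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["192.0.2.20"],   # forward and reverse agree
}

# A resolver is any callable (name, record type) -> list of answers; the sample
# one reads the dict above so this runs offline. Plug in dnspython for live checks.
Resolver = Callable[[str, str], List[str]]

def sample_resolver(name: str, rtype: str) -> List[str]:
    return SAMPLE_RECORDS.get((name, rtype), [])

def reverse_name(ip: str) -> str:
    """Name queried for a PTR record: reversed octets under in-addr.arpa (ip6.arpa for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def fcrdns_check(ip: str, resolve: Resolver = sample_resolver) -> Tuple[str, str]:
    """Forward-confirmed reverse DNS: a PTR must exist and its name must resolve back to ip.
    Returns (status, detail) with status OK, NO_PTR or INCONSISTENT."""
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return "NO_PTR", f"{ip} has no reverse DNS at all"
    rtype = "AAAA" if ":" in ip else "A"
    for host in ptrs:
        if ip in resolve(host, rtype):
            return "OK", f"{ip} -> {host} -> {ip}"
    return "INCONSISTENT", f"PTR says {ptrs[0]} but no {rtype} record there points back to {ip}"

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to query when checking one DNS blacklist (IPv4): reversed octets
    under the list's zone. Any A answer means the IP is listed; take the exact
    zone name for each list (the UCEPROTECT levels included) from its own site."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "198.51.100.5"):
        print(addr, *fcrdns_check(addr))
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example.net"))
```

Only the hosting provider (the party that owns the IP range) can fix an INCONSISTENT result, which is why cPanel's notice asks for the PTR records to be replaced at the provider's name servers.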
Literally it is a guy with a server at home hosting pages on the internet; at most it's a team of 3 people
you've really picked the finest of the finest :/
In the end I decided to tell the company to migrate the domain to another provider and try to see if that fixes the problem.
And that's what I'm doing now
it probably may not fix it, but that company may have much better support
but seriously, you should really consider not using emails, if you can
just out of curiosity, is it a php website that you have?
It's a very old-fashioned company, they haven't modernized at all, the company is literally in trouble because they can't answer emails.
I made the page purely in Bootstrap and a bit of JS
It is a purely presentation page, nothing complex, no purchases or anything.
if you chose a service that sells a shared vps, it's possible that someone else was hacked and you ate from that turd sandwich as collateral
i've seen my fair share of wordpress websites being infected because someone else got hacked and the virus was spread into the entire server
and even non-wordpress websites were caught in that
At this point I honestly think I entered a battle that was already lost; probably the server was about to be hacked, and just as I arrived I had to carry the dead man.
or you were caught in the shitstorm
you couldn't have stopped this
the server providers wash their hands and blame you because it removes all liability from them
and obviously, the fewer that know the better
When I log out of the domain management page and so on, it takes me to a rather strange page full of garbage written in Indonesian.
that's ... sketchy ...
And Casino shit
that's extra sketchy
It's literally logging out of the domain manager and redirecting to that shit.
you should talk with the support, because that's not normal
also, you may have to provide a HAR file showing the network traffic
Thank you for your help. I will tell you that everything that is happening is not my fault; probably through that page they managed to gain access to the server where my website was hosted, and from there they began to send emails and spam.
i mean, if you have a webpage that's just bootstrap and images, it's impossible to have been you
but sadly, you're the one that suffers the consequences
the domain gets blacklisted and messages get rejected
hopefully, in a new server, you can get away from that bad reputation
if you can't, well, there's paid bs like mandrill (which is $20 for 25000 emails a month)
and that way, it's a little more likely for your email to be delivered