Dedicated Servers

How to block Yandex using IPTABLES or APF

Re: Yandex IP range, Yandex subnets, Block Yandex Robots

Across our server range we are finding that Yandex continues to ignore robots.txt files and crawls some sites constantly, so how do you stop such an abuse of your network resources?

If you use IPTABLES or APF (you should!) then you can block all Yandex spiders using the following IP ranges:

77.88.0.0/18 # yandex.ru
77.88.22.0/23 # yandex.ru
77.88.24.0/21 # yandex.ru
77.88.24.0/22 # yandex.ru
77.88.28.0/22 # yandex.ru
77.88.36.0/23 # yandex.ru
77.88.42.0/23 # yandex.ru
77.88.44.0/24 # yandex.ru
77.88.50.0/23 # yandex.ru
87.250.224.0/19 # yandex.ru
87.250.230.0/23 # yandex.ru
87.250.252.0/22 # yandex.ru
93.158.128.0/18 # yandex.ru
93.158.137.0/24 # yandex.ru
93.158.144.0/21 # yandex.ru
93.158.144.0/23 # yandex.ru
93.158.146.0/23 # yandex.ru
93.158.148.0/22 # yandex.ru
95.108.128.0/17 # yandex.ru
95.108.128.0/24 # yandex.ru
95.108.152.0/22 # yandex.ru
95.108.216.0/23 # yandex.ru
95.108.240.0/21 # yandex.ru
95.108.248.0/23  # yandex.ru
178.154.128.0/17 # yandex.ru
178.154.160.0/22 # yandex.ru
178.154.164.0/23 # yandex.ru
199.36.240.0/22 # yandex.ru
213.180.192.0/19 # yandex.ru
213.180.204.0/24 # yandex.ru
213.180.206.0/23 # yandex.ru
213.180.209.0/24 # yandex.ru
213.180.218.0/23 # yandex.ru
213.180.220.0/23 # yandex.ru

Simply restart APF and Yandex will no longer be a problem (until they extend their network!).

How can I tell if PHP SOAP is installed?

Re: Is PHP SOAP installed? Which version of PHP SOAP do I have?

For dedicated servers, you can tell if PHP SOAP is installed by the running the following command on the console:

# php -i phpinfo | grep soap

The following outpout will confirm you have PHP SOAP installed:

soap
soap.wsdl_cache => 1 => 1
soap.wsdl_cache_dir => /tmp => /tmp
soap.wsdl_cache_enabled => 1 => 1
soap.wsdl_cache_limit => 5 => 5
soap.wsdl_cache_ttl => 86400 => 86400

If you have a shared hosting account and need PHP SOAP, simply contact the Helpdesk to arrange a transfer of your account to a suitable server.

Where is the Plesk maillog located?

Re: Where can I find the mail log in Plesk?

The mail logs in Plesk qmail are stored here:

/usr/local/psa/var/log/maillog

You can view the entire maillog like this:

# cat /usr/local/psa/var/log/maillog

Or you can look at the last 150 lines like this:

# tail -150 /usr/local/psa/var/log/maillog

You can watch the maillog devlop in real time like this:

# tail -f /usr/local/psa/var/log/maillog

You can search for specific entries like this:

# tail -500 /usr/local/psa/var/log/maillog | grep test@domain.co.uk

The Plesk maillog is your friend when it comes to finding spammers and email problems on your server.

How do I find the SPAM source on a Plesk server using qmail?

Re: Finding spammers in Plesk, find source of spam on Plesk server

If you are hosting a Plesk server wilth multiple sites then eventually you will find that spam will appear from one of those sites and it will be difficult to determine where the spam is coming from. This will put your server IP at risk of being suspended by your server provider.

First things first, let’s check to see if the spam is being sent by a mailbox user, this would indicate deliberate spamming from a client or a compromised password on a mailbox account.

Out of the ordinary authentications

A large number of authentications to a particular mailbox, ie. thousands, can indicate massive email activity, you can check this quickly as follows:

# cat /usr/local/psa/var/log/maillog |grep -I "LOGIN"|awk {'print $12'}|sort|uniq -c|sort -n

If you cannot see anything out of the ordinary, the search continues.

The Maillog is your friend

Let’s take a look at the plesk qmail maillog:

# tail -500 /usr/local/psa/var/log/maillog

Entries like the following indicate the domain and mailbox that the email is being sent from:

Dec  7 10:51:01 server qmail-local-handlers[29265]: from=info@spammerdomain.com

This leaves you no further work to do, possibly suspend the account and contact the client in question. You might want to clear the mail queue in the Plesk panel also.

Difficult to locate spammers

A more difficult situation is where the email is being sent using the Apache user or as anonymous. This type of email spam cannot so easily be traced to a sender as it is not being sent from a mailbox.

These entries look something like this:

Dec  7 10:50:17 server qmail-queue-handlers[29080]: from=anonymous@server.hostname.com

Or like this:

Dec  7 10:50:17 server qmail: 1323255017.404624 info msg 47220220: bytes 501 from <anonymous@server.hostname.com> qp 29081 uid 48

It is not possible to determine the spammer from the maillog in this situation. These emails are being sent using a form processor or other PHP mailer / PERL mailer script.

Track, Trace and Remove

To solve this problem you need to

  • Login to the Plesk Control Panel > Home > Mail Settings > Mail Queue
  • Click on one of the many SPAM emails you will see listed

Look for this at the top of the mail header:

Received: (qmail 2583 invoked by uid 10211)

Once you have the UID (which in this case in 10211) you can now trace the client like this:

# grep 10211 /etc/passwd

Which will show something like this:

dom74628:x:10211:2523::/var/www/vhosts/thespammerdomain.com:/bin/false

You can now proceed suspend the spam account and remove all the mails from the mail queue.

How do I use iptables to route to another port?

You can use iptables pre-routing to route from one port to another.

For example, the following command will enable mail users to use port 26 or port 25 for SMTP request. All port 26 requests will be routed to port 25.

# iptables -t nat -A PREROUTING -p tcp -d 192.168.167.2 --dport 26 -j DNAT --to 192.168.167.2:25

Now your clients can use port 26 or port 25 without any problems.