Well, I visited the "dangerous" page and whatever iWeb site was there before is long gone - someone has removed it and installed their own minimal bit of HTML with a "coming soon" and a countdown timer script (which isn't working) and a Wordpress logo, though WP itself is not installed. The details in the dangerous site warning say that the site was used for phishing - so the home page is not the page that has the phish installed.
So - first off, you need to get access to cPanel again, change the password for cPanel and then you do indeed need to wipe the site out. COMPLETELY. No telling where they've buried the bodies - but there could be scripts and redirects and all sorts of nasty stuff on there. Spamhaus thinks there is a bot/malware that is associated with ransomware. Bad stuff.
You don't, btw, need an actual website to have working domain email. You need to have email hosting somewhere, attached to the domain - but you (your wife) may want to investigate other options besides MacHighway for that. You will, however, have to deal with the blacklisting if you want to keep those email addresses.
The site is on Spamhaus' blacklist and as that's one used by many, many ISPs, it's pretty obvious why email just isn't going.
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3aelliff-legal-med.com&run=toolpage
Here's the info from Spamhaus (go directly to their site and put in the IP address if you want to see it directly. IP address is below):
199.204.248.169 has 1 listing
Robot speaking
Please don’t be alarmed! We understand finding your IP address, domain, URL or ASN on a blocklist can be worrying. This website will give you information about why you are listed and what you can do to ensure you don’t get listed again.
Where it is possible to request removal, we will help you through the process. However, if your IP is listed on the Spamhaus Blocklist (SBL), removal can only be requested by your Internet Service Provider (ISP).
eXploits Blocklist (XBL) - Why was this IP address listed?
The machine using this IP is infected with malware that is emitting spam or is sharing a connection with an infected device.
As a result, this IP address is listed in the eXploits Blocklist (XBL)
Click on Show Details to see if you can request a delisting from this blocklist. This will also display any further information we have relating to this listing.
Why was this IP listed?
A machine using 199.204.248.169 is infected with malware associated with the avalanche/andromeda family.
199.204.248.169 initiated contact with a nymaim command and control server, using contents unique to nymaim C&C command protocols.
Technical details of the nymaim detection
199.204.248.169 initiated a tcp connection from 199.204.248.169 using source port 48164, to the sinkhole IP address 216.218.185.162 on destination port 80.
The most recent detection was on: April 19 2024, 17:40:35 UTC.
Information about the nymaim botnet
The Andromeda/Avalanche botnet was associated with 80 different malware families: Andromeda, Win3/Dofoil, Gamarue, Smoke Loader, W32/Zurgop.BK!tr.dldr, and many others. The Avalanche network also provided the Command & Control communications for these other botnets: TeslaCrypt, Nymaim, Corebot, GetTiny, Matsnu, Rovnix, Urlzone, QakBot, etc. This botnet was taken down in 2016 but malware associated with it remains active.
Additional information on nymaim can be found on Wikipedia.
What should be done about it?
If this is a shared server, please call your hosting company or ISP!
This listing is the result of what we believe to be a security issue. Your machine is still infected, and it is probable that there is more than one type of malware present. To stop ongoing listings and to secure your network, websites, devices and data we recommend both prevention and remediation of the issue.
Prevention
Spamhaus has an FAQ about general security best practices that should be followed.
Remediation
If this is a server, please set up logging to find the source of the problem. Check for compromised websites and follow the directions on our FAQ
If you have a Windows machine; To find and remove the malware please see the Microsoft website and run Microsoft Defender to catch any other related malware that may be present.
Removal from XBL
XBL listings expire automatically some time after the last detection. If necessary, once the security issue is solved, you can request removal.
********************
At this point, if your wife doesn't need the website, the email addresses can be easily changed to something else (I'd suggest a Gmail addy) - yes, there will be some time spent going to the various websites using the domain email address and changing them to something else. Can she GET her email ok?? (Some sites might send confirmation emails to the old email - though most will send it to the new one.)
I HOPE she's using a password manager that will list all these sites and their login details...that will make things 100% easier. Can't recommend the app 1Password enough if you don't have anything in place atm.
I am a little confused by "She has 3 emails and cannot send from any of them. brenda@elliff-legal-med.com, "server setting cp02 machighway.com", yahoo, icloud."
There is no reason that yahoo or iCloud email addresses should be affected by this. (is she using a Mac?)
If you do want to keep the domain & associated emails, and you want some help with this, get a new cPanel PW, PM the login to me, and I'll have a look for you. MacHighway should also be able to clean this up - and then deal with the blacklisting by Spamhaus (the request to un-blacklist HAS to come from the host - not you) but this may take some time to take effect. I'd also tell them to move the domain to another IP - they likely have multiple servers with multiple domains. However it shouldn't be moved until it's cleaned up. And then just throw a page up there with the domain name on it or something - plain old HTML - just to be able to check the status of the danger warning etc.
You will have to request that Google review the site once it's cleaned up in order for the deceptive website warning to be removed. See:
https://kinsta.com/blog/deceptive-site-ahead/
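As an added illustration (not part of the post above), this is how a receiving mail server, or you as an admin, checks an IP against Spamhaus ZEN over DNS: the IPv4 octets are reversed and looked up under the list zone, NXDOMAIN means "not listed", and a 127.0.0.x answer says which sub-list (SBL, XBL, PBL) hit. The IP is the one quoted above; `fake_resolver` is a constructed stub so the logic can be exercised offline, and the return codes are Spamhaus's documented ones.

```python
import socket
from typing import Callable, List
# Spamhaus ZEN answers are 127.0.0.x; the last octet identifies the sub-list that hit.
# Codes below are Spamhaus's documented return codes, not taken from the post above.
ZEN_CODES = {2: "SBL (spam source)", 3: "SBL CSS (snowshoe/compromised sender)",
             4: "XBL (exploited host: malware, bot or proxy)", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL (ISP end-user/dynamic space)", 11: "PBL"}
# 127.255.255.x answers mean the query was rejected, not that the IP is listed.
ZEN_ERRORS = {"127.255.255.254": "query sent via a public/open resolver, use your own",
              "127.255.255.255": "query limit exceeded"}

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def interpret(answers: List[str]) -> List[str]:
    """Map the A records returned by ZEN to human-readable list names."""
    findings = []
    for a in answers:
        if a in ZEN_ERRORS:
            raise RuntimeError(f"DNSBL query rejected: {ZEN_ERRORS[a]}")
        findings.append(ZEN_CODES.get(int(a.rsplit(".", 1)[1]), f"unknown code {a}"))
    return findings

def system_resolver(name: str) -> List[str]:
    """Real lookup through the OS resolver; raises socket.gaierror on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]

def check_ip(ip: str, resolver: Callable[[str], List[str]] = system_resolver) -> List[str]:
    """Return the ZEN sub-lists the IP is on; [] means not listed."""
    try:
        answers = resolver(dnsbl_query_name(ip))
    except socket.gaierror:  # NXDOMAIN is how a DNSBL says "not listed"
        return []
    return interpret(answers)

# Constructed offline stand-in for DNS so the logic can be exercised without network.
def fake_resolver(answers: List[str]) -> Callable[[str], List[str]]:
    def _resolve(name: str) -> List[str]:
        if not answers:
            raise socket.gaierror("NXDOMAIN")
        return answers
    return _resolve

if __name__ == "__main__":
    # Live check of the IP quoted in the post; needs network and a non-public resolver.
    print(check_ip("199.204.248.169") or "not listed")
```

Spamhaus refuses queries relayed through big public resolvers (you get the 127.255.255.254 answer), so run the live check from a machine using its own or the ISP's resolver.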