Why is my email blocked

+2 votes

I get this message from a spam blocker:
"The host at this IP address is infected with the CryptPHP PHP malware."

Then I get another that says:

 host mx3.hotmail.com [65.55.92.168]
    SMTP error from remote mail server after MAIL FROM:<w-----@runaprinsloo.co.za> SIZE=3008:
    550 OU-002 (SNT004-MC3F55) Unfortunately, messages from 197.242.144.138 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

This is urgent please as this address is my work email and I cant have my work emails bounce back to me. I also get reports from clients that their emails to me bounce back to them. Your email server also seems slower as I tested it and see that emails to my gmail arrive almost instantly while that to my work email from 15min to 2 hours later. It's clearly a problem on the server side. So can you please look into it and let me know what's been done about it.

 

asked May 18, 2015 in Email Hosting by anonymous
reshown Jun 11, 2015 by AfriDude

1 Answer

0 votes
Hi Anon!
 
Now, CryptPHP is a horror that's haunted several hosts, And even websites. 
Websites often get infected with CryptPHP via "Nulled" scripts, Such as Paid Plugins
which are offered from an alternative website without any cost. Usually these "Null"
providers will inject their own "special" code. This is where things get nasty.
 
So the web host themselves won't get affected (We're talking credit stuff and personal things)
Because they usually jail the websites hosted on their servers, But what this will do is open backdoors
on the website that installed this "Pirated" plugin, etc. These scripts often cannot be "simply" removed, 
and alot of the time, require that the CMS is completely re-installed (Yea, being a pirate was never a good thing)
 
So, These "Nulled" scripts Are reffered to as CryptPHP and are often identified as being names "social.png" Which 
seems like a photo file, but contains malicious executable code. The result of executing can range from Sending spam,
or creating open connections to other web servers.
 
(opening webpages on other web servers)-- Now say you have 100 compromised websites that you managed
to get CryptPHP installed on. You now have slight controll of 100 Websites here, Immagine that you send a command
to these 100 "robots" to each open a connection to sanral.co.za, This may exhaust some of their web resources 
(This is very bad mkay.) 
 
ANYHOW --TL;DR--
 
This is now affecting you because some other person [with a website ](now fancy website because he has a ""free"" plugin installed) managed to affect the server you're hosted in, hence getting the shared server you're probably hosted on as well, blacklisted. Yes, There are ways to detect this script automatically, but as I mentioned
earlier, It's not always the same, and damage to the website is often very very hectic. Alot of the time, this requires manual detection, until a system can be put in 
place to automatically detect and disable the site. ( These will have to learn the pattern first )
 
How to go about this
You usually need to notify your host on this issue (For your case, Afrihost) and let them know of the error you're getting, and how they can replicate it.
They'll first have to manually scan the server, Lock the infected domain, and request the delisting of the shared server you're on. 
Some cases this goes very quickly, or some cases (in Microsoft Cases) A report will have to be filed by the host to Microsoft for review. and Microsoft will remove the listing.
 
Now if you ever get this with any other host, you can do a whois lookup on the domain that's being affected (Even if it's not the "infected" domain) And you will
notice "abuse@afrihost.com" This is the department within that hosting provider that has direct contact with the blacklists and usually know how to deal with these issues
as fast as possible. (It's recommended you email  abuse@afrihost.com if this hasn't been fixed by now)
 
Anyhow, This is as much as I have on this issue, I may be wrong in some places (or all of the places) But this is my view on the issue, Others can comment in
which may be able to assist more on this issue.
 
p.s. This isn't really a support platform, but more of a public realm that can get you some useful advice or knowlege. Things here
could range from how to groom your dog the correct way, to why pac-man looks funny. So it is strongly recommended, for any issue that's affecting business
or your stress levels, Email support@afrihost.com. Also, another pro-tip, If it's anything department specific, you can use some of the emails below which could
get you help much faster than usual.
 
hosting@afrihost.com -- This should goto Afrihost's Hosting department (Not recommended for your issue)
support@afrihost.com -- This should just goto their general support (Also not recommended but you can if you want)
abuse@afrihost.com -- This is the department that deals with abusive cases such as malicious code on shared servers and such (Recommended for you)
 
There's other things I could include, but I'd say the request will have to be a bit more specific!
 
 
answered Jun 11, 2015 by MurdR93 (6,070 points)
...