Anyone has issues with colocrossing IP nullroute?

MultiStars Member
edited August 2017 in General

A few months ago, I ran away from a VPS provider because they nullrouted my IP for SMTP activity. It happened a few times, and every time it happened, I checked the mail log of the server and the mail queue but didn't find anything unusual (it was like I sent email at a rate of 1 email per a few hours). At that time I thought there were some issues with the provider's monitoring system.

Today, a very similar problem happened to another server of mine at quite a big provider here in LET. My IP was nullrouted by the datacenter, and a very similar email was sent to me, saying that the nullroute may be up to 48 hours. I logged in to my server through the console, checked, and saw one email stuck in the queue (I guess it could not be delivered due to some problems). Checking the mail log, I see the total sending and receiving rate is 1 email every 0.5 to 1.5 hours, and it was nullrouted by the datacenter.

Normally, I think if the provider nullroutes, they should lift it immediately upon request (since this is the first time), but no, they said it may be any time up to 48 hours.

So I believe the nullroute was done by their upstream. I checked the IP address on whatismyipaddress dot com, and I saw the IP is owned by colocrossing. Due to the similarity of the nullroute email notification, I also checked the IP address of the previous provider (that I ran away from a few months ago), and saw that IP is also owned by colocrossing.

I am managing many VPS for different clients, but I have encountered only 2 irritating problems and they are both related to colocrossing.

So, I just wonder if anyone else has the same problem as me, or am I the only one?

Comments

  • Name of the providers?

  • WSS Member

    I don't tend to send too many messages through ColoCrossing since I prefer to be IPv6 native whenever possible.

    Thanked by 1 brueggus
  • @doghouch said:
    Name of the providers?

    Thanks, maybe it is not advisable to name them here, since it may affect their business. And I'm still having service with one of them.

    Thanked by 1 doghouch
  • Yup, happened with me as well. Cc reseller, null routed the ip because of spam emails, when it was just the server sending "service down" emails to the admin email.

  • After 6 hours of downtime, finally my server is back online. I sent them details about how to investigate our server mail log. A support staff member just replied that "The threshold on this was way too low on the datacenter's end.", so if I understand correctly he has investigated and admitted it was the datacenter's fault. By saying "Datacenter" I'm not sure if he is referring to his company or his upstream.

  • Francisco Top Host, Host Rep, Veteran

    @Junkless said:
    Yup, happened with me as well. Cc reseller, null routed the ip because of spam emails, when it was just the server sending "service down" emails to the admin email.

    Their initial system just monitored PPS on port 25 and applied nullroutes based on that so sending any reasonable amount of emails (a couple a second, maybe even less) could get you smacked.

    They supposedly do have a way to whitelist people, or at the very least increase the limit.

    Francisco

  • MultiStars Member
    edited August 2017

    @Francisco said:

    @Junkless said:
    Yup, happened with me as well. Cc reseller, null routed the ip because of spam emails, when it was just the server sending "service down" emails to the admin email.

    sending any reasonable amount of emails (a couple a second, maybe even less) could get you smacked.

    Francisco

    Is this a typo? In my case that was a couple of emails every 1-2 hours and my IP was still nullrouted.

  • Francisco Top Host, Host Rep, Veteran

    @MultiStars said:

    @Francisco said:

    @Junkless said:
    Yup, happened with me as well. Cc reseller, null routed the ip because of spam emails, when it was just the server sending "service down" emails to the admin email.

    sending any reasonable amount of emails (a couple a second, maybe even less) could get you smacked.

    Francisco

    Is this a typo? In my case that was a couple of emails every 1-2 hours and my IP was still nullrouted.

    I don't know the limits, I assumed 1 or 2 a second would be a fair number they kept it at.

    If it's that low then damn.

    Francisco

  • AnthonySmith Member, Patron Provider
    edited August 2017

    MultiStars said: I ran away from a VPS provider because they nullrouted my IP for SMTP activity. It happened a few times, and every time it happened, I checked the mail log of the server and mail queue but didn't find anything unusual.

    MultiStars said: Today, a very similar problem happened to another server of mine at quite a big provider here in LET.

    And you think checking your own mail logs is the definitive answer here?

    In your shoes the questions and things in my head would be:

    1) Damn someone is using me as an open relay, how?

    2) Damn someone is proxying mail traffic via my VPS, how?

    3) Let me check the release notes for anything I have installed for updates, security patches and what they were for.

    4) Let me monitor and collate some traffic on all mail ports.

    5) Let me run tcpdump and filter port 25 for later analysis should this happen again.

    6) If I am running email from the server let me change my passwords just in case.

    Seems a bit too much of a coincidence, I think you need to do a lot more troubleshooting.

    I have had a customer call me all the names under the sun only to find out on further investigation his home PC was the problem and he was using the VPS as a VPN.

    Thanked by 3 Clouvider RIYAD MasonR
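
Steps 4 and 5 of the checklist above, as an added example that is not code from any poster in this thread: it counts outbound port-25 packets per second from a text capture (the kind of figure the datacenter is said to have keyed on) and lists destinations on the wire that the MTA's own log never mentions. The capture, the mail log line, the addresses and the Postfix-style `relay=` format are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -tt 'tcp port 25'` output (not from the thread).
CAPTURE = """\
1502700000.101 IP 203.0.113.10.48122 > 198.51.100.25.25: Flags [S], seq 100, win 29200, length 0
1502700000.140 IP 198.51.100.25.25 > 203.0.113.10.48122: Flags [S.], seq 900, ack 101, win 28960, length 0
1502700000.141 IP 203.0.113.10.48122 > 198.51.100.25.25: Flags [.], ack 1, win 229, length 0
1502700001.020 IP 203.0.113.10.48122 > 198.51.100.25.25: Flags [P.], seq 1:24, ack 40, win 229, length 23
1502700060.001 IP 203.0.113.10.50001 > 192.0.2.77.25: Flags [S], seq 1, win 29200, length 0
1502700060.002 IP 203.0.113.10.50002 > 192.0.2.77.25: Flags [S], seq 1, win 29200, length 0
1502700060.003 IP 203.0.113.10.50003 > 192.0.2.77.25: Flags [S], seq 1, win 29200, length 0
"""
# Constructed Postfix-style delivery line; other MTAs log the relay differently.
MAILLOG = """\
Aug 14 08:40:01 vps postfix/smtp[2211]: 3F2A1C0: to=<admin@example.org>, relay=mx.example.org[198.51.100.25]:25, delay=1.2, dsn=2.0.0, status=sent (250 ok)
"""

PKT = re.compile(r"^(\d+)\.\d+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")
RELAY = re.compile(r"relay=\S*?\[([0-9A-Fa-f.:]+)\]:25")

def outbound_smtp(capture, local_ip):
    """Count packets this host sent to remote port 25: per destination and peak per second."""
    per_dest, per_sec = Counter(), Counter()
    for line in capture.splitlines():
        m = PKT.match(line)
        if m and m.group(2) == local_ip and m.group(5) == "25":
            per_dest[m.group(4)] += 1
            per_sec[int(m.group(1))] += 1
    return per_dest, max(per_sec.values(), default=0)

def mta_relays(maillog):
    """IP addresses the MTA itself logged as delivery relays on port 25."""
    return set(RELAY.findall(maillog))

def unexplained(capture, maillog, local_ip):
    """Port-25 destinations seen on the wire that the mail log never mentions."""
    per_dest, _ = outbound_smtp(capture, local_ip)
    known = mta_relays(maillog)
    return {dst: n for dst, n in per_dest.items() if dst not in known}

if __name__ == "__main__":
    dests, peak_pps = outbound_smtp(CAPTURE, "203.0.113.10")
    print("peak outbound port-25 packets in one second:", peak_pps)
    print("not in mail log:", unexplained(CAPTURE, MAILLOG, "203.0.113.10"))
```

A non-empty result means something other than the MTA is talking SMTP from the host (or through it, if it forwards traffic), which the mail log and queue alone cannot show.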
  • @WSS said:
    I don't tend to send too many messages through ColoCrossing since I prefer to be IPv6 native whenever possible.

    Oh dear! Your message was sent through ColoCrossing's patented V6 proxy technology (aka. CloudFlare).

  • @Francisco said: Their initial system just monitored PPS on port 25 and applied nullroutes based on that so sending any reasonable amount of emails (a couple a second, maybe even less) could get you smacked.

    Exactly what happened with me too (and more than once on more than a couple of VPSs at different DCs but all CC locations). I had to ticket in and explain stuff to get the nullroute lifted and also to increase the limit (or whitelist - not sure what was actually done).

    After the first few hiccups though things have been very good and I've not had any issues with my usual volume of system mails/notifications/alerts (all only to my own - no general/public emails at all).

    Hopefully a similar approach (ticketing in, clarifying things) can get you sorted out @MultiStars

    Thanked by 1 MultiStars
  • Well, for all of my servers I do the following: Limit SSH access only to my IPs, No open relay, enable SMTP_BLOCK setting in csf, limit each minute to send a maximum of 1 email (through MTA setting) even though my actual sending rate is much lower, update server every month.

    I have never used tcpdump to capture all traffic on port 25, since I'm not good at tcpdump analysis. I have no idea about what is "proxying mail traffic", but I would say I am a typical/regular user, and probably all my settings above are reasonably secured.

    When I went away from my first providers, I just reused all settings (including mail settings, data files) in a new provider except the root password, and it hasn't happened over the past few months. (in the old provider, it was nullrouted a few times)

  • Thanks @nullnothere, my current provider said they have requested for an increase in limit, not sure how much they increase, let's hope it will not occur again.

  • CConner Member, Host Rep
    edited August 2017

    If they impose limits on the small amount of emails you sent I think it is time to look for another provider. Who knows what other restrictions / limitation they have.

  • @Francisco said:

    @Junkless said:
    Yup, happened with me as well. Cc reseller, null routed the ip because of spam emails, when it was just the server sending "service down" emails to the admin email.

    Their initial system just monitored PPS on port 25 and applied nullroutes based on that so sending any reasonable amount of emails (a couple a second, maybe even less) could get you smacked.

    They supposedly do have a way to whitelist people, or at the very least increase the limit.

    Francisco

    Did the system monitor the difference between inbound and outbound pps?

    This sounds vulnerable to attack.

  • WSS Member

    @doghouch said:

    @WSS said:
    I don't tend to send too many messages through ColoCrossing since I prefer to be IPv6 native whenever possible.

    Oh dear! Your message was sent through ColoCrossing's patented V6 proxy technology (aka. CloudFlare).

  • Nope

    Thanked by 1 doghouch
  • Yes, my terms of service said 100 emails/hour max. I was well under half that (NO spams) and got null routed by colocrossing twice (once in San Jose and once in Buffalo). I asked nicely and they unblocked. It sounded like they asked the data center to fix their limits, but I'm playing it careful now.

    Thanked by 1 MultiStars