We’ve been notified by our domain registrar, Enom.com, that they have been experiencing a new malware scam/phishing attempt that is being carried out. This scam is attempting to look like an email being sent out from a registrar’s email address (for example, abuse@enom.com) saying that a customer’s domain name has been suspended for a violation of an abuse policy. In order to find out what the abuse is you have to click on a link which will attempt to download something to your computer. The email looks like this:

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: [redacted]
Registrar: ENOM, INC.
Registrant Name: [name on whois information]

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here [LINK] and download a copy of complaints we have received.

Please contact us by email at mailto:abuse@enom.com for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

According to several online forums, it looks like other registrars are being spoofed as well. If you do happen to receive an email like this it is important that you do not click on any links inside, and do not download anything on to your computer.

As always, it’s important to be wary of an email that comes from an address you don’t recognize, and even sometimes from addresses that you do recognize. Spammers are always trying to find newer, better ways of getting you to open their emails and potentially infect your computer. If you ever receive an email that you aren’t sure about you can contact our support team and we’d be happy to help sort it out.

As you may have noticed, we recently removed all of the “BBB Accredited” images from our website. That’s because, for the time being, we will no longer be affiliated with the Better Business Bureau. The reason is outlined below.

In January, the BBB announced they would be changing their rating system. Part of the change to the rating system included the way that the BBB would be recognizing the size of a given company. In the past, the BBB determined business size by the number of clients a company had. The new determination is based on total revenue, instead.

This means that instead of the BBB rating being based on the number of complaints compared to your total amount of clients, the rating is being gathered by number of complaints based on revenue. In theory, now you could have a company with 5 clients and a gross revenue of $500,000. If 2 of your clients file BBB complaints you can still have an A because it doesn’t matter that 40% of your client base filed a complaint. Instead, your rating will be high because you made $500,000 and only had 2 customers complain.

This change in the way their system rates businesses negatively affected our score, since we have a good number of customers but our revenue is relatively low because our hosting prices are so low. The BBB saw this as us being a smaller company and thus lowered our rating from an A to a B+. Absolutely nothing changed on our end, yet our rating was lowered.

This, to us, just doesn’t seem fair. We work hard to provide you with an affordable service, both short term and long term. According to the BBB, though, 9 complaints over the course of 3 years just isn’t good enough because we simply don’t make enough money. Frankly, that’s a bit disheartening. And that’s why we are no longer accredited.

If you’ve been following the last few blog posts I’ve made, or if you’ve been unlucky enough to experience it first hand, you’d see that the StealRat botnet has become a huge issue not just for us, but for the vast majority of shared hosting companies. We’ve been working hard over the last month to try and come up with a permanent fix without affecting your websites or hosting service. Luckily, we’ve finally found one.

What we’ve found is a sort of firewall solution. We’ve been testing it on one of our servers and it has been incredibly effective, essentially stopping all of the spam issues that have been caused by StealRat. The way it works is relatively simple. A firewall sits between the internet and your hosting account, and any time a new file is uploaded it is scanned. If the file being uploaded is recognized as an exploit it is moved to a quarantine area to keep it from infecting the rest of the hosting account.

The firewall looks for more than 3,000 known exploits, searching for everything from simple things like suspicious file names and file types to more complex issues like binary executables and CGI uploads.
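To make the upload-scanning idea concrete, here is a constructed example (not HostMetro's firewall, nor any real product's signature set) that applies the kinds of checks described above to a file as it lands in the document root and quarantines anything that matches; the directory names, extensions and the webshell pattern are assumptions chosen for illustration.

```python
import os, re, shutil, tempfile

# Constructed example, not HostMetro's firewall: a minimal upload scanner that
# applies the kinds of checks described above (suspicious names and types,
# native binaries, CGI scripts, webshell patterns) and quarantines matches.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
UPLOAD_DIRS = {"uploads", "cache", "tmp", "images"}   # assumed upload locations
BINARY_MAGIC = (b"\x7fELF", b"MZ")                    # ELF and PE/DOS executables
SHELL_RE = re.compile(rb"(eval|assert|system|passthru|shell_exec)\s*\(.{0,40}\$_(GET|POST|REQUEST)")

def classify_upload(relpath, data):
    """Return the reasons an upload looks like an exploit (empty list = clean)."""
    segs = relpath.replace("\\", "/").lower().split("/")
    dirs, exts = set(segs[:-1]), ["." + p for p in segs[-1].split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if last in PHP_EXTS and dirs & UPLOAD_DIRS:
        reasons.append("PHP file in upload directory")        # e.g. photo.jpg.php
    if last in IMAGE_EXTS and b"<?php" in data[:4096]:
        reasons.append("PHP code inside image file")
    if data.startswith(BINARY_MAGIC):
        reasons.append("binary executable")
    if last in {".cgi", ".pl"} and "cgi-bin" not in dirs:
        reasons.append("CGI script outside cgi-bin")
    if SHELL_RE.search(data):
        reasons.append("request-controlled code execution")  # eval($_POST[...])
    return reasons

def scan_and_quarantine(docroot, relpath, quarantine_dir):
    """Scan docroot/relpath; if it matches, move it into quarantine_dir and return why."""
    full = os.path.join(docroot, relpath)
    with open(full, "rb") as fh:
        reasons = classify_upload(relpath, fh.read())
    if reasons:
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.move(full, os.path.join(quarantine_dir, relpath.replace("/", "__")))
    return reasons

def demo():
    """Scan constructed sample uploads in a temp docroot: relpath -> (reasons, still in place?)."""
    root = tempfile.mkdtemp()
    samples = {"wp-content/uploads/photo.jpg.php": b"<?php echo 1;",
               "wp-content/uploads/logo.gif": b"GIF89a<?php eval($_POST['c']); ?>",
               "wp-content/uploads/real.png": b"\x89PNG\r\n\x1a\n"}
    for rel, data in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    quarantine = os.path.join(root, "quarantine")
    return {rel: (scan_and_quarantine(root, rel, quarantine), os.path.exists(os.path.join(root, rel)))
            for rel in samples}
```

A real deployment would log every quarantine decision so a wrongly pulled file can be restored, since the false-positive risk the post mentions is exactly where a naive name-based rule bites (some plugins legitimately place an index.php in upload directories).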

The best part about this is, so far, we have seen absolutely zero false positives. Our initial concern was the firewall blocking legitimate files from being uploaded, but over the past month this hasn’t happened once. It has also virtually stopped all spamming from infected accounts from the one server that we have been testing.

We feel that this is the best, most effective way to protect all of you (and us) from further StealRat issues and will be rolling out the firewall on the rest of our servers. This should resolve all of the recent RBL issues that we’ve been having, and there shouldn’t be any difference in the way your hosting account or website runs.

WordPress rolled out a new update today, 4.2.2, and it’s important that you update your WordPress websites as soon as possible. There are several security patches included in this update, which you can read more about on the official WordPress website.

In short, the update fixes a vulnerability with a popular font file which allowed hackers to gain access to WordPress accounts. It also fixes an issue where anonymous users could compromise a WordPress website.

As I’ve covered in previous posts, keeping your websites up to date is one of the easiest, but most effective ways of making sure they are secure. It also helps us do our jobs in keeping the servers more stable and secure, and helps us avoid StealRat and other spamming issues, which are generally caused by CMS exploits.

One of our admins also found a website that catalogs all known exploited WordPress plugins, themes, etc., as well as how to fix them. You can visit WordPressExplot.com to see the list. You’d be surprised at just how many things are on there.

If you’ve got any questions or need help updating, feel free to contact us at support@hostmetro.com or leave a comment below and we’ll help you out.

As you may have noticed, there has been a recent influx of HostMetro mail servers getting flagged on blacklists for sending spam. What you may not know is that this is part of a worldwide botnet called StealRat that is affecting many shared (and other) hosting companies around the world. While we are doing our best to combat StealRat, the truth is there is only so much we are able to do without actually accessing and modifying your websites, which is something we don’t want to do.

To give you a better understanding of why we would have to modify your websites, I need to give you a better understanding of how StealRat works. The basics are that StealRat targets websites that have popular but outdated plugins, themes, and modules for content management systems like WordPress, Joomla, and Drupal. The attackers then use these compromised websites to send out massive amounts of spam. Since shared servers (like the ones we have) host 500 or so websites each, one or two compromised websites can cause a whole server to be blacklisted. For a very in-depth description you can click here.

For example, some of the most targeted files we’ve come across on our servers are the following:

  • JetPack plugin for WordPress
  • Yoast SEO plugin for WordPress
  • RevSlider plugin for WordPress
  • CKEditor plugin for Joomla
  • Checklist API for Drupal

This is a relatively small list, but these are some of the most popular plugins/modules available, most of which have millions of installations worldwide, which is why they are the most targeted by hackers.

While we are trying our best to make sure all of our servers are able to send and receive mail without issue, we need your help. Short of actually going on to every one of your accounts and updating all of your plugins, themes, etc., we can only do so much to combat the spam. We don’t want to modify your websites in any way because they are yours and that, frankly, is no business of ours.

What we can do is urge all of you to update all of your plugins, themes, and CMS installations to their latest versions. Not only that, but it’s incredibly important to keep them updated as new versions are rolled out. As these plugins get older they become more targeted by hackers because they are able to find ways to exploit them. Updates are made to plugins to patch these exploits so that they stay secure.

To give you an idea of how we’re trying to stop it before it starts, we’ve tried multiple fixes on our end. What we’ve come up with now is a system to recognize as soon as an account is sending massive amounts of mail, then we access the account to see if the email is legitimate or spam. If it’s spam, we find the location (usually a php file on the account) and remove the source. After that we run a malware scan on the whole account to ensure that there are no other compromised files.
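The first step of that process, noticing that one account has suddenly started submitting mail in bulk, can be scripted against the mail server's log. The example below is constructed for this post (not HostMetro's own system) and assumes Exim-style mainlog lines in which "<=" marks an accepted message and U= names the submitting hosting account; the sample log lines, the window size and the threshold are all made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed example, not HostMetro's own system: flag a hosting account once
# it submits more than MAX_PER_WINDOW messages inside WINDOW, using Exim
# mainlog style "<=" (message accepted) lines. All log lines are constructed.
WINDOW = timedelta(minutes=10)
MAX_PER_WINDOW = 3   # deliberately tiny so the sample trips it; tune for real traffic

SAMPLE_LOG = """\
2015-05-07 10:00:01 1YqPhg-0001Ab-2x <= owner@bloguser.example U=bloguser P=local S=1820
2015-05-07 10:00:05 1YqPhk-0001Ac-3y <= ann.x@shopsite.example U=shopsite P=local S=2210
2015-05-07 10:00:06 1YqPhk-0001Ac-3y => victim@example.net R=dnslookup T=remote_smtp
2015-05-07 10:00:09 1YqPhp-0001Ad-4z <= bob.y@shopsite.example U=shopsite P=local S=2214
2015-05-07 10:00:14 1YqPht-0001Ae-5a <= cid.z@shopsite.example U=shopsite P=local S=2209
2015-05-07 10:00:20 1YqPhy-0001Af-6b <= dee.w@shopsite.example U=shopsite P=local S=2211
2015-05-07 10:00:31 1YqPi3-0001Ag-7c <= eve.v@shopsite.example U=shopsite P=local S=2213
2015-05-07 10:03:00 1YqPkV-0001Ah-8d <= owner@bloguser.example U=bloguser P=local S=1905
""".splitlines()

# timestamp, message id, "<=", envelope sender, U=account, P=protocol (assumed layout)
LINE_RE = re.compile(r"^(\S+ \S+) \S+ <= (\S+) U=(\S+) P=(\S+)")

def flag_spammers(lines):
    """Return {account: (time first over limit, total submissions, senders used)}."""
    recent = defaultdict(deque)   # account -> submission times inside the sliding window
    senders = defaultdict(set)    # account -> envelope senders (rotating senders is a spam tell)
    total = defaultdict(int)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # delivery ("=>") and bounce lines are not submissions
        stamp, sender, acct = m.group(1), m.group(2), m.group(3)
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        senders[acct].add(sender)
        total[acct] += 1
        q = recent[acct]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()           # drop submissions that fell out of the window
        if len(q) > MAX_PER_WINDOW and acct not in flagged:
            flagged[acct] = stamp
    return {a: (t, total[a], sorted(senders[a])) for a, t in flagged.items()}
```

A flagged account is the cue for the manual steps the post describes (inspect the queued mail, locate the sending script, run a malware scan); the script only ranks where to look first.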

Our head administrator is also working on a script that will (hopefully) block the malicious files from being uploaded to any account. This should effectively stop the problem before it starts. We are currently testing this script to make sure that it will work without having any adverse effects to any hosting account or server. If the tests go as we hope then this will be rolled out on all of our live servers.

Truth be told, if every one of our customers were to keep their plugins and scripts up to date, none of this would have happened and nobody would be having issues sending emails. Unfortunately, people have their reasons for not updating these things. All we can do is ask you all to pretty please with sugar on top do your best to keep all of your websites up to date. It will make a better, safer, more secure hosting environment for everyone.