As you may have noticed, there has been a recent influx of HostMetro mail servers getting flagged on blacklists for sending spam. What you may not know is that this is part of a worldwide botnet called StealRat that is affecting many shared (and other) hosting companies around the world. While we are doing our best to combat StealRat, the truth is there is only so much we are able to do without actually accessing and modifying your websites, which is something we don’t want to do.

To give you a better understanding of why we would have to modify your websites, I need to give you a better understanding of how StealRat works. The basics of it are that StealRat targets websites that have popular, but outdated plugins, themes, and modules for content management systems like WordPress, Joomla, and Drupal. They then use these compromised websites to send out massive amounts of spam. Since shared servers (like the ones we have) host 500 or so websites each, one or two compromised websites can cause a whole server to be blacklsited. For a very in depth description you can click here.

For example, some of the most targeted files we’ve come across on our servers are the following:

  • JetPack plugin for WordPress
  • Yoast SEO plugin for WordPress
  • RevSlider plugin for WordPress
  • CKEditor plugin for Joomla
  • Checklist API for Drupal

This is a relatively small list, but these are some of the most popular plugins/modules available, most of which have millions of installations worldwide, which is why they are the most targeted by hackers.

While we are trying our best to make sure all of our servers are able to send and receive mail without issue, we need your help. Short of actually going on to every one of your accounts and updating all of your plugins, themes, etc., we can only do so much to combat the spam. We don’t want to modify your websites in any way because they are yours and that, frankly, is no business of ours.

What we can do is urge all of you to update all of your plugins, themes, and CMS installations to their latest versions. Not only that, but it’s incredibly important to keep them updated as new versions are rolled out. As these plugins get older they become more targeted by hackers because they are able to find ways to exploit them. Updates are made to plugins to patch these exploits so that they stay secure

To give you an idea of how we’re trying to stop it before it starts, we’ve tried multiple fixes on our end. What we’ve come up with now is a system to recognize as soon as an account is sending massive amounts of mail, then we access the account to see if the email is legitimate or spam. If it’s spam, we find the location (usually a php file on the account) and remove the source. After that we run a malware scan on the whole account to ensure that there are no other compromised files.

Our head administrator is also working on a script that will (hopefully) block the malicious files from being uploaded to any account. This should effectively stop the problem before it starts. We are currently testing this script to make sure that it will work without having any adverse effects to any hosting account or server. If the tests go as we hope then this will be rolled out on all of our live servers.

Truth be told, if every one of our customers were to keep their plugins and scripts up to date, none of this would have happened and nobody would be having issues sending emails. Unfortunately, people have their reasons for not updating these things. All we can do is ask you all to pretty please with sugar on top do your best to keep all of your websites up to date. It will make a better, safer, more secure hosting environment for everyone.

2 Thoughts on “Email blacklists, Botnets, and more.

  1. Pingback: Another day, another WordPress Update - Company Blog

  2. Pingback: StealRat and Server Updates - Company Blog

Leave a Reply

Post Navigation