wolstech

AutoSSL already ran on its own. The DV succeeded and a certificate request was submitted but the request is in the pending queue waiting to be issued. I suspect something's just broken because there's requests in the queue from as far back as January 28. These usually fulfill within 24 hours. Lets have Krydos look at this.

It's Super Bowl Sunday here in the USA, there's been nobody around most of the day. Sent.

All processes for user sebas have been killed.

That sounds odd. Let's see if Krydos has any ideas or additional logs to look at.

It varies by server. If you go into the page where you create the mail accounts in cpanel, there should be an option for mail client setup. You can pick "manual client configuration" to see the actual settings.

Sent.

Sent. Sorry for the delay on that and thank you for the donation

Your email domain was execs.com, which is a known abuse domain (we've had numerous phishing sites with addresses from that and similar domains like consultant.com, and the domain itself has no actual content on it, which is the norm for abuse domains). Yes I would recommend a different email account, or even just an address @mail.com would be fine. As for your username, one of the phishing sites on the account was "microsoftexcelverification", which your username hints at (Microsoft excel -> micro excel -> micoexel). This sort of shortening is *extremely* common with intentional phishing accounts. Basically, whoever you sent your info to checked just about every box in the book when it comes to both automated and manual phishing detection. If you post a new email address, I'll send you an invite for a replacement Johnny account.

There's probably a redirect that's keeping it from reaching the validation file. Make sure the .well-known folder is accessible over plain http or it won't work.

I'm going to let one of our other root admins Krydos decide on this. Your best case scenario would be a new account with a new domain (we don't unsuspend phishing or let you reuse domains that hosted phishing content). In the meantime, can you explain the above 5 points A - E from my last post? He'll want to see your answers so he can decide.

Your IP address of registration as well the one your posting from are both showing as belonging to M247 Ltd, a Los Angeles-based company known to supply VPNs/proxies so I can't tell where you are. The forum and hosting registration IPs don't match but are both from the same Proxy/VPN service. Also, I do find it odd that: A. You registered using a VPN or proxy, which in most cases only happens when phishing is planned in advance. We do have a few legitimate accounts like this, but they're hosting legitimate blogs and such. B. The phishing is oddly related to the account's username. C. You used the same excuse that nearly every phisher we've dealt with has used ("friend did it"). D. The last login IP in cPanel is from the same proxy/VPN service, suggesting that no "friend" ever signed in. E. Your email address is from a known abuse domain that also contains no meaningful content. The odds that they'd use the exact same VPN used to create the account to sign into a friend's hosting account and upload oddly-specific phishing just doesn't happen. Can you explain? I'll let Krydos make the final call on this, but I suspect he'll stand behind me when we say you intentionally phished.

Um...that's Chase bank phishing, Office 365 phishing, and something else in that zip file that I didn't bother to inspect. root@johnny [~]# cd /home/micoexel/www root@johnny [/home/micoexel/www]# ls -R .: Best Scama Bank Chase Full Info.zip chase microsoftexcelverification cgi-bin ducuhakwe.zip ./cgi-bin: ./chase: home index.php rezlt.txt uploads ./chase/home: antibots.php css index.php verification-finished.php blocker.php css2 res verification-id.php bt.php email.php robots.txt verification-info.php chase.png error_log verification-email.php verification.php ./chase/home/css: 112.png favicon.ico alert.png jquery-3.1.0.min.js background.desktop.night.4.jpeg jquery.fileuploader-theme-thumbnails.css background.desktop.night.7.jpeg jquery.maskedinput.js background_image.png js background.mobile.night.4.jpeg logon.css background.mobile.night.7.jpeg main.css background.tablet.night.7.jpeg new-bg.png blue-ui.css next-bg.png builderstyle.css opensans-regular.eot Capture.PNG opensans-regular.woff chasefavicon.ico opensans-semibold.woff chase-touch-icon-120x120.png php chase-touch-icon-152x152.png sample-photo-id-card.svg chase-touch-icon-76x76.png sample-selfie-card.svg chase-touch-icon.png src css warning.png css.css ./chase/home/css/css: background.desktop.night.7.jpeg jquery.fileuploader-theme-thumbnails.css css.css ./chase/home/css/js: custom.js jquery-3.1.1.min.js ./chase/home/css/php: form_upload.php upload_file.php upload_remove.php ./chase/home/css/src: class.fileuploader.php jquery.fileuploader.js jquery.fileuploader.css jquery.fileuploader.min.js ./chase/home/css2: background.mobile.night.4.jpeg jquery.maskedinput.js background.mobile.night.7.jpeg opensans-regular.eot blue-ui.css opensans-regular.woff chasefavicon.ico opensans-semibold.ttf chase-touch-icon-120x120.png videoplayer.eot chase-touch-icon-152x152.png videoplayer.ttf chase-touch-icon-76x76.png videoplayer.woff chase-touch-icon.png ./chase/home/res: post1.php post3.php post4.php post5.php system.php view-success.php ./chase/uploads: 1 gsTafzc-lQ261udNR81msA.jpeg ./microsoftexcelverification: images index.php login.php New Folder phone.php post.php verification.php ./microsoftexcelverification/images: favicon.ico m1.png m2.png m3.png m4.png m5.png m6.png ./microsoftexcelverification/New Folder: root@johnny [/home/micoexel/www]#

That account is suspended for Phishing. HelioHost does not tolerate phishing activity of any kind, and for security reasons will not unsuspend, back up, or delete an account that was involved in phishing. Because this was intentional phishing, you are no longer welcome to utilize our services and we ask that you find another web host. We apologize for any inconvenience and would like to thank you for interest in HelioHost.

We don't officially support such configurations, which is why we advise people not to do this, though if this setup is working for you, that's fine. Just be aware that if you ever need to reset your password and cannot get to the email box associated with the account for any reason, your only option will be to abandon the account and create a new one. You won't be able to delete it or get backups either.

An invite has been sent the email address associated with your forum account.

Actually you'd be surprised. Oftentimes the email accounts used were phished or had weak passwords. As someone who has a gmail account that it happened to (weak password), it's more common than you think. Other times they just use random addresses in hopes of not needing the verification (blog comment systems are often like this by default).

$1 or more. You should receive an email within 24 hours of donating with a link to register for tommy.

If your personal email was given to a spam bot, and the bot used it to try to sign up for 1000s of websites so it could spam them, you'd receive 1000s of emails as a result of the bot. Would you report those 1000s of unwanted emails as spam? I bet you would.

What you're missing here is that it's not even our policy unfortunately. Our provider Hurricane Electric requires us to suspend or ban users who receive abuse reports, so our system suspends all users who receive a report regardless of its content (the large majority of these reports are for phishing and other cybercrime, but unfortunately legitimate ones will get flagged too). If we fail to do so, they take the entire server offline (and if it happens too much, they could in theory put us out of business by cancelling our service). As a result, as ridiculous as it sounds, we have no choice. Most users who run larger forums here simply use an external SMTP server for their forum and call it a day.

You're suspended for distributing hacking tools, which is against our terms of service.

Gone.

Done. You should now be able to log in and your website should start working within 2 hours.

Unarchiving.

I'm aware it's not "spam" in the traditional sense, but it was unwanted by its recipient (which appears to be a rather dubious email address), and as a result you need to respect that by preventing that user from receiving further email from your account. Some email services automatically report spam on their users' behalves and not even deliver them. AOL (Verizon) is the most famous for doing this, though Comcast and GMX have been known to do it automatically as well. This might be what has happened since it was a Comcast address, however since there's no way of knowing, you need to make sure that particular address never receives another email from you (usually that means banning them from your forum). We also usually recommend our users disable registration emails on forums for this exact reason. We receive a lot of reports for forum registration email being marked as spam, usually when a forum get hit by spambots trying to sign up to post their spam. Also, while this email wasn't "technically" spam, this unfortunately isn't something we're able to take lightly because if we don't suspend users for spam reports and your emails continue to get marked as spam, the entire server you're on (several thousand websites) can end up on major spam blacklists, meaning nobody sharing the same server is able to send email without it being marked as spam. Needless to say, that's a massive inconvenience to everyone else, and even worse, it can take months to fix and get unblocked.

You're suspended because someone reported your email as spam. Please make sure that the email address referenced in the abuse report below never receives email from you again. Unsuspended. It should start working again in the next few minutes... We have received a complaint about your account. Please investigate and fix within 24 hours. Hurricane Electric Abuse Department support@he.net From fbl@bounce.mailstream.senderscore.net Wed Jan 23 09:58:51 2019 Return-Path: <fbl@bounce.mailstream.senderscore.net> X-Original-To: report@abuse.he.net Delivered-To: report@abuse.he.net Received: from he.net (he.net [216.218.186.2]) by abuse.he.net (Postfix) with ESMTPS id 0362F54030A for <report@abuse.he.net>; Wed, 23 Jan 2019 09:58:51 -0800 (PST) Authentication-Results: he.net; dkim=pass (no signature error) header.i=@senderscore.net header.s=081107 header.b=Hv7NYjJ2 Received: from mrd.us-east-1a.returnpath.net ([54.84.12.226]) by he.net with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256:TLSv1.2:Kx=ECDH:Au=RSA:Enc=AESGCM(128):Mac=AEAD) for <abuse@he.net>; Wed, 23 Jan 2019 09:58:47 -0800 Received: (Haraka outbound); Wed, 23 Jan 2019 17:57:44 +0000 Received: from localhost (ip-10-252-38-11.ec2.internal [10.252.38.11]) by mrd.us-east-1a.returnpath.net (Haraka/2.8.21) with ESMTP id 9246F72A-53F3-4855-9E80-ED8B9554B9A5.1 envelope-from <fbl@bounce.mailstream.senderscore.net>; Wed, 23 Jan 2019 17:57:44 +0000 From: Comcast FBL Service <feedbackloop@comcastfbl.senderscore.net> Date: Wed, 23 Jan 2019 17:57:44 +0000 Mime-Version: 1.0 X-Rp-Fbl: type=arf; Content-Type: multipart/report; report-type=feedback-report; boundary=f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28 Message-Id: <01D1XXRNVKVDR2ZA9N4SKR4WZC.fbl@bounce.mailstream.senderscore.net> To: abuse@he.net Subject: Comcast Abuse Report DKIM-Signature: v=1;a=rsa-sha256;bh=vBZvOW7xirtr8ACHEKiwFk0Uc9XP+SNuYTAfh4u6AQw=;c=relaxed/simple;d=senderscore.net;h=from:to:subject;s=081107;b=Hv7NYjJ2j5+jzvjkkK7kDtkEItBINBLDY0FbNW4DZbdNqlrh9crocItY2s/+3t+5JMwqX2AXNEwdD4D0S5e5lhej2PL/ZyQO+KCwGADSAMZMa8UmFKop7bb19T6+lONE8+BPds88+XeA49lQGEPvH5bn0x7bBMuky9KsdNVu8vg= --f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable This is a Comcast Abuse Report for an email message received from domain gu= mbroker.heliohost.org, IP 64.62.211.134, on Wed, 23 Jan 2019 09:18:21 +0000= . --f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: message/feedback-report Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/122002 User-Agent: ReturnPathFBL/2.0 Original-Mail-From: gbadmin@gumbroker.heliohost.org Source-Ip: 64.62.211.134 Source: Comcast Abuse-Type: complaint Feedback-Type: abuse Version: 1 Arrival-Date: Wed, 23 Jan 2019 09:18:21 +0000 Original-Rcpt-To: d3ff0f8c850b855cd77b0562f5609996@comcast.net Reported-Domain: gumbroker.heliohost.org --f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: message/rfc822 Return-Path: <gbadmin@gumbroker.heliohost.org> Delivered-To: d3ff0f8c850b855cd77b0562f5609996@comcast.net Received: from dovdir4-ch2g-03o.email.comcast.net ([69.252.207.19]) by dovback4-ch2g-03o.email.comcast.net with LMTP id SBduBVtQSFxELQAAfXIGpw for <d3ff0f8c850b855cd77b0562f5609996@comcast.net>; Wed, 23 Jan 2019 11:30:35 +0000 Received: from dovpxy-asb-14o.email.comcast.net ([69.252.207.19]) by dovdir4-ch2g-03o.email.comcast.net with LMTP id GMQgA1tQSFyKKwAAuRYs6A ; Wed, 23 Jan 2019 11:30:35 +0000 Received: from resimta-ch2-19v.sys.comcast.net ([69.252.207.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by dovpxy-asb-14o.email.comcast.net with LMTP id +A5oJ1VQSFxUaQAAfOHJ6w ; Wed, 23 Jan 2019 11:30:34 +0000 Received: from ricky.heliohost.org ([64.62.211.134]) by resimta-ch2-19v.sys.comcast.net with ESMTP id mGjpgOMSQvvn5mGjqgd8j9; Wed, 23 Jan 2019 11:30:34 +0000 X-CAA-SPAM: 00000 X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgedtledriedtgdeftdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucevohhmtggrshhtqdftvghsihenuceurghilhhouhhtmecufedttdenucdntegttghouhhnthculddvtddmnecujfgurhepuffvhfhrshggkffftgfgrfgioffqsehtkehjtdertdejnecuhfhrohhmpedfifhumheurhhokhgvrhcuhfhorhhumhhsfdcuoehgsggrughmihhnsehguhhmsghrohhkvghrrdhhvghlihhohhhoshhtrdhorhhgqeenucffohhmrghinhephhgvlhhiohhhohhsthdrohhrghenucfkphepieegrdeivddrvdduuddrudefgeenucfrrghrrghmpehhvghloheprhhitghkhidrhhgvlhhiohhhohhsthdrohhrghdpihhnvghtpeeigedriedvrddvuddurddufeegpdhmrghilhhfrhhomhepghgsrggumhhinhesghhumhgsrhhokhgvrhdrhhgvlhhiohhhohhsthdrohhrghdprhgtphhtthhopehkvghnnhgvthhhpghstghhlhgvihgthhgvrhestghomhgtrghsthdrnhgvthenucevlhhushhtvghrufhiiigvpedt X-Xfinity-CCat: updates X-Xfinity-VMeta: sc=20;st=transactional:account X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=1;DMARC= Authentication-Results: resimta-ch2-19v.sys.comcast.net; dkim=pass header.d=gumbroker.heliohost.org header.b=cYcUrNcA DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gumbroker.heliohost.org; s=default; h=Content-Transfer-Encoding: Content-Type:Date:Message-ID:MIME-Version:Sender:Reply-To:From:To:Subject:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=3HY9oUCl8DFnJdnNGZJbr+8cGq59xbKb6S8vhQmGiis=; b=cYcUrNcAp3h1vpC93NbS3LRQZ VN1pDZiP3jOf7kRKs5WYmwVbQbt8HmvseaPXnqB+HCk9y/oHIihx4PoC4sY+tvPKCtiFw0kRah5ed inYS3ofCvMYuxLdWViHZMEjf3GukyYohOnAnyR4vkXR0NUJ1NMfyc1Lged3/iQQMl8cDdRoEtqtIY MupqvSoNsIa8L/PYkict9cY1G46WGiaQBf5V6MtNZF53QxcPGOkVKtDq8o1y4VeJSGsY28zkXftRn /6+r30Ey1CPWgKE9GtHFxi5ilEbt2BE+3um6a9ocw4iGouR/TGUgeRb+TFVK3XuUVTP+quhM9FfgW mERzBxkDA==; Received: from ricky.heliohost.org ([64.62.211.134]:45692) by ricky.heliohost.org with esmtpsa (TLSv1:ECDHE-RSA-AES128-SHA:128) (Exim 4.89) (envelope-from <gbadmin@gumbroker.heliohost.org>) id 1gmEfu-000SJ8-UN for d3ff0f8c850b855cd77b0562f5609996@comcast.net; Wed, 23 Jan 2019 01:18:23 -0800 Subject: Welcome to "GumBroker" To: ab07afaef698e4357206005e678b0140 <d3ff0f8c850b855cd77b0562f5609996@comcast.net> From: "=?UTF-8?B?R3VtQnJva2VyIEZvcnVtcw==?=" <gbadmin@gumbroker.heliohost.org> Reply-To: "=?UTF-8?B?R3VtQnJva2VyIEZvcnVtcw==?=" <gbadmin@gumbroker.heliohost.org> Sender: <gbadmin@gumbroker.heliohost.org> MIME-Version: 1.0 Message-ID: <0a4eca5528e742af3c5ad7845ff719ac@gumbroker.heliohost.org> Date: Wed, 23 Jan 2019 09:18:21 +0000 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: phpBB3 X-MimeOLE: phpBB3 X-phpBB-Origin: phpbb://gumbroker.heliohost.org/forum X-AntiAbuse: Board servername - gumbroker.heliohost.org X-AntiAbuse: User_id - 1 X-AntiAbuse: Username - Anonymous X-AntiAbuse: User IP - 188.138.188.34 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - ricky.heliohost.org X-AntiAbuse: Original Domain - comcast.net X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - gumbroker.heliohost.org X-Get-Message-Sender-Via: ricky.heliohost.org: authenticated_id: smtp_daemon@gumbroker.heliohost.org X-Authenticated-Sender: ricky.heliohost.org: smtp_daemon@gumbroker.heliohost.org X-Source: X-Source-Args: X-Source-Dir: Welcome to GumBroker forums Please keep this email for your records. Your account information is as follows: ---------------------------- Username: ab07afaef698e4357206005e678b0140 Board URL: http://gumbroker.heliohost.org/forum ---------------------------- Your account is currently inactive and will need to be approved by an administrator before you can log in. Another email will be sent when this has occurred. Your password has been securely stored in our database and cannot be retrieved. In the event that it is forgotten, you will be able to reset it using the email address associated with your account. Thank you for registering.