OT: Best Website Hosting?

It was a typical case. A complete domain (IP address range) was blocked, no matter what the email prefix.

There are technical reasons not to like GoDaddy and to question their competence. We ran into some of them recently.

GoDaddy had decided to move the account to a different server. Normally, that would be transparent to the user with minimal downtime. When the move was completed, all the files beginning with "." were gone and had not been moved. The problem was not the screwup in the script used for the move, but rather that GoDaddy support didn't understand what we were talking about, provided excuses that made little sense, offered no help, and consistently tried to pass responsibility to the customer, even though the move was their idea. In the end, we had to upload replacement dot files. A few months later, we jumped ship to another provider.

Recently, I had to deal with the Heart Bleed SSL security mess. I checked all my customers sites for vulnerability and made sure that their ISP was doing something about fixing it. I eventually got around to checking the web sites run by friends and former customers, when I ran into one that had not been fixed. I contacted the customer, who contacted their web designer, who contacted their hosting company, which was GoDaddy. The problem was that the web designer was reselling hosting and email services on a dedicated server. According to GoDaddy support, the reseller was responsible for security on their dedicated server, and that this was not a GoDaddy problem. GoDaddy didn't even bother to warn their dedicated server and virtual private server customers that there was a problem. That all changed a day or two later, when GoDaddy did supply a warning and instructions on how to fix the Heart Bleed problem. I did not have the displeasure of dealing with GoDaddy support in this exchange, but did receive copies of the email exchange. Mostly excuses and attempts to deflect responsibility, which seemed all too familiar. I recommended my former customer move to another provider, but they're locked in by the web designers package deal.

While it may look like there are a large number of web hosting companies available, most of them are owned by EIG: (including Bluehost). They're all the same operation, differing only in name and offerings. The smaller hosting companies are often virtual operations, reselling dedicated or virtual private server space leased from large cloud providers or server farms. Their ability to deal with upstream problems that are out of their control is very limited. Tech support is usually from LiveChat/LivePerson, which is ok for simple problems, and useless for everything else. Even the billing is outsourced: and who has its own problems:

Drivel: List of know spam operations:

For additional entertainment, it's sometimes interesting to find who is hosting your friends and neighbors web sites:

Yep. Here's the shopping list of spammer friendly ISP's which changes quite often: The list comes from the SBL: to which many ISP's subscribe to protect their mail servers from being flooded by incoming spam email.

Although this is from 2008, it shows that even the big guys host spammers:

It's a real problem. Spammers do make money for ISP's. If the ISP is struggling financially, it's difficult to turn down a well paying "premium" customer, even if they are a spammer.

Incidentally, I managed to get my static IP address listed on one of the block lists recently. I was working on a customers machine removing a rootkit and some assorted evilware, some of which was apparently sending spam. I usually unplug the machine from the internet while scanning for malware, but forgot this time. A few hours later, I discovered my email ISP was blocking all my outgoing email. Oops. It took about 30 minutes to get delisted and about an hour for the changes to propagate back to the ISP.

forward the mail from the 100+ addresses into 2 new addresses on the same server as the 100+. Use IMAP or POP3 to download from the

You are correct that everyone is tarred with the same brush. But what generally happens is you can sign up for hosting without ever talking to a live human being. So the spammer sets up an account with a credit card, probably stolen, uses a burner email address to get the needed data for the hosting company, then dumps a pile of spam. The spam sniffers detect where the spam is coming from, and the whole IP is blocked. Since headers can be faked, it would be too lenient just to block one address.

The medical office email hosting companies want no foreign users. It is just for the US since it is our law. They use an automated scheme to give you a password via a phone call. The call must be to the US. Of course it is possible to fake a US phone number, but it has been my experience these medical email hosting companies don't get hacked. There are too many easier targets.

If you look at your domain registration, the website and MX record (email) have different fields. You can put the hosting at one address, and MX at another.

I suspect if you put your MX record at a large hosting company like google or Microsoft, they would not dare block the entire IP address.

One of the worst email hosting companies is GMX. Lots of spam comes from them. Google and Outlook send them to spam immediately. Usually the Germans are on top of stuff, but GMX is an incredibly shitty company, borderline criminal. So if you ever think of moving your MX record, GMX would not be on my list.

MX record hacking is one way spammers get past all the control. This has been going on for years. Wiki has a decent write up on it.

GoDaddy is my last registrar of choice. Too many up-sells.

A catch all account is where mail goes if the address doesn't exist. Obviously the domain has to exist. So the spammer sends email to snipped-for-privacy@yourdomain.com, hoping Joe Blow exists. I really don't see the relevance here, not that you brought it up.

If you want 100 accounts, you are stuck using a hosting company. It would be very expensive to use an email hosting company since you would pay for every account.

One alternative, though I have no first hand knowledge of this, is to use Amazon AWS. They have a simple email server (SES) as part of the package.

Amazon will give you a small account for free, just to hack. It lasts a year. I know some people who have set up VPNs over it, stuff like that. Amazon runs SLES (suse enterprise linux) as a VM. Maybe other flavors.

SES over AWS wouldn't be all that expensive since it doesn't use a lot of traffic.

Was that a computer trojan or a cell phone hack?

he's not having problems with his MX, the problem is it can't send.

Microsoft is poor choice, they can't do DKIM worth a damn so their DMARC impementations is worthless (not that they will acknoledge this) as a result lots of legit mail will end up in the spam folder, Google will gladly take $5/month per email address (if you want more than 5), and will read your email too..

Yahoo, well they can't even get SMTP AUTH right, dunno what they charge,

Won't block gmail? sure they will.

Seems like a vague desctiption of one of the things they can do by using MX records contrary to reccomended practice,

That is what I do. Many email addresses for different purposes. In fact, when I give out an address on a web site it is usually the form of "url"@arius.com so I know *exactly* who to thank for spam when it arrives. You wouldn't believe who shares your email addresses sometimes, like Xilinx and Altera for example. Not that they are selling it, but they give it out to reps and distis, then it works it's way around the circuit until the junk mail comes from vendors selling grey market parts.

I'm with a small outfit, eboundhosting.com. I do have some issues with them, but mostly on the account I still have running on the Plesk server. Seems Cpanel is their preferred approach, but it is not so straighforward to port over to it, so I have never taken the step to move my own domain over. I have moved all the domains that I host for friends though. They have actually said they will cut off the Plesk server someday, but I've never received a final notice.

Sounds more like abusers than friends.

?-)

Relying solely on such sites is IMO sub-par IT management. What is so difficult about, for example, white-listing anyone who has ever been sent email from the domain to be "protected"? That can be fully automated.

The worst ever was T-Online in Germany which must have blacklisted a whole big domain (IIRC it was the AT&T domain) for a while. German Engineers contacted me because they no longer received email response from companies here and some were stuck with a project because of that. Later I suggested to ditch T-Online and some did. Eventually this sort of primitive blanket strategy backfires.

While 1and1 appears to poorly police spammers from an originator point of view I must say that AFAIR they never resorted to such incompetent behavior to protect the receiving side. I have never lost email because of a blanket-block.

Long term this will backfire. I know at least one new company that now chose a competitor over 1and1. Once they grow that'll be big bucks that have been left on the table.

Sure, but here is the puzzler: Why is it that some ISP are dumb and blanket-block while smarter ones filter correctly? An example is 1and1 which I use. They appear to do a lousy job of preventing outgoing spam but for incoming they weed out lots of spam while valid emails even from the gmx domain get through. I receive them regularly and not one trnasmission gets lost. Yet no spam.

Which is why many IT guys should brush up on know-how and learn something from each other, for example from 1and1, from the IEEE IT folks, and others.

I'm dumping them too. Their email server got blacklisted for spam, so I switched to Rackspace for email late last year. Hosting gets switched whenever I have two minutes to rub together.

Cheers

Phil Hobbs

Try Bluehost. We have everything for our start-up company there, works like a charm.

follow the money.

it seems obvious that the bckup should be secured to the same standard as the main MX

I think it was an Android smartphone app that stole my contacts list. I don't recall exactly which one. It may also have been a trojan horse on my laptop, which managed to get infected when I wasn't paying attention. Since then, I've "salted" my various address books and contacts lists with various throw away account addresses on my domains. If I start getting spam to these addresses, at least I know which machine has been compromised. So far, my Droid X2 and Google Nexus 7 tablet are the major leaks, with the PC's and Mac's staying apparently secure. Unfortunately, since I sync everything to Google Gmail, I can't tell if the leaks are coming from my Android devices, or from Google. One clue was when I again wasn't paying attention, and stupidly gave Google my cell phone number for "secondary authentication". (Note: Wine and computing do not mix well). A few minutes later, I realized my mistake. It only took me 30 minutes of cursing and swearing to figure out how to remove the phone number. Too late. I started receiving SMS spam almost immediately which fortunately stopped after about 2 weeks. So, there's another leak.

Incidentally, another really bad idea was setting incoming email addressed to any unassigned email address in my various domains to go to a single mailbox. 1and1.com has this feature, which I thought might be useful for dealing with my contacts that can't spell my name or mistype my email address. Instead, what I received was a huge deluge of spam, where some moronic spammer was trying every possible combination of user name in my domain. I felt much like Mickey Mouse in the Walt Disney version of the Sorcerers Apprentice as I cleaned up the mess.

No new technology is considered successful unless it has been abused.

The problem with white lists is that I get quite a bit of incoming email from previously unknown addresses, which would not be in such a white list. There are challenge/response schemes that return a message to the sender, asking them to do something that proves they are a human, not a bot, but those are tedious and tend to chase away those with minimal computer experience. If the user is sufficiently clueless to mark such a message as spam, they will never receive a follow up, or any other such challenge/response emails.

Agreed. It's difficult to catch spammers that hop from one ISP to another. They'll sign up for a 1and1 account, spew a few thousand emails until they are caught, abandon the account, and sign up for a new account. If they have a collection of stolen credit card numbers, they can do it endlessly on a single ISP. Unfortunately, the only way for 1and1 to police such a system is AFTER the spam has been sent, and the damage done. Conglomerate enough spammers on one ISP and it makes them look like they're spam friendly, which is hardly the case.

My experience has been quite different. As long as the service remains reliable and stays up, most companies will tolerate almost any type of ethical problem. Some of my customers are multi-homed (two paths to the internet) for reliability. If it takes a bunch of spammers to keep the ISP in business and to keep the monthly bill affordable, many companies will not even complain. I'm not sure exactly what it takes to inspire a company to switch ISP's, but I know it's not the ISP's spammer friendly activities.

I probably shouldn't mention this, but I suspect that I invented spam before Canter and Siegel in 1994. I wrote a shell script to extract the admins email addresses from the UUCP Mapping Project database to solicit donations for what was considered a worthy cause. Fortunately, it was never used, or I would have probably been lynched.

I have friends and I have customers. The difference is that the customers pay me. Otherwise, they're the same.