Hi,

I'm getting DDOSSED to the hilt. Now using cloudflare and have a new IP for the forums. It appears the IP can be revealed still as it's in the email headers.

How can I mask this or prevent this from happening?

As at the moment I have had to disable all email features including email to friend, contact us forms, notification emails and even human verification for new users.

Can't leave busy forums (x4) like that for long.

Can anybody help? Ever had this before?

<a href="https://vborg.vbsupport.ru/showthread.php?t=242034&highlight=Firewall" target="_blank">https://vborg.vbsupport.ru/showt...light=Firewall</a>
Or get in touch with your host they will be able to help better than this plugin

You can't really prevent this from happening if you send the emails from your own server, it will always contain the originating IP in the email headers as far as I know. I make use of http://www.critsend.com/ to hide my server IP, a (paid) SMTP relay.

Note that you can also easily grab the server IP using the remote image uploading feature @avatar and signature upload.

Okay I'll disable those features now too.

And I'll take a look at critsend.

Will Google Apps / Gmail SMTP service (which you pay for) not do it?

Is there a way to get around the uploading feature showing the IP?

Okay I'll disable those features now too.

And I'll take a look at critsend.

Will Google Apps / Gmail SMTP service (which you pay for) not do it?

Is there a way to get around the uploading feature showing the IP?

The only option would be deleting that functionality, the remote upload basically makes your server contact the URL they enter. Whoever has their own server could easily check their logs for your server IP.

Any SMTP relay server should hide your server IP, I have no experience with Google Apps though. I tried Gmail SMTP service a long time ago and my account got blocked in no-time.

I've disabled any uploading for newer usergroups. Only established members have the option now.

I'll need to get my head around this SMTP and see what leaves the IP in the headers.

--------------- Added 1404470353 at 1404470353 ---------------

The only option would be deleting that functionality, the remote upload basically makes your server contact the URL they enter. Whoever has their own server could easily check their logs for your server IP.

Any SMTP relay server should hide your server IP, I have no experience with Google Apps though. I tried Gmail SMTP service a long time ago and my account got blocked in no-time.

Do you mean when we link to an image and then allow remote hosting of it?
Does that need removing?

Get Google Apps for Business. It's $5/mo and solves your IP problem.

I've disabled any uploading for newer usergroups. Only established members have the option now.

I'll need to get my head around this SMTP and see what leaves the IP in the headers.

--------------- Added 1404470353 at 1404470353 ---------------



Do you mean when we link to an image and then allow remote hosting of it?
Does that need removing?

I'm talking about this feature: "Option 1 - Enter the URL to the Image on Another Website".
That function may leak your server IP.

Hi,

I'm getting DDOSSED to the hilt. Now using cloudflare and have a new IP for the forums. It appears the IP can be revealed still as it's in the email headers.

How can I mask this or prevent this from happening?

As at the moment I have had to disable all email features including email to friend, contact us forms, notification emails and even human verification for new users.

Can't leave busy forums (x4) like that for long.

Can anybody help? Ever had this before?

All someone has to do is get a dns check or a whois check to reveal the sites ip address. Doing a simple ping via the windows command console also reveals the site's ip. At this point you need to look into ddos protection services or get a stronger server and configure a firewall addon for it.

How exactly are you getting a ddos attack? How many ip's are showing up in your server security log? Which port are they attacking?

All someone has to do is get a dns check or a whois check to reveal the sites ip address. Doing a simple ping via the windows command console also reveals the site's ip. At this point you need to look into ddos protection services or get a stronger server and configure a firewall addon for it.

That's not completely true when using Cloudflare, they mask your server's IP address.
Unless, of course, you have DNS records active which still resolve to your server's IP address.

Watch, let me show you an example.

Yes, but if you resolve that IP address, it resolves to Cloudflare.
http://www.ip-adress.com/ip_tracer/108.162.199.26

Use a third party server, like a cheap VPS to send your mail from and then just modify the mail headers of exim to hide the sender ip, that the only IP being shared is that of the vps and not the actual source server (vbulletin) that hosts the mail sending script.

Double up with this www.vbulletin.org/forum/showthread.php?t=313353

If they are getting your Server IP through Email (Email Headers), why not buy an Email Subscription? Will that work? Because then the attacker will get the Email Service provider IP, correct? Or am I wrong?

If you want to get an Email Subscription, Namecheap's OX Private Mail service is really good. I only have my Domain and Email hosted with Namecheap, and they have a REALLY good Email Service. I have the second package, which costs me about $29 per year, and it comes with One Mail Box, I think 10 Alias's, 10GB Mail Storage, 10GB File Storage, Full Mobile Support, and the server runs on HTTPS/SSL. I use Namecheap's OX Private Mail for my vBulletin forum too, and its great, its a really great service.

How do you know they are getting your ip from your email? That does not make much sense to me really.

A bit like this. Server ip and domain it was sent from is found.

Received: by 10.64.236.40 with SMTP id ur8csp270236iec;
Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
X-Received: by 10.236.129.3 with SMTP id g3mr42503511yhi.67.1408251693456;
Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
Return-Path: <bounce-md_30152195.53f036ff.v1-4a68e3a9c92a4da1abcc77bffb4b1933@mandrillapp.com>
Received: from cloudmail.curse.com (cloudmail.curse.com. [205.201.137.179])
by mx.google.com with ESMTPS id k26si17311804yhh.188.2014.08.16.22.01.33

Why do you even think you are getting DDoS attacked?

I have worked on a lot of peoples websites and forums who thought they were getting DDoS attacked and it was never the case. In almost every situation at least that I have dealt with, it was simply bots hitting your website and causing server overloads.

I had this happen on my forums about a year ago maybe and I used Ban Spiders by User Agent (https://vborg.vbsupport.ru/showthread.php?t=268208) along with a few htacces goodies and some ip range blocks to stop bots from terrorizing my forums.

This is more likely what you have and not a DDoS attack. If you were actually getting DDoS attacked and if you are on a shared server, your host would quickly look into it and do something about it because it not only affects your website but a whole lot others as well.

If you want I can take a look for you if that is the case, I would of course need an admin account and access to your cPanel to monitor what is going on throughout the day. Send me a private message if you still need help.

A bit like this. Server ip and domain it was sent from is found.

Received: by 10.64.236.40 with SMTP id ur8csp270236iec;
Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
X-Received: by 10.236.129.3 with SMTP id g3mr42503511yhi.67.1408251693456;
Sat, 16 Aug 2014 22:01:33 -0700 (PDT)
Return-Path: <bounce-md_30152195.53f036ff.v1-4a68e3a9c92a4da1abcc77bffb4b1933@mandrillapp.com>
Received: from cloudmail.curse.com (cloudmail.curse.com. [205.201.137.179])
by mx.google.com with ESMTPS id k26si17311804yhh.188.2014.08.16.22.01.33

I obviously know the sending server ip can be found in the mail header. My question was not how it is done but how do you know it is being done? It seems a very unlikely way for a site to be attacked.

My first question still stands as well. What does the security log show that represents a ddos attack and what ports are being targeted? My servers and most if not all others are probed hundreds if not thousands of times daily. These do not represent attacks and I am curious if that is what is happening here. And how is email being tied to this? What is the evidence of it?