I hope this is within the allowable topics for this list. I tried
searching the archives, but haven't found an answer for the issue below
yet. If anyone could shed some light, it would be very much appreciated.
A few days ago I started having issues with the public IPv4 address of
one network I look after ending up on the Spamhaus XBL and CSS
blacklists. I have taken good hard look at the setup and applied to be
delisted twice, but it is blacklisted again - so I must be missing
something. I read through the Spamhaus docs on their website. The
following applies to this site:
1. Port 25 outbound is completely blocked for the entire network, except
our inhouse email server which uses Exim
2. The inhouse server doesn't do any sort of relaying.
3. The site doesn't do any sort of marketing or mailing list type
activity as far as I know - and the Spamhaus detected connections are
out of working hours - so this being caused by employees sending any
unwanted emails seems unlikely.
4. I have checked the Exim logs, and there is no sign so far it has been
compromised in any way, or it is sending out any unusual email traffic.
5. This is a low volume site - I would say less than 100 emails sent per
day.
6. Spamhaus provides the date and timestamp of last rogue connection
detected - but there is nothing in our Exim log which matches that date
and time.
7. The information they provided is:
(IP, UTC timestamp, HELO value)
<our.public.ip> 2024-04-18 05:25:00 <our.exim.fqdn.and.helo>
The wording on Spamhaus' website is a bit generic, and seems to hint
that you can end up blacklisted if infected with a variety of other
viruses/exploits, not only those to do with smtp. However, because of
the format of the info above, I was digging in the direction of an
exploit which uses the smtp protocol to spam the internet.
Does anybody here have some experience with Spamhaus blacklists? Am I
barking up the wrong tree, and should I cast the net wider, and look for
any type of infection which scans any other ports on the internet - not
only the type which would be scanning smtp servers on port 25 trying to
send spam? In our case that should be technically impossible, as port 25
outbound is blocked completely on the gateway/firewall (except for the
email server)? Grateful for any hints - as it would be useful to narrow
down a bit what am I looking for.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
