Are you also blocking outbound connections on port 587?
On Thu, 18 Apr 2024 at 13:57, Sebastian Arcus via mailop <mailop@mailop.org> wrote:
>
> I hope this is within the allowable topics for this list. I tried
> searching the archives, but haven't found an answer for the issue below
> yet. If anyone could shed some light, it would be very much appreciated.
>
> A few days ago I started having issues with the public IPv4 address of
> one network I look after ending up on the Spamhaus XBL and CSS
> blacklists. I have taken a good hard look at the setup and applied to be
> delisted twice, but it is blacklisted again - so I must be missing
> something. I read through the Spamhaus docs on their website. The
> following applies to this site:
>
> 1. Port 25 outbound is completely blocked for the entire network, except
> our in-house email server which uses Exim
> 2. The in-house server doesn't do any sort of relaying.
> 3. The site doesn't do any sort of marketing or mailing list type
> activity as far as I know - and the Spamhaus detected connections are
> out of working hours - so this being caused by employees sending any
> unwanted emails seems unlikely.
> 4. I have checked the Exim logs, and there is no sign so far it has been
> compromised in any way, or it is sending out any unusual email traffic.
> 5. This is a low volume site - I would say less than 100 emails sent per
> day.
> 6. Spamhaus provides the date and timestamp of the last rogue connection
> detected - but there is nothing in our Exim log which matches that date
> and time.
> 7. The information they provided is:
>
> (IP, UTC timestamp, HELO value)
> <our.public.ip> 2024-04-18 05:25:00 <our.exim.fqdn.and.helo>
>
> The wording on Spamhaus' website is a bit generic, and seems to hint
> that you can end up blacklisted if infected with a variety of other
> viruses/exploits, not only those to do with smtp. However, because of
> the format of the info above, I was digging in the direction of an
> exploit which uses the smtp protocol to spam the internet.
>
> Does anybody here have some experience with Spamhaus blacklists? Am I
> barking up the wrong tree, and should I cast the net wider, and look for
> any type of infection which scans any other ports on the internet - not
> only the type which would be scanning smtp servers on port 25 trying to
> send spam? In our case that should be technically impossible, as port 25
> outbound is blocked completely on the gateway/firewall (except for the
> email server)? Grateful for any hints - as it would be useful to narrow
> down a bit what I am looking for.
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
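One check worth doing before widening the search, prompted by item 6 of the quoted post: Spamhaus reports its timestamps in UTC, while Exim's mainlog is written in the host's local time unless `log_timezone` is set, so grepping the log for the literal "05:25" can miss the relevant lines even when they exist. The script below is an added example for this thread, not code from the original post, from Exim or from Spamhaus. It assumes the mainlog has no zone suffix on its timestamps, takes the host's UTC offset at the time of the hit as a caller-supplied number (the +1 used in the `__main__` block is an assumption, not a fact about the poster's site), and runs over a constructed mainlog excerpt rather than real traffic.

```python
"""Correlate a Spamhaus-reported UTC timestamp with Exim mainlog entries.

Added example, not code from the original post or from Exim. Assumptions:
mainlog timestamps are local time with no zone suffix (log_timezone unset);
the host's UTC offset is supplied by the caller; the log lines below are
constructed for the example, not real traffic.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed Exim mainlog excerpt (not from the original post). Timestamps
# are local time; the example treats the host as being at UTC+1 when written.
SAMPLE_MAINLOG = """\
2024-04-18 06:10:12 1rxA01-0001AB-CD <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpsa A=plain:alice S=2048
2024-04-18 06:10:13 1rxA01-0001AB-CD => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-04-18 06:10:13 1rxA01-0001AB-CD Completed
2024-04-18 06:26:40 1rxA02-0001AC-EF <= root@mailhost.example.com U=root P=local S=512
2024-04-18 06:26:41 1rxA02-0001AC-EF => admin@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.7]
2024-04-18 06:26:41 1rxA02-0001AC-EF Completed
2024-04-18 09:30:00 1rxA03-0001AD-GH <= carol@example.org H=(desktop) [192.0.2.11] P=esmtpsa A=plain:carol S=4096
"""

# Exim timestamp, optionally followed by a "+0100"-style offset, which Exim
# emits when log_timezone = true is configured.
LOG_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: ([+-]\d{4}))? ")


def spamhaus_to_local(utc_ts: str, local_offset_hours: float) -> datetime:
    """Spamhaus gives 'YYYY-MM-DD HH:MM:SS' in UTC; shift it into the log's zone."""
    dt = datetime.strptime(utc_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(hours=local_offset_hours)))


def parse_log_time(line: str, local_offset_hours: float):
    """Aware datetime for a mainlog line, or None if the line has no timestamp."""
    m = LOG_TS.match(line)
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2):  # the log line carries its own offset: trust it over the caller's
        sign = 1 if m.group(2)[0] == "+" else -1
        off = sign * timedelta(hours=int(m.group(2)[1:3]), minutes=int(m.group(2)[3:5]))
        return naive.replace(tzinfo=timezone(off))
    return naive.replace(tzinfo=timezone(timedelta(hours=local_offset_hours)))


def lines_near(log_text: str, utc_ts: str, local_offset_hours: float, window_minutes: int = 5):
    """All mainlog lines within +/- window_minutes of the Spamhaus timestamp."""
    target = spamhaus_to_local(utc_ts, local_offset_hours)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        t = parse_log_time(line, local_offset_hours)
        if t is not None and abs(t - target) <= window:
            hits.append(line)
    return hits


def outbound_deliveries(lines):
    """Keep only '=>' delivery lines that left this host over SMTP (T=remote_smtp)."""
    return [l for l in lines if " => " in l and "T=remote_smtp" in l]


if __name__ == "__main__":
    HIT = "2024-04-18 05:25:00"   # UTC, in the format of a Spamhaus listing
    OFFSET = 1                    # assumption: host clock is at UTC+1
    near = lines_near(SAMPLE_MAINLOG, HIT, OFFSET)
    for line in near:
        print(line)
    print(len(outbound_deliveries(near)), "outbound SMTP deliveries near the hit")
    # Treating the log as UTC finds nothing: "no matching log entry" can be a
    # timezone mismatch rather than an absence of traffic.
    print(len(lines_near(SAMPLE_MAINLOG, HIT, 0)), "lines if the log is read as UTC")
```

If the window around the converted timestamp is empty on the real mainlog as well, the host that made the connection Spamhaus saw is not logging through Exim at all, which is the point at which the question about other outbound ports becomes the right one to pursue.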