I can't say that Spamhaus lists IPs that engage in the abusive practice
of remote sender verification, but I would be happy to hear that they are
doing so, and CSS+XBL listing is a reasonable expression of that sort of
world-hostile behavior.
(I saw your Exim-Users discussion)
On 2024-04-18 at 06:52:20 UTC-0400 (Thu, 18 Apr 2024 11:52:20 +0100)
Sebastian Arcus via mailop <s.ar...@open-t.co.uk>
is rumored to have said:
I hope this is within the allowable topics for this list. I tried
searching the archives, but haven't found an answer for the issue
below yet. If anyone could shed some light, it would be very much
appreciated.
A few days ago I started having issues with the public IPv4 address of
one network I look after ending up on the Spamhaus XBL and CSS
blacklists. I have taken a good hard look at the setup and applied to be
delisted twice, but it is blacklisted again - so I must be missing
something. I read through the Spamhaus docs on their website. The
following applies to this site:
1. Port 25 outbound is completely blocked for the entire network,
except our inhouse email server which uses Exim
2. The inhouse server doesn't do any sort of relaying.
3. The site doesn't do any sort of marketing or mailing list type
activity as far as I know - and the Spamhaus detected connections are
out of working hours - so this being caused by employees sending any
unwanted emails seems unlikely.
4. I have checked the Exim logs, and there is no sign so far it has
been compromised in any way, or it is sending out any unusual email
traffic.
5. This is a low volume site - I would say less than 100 emails sent
per day.
6. Spamhaus provides the date and timestamp of last rogue connection
detected - but there is nothing in our Exim log which matches that
date and time.
7. The information they provided is:
(IP, UTC timestamp, HELO value)
<our.public.ip> 2024-04-18 05:25:00 <our.exim.fqdn.and.helo>
The wording on Spamhaus' website is a bit generic, and seems to hint
that you can end up blacklisted if infected with a variety of other
viruses/exploits, not only those to do with smtp. However, because of
the format of the info above, I was digging in the direction of an
exploit which uses the smtp protocol to spam the internet.
Does anybody here have some experience with Spamhaus blacklists? Am I
barking up the wrong tree, and should I cast the net wider and look
for any type of infection which scans any other ports on the internet
- not only the type which would be scanning smtp servers on port 25
trying to send spam? In our case that should be technically
impossible, as port 25 outbound is blocked completely on the
gateway/firewall (except for the email server). Grateful for any hints
- as it would be useful to narrow down a bit what I am looking for.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
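An added example, not part of the thread and not code from either poster, showing the check a practitioner would run on point 6 of the quoted message before concluding that nothing in the log matches: Spamhaus reports the detection time in UTC, whereas Exim stamps its mainlog in the server's local time unless log_timezone = true is set, so the two clocks have to be aligned first. Once a delivery line is found in the window, the message ID leads back to the "<=" line, which names the internal client that submitted the message. The detection record, the mainlog lines, all IP addresses and HELO names, and the assumed +01:00 server offset are constructed for this example; the log line layout follows Exim's standard "<=" / "=>" format.

```python
"""Correlate a Spamhaus XBL/CSS detection record with an Exim mainlog.

Spamhaus gives the connection time in UTC; Exim logs local time unless
log_timezone = true. Comparing them unconverted silently misses matches.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample record in the "(IP, UTC timestamp, HELO value)"
# layout quoted in the thread. IP and HELO are placeholders.
SPAMHAUS_RECORD = "192.0.2.10 2024-04-18 05:25:00 mail.example.org"

# Assumed server clock offset (UTC+01:00, as in the poster's Date header).
SERVER_TZ = timezone(timedelta(hours=1))

# Constructed sample mainlog lines, stamped in local time without a zone.
EXIM_MAINLOG = """\
2024-04-18 06:10:41 1rxA1b-0001Ab-2C <= alice@example.org H=(desktop12) [10.0.0.12] P=esmtpa S=2105
2024-04-18 06:10:42 1rxA1b-0001Ab-2C => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7] C="250 OK"
2024-04-18 06:10:42 1rxA1b-0001Ab-2C Completed
2024-04-18 06:24:58 1rxAFy-0001Cd-9Z <= <> H=(desktop12) [10.0.0.12] P=esmtp S=820
2024-04-18 06:25:02 1rxAFy-0001Cd-9Z => nobody@spamtrap.invalid R=dnslookup T=remote_smtp H=mx.spamtrap.invalid [203.0.113.9] C="250 queued"
2024-04-18 06:25:02 1rxAFy-0001Cd-9Z Completed
2024-04-18 09:01:13 1rxCpz-0002Xy-1Q <= carol@example.org H=(laptop3) [10.0.0.33] P=esmtpa S=5210
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$")
# Optional "+0100"-style suffix appears only when log_timezone = true.
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: ([+-]\d{4}))? (.*)$")
DELIVERY_RE = re.compile(r"^(\S+) => (\S+) .*T=remote_smtp H=(\S+) \[([^\]]+)\]")
SUBMIT_RE = re.compile(r"^(\S+) <= \S+ H=(\S+) \[([^\]]+)\]")


def parse_spamhaus_record(line):
    """Return (ip, aware UTC datetime, helo) from one detection record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    ip, ts, helo = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ip, when, helo


def parse_exim_line(line, server_tz):
    """Return (aware datetime, remainder) for a mainlog line, or None.

    An explicit offset on the line wins; otherwise server_tz is assumed.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, offset, rest = m.groups()
    if offset:
        tz = timezone(timedelta(hours=int(offset[:3]), minutes=int(offset[0] + offset[3:])))
    else:
        tz = server_tz
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz), rest


def find_outbound_near(record_line, log_text, server_tz, window_minutes=5):
    """Outbound remote_smtp deliveries within +/- window of the detection."""
    _ip, when, _helo = parse_spamhaus_record(record_line)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_exim_line(line, server_tz)
        if parsed is None:
            continue
        stamp, rest = parsed
        if abs(stamp - when) > window:
            continue
        d = DELIVERY_RE.match(rest)
        if d:
            hits.append({"msgid": d.group(1), "rcpt": d.group(2),
                         "host": d.group(3), "ip": d.group(4), "local_time": stamp})
    return hits


def submitting_host(msgid, log_text):
    """Return (HELO/name, ip) of the client that handed Exim this message."""
    for line in log_text.splitlines():
        parsed = parse_exim_line(line, SERVER_TZ)
        if parsed is None:
            continue
        s = SUBMIT_RE.match(parsed[1])
        if s and s.group(1) == msgid:
            return s.group(2), s.group(3)
    return None


if __name__ == "__main__":
    print("treating log as UTC:", find_outbound_near(SPAMHAUS_RECORD, EXIM_MAINLOG, timezone.utc))
    for hit in find_outbound_near(SPAMHAUS_RECORD, EXIM_MAINLOG, SERVER_TZ):
        print("match:", hit, "submitted by", submitting_host(hit["msgid"], EXIM_MAINLOG))
```

Run it with the site's real offset in SERVER_TZ and the real mainlog in place of the constructed text. If the HELO Spamhaus reports is the mail server's own name and a delivery line turns up once the offset is applied, the next question is the "<=" line's H= host, which is the internal client that submitted the message; if nothing turns up even after the conversion, the connection Spamhaus saw was made by something other than Exim, and the firewall's NAT and egress logs for the same UTC minute are the place to look.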