On 18/04/2024 14:21, Marco Moock wrote:
> On 18.04.2024 Sebastian Arcus via mailop <mailop@mailop.org> wrote:
>> On 18/04/2024 13:44, Marco Moock via mailop wrote:
>>> On 18.04.2024 Sebastian Arcus via mailop <mailop@mailop.org> wrote:
>>>> The mention of HELO is what threw me off - and I kept on thinking
>>>> that it's not possible, as port 25 is blocked. But I completely
>>>> missed the point that even authenticated connections on 587 will
>>>> use HELO - I think?
>>> They require auth, so they will use EHLO. :-)
>>> Although no difference here.
>>> The EHLO/HELO FQDN can't be used to abuse something. If it is the
>>> FQDN with matching reverse/forward DNS, it is fine.
>>> When submitting mail to 465/587, the machine will use its name (most
>>> likely not a FQDN), but that is not a problem because MSAs must not
>>> check that name - it would fail most of the time.
>> In that case I think I am back to square one. If an infected device
>> connecting to 587/465 to various servers on the internet, from our
>> network, to try and guess passwords/break into accounts wouldn't have
>> used the FQDN of our public IP as HELO - then that's not what is
>> going on.
> It could use that, but that is equal for the attack.
> You definitely need more information from them, unless identifying
> and resolving the problem is impossible.
In a sense I haven't managed to make further progress with this.
Spamhaus have been very vague about the problem - which to some extent I
understand as they don't want the bad guys to exploit their systems. But
at the same time, their latest correspondence keeps on dropping hints
about port 25 - which doesn't make any sense, as port 25 outbound has
always been blocked on this network - so in that case the blacklisting
should have never happened. I've just tested yesterday again - and not
only can I not do outbound port 25 connections from inside the network, I
am getting, as expected, automatic warnings from the server when the
attempts happen - which I configured a long time ago. I will take a step
back and look at all the research I did and the replies both from
Spamhaus and on this mailing list and try to make sense of what is
happening.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
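The kind of check Sebastian describes (alerting on blocked outbound port 25 attempts) as an added example, not code from anyone in the thread: it assumes a firewall rule that logs dropped outbound SMTP with a netfilter-style LOG prefix "SMTP-OUT-BLOCK", parses the constructed sample lines, and reports internal hosts that keep trying, which is how a compromised device on a port-25-blocked network would show up.

```python
import re
from collections import Counter

# Constructed netfilter-style LOG lines (hypothetical hosts, RFC 5737 addresses);
# the "SMTP-OUT-BLOCK" prefix is an assumed name for the rule that drops
# outbound TCP/25 from the LAN and logs the attempt.
SAMPLE_LOG = """\
Apr 18 09:12:01 gw kernel: SMTP-OUT-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25 SYN
Apr 18 09:12:03 gw kernel: SMTP-OUT-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.45 DST=198.51.100.9 PROTO=TCP SPT=51235 DPT=25 SYN
Apr 18 09:13:10 gw kernel: SMTP-OUT-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.20 PROTO=TCP SPT=40001 DPT=25 SYN
Apr 18 09:14:00 gw kernel: OTHER-RULE IN=eth1 OUT=eth0 SRC=192.0.2.45 DST=203.0.113.21 PROTO=TCP SPT=40002 DPT=587 SYN
"""

LINE_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<prefix>\S+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_blocked_smtp(log_text, prefix="SMTP-OUT-BLOCK"):
    """Return (timestamp, src, dst) for every logged outbound port-25 attempt.

    Lines from other rules or to other ports (e.g. legitimate 587 submission)
    are ignored, since only port 25 is the policy violation here.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("prefix") != prefix or m.group("dpt") != "25":
            continue
        events.append((m.group("ts"), m.group("src"), m.group("dst")))
    return events


def suspicious_hosts(events, threshold=2):
    """Map each internal source with >= threshold attempts to (count, sorted dests).

    Many attempts to many distinct destinations from one LAN host is the
    pattern worth an alert; a single stray attempt is usually misconfiguration.
    """
    attempts = Counter(src for _, src, _ in events)
    dests = {}
    for _, src, dst in events:
        dests.setdefault(src, set()).add(dst)
    return {src: (n, sorted(dests[src])) for src, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    for src, (n, dsts) in suspicious_hosts(parse_blocked_smtp(SAMPLE_LOG)).items():
        print(f"{src}: {n} blocked outbound SMTP attempts to {', '.join(dsts)}")
```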