On 18/04/2024 19:14, Matthew Richardson via mailop wrote:
Sebastian Arcus via mailop <mailop@mailop.org> wrote:-

In that case I think I am back to square one. If an infected device
connecting to 587/465 to various servers on the internet, from our
network, to try and guess passwords/break into accounts wouldn't have
used the FQDN of our public IP as HELO - then that's not what is going
on. The Spamhaus info mentions the HELO being our public IP FQDN.

The Spamhaus link (with your IP 51.155.244.89 you mentioned before in this
thread) does show the EHLO matching the reverse DNS of the public IP.
Reading it also implies that the issue is with port 25 rather than 587/465.

I am inclined to think the same.


You could try doing packet captures on your router (before NAT) for
outgoing port 25 traffic, which should give a clue to the internal source.
Don't overlook the possibility that the malware might be on the same
machine as Exim.

It crossed my mind - seems highly unlikely, but worth pursuing.


Michael's suggestion of checking for compromise of CPE (routers etc) is
also well worth pursuing.

I have thought about that as well. The only possibility I can come up with is the Fritzbox VDSL modem/router sitting in front of the Linux gateway/firewall. I would have to try and think of a way to eliminate that - maybe by temporarily replacing it with something else and seeing if the address gets blacklisted again - as I can't actually monitor its outbound traffic, since nothing is sitting in front of it to the internet.


--
Best wishes,
Matthew
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
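The capture-before-NAT suggestion above is the part of this exchange a practitioner would act on, so here is an added worked example of the triage step that follows it. This is not code from the thread or from any of its participants; the interface name (eth1), the private addresses, the Exim host address and the sample capture lines are all constructed assumptions. It records only outbound SYNs to port 25 on the LAN-facing interface of the Linux gateway (where the internal source address is still visible), then counts them per internal host and flags whether the busiest source is the mail server itself, which covers the "malware on the same machine as Exim" case from the reply.

```shell
#!/bin/sh
# Added example, not from the mailop thread. Triage outbound port-25 SYNs
# captured on the LAN side of the gateway (before NAT) to find the internal
# source. Interface name, addresses and the sample capture are assumptions.

# The capture to run on the Linux gateway's LAN-facing interface. Only SYN
# packets are kept, so the log stays small and each line is one connection
# attempt:
#   tcpdump -n -l -i eth1 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > smtp-syn.log
capture_cmd() {  # $1 = LAN interface (assumed default: eth1)
    printf '%s\n' "tcpdump -n -l -i ${1:-eth1} 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'"
}

# Constructed sample of what that capture looks like (RFC 5737 test ranges
# for the remote side). 192.168.1.10 is assumed to be the Exim host.
SAMPLE_CAPTURE='19:14:01.100 IP 192.168.1.23.51234 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
19:14:01.250 IP 192.168.1.23.51235 > 203.0.113.9.25: Flags [S], seq 2, win 64240, length 0
19:14:02.010 IP 192.168.1.10.40001 > 198.51.100.7.25: Flags [S], seq 3, win 64240, length 0
19:14:02.300 IP 192.168.1.23.51236 > 203.0.113.12.25: Flags [S], seq 4, win 64240, length 0
19:14:03.000 IP 192.168.1.10.40002 > 198.51.100.7.587: Flags [S], seq 5, win 64240, length 0'

# Read tcpdump text on stdin; print "<syn count> <internal source IP>",
# busiest source first. Connections to ports other than 25 (e.g. 587
# submission from the real mail server) are ignored.
summarize_smtp_sources() {
    awk '$2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)          # "203.0.113.5.25:" -> "203.0.113.5.25"
        n = split(dst, d, ".")
        if (d[n] != "25") next                # keep only destination port 25
        src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
        count[src]++
    }
    END { for (s in count) print count[s], s }' | sort -rn
}

# Tag each summary line with whether the source is the Exim host itself,
# so a compromised mail server is not mistaken for a clean one.
annotate() {  # $1 = address of the Exim host
    awk -v mailhost="$1" '{
        tag = ($2 == mailhost) ? "mail-server-itself" : "other-lan-host"
        print $1, $2, tag
    }'
}

# Demo run on the constructed sample:
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_smtp_sources | annotate 192.168.1.10
fi
```

On a live system the pipeline is `cat smtp-syn.log | summarize_smtp_sources | annotate <exim-host-ip>`; the host at the top of the list is where to look next. If the capture on the gateway's LAN side stays empty while the public address keeps getting listed, the traffic is not coming through the Linux gateway at all, which points at the CPE in front of it, as the thread already suggests.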
