
Slightly OT - possible reasons for ending on Spamhaus blacklist
This is slightly off-topic, but if anyone could shed some light, it
would be very much appreciated. A few days ago I started having issues
with the public IP address of one network I look after ending up on the
Spamhaus XBL and CSS blacklists. I have taken a good hard look at the
setup and applied to be delisted twice, but it is blacklisted again - so
I must be missing something. The following applies to this site:

1. Port 25 outbound is completely blocked for the entire network, except
our in-house email server which uses Exim
2. The in-house server doesn't do any sort of relaying.
3. The site doesn't do any sort of marketing or mailing list type
activity as far as I know - and the Spamhaus detected connections are
out of working hours - so this being caused by employees sending any
unwanted emails seems unlikely.
4. I have checked the Exim logs, and there is no sign so far it has been
compromised in any way, or it is sending out any unusual email traffic.
5. This is a low volume site - I would say less than 100 emails sent per
day.
6. Spamhaus provides the date and timestamp of last rogue connection
detected - but there is nothing in our Exim log which matches that date
and time.
7. The information they provided is:

(IP, UTC timestamp, HELO value)
<our.public.ip> 2024-04-18 05:25:00 <our.exim.fqdn.and.helo>

The wording on Spamhaus' website is a bit generic, and seems to hint
that you can end up blacklisted if infected with a variety of other
viruses/exploits, not only those to do with smtp. However, because of
the format of the info above, I was digging in the direction of an
exploit which uses smtp to spam the internet.

Does anybody here have some experience with Spamhaus blacklists? Am I
barking up the wrong tree, and should I cast the net wider, and look for
any type of infection which scans any other ports on the internet - not
only the type which would be scanning smtp servers on port 25 trying to
send spam - which in our case should technically be impossible, as port
25 outbound is blocked completely on the gateway/firewall? Grateful for
any hints - as it would just be useful to narrow down a bit what I am
looking for.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Slightly OT - possible reasons for ending on Spamhaus blacklist
On 18.04.24 at 11:08, Sebastian Arcus via Exim-users wrote:
> This is slightly off-topic, (…)

Take a look at the mailing list mailop@mailop.org – that's where mail
operators discuss problems like that:

https://www.mailop.org


Re: Slightly OT - possible reasons for ending on Spamhaus blacklist
On 18/04/2024 10:40, Kai Bojens via Exim-users wrote:
> On 18.04.24 at 11:08, Sebastian Arcus via Exim-users wrote:
>> This is slightly off-topic, (…)
>
> Take a look at the mailing list mailop@mailop.org – that's where mail
> operators discuss problems like that:
>
> https://www.mailop.org

Thank you for that - I will

Re: Slightly OT - possible reasons for ending on Spamhaus blacklist
On 2024-04-18, Sebastian Arcus via Exim-users <exim-users@lists.exim.org> wrote:
> This is slightly off-topic, but if anyone could shed some light, it
> would be very much appreciated. A few days ago I started having issues
> with the public IP address of one network I look after ending up on the
> Spamhaus XBL and CSS blacklists. I have taken a good hard look at the
> setup and applied to be delisted twice, but it is blacklisted again - so
> I must be missing something. The following applies to this site:

Look at the timestamp of the Spamhaus listing, and check the Exim logs for any
interesting log lines shortly after that. Spamhaus creates the listing
before replying "250", so their event will show a few seconds earlier
than the delivery to Spamhaus.

Sometimes an RBL operator gets control of an abandoned domain
(legitimately) and suddenly historic email addresses are now
spamtraps.

> Does anybody here have some experience with Spamhaus blacklists? Am I
> barking up the wrong tree, and should I cast the net wider, and look for
> any type of infection which scans any other ports on the internet

No, it's always port 25. Most of that text is for people who have
workstations connected directly to the internet.

--
Jasen.

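The correlation Jasen describes (take the UTC timestamp Spamhaus reports, convert it into the timezone the Exim main log is written in, and pull every line within a short window around it) is easy to get wrong by a whole hour, which would explain seeing "nothing" even when a delivery is there. The script below is an added example, not code from the thread or from the Exim project. The log lines are constructed samples; the host is assumed to run at UTC+1 (BST) with Exim writing local time without a zone suffix, which is the default unless `log_timezone` is enabled, in which case the parser picks up the `+HHMM` suffix instead.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample Exim main-log lines (not from the thread). Timestamps are
# local time with no zone suffix, as Exim writes by default; the host is
# assumed to be at UTC+1, so 06:25 local == 05:25 UTC.
SAMPLE_LOG = """\
2024-04-18 05:25:00 H=(hello.invalid) [203.0.113.7] rejected connection in "connect" ACL
2024-04-18 06:24:12 no host name found for IP address 203.0.113.7
2024-04-18 06:25:01 1rxAAA-000001-AA <= alice@example.invalid H=(laptop) [192.0.2.10] P=esmtpsa S=2048
2024-04-18 06:25:03 1rxAAA-000001-AA => trap@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [198.51.100.25] C="250 OK"
2024-04-18 06:25:03 1rxAAA-000001-AA Completed
2024-04-18 07:10:02 1rxBBB-000002-BB <= carol@example.invalid H=(desk) [192.0.2.11] P=esmtpsa S=512
"""

# "YYYY-MM-DD HH:MM:SS", optionally followed by " +HHMM" when log_timezone is on.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: ([+-]\d{4}))? (.*)$")


def parse_exim_timestamp(line, default_offset):
    """Return (aware UTC datetime, message) for one main-log line, or None.

    Lines that carry a +HHMM suffix use it; lines without one are assumed to be
    in the timezone given by default_offset (a timedelta).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, tz, msg = m.groups()
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    if tz:
        sign = 1 if tz[0] == "+" else -1
        off = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])) * sign
    else:
        off = default_offset
    return naive.replace(tzinfo=timezone(off)).astimezone(timezone.utc), msg


def lines_near(log_text, listing_utc, before=timedelta(seconds=60),
               after=timedelta(seconds=60), default_offset=timedelta(0)):
    """Return (utc_time, message) for every line within [listing - before, listing + after]."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_exim_timestamp(line, default_offset)
        if parsed is None:
            continue
        when, msg = parsed
        if listing_utc - before <= when <= listing_utc + after:
            hits.append((when, msg))
    return hits


def remote_deliveries(hits):
    """From a list of hits, return the remote hosts of outbound deliveries (=> lines)."""
    hosts = []
    for _, msg in hits:
        if " => " in msg:
            m = re.search(r" H=(\S+) \[([^\]]+)\]", msg)
            if m:
                hosts.append((m.group(1), m.group(2)))
    return hosts


if __name__ == "__main__":
    listing = datetime(2024, 4, 18, 5, 25, 0, tzinfo=timezone.utc)
    # Correct: treat the log as UTC+1, so the delivery 3 s after the listing shows up.
    for when, msg in lines_near(SAMPLE_LOG, listing, default_offset=timedelta(hours=1)):
        print(when.isoformat(), msg)
    print("deliveries:", remote_deliveries(
        lines_near(SAMPLE_LOG, listing, default_offset=timedelta(hours=1))))
    # Wrong: treating local time as UTC matches only the unrelated 05:25 local line.
    print("naive match:", lines_near(SAMPLE_LOG, listing))
```

With the offset set correctly the window contains the inbound message, its outbound delivery to the trap address (logged 3 seconds after the listing, as Jasen says to expect) and the earlier reverse-DNS line; with the offset left at zero the only match is the unrelated rejected connection at 05:25 local, which is exactly the kind of false lead a one-minute window around a misread timestamp produces.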
Re: Slightly OT - possible reasons for ending on Spamhaus blacklist
On 19/04/2024 07:05, Jasen Betts via Exim-users wrote:
> On 2024-04-18, Sebastian Arcus via Exim-users <exim-users@lists.exim.org> wrote:
>> This is slightly off-topic, but if anyone could shed some light, it
>> would be very much appreciated. A few days ago I started having issues
>> with the public IP address of one network I look after ending up on the
>> Spamhaus XBL and CSS blacklists. I have taken a good hard look at the
>> setup and applied to be delisted twice, but it is blacklisted again - so
>> I must be missing something. The following applies to this site:
>
> Look at the timestamp of the Spamhaus listing, and check the Exim logs for any
> interesting log lines shortly after that. Spamhaus creates the listing
> before replying "250", so their event will show a few seconds earlier
> than the delivery to Spamhaus.

Thank you for replying. That's among the first things I looked at. In
all 3 cases of being blacklisted there is absolutely no activity in the
Exim log which can be tied with the information sent over by Spamhaus -
even if I look 1 whole minute before and after. At the moment it is all
still a mystery. I have corresponded with Spamhaus and posted on the
MailOP list. Port 25 is completely blocked outbound on this network,
except for the email server. At this moment in time the only two
possibilities I see are the VDSL router sitting in front of the NAT and
firewall being infected, or something having gotten mixed up at the Spamhaus
end.
