
Spamhaus has listed my IP a few times for an apparent problem. They are indicating:

A device using <ipv6 addr> is infected with malware and is emitting spam.

<ipv6 addr> is making SMTP connections with HELO values that indicate a problem. The HELOs that it is connecting with are as follows:
Technical information

(IP, UTC timestamp, HELO value)

<ipv6 addr> 2022-05-09 09:25:00 server.example.com

The mentioned IPv6 address is the one from my server, and the prefix matches too.

I am not sure how I can fix this. The server is configured correctly, the postfix HELO banner is set to the fully qualified hostname, old SSL/TLS is disabled, etc.

In fact the string "server.example.com" does not occur (in plaintext) anywhere on this (linux) server. Nothing to find in the log files at this time either.

How can I figure out which process is trying to send with this HELO banner, and why?

Ubuntu 22.04, using Postfix (but it does not look like it is Postfix causing this).

  • Does the IPv6 address mentioned in conjunction with the unknown domain match any IPv6 address you used at the specified time, or does it merely share a common prefix? – anx May 09 '22 at 14:33
  • 1
    Please provide more information. Is one of your IP addresses? What operating system and mail software is the server you mentioned running? Does it have assigned as one of its addresses? What does its logfile say at the time indicated by Spamhaus? What does your firewall log say about outgoing SMTP connections at that time? Do the two logs match? – Tilman Schmidt May 09 '22 at 14:39
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – djdomi May 09 '22 at 17:04
  • @djdomi unfortunately I don't see anything in this question / answers relevant to my situation. – Dennis Thrysøe May 10 '22 at 06:05
  • Added details: Ubuntu, Postfix, nothing found in any logs, Postfix provides correct EHLO banner. – Dennis Thrysøe May 10 '22 at 06:06
  • Then ask your provider for a new IP, since it is blacklisted. But really verify that you are not sending spam. – djdomi May 10 '22 at 17:01
  • Does this answer your question? [Why would Spamhaus continue to add an IP to the CSS when that IP hasn't sent email recently?](https://serverfault.com/questions/889111/why-would-spamhaus-continue-to-add-an-ip-to-the-css-when-that-ip-hasnt-sent-ema) – anx May 21 '22 at 22:14

1 Answer

1

Turns out it is because Spamhaus lists entire /64 blocks for IPv6:

[Why would Spamhaus continue to add an IP to the CSS when that IP hasn't sent email recently?](https://serverfault.com/questions/889111/why-would-spamhaus-continue-to-add-an-ip-to-the-css-when-that-ip-hasnt-sent-ema)

So the solution in my case was to disable IPv6 for outbound mail delivery. An alternate solution could be to get a dedicated /64 block from the ISP.
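An added example (shell; not from the original question or answer) covering both halves of the thread: listing which local process holds an outbound SMTP connection, using `ss` from iproute2, and checking whether Postfix's smtp client has been restricted to IPv4 with a per-service `-o inet_protocols=ipv4` override in master.cf, which is one documented way to implement "disable IPv6 for outbound delivery" while leaving inbound IPv6 alone. The sample `ss` line and master.cf text are constructed, and the 2001:db8:: addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example: attribute outbound SMTP connections to a local process and
# verify the Postfix outbound-IPv4-only override. Assumes iproute2 `ss` and,
# for the live check, root (the process column needs it).

# Constructed sample of one `ss -H -tnp` line (no real hosts).
SAMPLE_SS_LINE='ESTAB 0 0 [2001:db8::1]:45678 [2001:db8::2]:25 users:(("python3",pid=4242,fd=3))'

# Parse one `ss -H -tnp` line and print: local_addr peer_addr process_name.
# Columns without a state filter are: State Recv-Q Send-Q Local Peer Process.
parse_ss_line() {
  printf '%s\n' "$1" | awk '{
    proc = ""
    # users:(("name",pid=N,fd=M)) -> take the quoted name only
    if (match($0, /users:\(\("[^"]+"/)) {
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    }
    print $4, $5, proc
  }'
}

# Live check: every established TCP connection, IPv4 or IPv6, whose peer
# port is 25, with the owning process. Anything here that is not Postfix's
# smtp client is worth investigating.
watch_outbound_smtp() {
  ss -H -tnp '( dport = :25 )' | while IFS= read -r line; do
    parse_ss_line "$line"
  done
}

# Read a master.cf on stdin and print "yes" if the "smtp unix" client service
# carries the "-o inet_protocols=ipv4" override (outbound IPv4 only), else "no".
# The "smtp inet ... smtpd" listener line is deliberately ignored.
smtp_client_ipv4_only() {
  awk '
    /^[^ \t#]/ { in_smtp = ($1 == "smtp" && $2 == "unix") }
    in_smtp && /^[ \t]+-o[ \t]+inet_protocols=ipv4/ { found = 1 }
    END { print (found ? "yes" : "no") }
  '
}
```

Run `watch_outbound_smtp` as root on the affected server; `postconf -M smtp/unix` shows the live master.cf entry that `smtp_client_ipv4_only` inspects.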