
At least daily I am put on a Spamhaus XBL or CSS or PBL list. After 1/ changing passwords at my email provider, 2/ using Norton and 3/ Malwarebytes antirootkit without result, I would like to try Wireshark in order to find the cause of this blacklisting. I first installed Wireshark and started to capture. (My W10 PC using Thunderbird is connected to a mobile network using tethering over Wi-Fi and my smartphone.) I used Thunderbird to send a test mail. I don't see any SMTP protocol traffic after using "SMTP" as filter in Wireshark. The port used is 465 and the filter "tcp.port==465" shows there was communication. I want to find the application (if there is one) which uses my PC (or phone) to send spam which causes me to be blacklisted. (TLSv1.2 is used.) Can someone help me?

patpin
  • This might be anywhere on your network, not just that one computer. Also if this is a spam listing it's highly probable that port 25 is involved, not 465. – tadman Feb 16 '21 at 21:53
  • There is only one PC and the smartphone is providing the hotspot. Thunderbird is configured with SMTP server settings 465 as port and in "security and authentication" SSL/TLS and normal password. I'll try with tcp.port==25 now for a few hours... – patpin Feb 16 '21 at 21:59
  • I'm wondering why you even care. Why are you delivering mail directly from your phone hotspot IP? If you want your mail to be accepted it should be from a proper server IP of some sort. Some blocklists are provider-wide, the whole IP range is tainted, not you specifically, so that could also be the issue. – tadman Feb 16 '21 at 22:00
  • Is this an IP you personally control, as in it's directly assigned to you, or is it through your mobile provider? If it's a phone IP it might be shared, so you have no control over it at all, and it *will* get listed for reasons you can never determine. You need to use an IP that is not shared. – tadman Feb 16 '21 at 22:02
  • I don't have an ADSL or fixed network. The mobile is all I have. It's a dynamic IP I receive from the ISP. I think almost after each change of IP (by the ISP), I am back on one of the lists... – patpin Feb 16 '21 at 22:05
  • You can't use a dynamic IP to send mail directly, at least if you want to do it reliably. You *must* use a fixed IP of some sort. Some VPNs offer this, but they're not great for sending mail, either. You want, at least, a VPS of some kind with a directly assigned IP. These can cost as little as $5/mo. – tadman Feb 16 '21 at 22:06
  • This config worked well for many years without problems... You suggest that another client of this ISP could have provoked the listing before I received this IP? – patpin Feb 16 '21 at 22:09
  • Guess you got lucky. Maybe the individual(s) causing this problem have ramped up their activity or moved to your neighbourhood. – tadman Feb 16 '21 at 22:09
  • Can I be sure the problem is coming from some other user of this ISP? – patpin Feb 16 '21 at 22:12
  • You can only work with probabilities here. If your machine isn't sending the mail, someone else is. If you're getting random IPs from a pool, that pool could be poisoned by someone else's activity. You **need your own IP** to have control in this situation. They're not expensive. They do work. – tadman Feb 16 '21 at 22:13
  • OK thanks a lot for your intervention. Has the Norton + password change + antirootkit excluded (with reasonable probability) that my PC is used by malware for sending spam? – patpin Feb 16 '21 at 22:24
  • You probably need a malware scanning program. It's unlikely but not impossible that your PC has been hijacked for spamming, it's just rare. Normally it's some old Windows XP machine or an unpatched Windows 2003 server that gets wrapped up in those botnets. What's more likely is that someone else using the same pool of IPs is either spamming deliberately, or has been hijacked. – tadman Feb 16 '21 at 23:15
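
A packet capture does not name the program behind a connection, so the "which application" part of the question is answered from the PC's own connection table. The following is an added example, not part of the original thread: it parses `netstat -ano` output and groups connections to the mail ports by owning PID. Ports 25 and 465 come from the thread, 587 is an added assumption, and the sample rows are constructed.

```python
import subprocess
from collections import defaultdict

# 25 and 465 are the ports named in the thread; 587 (submission) is an assumption added here.
SMTP_PORTS = {25, 465, 587}

# Constructed sample of Windows `netstat -ano` output (documentation-range addresses, invented PIDs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    192.168.43.20:50112    203.0.113.10:465       ESTABLISHED     7320
  TCP    192.168.43.20:50140    198.51.100.7:25        SYN_SENT        9912
  TCP    192.168.43.20:50141    198.51.100.8:25        TIME_WAIT       0
  TCP    192.168.43.20:50150    192.0.2.44:443         ESTABLISHED     7320
  TCP    [2001:db8::5]:50160    [2001:db8::25]:25      ESTABLISHED     9912
  UDP    0.0.0.0:5353           *:*                                    2280
"""

def parse_netstat(text):
    """Yield (remote_host, remote_port, state, pid) for every TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header and UDP rows (no State column) are skipped
        _, _local, remote, state, pid = fields
        host, _, port = remote.rpartition(":")  # last colon, so IPv6 hosts stay intact
        if port.isdigit() and pid.isdigit():
            yield host.strip("[]"), int(port), state, int(pid)

def smtp_by_pid(text):
    """Group connections whose remote port is a mail port by owning PID."""
    found = defaultdict(list)
    for host, port, state, pid in parse_netstat(text):
        if port in SMTP_PORTS and state != "LISTENING":
            found[pid].append((host, port, state))
    return dict(found)  # PID 0 = socket in TIME_WAIT, owner already gone

def live_snapshot():
    """Return the current connection table of the PC this runs on."""
    return subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for pid, conns in sorted(smtp_by_pid(SAMPLE).items()):
        print(pid, conns)
```

On the PC, pass `live_snapshot()` instead of `SAMPLE` and resolve each PID with `tasklist /FI "PID eq <pid>"`. A single snapshot misses connections that open and close between runs, so repeat it while the capture is running.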

0 Answers