Score:-2

How to fix spam listing of IP due to SMTP HELO banner


Spamhaus has listed my IP a few times for an apparent problem. They are indicating:

A device using <ipv6 addr> is infected with malware and is emitting spam.

<ipv6 addr> is making SMTP connections with HELO values that indicate a problem. The HELOs that it is connecting with are as follows:
Technical information

(IP, UTC timestamp, HELO value)

<ipv6 addr> 2022-05-09 09:25:00 server.example.com

The mentioned IPv6 address is the one from my server, and the prefix matches too.

I am not sure how I can fix this. The server is configured correctly, the postfix HELO banner is set to the fully qualified hostname, old SSL/TLS is disabled, etc.

In fact the string "server.example.com" does not occur (in plaintext) anywhere on this (Linux) server. Nothing to find in the log files at this time either.

How can I figure out which process is trying to send with this HELO banner, and why?

Ubuntu 22.04, using Postfix (but it does not look like it is Postfix causing this).

anx:
Does the IPv6 address mentioned in conjunction with the unknown domain match any IPv6 address you used at the specified time, or does it merely share a common prefix?

Tilman Schmidt:
Please provide more information. Is <ipv6 addr> one of your IP addresses? What operating system and mail software is the server you mentioned running? Does it have assigned <ipv6 addr> as one of its addresses? What does its logfile say at the time indicated by Spamhaus? What does your firewall log say about outgoing SMTP connections at that time? Do the two logs match?

djdomi:
Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server)

(question author):
@djdomi unfortunately I don't see anything in this question / answers relevant to my situation.

(question author):
Added details: Ubuntu, Postfix, nothing found in any logs, Postfix provides correct EHLO banner.

djdomi:
Then ask your provider for a new IP, since it is blacklisted. But really verify that you are not sending spam.

anx:
Does this answer your question? [Why would Spamhaus continue to add an IP to the CSS when that IP hasn't sent email recently?](https://serverfault.com/questions/889111/why-would-spamhaus-continue-to-add-an-ip-to-the-css-when-that-ip-hasnt-sent-ema)
Score:0

Turns out it is because Spamhaus lists entire /64 blocks for IPv6:

Why would Spamhaus continue to add an IP to the CSS when that IP hasn't sent email recently?

So the solution in my case was to disable IPv6 for outbound mail delivery. An alternate solution could be to get a dedicated /64 block from the ISP.
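The first comment's question (is the listed address one of yours, or does it merely share the /64?) and this answer's /64 explanation can be checked mechanically. The following is an added example, not code from the question, the answer or Spamhaus; the listing lines, the addresses and the HELO name are constructed placeholders in the documentation range, and the `(IP, UTC timestamp, HELO value)` line format is taken from the listing quoted in the question.

```python
"""Classify Spamhaus CSS listing entries against this host's own addresses.

CSS lists IPv6 at /64 granularity, so an entry naming an address inside
your /64 may come from a neighbouring host rather than from this server.
An entry that names one of your own addresses with a HELO your Postfix
never sends points instead at another process on this host.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the listing's "(IP, UTC timestamp, HELO value)" format.
LISTING = """\
2001:db8:1:2::beef 2022-05-09 09:25:00 server.example.com
2001:db8:1:2::10 2022-05-09 09:40:11 mail.example.net
2001:db8:9:9::1 2022-05-10 01:02:03 host.example.org
"""

# Constructed: the addresses configured on this server (what `ip -6 addr` shows).
MY_ADDRESSES = ["2001:db8:1:2::10", "2001:db8:1:2::11", "192.0.2.10"]

@dataclass
class Entry:
    ip: ipaddress.IPv6Address
    timestamp: str
    helo: str
    verdict: str        # "own-address", "same-/64-neighbour" or "unrelated"
    foreign_helo: bool  # own address, but a HELO this host's MTA does not use

def classify(listing: str, my_addresses, my_helo: str) -> list:
    """Parse listing lines and decide, per entry, whether it is this host."""
    mine = {ipaddress.ip_address(a) for a in my_addresses}
    # Only IPv6 addresses get a /64 block; IPv4 entries are compared exactly.
    my_blocks = {ipaddress.ip_network(f"{a}/64", strict=False)
                 for a in mine if a.version == 6}
    entries = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        ip_s, date, time_s, helo = line.split(maxsplit=3)
        ip = ipaddress.ip_address(ip_s)
        if ip in mine:
            verdict = "own-address"
        elif any(ip in block for block in my_blocks):
            verdict = "same-/64-neighbour"
        else:
            verdict = "unrelated"
        foreign = verdict == "own-address" and helo != my_helo
        entries.append(Entry(ip, f"{date} {time_s}", helo, verdict, foreign))
    return entries
```

Entries that come back as `same-/64-neighbour` match the situation in this answer; an `own-address` entry with `foreign_helo` set is the case the question originally feared and warrants the per-process outbound-SMTP check the comments ask for. In Postfix terms, the answer's remediation (my rendering, not from the page) is an `-o inet_protocols=ipv4` override on the smtp delivery service in master.cf.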
