Sebastian Arcus via mailop <mailop@mailop.org> wrote:

> In that case I think I am back to square one. If an infected device
> connecting to 587/465 to various servers on the internet, from our
> network, to try and guess passwords/break into accounts wouldn't have
> used the FQDN of our public IP as HELO - then that's not what is going
> on. The Spamhaus info mentions the HELO being our public IP FQDN.
The Spamhaus link (with your IP 51.155.244.89 you mentioned before in this thread) does show the EHLO matching the reverse DNS of the public IP. Reading it also implies that the issue is with port 25 rather than 587/465.

You could try doing packet captures on your router (before NAT) for outgoing port 25 traffic, which should give a clue to the internal source. Don't overlook the possibility that the malware might be on the same machine as Exim. Michael's suggestion of checking for compromise of CPE (routers etc) is also well worth pursuing.

-- 
Best wishes,
Matthew

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop