Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Grant Taylor via mailop

On 4/19/24 8:31 AM, Jaroslaw Rafa via mailop wrote:
> I started to monitor all outgoing traffic from my server towards his
> IP address with tcpdump, then I put up firewall rules that blocked
> (with logging) all outgoing traffic to his IP other than to port
> 25. Obviously no packets were going out of my server towards his,
> yet the guy insisted that strange traffic from my address is still
> incoming. Indeed, his firewall kept blocking me and he kept unblocking
> me manually.


I wonder if TCP connections were being fully established.  Is there a 
chance that someone was spoofing your IP?


Could he produce packet captures for you to analyze?

Is there a possibility of a compromised CPE that's hijacking the IP?



--
Grant. . . .
unix || die

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Jaroslaw Rafa via mailop
On 19.04.2024 at 10:47:56 Sebastian Arcus via mailop writes:
> In a sense I haven't managed to make further progress with this.
> Spamhaus have been very vague about the problem - which to some
> extent I understand as they don't want the bad guys to exploit their
> systems. But at the same time, their latest correspondence keeps on
> dropping hints about port 25 - which doesn't make any sense, as port
> 25 outbound has always been blocked on this network - so in that
> case the blacklisting should have never happened. I've just tested
> yesterday again - and not only can I not make outbound port 25
> connections from inside the network, I am getting, as expected,
> automatic warnings from the server when the attempts happen - which
> I configured a long time ago.

This reminds me of an issue I had about a year ago with one of the members
of the Postfix mailing list. I wanted to reply to him directly and it turned
out my server got firewalled on his server, apparently - as his logs did
show - for some strange (non-SMTP) traffic coming from my server.

I started to monitor all outgoing traffic from my server towards his IP
address with tcpdump, then I put up firewall rules that blocked (with
logging) all outgoing traffic to his IP other than to port 25. Obviously no
packets were going out of my server towards his, yet the guy insisted that
strange traffic from my address is still incoming. Indeed, his firewall kept
blocking me and he kept unblocking me manually :).

I was never able to find out what was going on.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Matthew Richardson via mailop
Sebastian Arcus via mailop  wrote:-
>> Michael's suggestion of checking for compromise of CPE (routers etc) is
>> also well worth pursuing.
>
>I have thought about that as well. The only possibility that I can come 
>up with is the Fritzbox VDSL modem/router sitting in front of the Linux 
>gateway/firewall.

Try a packet capture between the Linux gateway/firewall and the Fritzbox,
or (depending where any NAT is done) just inside the gateway/firewall.

Then when re-listed you will either have the offending traffic or, if not,
the issue is on the far side of your capture point.

In saying this, there is some guessing about your network configuration.

--
Best wishes,
Matthew
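Matthew's capture-and-compare approach, worked through as an added example (not code from the thread or from any of its participants): take tcpdump output from the LAN side of the gateway, keep only outbound port-25 connection attempts, and ask whether any fall within a few minutes of the UTC timestamp Spamhaus reported. If something does, the internal source is named; if nothing does, the traffic did not pass the capture point and the problem lies between it and the Internet, which is Matthew's either/or. Only the 2024-04-18 05:25:00 timestamp comes from the thread; the capture lines, the addresses and the "capture host clock at UTC+01:00" setting are constructed. The offset parameter exists because a capture stamped in local time compared against a UTC report is an easy way to conclude "nothing matches" when something does; running tcpdump as `TZ=UTC tcpdump -i <lan-interface> -nn -tttt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'` (real options; the interface name is a placeholder) avoids the conversion altogether.

```python
"""Correlate a Spamhaus-style UTC timestamp with a pre-NAT packet capture.

Added example for the mailop thread above, not code from any participant.
Input is the text tcpdump prints with `-tttt -nn` (full date and time, no
name resolution). Only the 05:25:00 timestamp is from the thread; every
capture line and address below is constructed.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src sport dst dport flags")

# One tcpdump -tttt -nn line for an IPv4 TCP packet, e.g.
# 2024-04-18 06:24:58.102938 IP 192.168.1.23.51234 > 203.0.113.5.25: Flags [S], ...
CAP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture taken on the LAN side of the gateway (before NAT) by a
# host whose clock prints local time, UTC+01:00 in April. 192.168.1.10 stands
# for the legitimate mail server; the other addresses are assumed LAN hosts.
SAMPLE_CAPTURE = [
    "2024-04-18 06:24:58.102938 IP 192.168.1.23.51234 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0",
    "2024-04-18 06:25:01.550012 IP 192.168.1.23.51235 > 198.51.100.7.25: Flags [S], seq 2, win 64240, length 0",
    "2024-04-18 06:25:01.551090 IP 198.51.100.7.25 > 192.168.1.23.51235: Flags [S.], seq 3, ack 3, win 65535, length 0",
    "2024-04-18 06:25:03.000000 IP 192.168.1.40.50000 > 203.0.113.20.587: Flags [S], seq 4, win 64240, length 0",
    "2024-04-18 09:12:44.000001 IP 192.168.1.10.40001 > 203.0.113.9.25: Flags [S], seq 5, win 64240, length 0",
]

REPORTED_UTC = "2024-04-18 05:25:00"   # the timestamp quoted in the thread


def parse_capture(lines):
    """Turn tcpdump text lines into Event tuples; non-IPv4/TCP lines are skipped."""
    events = []
    for line in lines:
        m = CAP_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            flags=m["flags"],
        ))
    return events


def correlate(lines, reported_utc, capture_utc_offset_hours=0, slack_minutes=5):
    """Find outbound port-25 connection attempts (SYN without ACK) within
    `slack_minutes` of `reported_utc`.

    `capture_utc_offset_hours` is the UTC offset of the clock that stamped
    the capture (0 if tcpdump ran with TZ=UTC). Returns the matching events,
    the distinct internal source addresses and a verdict: with no match, the
    traffic Spamhaus saw never crossed the capture point, so the source sits
    on the far side of it (CPE, or something else using the public address).
    """
    reported = datetime.strptime(reported_utc, "%Y-%m-%d %H:%M:%S")
    slack = timedelta(minutes=slack_minutes)
    offset = timedelta(hours=capture_utc_offset_hours)
    hits = []
    for ev in parse_capture(lines):
        if ev.dport != 25 or ev.flags != "S":      # outbound SMTP handshake openers only
            continue
        ts_utc = ev.ts - offset                    # normalise the capture clock to UTC
        if abs(ts_utc - reported) <= slack:
            hits.append((ts_utc, ev.src, ev.dst))
    sources = sorted({src for _, src, _ in hits})
    if sources:
        verdict = "internal source(s): " + ", ".join(sources)
    else:
        verdict = "no matching traffic inside the capture point; look between it and the Internet"
    return {"hits": hits, "sources": sources, "verdict": verdict}


if __name__ == "__main__":
    # Compared naively (capture clock assumed to be UTC) nothing lines up...
    print(correlate(SAMPLE_CAPTURE, REPORTED_UTC)["verdict"])
    # ...once the +01:00 capture clock is accounted for, the culprit appears.
    print(correlate(SAMPLE_CAPTURE, REPORTED_UTC, capture_utc_offset_hours=1)["verdict"])
```

The SYN-only filter matters: the reply `[S.]` from the remote server and the port-587 submission attempt in the sample are both ignored, so a hit means a LAN host actively opened a port-25 connection, not that it merely exchanged packets with a mail server.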


Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Bill Cole via mailop

On 2024-04-19 at 07:21:47 UTC-0400 (Fri, 19 Apr 2024 12:21:47 +0100)
Sebastian Arcus via mailop 
is rumored to have said:


> On 18/04/2024 14:05, Marco Moock via mailop wrote:
>
>> On 18.04.2024 Bill Cole via mailop wrote:
>>
>>> I can't say that Spamhaus lists IPs that engage in the abusive
>>> practice of remote sender verification but I would be happy to hear
>>> that they are doing so and CSS+XBL listing is a reasonable expression
>>> of that sort of world-hostile behavior.
>>
>> If that sender verification includes trying to send an email until
>> RCPT TO:, this is abusive in many cases and also uceprotect will list
>> such servers.
>
> I would have to look further into this, but I was under the impression
> that Exim uses the VRFY command for callout verification?


If it does that, it is a menace to both ends of the connection. The 
problem is that the site asking for verification is exporting its mail 
authentication load to both senders (acceptable) and random forged 
unrelated 3rd parties, which is not acceptable.  The vast majority of 
SMTP mail servers have not answered usefully to VRFY in this millennium, 
so if you were to ask one of those, your answer may bear no relationship 
to reality. Which is fair.


Just to be 100% clear: your first step must be to turn off sender 
verification.


Whether that solves your Spamhaus problem, I cannot say. It will help 
you avoid a thousand little less-visible reputation problems that you 
may be building with every attempt to verify the sender of a forged 
spam.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Sebastian Arcus via mailop

On 18/04/2024 19:14, Matthew Richardson via mailop wrote:

> Sebastian Arcus via mailop  wrote:-
>
>> In that case I think I am back to square one. If an infected device
>> connecting to 587/465 to various servers on the internet, from our
>> network, to try and guess passwords/break into accounts wouldn't have
>> used the FQDN of our public IP as HELO - then that's not what is going
>> on. The Spamhaus info mentions the HELO being our public IP FQDN.
>
> The Spamhaus link (with your IP 51.155.244.89 you mentioned before in this
> thread) does show the EHLO matching the reverse DNS of the public IP.
> Reading it also implies that the issue is with port 25 rather than 587/465.

I am inclined to think the same.

> You could try doing packet captures on your router (before NAT) for
> outgoing port 25 traffic, which should give a clue to the internal source.
> Don't overlook the possibility that the malware might be on the same
> machine as Exim.

It crossed my mind - seems highly unlikely, but worth pursuing.

> Michael's suggestion of checking for compromise of CPE (routers etc) is
> also well worth pursuing.

I have thought about that as well. The only possibility that I can come
up with is the Fritzbox VDSL modem/router sitting in front of the Linux
gateway/firewall. I would have to try and think of a way to eliminate
that - maybe by temporarily replacing it with something else and seeing if
the address gets blacklisted again - as I can't actually monitor its
outbound traffic - as nothing is sitting in front of it to the internet.






Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Marco Moock via mailop
On 19.04.2024 at 12:21:47 Sebastian Arcus via mailop wrote:

> I would have to look further into this, but I was under the
> impression that Exim uses the VRFY command for callout verification?

Most sites have disabled that, and Exim installations are known that
use RCPT TO. Stopping the use of this feature will most likely stop you
from being listed there.

The reason is explained here:
http://www.backscatterer.org/?target=sendercallouts

If you need a similar service, do strict SPF and DKIM checking.

-- 
kind regards
Marco

Send unsolicited bulk mail to 1713522107mu...@cartoonies.org


Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Sebastian Arcus via mailop
Sorry - I included it in an earlier reply after being prompted by 
another member - but I guess it got lost with all the replies in 
this thread. And it doesn't have anything to do with the Contabo address 
my emails are coming from - it's on a different provider/subnet. The IP 
is 51.155.244.89




On 18/04/2024 18:31, Michael Peddemors via mailop wrote:
> It's REALLY hard to give you good advice, if you don't include the
> actual IP Address that is listed..
>
> However, if it is the same email server you sent from, it's on Contabo
> which has its own problems with reputation.. And I don't think they
> really care to help the innocent operators on their networks with
> reputation problems..
>
> On 2024-04-18 03:52, Sebastian Arcus via mailop wrote:
>> I hope this is within the allowable topics for this list. I tried
>> searching the archives, but haven't found an answer for the issue
>> below yet. If anyone could shed some light, it would be very much
>> appreciated.
>>
>> A few days ago I started having issues with the public IPv4 address of
>> one network I look after ending up on the Spamhaus XBL and CSS
>> blacklists. I have taken a good hard look at the setup and applied to be
>> delisted twice, but it is blacklisted again - so I must be missing
>> something. I read through the Spamhaus docs on their website. The
>> following applies to this site:
>>
>> 1. Port 25 outbound is completely blocked for the entire network,
>> except our in-house email server which uses Exim.
>> 2. The in-house server doesn't do any sort of relaying.
>> 3. The site doesn't do any sort of marketing or mailing list type
>> activity as far as I know - and the Spamhaus detected connections are
>> out of working hours - so this being caused by employees sending any
>> unwanted emails seems unlikely.
>> 4. I have checked the Exim logs, and there is no sign so far it has
>> been compromised in any way, or it is sending out any unusual email
>> traffic.
>> 5. This is a low volume site - I would say less than 100 emails sent
>> per day.
>> 6. Spamhaus provides the date and timestamp of last rogue connection
>> detected - but there is nothing in our Exim log which matches that
>> date and time.
>> 7. The information they provided is:
>>
>> (IP, UTC timestamp, HELO value)
>>  2024-04-18 05:25:00
>>
>> The wording on Spamhaus' website is a bit generic, and seems to hint
>> that you can end up blacklisted if infected with a variety of other
>> viruses/exploits, not only those to do with SMTP. However, because of
>> the format of the info above, I was digging in the direction of an
>> exploit which uses the SMTP protocol to spam the internet.
>>
>> Does anybody here have some experience with Spamhaus blacklists? Am I
>> barking up the wrong tree, and should I cast the net wider, and look
>> for any type of infection which scans any other ports on the internet
>> - not only the type which would be scanning SMTP servers on port 25
>> trying to send spam? In our case that should be technically
>> impossible, as port 25 outbound is blocked completely on the
>> gateway/firewall (except for the email server)? Grateful for any hints
>> - as it would be useful to narrow down a bit what I am looking for.






Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Sebastian Arcus via mailop

On 18/04/2024 14:05, Marco Moock via mailop wrote:

> On 18.04.2024 Bill Cole via mailop wrote:
>
>> I can't say that Spamhaus lists IPs that engage in the abusive
>> practice of remote sender verification but I would be happy to hear
>> that they are doing so and CSS+XBL listing is a reasonable expression
>> of that sort of world-hostile behavior.
>
> If that sender verification includes trying to send an email until
> RCPT TO:, this is abusive in many cases and also uceprotect will list
> such servers.

I would have to look further into this, but I was under the impression 
that Exim uses the VRFY command for callout verification?



Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Sebastian Arcus via mailop

On 18/04/2024 14:20, Slavko via mailop wrote:

> On 18 April 2024 11:22:10 UTC, Sebastian Arcus via mailop wrote:
>
>> However, if keeping outbound port 587 open turns out to be causing real
>> headaches, I could take a look at revising the existing approach.
>
> IMO, one doesn't need to block port 465 (or 587) from inside the LAN, as
> it is near impossible without breaking real users' connections. But
> consider:
>
> + ratelimit it -- one user will not create a lot of connections, IMO
>    a good start can be 10 connections in 10-15 min
> + log over-limit connections, this will allow you to see if the limit is
>    too low and/or reveal infected hosts
>
> That will not prevent rogue connections, but will unhide them and
> thus one can do something with the infected machine (block/clean
> or even trash it) relatively quickly (my router FW logs are propagated
> over XMPP).
>
> And consider including the POP3(S) and IMAP(S) too.

Those are actually really good suggestions - thank you!
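Slavko's two suggestions above (a per-host connection budget on 465/587 and the POP3/IMAP ports, plus logging of whatever exceeds it) worked through as an added example, not code from the thread or from any of its participants. The rate limit itself belongs in the firewall; this script is the second half, reading the firewall's log lines offline, counting new connections per LAN host inside a sliding 15-minute window, and naming the hosts that break the 10-connection budget. The figures 10 and 15 minutes are Slavko's; everything else is constructed: the "LAN-MAIL-OUT" log prefix, the addresses and the log lines themselves are assumptions.

```python
"""Per-host connection budget for mail submission/retrieval ports.

Added example for the mailop thread above (not code from any participant):
Slavko's advice of rate-limiting outbound 465/587 (and POP3/IMAP) per LAN
host and logging what exceeds the limit, turned into an offline check over
firewall log lines. The log lines are constructed; the "LAN-MAIL-OUT" log
prefix and all addresses are assumptions, not values from the thread.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Slavko's figures: about 10 connections per host in a 10-15 minute window.
LIMIT = 10
WINDOW = timedelta(minutes=15)

# Ports worth budgeting: submission plus the retrieval protocols he mentions.
WATCHED_PORTS = {465: "smtps", 587: "submission", 110: "pop3", 995: "pop3s",
                 143: "imap", 993: "imaps"}

# Shape of an iptables LOG / nft "log prefix" entry as rsyslog stores it with
# an ISO timestamp. Only the fields the check needs are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ kernel: LAN-MAIL-OUT "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def _log_line(ts, src, dst, dport, flags="SYN"):
    """Build one constructed kernel log line (helper for the sample only)."""
    return (f"{ts} gw kernel: LAN-MAIL-OUT IN=br0 OUT=ppp0 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50000 "
            f"DPT={dport} WINDOW=64240 RES=0x00 {flags} URGP=0")


def _sample_log():
    base = datetime(2024, 4, 18, 1, 10, 0)
    lines = []
    # 192.168.1.23: twelve new submission connections in four minutes, out of
    # hours, to a spread of destinations - the pattern a mailer bot produces.
    for i in range(12):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(_log_line(ts, "192.168.1.23", f"203.0.113.{i + 1}", 587))
    # A mid-stream ACK packet from the same host: not a new connection.
    lines.append(_log_line((base + timedelta(seconds=5)).isoformat(),
                           "192.168.1.23", "203.0.113.1", 587, flags="ACK"))
    # 192.168.1.40: a mail client polling IMAPS a few times in the morning.
    for minute in (0, 5, 10):
        ts = datetime(2024, 4, 18, 9, minute, 0).isoformat()
        lines.append(_log_line(ts, "192.168.1.40", "198.51.100.7", 993))
    # HTTPS is not in the budget and must be ignored.
    lines.append(_log_line(datetime(2024, 4, 18, 9, 5, 30).isoformat(),
                           "192.168.1.40", "198.51.100.8", 443))
    return lines


SAMPLE_LOG = _sample_log()


def parse(line):
    """Return (timestamp, src, dst, dport) for a new connection to a watched
    port, or None for anything else (other ports, non-SYN packets, noise)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dport = int(m["dpt"])
    if dport not in WATCHED_PORTS:
        return None
    if not re.search(r"\bSYN\b", line) or re.search(r"\bACK\b", line):
        return None                       # only handshake openers count
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], dport


def analyze(lines, limit=LIMIT, window=WINDOW):
    """Sliding-window count of new connections per source host.

    Returns (peak, flagged): peak[src] is the most connections that host
    opened inside any `window`; flagged[src] lists the watched ports used by
    hosts whose peak exceeded `limit` - the machines to go and look at.
    """
    events = sorted(e for e in map(parse, lines) if e is not None)
    recent = defaultdict(deque)           # src -> timestamps still inside the window
    peak = defaultdict(int)
    ports = defaultdict(set)
    for ts, src, _dst, dport in events:
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        ports[src].add(dport)
        peak[src] = max(peak[src], len(q))
    flagged = {src: sorted(ports[src]) for src, n in peak.items() if n > limit}
    return dict(peak), flagged


if __name__ == "__main__":
    peak, flagged = analyze(SAMPLE_LOG)
    for src, n in sorted(peak.items()):
        names = ", ".join(WATCHED_PORTS[p] for p in flagged.get(src, []))
        status = f"OVER LIMIT ({names})" if src in flagged else "ok"
        print(f"{src:15} peak {n:3d} connections / {WINDOW}  {status}")
```

On a real gateway the lines come from the kernel log (`journalctl -k` or the syslog file), filtered on whatever prefix the log rule was given. Counting only SYN packets without ACK is what makes the figure comparable to Slavko's "connections": established-flow packets and the server's replies do not inflate it, so a host that shows a burst out of working hours towards many destinations, as 192.168.1.23 does in the sample, really did open that many sessions and is the one to isolate and inspect.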


Re: [mailop] Reason for being listed at Spamhaus CSS and XBL unclear

2024-04-19 Thread Sebastian Arcus via mailop

On 18/04/2024 14:21, Marco Moock wrote:

> On 18.04.2024 Sebastian Arcus via mailop wrote:
>
>> On 18/04/2024 13:44, Marco Moock via mailop wrote:
>>
>>> On 18.04.2024 Sebastian Arcus via mailop wrote:
>>>
>>>> The mention of HELO is what threw me off - and I kept on thinking
>>>> that it's not possible, as port 25 is blocked. But I completely
>>>> missed the point that even authenticated connections on 587 will
>>>> use HELO - I think?
>>>
>>> They require auth, so they will use EHLO. :-)
>>> Although no difference here.
>>>
>>> The EHLO/HELO FQDN can't be used to abuse something. If it is the
>>> FQDN with matching reverse/forward DNS, it is fine.
>>>
>>> When submitting mail to 465/587, the machine will use its name (most
>>> likely not a FQDN), but that is not a problem because MSAs must not
>>> check that name - it would fail most of the time.
>>
>> In that case I think I am back to square one. If an infected device
>> connecting to 587/465 to various servers on the internet, from our
>> network, to try and guess passwords/break into accounts wouldn't have
>> used the FQDN of our public IP as HELO - then that's not what is
>> going on.
>
> It could use that, but that is equal for the attack.
> You definitely need more information from them, unless identifying
> and resolving the problem is impossible.

In a sense I haven't managed to make further progress with this. 
Spamhaus have been very vague about the problem - which to some extent I 
understand as they don't want the bad guys to exploit their systems. But 
at the same time, their latest correspondence keeps on dropping hints 
about port 25 - which doesn't make any sense, as port 25 outbound has 
always been blocked on this network - so in that case the blacklisting 
should have never happened. I've just tested yesterday again - and not 
only can I not make outbound port 25 connections from inside the network, I 
am getting, as expected, automatic warnings from the server when the 
attempts happen - which I configured a long time ago. I will take a step 
back and look at all the research I did and the replies both from 
Spamhaus and on this mailing list and try to make sense of what is 
happening.
