This is a follow-up to "Our IP was listed by Spamhaus - how can we prevent this from happening again?" - unfortunately, it is happening yet again.
I was thinking that people could have malware on their phones while using our wi-fi, so one thing to do would be to prevent e-mail traffic from going to/from anything that isn't our mail server.
Our router / firewall is an arcane slew of iptables rules, written before I came on the scene, so I just tinker with them here and there and hope not to break things. Here are the rules I put in hoping to restrict e-mail to just our server:
# Open ports on router for server/services (restricting outgoing e-mail to ouremailserver)
# INPUT matches packets addressed to the router itself; traffic the router forwards for LAN clients traverses FORWARD instead
/sbin/iptables -A INPUT -p tcp --dport 25 ! -s private.subnetip.goes.here -j DROP   # SMTP to the router from outside the subnet
/sbin/iptables -A INPUT -p tcp --dport 110 ! -s private.subnetip.goes.here -j DROP  # POP3 to the router from outside the subnet
/sbin/iptables -A INPUT -p tcp --dport 143 ! -s private.subnetip.goes.here -j DROP  # IMAP to the router from outside the subnet
If this is incorrect, then I can fix it and hope the problem doesn't happen again. If it is correct, then I have to guess again (or gasp! figure out) where the real problem is.
Bonus! I just got the actual spam e-mail from Hotmail that got us blocked. Sure enough, the sender IP is ours, but the hostname isn't one of ours. Is there a way to tell if it's really going through our network? Full dump of the .eml here: https://pastebin.com/hbp9EqyU
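As an added example (not the poster's rule set, and not taken from the existing router script): a FORWARD-chain version of the "only our mail server may talk to mail ports" restriction. The interface name eth1, the client subnet 192.168.0.0/24 and the mail server address 192.0.2.25 are placeholders chosen for illustration. By default the script only prints the commands it would run; as root with APPLY=1 it applies them.

```shell
#!/bin/sh
# Added example, not the original poster's rules: only the mail server may open
# SMTP/POP3/IMAP connections to the outside; every other LAN host may reach those
# ports only on the mail server itself. Names below are assumed placeholders.
LAN_IF="${LAN_IF:-eth1}"                   # assumed: interface facing the LAN/Wi-Fi clients
LAN_NET="${LAN_NET:-192.168.0.0/24}"       # assumed: the client subnet
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}"   # assumed: the one host allowed to talk to remote mail ports
MAIL_PORTS="25,465,587,110,995,143,993"    # SMTP, submission, POP3, IMAP and their TLS variants

# Print the commands (default) or run them (APPLY=1, needs root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

mail_egress_rules() {
    # Traffic the router forwards for LAN clients traverses FORWARD, not INPUT.
    # In the filter table it still carries the client's private source address,
    # so the offending device shows up in the LOG line even though the outside
    # world only ever sees the shared public IP after NAT.
    ipt -N MAIL_EGRESS 2>/dev/null || ipt -F MAIL_EGRESS
    ipt -A MAIL_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A MAIL_EGRESS -s "$MAIL_SERVER" -j ACCEPT   # the mail server may send anywhere
    ipt -A MAIL_EGRESS -d "$MAIL_SERVER" -j ACCEPT   # clients may only talk to our own server
    ipt -A MAIL_EGRESS -m limit --limit 5/min -j LOG --log-prefix "MAIL-EGRESS-DROP: "
    ipt -A MAIL_EGRESS -j DROP
    # Remove any earlier copy of the jump, then insert it ahead of the inherited
    # FORWARD rules so nothing above it can accept the traffic first.
    ipt -D FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports "$MAIL_PORTS" -j MAIL_EGRESS 2>/dev/null || true
    ipt -I FORWARD 1 -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports "$MAIL_PORTS" -j MAIL_EGRESS
}

mail_egress_rules
```

Run it once without APPLY to read the commands, then with `APPLY=1` as root, and add the same lines to whatever script restores the existing rules at boot. Watch the kernel log for the MAIL-EGRESS-DROP prefix: a LAN address appearing there is a device trying to deliver mail directly, which is exactly the behaviour this blocks. Note the limits of the approach: it does nothing about mail sent over HTTPS (webmail, a compromised web account), and it does not constrain the mail server itself, so an open relay or a stolen mailbox password on that host still gets the shared IP listed.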
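On the question of telling whether the message really went through the network: an added example (not part of the post, and not derived from the pastebin) that lists the Received: hops of a message oldest-first and pulls out the address each receiving server actually observed. The .eml embedded below is a constructed sample using documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the original post: walk the Received: headers of a
# message from the oldest hop to the newest. The message below is a constructed
# sample standing in for the poster's pastebin; addresses are documentation ranges.

received_hops() {
    # $1 = path to an RFC 5322 message. Headers end at the first blank line;
    # folded continuation lines (leading space or tab) are joined back on.
    # Each MTA prepends its own Received: line, so the bottom-most one is the
    # first hop and the top-most one was written by the final receiver.
    awk '
        { sub(/\r$/, "") }
        /^$/ { exit }
        /^[ \t]/ { if (in_rcv) hop = hop " " substr($0, 2); next }
        {
            if (in_rcv) { hops[++n] = hop; in_rcv = 0 }
            if (tolower(substr($0, 1, 9)) == "received:") { hop = substr($0, 10); in_rcv = 1 }
        }
        END {
            if (in_rcv) hops[++n] = hop
            for (i = n; i >= 1; i--) {
                gsub(/^[ \t]+/, "", hops[i]); gsub(/[ \t]+/, " ", hops[i])
                printf "%d: %s\n", n - i + 1, hops[i]
            }
        }' "$1"
}

hop_ips() {
    # The address in [brackets] after "from" is what the receiving server saw on
    # the TCP connection; the host name in front of it is whatever the sender
    # announced in HELO and is not evidence of anything.
    received_hops "$1" | sed -n 's/^[0-9]*: from [^[]*\[\([0-9.][0-9.]*\)\].*/\1/p'
}

sample_eml() {
    # Constructed sample: a phone on the LAN (192.168.0.42) handed the message to
    # the site's own server (198.51.100.7), which relayed it to the recipient's MX.
    cat <<'EOF'
Received: from mail.example.org ([198.51.100.7]) by mx.recipient.example
 with ESMTP; Mon, 1 Jan 2018 10:00:03 +0000
Received: from android-phone.localdomain (unknown [192.168.0.42])
 by mail.example.org (Postfix) with ESMTPA id ABC123;
 Mon, 1 Jan 2018 10:00:01 +0000
From: user@example.org
Subject: test

body
EOF
}

# Demo on the constructed sample; pass a real .eml path as $1 instead.
if [ -n "${1:-}" ]; then
    received_hops "$1"; hop_ips "$1"
else
    tmp=$(mktemp); sample_eml > "$tmp"; received_hops "$tmp"; hop_ips "$tmp"; rm -f "$tmp"
fi
```

Read the output from the top-most hop down. Only the Received: line written by the recipient's own server (the last one printed) is trustworthy; everything below it arrived inside the message and could have been forged by the sender. If the bracketed address on that last hop is your public IP, the connection to Hotmail really did originate behind your router, whatever host name sits in front of it. If the hop just below it was written by your own mail server, the message was relayed through it and the server's logs will name the submitting client; if there is no such hop, a device on the LAN connected to Hotmail's MX directly through NAT, which is the case a FORWARD-chain restriction on port 25 would have stopped.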