
Several days ago I found a message which was rejected in my inbox. It said that my IP is listed on Spamhaus XBL. Their page states: The reasons could be an Open Proxy or Spambot/Trojans.

Checked all of my logs, couldn't find any suspicious traffic or outgoing E-Mails. So far so good. I still didn't trust it and reinstalled the whole Mailserver (Postfix/Dovecot) and made sure everything is set up correctly. Mails are being sent through SMTP on Port 465 (SSL) only. Also the only Mails that are being sent through this server are coming from a forum of mine (notifications for new posts/messages/etc).

2 days later I got another rejected message... Same happened again: Spamhaus XBL entry. Only legit traffic/mails again in my logs, nothing suspicious.

How do I actually solve this?

Edit: Should mention that I'm using a static IP.
I also set a valid SPF entry:

v=spf1 ip4:xx.xx.xx.xx -all
recon
    If you put your IP address in a general blacklist checker (like [here](http://mxtoolbox.com/blacklists.aspx)), does it show more blacklists, or more detail? I know your logs don't show anything, but still: is the forum running on the same server? PHP software often has leaks in it that are exploited to send spam. You may want to enable the php mail log. – Halfgaar Sep 20 '15 at 20:17
  • All clean @Halfgaar – recon Sep 20 '15 at 20:55
  • Did you actually check your servers ip address at Spamhaus? - https://www.spamhaus.org/lookup/ – joeqwerty Sep 20 '15 at 22:25
  • That's why I am here and what I already said @joeqwerty ;) I'm getting listed on that site constantly. – recon Sep 21 '15 at 09:52
  • You stated that you received an email that stated that you were listed. It wasn't clear to me if you checked for yourself to confirm, and that is why I asked. – joeqwerty Sep 21 '15 at 12:31

2 Answers


If you don't have much outgoing mail, I'd set up a packet capture on port 25 (SMTP) to check if something other than your mail server is sending suspicious mails to the Internet.

As the Spamhaus page speaks of an "Open proxy", did you try portscanning your server from the Internet to see if there is any service that should not be there? For example a Squid server or other HTTP proxy allowing CONNECT requests to port 25...

Ale
  • Capturing packets on Port 25 is actually a great idea. Will try that. I did scan my ports and all besides SSH and the Mail ports are blocked. Nothing else running. – recon Sep 20 '15 at 20:59
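A quick first pass before the packet capture, added here as an example and not part of the answer above: list every established connection from the host to a remote port 25 and flag any that is not owned by Postfix's own delivery processes. On a live host the input is `ss -tnp` run as root (the process column is hidden for other users' sockets otherwise); the snapshot below is constructed so the check runs offline. The process-name whitelist and the sample addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: list who on this host is talking
# to a remote port 25 and flag anything that is not Postfix itself.
# On a live host run as root:   ss -tnp | audit_outbound_smtp
# Here a constructed `ss -tnp` snapshot is used so the check runs offline.

# Process names Postfix uses for outbound SMTP delivery (assumed whitelist).
POSTFIX_CLIENTS='^(smtp|master)$'

# audit_outbound_smtp: read `ss -tnp` output on stdin and print "pid process peer"
# for every connection to a remote :25 that is not owned by Postfix.
# Exit status 1 when at least one such connection is found, else 0.
audit_outbound_smtp() {
    awk -v ok="$POSTFIX_CLIENTS" '
        $1 == "State" { next }                       # header line
        {
            peer = $5                                # Peer Address:Port column
            n = split(peer, p, ":")
            if (p[n] != "25") next                   # only remote SMTP
            # Process column looks like users:(("php-fpm",pid=2211,fd=14))
            if (!match($0, /users:\(\("[^"]+",pid=[0-9]+/)) next
            u = substr($0, RSTART, RLENGTH)
            sub(/^users:\(\("/, "", u)
            split(u, f, "\",pid=")                   # f[1]=process, f[2]=pid
            if (f[1] !~ ok) { found = 1; print f[2], f[1], peer }
        }
        END { exit found ? 1 : 0 }'
}

# suspicious_outbound SNAPSHOT: run the audit over a captured `ss -tnp` text.
suspicious_outbound() {
    printf '%s\n' "$1" | audit_outbound_smtp
}

# Constructed sample: one legitimate Postfix delivery, one PHP worker talking
# directly to a remote MX (what a compromised web app produces), one SSH session.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.10:41022 198.51.100.7:25 users:(("smtp",pid=1234,fd=9))
ESTAB 0 0 203.0.113.10:41030 198.51.100.9:25 users:(("php-fpm",pid=2211,fd=14))
ESTAB 0 0 203.0.113.10:22 192.0.2.5:51234 users:(("sshd",pid=900,fd=4))'

suspicious_outbound "$SAMPLE_SS" || echo "a non-Postfix process is sending SMTP directly; inspect that pid"
```

On the constructed snapshot the script prints `2211 php-fpm 198.51.100.9:25`: a web worker delivering mail itself rather than handing it to Postfix is exactly the traffic that never shows up in the mail log, which is why the logs in the question look clean. Run it a few times over the day, or leave the packet capture from the answer running, since a spambot only connects while it is actually sending.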

I would start with the following:

  • Block inbound to 25 if you do not have this server listed as an MX preference (if you authenticate and send only, open 587 which is the email submission port).
  • Ensure you have unsubscribe links for any message sent automatically
  • Ensure you can track NDRs (if you continue to send junk to non-existent mailboxes you will be marked as an abuser)
  • Check and make sure your sending domain has an abuse@ and postmaster@ email address
  • Ensure inbound connections to SMTP do not permit relays or backscatter/lashback.
  • Get a copy of all email out of postfix: `postconf -e always_bcc=monitorinbox@example.com`
  • Consider an ESP for temporary/permanent help
  • Sendgrid has great tools, you can use them as a relayhost with postfix and track your issues with them.

Good Luck

Jacob Evans
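The relay, backscatter and `always_bcc` points in the answer above can be checked against the running configuration. The script below is an added example, not code from the answer or from Postfix: it audits `postconf -n` text for those settings and prints the `postconf -e` line that corrects each finding. The two configurations it is run against are constructed snapshots (one weak, one corrected); the monitor mailbox address is the one the answer uses.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a Postfix configuration
# for the open-relay, backscatter and monitoring points listed above.
# On a live host:   audit_postconf "$(postconf -n)"
# The two configurations below are constructed snapshots so the check runs offline.

# get_param NAME CONFIG: print the value of NAME from `postconf -n` text (empty if unset).
get_param() {
    printf '%s\n' "$2" | awk -v k="$1" '
        index($0, k " = ") == 1 { sub(/^[^=]*= ?/, ""); print; exit }'
}

# audit_postconf CONFIG: one finding per line (continuation lines start with two
# spaces and carry the fix). Prints nothing when the configuration is clean.
audit_postconf() {
    cfg=$1

    # Postfix 2.10+ defaults smtpd_relay_restrictions to a safe value; an explicit
    # value without *_unauth_destination leaves relaying to recipient restrictions.
    relay=$(get_param smtpd_relay_restrictions "$cfg")
    if [ -n "$relay" ]; then
        case "$relay" in
            *reject_unauth_destination*|*defer_unauth_destination*) ;;
            *) echo "open-relay risk: smtpd_relay_restrictions = $relay"
               echo "  fix: postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination'" ;;
        esac
    fi

    # Anything in mynetworks may relay; a default route entry trusts the whole Internet.
    nets=$(get_param mynetworks "$cfg")
    case "$nets" in
        *0.0.0.0/0*|*::/0*)
            echo "open-relay risk: mynetworks = $nets"
            echo "  fix: postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128'" ;;
    esac

    # Accepting mail for unknown local users and bouncing it later is backscatter.
    if [ "$(get_param smtpd_reject_unlisted_recipient "$cfg")" = "no" ]; then
        echo "backscatter risk: smtpd_reject_unlisted_recipient = no"
        echo "  fix: postconf -e 'smtpd_reject_unlisted_recipient = yes'"
    fi

    # Without always_bcc there is no copy of outbound mail to review after a listing.
    if [ -z "$(get_param always_bcc "$cfg")" ]; then
        echo "no outbound copy: always_bcc is unset"
        echo "  fix: postconf -e 'always_bcc = monitorinbox@example.com'"
    fi
}

# finding_count CONFIG: number of findings (continuation lines are not counted).
finding_count() {
    audit_postconf "$1" | awk '/^[^ ]/ { n++ } END { print n + 0 }'
}

# Constructed weak configuration: relays for everyone, bounces unknown users, no copy.
WEAK_CFG='inet_interfaces = all
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_reject_unlisted_recipient = no'

# Constructed corrected configuration for the same host.
GOOD_CFG='inet_interfaces = all
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_reject_unlisted_recipient = yes
always_bcc = monitorinbox@example.com'

echo "== weak configuration: $(finding_count "$WEAK_CFG") findings =="
audit_postconf "$WEAK_CFG"
echo "== corrected configuration: $(finding_count "$GOOD_CFG") findings =="
```

`postconf -n` only prints parameters that differ from the built-in defaults, so an absent `smtpd_reject_unlisted_recipient` means the safe default (`yes`) is in effect and the script does not flag it; only an explicit `no` is reported.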