The IP of my email server has been listed on Spamhaus CBL, which states that the server "attempted to send email without using the HELO/EHLO command", "[which] is generally indicative of a broken email spam infection".
As suggested by the CBL, I first used their HELO check and it replied "The HELO for IP address X.X.X.X was 'example.com' (valid syntax)", which seems to indicate the issue is not a misconfiguration of my email server.
Unfortunately, most of the tools listed on CBL are Windows-only and my server is running Debian.
I ran `maldet` on the most sensitive directories but it found no hits (it is still running, though). I ran `unhide` but it found nothing. I ran `lynis` (ex-`rkhunter`) and though it gave wise security advice on the server configuration, I don't see anything relevant in its report. I ran `ispp_scan` and though it claimed to have found a `suspect.globals.eval` malware-infected file, the IP got listed again after deletion of this file.
I ran `netstat -napec` and grepped it for `:25` to identify SMTP connections; it showed sporadic `TIME_WAIT` entries but gave no clue on how to identify their owning process, or even whether they were legitimate or not. I tried `ss -nap` as well as `iptraf` with a filter on outgoing SMTP connections, but they weren't more verbose.
How can I identify their parent process?
Finally I ran an `lsof -i tcp:25 -P -R` loop but it only showed seemingly legitimate `exim4` connections.
Could it still be a server misconfiguration? Here is my `update-exim4.conf.conf`:
dc_eximconfig_configtype='internet'
dc_other_hostnames='[a few domain names]'
dc_local_interfaces='127.0.0.1 ; X.X.X.X ; ::1'
dc_readhost='foobar.example.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='foobar.example.com::587'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
Since the first event the CBL reports occurred on Monday the 11th at 01:15:00 UTC, I also searched the whole system for files newer than 5 days, but couldn't find anything suspicious. I don't see any recently uploaded suspicious files under the web servers either.
I tried unlisting my IP, hoping for a false positive, but it was relisted a few hours later, and since the CBL only lists incoming connections to their servers, I do not doubt I have to fix something. But what? Am I at least looking in the right direction?
NB: The most sensitive data the server hosts are (literally) a few professional emails, and it is not shared.
Update:
Using `tshark` I was able to find suspicious MX queries. Checking these queries against the exim4 logs, I found that they do correspond to frozen rejection emails of spam addressed to obsolete email addresses.
I doubt it, but could it be that the CBL listed our IP because of such a rejection email?
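As an added example (not part of the original question, and not exim's own tooling), this Python script checks for the pattern described in the update in exim4 mainlog lines: bounces that exim generated for mail which arrived from a remote host and that then froze, i.e. backscatter to forged spam senders. The log excerpt is constructed to follow exim's default mainlog layout; the message ids, hosts and addresses are invented.

```python
import re
from collections import namedtuple

# Constructed exim4 mainlog excerpt (ids, hosts and addresses are invented): a remote
# host sends spam to an obsolete local mailbox, exim generates a bounce to the forged
# envelope sender and that bounce freezes; a locally submitted message also bounces.
SAMPLE_LOG = """\
2013-11-11 01:14:58 1VfAaa-0001Aa-Aa <= forged@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=2048
2013-11-11 01:14:59 1VfAaa-0001Aa-Aa ** olduser@example.org R=localuser T=local_delivery: Unknown user
2013-11-11 01:14:59 1VfAbb-0001Ab-Bb <= <> R=1VfAaa-0001Aa-Aa U=Debian-exim P=local S=3072
2013-11-11 01:15:00 1VfAbb-0001Ab-Bb == forged@example.net R=dnslookup T=remote_smtp defer (-53): retry time not reached
2013-11-11 01:15:00 1VfAbb-0001Ab-Bb Frozen (delivery error message)
2013-11-11 01:20:00 1VfAcc-0001Ac-Cc <= alice@example.org U=alice P=local S=512
2013-11-11 01:20:01 1VfAcc-0001Ac-Cc ** nobody@example.com R=dnslookup: Unrouteable address
2013-11-11 01:20:01 1VfAdd-0001Ad-Dd <= <> R=1VfAcc-0001Ac-Cc U=Debian-exim P=local S=800
"""

ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$')
FROZEN = re.compile(r'^\S+ \S+ (?P<id>\S+) Frozen')
PARENT = re.compile(r' R=(?P<parent>\S+)')          # id of the message a bounce answers
REMOTE = re.compile(r' H=.*? \[(?P<ip>[^\]]+)\]')    # present only for SMTP arrivals

Backscatter = namedtuple('Backscatter', 'bounce_id parent_id forged_sender remote_ip frozen')

def find_backscatter(log_text):
    """Return bounces (sender '<>') triggered by mail that arrived from a remote host.

    They go back to the envelope sender the remote party claimed, forged in the case of
    spam, so this outbound traffic is backscatter; a frozen one never got delivered."""
    arrivals, bounces, frozen = {}, {}, set()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            remote = REMOTE.search(m.group('rest'))
            arrivals[m.group('id')] = (m.group('sender'), remote.group('ip') if remote else None)
            parent = PARENT.search(m.group('rest'))
            if m.group('sender') == '<>' and parent:
                bounces[m.group('id')] = parent.group('parent')
            continue
        m = FROZEN.match(line)
        if m:
            frozen.add(m.group('id'))
    hits = []
    for bounce_id, parent_id in bounces.items():
        sender, ip = arrivals.get(parent_id, (None, None))
        if ip is None:
            continue  # parent was submitted locally: an ordinary bounce, not backscatter
        hits.append(Backscatter(bounce_id, parent_id, sender, ip, bounce_id in frozen))
    return hits
```

Run it over `/var/log/exim4/mainlog` instead of `SAMPLE_LOG`; a steady stream of hits with `frozen=True` is the rejection mail the update describes, and rejecting unknown recipients at SMTP time (instead of accepting and bouncing) stops it being generated.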