My guess is that someone is using your mail server as a passthrough gateway. You have to block incoming requests that do not originate from your mail server. Every mail server is different, but the crux of it is that you're being used to send SMTP traffic through your mail server. You need to look up your mail server and see what the specific process is. You may have it in passthrough mode. Yours would not be the only one with this issue. Once you fix it, it should take about 48 hours for the blacklist to clear, or you can submit a blacklist removal ticket request.

Bill

On Mon, Mar 28, 2022 at 12:39 PM William Dudley via vcf-midatlantic <vcf-midatlantic@lists.vcfed.org> wrote:
The only user accounts are me and my ex-wife, and she only interacts with my network via ssh (public key only, no passwords) and a simple web interface. I do run a web server, but all static pages OR Perl CGI driven pages; no Wordpress. I suppose I should get the ex-wife to run a malware check on her machine.
Thanks for your thoughts.
Bill Dudley
This email is free of malware because I run Linux.
On Mon, Mar 28, 2022 at 11:29 AM Ethan O'Toole <telmnstr@757.org> wrote:
Make sure none of your user accounts are compromised. On 757.org we had one of the user's accounts get popped and outsiders were slow rolling spams through it.
Are you running web services on it? That is another potential point of entry. Outdated WordPress plugins and WordPress accounts, stuff like that.
It's a PITA to troubleshoot. And a PITA to get removed from blocks, especially O365 and Google.
- Ethan
On Mon, 28 Mar 2022, William Dudley via vcf-midatlantic wrote:
This has naught to do with vintage computers, but I need help, and this audience likely has one or more folks who can help.
I run my own mail server; I have for many years. Lately, spamhaus.org has blocked me for ONE suspect email from my network.
Here is ALL the bad activity from my IP for the last three months:
(IP address, timestamp (UTC), and HELO string)

98.109.205.15 2022-03-28 10:15:00 instructure.com
98.109.205.15 2022-03-15 08:05:00 instructure.com
98.109.205.15 2022-01-21 16:10:00 localhost
It's a funny kind of malware that sends two messages 15 days apart.
I can't figure out where it's coming from, and my knowledge of iptables and tcpdump is insufficient to do the following jobs:
1. figure out where this bad email is coming from
2. block port 25 outbound at my firewall except from the ONE machine authorized to send email.
I am willing to PAY for help with this.
Email me if you think you can help and would like to try.
Thanks, Bill Dudley
This email is free of malware because I run Linux.
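The two jobs Bill lists (find the machine emitting the stray mail, and block outbound port 25 from everything but the one authorized MTA) can be done with a single iptables chain that logs and rejects, since the LOG entries name the internal source address. The script below is an added example, not code from the thread or from any of its participants. It assumes a Linux firewall with the LAN on eth1, an authorized MTA at 192.168.1.10, and a syslog/kernel log in the standard iptables LOG format; the sample log lines are constructed for illustration. Interface, address and chain names are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): egress filtering for
# outbound SMTP on a Linux firewall, plus triage of the resulting log lines.
# Assumed values: LAN interface eth1, authorized MTA 192.168.1.10.

# Print the iptables commands rather than running them, so they can be
# reviewed first and then applied with:  smtp_egress_rules 192.168.1.10 eth1 | sh
# Only the MTA may open port 25 outward; everything else is logged
# (rate-limited so a spam bot cannot flood the log) and rejected.
smtp_egress_rules() {
    mta="$1"
    lan_if="$2"
    cat <<EOF
iptables -N SMTP_EGRESS 2>/dev/null || iptables -F SMTP_EGRESS
iptables -A SMTP_EGRESS -s $mta -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SMTP_EGRESS_BLOCKED: " --log-level 4
iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i $lan_if -p tcp --dport 25 -j SMTP_EGRESS
iptables -I OUTPUT -p tcp --dport 25 -j SMTP_EGRESS
EOF
}

# Constructed sample of what the LOG target writes to the kernel log
# (addresses are documentation/private ranges, not real hosts).
SAMPLE_LOG='Mar 28 10:15:00 fw kernel: SMTP_EGRESS_BLOCKED: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=51234 DPT=25
Mar 28 10:15:02 fw kernel: SMTP_EGRESS_BLOCKED: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51235 DPT=25
Mar 28 10:16:10 fw kernel: SMTP_EGRESS_BLOCKED: IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=40001 DPT=25'

# Read log lines on stdin and list blocked internal sources, busiest first.
# Output lines look like "      2 192.168.1.37".
blocked_smtp_sources() {
    grep 'SMTP_EGRESS_BLOCKED' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Address with the most blocked attempts; this is the machine to inspect first.
top_blocked_source() {
    blocked_smtp_sources | head -n 1 | awk '{print $2}'
}

# Before the rules are in place, the same question can be answered live with
# tcpdump by watching only the SYNs that open outbound SMTP connections:
#   tcpdump -ni eth1 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# Stand-alone run: show the rules and the triage on the constructed sample.
smtp_egress_rules 192.168.1.10 eth1
printf '%s\n' "$SAMPLE_LOG" | blocked_smtp_sources
```

The REJECT with a TCP reset (rather than DROP) makes a misbehaving host fail fast instead of hanging, which is easier to spot in that host's own logs. Submission ports 465 and 587 are not covered because they require authentication at the remote server; if the upstream provider also relays on those ports, add them to the two `-I` lines the same way.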