[vcf-midatlantic] OT: help needed with network problem

Bill Degnan billdegnan at gmail.com
Mon Mar 28 21:01:46 UTC 2022


My guess is that someone is using your mail server as a passthrough
gateway.  You have to block incoming requests that do not originate from
your mail server.  Every mail server is different but the crux of it is
that you're being used to send smtp traffic through your mail server.  You
need to look up your mail server and see what the specific process is.  You
may have it in passthrough mode.

Yours would not be the only one with this issue.  Once you fix it, it
should take about 48 hours for the blacklist to clear, or you can submit a
blacklist removal ticket request.

Bill

On Mon, Mar 28, 2022 at 12:39 PM William Dudley via vcf-midatlantic <
vcf-midatlantic at lists.vcfed.org> wrote:

> The only user accounts are me and my ex-wife, and she only interacts with
> my
> network via ssh (public key only, no passwords) and a simple web interface.
> I do run a web server, but all static pages OR Perl CGI driven pages; no
> Wordpress.
> I suppose I should get the ex-wife to run a malware check on her machine.
>
> Thanks for your thoughts.
>
> Bill Dudley
>
> This email is free of malware because I run Linux.
>
>
> On Mon, Mar 28, 2022 at 11:29 AM Ethan O'Toole <telmnstr at 757.org> wrote:
>
> >
> > Make sure none of your user accounts are compromised. On 757.org we had
> > one of the user's accounts get popped and outsiders were slow rolling
> > spams through it.
> >
> > Are you running web services on it? That is another potential point of
> > entry. Outdated wordpress plugins and wordpress accounts, stuff like
> > that.
> >
> > It's a PITA to troubleshoot. And a PITA to get removed from blocks,
> > especially O365 and Google.
> >
> >                         - Ethan
> >
> >
> > On Mon, 28 Mar 2022, William Dudley via vcf-midatlantic wrote:
> >
> > > This has naught to do with vintage computers, but I need help,
> > > and this audience likely has one or more folks who can help.
> > >
> > > I run my own mail server; I have for many years.
> > > Lately, spamhaus.org has blocked me for ONE suspect
> > > email from my network.
> > >
> > > Here is ALL the bad activity from my IP for the last three months:
> > >
> > > (IP address, timestamp (UTC), and HELO string)
> > > 98.109.205.15 2022-03-28 10:15:00 instructure.com
> > > 98.109.205.15 2022-03-15 08:05:00 instructure.com
> > > 98.109.205.15 2022-01-21 16:10:00 localhost
> > >
> > > It's a funny kind of malware that sends two messages 15 days apart.
> > >
> > > I can't figure out where it's coming from, and my knowledge of
> > > iptables and tcpdump is insufficient to do the following jobs:
> > >
> > > 1. figure out where this bad email is coming from
> > > 2. block port 25 outbound at my firewall except from
> > > the ONE machine authorized to send email.
> > >
> > > I am willing to PAY for help with this.
> > >
> > > Email me if you think you can help and would like to try.
> > >
> > > Thanks,
> > > Bill Dudley
> > >
> > > This email is free of malware because I run Linux.
> > >
> >
>
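One way to do both of the jobs asked for in the original message on a Linux firewall, as an added example that is not part of this thread: permit port-25 egress only from the authorized mail host, log and drop everything else, and then read the dropped attempts out of the kernel log to see which LAN host is generating them. It assumes a Linux box forwarding the LAN's traffic with iptables, LAN interface eth1, authorized mail host 192.0.2.10 and the sample log lines (all constructed values); if the mail server runs on the firewall itself, the same chain is attached to OUTPUT instead of FORWARD.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed assumptions:
MAIL_HOST=192.0.2.10   # the ONE machine allowed to send mail directly
LAN_IF=eth1            # interface facing the LAN

# Emit iptables rules: SMTP egress from MAIL_HOST is accepted; any other
# LAN host hitting tcp/25 is logged (rate-limited) and dropped. The LOG
# prefix is what dropped_smtp_sources() keys on below.
smtp_egress_rules() {
    cat <<EOF
iptables -N SMTP_EGRESS
iptables -A SMTP_EGRESS -s $MAIL_HOST -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 5/min -j LOG --log-prefix "SMTP_EGRESS_DROP "
iptables -A SMTP_EGRESS -j DROP
iptables -I FORWARD -i $LAN_IF -p tcp --dport 25 -j SMTP_EGRESS
# Live view of the same thing while the rules bed in:
#   tcpdump -ni $LAN_IF 'tcp dst port 25 and not src host $MAIL_HOST'
EOF
}

# Read kernel log lines on stdin and print each offending LAN source
# address with a count, busiest first. Only SMTP_EGRESS_DROP lines count.
dropped_smtp_sources() {
    grep 'SMTP_EGRESS_DROP' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Constructed sample of what /var/log/kern.log would hold after a day:
# 192.0.2.57 tried twice, 192.0.2.88 once. Neither is the mail host.
SAMPLE_LOG='Mar 28 10:15:00 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=25
Mar 28 10:15:02 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.6 PROTO=TCP SPT=51235 DPT=25
Mar 28 10:16:00 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=192.0.2.88 DST=203.0.113.9 PROTO=TCP SPT=40000 DPT=25'

# "rules" prints the firewall script; anything else analyses the sample log.
if [ "${1:-}" = "rules" ]; then
    smtp_egress_rules
else
    printf '%s\n' "$SAMPLE_LOG" | dropped_smtp_sources
fi
```

In real use, pipe `grep SMTP_EGRESS_DROP /var/log/kern.log` into `dropped_smtp_sources` instead of the sample; the top entry is the machine to inspect.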

