[vcf-midatlantic] OT: help needed with network problem
William Dudley
wfdudley at gmail.com
Mon Mar 28 21:43:27 UTC 2022
Bill,
I've never heard of "passthrough mode", but I have heard of "open relay",
and my server does not allow relaying except for specific hosts on my
network.
(Relaying is denied by default on any even semi-recent sendmail
installation.)
I have relaying allowed for three specific machines on my LAN (and I just
disabled one of those). Thanks for that suggestion, assuming that was
your intent.
The blacklist is already removed; spamhaus will remove a block on the
assumption that you're working on the problem (assuming you ask nicely).
Thanks,
Bill Dudley
This email is free of malware because I run Linux.
On Mon, Mar 28, 2022 at 5:03 PM Bill Degnan via vcf-midatlantic <
vcf-midatlantic at lists.vcfed.org> wrote:
> My guess is that someone is using your mail server as a passthrough
> gateway. You have to block incoming requests that do not originate from
> your mail server. Every mail server is different but the crux of it is
> that you're being used to send smtp traffic through your mail server. You
> need to look up your mail server and see what the specific process is. You
> may have it in passthrough mode.
>
> Yours would not be the only one with this issue. Once you fix, it
> should take about 48 hours for the blacklist to clear, or you can submit a
> blacklist removal ticket request.
>
> Bill
>
> On Mon, Mar 28, 2022 at 12:39 PM William Dudley via vcf-midatlantic <
> vcf-midatlantic at lists.vcfed.org> wrote:
>
> > The only user accounts are me and my ex-wife, and she only interacts with
> > my network via ssh (public key only, no passwords) and a simple web
> > interface.
> > I do run a web server, but all static pages OR Perl CGI driven pages; no
> > Wordpress.
> > I suppose I should get the ex-wife to run a malware check on her machine.
> >
> > Thanks for your thoughts.
> >
> > Bill Dudley
> >
> > This email is free of malware because I run Linux.
> >
> >
> > On Mon, Mar 28, 2022 at 11:29 AM Ethan O'Toole <telmnstr at 757.org> wrote:
> >
> > >
> > > Make sure none of your user accounts are compromised. On 757.org we had
> > > one of the user's accounts get popped and outsiders were slow rolling
> > > spams through it.
> > >
> > > Are you running web services on it? That is another potential point of
> > > entry. Outdated wordpress plugins and wordpress accounts, stuff like
> > > that.
> > >
> > > It's a PITA to troubleshoot. And a PITA to get removed from blocks,
> > > especially O365 and Google.
> > >
> > > - Ethan
> > >
> > >
> > > On Mon, 28 Mar 2022, William Dudley via vcf-midatlantic wrote:
> > >
> > > > This has naught to do with vintage computers, but I need help,
> > > > and this audience likely has one or more folks who can help.
> > > >
> > > > I run my own mail server; I have for many years.
> > > > Lately, spamhaus.org has blocked me for ONE suspect
> > > > email from my network.
> > > >
> > > > Here is ALL the bad activity from my IP for the last three months:
> > > >
> > > > (IP address, timestamp (UTC), and HELO string)
> > > > 98.109.205.15 2022-03-28 10:15:00 instructure.com
> > > > 98.109.205.15 2022-03-15 08:05:00 instructure.com
> > > > 98.109.205.15 2022-01-21 16:10:00 localhost
> > > >
> > > > It's a funny kind of malware that sends two messages 15 days apart.
> > > >
> > > > I can't figure out where it's coming from, and my knowledge of
> > > > iptables and tcpdump is insufficient to do the following jobs:
> > > >
> > > > 1. figure out where this bad email is coming from
> > > > 2. block port 25 outbound at my firewall except from
> > > > the ONE machine authorized to send email.
> > > >
> > > > I am willing to PAY for help with this.
> > > >
> > > > Email me if you think you can help and would like to try.
> > > >
> > > > Thanks,
> > > > Bill Dudley
> > > >
> > > > This email is free of malware because I run Linux.
> > > >
> > >
> >
>
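The two jobs asked for at the start of the thread (find which LAN host is opening outbound port 25, then allow only the one mail server to do so) can be done with an iptables LOG rule followed by a deny-by-default egress rule. The script below is an added example, not code from the thread or from any participant. It assumes a Linux router running iptables between the LAN and the Internet, a WAN interface named eth0 and an authorized mail server at 192.168.1.10 (both overridable through the environment); the kernel log lines it parses are constructed for illustration. If the report shows the mail server itself as the only source, the sender is behind the mail server, and the next place to look is sendmail's own log for the relaying client or authenticated user; if the router is also the mail server, the rules belong in OUTPUT rather than FORWARD.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumptions (change to match the site):
#   - this script runs on the Linux box that routes the LAN to the Internet
#   - WAN_IF is its Internet-facing interface
#   - MAIL_HOST is the one LAN machine allowed to speak SMTP to the outside
# Usage:  sh smtp-egress.sh dry-run     # print the iptables commands only
#         sh smtp-egress.sh install     # apply them (needs root)
#         grep 'SMTP-OUT' /var/log/kern.log | sh smtp-egress.sh report
WAN_IF="${WAN_IF:-eth0}"
MAIL_HOST="${MAIL_HOST:-192.168.1.10}"

# Run iptables, or just print the command when DRY_RUN is set.
run_ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Build the SMTP_OUT chain.  Every forwarded TCP/25 connection attempt is
# logged with the prefix "SMTP-OUT: " (job 1: find the source), then only
# MAIL_HOST is allowed through and everything else is rejected (job 2).
# The limit matches keep a spam bot from flooding the kernel log.
smtp_rules() {
    run_ipt -N SMTP_OUT 2>/dev/null || true
    run_ipt -F SMTP_OUT
    run_ipt -A SMTP_OUT -m conntrack --ctstate NEW \
        -m limit --limit 30/min -j LOG --log-prefix "SMTP-OUT: "
    run_ipt -A SMTP_OUT -s "$MAIL_HOST" -j ACCEPT
    run_ipt -A SMTP_OUT -m limit --limit 10/min -j LOG --log-prefix "SMTP-OUT-DROP: "
    run_ipt -A SMTP_OUT -j REJECT --reject-with tcp-reset
    # Hook the chain into FORWARD once (-C checks whether the jump exists).
    if [ -n "${DRY_RUN:-}" ] || ! iptables -C FORWARD -o "$WAN_IF" -p tcp --dport 25 -j SMTP_OUT 2>/dev/null; then
        run_ipt -I FORWARD 1 -o "$WAN_IF" -p tcp --dport 25 -j SMTP_OUT
    fi
}

# Summarise kernel log lines written by the "SMTP-OUT: " LOG rule (read from
# stdin): connection attempts per LAN source address and the last destination
# each one tried, flagging every address other than MAIL_HOST.
smtp_report() {
    awk -v ok="$MAIL_HOST" '
        /SMTP-OUT: / && / DPT=25( |$)/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            n[src]++; last[src] = dst
        }
        END {
            for (s in n)
                printf "%s %d %s last_dst=%s\n", s, n[s],
                       (s == ok ? "authorized" : "UNAUTHORIZED"), last[s]
        }' | sort
}

# Constructed sample of what the LOG rules produce: the mail server makes one
# connection, an unrelated LAN host (192.168.1.23) makes two and gets rejected.
SAMPLE_LOG='Mar 28 06:14:58 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40120 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 28 06:15:00 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 28 06:15:00 gw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 28 06:15:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 28 06:15:06 gw kernel: eth0: link is up'

# Run the report over the constructed sample (used by "demo").
report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | smtp_report
}

case "${1:-}" in
    dry-run) DRY_RUN=1 smtp_rules ;;
    install) smtp_rules ;;
    report)  smtp_report ;;
    demo)    report_sample ;;
    *) ;;
esac
```

Run it in dry-run mode first and read the printed rules; then install, let the LOG rule run for a day or two, and feed the kernel log to the report. The host that shows up as UNAUTHORIZED is the one to inspect; the REJECT rule keeps it from reaching the outside in the meantime regardless of what is running on it.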