[exim] Slightly OT - possible reasons for ending on Spamhaus…

Top Page
Delete this message
Reply to this message
Author: Sebastian Arcus
Date:  
To: exim-users
Subject: [exim] Slightly OT - possible reasons for ending on Spamhaus blacklist
This is slightly off-topic, but if anyone could shed some light, it
would be very much appreciated. A few days ago I started having issues
with the public IP address of one network I look after ending up on the
Spamhaus XBL and CSS blacklists. I have taken good hard look at the
setup and applied to be delisted twice, but it is blacklisted again - so
I must be missing something. The following applies to this site:

1. Port 25 outbound is completely blocked for the entire network, except
our inhouse email server which uses Exim
2. The inhouse server doesn't do any sort of relaying.
3. The site doesn't do any sort of marketing or mailing list type
activity as far as I know - and the Spamhaus detected connections are
out of working hours - so this being caused by employees sending any
unwanted emails seems unlikely.
4. I have checked the Exim logs, and there is no sign so far it has been
compromised in any way, or it is sending out any unusual email traffic.
5. This is a low volume site - I would say less than 100 emails sent per
day.
6. Spamhaus provides the date and timestamp of last rogue connection
detected - but there is nothing in our Exim log which matches that date
and time.
7. The information they provided is:

(IP, UTC timestamp, HELO value)
<our.public.ip> 2024-04-18 05:25:00 <our.exim.fqdn.and.helo>

The wording on Spamhaus' website is a bit generic, and seems to hint
that you can end up blacklisted if infected with a variety of other
viruses/exploits, not only those to do with smtp. However, because of
the format of the info above, I was digging in the direction of an
exploit which uses smtp to spam the internet.

Does anybody here have some experience with Spamhaus blacklists? Am I
barking up the wrong tree, and should I cast the net wider, and look for
any type of infection which scans any other ports on the internet - not
only the type which would be scanning smtp servers on port 25 trying to
send spam - which in our case should technically be impossible, as port
25 outbound is blocked completely on the gateway/firewall? Grateful for
any hints - as just it would be useful to narrow down a bit what am I
looking for.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/