Public IP blacklisted by spamhaus

My public IP has been blacklisted by spamhaus eight days ago. Upon a request for more information they sent me the following:

Your PUBLICIP has been classified as part of a third-party proxy network. At this time, your IP and bandwidth are being exploited by at least one residential proxy reseller.

Having an unknown 3rd party proxy on your network opens up many different types of abuse. Spam is just one of them, but these proxies are also used for fraudulent account creation, account takeovers, stolen browser identities, click/ad fraud, as well as stealing PII and other data.

–HOW TO FIX THIS PROBLEM

Do you have one or more local SMTP servers? The problem is NOT your mail server. It is never the mail server. It is always someone’s mobile device (phone, laptop, tablet), or more rarely a computer, somewhere on the LAN. There can be more than one device.

a) Make sure port 25 access is limited to your mail server access only / end-users should be using SMTP authentication on port 587 or 465
b) Do you have mail server(s) and clients NAT’d on the same public address?
c) Set up logging or a pcap such as Wireshark at the firewall to find the infected device(s)

This is NOT your mail server:
(IP, UTC timestamp, HELO value)
PUBLICIP 2024-06-10 12:20:00 PUBLICIP-philadelphia.hfc.comcastbusiness.net
PUBLICIP 2024-05-28 13:50:00 mx.verifex.co

I have pfsense running, and a few vlans within my pfsense. However, I am not blocking port 25 on any of them. As their reply recommends, I was thinking of blocking port 25 on all my vlans, and only allowing it for my smtp server.

Has anyone experienced similar problems to this lately? Here is a very interesting reading as to how android devices are being used to do this proxy stuff.
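One way to act on Spamhaus's step c) above, as an added example that is not part of the original post: a small Python script that reads pfSense firewall log lines and reports every internal host, other than the mail server, that attempted an outbound TCP/25 connection. The log lines, interface names and addresses are constructed for this example, following the pfSense 2.4+ filterlog CSV layout.

```python
import re
from collections import Counter

# The only host that may speak SMTP on port 25 outbound (constructed RFC 5737 address)
MAIL_SERVER = "192.0.2.25"
SMTP_PORTS = {"25"}

# Constructed pfSense filterlog lines (IPv4). Field layout assumed here:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto_id,proto,length,src,dst,sport,dport,...
SAMPLE_LOG = """\
Jun 10 12:20:01 fw filterlog[4711]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.25,198.51.100.10,51234,25,0,S,1,,65535,,mss
Jun 10 12:20:03 fw filterlog[4711]: 5,,,1000000103,igb2,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.30.0.77,203.0.113.9,40022,25,0,S,2,,65535,,mss
Jun 10 12:20:04 fw filterlog[4711]: 5,,,1000000103,igb2,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.30.0.77,203.0.113.44,40023,25,0,S,3,,65535,,mss
Jun 10 12:20:05 fw filterlog[4711]: 5,,,1000000103,igb3,match,pass,in,4,0x0,,64,0,0,DF,17,udp,76,10.40.0.12,192.0.2.53,50000,53,56
Jun 10 12:20:06 fw filterlog[4711]: 5,,,1000000103,igb3,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.40.0.12,198.51.100.10,40100,587,0,S,4,,65535,,mss
"""

# Strip the syslog prefix so only the comma-separated filterlog payload remains
CSV_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")

def parse_filterlog(line):
    """Return (iface, action, direction, proto, src, dst, dport) or None for non-IPv4/unparseable lines."""
    m = CSV_RE.search(line)
    f = (m.group(1) if m else line).split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    return f[4], f[6], f[7], f[16], f[18], f[19], f[21]

def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Count outbound TCP/25 attempts per (interface, source) excluding the mail server."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        iface, action, direction, proto, src, dst, dport = rec
        # On a LAN/VLAN interface, direction "in" is traffic from the LAN toward the firewall,
        # i.e. a LAN host trying to reach the Internet
        if direction == "in" and proto == "tcp" and dport in SMTP_PORTS and src != mail_server:
            hits[(iface, src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (iface, src), n in rogue_smtp_sources(SAMPLE_LOG).items():
        print(f"{iface} {src}: {n} outbound TCP/25 attempts")
```

Run against the real log (for example the output of `clog /var/log/filter.log` on pfSense) once a logging pass rule for destination port 25 is in place; each reported host is a candidate for the device Spamhaus describes.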

I literally just did this today. Basically if you are sending email over smtp port 25 (unencrypted) then ISPs flag your IP for potential spam. All you need to do is click the checkbox that you run your email server and then supply your name and email. They send you a link and when you go to the link it will clear your IP.

Or you use authentication to send your mail which would be over 587 or 465 (encrypted)

Unfortunately this specific site does not give me that option. I’ve already opened a ticket, told them I run my own mail server and mentioned that I’ve blocked 25 coming out from anywhere that isn’t my mail server.

It seems like something inside my network was sending emails for mx.verifex.co and hence it got blocked.

I have no idea what it could be. But according to the article they sent, restricting outbound SMTP 25 to the mail server only should fix this issue.

Crazy thing is that it could be ANYTHING, an app, software. Mind you there are about 300 unique devices in my network. Literally finding a needle and I need 25 open YESTERDAY. I’m hoping the pfsense rules alleviate all this.

I wasn’t even aware of this problem, seems like it really just surged a few years ago