Xen Orchestra email backup report blocked by SpamHaus / pfSense monitoring on port 25

Hello all,

Since yesterday, I’m not able to send email report from XenOrchestra anymore, this what I get in the logs:

Code: -32000

Message: Can’t send mail - all recipients were rejected: 550 5.7.1 Service unavailable, Client host [MY_IP_ADDRESS] blocked using Spamhaus. To request removal from this list see https://www.spamhaus.org/query/ip/MY_IP_ADDRESS AS(XXX) [AM1PEPF000252DD.eurprd07.prod.outlook.com 2025-03-19T14:35:56.647Z 08DD65841610DA38]

I tried sending email with the same parameters from a different computer, I got the same error log.

First of all, is that Spamhaus service legit?

I’m using direct SMTP send on port 25 through Microsoft 365 (see here for details).
This is the easiest way I found to send email to our domain without creating a specific user.

If I go to the Spamhaus website following the link in the log, it says:

MY_IP_ADDRESS has been classified as part of a third-party proxy network. There is a type of malware using this IP that installs a third-party proxy that could be used for nearly anything, including sending spam or stealing customer data.

The proxy is installed on a device - usually an Android phone, firestick, smart doorbell, etc, but can be anything that has software on it - that is using your IP to send spam DIRECTLY to the internet via SMTP port 25: This is very often the result of third party “free” apps like VPNs, channel unlockers, streaming, task bar modifiers, etc.

I then tried to monitor what’s going out of our pfSense gateway by adding a specific rule for port 25 on all LAN/Guest/VLANs interfaces, with Log packets that are handled by this rule option activated. This rule is just before the rule letting the interfaces accessing the internet.


If I send an email through SMTP on port 25, I can now see it in the firewall logs by filtering on destination port 25.

The trouble is that after a few minutes, it disappears from the logs, even though the log rotation size has been increased to 50 GB and is actually only using 38 MB.

I’m not good at monitoring traffic, are there better ways to do this?

Any suggestions would be welcome.

Many thanks

Spamhaus is legit. Routing email through port 25 has been heavily scrutinized for a long time.

I use SMTP2GO for an email relay. It requires some DNS records but not that hard to do and it hasn’t been an issue for pfsense and xen orchestra messages that I count on.


Thanks for the info about SMTP2GO, I’ll have a look.
In the meantime, I switched to my ISP SMTP server (using TLS) and it’s working fine.

But I still need to monitor what’s going on outbound port 25.
Can someone give me best practices to achieve that?

I’m gonna mirror the port that goes to my ISP modem and do packet capture on port 25 to see first of all if there is indeed a lot of activity. If so, I would need to do that from the firewall to see which machines are generating that traffic.
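An added example, not from any post in this thread: once the pfSense filterlog lines for the port-25 rule are kept somewhere durable (a remote syslog host is assumed here, since the firewall's own log buffer is what the original post saw being overwritten), a small parser can tell which LAN hosts are opening SMTP connections and how many distinct destinations each one contacts. A host sending backup reports talks to one relay; one LAN host fanning out to many mail servers is the proxy-malware pattern the Spamhaus listing describes. The log lines and addresses below are constructed, not captured traffic; the field positions follow the pfSense filterlog CSV layout.

```python
import re
from collections import defaultdict

# Constructed sample of pfSense filterlog syslog lines (not real traffic).
SAMPLE_LOG = """\
Mar 19 14:35:50 pfSense filterlog[41234]: 7,,,1770001234,igb1,match,pass,out,4,0x0,,63,12345,0,DF,6,tcp,60,192.168.10.23,198.51.100.25,49152,25,0,S
Mar 19 14:35:51 pfSense filterlog[41234]: 7,,,1770001234,igb1,match,pass,out,4,0x0,,63,12346,0,DF,6,tcp,60,192.168.10.23,203.0.113.9,49153,25,0,S
Mar 19 14:35:52 pfSense filterlog[41234]: 7,,,1770001234,igb1,match,pass,out,4,0x0,,63,12347,0,DF,6,tcp,60,192.168.10.23,198.51.100.44,49154,25,0,S
Mar 19 14:36:01 pfSense filterlog[41234]: 7,,,1770001234,igb1,match,pass,out,4,0x0,,63,99,0,DF,6,tcp,60,192.168.10.5,203.0.113.10,50001,587,0,S
Mar 19 14:36:05 pfSense filterlog[41234]: 7,,,1770001234,igb1,match,pass,out,4,0x0,,63,100,0,DF,6,tcp,60,192.168.10.7,198.51.100.25,50002,25,0,S
Mar 19 14:36:07 pfSense filterlog[41234]: 7,,,1770001234,igb2,match,pass,out,4,0x0,,63,101,0,DF,17,udp,80,192.168.20.4,198.51.100.53,40000,53,60
"""

FILTERLOG = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")

def parse_filterlog(line):
    """Return (src, dst, proto, dport) for an IPv4 TCP/UDP filterlog line, else None."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Fields 0-8 are common (8 = IP version); IPv4 adds fields 9-19
    # (16 = protocol name, 18 = src, 19 = dst); TCP/UDP ports start at 20.
    if len(f) < 22 or f[8] != "4":
        return None
    proto, src, dst = f[16], f[18], f[19]
    if proto not in ("tcp", "udp"):
        return None
    return src, dst, proto, int(f[21])

def smtp_talkers(log_text, port=25):
    """Map each source IP to the set of distinct hosts it contacted on TCP `port`."""
    talkers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec[2] == "tcp" and rec[3] == port:
            talkers[rec[0]].add(rec[1])
    return talkers

def suspicious_hosts(talkers, max_destinations=1):
    """Sources contacting more distinct SMTP servers than a single relay would explain."""
    return sorted(src for src, dsts in talkers.items() if len(dsts) > max_destinations)

if __name__ == "__main__":
    t = smtp_talkers(SAMPLE_LOG)
    for src, dsts in sorted(t.items()):
        print(f"{src}: {len(dsts)} distinct port-25 destination(s)")
    print("hosts to review:", suspicious_hosts(t))
```

The same filter applied to a live feed (syslog or a pcap from the mirrored modem port converted to the same fields) gives the per-host view the firewall GUI loses once its buffer rolls over.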