Koozali.org: home of the SME Server

SPAM blacklists

brainamess
SPAM blacklists
« on: October 18, 2016, 09:37:36 PM »
Hello everyone,

I am blacklisted for spam, I presume. I am trying to see how I can check if one of our email addresses is mass-sending emails and, if it is happening, which one.

I was wondering what you guys do to figure this out with SME. I can see all the logs, but I am not sure which one would tell me exactly what I need to know, and was hoping I could get some help in the matter :)

Have a great day!

CharlieBrady
Re: SPAM blacklists
« Reply #1 on: October 18, 2016, 11:22:58 PM »
There will be no logs if a device on the LAN is infected with malware which is sending SPAM directly via SMTPS.

Usually the blacklisting service will provide information as to why the server's IP has ended up on a list. Every blacklist is different in detail.

brainamess
Re: SPAM blacklists
« Reply #2 on: October 18, 2016, 11:43:36 PM »
Thanks for the response. I have contacted the blacklisters. I will see what they say :)


Stefano
Re: SPAM blacklists
« Reply #3 on: October 19, 2016, 12:47:46 AM »
In the meanwhile...

1) disconnect your clients from the WAN, do an extensive AV/antispyware scan on all of them
2) if your server has some web app onboard (WordPress, Joomla...), please disconnect the server too and start digging in the logs
Start reading these:
https://forums.contribs.org/index.php/topic,51624.msg262911.html#msg262911
https://forums.contribs.org/index.php/topic,50701.msg255705.html#msg255705

HTH

brainamess
Re: SPAM blacklists
« Reply #4 on: October 19, 2016, 01:22:37 AM »
That is pretty much what I needed to hear. Thanks.

I know I need to get to the bottom of it. I hope knowing why I am blacklisted will help, but I am starting at the bottom.

I appreciate you guys!

mmccarn
Re: SPAM blacklists
« Reply #5 on: October 19, 2016, 12:53:15 PM »
SME Server by default will block any outbound connections from your LAN workstations attempting to connect to an external SMTP server on port 25. You can check your setting for this in server-manager under 'Security' / 'Proxy settings' / SMTP proxy status (the default setting is 'Blocked').

If your SME is blocking outbound SMTP traffic, the outbound SPAM is either being relayed through your SME server or it's being sent out on another common SMTP port (465 or 587).

You can look for outbound SMTP traffic as described here:
Mail log file analysis#qmail: Outgoing SMTP traffic

You can monitor traffic passing through your SME server in real time using 'iptraf'. There's no particularly useful wiki page on iptraf, but there are some forum discussions that might help: Google search for iptraf

If you find that one of your workstations is generating lots of traffic to outbound systems on port 465 (SMTPS), you may be able to block that in your SME server - there are some old notes about using custom template fragments to block outgoing traffic (these are very old notes; proceed with caution):
https://wiki.contribs.org/Firewall#Block_outgoing_ports

If your LAN switches provide traffic monitors you might also figure out which workstation is causing problems by looking for unexpectedly high traffic there.

There could be nothing wrong with your workstations or network: many DNSBL services block IP addresses that they consider to be dynamic (IPs intended for home users). Or, if your ISP has 3 or more infected (or spamming) clients on the same class C subnet, your entire subnet could be blocked (including your IP). You can research which block lists are blocking your mail and why using the MX Toolbox Blacklist Tool.

Another possibility -
Some email providers will not accept your email if the name returned by the 'reverse lookup' of your IP address does not, in its turn, result in your IP address when it itself is looked up. It doesn't necessarily need to match your configured domain name, but it has to work both ways.

For example, if nslookup d.c.b.a.in-addr.arpa (the reverse lookup for your IP) returns dsl-a-b-c-d.mycity.myispsname.com, then before trying to send email directly from your SME to the Internet at large you want to make sure that nslookup dsl-a-b-c-d.mycity.myispsname.com returns your a.b.c.d and not an error or some other address.
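The round-trip check in the last paragraph, written out as an added example (not code from this thread or from SME Server): a small Python script that looks up the PTR for an IP, resolves that name forward again and reports whether the original address comes back. The resolver functions are injectable, and the stub tables (TEST-NET-3 addresses with made-up ISP-style names) are constructed so the logic can be exercised offline.

```python
import socket
from typing import Dict, List

def reverse_lookup(ip: str) -> List[str]:
    """PTR name(s) for ip via the system resolver; [] when there are none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def forward_lookup(name: str) -> List[str]:
    """A/AAAA addresses for name; [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def fcrdns_check(ip: str, reverse=reverse_lookup, forward=forward_lookup) -> Dict[str, object]:
    """Classify ip as 'ok', 'no-ptr', 'ptr-unresolvable' or 'mismatch'.
    Resolvers are injectable so the logic runs against constructed data."""
    ptrs = reverse(ip)
    if not ptrs:
        return {"status": "no-ptr", "ptr": None, "forward": []}
    seen: List[str] = []
    for ptr in ptrs:                      # any PTR that maps back is enough
        addrs = forward(ptr)
        if ip in addrs:
            return {"status": "ok", "ptr": ptr, "forward": addrs}
        seen.extend(addrs)
    status = "mismatch" if seen else "ptr-unresolvable"
    return {"status": status, "ptr": ptrs[0], "forward": seen}

# Constructed sample zone: TEST-NET-3 addresses, made-up ISP-style names.
STUB_PTR = {
    "203.0.113.10": ["dsl-203-0-113-10.mycity.myispsname.com"],  # round-trips
    "203.0.113.11": ["mail.example.com"],                        # maps to another IP
    "203.0.113.12": ["ghost.example.com"],                       # PTR has no A record
}
STUB_A = {
    "dsl-203-0-113-10.mycity.myispsname.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.99"],
}

def stub_reverse(ip: str) -> List[str]:
    return STUB_PTR.get(ip, [])

def stub_forward(name: str) -> List[str]:
    return STUB_A.get(name, [])
```

Calling `fcrdns_check("a.b.c.d")` with the default resolvers runs the real lookup against the system resolver; anything other than 'ok' is what a strict receiving mail server will see too.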