Spamhaus XBL keeps adding my IP

email spam

Several days ago I found a message which was rejected in my inbox. It said that my IP is listed on Spamhaus XBL. Their page states: The reasons could be an Open Proxy or Spambot/Trojans.

Checked all of my logs, couldn't find any suspicious traffic or outgoing E-Mails. So far so good. I still didn't trust it and reinstalled the whole Mailserver (Postfix/Dovecot) and made sure everything is setup correctly. Mails are being send through SMTP on Port 465 (SSL) only. Also the only Mails that are being send through this server are coming from a forum of mine (notifications for new posts/messages/etc).

2 days later I got another rejected message... Same happened again: Spamhaus XBL entry. Only legit traffic/mails again in my logs, nothing suspicious.

How do I actually solve this?

Edit: Should mention that I'm using a static IP.
I also set a valid SPF entry:

v=spf1 ip4:xx.xx.xx.xx -all

Solution 1:

If you don't have much outgoing mail, I'd setup a packet capture on port 25 (SMTP) do check if something else than your mail server is sending suspicious mails to the Internet.

As the Spamhaus page speaks of an "Open proxy", did you try portscanning your server from the Internet to see if there is any service that should not be there? For example a Squid server or other HTTP proxy allowing CONNECT requests to port 25...

Solution 2:

I would start with the following

  • Block inbound to 25 if you do not have this server listed as an MX preference (if you authenticate and send only, open 587 which is the email submission port).
  • Ensure you have unsubscribe links for any message sent automatically
  • Ensure you can track NDR's (if you continue to send junk to non-existent mailboxes you will be marked as an abuser)
  • Check and make sure your sending domain has an abuse@ and postmaster@ email address
  • Ensure inbound connections to SMTP do not permit relays or backscatter/lashback.
  • Get a copy of all email out of postfix postconf -e [email protected]
  • Consider an ESP for temporary/permanent help
  • Sendgrid has great tools, you can use them as a relayhost with postfix and track your issues with them.

Good Luck

Related

Where should SCCM be installed in a small system?
MySQL 500% CPU Usage and Crashes Server
Resize RAID partition with GPT partition layout, without LVM
OpenDMARC with multiple MX: correct setup for trust between servers
Setting up Elastic Beanstalk application with HTTPS
Are Dell PowerVault MD3200 EMMs compatible with the MD1200 chassis/midplane?
How can I generate and use a third-party certificate on a Remote Desktop Server?
Finding local IP addresses using Python's stdlib under Debian jessie
IP Address is very slow compared to loopback address
Write permission to a specific file without changing ownership
Is it possible (how?) to Route incoming UDP packets with one target IP to a destination IP that is resolved through a DNS query for a static URL?
What exactly does nfs4_disable_idmapping parameter do?