
Blacklisted server

Hi,

I have had a web server continuously marked in the cbl.abuseat.org blacklist. I can't find which one it is... I know that I can block port 25, but I would like to know which one is the spammer....

Any ideas how to find it in the logs?

Best regards.



This thread was automatically locked due to age.
  • I am not able to understand what you exactly mean.

    So your firewall drops spam emails in the first place. Do you assume it's a false positive and it's one of your web servers, or what is your detailed issue?


  • Sorry, I will give more information.

    Network configuration:
    - 2 public ips;
    - DMZ zone for primary servers, NATed behind public IP 1. The local email server is in the DMZ zone.
    - Lan1 for local users, NATed behind public IP 2. SMTP ports are blocked by default by the antivirus (exceptions for some apps: Outlook, Thunderbird, etc.).
    - Lan2 for secondary servers, NATed behind public IP 2.

    SMTP ports to the WAN are open for the local email server and blocked for all other hosts, except to some networks like Gmail or Microsoft (to allow local users to use Gmail or Hotmail SMTP).

    The IP blocked in the blacklist is public IP 2, with this error:

    A device (computer, server, mobile phone, etc), or an app on a device that is using xxx.public.ip.2 is infected, insecure or compromised. It is making SMTP connections with forged HELO values on port 25.
    The observed forged HELO value was xxxx. The most recent detection occurred at: January 20 2021, 11:05:00 UTC (+/- 5 minutes)

    I suspect that the problem is in Lan2, but I can't find any related record in the log viewer...

    What is the file for the firewall log in the console? I can't find it in /log. Maybe with grep expressions I can find it more easily.

    Thanks.
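
The approach the poster is after, written out as an added example (not code from the thread or from the firewall vendor): parse packet-filter log lines, keep only new outbound TCP connections to port 25, exclude the legitimate mail server, and count attempts per internal source address, giving extra weight to the +/- 5 minute window the blacklist reported. The log lines below are constructed for the example in a generic key="value" layout; the addresses, the mail server address and the timestamp are assumptions, and parse_line() is the only thing to adjust if your firewall writes a different format.

```python
"""Rank internal hosts by outbound TCP/25 connection attempts seen in firewall logs.

Added example, not from the original thread. Assumes key="value" packet-filter
log lines (constructed below); the mail server address and detection time are
assumptions taken from the scenario described in the thread.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed: the legitimate SMTP sender in the DMZ, excluded from the suspect list.
MAIL_SERVER = "192.168.1.5"
# Detection time reported by the blacklist (UTC) and its +/- 5 minute tolerance.
DETECTED_AT = datetime(2021, 1, 20, 11, 5, 0)
WINDOW = timedelta(minutes=5)

# Constructed sample log lines (documentation address ranges used for destinations).
SAMPLE_LOG = """\
2021:01:20-11:02:41 fw ulogd[5000]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.168.1.5" dstip="198.51.100.20" proto="6" srcport="41822" dstport="25" tcpflags="SYN"
2021:01:20-11:03:12 fw ulogd[5000]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="eth2" srcip="192.168.2.37" dstip="203.0.113.9" proto="6" srcport="51002" dstport="25" tcpflags="SYN"
2021:01:20-11:03:15 fw ulogd[5000]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="192.168.2.37" dstip="203.0.113.77" proto="6" srcport="51003" dstport="25" tcpflags="SYN"
2021:01:20-11:03:40 fw ulogd[5000]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="192.168.2.37" dstip="192.0.2.14" proto="6" srcport="51004" dstport="25" tcpflags="SYN"
2021:01:20-11:04:02 fw ulogd[5000]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth1" srcip="192.168.1.22" dstip="203.0.113.9" proto="6" srcport="50211" dstport="587" tcpflags="SYN"
2021:01:20-11:04:10 fw ulogd[5000]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth2" srcip="192.168.2.37" dstip="203.0.113.50" proto="6" srcport="51010" dstport="443" tcpflags="SYN"
2021:01:20-11:09:58 fw ulogd[5000]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="eth2" srcip="192.168.2.37" dstip="203.0.113.9" proto="6" srcport="51020" dstport="25" tcpflags="SYN"
2021:01:20-10:40:00 fw ulogd[5000]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcip="192.168.2.80" dstip="198.51.100.7" proto="6" srcport="40011" dstport="25" tcpflags="SYN"
"""

TS_RE = re.compile(r"^(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of the key="value" fields plus a 'ts' datetime, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime(*map(int, m.groups()))
    return fields


def rank_suspects(log_text, detected_at=DETECTED_AT, window=WINDOW, exclude=(MAIL_SERVER,)):
    """Count new outbound TCP/25 connections per source address.

    Accepted and dropped packets both count: a host repeatedly hitting the SMTP
    block rule is as suspicious as one whose connections got through.
    Returns (srcip, total, in_window, sorted destinations), most suspicious first.
    """
    total, in_window, dests = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("proto") != "6" or f.get("dstport") != "25":
            continue
        flags = f.get("tcpflags", "")
        if "SYN" not in flags or "ACK" in flags:  # only connection attempts, not replies
            continue
        src = f.get("srcip")
        if not src or src in exclude:
            continue
        total[src] += 1
        dests[src].add(f.get("dstip", "?"))
        if abs(f["ts"] - detected_at) <= window:
            in_window[src] += 1
    return sorted(
        ((src, total[src], in_window[src], sorted(dests[src])) for src in total),
        key=lambda r: (r[2], r[1]),
        reverse=True,
    )


if __name__ == "__main__":
    for src, n, n_win, dst in rank_suspects(SAMPLE_LOG):
        print(f"{src:15} total={n:3} in_window={n_win:3} dst={','.join(dst)}")
```

Run it against the firewall's own packet-filter log instead of SAMPLE_LOG; the host at the top of the list, especially one with attempts inside the detection window, is the one to pull off the network and inspect. The quick grep equivalent for a first look is to filter lines containing `dstport="25"`, extract the `srcip="..."` field and pipe through `sort | uniq -c | sort -rn`, but that does not exclude the mail server or weight the time window.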

  • Basically, do not open port 25 for anybody. From a security point of view it's bad practice to do so.

    User email tools use 465/587 SMTP for users. Port 25 should only be used by MTAs.

    Because that's exactly what happens if you open port 25 for users.