  1. #1
    Untangler
    Join Date
    Jan 2016
    Posts
    60

    Spamhaus keeps blocking my IP

    Hello
    Spamhaus CBL keeps blocking my external IP, saying it is sending spam messages.
    I tried to investigate which client IP it is, or what my network sends as spam.

    I could not find any, yet in the last 28 days Spamhaus blocked my IP 49 times.

    Please help me: how do I detect and stop the spam that Spamhaus is detecting?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,583


    Firewall rule, block TCP 25, destination interface External.

    Your firewall will tell you where the mail is coming from very quickly.

    If you have a mail server you'll need to make an exception for it, and have it tell you who's sending all the mail.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,431


    To see who it was just look in reports:
    http://demo.untangle.com/admin/index..._port:%3D:25:1

    with condition server port = 25

    you may have to change the timeframe as needed
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    Quote Originally Posted by dmorris View Post
    To see who it was just look in reports:
    http://demo.untangle.com/admin/index..._port:%3D:25:1

    with condition server port = 25

    you may have to change the timeframe as needed

    I am monitoring traffic on port 25 daily, around the same time that Spamhaus is reporting (it is always night time).
    Since it is night time, I do not find any traffic at all on destination server port 25, and yet Spamhaus lists my IP as spam daily.
    For many days I have been trying to identify what is causing my IP to be listed as spam.

    Running Exchange server, and I reviewed the logs on Exchange. It is not sending any emails (no emails at all) during that time period.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,583


    Flip it around, you aren't looking for traffic destined to your IP on TCP 25, you're looking for traffic destined to anywhere on TCP 25.

    And if you are running Exchange on that IP address I highly recommend you put a firewall rule in to block, protocol TCP, destination port 25. Then put a pass rule above it for pass, protocol TCP, destination port 25, source IP address (Internal IP of Exchange).

    That will ensure nothing can send on TCP 25 but your email server, this is critical to avoid black listing if you're sharing an IP address with Exchange that's also being used for other systems to get to the Internet. If you aren't seeing stuff transit in the Exchange logs, it has to be something else. So once again check your firewall logs for anything destined to TCP 25, but sourced from an internal IP that isn't your Exchange server.
    Last edited by sky-knight; 07-10-2018 at 06:07 PM.

  6. #6
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    Well, no luck.
    The firewall is enabled and I still got blacklisted. Spamhaus says "The most recent detection was at Tue Jul 10 20:45:00 2018 UTC +/- 5 minutes".

    I looked at the traffic around the period of those 30 minutes, and I see only 2 events on port 25, which I have attached here.
    Could that be the reason? I am not sure those are outgoing mails,
    because the hostname is my Exchange server, the server column contains my Exchange server IP,
    the client column is some outside IP address, and the client port is 59523.

    Apart from the firewall Events report, I also looked at Network > All Session for this period of 30 minutes (when Spamhaus reported).

    I do not see any other activity when I apply a filter on the Server Port column with value 25. Or do I apply the filter on client port in the report?

    It is still being blacklisted every night.
    Attached Images

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,100


    That is incoming email so no. I'm assuming .56 is your mail server.

  8. #8
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    Quote Originally Posted by jcoffin View Post
    That is incoming email so no. I'm assuming .56 is your mail server.

    Yeah, it's the mail server.
    So what could it be now? Within that 30-minute period I checked everything but cannot figure anything out.

  9. #9
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,100


    Did you adjust UTC time of Spamhaus for your timezone? Does the Untangle have the blacklist IP as the WAN directly or is it on the upstream modem?

  10. #10
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    Yeah, I did adjust for the timezone.
    "Jul 10 20:45:00 2018 UTC +/- 5 minutes" was the time from Spamhaus, so I was looking at logs between
    Jul 11 02:00:00 am and 03:00:00 am.

    Untangle works as a bridge.

    Local Clients >>> All network switches >>>>> Untangle >>>> Router >>>> Internet
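
Added example, not part of any post in this thread: the check sky-knight describes in #5 (anything going out to TCP 25 from an internal host that is not the mail server) combined with the UTC detection window from #9 and #10, run over a session export. The export format, the 192.168.1.0/24 LAN, the 192.168.1.56 mail server address and the +05:30 log offset are assumptions constructed for the illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed session export (not from the thread): local time, client, server, server port
SESSIONS = """\
2018-07-11T02:13:40+05:30,203.0.113.9,192.168.1.56,25
2018-07-11T02:14:05+05:30,192.168.1.56,198.51.100.20,25
2018-07-11T02:16:12+05:30,192.168.1.77,198.51.100.25,25
2018-07-11T02:17:30+05:30,192.168.1.77,198.51.100.31,443
2018-07-11T04:40:00+05:30,192.168.1.90,198.51.100.25,25
"""

LAN = ipaddress.ip_network("192.168.1.0/24")         # assumed internal range
MAIL_SERVER = ipaddress.ip_address("192.168.1.56")   # assumed Exchange address
# Detection time quoted in the thread, kept in UTC
DETECTED = datetime(2018, 7, 10, 20, 45, tzinfo=timezone.utc)


def classify(client, server, port):
    """Label one session by its direction relative to the LAN."""
    if port != 25:
        return "not-smtp"
    if client not in LAN:
        return "inbound"      # outside client to our server: incoming mail
    if server in LAN:
        return "internal"
    return "mail-server" if client == MAIL_SERVER else "suspect"


def suspects(text, detected=DETECTED, margin=timedelta(minutes=5)):
    """Return (utc_time, client) for non-mail-server LAN hosts that
    opened a session to an outside port 25 inside the detection window."""
    hits = []
    for when, client, server, port in csv.reader(io.StringIO(text)):
        # Compare in UTC so the log's local offset cannot shift the window
        ts = datetime.fromisoformat(when).astimezone(timezone.utc)
        kind = classify(ipaddress.ip_address(client),
                        ipaddress.ip_address(server), int(port))
        if kind == "suspect" and abs(ts - detected) <= margin:
            hits.append((ts.isoformat(), client))
    return hits


if __name__ == "__main__":
    for ts, client in suspects(SESSIONS):
        print(ts, client)
```

Widening `margin` shows hosts that send to port 25 outside the reported window as well, which helps when the listing recurs nightly.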
