I've gone through this: Spamhaus XBL keeps adding my IP
I'm managing the server 23.239.30.81 on Ubuntu using Postfix.
For the last 6 months or so I have been forwarding all my:
- Cron Daemon logs
- Postfix SMTP errors
- Drupal website error logs
- Copy of subscription emails etc
to a Hotmail email address of mine.
But two weeks ago it was put on the Spamhaus ZEN & CBL blacklists. Now I've changed the email from Hotmail to a privately managed MS Exchange mail server.
But still, after 3 days it was added back to the blacklist.
For the last year I have also had email monitoring set up using a cron script with pflogsumm, which informs me if the emails sent per day exceed 300. But there aren't that many; just now I've checked in the evening at 6.30 pm and I can see just 93.
Now I've added "always_bcc=myemai@privatecompany.com" in Postfix main.cf so that I can see all outgoing emails from this server. Here are the snapshots of those emails.
There isn't any spam. I can see those (in addition to the above) are:
- Contact us messages
- forum replies
- Account activation emails
- Mysql database backups
- Advertising reports etc
I'm forwarding the emails to private email servers; how come Spamhaus ZEN & CBL can see those emails (except for the forum subscriptions & replies) to blacklist this IP again?
I've emailed cbl[@]abuseat.org but I've only got a seemingly automated reply telling me to check the system for viruses etc.
I've also scanned the system using the ClamAV antivirus.
All the forum replies and subscription and activation emails contain unsubscribe information. However, the error logs do not.
What could I be missing?
Update: I've restricted emails to be sent only through Postfix: a firewall rule only allows Postfix to send email through SMTP on port 25, and I have a copy of all the emails and none is spam. However, it has been relisted for the 4th time after some 15 hours.
Today (on 8th Dec) I've got this reply from CBL:
The IP 23.239.30.81 is infected with spamware, most recently detected at: 2015:12:04 ~14:30 UTC +/- 15 minutes (approximately 3 days, 3 hours, 59 minutes ago). This host HELOed as [127.0.0.1] … Please correct that.
Best Answer
I would highly recommend going through the CBL and Spamhaus websites again, because they have all the information you need to start with troubleshooting and safeguarding your server. The information there can help you understand how the blacklisting process works and why one gets listed, and also gives advice on keeping the server safe to avoid blacklisting.
I'm just going to quote a few important parts from CBL; the rest you can check for yourself. The point is, since you are getting listed again and again, your server is most probably compromised and it is not related to your Postfix. Now you need to investigate and find out the possible cause. It can be a rootkit or a trojan or a spambot or just another malicious script. You need to do a complete scan of your system for possible issues. Once you find the real cause, then you can resolve the problem and take the necessary steps to avoid it happening again.
Here is from CBL:
For troubleshooting and protection
More on MailServer in CBL: Mail Server in CBL
From Spamhaus:
What is "proxy hijacking"? What do I need to know about proxies?
What is a "honeypot" or "proxypot"? What is a "proxy hijack source" or "C&C"?
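As an added example (not from the question, the answer, CBL or Spamhaus), here is the check a defender would pair with the firewall rule from the update: if only the postfix user may open port 25, an iptables LOG rule with --log-uid records every other local process that tries to reach a remote MX directly (the kind of traffic behind a HELO of [127.0.0.1]), and this script summarises those kernel log lines by local UID so the offending process can be tracked down. The rule set in the comment, the SMTP-DIRECT log prefix and the log lines are assumptions/constructed; only the server IP is the one from the question.

```python
import re
from collections import defaultdict

# Assumed egress policy (Ubuntu/iptables): only the postfix user may open port 25;
# any other local process is logged with its UID and then rejected:
#   iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
#   iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP-DIRECT: " --log-uid
#   iptables -A OUTPUT -p tcp --dport 25 -j REJECT
# Constructed /var/log/kern.log sample from such a LOG rule (TEST-NET destinations;
# UID 33 is www-data on Ubuntu by default, UID 1000 the first normal user).
SAMPLE_KERN_LOG = """\
Dec  8 14:30:01 mail kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=23.239.30.81 DST=198.51.100.25 PROTO=TCP SPT=41022 DPT=25 SYN UID=33 GID=33
Dec  8 14:30:02 mail kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=23.239.30.81 DST=198.51.100.26 PROTO=TCP SPT=41023 DPT=25 SYN UID=33 GID=33
Dec  8 14:31:09 mail kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=23.239.30.81 DST=203.0.113.7 PROTO=TCP SPT=50211 DPT=25 SYN UID=1000 GID=1000
Dec  8 14:32:00 mail postfix/smtp[2231]: 1A2B3C4D: to=<user@example.org>, status=sent
"""

# Fields written by the iptables LOG target; --log-uid appends UID= and GID=.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: SMTP-DIRECT: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+) .*?"
    r"UID=(?P<uid>\d+) GID=(?P<gid>\d+)"
)

def parse_direct_smtp(log_text):
    """One event per blocked direct-to-MX attempt. Postfix's own deliveries never
    show up here because the ACCEPT rule matches them before the LOG rule."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["uid"] = int(ev["uid"])
            events.append(ev)
    return events

def summarize_by_uid(events):
    """Map each local UID to (attempt count, set of distinct destination MXes)."""
    acc = defaultdict(lambda: [0, set()])
    for ev in events:
        acc[ev["uid"]][0] += 1
        acc[ev["uid"]][1].add(ev["dst"])
    return {uid: (count, dsts) for uid, (count, dsts) in acc.items()}

def offenders(events, threshold=1):
    """UIDs with at least `threshold` blocked attempts, busiest first; a web-server
    UID here points at a script under the web root rather than at Postfix."""
    summary = summarize_by_uid(events)
    return sorted((uid for uid, (count, _) in summary.items() if count >= threshold),
                  key=lambda uid: -summary[uid][0])
```

Run it over the real kern.log instead of SAMPLE_KERN_LOG and map each listed UID back to a user with getent passwd; the UID's processes and cron entries are where to look next.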