A question for the experts here.
In the past few days, the IP of our company's outsourced EIP vendor was blacklisted by SPAMHAUS.
I have been going back and forth with the vendor for several days; they still cannot find the problem and do not know how to handle it.
Is there any way to help me resolve this?
Right now a lot of the company's mail cannot be sent because of this, or is sent but never reaches the recipient.
Below is the reply from SPAMHAUS:
08 MAR 2024
08:59:05
Thank you for contacting Spamhaus XBL Removals,
Please use https://translate.google.com/ for language, if needed.
IF THIS HAS ALREADY BEEN FIXED PLEASE...
REPLY TO THIS MESSAGE IMMEDIATELY - AND - INCLUDE THE DETAILS OF WHAT WAS FIXED AND HOW.
This issue can be caused by multiple things: please read the whole response, especially if you have a Sophos appliance!
--
122.116.21.46 has been classified as part of a proxy network. There is a type of malware using this IP that installs a third-party proxy that could be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.
It is NOT your mail server:
(IP, UTC timestamp, HELO value)
122.116.21.46 2024-03-08 05:55:00 122-116-21-46.hinet-ip.hinet.net
122.116.21.46 2024-03-04 12:55:00 83.8.244.229.ipv4.supernova.orange.pl
122.116.21.46 2024-03-02 13:30:00 122-116-21-46.hinet-ip.hinet.net
122.116.21.46 2024-03-02 05:30:00 122-116-21-46.hinet-ip.hinet.net
122.116.21.46 2024-03-01 15:55:00 122-116-21-46.hinet-ip.hinet.net
The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but can be anything that has software on it - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.
This is a simple explanation of how this works: https://www.spamhaus.com/resource-center/when-doorbells-go-rogue/
Any devices with "free" VPNs, TV streaming, channel unlocking, or 3rd-party apps installed are the first things to check.
How to solve this problem depends on whether this IP is static and assigned for business use with an internal mail server or dynamic, for home use. If you are not sure, call your ISP and ask them.
HOME USER: Dynamic Single IP for non-commercial use. There are a number of possibilities:
Please call your ISP or IT department for assistance with configuring your router or firewall correctly. You can also find most router configuration manuals online.
If the IP is static, the network has a malware problem. It is very unlikely to be the actual mail server, but it is something that is able to share the same public IP.
Consider the implications of a proxy that is under someone else's control being active on your network: malicious operators control a device that is within your network. To them, spamming is an extra. Your business is their business.
We very strongly recommend securing your firewall to not allow any packets outbound on port 25, except those coming from any email server(s) on your local network. Remote sending of email to servers via the Internet should still work if web-based, or configured properly to use port 587 using SMTP-AUTH. We also suggest securing any guest networks the same way.
IMPORTANT: Limiting port 25 stops the connections from leaving your network but does NOT neutralize the proxy. It needs to be found and removed.
Since we are unable to see through NAT or the Firewall, finding the problem is entirely the responsibility of the IT manager. Logging at the router or firewall to see what is trying to use port 25 should lead to the compromised device(s).
The easier thing to do would be to limit outbound port 25 to mail servers and thus secure your network and stop the listings. You can look for the device(s) afterward.
NOTE: there may be more than one affected device. There also may be more than one issue. Please check all your technical settings, including DNS (forward and reverse) and HELO values. Guest networks also need to be secured.
Our FAQ might be helpful: https://www.spamhaus.org/faq/section/Hacked...%20Here's%20help
--SOPHOS:
If you are using a Sophos device please check the following:
Go to Protect-> Email | go to the Tab "general settings" | below this menu SMTP settings -> look at the "SMTP Hostname".
If that is "SMTP" or "Sophos" then you will need to configure it properly using a fully qualified domain name. Correct configuration is site dependent and we are unable to recommend anything specific.
You can test a server's HELO configuration by visiting https://aboutmy.email. From there, send an email from the machine in question to the provided email address, and then examine the results. This tool will give a lot of detail about the email. To check HELO/EHLO, navigate to "Delivery" -> "SMTP" and look for the EHLO line.
The Sophos appliance re-writes the HELO that the proxy is using. Fixing the HELO is important, but not nearly as critical as finding and removing that third party proxy. Changing the HELO will NOT neutralize the proxy.
Regards,
Marvin Adams
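The Spamhaus reply says the listing is caused by some device behind the NAT talking SMTP (port 25) directly to the Internet, and that logging at the router or firewall is how you find it. The following is an added example (not part of the original post or of Spamhaus's material) of the triage step: it reads iptables-style LOG lines, counts outbound TCP/25 connection attempts per internal source, and ignores the site's legitimate mail server. The log lines, the prefix "FW-OUT:", the internal addresses and the allowed server 192.168.1.10 are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of iptables LOG lines as a Linux-based router would
# write them to syslog; every host and address below is made up.
SAMPLE_FIREWALL_LOG = """\
Mar  8 05:54:58 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=51012 DPT=25 SYN
Mar  8 05:55:01 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=198.51.100.9 PROTO=TCP SPT=40211 DPT=25 SYN
Mar  8 05:55:02 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=198.51.100.10 PROTO=TCP SPT=40212 DPT=25 SYN
Mar  8 05:55:03 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=198.51.100.11 PROTO=TCP SPT=40213 DPT=25 SYN
Mar  8 05:55:04 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=198.51.100.50 PROTO=TCP SPT=33000 DPT=443 SYN
Mar  8 05:55:05 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=198.51.100.51 PROTO=TCP SPT=33001 DPT=587 SYN
Mar  8 05:55:06 gw kernel: FW-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=198.51.100.12 PROTO=TCP SPT=40214 DPT=25 SYN
"""

# Internal hosts that are allowed to send on port 25 directly: the site's own
# mail server. Assumed address for this example.
ALLOWED_MAIL_SERVERS = {"192.168.1.10"}

# iptables LOG lines carry KEY=VALUE fields (IN=, OUT=, SRC=, DST=, DPT= ...).
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields found in one LOG line."""
    return dict(KV_RE.findall(line))


def find_port25_talkers(log_text, allowed=ALLOWED_MAIL_SERVERS):
    """Count outbound TCP/25 attempts per internal source address, skipping
    the legitimate mail server(s). Returns {src: (count, set_of_destinations)}.
    A host that fans out to many distinct remote MX hosts is the proxy/spambot
    Spamhaus describes; a normal client never speaks port 25 at all."""
    counts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        src = fields.get("SRC")
        if src is None or src in allowed:
            continue
        counts[src] += 1
        dests[src].add(fields.get("DST"))
    return {src: (counts[src], dests[src]) for src in counts}


def report(log_text):
    """Human-readable summary, worst offender first."""
    suspects = find_port25_talkers(log_text)
    ordered = sorted(suspects.items(), key=lambda kv: -kv[1][0])
    return [f"{src}: {n} outbound port-25 attempts to {len(dsts)} distinct hosts"
            for src, (n, dsts) in ordered]


if __name__ == "__main__":
    for line in report(SAMPLE_FIREWALL_LOG):
        print(line)
```

To produce such lines on a Linux router, a FORWARD rule that logs and then rejects port 25 from anything other than the mail server does both jobs Spamhaus asks for (stop the leak, and record who is trying), for example `iptables -A FORWARD -o ppp0 -p tcp --dport 25 ! -s 192.168.1.10 -j LOG --log-prefix "FW-OUT: "` followed by the same match with `-j REJECT`. Other routers and firewalls use their own log formats, so the regular expression is the part to adapt.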
The main thing is probably this one.
The second entry in the reverse-lookup list they reported:
122.116.21.46 2024-03-04 12:55:00 83.8.244.229.ipv4.supernova.orange.pl
How does it resolve to a Polish domain?
Also, do you send mail through the outsourced EIP...?
Or do they also host your mailboxes?
Or does this outsourcer implement mailbox sending/receiving directly in the EIP?
-------------Reply------------
Now that we have your domain, let's take a look.
DNS Record found
SPF Record found
No DMARC Record found
DMARC Quarantine/Reject policy not enabled
No DKIM Record found
Basically your mail security only has SPF in place; please add DMARC and DKIM.
Some mail providers classify domains that have not completed these as suspicious (Gmail even states outright that such mail goes to spam).
Next, the Outlook SPAM mail issue.
Microsoft has posted a notice in the admin center: some users are running into mail being classified as SPAM, and it is being handled.
March 7, 2024, 4:48 AM [GMT+8]
Users' outbound Exchange Online email messages may be marked as spam and not delivered.
User impact: Users' outbound Exchange Online email messages may be marked as spam and not delivered.
More info: This isn’t connection method specific and thus occurs in all Exchange Online connection methods. Affected users receive a Non-Delivery Report (NDR) message that references the third-party anti-spam service name that has added the IP address to their block list.
Current status: We're working with the third-party anti-spam service to better identify the IP
address ranges affected by this problem, so that we can more quickly identify and manage sources of potentially malicious email messages. This will help reduce the frequency of spam and phishing email, which would also reduce the number of reported and blocked IP addresses, returning some mail flow as expected. In parallel, we're reviewing long-term solutions to prevent similar problems.
Scope of impact: The problem may impact some users sending outbound email messages if they're leveraging a specific third-party anti-spam service mentioned within the NDR.
Root cause: A third-party anti-spam service is blocking a portion of Microsoft’s email IP address ranges to protect organizations that use their services.
Next update by: Saturday, March 9, 2024 at 5:00 AM GMT+8
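The check above reports which of SPF, DMARC and DKIM are present for the domain and whether the DMARC policy is quarantine/reject. The following is an added example (not code from the original thread or from any checking service) of how such a report is derived from the TXT records: one constructed record set mirrors the state reported above (SPF only), and a second shows the same domain after DMARC and DKIM have been added. The domain example.com, the selector "sel1" and all record contents are assumptions; in practice the `txt` dictionary would be filled from real DNS answers.

```python
# Constructed TXT answers standing in for what a resolver returns; the
# selector "sel1" and every record value below are assumptions.
SAMPLE_TXT_RECORDS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": [],
    "sel1._domainkey.example.com": [],
}

# The same domain after DMARC and a DKIM selector record have been published
# (public key shortened to a placeholder).
SAMPLE_TXT_RECORDS_FIXED = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GPLACEHOLDERKEY"],
}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' list used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(domain, txt, dkim_selectors=("sel1",)):
    """Return findings in the same wording as the report in the thread.
    txt maps a DNS name to the list of TXT strings published at that name."""
    findings = []

    # SPF lives in a TXT record at the domain apex and must start with v=spf1.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("No SPF Record found")
    elif len(spf) > 1:
        findings.append("Multiple SPF Records found (receivers treat this as a permanent error)")
    else:
        findings.append("SPF Record found")
        if spf[0].split()[-1] not in ("-all", "~all"):
            findings.append("SPF record does not end with -all or ~all")

    # DMARC lives at _dmarc.<domain>; the p= tag carries the policy.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("No DMARC Record found")
        findings.append("DMARC Quarantine/Reject policy not enabled")
    else:
        findings.append("DMARC Record found")
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy in ("quarantine", "reject"):
            findings.append(f"DMARC policy p={policy}")
        else:
            findings.append("DMARC Quarantine/Reject policy not enabled")

    # DKIM lives at <selector>._domainkey.<domain>; a usable record has a
    # non-empty p= (public key). Selectors are site-specific, so the caller
    # has to supply the ones the sending system signs with.
    dkim_found = any(
        parse_tags(r).get("p")
        for sel in dkim_selectors
        for r in txt.get(f"{sel}._domainkey.{domain}", [])
    )
    findings.append("DKIM Record found" if dkim_found else "No DKIM Record found")
    return findings


if __name__ == "__main__":
    for name, records in (("before", SAMPLE_TXT_RECORDS), ("after", SAMPLE_TXT_RECORDS_FIXED)):
        print(name)
        for finding in check_domain("example.com", records):
            print("  " + finding)
```

To run this against a live domain, fill `txt` from real answers (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's strings) and pass the DKIM selectors your mail platform actually signs with; an Exchange Online tenant publishes its selectors as CNAMEs in the tenant's DNS, so the lookup has to follow the CNAME to the TXT record. The point of the DMARC check is the policy, not just presence: a `p=none` record is only monitoring, and receivers that care about the "not fully done" state the reply describes look for quarantine or reject.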
We do not send mail from the EIP; our servers are all on the Outlook Exchange mail server.
That is why we do not know whether it is related; it is only a suspicion.
Right now some people's mail is being bounced:
mtai11n.zprv.incnets.com rejected your message to the following email addresses:
cus@shuntenglogistics.com (cus@shuntenglogistics.com)
Your message couldn't be delivered because it's suspected of being spam. For best practices when sending email, refer to the guidelines found here: https://aka.ms/EmailingBestPractices.
mtai11n.zprv.incnets.com gave this error:
Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [40.107.215.91] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.215.91
The content is rather long; I replied to you above.