For the first time yesterday I got bounce messages on mail I was sending, notifying me that the IPv4 address of my box (domain studioinfinity dot org – a Linode instance) was on the SpamHaus CSS list. The Spamhaus FAQ said I should check the HELO messages for misconfiguration, but they come out fine in the checking services recommended by SpamHaus. The FAQ said I should also check for my server being compromised or infected. The status checks on the admin panel are all green (except for the spamhaus listing) and logging on to the server and running the (fixed) mail_log.py for the last 2days only shows under the sent email the seven emails I personally sent by hand. So I requested the automated list removal, and that worked, but 12 hours later I am re-listed. The FAQ says that means my IP is continuing to exhibit questionable behavior. Note I have been running this MIAB instance for several years at this IP address under this domain name, and this is the first time I have had trouble with a spamhaus IPv4 listing. (I had a v6 address in a range that SpamHaus didn’t like but then Linode gave me a dedicated v6 range and that problem went away.)
Are there any other checks I could/should do for the box having been hacked in some way?
Since it is the IP address in the CSS listing, it must be some activity on the part of my MIAB instance that is triggering SpamHaus, correct?
Any other suggestions for preventing re-listing? I am reluctant to request another de-list if the box is simply going to be re-listed in another 12 hours or so. I am also reluctant simply to migrate to a new IP address without some reason to think the new IP address won’t just get CSS listed shortly thereafter.
Does it make any sense to go to the trouble of archiving all email, starting with a fresh instance (hopefully on the same IP address if possible) with new passwords, installing MIAB from scratch, and restoring the email onto the new instance?
Thanks for any help/ideas. In the current state, the MIAB instance is unusable and I am really unclear how I could then proceed with providing my organization’s email – definitely unwilling to be assimilated by the Borgle.
Spamhaus keeps relisting you as you might be in other internal lists. They do not admit it but they seem to be affliated with the big inbox providers. You have 3 automatic delists with spamhaus. The 4th time you must write them from the form here. https://contact-center.spamhaus.org/
Then your 3 automatic delistings are reset.
You can go ahead and use the form before the auto delist. Try to be honest with them. Ask them to relax their listing rules against you. If they are relactunt mention the affliation from above that you feel that they are replicating someone elses lists.
If you have outbound v6 turned on. Disable it and send Ipv4 only, gradually 3,4, 5 messages per day. There are topics on this froum to disable outbound Ipv6. Check yourself on https://multirbl.valli.org/ see of you are listed elsewhere. See if you are blocked on gmail or outlook. You can see the messages from them from terminal bounce or defer or reject.
cat /var/log/mail.log | grep “postfix/smtp” | grep -P ‘status=’
If not check the headers if SPF, DKIM, DMARC is OK. Reverse DNS as well.
Most probably there is nothing wrong with your MIAB setup but Spamhaus has imposed stricter block rules on you because of your sending pattern.
If you are listed on gmail delist via their help center. (They never respond) Gmail Help
It can take upto 2 weeks for the big mailbox providers to star accepting messages from you if you ended up on their lists.
In the meanwhile use a free relay mailgun sendgrid, etc, if you need to send urgently.
Thank you for the assistance. In multirbl.valli.org, studioinfinity dot org was also listed by spamgrouper.to and uribl.com. I sent a delist request to uribl, but spamgrouper.to only accepts delist requests from the IP provider, so I sent a request to abuse@linode.com to ask that they make the removal request to spamgrouper.to. We shall see if any of those make headway.
In multirbl.valli.org, numerous of the lookups failed with “DNS request failed: The name server was unable to process this query due to a problem with the name server.” As I mentioned, I am using MIAB’s built-in DNS. Are the failures worrisome that somehow the MIAB DNS is not working properly?
I will disable outbound IPv6.
Is it better to wait to do the spamhaus delisting until after I get a response back concerning spamgrouper.to and/or uribl.com? Or to delist spamhaus again right away?
I will post again if I get to resolution on all this.
Whitelist your 6 and 4 IPs here: https://www.dnswl.org/ (It make take a day but set a country of origin of your IPs for more expedient service)
One more thing. I see you are using Word Press on both sites. If you are sending notifications via WP get yourself a SMTP plugin and do not send notifications via the MIAB. Setup a relay for notifications such as mailgun, sendgrid, etc. Since February gmail and yahoo consider such senders as bulk senders and you have to be careful about the HTML formatting in WP and include a one-click unsubscribe button. Thus, it is easier to use a relay which does the job for you.
Use MIAB for personal and transactional messages only.
Also use CAPTCHA plugin for WP because I am sure that bots are trying to register on your WP sites and they may request password resets, etc and this is how your sending pattern may seem chaotic if you use notifications in WP.
Thanks for your ongoing help! The URIBL request was denied, but on the other hand, my box is no longer listed, so I won’t worry about that. I am delisted from SpamHaus. So on multirbl.valli.org, only my IPv4 address is listed, and only on spamgrouper.to. The IPv6 and domain name don’t show any blacklists. I heard nothing back from abuse@linode about requesting delisting from spamgrouper.to, so I will try opening a ticket. Should I wait until that’s resolved somehow before starting to send from studioinfinity.org again?
On Talos, my sender IP reputation is neutral and my spam level is “none”, so it seems as though there is nothing to worry about there.
I registered at dnswl.org and added the IPv4 and IPv6 addresses of my box under my domain.
I signed up for the free tier of MailJet and switched the WordPress SMTP credentials for studioinfinity.org to MailJet, and set up SPF and DKIM records for the MailJet sender in the Custom DNS of my MIAB box. Do I need to add the mailjet relay to the dnswl.org information as well?
Hopefully that covers everything and I will get some deliverability back… worried about clearing that spamgrouper.to listing. Thanks again.
Alternatively, the /etc/gai.conf file can be edited to make getaddrinfo prioritize return of IPv4 addresses. To do this remove the comment leading character (#) from the following line: #precedence ::ffff:0:0/96 100