I’ve been running mail in a box on linode for around a month now. Today there was a status change notification about the ip address being added to spamhaus blacklist: http://www.spamhaus.org/query/ip/184.108.40.206
What can I do to get my ip removed from the blacklist? I’ve raised a support ticket with linode. They replied asking me to investigate why the ip was blacklisted.
Is this for your internal use? or are you using this as a service for customers who you can’t 100% monitor?
Only other issue I could suggest is to any computers connecting (smartphones too) run some sort of Anti-Virus program, check for malware too, some viruses are smart and can piggy back on various apps.
Logs would be a great place to start, look through the mail.log and mail.err files in /var/log - would give you some history of what your box is sending out, may find a compromised workstation, or someone using an account that had a weak password and thus someone brute forced it and are blasting spam.
Password changes would be a great safe spot to start. Linode crew is awesome, just be polite, ask questions not accusations and they’ll help best they can but as it’s your management, they will point back to YOU being the primary issue, but some support crew is awesome and happily help when and where time allows - be humble, goes a long way with highly under appreciated staffers handling tickets.
This is for my personal use. Only I have access to the box (unless the box is compromised). auth.log shows brute force attempts to break into the box. However I’ve disabled password login and only 1 user can login to the box. Looking at the output of “sudo last -n 100” I do not see any suspicious logins.
I’ve looked at the outgoing email addresses in /var/log/mail.log (sudo grep -o ‘to=<.*>,’ /var/log/mail.log|sort|uniq) and all the addresses are my contacts.
Btw I am having trouble understanding the contents of http://www.spamhaus.org/sbl/query/SBL255928. The page says 220.127.116.11/22 has been blocked. Is it possible the subnet is blocked because of other hosts in the subnet?
Then I’d guess they are blocking the range then, probably seeing a high spam trend - give your findings to linode and let them know what you see from your end, and see what they can do on their end.
The issue has been resolved now. Thanks for the help!