Mail blocked using zen.spamhaus.org

I manage two MiaB servers: a club with about 5 users (RFSC) and my personal server (dBugg). Both are hosted at Linode.

When email is sent from an RFSC account to my dBugg account, it gets rejected:

Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
    [<IPv6 address>] blocked using zen.spamhaus.org;
    https://www.spamhaus.org/query/ip/<IPv6 address>

The error at Spamhaus is:

The machine using this IP is infected with malware that is emitting spam, or is sharing a connection with an infected device.

Why was this IP listed?

A device using 2600:3c03::/64 is infected with malware and is emitting spam.

IP Address 2600:3c03::/64 is making SMTP connections and identifying itself (via the HELO command) using a domain that is not possible: for example, “gmail.com” or “outlook.com”. The providers that own these domains do not ever use them in this way, so this is a sure sign of a problem.

The most recent detection was on August 12 2021, 17:00:00 UTC (+/- 5 minutes).

I checked the logs around that time on the RFSC server and didn’t really see any issues. There were a couple of messages that were bound by the RFSC server, but not sent by the RFSC server.

One odd thing: following the Spamhaus link with the IPv6 address shows the address as listed in the XBL. However, substituting the IPv4 address for the same server comes back clean.

From what I have found so far, I don’t see anything on my server to indicate either malware or outgoing spam. Whether the IPv4 vs IPv6 difference is to be expected or not, I am not sure where to begin looking for issues with my server. Any guidance would be appreciated.

Thanks!

I’m guessing this is anonymized, but the /64 means it is an address block. Does your ISP provide you with this block? Most likely is that Spamhaus has blacklisted the IPv6 block you are on.

This is among the reasons to only use IPv4.

I think you are right. I found an FAQ at Spamhaus that talks about how they list IPv6 addresses only using /64 blocks and that can cause issues: The Spamhaus Project - Frequently Asked Questions (FAQ).

They link to a specific page for Linode users to get their address changed: An Overview of IPv6 on Linode | Linode

I’ve been at this for 25 years and I’ve managed to remain a noob as far as IPv6 goes. Linode has opened up my account so I can customize my network (at least I think that’s what they did), but I’m not sure what to do from there. I am waiting to hear back from them as to what my next step should be.


I, too, have not bothered to learn how IPv6 actually works. All I’ve taught myself is how to disable it, especially on home networks. That said, before I was aware Spamhaus was blacklisting IPv6 address blocks, I made my current server and it has an IPv6 address, but I’ve experienced zero issues, which seems to be generally the case for Vultr customers, as best I can tell.

So, Linode assigned new addresses for both of my boxes and they too are blocked by Spamhaus. I think they’re in the same /64 range. I don’t think they have gotten to the “Oooh. It’s our problem” stage yet, but I’m sure they will.

In the meantime, the v4 addresses and the hostnames come back clean from Spamhaus. I think for the time being I want to just turn off v6 addresses as you suggested. I don’t run v6 on any other servers I have running outside of hosted stuff. Is it just a matter of getting it shut off at the box level, or do I have to do something in MaiB as well?

The easiest way is if your ISP can disable IPv6 assignment to the server. I still haven’t gotten around to figuring out how to turn off IPv6 at the server level in a clean and proper manner.

I believe either a reboot, sudo mailinabox, or both, should immediately reconfigure MiaB.

Ok, fixed (I hope). We’ll see if something new crops up.

I was missing some of their instruction on how to use the IPv6. Linode Support added static IPv6 ranges (I think they ended up adding two because I was a bit dense) but I was still testing the dynamic SLAAC IPv6 address that the dashboard assigns. I couldn’t wrap my brain around the fact that I needed to pick an address from the static range. The problem was, coming from 25 years of being stingy with IPv4 addresses, I didn’t understand that I could pick any address from the tons of addresses in that range.

So, here’s a recap of what finally fixed it for me. You will want to use the LISH console from your dashboard rather than SSH so you don’t get booted out of the network:

  • Submit a support request to add a static IPv6 range to my Linode.
  • Pick an address from that range once it’s added
  • Edit the Netplan configuration using the new IPv6: Linux Static IP Configuration | Linode.
  • Turn off automatic network assignment in the dashboard so it doesn’t overwrite your new config: Network Helper | Linode
  • Reboot
  • [For external DNS only] Replace old IPv6 address in all places with the new address
  • Configure rDNS for the static IPv6 range: How To Configure Your Linode for Reverse DNS (rDNS) | Linode
  • From an SSH session into the server, rerun the Mail-in-a-Box script:
    $ sudo mailinabox
    It will ask you what IPv6 address to use.

And, tada!

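As an added example that is not part of this thread or of Mail-in-a-Box, here is a small Python script covering two things raised above: the IPv4-versus-IPv6 discrepancy when querying zen.spamhaus.org, and the observation that freshly assigned addresses in the same /64 stayed blocked. It builds the DNSBL query name for either address family (reversed octets for IPv4, 32 reversed nibbles for IPv6), decodes the ZEN return codes Spamhaus documents (including the error codes that a query through a public resolver produces), and computes the /64 a given IPv6 address is listed under. The sample addresses are documentation ranges and a constructed /64 that only mimics the shape of the one in the post; the only network access is in the `__main__` block.

```python
"""Added example (not from the original thread): query a DNSBL such as
zen.spamhaus.org for an IPv4 or IPv6 address, decode the reply, and show
why two hosts in the same IPv6 /64 share an XBL listing.

Assumptions, labelled inline: sample addresses are documentation ranges
(192.0.2.0/24, 2001:db8::/32) plus a constructed /64; the return-code
table is the one Spamhaus documents for ZEN. No network access happens
unless the file is run as a script.
"""
import ipaddress
import socket

ZEN = "zen.spamhaus.org"

# Spamhaus ZEN return codes (A records in 127.0.0.0/8). 127.0.0.4-7 are
# all XBL (exploited/infected hosts), the list the post's /64 landed on.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Replies in 127.255.255.0/24 are errors, not listings. The common one in
# practice is a query sent through a public resolver (8.8.8.8 and the like).
ZEN_ERRORS = {
    "127.255.255.252": "typo in the DNSBL query name",
    "127.255.255.254": "query sent via a public/open resolver; use your own resolver",
    "127.255.255.255": "query volume limit exceeded",
}


def dnsbl_query_name(addr: str, zone: str = ZEN) -> str:
    """Build the DNSBL lookup name. It is exactly the reverse-DNS label
    (octets reversed for IPv4, 32 nibbles reversed for IPv6) with the
    .in-addr.arpa / .ip6.arpa suffix swapped for the zone name."""
    ip = ipaddress.ip_address(addr)
    suffix = ".in-addr.arpa" if ip.version == 4 else ".ip6.arpa"
    label = ip.reverse_pointer
    return label[: -len(suffix)] + "." + zone


def classify_codes(codes):
    """Turn the A records returned by the DNSBL into a verdict."""
    lists = list(dict.fromkeys(ZEN_CODES[c] for c in codes if c in ZEN_CODES))
    errors = [ZEN_ERRORS[c] for c in codes if c in ZEN_ERRORS]
    unknown = [c for c in codes if c not in ZEN_CODES and c not in ZEN_ERRORS]
    return {"listed": bool(lists), "lists": lists, "errors": errors, "unknown": unknown}


def xbl_block(addr: str) -> ipaddress.IPv6Network:
    """Spamhaus lists IPv6 at /64 granularity, so the unit that gets
    listed is the /64 containing the address, not the address itself."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError("only IPv6 addresses are listed per /64")
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def shares_xbl_block(a: str, b: str) -> bool:
    """True when two IPv6 addresses fall under the same /64 listing
    (the post's 'new address, same /64, still blocked' situation)."""
    return xbl_block(a) == xbl_block(b)


def lookup(addr: str, zone: str = ZEN) -> dict:
    """Live query. NXDOMAIN (socket.gaierror) means 'not listed'. Run it
    on the mail host so the query goes through that host's own resolver."""
    name = dnsbl_query_name(addr, zone)
    try:
        _, _, answers = socket.gethostbyname_ex(name)
    except socket.gaierror:
        answers = []
    return {"query": name, **classify_codes(answers)}


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a constructed placeholder; pass your own v4 and v6 addresses.
    for target in sys.argv[1:] or ["192.0.2.1"]:
        print(lookup(target))
```

Run it on the mail server itself with both the IPv4 and the IPv6 address as arguments; an `errors` entry naming a public resolver means the verdict is meaningless and the host's resolver configuration needs fixing before retrying. Because the listing unit for IPv6 is the /64, the fix described in the recap only works if the replacement address comes from a range in a different /64; any other address in the listed block will report the same XBL result.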
