So I am listed on spamhaus for CSS Blocklist (CSS). Please help!

TheKingZiga · October 21, 2024, 9:06pm

So…about 3 months I had a chicken chinnese ddos trojan virus on my MIAB, I have reinstalled whole VM and reinstall. I closed up ssh and make stronger password. No problem until about 2 month back with CSS Blocklist (CSS). I have made a new subnet on my pfsense, just for MIAB and blocked any device from other subnets. DHCP is off and only static ip, 192.168.70.3, so MAIB cant talk to any other device and any other device cant talk to MAIB. I have blocked mail ports for any other subnet. Changed password of all mailboxes, everything google/chat gpt told me and I had silence for about 2 weeks and then again and again 10 days later. I have googled and googled, no solution found, I am out of ideas. Its frustrating. So now I am here for help and I hope someone could help me.

some info about my setup:
IPS: 1 dynamic and static IP, dynamic is for PCs, ps4, etc
static is for mail server, game servers, websites, etc

so mail server is on VM on proxmox, subnets are separeted via vlans. I am hosting MC servers, websites etc on that static ip.

Mail server is at 192.168.70.3 and all mail ports are port forward via pfsense, which is my main router.

So all my game server, websites etc are hosted at subnet 192.168.69.0 (at static ip), and cant talk to MAIB, same as my subnet for home PCs 192.168.1.0 (dynamic ip).

Yes I am hosting my mail server at home!

I will add some screenshots.

I am out of ideas…Because I cant find from where are coming that helo values.

If needed I can give here my static ip, as is not that hard to find (thekingziga.com).
I can upload logs anything, from MAIB, PFsense…just tell what need.

can theoritically infected device from 192.168.1.0 still sent that malware mails?

thanks for any help!

vele · October 21, 2024, 10:13pm

My Spamhaus listing is always triggered when I send to gmail. It is a random thing. Today I sent a perfectly genuine email and got listed 3 minutes later. It seems that they are affiliated with google and do not like selfhosted servers.

TheKingZiga · October 23, 2024, 5:47am

huh, I mean I was sending mail to bunch of mail providers (also gmail), never had a problem, but now last 3-4 mounths I have these problems. I would not care if I could sent mail normally, but 40% I get blocked and its annoying.

vele · October 25, 2024, 9:41am

I delisted myself from Spamhaus, now they prefer the automatic delisting. However this is to no avail as I am immediately listed after sending legit emails to a gmail recipient. I decided to write them (go to the main site >> Contact>>Select Other issues). I explained that this is happening when trying to send to gmail and it is triggered by perfectly legit emails and that I am fully complaint in terms of SPF, DKIM DMARC etc. Here is their reply:

Thank you for contacting Spamhaus,

I had a check on the previous listings and can see the IP is relisted for the same reason. The primary cause for the listing is the poor network neighbourhood reputation. There are multiple IPs in this /24 subnet which are spoofing proofpoint servers. The ideal stepforward would be for your hosting to prevent spammers from infesting this IP range/s. Having said that, this IP was supposed to be protected from this rule causing a listing but that does not seem to be working. I will have a check on this and make sure the IP does not get relisted with this rule again at Spamhaus.

And the next reply is in terms of deviding the block and isolating my IP from the spammers:
Thank you for contacting Spamhaus,

This is done. The IP should not get hit by the same rule. Keeping the ticket open for now.

Regards,
Josh Matthews

So beware of your network range neighborhood.
Can anyone explain what is spoofing proofpoint servers?

TheKingZiga · October 28, 2024, 9:49pm

well I was unlisted automatically…I guess I fixed the problem or sourse of that spam mails…thanks everyone for help (hope it does not happen again)