
Spamhaus has listed my IP a few times for an apparent problem. They are indicating:

A device using <ipv6 addr> is infected with malware and is emitting spam.

<ipv6 addr> is making SMTP connections with HELO values that indicate a problem. The HELOs that it is connecting with are as follows:

Technical information

(IP, UTC timestamp, HELO value)

<ipv6 addr> 2022-05-09 09:25:00 server.example.com

The mentioned IPv6 address is the one from my server, and the prefix matches too.

I am not sure how I can fix this. The server is configured correctly, the Postfix HELO banner is set to the fully qualified hostname, old SSL/TLS is disabled, etc.

In fact the string "server.example.com" does not occur (in plaintext) anywhere on this (linux) server. Nothing to find in the log files at this time either.

How can I figure out which process is trying to send with this HELO banner, and why?

Ubuntu 22.04, using Postfix (but it does not look like it is Postfix causing this).

1 Answer


It turns out it is because Spamhaus lists entire /64 blocks for IPv6:

Why would Spamhaus continue to add an IP to the CSS when that IP hasn't sent email recently?

So the solution in my case was to disable IPv6 for outbound mail delivery. An alternative solution could be to get a dedicated /64 block from the ISP.
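The answer does not show how "disable IPv6 for outbound mail delivery" was done in Postfix, so here is one way to express it. This is an added example, not the poster's configuration: it assumes the stock Ubuntu master.cf layout (the "smtp unix ... smtp" and "relay unix ... smtp" client services) and that a per-service "-o inet_protocols=ipv4" override on the SMTP client restricts which address family that client connects with, which is the assumption to verify against postconf(5) on the version in use.

```conf
# /etc/postfix/master.cf  (added example; field values before "smtp" are the
# Ubuntu defaults and may differ locally; keep the existing line and add the -o)
#
# Override inet_protocols only for the outbound SMTP client, so the smtpd
# listener keeps accepting IPv6 while deliveries go out over IPv4 only.
smtp      unix  -       -       y       -       -       smtp
    -o inet_protocols=ipv4
# If mail is relayed through a smarthost via the "relay" transport, it needs
# the same override, otherwise relayed mail still leaves over IPv6.
relay     unix  -       -       y       -       -       smtp
    -o inet_protocols=ipv4

# /etc/postfix/main.cf alternatives (commented out; pick one approach only):
#
# Blunt option: disable IPv6 for inbound and outbound alike.
#inet_protocols = ipv4
#
# Not sufficient on its own: this only orders the connection attempts, and
# Postfix still falls back to IPv6 when the IPv4 attempt fails.
#smtp_address_preference = ipv4
```

After editing, run `postfix reload` and confirm the override is active with `postconf -P smtp/unix/inet_protocols`; the next deliveries in the mail log should show the remote MX's IPv4 address. Note that this only stops sending from the listed /64; it does not delist the block, so the CSS entry expires on Spamhaus's schedule rather than immediately.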