
Since two weeks ago Spamhaus has kept putting our IP address on the CSS blacklist. We had a few things to fix from the guideline, so we delisted ourselves a few times after checking all the requirements.

Now, after 3 times, they created a ticket for our case and state that our HELO response is localhost:

Then something else is going on:

(IP, UTC timestamp, HELO value)
188.39.** 2023-05-30 18:40:00 localhost.localdomain
188.39.** 2023-05-30 07:35:00 localhost.localdomain
188.39.** 2023-05-28 07:05:00 localhost.localdomain
188.39.** 2023-05-27 22:05:00 localhost.localdomain
188.39.** 2023-05-27 17:05:00 localhost.localdomain

Note the top one is after your message claiming the HELO is correct.

Every time we have been blacklisted we checked our HELO response by sending an email to helocheck@abuseat.org, and the response was a proper FQDN with valid syntax - no error here.

Is there any way that they could be getting the localhost.localdomain response from our IP? How do they test for the HELO response? Could it be the firewall sending HELO?

I would appreciate any help, thank you.

Backi
  • 1

1 Answer


If your MDaemon is configured correctly (check secondary domains as well) then something else might be using the same public IP address.

A common scenario for that is when you've got a single public IPv4 address on your router and source NAT everything through it. That way, a spam source inside your network is indistinguishable from your MTA from the outside.

You need to either

  1. separate outgoing client traffic from your mail agent by using multiple public IP addresses, or
  2. deny outgoing SMTP from your clients. It's fine to permit outgoing SMTP/MSA to port 587 (can't be used for spamming) or to port 465 for SMTPS (mostly only authenticated MSA), but not to port 25, at least not to arbitrary servers.

Option 2 is highly recommended, as you not only save your MTA from being blacklisted but also save the rest of the world from being spammed from your network.

It's also a good idea to raise an alarm when a private client tries to connect outbound to port 25: it's either someone trying to bypass your mail system or an intruder using an infected client.

Zac67
  • 13,684
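The alarm suggested in the answer, as an added example that is not part of the original answer: it scans netfilter LOG lines from the NAT router and reports every internal client other than the MTA that tried to reach port 25 directly, while ignoring the submission ports 587 and 465. The log prefix `SMTP-EGRESS:`, the MTA's internal address 192.168.1.10 and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Internal address of the legitimate MTA (constructed placeholder; the
# question does not give the real one).
MTA_INTERNAL_IP = "192.168.1.10"

# Field pattern of a netfilter LOG line. Assumes a logging rule such as
#   iptables -I FORWARD -p tcp -m multiport --dports 25,465,587 \
#       -j LOG --log-prefix "SMTP-EGRESS: "
# on the NAT router (an assumption, not from the original post).
LOG_RE = re.compile(
    r"SMTP-EGRESS: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def smtp_egress_alerts(lines, mta_ip=MTA_INTERNAL_IP):
    """Return {client_ip: count} of direct port-25 attempts by internal
    hosts other than the MTA. Ports 587/465 are authenticated submission
    and are deliberately not counted, as the answer explains."""
    alerts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not one of our egress log lines
        src, dpt = m.group("src"), int(m.group("dpt"))
        if dpt != 25 or src == mta_ip:
            continue  # submission port, or the MTA doing its job
        alerts[src] += 1
    return dict(alerts)


# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    "May 30 18:40:00 gw kernel: SMTP-EGRESS: IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=43210 DPT=25 SYN",
    "May 30 18:40:02 gw kernel: SMTP-EGRESS: IN=br0 OUT=ppp0 SRC=192.168.1.57 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN",
    "May 30 18:40:03 gw kernel: SMTP-EGRESS: IN=br0 OUT=ppp0 SRC=192.168.1.57 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN",
    "May 30 18:40:05 gw kernel: SMTP-EGRESS: IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=40000 DPT=587 SYN",
]

if __name__ == "__main__":
    for ip, n in smtp_egress_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {ip} made {n} direct port-25 attempt(s) through the NAT")
```

A host that shows up here with a proper HELO-less spam engine behind it is exactly what Spamhaus would see as your public IP sending `localhost.localdomain`.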