Suspicious HELO leading to XBL listing
Hello,
The main shared IP of one of our servers got listed in XBL, and upon checking it I found that the reason is a mail sent with a HELO of gmail.com, so it seems this stems from something malicious.
I would have a few questions:
1. Is it safe to assume that Exim would not send a message with a spoofed HELO? Or is there a way to set the HELO from the client side even for a mail sent through Exim?
2. If #1 is true, is it safe to assume that the mail got sent by direct port access?
3. On the other hand, if the mail might have been sent through Exim, is there a way to log the HELO in the exim_mainlog?
In the meantime I have enabled the cPanel SMTP restrictions (the one from CSF was active but is now disabled, because we needed to allow a customer to use SendGrid or some other MSP) and delisted the IP.
Thanks!
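On the third question, Exim's received lines (the `<=` entries in exim_mainlog) already record the client's HELO: the `H=` field has the form `host (helo) [ip]`, with the host name omitted when it is unknown and the parenthesised HELO omitted when it matches the host name, and authenticated submissions carry the login in `A=` and the protocol in `P=`. The script below is an added example, not part of the original post or of cPanel's tooling; it pulls those fields out, counts which authenticated user presented which HELO from which IP, and flags HELO names that are neither the client's host name nor one of the server's own domains. The log lines are constructed for the example and the own-domain list is an assumption. It only covers what Exim received: the HELO Exim itself presents when delivering outbound comes from the transport's helo_data (the /etc/mailhelo file on cPanel) and is not written to `<=` or `=>` lines, and a message that does not appear in exim_mainlog at all never passed through Exim.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog style (not real log data): three authenticated
# submissions, one local pickup, and one outbound delivery ("=>") line.
SAMPLE_LOG = """\
2024-03-01 10:15:02 1rXyZa-0001Ab-Cd <= alice@example.com H=(gmail.com) [203.0.113.7] P=esmtpa A=dovecot_login:alice@example.com S=2411 id=abc123@example.com
2024-03-01 10:15:09 1rXyZa-0001Ac-Ef <= bob@customer.test H=smtp.customer.test (mail.customer.test) [198.51.100.4] P=esmtpsa A=dovecot_login:bob@customer.test S=1900
2024-03-01 10:16:30 1rXyZa-0001Ad-Gh <= www-data@host.example.com U=www-data P=local S=3200
2024-03-01 10:17:45 1rXyZa-0001Ae-Ij <= noreply@example.com H=(gmail.com) [203.0.113.7] P=esmtpa A=dovecot_login:alice@example.com S=5120
2024-03-01 10:18:00 1rXyZa-0001Af-Kl => mallory@remote.test R=lookuphost T=remote_smtp H=mx.remote.test [192.0.2.10]
"""

# "<=" marks a message Exim received; "=>" lines are deliveries and carry no HELO.
RECEIVED_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
# H= is "host (helo) [ip]"; host is absent when unknown, "(helo)" absent when it equals host.
HOST_RE = re.compile(r'H=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]+)\) )?\[(?P<ip>[^\]]+)\]')
AUTH_RE = re.compile(r'\bA=(?P<method>[^:\s]+):(?P<user>\S+)')
PROTO_RE = re.compile(r'\bP=(?P<proto>\S+)')
LOCAL_USER_RE = re.compile(r'\bU=(?P<user>\S+)')


def parse_received(line):
    """Return a dict for a '<=' line, or None for any other line."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    rec = {
        'ts': m.group('ts'), 'msgid': m.group('msgid'), 'sender': m.group('sender'),
        'host': None, 'helo': None, 'ip': None, 'proto': None,
        'auth_user': None, 'local_user': None,
    }
    h = HOST_RE.search(rest)
    if h:
        rec['host'] = h.group('host')
        # Exim omits the parenthesised HELO when it matches the host name.
        rec['helo'] = h.group('helo') or h.group('host')
        rec['ip'] = h.group('ip')
    a = AUTH_RE.search(rest)
    if a:
        rec['auth_user'] = a.group('user')
    p = PROTO_RE.search(rest)
    if p:
        rec['proto'] = p.group('proto')
    u = LOCAL_USER_RE.search(rest)
    if u:
        rec['local_user'] = u.group('user')   # local pickup, e.g. a PHP script via sendmail
    return rec


def parse_log(text):
    """Parse every received line in a chunk of exim_mainlog text."""
    return [r for r in (parse_received(l) for l in text.splitlines()) if r]


def helo_summary(records):
    """Count (HELO, client IP, authenticated user) for every remote submission."""
    return Counter((r['helo'], r['ip'], r['auth_user']) for r in records if r['helo'])


def helo_mismatches(records, own_domains):
    """Remote submissions whose HELO is neither the client's host name nor one of our domains."""
    def is_ours(name):
        return any(name == d or name.endswith('.' + d) for d in own_domains)
    return [r for r in records
            if r['helo'] and r['helo'] != r['host'] and not is_ours(r['helo'])]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for (helo, ip, user), n in helo_summary(recs).most_common():
        print(f'{n:3d}  HELO={helo:<22} ip={ip:<15} auth={user}')
    # own_domains is an assumption for the example; use the domains hosted on the server.
    for r in helo_mismatches(recs, {'example.com', 'customer.test'}):
        print('suspicious:', r['msgid'], r['helo'], r['ip'], r['auth_user'])
```

Run it against the real file with `parse_log(open('/var/log/exim_mainlog').read())`; a HELO such as gmail.com tied to one authenticated login points at a compromised mailbox password or a script using that account, while a HELO that never shows up in any `<=` line means the listed connection bypassed Exim.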
If you go to WHM -> Email -> Email Deliverability, does it show the correct HELO? Check also the file:
/etc/mailhelo
(if it exists).
Hey there! Let's not assume anything - I would start by seeing if you could find the message in WHM >> Mail Delivery Reports to see if there is any useful data there about who sent it. You can also find out how Exim sets the HELO message here:
https://support.cpanel.net/hc/en-us/articles/360057877894-How-do-I-configure-mailhelo-for-Exim
so it would be good to know if that has been changed.
Leaving those restrictions on is the best method to ensure this doesn't happen, so it would be good to figure out an alternative solution for those other mail users.