Bitninja greylist -> smtp malicious activity

Webfoundry

The host of my VPS sent me a warning that they have received a report of malicious activity originating from my VPS.
After examining the exim mainlog, I found the origin:

2019-06-30 17:29:09 1hhRXi-0003bF-PW == [email protected] <[email protected]> R=lookuphost T=remote_smtp defer (-19) H=littleitalytours.it [185.81.2.195]: Malformed SMTP reply in response to HELO server.webfoundry-hosting.be: 550 5.7.1 Your IP (xxx.xxx.xxx.xxx) is on the BitNinja server security greylist. This means that we experienced malicious attacks coming from your IP and placed it on our greylist due to security reasons. If you have taken the necessary steps to eliminate its source, you can delist this IP. You can only delist this IP a couple of times. It is good idea to warn your service provider about this incident.

So my server is probably sending spam.

Maldetect, spamassassin, clamav and firewall (CSF) are running. Is there something else I can do to prevent this?
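Added example (not from the original post): a small parser for Exim mainlog "==" deferral records like the one above. It separates remote MTAs that refuse the server's IP for reputation reasons (a 5xx "your IP is listed" answer such as the BitNinja one) from ordinary 4xx greylisting, and summarizes which remote hosts, which queued messages and which local IP are involved. Hostnames, addresses and message IDs in the sample are constructed.

```python
import re
from collections import Counter

# One Exim mainlog deferral record ("==" means delivery deferred). Field names are
# Exim's own: R= router, T= transport, H= remote host [ip], then the reason text.
DEFER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) == (?P<rcpt>\S+) "
    r"(?:<(?P<envelope>[^>]*)> )?.*?T=(?P<transport>\S+) defer \((?P<code>-?\d+)\) "
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<reason>.*)$"
)
# Wording that signals the remote side refused us for reputation reasons; combined with
# a 5xx status below so that normal 4xx "try again later" greylisting is not counted.
REPUTATION_MARKERS = ("bitninja", "security greylist", "blacklist", "blocklist", "spamhaus")
LISTED_IP_RE = re.compile(r"Your IP \(([^)]+)\)")

def parse_defer(line):
    """Return the fields of a '==' deferral line, or None for any other record."""
    m = DEFER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    reason = rec["reason"].lower()
    rec["reputation_block"] = bool(re.search(r"\b5\d\d\b", rec["reason"])) and any(
        marker in reason for marker in REPUTATION_MARKERS)
    listed = LISTED_IP_RE.search(rec["reason"])
    rec["listed_ip"] = listed.group(1) if listed else None
    return rec

def summarize(lines):
    """Aggregate reputation blocks: which remote MTAs refuse us, how many distinct
    queued messages are affected, and which of our IPs the remote side names."""
    hits = [r for r in map(parse_defer, lines) if r and r["reputation_block"]]
    return {
        "blocked_deliveries": len(hits),
        "by_remote_host": Counter(r["host"] for r in hits),
        "affected_messages": sorted({r["msgid"] for r in hits}),
        "listed_ips": sorted({r["listed_ip"] for r in hits if r["listed_ip"]}),
    }

# Constructed sample records (RFC 5737 addresses, example.* domains), not real log data.
SAMPLE_MAINLOG = [
    "2019-06-30 17:29:09 1hhS0a-0003gH-Kq == bob@example.net <victim@example.org> R=lookuphost T=remote_smtp defer (-19) H=mx.example.net [192.0.2.10]: Malformed SMTP reply in response to HELO server.example.org: 550 5.7.1 Your IP (198.51.100.7) is on the BitNinja server security greylist.",
    "2019-06-30 17:31:42 1hhS0b-0003gJ-Mp == carol@example.com <victim@example.org> R=lookuphost T=remote_smtp defer (-19) H=mail.example.com [192.0.2.20]: SMTP error from remote mail server after RCPT TO:<carol@example.com>: 451 4.7.1 Greylisted, try again later",
    "2019-06-30 17:33:00 1hhS1b-0003gI-Lq => dave@example.com R=lookuphost T=remote_smtp H=mail.example.com [192.0.2.20] C=\"250 OK\"",
    "2019-06-30 17:40:11 1hhS2c-0003hJ-Lr == erin@example.co <victim@example.org> R=lookuphost T=remote_smtp defer (-19) H=smtp.example.co [192.0.2.30]: Malformed SMTP reply in response to HELO server.example.org: 550 5.7.1 Your IP (198.51.100.7) is on the BitNinja server security greylist.",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAINLOG).items():
        print(key, value)
```

Running it over the real mainlog (one line per list entry) shows how many distinct queued messages and remote hosts are hitting the listing; a large, growing set of affected message IDs points at outbound bulk mail that the listed antispam tools are not stopping.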
 
Thanks zEitEr for your help.
I've been doing some reading, and tried mxtoolbox as a test. It says my DMARC Quarantine/Reject policy not enabled

When I read https://help.directadmin.com/item.php?id=596 it states p=none
Should I try to make the default p=reject?
change:
_dmarc TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]"

to:
_dmarc TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]"

or am I looking in the wrong direction?
 
DMARC does not protect your server against outgoing SPAM. It is used only for protecting your domain reputation from email spoofing. So I'd rather say it is not relevant to your issue reported in the initial post here.

Besides that, the mentioned DMARC is worth enabling. And your DMARC reports will be sent only for webfoundry.be. Related: https://help.directadmin.com/item.php?id=596
 