reacherhq / check-if-email-exists

Check if an email address exists without sending any email, written in Rust. Comes with a ⚙️ HTTP backend.
https://reacher.email
Other
4.32k stars, 335 forks

Error: smtp error 5.7.1 Mail from IP 3.93.33.11 was rejected due to listing in Spamhaus SBL. #1065

Closed DYW972 closed 2 years ago

DYW972 commented 2 years ago

After using check-if-email-exists with an iCloud email, I have received this error message:

5.7.1 Mail from IP 3.93.33.11 was rejected due to listing in Spamhaus SBL. For details please see http://www.spamhaus.org/query/bl?ip=3.93.33.11

Following the link provided, here is the information I've found:

The machine using this IP is infected with malware that is emitting spam, or is sharing a connection with an infected device.

As a result, this IP is listed in the eXploits Blocklist (XBL) and the CSS Blocklist (CSS)

More information:

Why was this IP listed? A device using 3.93.33.11 is infected with malware and is emitting spam.

3.93.33.11 is making SMTP connections with HELO values that indicate a problem. The HELOs that it is connecting with are as follows:

Technical information (IP, UTC timestamp, HELO value)

3.93.33.11 2022-02-26 08:00:00 gmail.com

Notable things about the HELOs:

- They are often dynamic-looking rDNS, and claim to be from geographically very different networks.
- They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
- The cause of this problem is frequently found to be coming from a phone or laptop with "free" VPN or channel unlocker, "free" streaming apps. This can be caused by a spambot infection or a server misconfiguration.

First check that the HELO settings are correct. This can be done by sending an email from 3.93.33.11 to "helocheck@abuseat.org". A bounce that contains the required information will be returned immediately. It will look like an error. It is not. Please examine the information in the body of the email. NOTE: "helocheck@abuseat.org" does not currently work with IPv6.

If the HELO settings are correct, then there is a spambot or some other kind of malware!

What should be done about it? If this is a shared server, please call your hosting company or ISP!

These listings are the result of what we believe to be a security issue that results in spam being sent from your network. To stop ongoing listings and to secure your network, devices, and data, we recommend both prevention and remediation of the issue.

We hope the following information might be of help.

Prevention

We very strongly advise securing your router/firewall to deny any outbound packets on port 25, except those coming from any email servers (if any) on your local network. Remote sending of email to servers on the Internet will still work if web-based, or configured properly using port 587 with SMTP-AUTH.

If you are not running your own mail server, you should be using your ISP's mail servers with SMTP authentication, and your router should be set to deny outbound traffic on port 25. Your ISP can help you set that up if needed. If you are using your ISP's mail servers and they are blocking you from those servers, please call them for a resolution. Your router should also be set to deny outbound traffic on port 25. Your ISP can help with that. If you are running your own mail server, please contact your ISP for help with getting set up on an appropriate static IP and valid DNS/rDNS for that purpose, to configure SMTP authentication on port 587, and then to limit outbound port 25 only to the use of that server. Limiting port 25 access is a best practice. Please call your ISP or IT department for assistance with configuring your router or firewall correctly.

Remediation

The device(s) or computer(s) that caused this issue should be found and secured. The following information should address most cases, but please seek professional assistance if it is necessary:

- The cause of this problem is frequently found to be coming from a phone or laptop with "free" VPNs, channel unlockers, streaming type apps installed.
- Programs like Windows Defender, Windows Malicious Software Removal Tool (MSRT), Malwarebytes, Norton Power Eraser, CCleaner and/or McAfee Stinger can help. There is also a version of Malwarebytes for Mac/OSX. These tools are free of charge!
- Update your enterprise anti-virus/anti-malware programs, and run full scans on every device that is available.
- If you have a CMS or website, ensure it is up to date. All plug-ins, extensions & patches for it should be updated and maintained.
- We can only see what's coming from the NAT (public) IP; anything inside your network is visible only to you. Packet capture is the best way to identify which devices are generating unwanted traffic. In general, only mailservers are supposed to generate traffic to port 25, as mail clients rely on the dedicated ports 587 or 465.
- If this IP address is a NAT gateway, firewall or router: in some cases, the compromised device can also be the router/firewall itself. Please consult the documentation of your device regarding how to make sure its software is up to date, and how to ensure that the device is properly secured.
- Spamhaus has a "hacked or compromised devices" FAQ with tips and links to help in this situation.

XBL listings expire automatically after the last detection. If necessary, once the security issue is solved, you can update an existing ticket to request removal.

Can I have more explanation about this error from your point of view?

Best regards
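The bounce quoted in this issue says "Spamhaus SBL", while the Spamhaus lookup page for the same IP reports XBL and CSS, so the receiving MTA's wording is only a hint; the authoritative check is a DNSBL query against zen.spamhaus.org from the affected host. The following is an added example, not code from the reacher project or from Spamhaus: it parses the rejection line (constructed from the text above), builds the reverse-octet query name, decodes ZEN's 127.0.0.x return codes (Spamhaus's published mapping), and, when run directly, performs the live lookup. Function and class names are hypothetical.

```python
"""Diagnose a Spamhaus DNSBL listing behind an SMTP 5.7.1 rejection.

Added example, not part of check-if-email-exists. The rejection line below is
constructed from the one quoted in this issue; function names are hypothetical.
"""
import ipaddress
import re
import socket

# Spamhaus ZEN answers a listed IP with A records in 127.0.0.0/8; the last
# octet identifies the list (Spamhaus's published return-code table).
ZEN_CODES = {
    2: "SBL",
    3: "SBL CSS",
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL (ISP maintained)",
    11: "PBL (Spamhaus maintained)",
}
# 127.255.255.x answers are query errors, not listings.
ZEN_ERRORS = {
    252: "typing error in DNSBL name",
    254: "query sent via a public/open resolver (use your own resolver)",
    255: "excessive number of queries",
}

# Constructed input: the bounce text quoted in this issue.
REJECTION = ("5.7.1 Mail from IP 3.93.33.11 was rejected due to listing in "
             "Spamhaus SBL. For details please see "
             "http://www.spamhaus.org/query/bl?ip=3.93.33.11")

REJECT_RE = re.compile(
    r"(?P<status>[245]\.\d+\.\d+)\s+Mail from IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"was rejected due to listing in Spamhaus (?P<list>[A-Za-z]+)"
)


def parse_rejection(text):
    """Extract the enhanced status code, the rejected IP and the list name the
    receiving MTA mentioned. The MTA's wording is advisory (here it says SBL,
    the lookup page said XBL/CSS), so always confirm with a DNSBL query."""
    m = REJECT_RE.search(text)
    if not m:
        return None
    return {"status": m["status"], "ip": m["ip"], "list": m["list"]}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


class DNSBLError(Exception):
    """Raised when ZEN returns an error code instead of a listing."""


def decode_zen_answers(answers):
    """Translate the A records returned for a ZEN query into list names."""
    listed = []
    for addr in answers:
        octets = [int(x) for x in addr.split(".")]
        if octets[:3] == [127, 255, 255]:
            raise DNSBLError(ZEN_ERRORS.get(octets[3], f"unknown error code {addr}"))
        if octets[0] != 127:
            raise DNSBLError(f"unexpected answer {addr}: not a 127/8 return code")
        listed.append(ZEN_CODES.get(octets[3], f"unknown list code {addr}"))
    return listed


def lookup_zen(ip):
    """Live query (needs network). NXDOMAIN means the IP is not listed."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip))
    except socket.gaierror:
        return []
    return decode_zen_answers(addrs)


if __name__ == "__main__":
    hit = parse_rejection(REJECTION)
    print("rejected IP:", hit["ip"], "status:", hit["status"], "MTA said:", hit["list"])
    print("query name:", dnsbl_query_name(hit["ip"]))
    try:
        print("ZEN lists now:", lookup_zen(hit["ip"]) or "none (not listed)")
    except DNSBLError as exc:
        print("query error:", exc)
```

Run it on the host that does the SMTP probing and through that host's own resolver: ZEN answers queries relayed by public resolvers with 127.255.255.254, which the decoder reports as an error rather than a listing. An empty list means NXDOMAIN, i.e. the IP is not currently on any ZEN component.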

amaury1093 commented 2 years ago

Your IP is blacklisted. https://help.reacher.email/self-host-guide#6812392972df451d871c679ef29b65cf.

DYW972 commented 2 years ago

Wow, this is super weird! Thank you!