- Server operating system version
- Debian 4.9
- Plesk version and microupdate number
- 18.0.44
Why was this IP listed?
116.202.... has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.
The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc., but also iPads and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25. This is very often the result of third-party "free" apps like VPNs, channel unlockers, streaming, etc. being installed on someone's personal device, usually a phone.
Technical information
Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.
Recent connections:
(IP, UTC timestamp, HELO value)
116.202.....-10-05 03:50:00 gmail.com
Important points:
- The HELOs are often dynamic-looking rDNS and usually claim to be from geographically very different networks OR spoofs of major brands.
- They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
- If the HELO does not make sense for the IP generating it, it should be looked at closely.
- There is often more than one compromised device.
- Guest networks should also be secured.
I checked my server with ImunifyAV and deleted the WordPress site which was hacked. But now all websites are not infected. Are there any other antivirus tools which I can use for checking my server? I have 2 IP addresses, one for hosting websites and the other for sending mail. I also configured it in the mail server. Could it be the issue?
Thanks for your help and suggestions.
Thanks
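The "Important points" in the listing above amount to a HELO plausibility check. Here it is as a small script added for illustration (not from the original post, Spamhaus or Plesk); the connection records, the rDNS table standing in for a PTR lookup, and the "dynamic" name pattern are all constructed.

```python
import re

# Constructed sample records in the shape of the listing: (IP, UTC timestamp, HELO).
# IPs are from RFC 5737 documentation ranges, not the poster's redacted address.
RECORDS = [
    ("203.0.113.7",   "2022-10-05 03:50:00", "gmail.com"),
    ("203.0.113.7",   "2022-10-05 03:51:12", "outlook.com"),
    ("198.51.100.23", "2022-10-05 03:52:40", "198-51-100-23.dyn.example.net"),
    ("192.0.2.10",    "2022-10-05 03:53:01", "mail.example.org"),
]

# Constructed PTR results standing in for a live reverse-DNS lookup (keeps the script offline).
RDNS = {
    "203.0.113.7": "static-7.example-isp.net",
    "198.51.100.23": "198-51-100-23.dyn.example.net",
    "192.0.2.10": "mail.example.org",
}

# Brands the listing says never send from third-party IPs; any such HELO is a spoof.
BRAND_HELOS = {"gmail.com", "outlook.com", "comcast.net"}

# Heuristic for "dynamic-looking" names: an embedded dotted/dashed IP or pool/dyn/dhcp labels.
DYNAMIC_RE = re.compile(r"(?:\d{1,3}[-.]){3}\d{1,3}|\b(?:dyn|dynamic|pool|dhcp|ppp)\b", re.I)


def classify_helo(ip, helo, rdns):
    """Return reasons a HELO looks wrong for the IP that sent it (empty list = plausible)."""
    reasons = []
    h = helo.lower().rstrip(".")
    if h in BRAND_HELOS:
        reasons.append("spoofed brand HELO")
    if DYNAMIC_RE.search(h):
        reasons.append("dynamic-looking HELO")
    if rdns is None:
        reasons.append("no rDNS for sending IP")
    elif h != rdns.lower().rstrip("."):
        # A real mail server normally greets with its own forward-confirmed hostname.
        reasons.append("HELO does not match rDNS %s" % rdns)
    return reasons


def suspicious_sources(records, rdns_table):
    """Group flagged records by IP; several IPs here is the 'more than one device' case."""
    flagged = {}
    for ip, ts, helo in records:
        reasons = classify_helo(ip, helo, rdns_table.get(ip))
        if reasons:
            flagged.setdefault(ip, []).append((ts, helo, reasons))
    return flagged


if __name__ == "__main__":
    for ip, hits in suspicious_sources(RECORDS, RDNS).items():
        for ts, helo, reasons in hits:
            print("%s %s HELO=%s -> %s" % (ts, ip, helo, "; ".join(reasons)))
```

On a real server the same logic can be fed from the MTA's connection log, with `RDNS` replaced by actual PTR lookups.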