Why was this IP listed?
116.202.... has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.
The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.
Technical information
Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.
Recent connections:
(IP, UTC timestamp, HELO value)
116.202.....-10-05 03:50:00 gmail.com
Important points:
- The HELOs are often dynamic-looking rDNS and usually claim to be from geographically very different networks OR spoofs of major brands.
- They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
- If the HELO does not make sense for the IP generating it, it should be looked at closely.
- There is often more than one compromised device.
- Guest networks should also be secured.
Facebook
Twitter
