Why was this IP listed?
81.46.XXX.2 is making connections with values that indicate a problem: either a misconfiguration or a malware infection.
Technical information
The most recent connection(s): December 12 2022, 19:00:00 UTC (+/- 5 minutes). The observed HELO value(s) were:
(IP, UTC timestamp, HELO value)
81.46.XXX.2 2022-12-12 19:00:00 PLESK-1.2703529.cloudfabric.net
81.46.XXX.2 2022-12-12 13:00:00 PLESK-1.2703529.cloudfabric.net
81.46.XXX.2 2022-12-10 14:55:00 PLESK-1.2703529.cloudfabric.net
81.46.XXX.2 2022-12-09 15:05:00 PLESK-1.2703529.cloudfabric.net
81.46.XXX.2 2022-12-07 15:00:00 PLESK-1.2703529.cloudfabric.net
Notable things about the HELOs:
- They usually do not exist in DNS - they have no A record. This can be caused by misconfiguration as well as malware.
- They often have dynamic-appearing rDNS, and the domain(s) used can appear to be geographically far from the IP geolocation.
- They can include "impossible" HELO values like "gmail.com", "hotmail.com" etc. - Gmail & Hotmail do not use these.
- The cause of this problem is frequently found to be coming from a phone or laptop with a "free" VPN or channel unlocker app on it.
What should be done about it?
If this is a shared server, please call your hosting company or ISP!
If this is a misconfiguration of a HELO setting or a Plesk host, that should be corrected.
HELO/EHLO & DNS CHECKS:
You can test a server's HELO configuration by sending an email from it to
[email protected]. A bounce that contains the required information will be returned immediately. It will look like an error, but it is not. Examine the contents of this email.
- If the HELO/EHLO value does NOT exist in DNS, that should be corrected
- If the HELO/EHLO value is NOT correct, that should be fixed
- If the HELO/EHLO is using a domain that does NOT exist, that should be corrected
- If the HELO/EHLO IS what you expect it to be AND it exists in DNS, then there is a spambot or some other kind of malware! This needs to be found and removed.
NOTE: this check does not currently work on IPv6. This is only a syntax check, NOT a verification that the DNS problem has been resolved.
If the HELO configuration is correct and as expected, then there is another problem, probably malware.
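As an added example (not part of this listing page or any Spamhaus tool), the script below applies the HELO/EHLO checks described above to a set of observed values: the "impossible" provider set, the fully-qualified-name syntax check, an A-record lookup, and the verdict-to-action mapping are all assumptions made here, and the DNS resolver is injectable so the checks can run offline; the sample lines are constructed from the table above.

```python
import re
import socket
# HELO values the listing calls "impossible"; extend with what you see in your own data.
IMPOSSIBLE_HELOS = {"gmail.com", "hotmail.com"}
# Fully-qualified host name: two or more RFC 1123 labels.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# The listing's recommended action for each verdict (assumed mapping).
ACTIONS = {
    "impossible": "HELO impersonates a mail provider: fix the HELO setting",
    "not_fqdn": "HELO is not a fully-qualified host name: fix the HELO setting",
    "no_a_record": "HELO has no A record in DNS: correct DNS or the HELO setting",
    "ok": "HELO is as expected and resolves: look for a spambot or other malware",
}

def resolve_a(name):
    """IPv4 addresses for name, or [] when it does not exist in DNS."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def assess_helo(helo, resolver=resolve_a):
    """Apply the HELO/EHLO checks to one value; resolver is injectable for offline use."""
    helo = helo.strip().lower().rstrip(".")
    if helo in IMPOSSIBLE_HELOS:
        return "impossible"
    if not FQDN_RE.match(helo):
        return "not_fqdn"
    if not resolver(helo):
        return "no_a_record"
    return "ok"

def triage(observations, resolver=resolve_a):
    """Parse '(IP, date, time, HELO)' lines and summarise each distinct HELO."""
    seen = {}
    for line in observations.strip().splitlines():
        ip, day, clock, helo = line.split()
        entry = seen.setdefault(helo, {"count": 0, "last_seen": ""})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], f"{day} {clock}")
    for helo, entry in seen.items():
        entry["verdict"] = assess_helo(helo, resolver)
        entry["action"] = ACTIONS[entry["verdict"]]
    return seen

# Constructed sample in the listing's table format, plus one "impossible" value.
SAMPLE = """81.46.XXX.2 2022-12-12 19:00:00 PLESK-1.2703529.cloudfabric.net
81.46.XXX.2 2022-12-12 13:00:00 PLESK-1.2703529.cloudfabric.net
81.46.XXX.2 2022-12-10 14:55:00 gmail.com"""
```

Run `triage(SAMPLE)` against live DNS to get a per-HELO verdict and action; pass `resolver=lambda n: []` to see the no-A-record branch without network access.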
MALWARE CHECKS:
- Secure your firewall so that no packets leave your network on port 25, except those coming from the email server(s) on your local network. Remote sending of email from other servers or printers to the Internet will still work if it is web-based or correctly configured to use port 587 with SMTP-AUTH.
- Guest networks should also be secured - infected personal devices are a big issue!
NOTE: limiting port 25 outbound will only prevent the abusive connections from leaving your network and will not find or remove the malware. In order to do that, we suggest setting up network logging/packet logging to monitor anomalous traffic. This will help identify sources of malware if the scans do not find anything.
- Perform complete scans with an up to date anti-virus/malware on all devices behind this IP on a scheduled basis.
- Remember to check personal devices such as laptops, phones, tablets, as well as routers, etc. Malware can be on almost anything that is connected to the internet, including a smart doorbell.
- Consider the router or firewall as a source of the problem if scans find no other devices.
This FAQ can be helpful:
https://www.spamhaus.org/faq/section/Hacked...%20Here's%20help
Removal from CSS
If the problem on 81.46.XXX.2 has been addressed, you can request removal: