Solving a Spamhaus /CBL blacklisting issue

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
netagence
Forum User
Posts: 5
Joined: Tue May 10, 2011 6:32 am
Location: Paris

Solving a Spamhaus /CBL blacklisting issue

Unread post by netagence »

Hi,
We have been dealing with a Spamhaus /CBL blacklisting for weeks. Tried everything we could think of, had our server admin work on it, then hired a Linux security specialist who spent days on it.
We get re-listed after a few hours no matter what we do.
Could installing ASL help us understand and solve such an issue? I could see no topic about spamhaus or spam in this forum.
I'm also anxious not to create further issues for our users who suffer from this in terms of email reliability, and would not like a "too tough" policy to make working features stop...

Thanks.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Solving a Spamhaus /CBL blacklisting issue

Unread post by scott »

Do you have any indication of spam abuse happening on the system? Like from smtp_auth, or php?

This is a (rough!) forensics procedure page on doing some basic source investigation: https://www.atomicorp.com/wiki/index.php/Spam
netagence
Forum User
Posts: 5
Joined: Tue May 10, 2011 6:32 am
Location: Paris

Re: Solving a Spamhaus /CBL blacklisting issue

Unread post by netagence »

Interesting page for most cases. Our issue is that we could never find a single spam message, no Apache process shows anything unusual. We are used to detecting such "basic" hacks from compromised scripts and could not find such traces in spite of days of searches and various specialists trying. Could ASL help understand and find something they didn't?
Any other issue that could be created in Plesk ?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Solving a Spamhaus /CBL blacklisting issue

Unread post by mikeshinn »

Well, the system could be compromised and spamming from a tool running on the system (and therefore not using your MTA). One technique you might try would be running netstat -anp and seeing if anything is talking out to port 25 besides your MTA.

You could also lock down outbound port 25 to just your MTA (thereby preventing anything from spamming, except thru your MTA), this article explains how to do that:

https://www.atomicorp.com/forums/viewto ... ail#p30223

Did the spamhaus project provide any details about why you keep getting on the list?
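The netstat check described above, as an added example that is not part of the thread: it scans `netstat -anp`-style output for outbound connections to the submission ports (25, and also 465 and 587, which the later reply mentions) whose owning process is not the MTA. The MTA process names passed as arguments ("master" and "smtp" for Postfix) and the sample netstat output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag outbound SMTP connections
# (ports 25, 465, 587) whose owning process is not one of the MTA
# program names given as arguments. Assumed MTA names: master, smtp (Postfix).

# find_rogue_smtp MTA_NAME... < netstat_output
# Prints "PID/Program -> remote:port" for each connection worth investigating.
find_rogue_smtp() {
    awk -v mtas="$*" '
        BEGIN { n = split(mtas, arr, " "); for (i = 1; i <= n; i++) ok[arr[i]] = 1 }
        $1 == "tcp" || $1 == "tcp6" {
            remote = $5
            n = split(remote, r, ":"); port = r[n]        # last field is the port
            if (port != 25 && port != 465 && port != 587) next
            if ($NF == "-") { print "unknown -> " remote; next }   # PID hidden (not root)
            split($NF, p, "/"); prog = p[2]
            if (!(prog in ok)) print $NF " -> " remote
        }'
}

# Constructed sample netstat -anp output: Postfix delivering normally (master/smtp),
# plus a PHP CGI process and a stray perl process talking directly to SMTP ports.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/master
tcp        0      0 192.0.2.10:45210        203.0.113.5:25          ESTABLISHED 1250/smtp
tcp        0      0 192.0.2.10:45211        203.0.113.9:25          ESTABLISHED 4321/php-cgi
tcp        0      0 192.0.2.10:45212        198.51.100.7:587        SYN_SENT    5555/perl
tcp        0      0 192.0.2.10:45213        198.51.100.8:443        ESTABLISHED 4322/php-cgi'

# Live use on a server would be:  netstat -anp | find_rogue_smtp master smtp
rogue_smtp_report() {
    printf '%s\n' "$SAMPLE_NETSTAT" | find_rogue_smtp master smtp
}

rogue_smtp_report
```

Anything the report lists is a process other than the MTA opening SMTP sessions, which is exactly the kind of sender the MTA logs would never show.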
netagence
Forum User
Posts: 5
Joined: Tue May 10, 2011 6:32 am
Location: Paris

Re: Solving a Spamhaus /CBL blacklisting issue

Unread post by netagence »

The specialist we hired took those steps, also found in the CBL / Spamhaus firewall recommendations, and found nothing.
Spamhaus provided a few replies, to the tune of "if you get listed we are 100% positive it's for a good reason, and we have so many hits we cannot keep traces or examples of mail headers that would be forged anyway".
Very desperate.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Solving a Spamhaus /CBL blacklisting issue

Unread post by mikeshinn »

So you have the firewall rules in place preventing any outbound connections to ports 25, 465 and 587, which means everything should be flowing thru your MTA (or not getting out at all). Do you see any mail going out in your MTA logs, and what is in that mail?

Also, do you see any other outbound connections from your system, such as connections to port 80 or 3128?