---

@Niska wrote:

smtp.virginmedia.com): <rx> 525 5.7.13 Authentication Denied (VM305)

---

The VM305 error is pretty specific. It indicates VM are blocking you from sending VM emails through the VM SMTP servers because the public IP address you are sending from (so either your home network or your VPN) appears on Spamhaus's lists.

In most cases Spamhaus will have detected suspicious (spam) traffic coming from that IP address. That is most commonly caused by malware, aka a "spam bot", on a smart device on your home network, (so not necessarily the device you are sending from).

It is just emails sent using email apps or clients that VM block. As you have found, VM do not block emails sent from their webmail service.

The intermittent behaviour you are seeing is caused by the fact that those blocklists are dynamic. So if the malware stops sending out suspicious traffic for a time then your IP address will automatically drop off the blocklist and all is ok. However, once the malware starts up again and continues for a while then  the IP address will automatically goes back on the list.

That might conceivably be further complicated by that fact that it is possible that VM check against a cached copy of the blocklists rather than the live Spamhaus list itself.

So it may be that VM continue to block your IP address for a short time after it has come off the live list until they pick up the latest version of the blocklist. (I don't know that for a fact but it is a possibility.) It would explain why you find you are still getting the VM 305 error but your IP address is not listed when you check Spamhaus directly.

This blocking is likely to continue intermittently until you can identify which device is infected and have got rid of the malware.

Fire tv sticks or any smart device that has third party software installed are common culprits so you might like to consider whether you have any likely suspects. One poster on here even reported that their Ring Video Doorbell was the device that had been infected!

Coenoby

Which router are you using?

You need to make sure it's port 25 Outbound that's blocked, not port 25 inbound.  Not all routers allow blocking of outbound traffic.

Besides, blocking traffic isn't really the answer, tracking down and removing the source of the traffic is.  This is is because you don't know what other undesirable activity is using your network.

Tim

Thanks Tim.

I am using a Ubiquiti EdgeRouter. I am pretty sure it is blocking ok.

Would you suggest then maybe removing the block and keeping monitoring with Wireshark as part of collecting data?

And/or turning off the VPN and seeing if there is any traffic from devices?

Having done a bit more digging:

1. I can see no evidence of blocking any port 25 requests in practice - the Firewall rule is reporting no Packets or Bytes impacted by the rule, but I did reboot the router earlier today.

2. I've run Wireshark for a few hours now and seen no evidence of any port 25 traffic across the router. Which would make sense given the above.

However, for the third time today I'm unable to send email via a client.

See my Video here which explains my detection method

https://www.youtube.com/watch?v=UxNsoW7FRh0

Note that it uses the Hotspot feature in Windows 10 or 11.  You can't see traffic unless it passes through your computer, so you need to temporarily connect devices to the hotspot on your PC.

Note also this needs to be done on EVERY device on your network that normally connects to the router via Wifi, so If you have kids with mobiles, you need to check their devices too.

Thanks again Tim. I've been monitoring overnight using Wireshark pulling info direct from the router - so far 3.6m packets analysed and the only Port 25 traffic is probes from 6 external sources to my router.

On the router itself the Firewall reports no blocked outgoing packets either.

No sign of any outgoing at all, and yet I am back to being blocked again this AM.

I'm really unsure what I can do now - it's massively irritating. The only device I am not seeing/blocking is my Virgin Media hub which is running in Modem mode.

Wireshark doesn't pull any info to from the router

It allows you to view traffic passing through the network ports on the PC on which it's installed.

The second part of the instruction shows how to turn on the Wifi hotspot on the PC (which needs to have a wifi adapter) and to find the adapter that the hotspot is running on in order to monitor this port.

Once you've set the hotspot up and the wireshark capture, you connect your wireless devices to the hotspot INSTEAD of the router.

Once you've ruled out a device, you can connect it back to the router.

I appreciate that. 

I am using Wireshark to interrogate the router logs through an SSH tunnel. It should be just the same as the virtual hotspot method you recommend (albeit for all devices on the LAN at once).

And even if that was the case the router, which is blocking Port 25 traffic outgoing, is capturing how many packets it is blocking - currently 0 which to me suggests that there is no outgoing SMTP on Port 25 from my network. 

The bit I am getting a little confused by us the impact (or actually not) of my using a VPN. My memory is that it seems to make no difference whether I am connected to it or not, and yet I still get the 305 error. 

And I have tried multiple devices. I probably need more systematic research but I am not sure I am missing something with Wireshark.

I am also running pi-hole on the internal LAN (on a standalone pi) but don't believe that should be relevant.