---

@owengriff wrote:

Hi

thanks for reply, I agree totally. I just wish I could set up pop settings but unable to. As I stated looks like I am on spamhaus, css website and have emailed them to remove me. Hopefully once they do this I can set up pop settings on both the app and laptop. I can do screen shots of screens if needed for extra help but agree vm should be documenting this fix on YouTube as there videos for every other fix on there lol

---

Well with a bit of zooming and some software to sharped up images, it does look as if your home IP address has been listed on Spamhaus' CSS blocklist, now this is a list of addresses which have been reported as sending out, well, 'low reputation' spam messages. So something, some device on your home network has become infected with some malware and is 'gradually and slowly; in an attempt to avoid detection' sending out spam email. Now VM have policy of checking your connection against the Spamhaus lists before allowing you to connect to send email - this is arguably not a very good strategy, but it is what it is, VM have made a corporate decision to do this, and nothing you or I, or indeed anyone else might think is going to change that.

So you need to get off of the Spamhaus list, now you can simply request it and they may well comply, but unless you have actually tracked down and eliminated the root cause, then this delisting will be temporary, eventually you will get listed again and this time Spamhaus will be 'reluctant' to delist you, and no, there is absolutely nothing, no threats of legal action etc, you can do. Your demands/request will simply be ignored!

Tracking down the source of the spam message is technically possible but not trivial, as you have noticed, unfortunately there simply is no alternative - well other than abandon VM as an email provider, sign up with some alternative supplier and start the laborious process of informing all of your contacts of your new address.

Thankyou so much for advice we will await the spamhaus request I sent to see if I get removed 

thanks all for the advice and help given I have a better insight to how vm is a bit intolerant to their own customers now

cheers

Owen 

Hi @owengriff ,

Welcome back to our community forums and sorry to hear you are having these issues with your email. We can understand the inconvenience this may have caused. We are however glad to see that the community was able to advise on this. Please let us know how your request to be removed goes and if you need any further help.

Thanks,

Hi all

I had this back off Spamhaus can anyone navigate me through it please?

How to solve this problem depends on whether your IP is static or dynamic. If you are not sure, call your ISP and ask them. Please read on for more information.

---

If your IP is dynamic, it is possible you have inherited someone else's problem. If your IP is dynamic, there are three options:

* Most common: if you are not running your own mail server, you should be using your ISP's mail servers with SMTP authentication, and your router should be set to deny outbound traffic on port 25. Your ISP can help you set that up if needed.
* If you are using your ISP's mail servers and they are blocking you from those servers, please call them for a resolution. Your router should also be set to deny outbound traffic on port 25. Your ISP can help with that.
* If you are running your own mail server, please contact your ISP for help with getting set up on an appropriate static IP and valid DNS/rDNS for that purpose, to configure SMTP authentication on port 587, and then to limit outbound port 25 only to the use of that server.

Please call your ISP or IT department for assistance with configuring your router or firewall correctly. You can also find most router configuration manuals online.

--

If the IP is static, your network has a malware problem. It is NOT your mail server:

(IP, UTC timestamp, HELO value)
86.21.223.216 2023-02-08 02:25:00 mta3.e.therealreal.com
86.21.223.216 2023-02-07 23:25:00 ip68-108-73-180.lv.lv.cox.net
86.21.223.216 2023-02-07 02:40:00 mta3.e.therealreal.com
86.21.223.216 2023-02-06 03:10:00 mta3.e.therealreal.com
86.21.223.216 2023-02-05 03:00:00 mta3.e.therealreal.com


Consider the implications of a proxy that is under someone else's control being active on your network. Spoofed port 25 connections are what WE see coming from it, but proxies can be used for all sorts of malicious activities, and they are inside your firewall.

We very strongly recommend securing your firewall to not allow any packets outbound on port 25, except those coming from any email server(s) on your local network. Remote sending of email to servers via the Internet should still work if web-based, or configured properly to use port 587 using SMTP-AUTH.

Unfortunately, we can only see what's coming from the NAT (public) IP; anything inside your network is visible only to you. You can start logging at the router or firewall to see what's trying to use port 25 and that should lead you right to the compromised device(s).

The easier thing to do would be to limit outbound port 25 to mail servers and thus secure your network and stop the listings. You can look for the device(s) afterward.

NOTE: there may be more than one affected device.

Regards

Hi thankyou for your advice i have had a reply from spamhaus. I have 2 firesticks but use a paid vpn via Torguard. Wondering if i could get any help to fix please?

There is a proxy installed on a device - probably an Android mobile, firestick, smart doorbell, etc or possibly a Windows computer - that is using your IP to send spam DIRECTLY to the internet via port 25: This is often the result of third party "free" apps like vpns, channel unlockers, streaming, etc being installed on someone's personal device.


This is a simple explanation of how this works: https://www.spamhaus.com/resource-center/when-doorbells-go-rogue/

Any devices with "free" VPNs, TV streaming, channel unlocking, or 3rd party apps installed would be the first things to check.

---

How to solve this problem depends on whether your IP is static or dynamic. If you are not sure, call your ISP and ask them. Please read on for more information.

---

If your IP is dynamic, it is possible you have inherited someone else's problem. If your IP is dynamic, there are three options:

* Most common: if you are not running your own mail server, you should be using your ISP's mail servers with SMTP authentication, and your router should be set to deny outbound traffic on port 25. Your ISP can help you set that up if needed.
* If you are using your ISP's mail servers and they are blocking you from those servers, please call them for a resolution. Your router should also be set to deny outbound traffic on port 25. Your ISP can help with that.
* If you are running your own mail server, please contact your ISP for help with getting set up on an appropriate static IP and valid DNS/rDNS for that purpose, to configure SMTP authentication on port 587, and then to limit outbound port 25 only to the use of that server.

Please call your ISP or IT department for assistance with configuring your router or firewall correctly. You can also find most router configuration manuals online.

--

If the IP is static, your network has a malware problem. It is NOT your mail server:

(IP, UTC timestamp, HELO value)
86.21.223.216 2023-02-08 02:25:00 mta3.e.therealreal.com
86.21.223.216 2023-02-07 23:25:00 ip68-108-73-180.lv.lv.cox.net
86.21.223.216 2023-02-07 02:40:00 mta3.e.therealreal.com
86.21.223.216 2023-02-06 03:10:00 mta3.e.therealreal.com
86.21.223.216 2023-02-05 03:00:00 mta3.e.therealreal.com


Consider the implications of a proxy that is under someone else's control being active on your network. Spoofed port 25 connections are what WE see coming from it, but proxies can be used for all sorts of malicious activities, and they are inside your firewall.

We very strongly recommend securing your firewall to not allow any packets outbound on port 25, except those coming from any email server(s) on your local network. Remote sending of email to servers via the Internet should still work if web-based, or configured properly to use port 587 using SMTP-AUTH.

Unfortunately, we can only see what's coming from the NAT (public) IP; anything inside your network is visible only to you. You can start logging at the router or firewall to see what's trying to use port 25 and that should lead you right to the compromised device(s).

The easier thing to do would be to limit outbound port 25 to mail servers and thus secure your network and stop the listings. You can look for the device(s) afterward.

NOTE: there may be more than one affected device.

@owengriff 

An excellent post - I picked up on this sort f thing back in 2019.

Unfortunately most home routers don't allow outbound filtering,  I did come up with a method of searching for devices sending spam on your network,

https://community.virginmedia.com/t5/Security-matters/Searching-for-Spambots-on-your-network/td-p/40...

The thinking behind it is that blocking port 25 outbound only deals with devices sending mail, it doesn't deal with any other activity from the affected devices, better to track them down and clean them.

Tim

Edit, PS it's SMTP that's being blocked by VM because you're on spamhaus' CSS list - That has the knock on effect of preventing you from setting up a POP3 or IMAP account although those two protocols are not the one's being blocked,

I should also add that VM's IP addresses are allocated by DHCP - but they are very sticky - It's not unusual to keep the same IP address for over a year, IMHO the chances of you having inherited someone else's problem are slim to none.

Yes, indeed, you haven't inherited someone else's issue, but the passage you quoted from Spamhaus, webpage, by necessity has to be fairly generic and cover all internet providers. It is also, I feel, confusing in a (justifiable) attempt to cover all the bases - it does go on about if you are running your own email server (which you aren't). The mentions of 'contacting your ISP', are almost inevitably irrelevant - they concern a case where you are a business which legitimately runs an in-house mail server, but the IP address has been categorised as a 'domestic/dynamic' one, and in this case, yes, the ISP could let Spamhaus know and they may well remove that address for the list.

This isn't relevant here though, you aren't a business running a mail server, and neither are you on a proper static address, so VM can do precisely nothing to help, and, in fact, nor should they.

If you find yourself on one of the Spamhaus 'naughty lists', then it's ultimately down to you to sort it out, neither Spamhaus nor VM will, or indeed can, help out here. There are ways to track down the offending device, which Tim (ravenstar68) once produced a fairly comprehensive set of instructions for, the link for which I can't find, but it may well be a 'sticky' post, but they are not trivial and do require a degree of technical skill and understanding.