My IP is listed in CSS - General help
NOTE: This FAQ applies specifically to IPs listed in CSS due to a compromise, insecurity or infection. For listings related to low reputation, unsolicited mail, etc., please refer to our FAQs for marketing and bulk email.
Why was this IP listed?
This IP was listed because we have evidence suggesting that the IP or something behind it is compromised, insecure or infected.
What should be done about it?
The situation requires correcting: Spamhaus has detected spoofed SMTP connections coming from this IP address.
- To stop the abuse immediately, close port 25 on the router or firewall and restrict port 25 access to known email servers.
- Note: this will only prevent the abusive connections from leaving your network. If the problem is (for example) an infected mobile phone, when it moves to another insecure network, it will resume its activity without restriction.
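The following is an added example of the "close port 25 except for known mail servers" step on a Linux router or firewall; it is not part of the Spamhaus FAQ. It generates an nftables ruleset that lets only the listed mail server(s) open outbound TCP/25 connections, logs every other attempt with the internal source address (so the infected device can be found), and rejects it. The interface names lan0/wan0, the mail server address 192.0.2.10 and the log prefix are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the Spamhaus FAQ.
# Emits an nftables ruleset for a Linux router/firewall that allows outbound
# SMTP (TCP/25) only from known mail servers, logs every other attempt with
# the internal source IP, and rejects it. Apply with:
#     gen_smtp_egress_rules | nft -f -
# Assumed (hypothetical) values; override via environment variables:
LAN_IF="${LAN_IF:-lan0}"                     # interface facing the internal network
WAN_IF="${WAN_IF:-wan0}"                     # interface facing the internet
MAIL_SERVERS="${MAIL_SERVERS:-192.0.2.10}"   # comma-separated legitimate MTA addresses
LOG_PREFIX="${LOG_PREFIX:-SMTP-EGRESS-DENY }"

# Print the ruleset to stdout (does not touch the live firewall).
gen_smtp_egress_rules() {
    cat <<EOF
table inet smtp_egress {
    set mail_servers {
        type ipv4_addr
        elements = { ${MAIL_SERVERS} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Known mail servers may talk SMTP to the world.
        iifname "${LAN_IF}" oifname "${WAN_IF}" ip saddr @mail_servers tcp dport 25 accept
        # Anything else trying to open a new TCP/25 connection: log the internal
        # source (rate-limited so a spam bot cannot flood the log), then reject.
        iifname "${LAN_IF}" oifname "${WAN_IF}" tcp dport 25 ct state new limit rate 10/minute log prefix "${LOG_PREFIX}" level warn
        iifname "${LAN_IF}" oifname "${WAN_IF}" tcp dport 25 reject with tcp reset
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it (needs nft installed).
check_smtp_egress_rules() {
    gen_smtp_egress_rules | nft -c -f -
}

# Usage when run directly: print the ruleset for review.
[ "${1:-}" = "--print" ] && gen_smtp_egress_rules
```

Submission ports 587 and 465 are untouched by this ruleset, so mail clients on the LAN keep working against the mail server; only direct port-25 traffic from non-mail-server hosts is stopped. Because the rule logs the SRC= address, the kernel log (journalctl -k or /var/log/kern.log) then names the device that needs cleaning. As the FAQ notes, this contains the abuse at your perimeter only; an infected laptop or phone will resume spamming on the next network it joins.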
Due to the complexity of the threat landscape, we are unable to advise on the exact nature of the problem. Also, we can only see what’s coming from the public IP and have no insight into network configurations. We hope the following information might be of help.
- For Windows operating systems the following free tools can sometimes help: Windows Defender, Malwarebytes, Norton Power Eraser, CCleaner and/or McAfee Stinger.
- All operating systems: Check tool-bars, extensions and plug-ins on each browser for anything you don’t recognize. Look for “free” VPNs or other heavily-monetized apps, which often carry a great many advertisements. We have seen many mobile devices (mostly Android phones) being turned into spam proxies as a result of installing questionable apps.
- Calling your provider, IT department, or taking your suspect machine(s) or device(s) to a competent tech support service might also be useful.
Is this IP a NAT gateway, firewall or router?
- If the IP is a NAT gateway, firewall or router, the infected devices are usually computers or other devices behind it.
- In some cases, the compromised device CAN be the router itself.
- Ensure that telnet (TCP port 23) is not accidentally left open to the internet; blocking UDP port 23 as well does no harm.
- Please consult the documentation of your device regarding how to make sure its software is up to date, and how to ensure that the device is properly secured.
- You can use packet sniffing or logging at the router or firewall to see what’s trying to use port 25. Only mail servers should be generating such traffic: mail clients submit outgoing mail to their server on the dedicated submission ports 587 or 465 and read mail over IMAP or POP3, so an ordinary workstation or phone has no reason to connect to port 25 at all.
- Wireshark is a good (free) tool to investigate network traffic.
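As an added example (not from the Spamhaus FAQ) of the logging approach described above, the following script summarises firewall log lines to show which internal hosts have been trying to reach port 25 and how many distinct destinations each one contacted. The log format assumed is the Linux nftables/iptables kernel log line (fields such as SRC=, DST=, PROTO=, DPT=); the sample lines, the gateway name and the SMTP-EGRESS-DENY prefix are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Spamhaus FAQ.
# Summarise firewall log lines to find internal hosts attempting outbound
# TCP/25. Assumed input: Linux nftables/iptables "log" lines as seen in
# `journalctl -k` or /var/log/kern.log. In real use pipe the live log in:
#     journalctl -k --since today | smtp_offenders
# The lines below are constructed sample input so the script runs offline.
SAMPLE_LOG='Jan 10 09:14:02 gw kernel: SMTP-EGRESS-DENY IN=lan0 OUT=wan0 SRC=192.0.2.57 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=25 SYN
Jan 10 09:14:03 gw kernel: SMTP-EGRESS-DENY IN=lan0 OUT=wan0 SRC=192.0.2.57 DST=198.51.100.21 PROTO=TCP SPT=51235 DPT=25 SYN
Jan 10 09:14:03 gw kernel: SMTP-EGRESS-DENY IN=lan0 OUT=wan0 SRC=192.0.2.57 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=25 SYN
Jan 10 09:14:05 gw kernel: SMTP-EGRESS-DENY IN=lan0 OUT=wan0 SRC=192.0.2.88 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=25 SYN
Jan 10 09:14:06 gw kernel: OTHER-RULE IN=lan0 OUT=wan0 SRC=192.0.2.88 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=443 SYN'

# Read log lines on stdin; print "attempts distinct_destinations source_ip"
# for every source that tried TCP/25, busiest source first. A host hitting
# many different destination mail servers is the classic spam-bot pattern.
smtp_offenders() {
    awk '
        /PROTO=TCP/ && /DPT=25( |$)/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src == "") next
            attempts[src]++
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; dests[src]++ }
        }
        END {
            for (s in attempts) printf "%d %d %s\n", attempts[s], dests[s], s
        }' | sort -rn
}

# Run the summary over the constructed sample.
demo_smtp_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | smtp_offenders
}

# Equivalent live capture instead of log parsing (needs root and tcpdump):
# show only new outbound SMTP connection attempts (SYN without ACK) on the LAN side.
#     tcpdump -ni lan0 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

[ "${1:-}" = "--demo" ] && demo_smtp_offenders
```

On the sample input the first line of output is `3 3 192.0.2.57`: one internal host made three port-25 attempts to three different mail servers within seconds, which is the device to pull off the network and inspect. The port-443 line is ignored because the filter keys on DPT=25, so ordinary web traffic from the same host does not inflate the count. The same tcpdump filter in the comment is what you would type when you have packet capture rather than firewall logs; Wireshark accepts the display filter `tcp.port == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0` for the same purpose.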
Routers and firewalls should block outbound port 25 for everything except your known mail servers, and those mail servers should require SMTP authentication on the submission ports (587 or 465) before accepting mail for relay.
CSS listings expire automatically a set number of hours after last detection.