The IPv6 address for my mailcow server has recently been listed in two of the Spamhaus lists, not for sending spam, but for a configuration-related issue.
Here is what the Spamhaus explanation for the listing says:
Why was this IP listed?
This IP is making SMTP connections with HELO values that use a bare IP address (a bare IP address looks like: 192.2.0.1). This behaviour is commonly associated with various botnets, and is a violation of the SMTP protocol as defined in RFC2821/5321 section 4.1.1.1.
The most recent detection was at: May 8 2021, 18:20:00 UTC (+/- 5 minutes)
Only the IPv6 address is listed, and when I test the HELO by sending an email through my server to helocheck@abuseat.org, the bounce indicates that the email went via the IPv4 network, and the HELO syntax comes back fine, with the HELO reported as the FQDN (not a bare IP) of my mailcow server.
I have been running mailcow dockerized on this same VPS without any such issues for more than three years. The server has (and has always had) correctly configured PTR records for both its IPv4 and IPv6 addresses, both of which point to the FQDN of the mailcow server. The VPS is dedicated to running mailcow - there are no other services running on it besides mailcow.
The Spamhaus listing is recent, and nothing I am aware of has changed in the mailcow server's configuration - other than keeping up with mailcow updates.
So two questions:
- Is it possible that mailcow is somehow using a bare IP for the HELO of IPv6 connections?
- Is there any way to test the HELO but constrain the test to be IPv6?
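One way to get an IPv6-only HELO check, as an added example that is not part of the original post or of mailcow: a throwaway SMTP listener that binds only to IPv6, so any greeting it records must have arrived over IPv6, and that classifies the greeting the way the Spamhaus notice describes (FQDN, RFC 5321 address literal, or bare IP). It assumes you can make the mail server deliver to it (for instance a test address whose MX host has only an AAAA record pointing at the machine running this on port 25); the host, port, label names and the simplified FQDN test are my choices.

```python
import asyncio
import ipaddress
import socket

def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def classify_helo(arg: str) -> str:
    """Classify a HELO/EHLO argument against RFC 5321 section 4.1.1.1."""
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):   # address literal, e.g. [IPv6:2001:db8::1]
        inner = arg[1:-1]
        inner = inner[5:] if inner.lower().startswith("ipv6:") else inner
        return "address-literal" if _is_ip(inner) else "invalid"   # literal form is permitted
    if _is_ip(arg):
        return "bare-ip"                             # the pattern Spamhaus reports
    return "fqdn" if "." in arg else "invalid"       # simplified check, not full hostname syntax

async def _session(reader, writer):
    """Speak just enough SMTP to capture the greeting, then refuse the mail."""
    peer = writer.get_extra_info("peername")[0]
    writer.write(b"220 helocheck ESMTP\r\n")
    while True:
        await writer.drain()
        line = (await reader.readline()).decode("ascii", "replace").rstrip("\r\n")
        if not line:
            break
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("HELO", "EHLO"):
            print(f"{peer} greeted with {arg!r} -> {classify_helo(arg)}")
            writer.write(b"250 helocheck\r\n")
        elif verb.upper() == "QUIT":
            writer.write(b"221 bye\r\n")
            break
        else:   # refuse MAIL FROM etc. so the sender bounces the test message after the greeting
            writer.write(b"550 helocheck only records the greeting\r\n")
    await writer.drain()
    writer.close()

async def serve(host: str = "::", port: int = 25):   # IPv6 only: every greeting logged arrived over IPv6
    server = await asyncio.start_server(_session, host, port, family=socket.AF_INET6)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```

Binding port 25 needs root or the appropriate capability; the sending server's own log entry for the rejected delivery then confirms the connection used its IPv6 address.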