Procedure to remove blacklist

What is blacklisting

Most of the time, blacklisting is discovered due to errors, when you are not able to access a website, or when you are unable to send an email. When you file a support request with LeaseWeb, you may hear from us that your IP address is blacklisted.

“In computing, a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, which means only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked (or temporarily allowed) until an additional step is performed.

For example, a company might prevent a list of software from running on its network or a school might prevent a list of web sites from being accessed on its computers.” – Source: Wikipedia

To avoid getting blacklisted, when sending emails for marketing purposes, always send them to mailing lists that contain email addresses obtained through double opt-in and with a valid unsubscribe URL.
 
Within most spam laws, (single) opt-in is not sufficient and is not allowed.
 

How double opt-in works:
1. The subject needs to fill out their email address to subscribe to the mail list.
2. A verification URL is sent to the subject.
3. The subject needs to confirm their subscription through the verification URL.
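The three steps above as a small Python sketch. This is an added example, not LeaseWeb code: the endpoint URL, the 48-hour expiry, the demo key and all function names are assumptions, and the two in-memory collections stand in for a subscriber database.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"            # assumption: load a real key from a secret store
TOKEN_TTL = 48 * 3600                       # assumption: verification links expire after 48 hours
BASE_URL = "https://lists.example/confirm"  # hypothetical confirmation endpoint

pending, confirmed = {}, set()              # stand-ins for the subscriber database

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def subscribe(email, now=None):
    """Steps 1-2: store the address as pending and return the verification URL to mail out."""
    email = email.strip().lower()
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{email}|{expires}".encode()
    pending[email] = expires
    return f"{BASE_URL}?token={base64.urlsafe_b64encode(payload).decode()}.{_sign(payload)}"

def confirm(token, now=None):
    """Step 3: only a valid, unexpired token for a pending address activates the subscription."""
    try:
        blob, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(blob.encode())
        email, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeError):
        return False
    # Constant-time comparison, so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    current = time.time() if now is None else now
    if current > expires or pending.get(email) != expires:
        return False                        # expired, never requested, or already used
    del pending[email]
    confirmed.add(email)
    return True

def can_mail(email):
    """Marketing mail goes only to addresses that completed step 3."""
    return email.strip().lower() in confirmed
```

An address that was only entered in the form (step 1) never becomes mailable, which is the difference from single opt-in.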

Are you blacklisted?

If a report is provided and you do not act upon it, your IP address can be blocked from accessing a website, a country, or part of the world, or blocked from sending email. If a block affects a range, the Abuse Prevention department will investigate the issue and will try to solve it. If it is an individual block, you can either directly contact the website that blocked your IP address, or send a request to the Abuse Prevention department.

Most blocks are due to spam; however, IP addresses are also blacklisted for malware, offshore hosting, and phishing.

One of the first checks is to find out on which blacklisting the blocked IP address is listed. Several tools available on the internet provide this service.

Two blacklist monitors that check against all major and smaller blacklists are the following websites:

  • www.mxtoolbox.com – If an IP address is listed, the listing will appear on top, in red. By clicking on it, the website for the blacklisting opens, and further instructions are provided there.
  • www.blacklistalert.org – If an IP address is listed, it will be shown in red. If applicable, a URL is provided that leads to the blacklist.

What blacklisting means to you

An IP address can be blocked for several reasons and on several occasions. A government can block an IP address or a range of IP addresses because a website contains content that is illegal in a particular country. A mail company, such as Hotmail or Outlook, can set up a new anti-spam policy. It could also be that a website decided to block an IP address to avoid a DDoS attack. This kind of blocking is known as blacklisting, and it is most common with respect to spam and malware.

Each blacklisting has its own process for listing IP addresses and/or ranges, and for filing a delisting request. Listings can be caused by a dirty range, generic RDNS, infected servers being abused by a spam bot, and also by simply hosting a TOR exit node.

Check for blacklisting

Once our Support department has established that your IP address(es) is blacklisted, your request is sent to the Abuse Prevention department.

They perform further investigation, if possible. One of the first checks is to find out on which blacklisting the blocked IP address is listed. This check is done using the MX-Tool Box: http://www.mxtoolbox.com/blacklists.aspx. This tool checks your IP address against all major and several smaller blacklistings.

If an IP address is listed, the listing will appear on top, in red. By clicking on it, the website for the blacklisting opens, and further instructions are provided there.
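Lists that are published as DNS-based block lists (DNSBL) can also be queried directly over DNS, which is what lookup sites do in bulk. The following Python sketch is an added example, not LeaseWeb or MX-Tool Box code; it follows the RFC 5782 query format (reversed IPv4 octets plus the list's zone). The zone dnsbl.example and the fake resolver data are constructed placeholders; real zone names come from each list operator's documentation, and the 127.255.255.0/24 "query refused" range is a Spamhaus convention.

```python
import ipaddress
import socket

DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")      # RFC 5782: listings answer inside 127/8
QUERY_ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus convention: query refused

def dnsbl_query_name(ip, zone):
    """192.0.2.25 checked against dnsbl.example becomes 25.2.0.192.dnsbl.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name; an empty list means the name does not exist (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []  # note: this simple version also treats resolver failures as no answer

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Classify one IP against one zone as listed, not_listed or query_error."""
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_query_name(ip, zone))]
    # Ignore answers outside 127/8: a resolver that rewrites NXDOMAIN is not a listing.
    codes = [a for a in answers if a in DNSBL_ANSWERS]
    if not codes:
        status = "not_listed"
    elif all(a in QUERY_ERRORS for a in codes):
        status = "query_error"  # the list refused the query; says nothing about the IP
    else:
        status = "listed"
    return {"ip": ip, "zone": zone, "status": status, "codes": [str(a) for a in codes]}

# Constructed resolver data for an offline run; 127.0.0.2 is the RFC 5782 test entry.
FAKE_RECORDS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "10.113.0.203.dnsbl.example": ["127.255.255.254"],
    "11.113.0.203.dnsbl.example": ["198.51.100.7"],
}

def fake_resolver(name):
    return FAKE_RECORDS.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(check_dnsbl(ip, "dnsbl.example", fake_resolver))
```

A query_error result usually means the query went through a shared public resolver that the list does not serve, so it must not be read as "clean".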

IP address blocks

If a report is provided and you do not act upon it, your IP address can be blocked from accessing a website, a country, or part of the world. If a block affects a range, LeaseWeb will investigate the issue and will try to solve it. If it is an individual block, you can either directly contact the website that blocked your IP address, or send a request to LeaseWeb.

Most blocks are due to spam; however, IP addresses are also blacklisted for malware, cybercrime, and phishing (for example, by Spamhaus).

Delisting

If your IP address is blacklisted, to delist it, please review the following: 

  • Is the abuse issue resolved? 
    Requesting a delisting without solving the problem can generate a new block.

  • Ensure that your hosting is secured properly to avoid a new compromise of your systems. 

  • If the listing is caused by one of your customers, monitor them closely so that a recurrence of the issue does not lead to a new listing.

  • If you are 100% sure you have resolved the actual issue that caused the blacklisting, you can either request a delisting yourself, or through the Abuse Prevention department. 

Warning

Never attempt to delist an IP address (or range) when you have not followed up on the cause of the blacklisting. Make sure the reason for the blacklisting is removed at the source, or the malicious activity has ceased.

Every time a delisting is requested without the cause having been removed, delisting becomes more difficult.

Need help?

If you want assistance from the Abuse Prevention department with an investigation, delisting of an IP address, and so forth, please send an email to abusedesk@global.leaseweb.com. 

Blacklistings LeaseWeb monitors

LeaseWeb actively monitors all Spamhaus Block List (SBL) listings. If your IP address appears on this blacklisting, you will receive a one-hour notification to solve the abuse issue. To see whether your IP address is listed at Spamhaus, please visit: www.spamhaus.org.

Blacklistings where LeaseWeb can assist you

LeaseWeb does not monitor the following blacklistings, however, we provide assistance if needed:

▪ TrendMicro
▪ SpamCannibal
▪ Barracuda
▪ Hotmail/LIVE/MSN
▪ SORBS
▪ DroneBL
▪ WpBL
▪ INPS_DE
▪ CBL

If your IP address is listed on a different blacklisting, we will do our best to assist you (without a guarantee of the outcome).

TrendMicro

TrendMicro’s blacklist is used by their email reputation service to protect their customers from spam.

For delisting: Visit https://ers.trendmicro.com/reputations and follow the instructions.

SpamCannibal

SpamCannibal blocks spam at the origination server and can be configured to block DoS attacks.
"SpamCannibal uses a continually updated database containing the IP addresses of spam or DoS servers and blocks their ability to connect using a TCP/IP tarpit, SpamCannibal's TCP/IP tarpit stops spam by telling the spam server to send very small packets. SpamCannibal then causes the spam server to retry sending over and over - ideally bringing the spam server to a virtual halt for a long time or perhaps indefinitely. SpamCannibal blocks spam at the source by preventing the spam server from delivering the messages from its currently running MTA process. This effectively eliminates the network traffic to your site because the spam never leaves the origination server. This same strategy works equally well when SpamCannibal's tarpit daemon is configured to defend against DoS attacks." - source, SpamCannibal.

SpamCannibal lists IP addresses based on their RDNS. If the RDNS conflicts with the customer's mail setup, the IP address will be listed. If the customer adjusts their RDNS, a delisting can be requested. SpamCannibal also lists IP addresses based on LeaseWeb's generic RDNS (hosted.by.leaseweb.com).

For delisting: Use the SpamCannibal lookup page to find out why an IP address is listed: http://www.spamcannibal.org/cannibal.cgi

Barracuda

"Barracuda Central maintains a history of IP addresses for both known spammers as well as senders with good email practices. This information contributes to the Barracuda Reputation System, which gives the Barracuda Spam & Virus Firewall the ability to block or allow a message based on the sender's IP address. In addition to IP reputation, the Barracuda Central team maintains reputation on URLs, which gives the Barracuda Spam & Virus Firewall the ability to quickly block an email based on a poorly-rated URL contained in the message. By combining both the IP and reputation data, Barracuda Networks can easily determine whether a message is spam or legitimate email. Once identified, Barracuda Central can implement countermeasures to mitigate these threats." - source, Barracuda Networks.

For delisting: An IP address can be looked up through: http://www.barracudacentral.org/lookups 
If the IP address shows positive as being listed, you can request a delisting. The IP address will be removed from the blacklisting immediately and re-evaluated within 30 days.

Hotmail

Microsoft Hotmail has changed their anti-spam policy, and as a result, a number of our IP ranges got blacklisted. However, before requesting a blacklist removal, it is worth verifying that the IP address is indeed on the MSN blacklist.

The following steps should be taken:

  1. MSN Blacklist verification.
  2. Preliminary blacklist removal checks.
  3. Submit MSN blacklist removal request.

MSN Blacklist verification:

If the IP address is blacklisted by MSN or Hotmail, the server’s log and email bounce messages should look something like this:

“host mx4.hotmail.com[xx.xx.xx.xx] said: 550 SC-001 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit MSN Postmaster for email delivery information and support (in reply to MAIL FROM command)”

If the message received is the same as or similar to the above, then the IP is likely blocked by MSN or Hotmail. Typically, all MSN blacklist notifications include a 500-series SMTP error, as can be seen at the following link: http://mail.live.com/mail/troubleshooting.aspx.

400-series SMTP error codes deal with email volume, rather than suspected spam. If high volumes are being sent, the IP holder may need to sign up for their bulk sender’s program.

Errors outside the 500 SMTP series may indicate other delivery issues that are not related to blacklisting.

Preliminary blacklist removal checks

Before requesting removal from MSN’s blacklist, it is advisable to first ensure that the issue causing the listing is resolved.

The following checks should be performed:

  • Check the daily volume of email going to Hotmail, MSN, or Live.com.
  • Look for compromised user accounts.
  • Look for people forwarding email to Hotmail, MSN, or Live.com. Someone may be forwarding email to Hotmail-related addresses and then marking it as spam.

After performing these checks, a removal request may be submitted.
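The bounce verification and the daily-volume check described above can be run over the mail server's own log. The following Python sketch is an added example, not LeaseWeb or Microsoft code: it assumes Postfix-style syslog lines, the sample lines are constructed (documentation IP addresses, shortened or made-up reply texts other than the SC-001 wording quoted above), and the category names are hypothetical.

```python
import re
from collections import Counter

MS_DOMAINS = {"hotmail.com", "msn.com", "live.com"}  # recipient domains named above

# Assumption: Postfix-style log lines; adjust the pattern for other mail servers.
LINE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) .*?to=<[^@>]+@(?P<domain>[^>]+)>.*?status=(?P<status>\w+)"
    r"(?: \(.*?said: (?P<code>[45]\d\d)[ -](?P<text>[^)]*))?"
)

def classify(code, text):
    """Map an SMTP reply to the three cases distinguished in the text above."""
    if code.startswith("5") and re.search(r"policy reasons|reputation", text, re.I):
        return "reputation_block"      # 500-series policy rejection: IP likely blacklisted
    if code.startswith("4"):
        return "volume_deferral"       # 400-series: email volume, not suspected spam
    return "other_delivery_issue"      # e.g. unknown mailbox; not related to blacklisting

def triage(lines):
    """Return the per-day message count to Microsoft domains and the classified rejections."""
    volume, findings = Counter(), []
    for line in lines:
        m = LINE.search(line)
        if not m or m["domain"].lower() not in MS_DOMAINS:
            continue
        volume[m["day"]] += 1
        if m["code"]:
            findings.append((m["day"], m["code"], classify(m["code"], m["text"])))
    return {"volume": dict(volume), "findings": findings}

# Constructed sample log lines.
SAMPLE = [
    "Jan 12 10:01:02 mx postfix/smtp[411]: A1: to=<a@hotmail.com>, relay=mx4.hotmail.com[203.0.113.5]:25, dsn=5.0.0, status=bounced (host mx4.hotmail.com[203.0.113.5] said: 550 SC-001 Mail rejected by Windows Live Hotmail for policy reasons. (in reply to MAIL FROM command))",
    "Jan 12 10:01:09 mx postfix/smtp[411]: A2: to=<b@live.com>, relay=mx1.hotmail.com[203.0.113.6]:25, dsn=4.0.0, status=deferred (host mx1.hotmail.com[203.0.113.6] said: 421 Too many messages, try again later (in reply to MAIL FROM command))",
    "Jan 12 10:02:30 mx postfix/smtp[412]: A3: to=<c@msn.com>, relay=mx2.hotmail.com[203.0.113.7]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jan 12 10:03:00 mx postfix/smtp[412]: A4: to=<d@example.org>, relay=mail.example.org[198.51.100.9]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jan 13 08:15:44 mx postfix/smtp[420]: A5: to=<e@hotmail.com>, relay=mx4.hotmail.com[203.0.113.5]:25, dsn=5.0.0, status=bounced (host mx4.hotmail.com[203.0.113.5] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A sudden rise in the daily count for one sending account, together with reputation_block findings, points at the compromised-account check in the list above.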

Submit MSN blacklist removal request

To request a blacklist removal, the user should fill in and submit the form in MSN’s automatic removal system, available at the following URL:

https://support.live.com/eform.aspx?productKey=edfsmsbl3&ct=eformts&wa=wsignin1.0&scrx=1

A follow up email from MSN is received within 1-2 working days, and indicates whether the IP has been successfully removed or denied (i.e., no action is taken).

SORBS

"The SORBS (Spam and Open Relay Blocking System) provides free access to its DNS-based Block List (DNSBL) to effectively block email from more than 12 million host servers known to disseminate spam, phishing attacks and other forms of malicious email.  The list typically includes email servers suspected of sending or relaying spam, servers that have been hacked and hijacked, and those with Trojan infestations. In an attempt to provide preemptive protection, SORBS also lists servers with dynamically allocated IP addresses." - source, SORBS.

For delisting: Create an account through http://www.sorbs.net/. Once created, go to http://www.sorbs.net/contact/supportreq.shtml. That page explains how to get the IP address removed.

DroneBL

"This is a synopsis of recent activity in DroneBL. DroneBL is a realtime monitor of abusable IPs, which has the goal of stopping abuse of infected machines." - source, DroneBL.

For delisting: Go to http://www.dronebl.org and create an account there. After you have created an account, you can request a delisting.
Go to http://dronebl.org/lookup and verify whether the IP address is blacklisted, and request a delisting.

WpBL

"WPBL is a private block list consisting of IP addresses which connected to members' systems and delivered unsolicited bulk mail (spam). The list is designed to be useful and effective when used by WPBL members, but may not be suitable for other uses. This is NOT a public spam blocking service. WPBL should not be used to block mail or deny SMTP connections. It is most effective in a scoring-based system like SpamTestBuddy or SpamAssassin rather than black-and-white filtering." - source, WpBL.

For delisting: Use the look up system http://www.wpbl.info/cgi-bin/detail.cgi and request a delisting of the IP address.

INPS_DE

The INPS_DE blacklist contains IP addresses from which we received mails, that were classified as spam. It's very important to know, that a listing here doesn't mean that you are a spammer, but it means that they (or one of our reporting clients) received at least one spam message from the listed IP address.

For delisting: Go to the removal page http://dnsbl.inps.de/index.cgi?lang=en&site=00005, add the IP address, and click on the “request removal” button. The IP address will be delisted immediately.

CBL

"The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.

The CBL also lists certain portions of botnet infrastructure, such as Spam BOT/virus infector download web sites, botnet infected machines, machines participating in DDOS, and other web sites or name servers primarily dedicated to the use of botnets. Considerable care is taken to avoid listing IP addresses that are shared or are likely to be shared with legitimate use, except in the case of infector download websites, phish emission or DDOS.

The CBL botnet detections may not necessarily directly involve the observation of spam emission, but most botnets are at least occasionally involved in email spam, in addition to infostealing, DDOS attacks etc.

In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected with a spam-sending virus or worm, acting as a open proxy for the sending of spam, OR, IPs primarily used in the operation of botnets." - source, CBL.

For delisting: Go to http://cbl.abuseat.org/lookup.cgi and enter your IP address. CBL will provide the information why the IP address was listed, and when the most recent activity took place.

 

