Thursday, September 9, 2010

What to do after being blacklisted

Earlier this week we had a laptop come into our office that was unknowingly spamming for almost a full day.

I was only alerted to it because I have an account set up with SpamCop which will send you an email alert if its traps catch spam from your IP address. After receiving that email I checked out our firewall's traffic monitor which was FULL of logs of an internal IP address accessing port 25 (SMTP) to a ton of places. A quick nslookup for that IP told me whose computer was the cause of all this so I ran over to their desk and quickly took their laptop off our network. I felt good (at the time) that I found this so quickly and quarantined it.

At this point there were no other signs that there were problems, until the next day when some users started to report getting undeliverable and delivery delayed notices.

(end background story)

What should you do if you get blacklisted?

  1. Be sure your network is completely clean and take any computers that might be infected offline.
  2. Find a way to block outgoing port 25 to all computers in your network except your mail server. This can be a little tricky and the process for doing it is different for all types of firewalls. I have a WatchGuard Firebox and I added a new deny policy for all IP addresses except the Exchange server to use port 25 (SMTP).
  3. Make sure your mail server is not an open relay. Open relays allow spammers to use your mail server to send mail. There are a number of tools to test for that; here is one: SpamHelp
  4. Check the blacklists and remove your server if they allow you to:
  • SpamCop - SpamCop allows you to manually remove your IP from their blacklist
  • Barracuda - Barracuda allows you to manually remove your IP from their blacklist (note: it can take a couple hours to propagate to all Barracuda devices around the internet)
  • Spamhaus - Spamhaus allows you to manually remove your IP from their blacklists
  • SenderBase (IronPort) - This is a Cisco product and it appears that a LOT of large companies use this (Target is one example). Unfortunately you cannot manually remove your IP from their blacklist as they don't really have a blacklist. SenderBase computes a "reputation" for your domain/IP address and based on the level of this reputation, companies can choose to have email blocked if it is under their defined acceptable level. With that said, it does seem that individual companies can (but not all will) add you to their "whitelist" temporarily while your reputation level improves. Your reputation level automatically improves as time goes by if the spamming has stopped. This is the most annoying of the ones listed here as it can take up to 3 days for your reputation to get back to neutral and there is no way to speed this up!
  • MXtoolbox - this site will check over 100 blacklists to see if your IP address is listed

There are probably more blacklists out there than what I've listed; the key is to look at any undeliverable message that you get bounced back and find the reason your mail has been rejected. For example, in the undeliverable message that was sent to a address, there was this information: "#550 Connections from your IP address are being rejected due to a low SenderBase Reputation Score. Contact your IT support team, and have them review for more information."

Usually this will have information that directs you to a website like the ones above where you can check on the status of your IP address and sometimes remove it from the blacklist. For those with little or no helpful information, the best thing you can do is try to get in contact with the company's mail administrator. You can try emailing or (from a gmail or other email account) detailing why you think you were blocked, that you have taken care of the problem, and requesting removal from their blacklist.

Going through all of this is quite a pain so, like most security things, being proactive will save you a lot of headache later. Things like having patched computers, up-to-date and effective virus protection, and blocking outgoing port 25 (SMTP) connections from your workstations will help prevent your company's IP address from ever being blacklisted.
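To spot a spamming workstation from the firewall log before a blacklist does, the check described in the background story can be scripted. The following is an added example, not part of the original post; the log layout, the internal range, the mail server address and the threshold are all constructed assumptions that you would adapt to your own firewall's export format.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the post): internal range,
# mail server address, threshold and log layout are all constructed.
INTERNAL_NET = ip_network("10.0.0.0/24")
MAIL_SERVER = ip_address("10.0.0.10")
MAX_DISTINCT_DESTS = 3

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2010-09-07 09:58:11 ALLOW src=10.0.0.10 dst=198.51.100.5 dport=25
2010-09-07 09:58:12 ALLOW src=10.0.0.10 dst=198.51.100.6 dport=25
2010-09-07 09:58:13 ALLOW src=10.0.0.10 dst=198.51.100.7 dport=25
2010-09-07 09:58:14 ALLOW src=10.0.0.10 dst=198.51.100.8 dport=25
2010-09-07 10:01:02 ALLOW src=10.0.0.57 dst=203.0.113.9 dport=25
2010-09-07 10:01:02 ALLOW src=10.0.0.57 dst=203.0.113.40 dport=25
2010-09-07 10:01:03 DENY src=10.0.0.57 dst=198.51.100.77 dport=25
2010-09-07 10:01:03 ALLOW src=10.0.0.57 dst=192.0.2.14 dport=25
2010-09-07 10:01:04 ALLOW src=10.0.0.57 dst=192.0.2.200 dport=443
2010-09-07 10:02:30 ALLOW src=10.0.0.23 dst=192.0.2.25 dport=25
truncated line without fields
"""

def find_smtp_talkers(log_text, threshold=MAX_DISTINCT_DESTS):
    """Map each internal host (mail server excluded) that tried port 25
    to more than `threshold` distinct destinations onto those destinations."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "25":
            continue  # unparseable line or not SMTP
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if src == MAIL_SERVER or src not in INTERNAL_NET:
            continue  # the mail server is the only host allowed to send
        dests[str(src)].add(m["dst"])  # ALLOW and DENY both count as attempts
    return {s: sorted(d) for s, d in dests.items() if len(d) > threshold}

if __name__ == "__main__":
    for host, targets in find_smtp_talkers(SAMPLE_LOG).items():
        print(f"{host} attempted SMTP to {len(targets)} distinct hosts")
```

Once the outgoing port 25 block is in place, setting the threshold to 0 turns every denied attempt from a workstation into a lead worth checking.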

When your IP gets blacklisted it sucks being the mail administrator because users are so reliant on email these days and they don't understand how sometimes you just have to wait for things to work themselves out. My hope with this post is that it will help people out when they have to deal with this incredibly frustrating situation.
