As in any profession, once you become an expert, it can be hard to understand how the general public doesn't understand certain things that you have taken to be basic facts about the job you do or the area you work in. For anti-spam people, blacklists are as plain to us as changing the oil is to a mechanic. But, through our interactions with many of you, it's become clear that the mechanics of a blacklist are still a mystery to the vast majority of the population. This blog post will hopefully help to shed some light on this important subject.
Getting listed on an IP blacklist
Step 1 - Add a spam trap address to your mailing list
Spammers by their nature use enormous lists of email addresses. Many of these email addresses are scraped from web sites - for instance, the email@example.com link on your web site is probably in dozens of spam databases. Addresses are also bought and sold in an underground marketplace - sometimes from unscrupulous email marketers looking to make a few extra dollars.
Anti-spam companies, and blacklist operators like Spamhaus, SORBS, and UCEPROTECT, maintain their own special, secret email addresses known as "spam traps". Anti-spammers purposefully advertise their spam trap addresses (for example, on web sites) so that spammers may incorporate them into their address books.
Step 2 - Send to a spam trap address
Once the spam trap address is incorporated into the spammer's mailing list, the next step is to send it some spam. In the diagram below, the spammer has compromised a user's PC with spam-sending malware. The spam trap address "firstname.lastname@example.org" is incorporated into the spammer's mailing list, and the spammer's spamming malware is attempting to deliver to that address.
Step 3 - Becoming listed
Before the spamming malware has delivered the body of the spam message (in geek speak, during the "RCPT" phase of the SMTP conversation), it must first tell the spam trap mail server the email address it wishes to deliver to. As soon as the spam trap server receives the trap address, the IP address of the compromised user's machine is listed in the black list.
In just three steps, the IP has been listed.
But I don't have any spam sending malware? Why is my IP listed on a Spamhaus?
In most ISP networks - and many cloud hosting networks such as Amazon Web Services - IP addresses are assigned somewhat "dynamically". This means that the same address may be used by different people's computers over the course of days or weeks. On some networks (particularly on mobile networks), the problem is even worse: multiple users end up sharing a single public IP address through a process called NAT. If you're currently sharing - or recently shared - an IP address with a user whose machine sent spam, then it's possible that IP address has been blacklisted.
What can I do if my IP address is blacklisted?
The answer to this question depends on what kind of user you are, and what kind of IP address you have. So, we'll break it down. The first step if your IP address is listed is to determine whether your machine, or a machine sharing your IP address which is under your control is sending out spam. If you're absolutely sure that nothing under your control is sending out spam, you can visit the blacklist removal pages provided by most IP blacklist operators, and request the removal of your address. Here are some links to the removal tools provided by a few of the more popular IP blacklists:
We can't stress enough how important it is to verify that you're not actually sending spam. In many, many cases where someone's IP address has been blacklisted, the cause is a machine within their own home or office network, which has been compromised and is sending spam. If you don't fix the spam sending problem, then any attempt to move to a new IP address or de-list your listing will quickly fail and may lead to more severe listings. For ISPs and hosting companies, outbound spam filtering is a great way to help customers determine if they are sending spam.
If you can't remove your IP from the blacklist, or if the blacklisting is definitely the result of someone else's bad behaviour, then your best option is to find a new IP address or address space (i.e. subnet). Depending on what kind of Internet user you are, new IP addresses are obtained in a variety of ways. Here are the most common:
- Residential ISP or Mobile User - Try recycling your IP address by "refreshing your DHCP lease"; if that fails, ask your provider for a new IP address.
- Commercial ISP User - If you're sure your network is clean, contact your ISP and ask for a new static IP address.
- Cloud Hosting User - Try sending your email out through a service like SendGrid.
- Dedicated Hosting Customer - Check other IP addresses near yours (i.e. in the same /24 subnet). If others are listed, you may have been dragged along. Ask to be moved to a new subnet if possible.