Why Was My IP Address Blacklisted On Spamhaus?
When an IP is noticeably sending spam, they are listed on blacklists, otherwise known as DNSBLs. These blacklists protect email users from opening potentially harmful spam sent from IP addresses displaying suspicious activity.
For more insight into blacklists and how they work, read our blog post, "How Can Your Mail Server Avoid IP Blacklists".
Without the proper protection—such as MailChannels SMTP Relay—web hosts’ networks are often compromised and used to send hundreds upon thousands of spam email. As a result, the offending IP addresses are blacklisted.
Here, we examine why and how blacklisting occurs, how web hosts can delist these IP addresses and how to avoid blacklisting in the future.
Getting listed on an IP blacklist
Step 1: There's a spam trap address on your mailing list
Spammers by their nature use enormous lists of email addresses; many of which are scraped from web sites. For instance, the firstname.lastname@example.org link on your web site is probably in dozens of spam databases. Addresses are also bought and sold in an underground marketplace—sometimes from unscrupulous email marketers looking to make a few extra dollars.
Anti-spam companies, and blacklist operators like Spamhaus, SORBS, and UCEPROTECT, maintain their own special, secret email addresses known as "spam traps". Anti-spammers purposefully advertise their spam trap addresses (for example, on web sites) so that spammers may incorporate them into their address books.
Step 2: Send to a spam trap address
Once the spam trap address is incorporated into the spammer's mailing list, the next step is to send it some spam. In the diagram below, the spammer has compromised a user's PC with spam-sending malware. The spam trap address "email@example.com" is incorporated into the spammer's mailing list, and the spammer's spamming malware is attempting to deliver to that address.
Step 3: Becoming listed
Before the spamming malware has delivered the body of the spam message (in geek speak, during the "RCPT" phase of the SMTP conversation), it must first tell the spam trap mail server the email address it wishes to deliver to. As soon as the spam trap server receives the trap address, the IP address of the compromised user's machine is listed in the blacklist.
In just three steps, the IP has been listed.
I don't have any spam sending malware. Why is my IP listed on a Spamhaus?
In most ISP networks—and many cloud hosting networks such as Amazon Web Services—IP addresses are assigned somewhat "dynamically". This means that the same address may be used by different people's computers over the course of days or weeks.
On some networks (particularly on mobile networks), the problem is even worse: multiple users end up sharing a single public IP address through a process called NAT. If you're currently sharing—or recently shared—an IP address with a user whose machine sent spam, then it's possible that IP address has been blacklisted.
What can I do if my IP address is blacklisted?
The answer to this question depends on what kind of user you are, and what kind of IP address you have. So, we'll break it down. The first step if your IP address is listed is to determine whether your machine, or a machine sharing your IP address which is under your control is sending out spam.
If you're absolutely sure that nothing under your control is sending out spam, you can visit the blacklist removal pages provided by most IP blacklist operators, and request the removal of your address. Here are some links to the removal tools provided by a few of the more popular IP blacklists:
**We can't stress enough how important it is to verify that you're not actually sending spam**
In many, many cases where someone's IP address has been blacklisted, the cause is a machine or phone within their own home or office network, which has been compromised and is sending spam. If you don't fix the spam sending problem, then any attempt to move to a new IP address or de-list your listing will quickly fail and may lead to more severe listings.
For ISPs and hosting companies, outbound spam filtering is a great way to help customers determine if they are sending spam.
If you can't remove your IP from the blacklist, or if the blacklisting is definitely the result of someone else's bad behaviour, then your best option is to find a new IP address or address space (i.e. subnet). Depending on what kind of internet user you are, new IP addresses are obtained in a variety of ways.
Here are the most common:
- Residential ISP or Mobile User
Try recycling your IP address by "refreshing your DHCP lease"; if that fails, ask your provider for a new IP address.
- Commercial ISP User
If you're sure your network is clean, contact your ISP and ask for a new static IP address.
- Cloud Hosting User
Try sending your email out through a service like SendGrid.
- Dedicated Hosting Customer
Check other IP addresses near yours (i.e. in the same /24 subnet). If others are listed, you may have been dragged along. Ask to be moved to a new subnet if possible.
MailChannels Outbound specializes in protecting hosting providers from blacklisting and improving IP reputations.
This post was updated on August 15th, 2018.