Getting your IP address blacklisted as an ISP is not fun at all. A simple breach leads to discomfort for a few hours, a more serious breach can keep you busy for weeks, and sometimes even months. The fact is that even a single compromised mailbox can lead to a ton of work. Lost time, reputation, and business are all part of the equation. As there is no magic formula for delisting, this article is designed to provide some guidance and document some of the systems out there to help with delisting.
At the point of breach
The most important thing to do is to stop the MTA, the outgoing mail server, e.g. Postfix or Exim. You can faff around and try to clean the queues, but computers are fast and if your queue is already busy you are losing valuable time by trying to sort the problem out whilst it is ongoing. So SSH in now, and stop Postfix, or Exim, or whatever.
service postfix stop
Next, of course, you have to clean the queues. This article is not about the queues so much, as each email server has a slightly different queue cleaning mechanism, but rather about getting your IP address to operate again without being blocked.
Warning – not only your IP may be polluted
In the old days threats were generally confined to a single IP. One could go and focus on delisting that specific IP address. These days, no more. Some of the more aggressive lists will blacklist an entire /24 block, some might blacklist larger network blocks, and some might even blacklist your entire domain from sending. Digital Ocean have fallen out of favour due to poor [email protected] monitoring, so large parts of their network are blocked by default. When tackling the problem, be cognisant of whether you’re troubleshooting a single IP address, a network, or the domain name. To buy time, solve the problems you can first.
One service which lists an entire /24, even if just a single IP spammed, is invaluement SIP/24. Once you are in this list, you are pretty screwed. They do have a way of delisting, and we’ll provide more on that later.
With regard to your entire domain being blacklisted, here is a clue:
“Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain“
Carefully read the message above – yep – you are screwed. Your entire domain has been blacklisted. Google gets a special mention here. You see, the way Google as a company was designed was to never interact with end users of the “consumer” kind. The idea was to build automatic systems and make as much money as possible in the process without the hassle of communicating with people. So Google’s systems do not have a way of unblocking, or even of seeing if you’re blacklisted. You’ll pretty much learn the hard way, by a return message, that Google is blocking you.
But do not fear – it’s possible to delist, provided, of course, the problem has been resolved. The reason why it’s not always easy or clear how to delist is that the majority of these services are run by robots – the amount of SPAM is too large for a normal human-driven system to cope with. So instead they have created semi or fully automated ways to see if you can be delisted. Some of the smaller niche ones are actually manned by staff and so are the professional ones (like Mimecast), but generally a lot of SPAM delisting services are automated.
Small Fact about SPAM
How to report SPAM
Did you know there is only one well known service on the internet where you can report SPAM? Spamcop. Let us know in the comments if you know of another place.
Paying to get delisted
You might find services that want to charge you a fee to get delisted. This is a big no-no in Internet etiquette. We generally recommend that you DO NOT PAY.
How to Check on Which RBLs You’ve Landed
There are two well known services that provide consolidated lists of blacklistings, and then some minor ones. The ones most commonly used are:
MX Toolbox has a sexy interface. When checking whether you’re blocked they will prompt you to register, but you don’t have to. Just close the prompt and follow the direct link to the listing site.
MultiRBL Valli Org
MultiRBL is awesome and very comprehensive. It’s pretty fast too.
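Under the hood, a blocklist check is one DNS query per list: the IP's octets reversed, followed by the list's zone, with an answer in 127.0.0.0/8 meaning "listed". The sketch below is an added example, not code from MX Toolbox or MultiRBL; it goes slightly beyond the text by also showing why a quiet neighbour in the same /24 can come back listed. The zone names and the fake resolver are constructed placeholders so it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A record for name via the system resolver, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listings(ip, zones, resolve=system_resolver):
    """Map each zone to its 127.0.0.x return code, or None when the IP is not listed."""
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # A listing is an answer inside 127.0.0.0/8; anything else is ignored.
        listed = answer is not None and ipaddress.IPv4Address(answer) in LOOPBACK
        results[zone] = answer if listed else None
    return results

# Constructed stand-in for DNS so the example runs offline: one list that
# names single IPs and one that lists the whole /24 around an offender.
ZONES = ["ip-list.example", "net24-list.example"]

def fake_resolver(name):
    if name == "10.2.0.192.ip-list.example":
        return "127.0.0.2"
    if name.endswith(".2.0.192.net24-list.example"):
        return "127.0.0.2"
    return None

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):  # the sender and a quiet neighbour
        print(ip, check_listings(ip, ZONES, fake_resolver))
```

For live use, drop the `fake_resolver` argument and pass the zones of the lists you care about.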
So without further ado, here is our list of favourite and most hated RBLs and how to get off them.
List of Common RBLs and more
Now let’s delve into a list of some of the most common RBLs:
Fmb.la is a composite blocklist made from multiple sources. They have a great interface that forces Google logins but allows delisting by way of a TXT record. It’s a pretty cool user-friendly delisting service.
FortiGuard is sneaky so you’re going to have to watch your Postfix queue for delayed messages. They will appear in this format:
host mail.domain.com[a.b.c.d] refused to talk to me: 554 5.7.1 This message has been blocked because it is from a FortiGuard AntiSpam Service blocked IP address.(connection blocked ip e.f.g.h)
Luckily FortiGuard has an appeal form easily googleable and accessible, so use it here:
Google has a tool called postmaster.google.com which they recommend network administrators consult when they are blacklisted. In our experience this tool doesn’t work most of the time and gives too little information to be of use. Emphasis there is real useable data that you can react on for domains that have spammed. It’s an overly simplified tool and in our opinion a waste of time. Perhaps with time they will improve it, but as of July 2020 it’s just crap.
Generally if you land up in Google’s block list, which is undocumented, you are completely screwed. At times Google will report which IP is polluted, but other times not. Get ready for begging and pleading at no one’s door. You will never receive a reply back from Google. With time they do unlist blocks but this could take up to a month.
Our searches for a concrete place to submit delisting requests have gone nowhere. The most common URL that you will find, e.g. https://support.google.com/mail/contact/msgdelivery DOES NOT WORK. Additionally, bless his soul, jp88, who is copying / pasting the standard replies for us sods to use, has the misfortune of trying to help people. Generally you’ll notice that when people complain to jp88 and get a bit antsy he eventually tells them to buzz off as there is no fix. After a lot of extra work and googling, ignoring incorrect information provided by Google, and a number of 301 redirects, we found a delisting form here:
We don’t know if it works, because, err, google doesn’t cater for humans.
And the confirmation, bless, says:
Thank you for submitting your request. Please allow at least 2 weeks between submissions for the changes, if any, to propagate. To measure and monitor your email deliverability to Gmail users, please use Postmaster Tools.
At this point it’s important to make a list of clients that you will lose in the next two weeks due to Google’s inability to cater to network administrators. Since there isn’t that much you can do anyway, we generally recommend moving away from Google blacklisting disasters and rather focusing on the places where you are able to delist. Once you’ve caught your breath, try delisting from Google again and give us some tips on how in the comments.
What to do if Google has marked your entire domain as spammy.
May you only pray that you don’t end up in the situation below. As you can see, here Google has marked an entire domain as a spammer. This is incredibly hard to troubleshoot, but after careful elimination of headers and the whole route, and DMARC and SPF that were perfect, we were approached by a client with this problem.
In this case there really is only one resolution – contact Google. And this is where the fun begins. Google doesn’t really have a telephone number…
Microsoft have pretty much sorted out SPAM reporting. Not only can you see if you’re listed, but they also provide an escalation channel for ISPs to submit delisting requests. Google should really take a page from Microsoft’s book.
The way to go about it is to first simulate the problem, since just like Mimecast they would want a copy of the error. Here are the caveats:
- You need the actual error message
- You need to fill in the form listed below
- You need to send from an email address that is not also blocked! To be safe, use an @gmail address
- On the first response, Microsoft always declines the request. I suppose this is because they get spammed. Read the text carefully and reply to that email
- The entire process takes around 48 to 72 hours including the first response which needs to be followed up.
The actual documentation that explains what to do is here but you’re only interested in submitting a support request, given that you know the problem is resolved and there is a false positive on their system. So the actual form is mentioned in that article, but can also be found here:
Generally the form works but on some occasions you might end up with this error below in which case try another browser:
The above form can be used to delist from:
hotmail.com, live.com, msn.com, outlook.com. Strangely hotmail.de is missing.
Once you delve deeper into the Microsoft toolset, you will encounter this website which allows you to list IPs that you want to watch:
Smart Network Data Service
This tool is very intelligently designed for system administrators and allows you to list all the IP addresses you’re watching. Here is a screenshot of the tool with the View IP Status menu selected and a list of some actual blocked IPs:
Mimecast is one of the most user-friendly and professional SPAM checking and blacklisting services available. Their help desk is manned by real humans who proactively respond to tickets. If you get a rejection notice from Mimecast, go here to request an unblock: https://www.mimecast.com/senderfeedback/
Soon you’ll receive a ticket number and if the information you’ve submitted makes sense to them they’ll give you a sensible reply. One caveat is they might request the rejection notice and original email in .EML format. .EML files are basically text files containing the header and the body of the email. You can use “View Original” in Google or “Save As” in Thunderbird to generate an .EML file. If you don’t have access to the original message that was sent (e.g. it was sent by your client), then simulate the problem by sending a new message to the Mimecast user via the bouncing server. Something we’ve never quite understood about excellent services such as Mimecast is why both MX Toolbox and MultiRBL cannot directly query the block lists.
Project Honeypot is a real gem. Once you get listed, you can delist yourself, but only from the IP address which was listed. So if you’re running a bunch of Linux boxes, you need to create a SOCKS proxy and pretend you’re that IP in a browser (they have CAPTCHA). Here is the command to create a SOCKS proxy using SSH:
ssh -p22 -D 9090 -N -f [email protected]
Replace 22 with your hidden SSH port, and use 9090 as the SOCKS v5 proxy port.
Proofpoint has one of the most polite IP delisting request forms and they have a pretty cool website too. To ask them to delist your IP address, go here:
From there a ticket is logged and they might request additional information from you. From my experience they don’t send ticket replies but silently resolve the problem within about a day (but that could depend on severity).
If you have accidentally landed on Sane Security you are pretty screwed for a few days. As you will notice on their website, they do accept False Positives, but alas, no confirmation email or ticket reply is ever sent. So you’re operating in the dark for a few days until their system decides you are not a virus anymore. They also blacklist any server in your domain, so let’s say for example your domain and company address is @mysuperhost123.com. So say you are [email protected]. If you have a server at AWS called serverXYZ.mysuperhost123.com, all of your email from that server will be blacklisted.
All we can say when you’ve been blacklisted by Sane Security is to beg them to remove you, and hope they are actually reading their emails. In one instance contacting them via Twitter did the job.
Probability of getting delisted: Unknown, variable, and you’re pretty screwed at least for a few days
Pains with this service:
- No ticketing system
- Some dubious incomplete sections of their website, e.g.:
- Links to mailing lists that do not work
- Outdated information
This is one of the most reliable SPAM reporting systems. The unfortunate thing is that services such as SendGrid regularly end up on this list, rendering SendGrid pretty useless. What’s cool about Spamcop though is that it’s the only 3rd party service that we know of where SPAM can be reported. Click here to find out how.
As with many of the lesser-known SPAM delisting services, you should hope not to end up on Spam Grouper’s list. Sending an email for delisting ends up with this beauty:
To the untrained eye, basically Spamgrouper’s email server is offline.
Suomispam has quite comprehensive information on their website about delisting, but specifically on this page they have a link to contact them:
As per many of the other smaller services they tend to rant about how you shouldn’t be wasting their time.
Trend Micro has something called Email Reputation Services which is globally embedded into their software and appliances. The link is here: https://www.ers.trendmicro.com/reputations
When you see this incredibly poorly designed bounce it means you have been blacklisted:
Host in.hes.trendmicro.eu[22.214.171.124] said: 450 4.7.1 <[email protected]>: Recipient address rejected: ERS-QIL. (in reply to RCPT TO command)
One would think recipient address rejected right? Nope, actually it’s your source IP address that is blacklisted and you have to delist it at the link prescribed above.
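The three rejection texts quoted in this article (Google's domain reputation message, the FortiGuard greeting refusal and Trend Micro's ERS-QIL) can be picked out of the mail log automatically, which tells you whether you are chasing an IP listing or a domain listing. This is an added example, not part of the original article; the log lines are constructed around the quoted messages, with placeholder hosts, recipients and addresses.

```python
import re
from collections import Counter

# (provider, what is blocked, pattern) from the rejection texts quoted in this article.
SIGNATURES = [
    ("Google", "domain", re.compile(r"low reputation of the sending domain", re.I)),
    ("FortiGuard", "ip", re.compile(r"FortiGuard AntiSpam Service blocked IP", re.I)),
    ("Trend Micro ERS", "ip", re.compile(r"\bERS-QIL\b")),
]
# SMTP reply code plus enhanced status code, e.g. "554 5.7.1" or "550-5.7.1".
REPLY = re.compile(r"\b([45]\d\d)[ -]\d\.\d{1,3}\.\d{1,3}\s*")

def classify(line):
    """Return (provider, scope, smtp_code) for a rejection, or None if the line has none."""
    m = REPLY.search(line)
    if not m:
        return None
    # Multi-line replies repeat "550-5.7.1" mid-sentence; strip the codes before matching.
    text = " ".join(REPLY.sub(" ", line).split())
    for provider, scope, pattern in SIGNATURES:
        if pattern.search(text):
            return provider, scope, m.group(1)
    return "unclassified", "unknown", m.group(1)

def summarise(lines):
    """Count rejections per (provider, scope) so IP and domain blocks are worked separately."""
    return Counter(c[:2] for c in map(classify, lines) if c)

# Constructed Postfix-style log lines wrapping the messages quoted in the article.
SAMPLE_LOG = [
    "postfix/smtp[2101]: 4F1A2C0D: to=<a@example.net>, status=deferred (host mail.domain.com[a.b.c.d] refused to talk to me: 554 5.7.1 This message has been blocked because it is from a FortiGuard AntiSpam Service blocked IP address.(connection blocked ip e.f.g.h))",
    "postfix/smtp[2102]: 7B22D91E: to=<b@example.org>, status=deferred (host in.hes.trendmicro.eu[192.0.2.25] said: 450 4.7.1 <b@example.org>: Recipient address rejected: ERS-QIL. (in reply to RCPT TO command))",
    "postfix/smtp[2103]: 9C03E77A: to=<c@example.com>, status=bounced (host mx.recipient.example[192.0.2.30] said: Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain)",
    "postfix/smtp[2104]: A1D4F002: to=<d@example.net>, status=sent (250 2.0.0 OK)",
    "postfix/smtp[2105]: B7E5A113: to=<e@example.org>, status=bounced (host mx.other.example[192.0.2.40] said: 550 5.7.1 Service unavailable; client host blocked (in reply to RCPT TO command))",
]

if __name__ == "__main__":
    for key, count in summarise(SAMPLE_LOG).items():
        print(key, count)
```

Anything that lands in the "unclassified" bucket is a rejection text worth reading by hand and, if it recurs, adding to `SIGNATURES`.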
This one is pretty bad. For at least a day or two you are stuffed. It’s not that commonly used, but ISPs such as M-Web in South Africa use it. Their system is managed by SYNAQ and although SYNAQ’s support is excellent, they are unable to assist when you are on this list.
There is no automatic way of delisting.
Somehow the Swiss got it right to create a common blacklist and provide a payment option. The payment option can be used to do an “express delisting” or to “belong to a whitelist”. Our recommendation: DO NOT PAY.
The unfortunate thing with UCEProtect is that it takes a week to get delisted. We have found though that most mail servers do not take UCEProtect very seriously; my best guess is that this is because they break the payment rule.
Here is their whitelisting service soliciting money:
90 CHF to USD is about $95. Ouch.
Probability of getting delisted: Good
Pains with this service:
- It takes a week to get delisted if you go the free route WHICH WE RECOMMEND
- You have to pay for “express delisting”, but if you read the fine print you’ll notice you’re just going to throw money away.
Leave us a reply in the comments section and share your adventures in delisting!
Updates to this document
- 14 July 2021 – added a table of contents, move Updates to this document to bottom
- 9 July 2021 – created an Updates to this document section
- Added Wikipedia link: https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists