Lee Theuri (Kenya) asked:

Blacklisted IP Address or domain

We have a Zimbra mail server supporting 200 users. Recently we got blacklisted, and it's taken ages to get us back to receiving emails as usual; we can only receive emails from users on the same domain. My query is: what other ways can we monitor and prevent getting blacklisted in the future? Using the MX tool we have confirmed we have been blacklisted by SORBSSPAM & UCEPROTECTL.
Delisting seems to be a regular thing judging from the past. What other suggestions are available to prevent this from happening again?
Mumbai Tech

Since your server IP is sending spam, your IP is getting blacklisted.

Is your server an open relay?

Go to MX Toolbox and check for open relay. If your server is an open relay it will be blacklisted again and again; to prevent this, you can block open relay.
Sanga Collins
Also check for compromised accounts. Spammers take over user accounts and use your server to relay their junk.
I own a block of IP addresses and just change the IP address if I get blacklisted until I can get off the list.
MX Toolbox does a pretty good job of showing you how to get delisted.

https://blog.mxtoolbox.com/2016/08/15/how-do-i-get-delisted/
AFAIK, blacklisting at UCEPROTECT means you actually send spam.

- Check that your users cannot directly access port 25 on random servers from the same IP your mail server uses. If that is the case, block that traffic, or at least use a different IP and monitor closely.
- Check your server logs. If you do send spam, it should represent a significant amount of the traffic. Usually seeing all or part of the sender/recipient/subject should let you identify a spam flow in a matter of seconds, maybe minutes. Check for outgoing email with senders outside your domain (means a bot is sending junk from your network), incoming email for senders outside your domain (means you are an open relay), and weird subjects.
In addition to making sure you're not running an open relay, are you making use of SPF? If not, then you might want to go that route.
- Misconfiguring SPF records for your domain will get your IP blacklisted.
- Not configuring them at all will not.
- Configuring them properly won't help you avoid being blacklisted in any way.

- Applying SPF filters to your incoming traffic has no impact whatsoever on remote blacklists, unless you actually are an open relay, in which case you have bigger problems that SPF won't solve anyway.
For your question about how to monitor, I think MX Toolbox has utilities that can check your IP address. If you are looking for something a bit more DIY, the Nagios monitoring system can do it; we use that at my job to check our customer mail servers every 5 minutes for blacklists.

As others have said, the best thing to do post-blacklist is to change your public IP via some rule changes on your firewall.

To stop it from happening again, make sure of the following:

- The email server is not an open relay.
- Ports 25 and 587 are blocked leaving your network to the internet for all end users.
- An outbound spam filter (if you want suggestions, message me) that audits mail sent by your email server for spam.
- If you have a marketing department sending email, make sure the messages they send comply with anti-spam laws.
I'd second the idea of the outgoing spam filter. Note that in that regard, a very simple non-blocking filter (possibly analyzing email subject and per-user volume only) should be enough to be warned when a bot is using your server. But if you have an existing heavyweight spam filter on your inbound, there is little to no reason not to apply it to your outbound traffic. Configurations ought to be different, but all decent solutions handle that.
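The log checks suggested above (outgoing mail with senders outside your domain, unauthenticated submissions from foreign senders, and per-user volume) as an added example in Python, not code from the thread or from Zimbra. It assumes Zimbra's Postfix MTA log format with SASL authentication logged on the smtpd line; the sample log lines, the local domain and the volume threshold are constructed for the example.

```python
import re
from collections import defaultdict

LOCAL_DOMAIN = "example.com"     # assumption: the domain your own users send as
RCPT_PER_USER_THRESHOLD = 30     # assumption: tune to your users' normal volume
# Constructed sample of Postfix (Zimbra MTA) log lines, not from the thread: per message,
# one smtpd line (connecting client, authenticated user) and one qmgr line (sender, nrcpt).
SAMPLE_LOG = """\
Jan 10 09:00:01 mta postfix/smtpd[2101]: A1B2C3: client=laptop.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 09:00:01 mta postfix/qmgr[2001]: A1B2C3: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan 10 09:00:05 mta postfix/smtpd[2102]: D4E5F6: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 10 09:00:05 mta postfix/qmgr[2001]: D4E5F6: from=<promo@pills.invalid>, size=900, nrcpt=40 (queue active)
Jan 10 09:00:09 mta postfix/smtpd[2103]: 778899: client=unknown[198.51.100.20]
Jan 10 09:00:09 mta postfix/qmgr[2001]: 778899: from=<someone@other.invalid>, size=700, nrcpt=25 (queue active)
"""
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S+\[(?P<ip>[\d.]+)\]"
                      r"(?:.*sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*nrcpt=(?P<nrcpt>\d+)")

def parse_messages(log_text):
    """Join each queue id's smtpd line (client, SASL user) with its qmgr line (sender, recipient count)."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            msgs[m["qid"]].update(ip=m["ip"], user=m["user"])
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs[m["qid"]].update(sender=m["sender"], nrcpt=int(m["nrcpt"]))
    return msgs

def find_anomalies(log_text, local_domain=LOCAL_DOMAIN, threshold=RCPT_PER_USER_THRESHOLD):
    """Return (foreign_sender_qids, unauth_external_qids, busy_users) for the three checks in the thread."""
    msgs = parse_messages(log_text)
    foreign, unauth, per_user = [], [], defaultdict(int)
    for qid, m in msgs.items():
        sender_domain = m.get("sender", "").rpartition("@")[2]
        external_sender = bool(sender_domain) and sender_domain != local_domain
        if m.get("user"):
            per_user[m["user"]] += m.get("nrcpt", 0)
            if external_sender:   # our account, someone else's sender: bot using stolen credentials
                foreign.append(qid)
        elif external_sender and m.get("ip"):   # no auth, foreign sender: relay candidate, check where it went
            unauth.append(qid)
    busy = {user: n for user, n in per_user.items() if n > threshold}
    return foreign, unauth, busy

if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOG))
```

Run it against `/var/log/maillog` (or wherever Zimbra's MTA logs on your box) from cron and alert on any non-empty result; the unauthenticated list is only a relay candidate until you confirm from the delivery lines that the recipients were not local.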