aando

asked on

How to get around a blacklist so we can continue business with email.

We had someone bring an infected laptop into the network. It sent out emails and we got put on a blacklist. 3 picked us up. We got off two and the third is saying it could take 3-4 days to drop off. They won't just take it off for us. So how do we get around this? We can't send out emails. We can't bill anyone. We can't continue business operations. This has crippled our network. They have blocked the IP address and put it on a blacklist but not necessarily the domain.
John

You cannot do anything yourself about the third blacklist; they will have to remove you themselves.

In the meantime, set up a temporary email address
Jackie Man
Are you hosting your own email server on premises?

If yes, ask your ISP for broadband internet and request a change (you need to pay extra, of course), and ask them to assign you another real IP address for your network.
aando

ASKER

Yes, we host our own. We have a block of IPs. Can I just assign a different one? Then what do I have to change on the internet side?
ASKER CERTIFIED SOLUTION
David Favor

Here it went south:
We had someone bring an infected laptop into the network.
If you do that, be sure the system is in quarantine: i.e. it cannot reach ANY other system on your network, not even a router...

If this is the only thing:
It sent out emails and we got put on a blacklist.
Then you are lucky; it might have spread other malware to other systems as well.

If possible, change IP address; then you can send again (only needed for sending, receiving mail can still be done on the original address, possibly set up through another mailer with forwarding).
Make sure there is no backlog of mail originating from the laptop on any mail servers (you will run out of IP addresses very quickly if this is not done).
Then be sure that the new mail address is set up in SPF, and that mail has the right DKIM credentials.
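One way to check, before cutting sending over to a different address from the block, that the replacement address actually passes the domain's SPF record. This is an added Python example, not code from this thread; the records and addresses are constructed (RFC 5737 documentation ranges), and mechanisms that need DNS (include, a, mx, ptr, exists) are reported as unresolved rather than looked up.

```python
import ipaddress

# Constructed sample records: the "before" record authorizes only the old
# (now blacklisted) relay; the "after" record adds the replacement address.
OLD_SENDER = "198.51.100.25"
NEW_SENDER = "198.51.100.26"
SPF_BEFORE = "v=spf1 ip4:198.51.100.25 -all"
SPF_AFTER = "v=spf1 ip4:198.51.100.25 ip4:198.51.100.26 -all"


def spf_result(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record against a sending IP using only the
    network-free mechanisms ip4/ip6/all.  Mechanisms that need DNS
    (include, a, mx, ptr, exists) return 'unresolved' so the caller knows
    the verdict is incomplete rather than silently wrong."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp=, not mechanisms
            continue
        q = "+"  # an unqualified mechanism is implicitly "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]  # strip "a/24"-style CIDR suffixes
        if name == "all":
            return qualifiers[q]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network (and vice versa)
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[q]
        elif name in ("include", "a", "mx", "ptr", "exists"):
            return "unresolved"
    return "neutral"  # no mechanism matched and no trailing "all"


def unauthorized_senders(record: str, candidate_ips) -> list:
    """Return the candidate IPs the record does not explicitly pass, e.g. to
    check every address in your block before switching outbound mail to it."""
    return [ip for ip in candidate_ips if spf_result(record, ip) != "pass"]
```

Run the new address through the updated record first; an address that comes back "fail" or "softfail" will be rejected or junked by receivers even though it is not on any blacklist.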
You asked, "Yes, we host our own. We have a block of IP's. Can I just assign a different one? Then what do I have to change on the internet side?"

Maybe. Depends on many factors. You must still go through the list above, because blacklists look at IPs associated with a host/domain, now even the actual landing pages of offers.

Based on your questions, if your primary revenue revolves around email marketing, hire an email consultant to accelerate you out of this bind.

You'll know you have a competent person, when their rate for fixing the problem makes you weep.
The points noci brings up are crucial.

Big points about correct SPF + DKIM setup.

Also, no one should ever be allowed to bring some random device into your network.

That's like having Typhoid Mary serving in the cafeteria.

This type of policy, of allowing random devices inside your network, will guarantee this happens again.
A simple way to "get around a blacklist so we can continue business with email" would be to...

Switch over to using a Mail Relay system like MailGun till problem is cleaned up.
You can use a third-party SMTP service like sendgrid.com to pass all of your mail through. It will cost $80 per month but get your mail out. Also, if you ever run into this issue again, it will be easier to get out. You can work with them and obtain a new IP and be ready to go quickly.
If you have a block of IP addresses, you can use another one for the 3 days. Maybe set up a VPN and use that outgoing port?
I would recommend getting a third party hosted mail filtering solution. Configuring it to scan outbound emails would be worth considering.

While you care primarily about being able to send emails (understood that it is business critical), I would highly suggest that you review and update your network and security policies. For example, restrict which systems send out traffic on port 25. Ensure guest systems can only touch a guest network and not other systems. Network access control with posturing would be an even bigger step. Some companies even maintain a separate ISP connection for the guests' internet access (not saying your company can afford this, but it might be worth a look; at the very least, you would want that traffic to NAT to a different public IP than your corporate traffic).

Essentially, kill off a lot of the things that would potentially get you put on a blacklist in the first place.
Masnrock, those email blasters don't use port 25, they have really evolved; also, if they were on a guest network that used the shared external IP address, they would still get blacklisted.
I agree with the above about a third-party mail system, predominantly for spam control (outstanding) and also for portability (mail.com).
Dan, I happened to use that as a somewhat related example. The overall point is that there is far more to be done than simply get off a blacklist.
As masnrock said, "far more to be done than simply get off a blacklist".

This is a nice way of saying that fixing this type of problem can take a very long time, and in the very worst cases, after everything's fixed and locked down on the client side, sometimes phone calls to humans managing blacklists are required... at which time you'll have to speak a level of Geek-ese which proves you are savant enough to have actually fixed the problem.

These calls also involve a good deal of groveling...
I have found policy abuse departments from ISPs to be understanding, especially since it wasn't his fault: a user brought in a PC that was infected. I guess you can lock everyone out from WiFi, or get another IP for a guest network, but if this is only once, I would just deal with it and move on. I've gone through this from time to time, but it's never a business-ending deal.
It's only once until it occurs again. And this literally caused a shutdown in business operations. In fixing something like this, might as well do it right rather than simply treat the symptom.

I have found policy abuse departments from ISPs to be understanding
The OP was talking about blacklist databases (i.e. Spamhaus), not ISPs. And lots of companies, including in the security space, make use of these databases.

I also think it would be reasonable to expect that the head of the company will ask what happened and how it could be prevented from happening again. Simply getting off the blacklist is a quick fix, but by no means a cure. And I bet the fixes I am suggesting pale in comparison to the revenue that the company might lose.
If, on the OUTGOING firewall (all of them), you block outgoing mail ports (25, 465) except from your own mail server(s), then at least they need to go through your mail server,
and the risk of becoming immediately blacklisted is down a little.
(Assuming also that outgoing mail goes through a mail filter for spam, and possibly (hopefully) the mail server only accepts authenticated requests, that should prevent rogue mailers from using your mail server.)

Using a VPN as a workaround hardly seems wise; one of the previous users of that address might have done a spam run.
To expand on what David said above, you asked:

We have a block of IP's. Can I just assign a different one?

Probably not. Your domain name, or names, have probably been blacklisted along with the IP address or CIDR block.

We had someone bring an infected laptop into the network.

Fire them immediately. This will send a definite message to everyone in the company that network security is more important than any one person's job, that it is a serious violation of company policy, that we are not going to tolerate it, and that this issue had better not happen again. If you just wink at it and say "naughty, naughty", you're showing your employees that (a) network security isn't really very important and (b) no matter how bad, IT will fix it and make it all better.

If your management isn't willing to enforce that, send out a company-wide email with the offender's name in it stating "Due to (insert name here)'s bad judgment in bringing an infected laptop onto the company network, nobody is getting any email out. We think we may be able to get this solved in about a week, but we have no control over the blacklist that this got us onto, and we are now at their mercy. Thanks, (insert name here)."
aando

ASKER

A lot of helpful advice. I was able to get off of two by request but the third had to fall off. Been locking everything down to just SMTP on Exchange. Thanks all.
You're welcome!

Good luck!