
Wednesday, November 11, 2009

What's a blacklist and why am I on one?

The internet: a bustling cloud of completely organized chaos. The internet has the potential to send information to the waiting eyes of countless recipients, all in a matter of seconds. Coordinate your schedule with others, catch up on the latest gossip, ask an opinion, hire someone, fire someone, break up with someone… perhaps find a suitor for your available female Ukrainian friends? Maybe sell some Viagra imported from Canada? Get to know an Ethiopian ambassador who wants to transfer umpteen-jillion dollars into your bank account right away.

As I mentioned in a previous article, around 70% of the estimated 210 billion emails sent in 2008 were spam. As you can see (and have probably witnessed first hand), spam has become something of a problem. So what’s a little junk mail, right?

If we were talking about the postcards and sales circulars you get at home, it would be one thing. The trouble with electronic junk mail is that it’s being used on a large scale to spread viruses and other malware.

Today’s spam filters communicate with companies whose job it is to maintain a constantly updated list of known and suspected spammer IP addresses. The filters download these lists and stop messages that come from those sources. Some of the most widely known of these companies include SORBS, Spamhaus, and CBL.

Unfortunately there are a number of reasons that you may end up one day finding yourself listed on one of these blacklists, and it may or may not be for a legitimate reason.

If you find yourself receiving non-delivery reports when you send emails to recipients who have historically always been able to receive email from you, you should check to see if you’re listed.
One way to do this is to go to mxtoolbox.com, type your domain name (usually the part of your email address following the @) in the search field and do an MX Lookup. The screen that pops up will show you which servers receive mail for your domain. There’ll be a link that says “Blacklist Check”.

The Blacklist Check link will bring up a list of over 100 blacklists, and will let you know if you’re listed on any of them. Clicking the links to the lists you find yourself on will usually bring you to a place where you can request de-listing.
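Under the hood, most of those lists are queried over DNS: the checker reverses the octets of your mail server’s IP address, appends the list’s zone name, and looks the result up; an answer in 127.0.0.0/8 means “listed”, and no answer means “clean”. The script below is an added example written for this post, not part of the original article or of any of the tools it mentions. The zone name dnsbl.example is a constructed placeholder (real lists publish their own zones), and the fake_resolve stand-in lets the logic run offline; pass the default resolver to query a real list.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed placeholder zone (RFC 2606 reserved name); real lists publish their own zone names.
EXAMPLE_ZONE = "dnsbl.example"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reverse the IPv4 octets and append the list's zone.
    A lookup for 192.0.2.10 against dnsbl.example becomes 10.2.0.192.dnsbl.example."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def is_listed(answer: Optional[str]) -> bool:
    """A listing is signalled by an A record inside 127.0.0.0/8; NXDOMAIN (no answer) means clean.
    The exact 127.0.0.x value encodes the reason and differs per list, so consult the list's docs."""
    return answer is not None and answer.startswith("127.")


def check_dnsbl(ip: str, zone: str,
                resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Query one list for one address. `resolve` is injectable so the logic can run offline."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer: Optional[str] = resolve(name)
    except socket.gaierror:  # gethostbyname raises this on NXDOMAIN
        answer = None
    return {"query": name, "answer": answer, "listed": is_listed(answer)}


# Constructed offline stand-in for a list's DNS zone: one "listed" address, everything else clean.
FAKE_LISTINGS = {"10.2.0.192." + EXAMPLE_ZONE: "127.0.0.2"}


def fake_resolve(name: str) -> str:
    """Mimic socket.gethostbyname against the constructed zone above."""
    try:
        return FAKE_LISTINGS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(check_dnsbl(ip, EXAMPLE_ZONE, resolve=fake_resolve))
```

Check the address your mail actually leaves from (the public address of your mail server or your NAT gateway), not an internal one, and remember that each list has its own zone and its own meaning for the 127.0.0.x answer codes.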

But why?
Before requesting de-listing, you really ought to find out why you’re listed. If you request a de-listing before fixing the problem, you’re likely to find yourself right back on the list again.

Malware
Spambot infections are a common reason to be listed on a blacklist. A spambot is malicious software that harvests the addresses in your address book and sends spam to those recipients, hoping to spread the infection by tricking them into clicking links or running programs.

This can generally be detected by reviewing your firewall logs to see if there are machines sending excess traffic on port 25, the default SMTP port. A user with this problem will usually also see unsolicited browser pop-ups, warnings that there are infections, or odd computer behavior. If your firewall does not keep verbose logs, start with machines having these kinds of problems.
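Here is what that firewall log review looks like in code. This is an added example written for this post, not code from the original article: it parses iptables-style LOG lines (other firewalls need their own pattern), counts outbound TCP/25 connections per internal source, and flags every host other than the designated mail server, ranking the busiest first. The mail server address, the threshold and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

MAIL_SERVER = "192.168.1.10"   # assumed: the one host that is supposed to speak SMTP to the internet
SPAMBOT_THRESHOLD = 50         # assumed: outbound port-25 connections in the log window that count as "excess"

# Matches the SRC/PROTO/DPT fields of an iptables-style LOG line; other firewalls need their own pattern.
LINE_RE = re.compile(r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)\b")


def count_smtp_sources(lines: Iterable[str]) -> Counter:
    """Count outbound TCP/25 connection attempts per internal source address."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "25":
            counts[m.group("src")] += 1
    return counts


def suspicious_hosts(counts: Counter, allowed=frozenset({MAIL_SERVER}),
                     threshold: int = SPAMBOT_THRESHOLD) -> List[Tuple[str, int, str]]:
    """Any host that is not the mail server yet talks SMTP outbound deserves a look;
    those at or above the threshold are the likely spambots. Returned busiest first."""
    findings = []
    for src, n in counts.most_common():
        if src in allowed:
            continue
        verdict = "likely spambot" if n >= threshold else "investigate"
        findings.append((src, n, verdict))
    return findings


# Constructed sample log: the mail server, one web client, a chatty infected host and a quieter one.
def _line(ts: str, src: str, dst: str, dpt: int) -> str:
    return f"Nov 11 09:{ts} fw kernel: IN=eth0 OUT=eth1 SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt}"


SAMPLE_LOG: List[str] = [
    _line("01:02", MAIL_SERVER, "203.0.113.7", 25),
    _line("01:05", "192.168.1.33", "198.51.100.4", 80),   # ordinary web traffic, ignored
    _line("01:09", MAIL_SERVER, "203.0.113.9", 25),
    _line("01:12", "192.168.1.42", "203.0.113.21", 25),
    _line("01:13", "192.168.1.42", "203.0.113.22", 25),
    _line("01:14", "192.168.1.42", "203.0.113.23", 25),
] + [_line(f"02:{i % 60:02d}", "192.168.1.57", f"203.0.113.{i % 250 + 1}", 25) for i in range(60)]


if __name__ == "__main__":
    for src, n, verdict in suspicious_hosts(count_smtp_sources(SAMPLE_LOG)):
        print(f"{src:<16} {n:>4} outbound TCP/25  {verdict}")
```

A workstation that opens dozens of port-25 connections to many different destinations in a couple of minutes is the classic spambot signature; a host with only a handful of hits may simply be a misconfigured mail client, which is why the script separates the two verdicts.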

Some malware will search through an address book and choose a recipient whose name it will then use for its emails. In other words, if John Smith’s computer gets infected, and he’s got my name in his address book, that infection could then start sending spam to all recipients in his address book that look like they came from me. This is known as spoofing an email address, and can result in my getting blacklisted.

Running Malwarebytes’ Anti-Malware or other such malware scanners will usually remove these infections.

If you host your own email server, a good way to stop this and prevent it from happening again is to lock down your firewall, so that only your email server is allowed to send emails to the internet. You can then configure email traffic monitoring, or a spam filter that filters outbound emails to check all messages as they go through.

You can also have a third party such as MXLogic or Postini filter outbound traffic, and lock down your firewall so that email traffic is allowed only from the email server and only to that vendor’s external IP addresses.

If you use a host for your email and connect via POP3, this method will not be viable for you. Be sure to consult your network administrator if you’re unsure how you send and receive email.

Note: A mis-configured firewall can cause traffic to be delayed or stopped altogether. If you’re not sure of exactly what you’re doing, you should always consult with a knowledgeable source before changing firewall settings.

IP Blocks
Companies that make their money from spam emails will sometimes buy several external IP addresses at the same time. These are called IP blocks, and are sold as a range, for example from xxx.xxx.xxx.100 to xxx.xxx.xxx.150. That company will then use these IP addresses to host email servers from which it sends spam.

The blacklist companies will notice an increased amount of spam from all or most of these IP addresses, and simply add the whole range to their blacklists. Unfortunately, over time as IP addresses change hands, this can cause a legitimate company that has the misfortune of being assigned xxx.xxx.xxx.121 to become blacklisted.

Even more unfortunately there’s really no way to avoid this other than sheer luck.

Other
If the reason you were blacklisted is something other than these two common reasons, you may need to contact your network administrator, your email host, your internet service provider, or all of the above.

Now that you’ve found out why and remedied the problem, you can go ahead and request a de-listing. Sometimes you are removed in a matter of minutes, but changes like this can sometimes take several days to propagate throughout the internet.

Prevention
As the old saying goes, an ounce of prevention is worth a pound of cure.

Our vendors realize that this is a problem. As I said earlier, port 25 has historically been the default port for email traffic, and thus a common path for malware and spam to take. Some companies such as Verizon are shutting down port 25 to all traffic from sources with dynamic IP addresses. If you’re not sure whether you have a dynamic IP address, consult your network administrator. While this isn’t exactly a blacklist, the results are similar.

Don’t be fooled by spam. Bill Gates is not going to share his money with you for passing a chain letter. You’re probably not really pre-approved for a mortgage from a company you’ve never heard of and never contacted. The shipping and handling on a mail order bride is probably too much anyway. Any email that seems too good to be true probably is.

Invest the time and make sure you’ve done everything you can to help prevent this from happening to you. Always ask a knowledgeable source if you’re at risk for email blacklisting. Get a spam filter, even if you don’t currently have a spam problem. Get a professional-grade firewall, and have it configured by an expert. Make sure you have up-to-date virus and malware protection, and exercise cautious computing. Don’t wait until this becomes a problem, resulting in delayed or denied communications or loss of revenue.