Incident Response: Email Blacklists Overview


Subject: Incident Response: Email Blacklists Overview

Type of Security Control: Administrative | Preventative | Detective | Corrective | Compensatory

Purpose:

The purpose of this procedure is to define the actions to be taken when an IP address or range is in a blacklist. 

Impact:  Medium 

Applies to: External

Description: DO NOT submit a blacklist delisting request simply because an IP address appears on a blacklist.  It is imperative that you find the source of the listing (the host or messages that caused it) before submitting a delisting request; otherwise the IP/network will be listed again, and likely for a longer period, as it counts as another infraction.  Additionally, DataBank is not responsible for clearing IP addresses off of blacklists.  It is the customer's responsibility to do so, as they are familiar with the type of messages being sent.  This is not a comprehensive listing of blacklists, and delisting instructions vary depending on the blacklist.  The bounce-back message received typically contains more information on how to get off the blacklist.

Applicable Compliance Statements:

  • NIST SP800-53R4 SI-8

Prerequisites:

  • Access to email logs

    Service Level Agreements: N/A

    Process:

      Common Blacklist Checking Websites

      http://www.robtex.com/rbl/
      http://mxtoolbox.com/blacklists.aspx
      http://www.dnsbl.com/
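      The websites above front-end the same DNS-based lookup that a mail server performs. The following is an added example, not part of the DataBank procedure, showing the mechanism behind those sites: the IP's octets are reversed, the blacklist zone is appended, and an A record in 127.0.0.0/8 means the IP is listed. The resolver is injected so the check can be exercised offline with constructed answers; the `demo_resolver` table, the 192.0.2.x addresses and the function names are assumptions of this example.

```python
"""DNSBL lookup for an IPv4 address, with an injectable resolver.

Added example; not part of the DataBank procedure. Reverse the IP's octets,
append the blacklist zone, and read the A record. An answer in 127.0.0.0/8
means the IP is listed; the specific 127.0.0.x value says which list, and its
meaning is defined by each blacklist operator.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Return codes for zen.spamhaus.org as published by Spamhaus. Check the current
# Spamhaus documentation before relying on this table in production.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the blacklist zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's stub resolver; NXDOMAIN (not listed) -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_dnsbl(ip: str, zone: str, resolve: Resolver = system_resolver,
                code_names: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Return the listing status of `ip` in `zone`.

    Answers outside 127.0.0.0/8 (Spamhaus uses 127.255.255.x) signal a query
    problem such as a blocked or open resolver, not a listing, so they are
    reported separately instead of being counted as "listed".
    """
    if code_names is None:
        code_names = ZEN_CODES if zone == "zen.spamhaus.org" else {}
    query = dnsbl_query_name(ip, zone)
    answers = resolve(query)
    listings = [a for a in answers if a.startswith("127.0.0.")]
    errors = [a for a in answers if not a.startswith("127.0.0.")]
    return {
        "query": query,
        "listed": bool(listings),
        "codes": listings,
        "lists": sorted({code_names.get(a, f"unknown code {a}") for a in listings}),
        "errors": errors,
    }


def demo_resolver(name: str) -> List[str]:
    """Constructed answers so the example runs offline (192.0.2.0/24 is documentation space)."""
    table = {
        "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],                # pretend SBL listing
        "20.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # pretend XBL + PBL
        "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # pretend query error
    }
    return table.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        result = check_dnsbl(ip, "zen.spamhaus.org", demo_resolver)
        print(ip, "listed" if result["listed"] else "clean", result["lists"], result["errors"])
```

      To check a real address, call `check_dnsbl(ip, zone)` with the default `system_resolver`; a clean IP returns NXDOMAIN, which shows up as an empty answer list. Treat a 127.255.255.x answer as "the lookup did not work", not as "the IP is clean".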

      Common Bounces When Blacklisted

      AOL

      <user at aol.com>: connect to mailin-04.mx.aol.com[205.188.159.217]:
      server refused mail service

      White Listing

      The following criteria must be met before resubmitting your request:

      * The RDNS for each IP shares the FBL email domain in common.
      Valid Example:
      FBL email address is aolfbl@accounting.aol.com
      192.168.1.1 resolves to mailserver1.accounting.aol.com
      192.168.1.2 resolves to mailserver2.accounting.aol.com

      * The DOMAIN WHOIS for each IP's RDNS shares the FBL email domain in common.
      The domain may appear in any of the listed email addresses.

      * At least one authoritative nameserver for each IP shares the FBL
      email domain in common.
      Valid Example:
      FBL email address is aolfbl@accounting.aol.com
      192.168.1.1 authoritative nameserver is ns1.accounting.aol.com
      192.168.1.2 authoritative nameserver is ns1.accounting.aol.com

      * The IP WHOIS information for each IP shares the FBL email domain
      in common.  The domain may appear in any of the listed email addresses.
      Valid Example:
      FBL email address is aolfbl@abuse.aol.com
      192.168.1.1 and 192.168.1.2 IP WHOIS:

      OrgName:    Your Company Name
      ...
      NetRange:   192.168.1.0 - 192.168.1.255
      CIDR:       192.168.1.0/24
      NetName:    COMPANY-1

      OrgAbuseHandle: xxxx
      OrgAbuseName:   abuse
      OrgAbusePhone:  xxxx
      OrgAbuseEmail:  abuse@abuse.aol.com
      ...

      * The ASN WHOIS information for each IP shares the FBL email domain
      in common.  The domain may appear in any of the listed email addresses.
      Valid Example:
      FBL email address is aolfbl@abuse.aol.com
      192.168.1.1 and 192.168.1.2 ASN WHOIS:

      OrgName:    Your Company Name
      ...
      NetRange:   192.168.1.0 - 192.168.1.255
      CIDR:       192.168.1.0/24
      NetName:    COMPANY-1

      OrgAbuseHandle: xxxx
      OrgAbuseName:   abuse
      OrgAbusePhone:  xxxx
      OrgAbuseEmail:  abuse@abuse.aol.com
      ...

      For more information on this request, please visit our website at
      http://postmaster-us.info.aol.com or call the AOL Postmaster Helpdesk at
      1-888-212-5537 or 1-703-265-4670.

      Thank You,
      AOL Postmaster
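      Before resubmitting an AOL whitelist request, the five criteria above have to hold for every sending IP. The following is an added example, not part of the DataBank procedure and not anything AOL published: it models the criteria as data you gather per IP (RDNS, authoritative nameservers, and the e-mail addresses found in the domain, IP and ASN WHOIS records) and reports which criteria each IP fails. "Shares the FBL email domain in common" is read here as "is that domain or a host/address under it", which matches the valid examples quoted above; the `IPEvidence` fields, the example.com/example.net names and the 192.0.2.x addresses are constructed for this example.

```python
"""Check the AOL whitelist-request criteria for a set of sending IPs.

Added example; not part of the DataBank procedure or of anything AOL
published. Each criterion from the quoted AOL text is checked against
evidence you collect per IP, and the failed criteria are reported so the
request is not resubmitted prematurely.
"""
from dataclasses import dataclass
from typing import Dict, List


def email_domain(address: str) -> str:
    """Domain part of an e-mail address, normalised for comparison."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def shares_domain(name: str, domain: str) -> bool:
    """True when a hostname or e-mail address is `domain` or lies under it.

    This is one reading of AOL's "shares the FBL email domain in common";
    it matches the valid examples (mailserver1.accounting.aol.com under
    accounting.aol.com, abuse@abuse.aol.com under abuse.aol.com).
    """
    host = name.rsplit("@", 1)[-1].lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class IPEvidence:
    """Evidence gathered for one sending IP (constructed field names)."""
    ip: str
    rdns: str
    nameservers: List[str]          # authoritative nameservers for the IP's RDNS name
    domain_whois_emails: List[str]  # e-mail addresses in the RDNS domain's WHOIS
    ip_whois_emails: List[str]      # e-mail addresses in the IP WHOIS (e.g. OrgAbuseEmail)
    asn_whois_emails: List[str]     # e-mail addresses in the ASN WHOIS


def failed_criteria(fbl_email: str, ev: IPEvidence) -> List[str]:
    """Names of the AOL criteria this IP does not meet (empty list = all met)."""
    d = email_domain(fbl_email)
    failures = []
    if not shares_domain(ev.rdns, d):
        failures.append("RDNS")
    if not any(shares_domain(e, d) for e in ev.domain_whois_emails):
        failures.append("DOMAIN WHOIS")
    if not any(shares_domain(ns, d) for ns in ev.nameservers):
        failures.append("nameserver")
    if not any(shares_domain(e, d) for e in ev.ip_whois_emails):
        failures.append("IP WHOIS")
    if not any(shares_domain(e, d) for e in ev.asn_whois_emails):
        failures.append("ASN WHOIS")
    return failures


def whitelist_readiness(fbl_email: str, evidence: List[IPEvidence]) -> Dict[str, List[str]]:
    """Map each IP to its failed criteria; submit only when every list is empty."""
    return {ev.ip: failed_criteria(fbl_email, ev) for ev in evidence}


# Constructed sample: one IP that meets every criterion, one that is a generic
# ISP address with no relationship to the FBL domain.
FBL_EMAIL = "fbl@example.com"
SAMPLE_EVIDENCE = [
    IPEvidence("192.0.2.1", "mx1.example.com", ["ns1.example.com", "ns2.example.com"],
               ["hostmaster@example.com"], ["abuse@example.com"], ["noc@example.com"]),
    IPEvidence("192.0.2.2", "192-0-2-2.static.isp.example.net", ["ns1.isp.example.net"],
               ["hostmaster@isp.example.net"], ["abuse@isp.example.net"], ["noc@isp.example.net"]),
]

if __name__ == "__main__":
    for ip, failures in whitelist_readiness(FBL_EMAIL, SAMPLE_EVIDENCE).items():
        print(ip, "OK" if not failures else "fails: " + ", ".join(failures))
```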

      SpamHaus

      550 5.7.1 Rejected: xx.xx.xx.xx listed at http://www.spamhaus.org/query/bl?ip=xx.xx.x.xx
      (the link takes you to the reason why the IP is blacklisted)

      Comcast

      <username@comcast.net>: host gateway-a.comcast.net[206.18.177.26] said: 550 65.36.255.250 blocked by ldap:ou=rblmx,dc=comcast,dc=net -> BL003 Blocked for spam. Please see    http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy18627 (in reply to MAIL FROM command)
      or
      connect to mx1.comcast.net[76.96.62.116]: server refused mail service

      RoadRunner

      Failed Recipient: username@cityname.rr.com
      Reason: Remote host said: 550 ERROR: Mail Refused - 76.12.11.87 - See http://security.rr.com/cgi-bin/block-lookup?76.12.11.87

      Hotmail/Windows Live/MSN

      Reason: Remote host said: 550 SC-004 Mail rejected by Windows Live
      Hotmail for policy reasons. A block has been placed against your IP
      address because we have received complaints concerning mail coming
      from that IP address. If you are not an email/network admin please
      contact your E-mail/Internet Service Provider for help. Email/network
      admins, we recommend enrolling in our Junk E-Mail Reporting Program
      (JMRP), a free program intended to help senders remove unwanted
      recipients from their e-mail list: http://postmaster.live.com

      Yahoo

      Messages from 65.36.215.93 temporarily deferred due to user complaints - 4.16.56.2; see http://postmaster.yahoo.com/421-ts02.html

      ATT

      RSP: 550 Error - Blocked for abuse. See http://www.att.net/bls_rbl/ for information.

      BellSouth

      RSP: 550 Error - Blocked for abuse.  See http://www.att.net/bls_rbl/ for information.

      Earthlink

      <username@earthlink.net>: host mx1.earthlink.net[209.86.93.226] said: 550 550
      Dynamic/zombied/spam IPs blocked. Write blockedbyearthlink@abuse.earthlink.net (in reply to MAIL FROM command)
      Reporting-MTA: dns; <domain SMTP server>
      Arrival-Date: Tue, 10 Jun 2008 15:57:53 -0400 (EDT)

      Removal steps:
      http://calcompserv.blogharbor.com/blog/_archives/2007/3/15/2807860.html

      SBCGlobal

      host sbcmx2.prodigy.net[207.115.20.21] said: 550
      5.7.1 Access denied (in reply to MAIL FROM command)

      Verizon

      The following addresses had permanent fatal errors
      <someone@xxxxxxxxxxx>
      (reason: 550 You are not allowed to send mail:sv14pub.verizon.net)

      Transcript of session follows while talking to relay.verizon.net.:
      MAIL From:<nb-owner+M9=someone=verizon.net@xxxxxxxx> SIZE=4980
      550 You are not allowed to send mail:sv14pub.verizon.net
      554 5.0.0 Service unavailable

      NetZero/Juno

      Could not deliver message to the following recipient(s):
      Failed Recipient: user@netzero.net
      Reason: Remote host said: 550 Access denied...5089258d3c8d68689185e1393d8181993185589dc8d86889c1f1b5d15c5c7c28f51
      15c5cd85ca9a9d838a909ecc1b5b598c8c948b5b54db5914d4d...:

      Excite

      <user@excite.com>: host xmxatip.excite.com[207.159.120.164] said: 554
      5.7.1 Service unavailable; Client host [208.112.85.89] blocked using
      dynablock.excite.com; Your message could not be delivered due to complaints we received regarding the IP address you're using or your ISP. See http://blackholes.excite.com/ Error: WS-02 (in reply to RCPT TO command)
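      Because the procedure requires finding the source of a listing before requesting delisting, the first triage step is to identify which provider each bounce came from and which IP and lookup URL it names. The following is an added example, not part of the DataBank procedure: a small classifier whose signatures are derived from the sample bounces quoted above and which runs over constructed `SAMPLE_BOUNCES` copied from those samples. The provider labels, regexes and function names are this example's own choices.

```python
"""Identify which provider produced a blacklist bounce and what it says.

Added example; not part of the DataBank procedure. Signatures come from the
bounce samples in the procedure. Anything that matches no signature is
reported as "unknown" so it gets a human look before any delisting request.
"""
import re
from typing import Dict, List, Tuple

# (provider label, pattern seen in that provider's bounces), checked in order.
SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    ("Spamhaus", re.compile(r"spamhaus\.org/query/bl", re.I)),
    ("Comcast", re.compile(r"comcast\.net", re.I)),
    ("RoadRunner", re.compile(r"security\.rr\.com", re.I)),
    ("Hotmail/Windows Live/MSN", re.compile(r"Windows Live|\bSC-\d{3}\b", re.I)),
    ("Yahoo", re.compile(r"postmaster\.yahoo\.com", re.I)),
    ("AT&T/BellSouth", re.compile(r"att\.net/bls_rbl", re.I)),
    ("Earthlink", re.compile(r"earthlink\.net", re.I)),
    ("SBCGlobal", re.compile(r"prodigy\.net", re.I)),
    ("Verizon", re.compile(r"verizon\.net", re.I)),
    ("NetZero/Juno", re.compile(r"netzero\.net|juno\.com", re.I)),
    ("Excite", re.compile(r"excite\.com", re.I)),
    ("AOL", re.compile(r"\.mx\.aol\.com", re.I)),
]
# A 3-digit SMTP reply code that is not part of a dotted value (an IP address
# or an enhanced status code such as 5.7.1).
SMTP_CODE = re.compile(r"(?<![\d.])([245]\d\d)(?![\d.])")
URL = re.compile(r"https?://[^\s)>]+")
# Candidate IPv4 addresses. An enhanced status code shaped like 4.16.56.2 also
# matches, so confirm candidates against your own mail logs.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def classify_bounce(text: str) -> Dict[str, object]:
    """Extract provider, reply codes, permanence, IPs and URLs from one bounce."""
    provider = next((name for name, rx in SIGNATURES if rx.search(text)), "unknown")
    codes = SMTP_CODE.findall(text)
    # A 4xx code or explicit deferral wording is temporary; 5xx is a permanent reject.
    temporary = (bool(codes) and codes[0].startswith("4")) or "temporarily deferred" in text.lower()
    return {
        "provider": provider,
        "codes": codes,
        "permanent": not temporary,
        "ips": IPV4.findall(text),
        "urls": URL.findall(text),
    }


def triage(bounces: List[str]) -> Dict[str, int]:
    """Count bounces per provider so the biggest source of listings is chased first."""
    counts: Dict[str, int] = {}
    for b in bounces:
        provider = str(classify_bounce(b)["provider"])
        counts[provider] = counts.get(provider, 0) + 1
    return counts


# Constructed input: the procedure's own bounce samples plus one unmatched bounce
# on a documentation-range host.
SAMPLE_BOUNCES = [
    "550 5.7.1 Rejected: xx.xx.xx.xx listed at http://www.spamhaus.org/query/bl?ip=xx.xx.x.xx  "
    "(the link takes you to the reason why the IP is blacklisted)",
    "<username@comcast.net>: host gateway-a.comcast.net[206.18.177.26] said: 550 65.36.255.250 "
    "blocked by ldap:ou=rblmx,dc=comcast,dc=net -> BL003 Blocked for spam. Please see "
    "http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy18627 (in reply to MAIL FROM command)",
    "Messages from 65.36.215.93 temporarily deferred due to user complaints - 4.16.56.2; "
    "see http://postmaster.yahoo.com/421-ts02.html",
    "Reason: Remote host said: 550 SC-004 Mail rejected by Windows Live Hotmail for policy reasons. "
    "A block has been placed against your IP address because we have received complaints "
    "concerning mail coming from that IP address. http://postmaster.live.com",
    "<user@example.net>: host mx.example.net[192.0.2.5] said: 554 5.7.1 Service unavailable "
    "(in reply to RCPT TO command)",
]

if __name__ == "__main__":
    for bounce in SAMPLE_BOUNCES:
        r = classify_bounce(bounce)
        print(r["provider"], r["codes"], "permanent" if r["permanent"] else "temporary", r["ips"], r["urls"])
    print(triage(SAMPLE_BOUNCES))
```

      Run this over the bounces pulled from the email logs (the prerequisite for this procedure); the per-provider counts and the extracted URLs tell you which lookup page to read for the listing reason before anyone files a delisting request.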

      Getting Removed from Common Blacklists

      AOL

      To request removal, fill out this form:
      http://postmaster.info.aol.com/waters/hvu_request_form.html

      You need to copy/paste the headers of the original email in the Source Code text area.  Nothing about the bounce back message
      should be pasted into here at all.

      To see if you're on their blacklist, fill out this form:
      http://postmaster.info.aol.com/waters/other_issues_form.html
      Turnaround time is 24 hours, per the AOL support team.

      AOL's toll free line is 1-888-212-5537.  
      You can view all of their mail policies here: http://postmaster.aol.com/guidelines/index.html

      SpamHaus

      Go to http://www.spamhaus.org/lookup.lasso and search for the IP address.  If the IP is listed in the SBL, PBL, or XBL, you will be shown that.  There will be a link to removal as well which you can submit to them.  The usual turnaround time is 24-48 hours.

      SORBS

      Go to http://www.de.sorbs.net/lookup.shtml and look up the IP address.  If the IP is blacklisted, then read http://www.de.sorbs.net/overview.shtml where the netblock owner should submit the IP for removal.  You will need a good reason to be delisted and proof that the abuse has stopped.  Simply stating "please delist me" won't fly.

      Comcast

      Go to http://www.comcastsupport.com/Forms/NET/blockedprovider.asp and fill out their form.  Choose Email Administrator from the drop-down.  Request samples in the Issue Description field. They said they will 'eventually' have the ability to send samples.

      RoadRunner

      You can request delisting of your IP address at the following link: http://security.rr.com/RRUnblockRequest.htm
      If you have not received a response from that address (other than the auto-response), you can contact the head of their Customer Care department: Trudy Mork: (703) 345-2400

      Hotmail/Windows Live/MSN

      Contact Hotmail/Windows Live/MSN via their postmaster page: http://postmaster.live.com/  This is needed only in RARE cases.  Hotmail/Windows Live/MSN primarily piggyback off of http://ipremoval.sms.symantec.com (Symantec BrightMail) and http://www.spamhaus.org/sbl/index.lasso (SpamHaus), so check those two first.

      If not listed there, request a delisting via https://support.msn.com/eform.aspx?productKey=edfsmsbl&ct=eformts

      Yahoo

      http://help.yahoo.com/l/us/yahoo/mail/postmaster/defer.html

      ATT

      First try http://worldnet.att.net/general-info/bls_info/block_admin.html; if there is no response, you can write to abuse_rbl@att.net

      BellSouth

      http://worldnet.att.net/general-info/bls_info/block_admin.html
      or you can write to bellsouth_unblock@abuse-att.net

      Earthlink

      Send an e-mail to blockedbyearthlink@abuse.earthlink.net for further information and to get delisted.

      SBCGlobal

      Create a ticket to removeme@sbc.sbcglobal.net and be prepared to include bounce back messages, headers, etc.  You will then receive a response based on AT&T's decision.

      Verizon

      http://www2.verizon.net/micro/whitelist/request_form.asp?id=isp

      USFamily.net

      Contact NotSpam@USFamily.net to appeal.  Make sure to include the IP address and proof that you're not spamming.  You're not guaranteed off of their list until they can prove the abuse has stopped. 

      NetZero/Juno

      You can request delisting of your IP address at the following link: http://www.untd.com/postmaster/blocked.html
      You can also follow http://www.netzero.net/support/webmail/u-understand-mdf.html and email abuse@support.NetZero.com with the requested information.
      To get on their whitelist the customer needs to fill out these forms:
      http://www.unitedonline.net/postmaster/whitelisted.html

      Excite

      Go to http://newfb.excite.com/feedback.jsp?key=exbnc and fill out the form with your name and email address, select Domain Administrator, and request samples of what caused the IP to be blocked as well as removal while we investigate the incidents in the logs.

    Owner: Chief Information Security Officer
    Questions: Chief Information Security Officer
    Effective Date: 01/01/2016
    Last Reviewed Date: 09/10/2018
    Last Reviewed by: DataBank Security
    Next Review Date: 09/2018



    Details
    Category: E-Mail

    Last Modified:Monday, September 10, 2018 2:06 PM

    Type: INFO

    Level: Intermediate
