Oops! I'm blacklisted. How to remove the IP address from the blacklist.

Author: Vittore Zen

A post-mortem analysis of how the behavior of some users and some forgetfulness on the part of the network administrator dragged us into the black hole of the blacklist, and how the FlashStart® services helped us get the IP address removed from the blacklist and live happily ever after.

A day of ordinary madness

10:00 | the first phone call

The IT staff is called by the administrative office: they complain that when they scan a document on the multifunction printers, the scans (scan to email) do not arrive in their mailboxes.

10:05 | the second phone call

The IT staff is called by the marketing department: they complain that for a few days some customers have pointed out that important emails sent to them were classified as spam and placed in the corresponding folder.

10:15 | the SMTP server logs

The IT staff checks that the scans are sent correctly to the internal SMTP server. They then check that the emails are forwarded correctly by analyzing the files /var/log/mail.log, /var/log/mail.info and /var/log/maillog:

postfix/smtp[18902]: 0668921EE6E6: to=info@example.com, relay=mxint01.1and1.com[213.21.0.10]:25, delay=1.1, delays=0.12/0.02/0.87/0.13, dsn= 5.0.0, status=bounced (host mxint01.1and1.com[213.21.0.10] said: 550 host is listed in reject.bl.kundenserver.de (in reply to RCPT TO command))
status=bounced (host gmail-smtp-in.l.google.com said: 550-5.7.1 [203.0.113.2] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. p198si10148872itp.132 – gsmtp (in reply to end of DATA command))
status=bounced (host gmail-smtp-in.l.google.com[203.0.113.2] said: 550-5.7.1 [54.94.176.245 19] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1 https://support.google.com/mail/answer/188131 for more information. n10si2294606qte.338 – gsmtp (in reply to end of DATA command)
mx.l.google.com[74.125.204.27] said: 550-5.7.1 [203.0.113.2 2] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for more information. b18si150966pgn.296 – gsmtp (in reply to end of DATA command))


In the logs of our internal SMTP server, on which the multifunction printers rely to send the scans, there are several lines with SMTP 421 errors and others with SMTP 550 errors.

Recall that 421 errors indicate temporary blocks: the mail server will retry sending the emails.

Example of an SMTP 421 error:

421 4.7.0 [167.89.55.59 15] Our system has detected that this message is suspicious
due to the nature of the content and/or the links within. To best protect our users from spam,
the message has been blocked. Please visit https://support.google.com/mail/answer/188131
for more information. u22si16671234pfl.244 – gsmtp

SMTP 550 errors indicate permanent failures. You will then need to take some action before, for example, Gmail removes the mail server's IP address from its blacklist.

Example of an SMTP 550 error:

SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [173.194.71.26]:
550-5.7.1 [194.XXX.XXX.181] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. k8si8849879lbl.62


These errors begin to point us towards the problem: the Gmail servers are not accepting our traffic because we are on a blacklist.
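As an added example (not part of the original post), the triage above can be automated: the parser below reads Postfix bounce lines in the format quoted from mail.log, separates 4xx deferrals (Postfix will retry) from 5xx bounces (it will not), and collects the sending IP that the remote server names in its reply. The sample lines are constructed for the example and use documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the Postfix format quoted above (not the page's own mail.log).
SAMPLE_LOG = """\
postfix/smtp[18902]: 0668921EE6E6: to=<info@example.com>, relay=mxint01.example.net[198.51.100.10]:25, delay=1.1, delays=0.12/0.02/0.87/0.13, dsn=5.0.0, status=bounced (host mxint01.example.net[198.51.100.10] said: 550 host is listed in reject.bl.example.org (in reply to RCPT TO command))
postfix/smtp[18903]: 1A2B3C4D5E6F: to=<user@example.com>, relay=mx.example.com[198.51.100.27]:25, delay=2.3, delays=0.10/0.01/1.90/0.30, dsn=4.7.0, status=deferred (host mx.example.com[198.51.100.27] said: 421-4.7.0 [203.0.113.2 15] Our system has detected that this message is suspicious (in reply to end of DATA command))
postfix/smtp[18904]: 7F8E9D0C1B2A: to=<other@example.com>, relay=mx.example.com[198.51.100.27]:25, delay=1.8, delays=0.11/0.02/1.40/0.25, dsn=5.7.1, status=bounced (host mx.example.com[198.51.100.27] said: 550-5.7.1 [203.0.113.2] Our system has detected an unusual rate of unsolicited mail originating from your IP address (in reply to end of DATA command))
"""

LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*?relay=(?P<relay>[^\[,\s]+).*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+).*?status=(?P<status>\w+) \((?P<reply>.*)\)\s*$"
)
SAID_RE = re.compile(r"said: (?P<code>\d{3})[- ]?(?P<text>.*)")
# The address the remote MTA complains about, e.g. "[203.0.113.2]" or "[203.0.113.2 15]".
BLAMED_IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \d+)?\]")
REPUTATION_HINTS = ("listed in", "blocked", "unsolicited", "reputation")

@dataclass
class Bounce:
    queue_id: str
    relay: str
    dsn: str
    code: int
    permanent: bool           # 5xx: Postfix gives up; 4xx: it will retry later
    blamed_ip: Optional[str]  # our address as seen by the remote MTA, if it names one
    reputation_related: bool  # wording that points at a blacklist/reputation problem

def parse_bounce(line):
    """Parse one smtp delivery line; None if it is not a deferral/bounce with a remote reply."""
    m = LINE_RE.search(line)
    s = SAID_RE.search(m.group("reply")) if m else None
    if not s:
        return None
    code, text = int(s.group("code")), s.group("text")
    ip = BLAMED_IP_RE.search(text)
    return Bounce(m.group("qid"), m.group("relay"), m.group("dsn"), code, 500 <= code < 600,
                  ip.group("ip") if ip else None,
                  any(h in text.lower() for h in REPUTATION_HINTS))

def summarize(log_text):
    """Count temporary vs permanent failures and collect the IPs the remote MTAs blame."""
    bounces = [b for b in (parse_bounce(l) for l in log_text.splitlines()) if b]
    return {
        "permanent": sum(b.permanent for b in bounces),
        "temporary": sum(not b.permanent for b in bounces),
        "blamed_ips": sorted({b.blamed_ip for b in bounces if b.blamed_ip}),
        "reputation_related": sum(b.reputation_related for b in bounces),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A blamed IP that differs from the address you expect to send from (as with the second public IP later in this story) is itself a finding worth checking.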

10:30 | blacklisted

To check whether we are on a blacklist, we query the URL https://mxtoolbox.com/blacklists.aspx and enter the public IP address from which our internal SMTP server reaches the internet.

Oops! We are on the blacklist. Now there are two questions:

» Why are we blacklisted?
» Is waiting the only way to solve this problem?
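The mxtoolbox lookup above can also be done directly against DNS-based blacklists (DNSBLs), which is handy for a scheduled check. This is an added example, not the page's or any vendor's code: a DNSBL is queried by reversing the octets of the IPv4 address and appending the list's zone; a listed address answers with an A record in 127.0.0.0/8 (the exact code is zone-specific), while NXDOMAIN means not listed. The two zones named are well-known public lists used here only as examples; `resolve` can be swapped for a fake to test offline.

```python
import ipaddress
import socket

# Public DNSBL zones used as examples; substitute the lists that matter to you.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

def dnsbl_name(ip, zone):
    """Return the DNSBL query name for an IPv4 address: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def system_resolve(name):
    """Resolve with the OS resolver; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_blacklists(ip, zones=DEFAULT_ZONES, resolve=system_resolve):
    """Query each DNSBL zone for `ip`; returns {zone: return_code_or_None}."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # Some ISPs rewrite NXDOMAIN into a real address; a DNSBL hit is always in 127/8.
        if answer is not None and ipaddress.IPv4Address(answer) not in loopback:
            answer = None
        results[zone] = answer
    return results

def listed_zones(results):
    """Names of the zones on which the address is listed, sorted."""
    return sorted(zone for zone, code in results.items() if code is not None)

if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.2"  # documentation address as default
    res = check_blacklists(ip)
    print(ip, "listed on:", listed_zones(res) or "nothing")
```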

10:35 | Mikrotik firewall

To answer the first question, the IT staff begins to investigate more deeply. We start by analyzing the perimeter firewall, a Mikrotik device with the latest version of RouterOS on board. There is unusually high traffic leaving the network. Using the command /tool torch, the data tells us that the outgoing traffic comes from the DNS service: our Mikrotik router is resolving names not only for our internal network but also for any client on the internet. Damn, we are an open DNS resolver and we didn't know it (see the article "Avoid open DNS resolvers on Mikrotik"). We close the DNS ports that we had forgotten to close.

Our inclusion in a blacklist most likely derives from this role we had unwittingly assumed on the network.
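The open-resolver condition above is easy to verify yourself once the ports are closed. This is an added check, not from the page or from Mikrotik: run from a host outside your network against your own public IP, it sends a single DNS query with the "recursion desired" bit set for a name the router is not authoritative for (`example.com` is assumed here) and classifies the reply. The packet builder and the classifier are pure functions, so they can be tested offline with constructed replies.

```python
import os
import socket
import struct

def build_query(qname, txid=None):
    """Build a minimal DNS A query (RD=1) for qname; txid is random unless given."""
    txid_bytes = os.urandom(2) if txid is None else struct.pack("!H", txid)
    # flags=0x0100 (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = txid_bytes + struct.pack("!5H", 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def interpret(query, response):
    """Classify a raw reply: 'open' means the server recursed and answered for us."""
    if len(response) < 12 or response[:2] != query[:2]:
        return "invalid"  # short, or transaction id does not match our query
    _, flags, _, ancount, _, _ = struct.unpack("!6H", response[:12])
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    if rcode == 5:
        return "refused"        # resolver exists but serves only allowed networks
    if not ra:
        return "no-recursion"   # authoritative-only, or recursion disabled
    return "open" if rcode == 0 and ancount > 0 else f"rcode-{rcode}"

def probe(ip, qname="example.com", timeout=2.0):
    """Send one recursive query to ip:53 over UDP and classify the outcome."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-answer"  # port closed or filtered from this vantage point
    return interpret(q, data)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.2"  # placeholder public IP
    print(target, "->", probe(target))
```

Only "no-answer", "refused" or "no-recursion" from the outside is the desired result; "open" means the fix has not taken effect on that interface.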

11:00 | the user

The antivirus reports that a user's browsing cache contains files attributable to phishing activity. The network administrator calls the user, who confirms that he clicked on a link in an email he had received; a web page opened with another link, which he also clicked, and then an antivirus notice appeared that he does not remember exactly but, in any case, he confirmed everything it proposed. This was the last thing we needed. What a day! The problems reported at 10:00 are still unresolved: the emails still do not arrive.

13:00 | advice

A colleague has heard about FlashStart® and its internet filtering and DNS services. Objection: but FlashStart® is just a DNS resolver, what does it have to do with blacklists?

13:15 | FlashStart®

We connect to the FlashStart® site and activate a demo version on our network (activate a free trial). FlashStart is an easy-to-use and efficient internet malware and content filter, distributed in more than 120 countries.

After a few minutes of configuration, the phishing site is no longer reachable from the users' workstations: had it been in place before, the user would not have been able to go wrong by clicking on risky links. We begin to see the light...

14:00 | the second IP address

On the FlashStart® site (guide) we read the documentation on removal from the blacklist. The IT staff doesn't have to do anything: within a few hours the FlashStart® system will do the job for us.

For the moment we change the configuration of the Mikrotik firewall by adding a src-nat rule so that the internal SMTP server goes out with a different public IP from the one on the blacklist:

/ip firewall nat add action=src-nat chain=srcnat comment="Internal SMTP to 2nd IP" out-interface=ether1-wan src-address=10.10.250.15 to-addresses=2.28.245.216


The mail resumes its normal operation.

The day after

9:00

To check whether we are still on a blacklist, we query the URL https://mxtoolbox.com/blacklists.aspx again and enter the public IP address from which our internal SMTP server went out on the internet.

Hurray! FlashStart® did its job well: we are no longer on the blacklist. Now the problem is definitively solved.
