APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Help - I'm on a blacklist

© June 2009 Anthony Lawrence

You are getting bounced mail that says your email can't be delivered because you are on a blacklist. Almost always there will be instructions or a link in the bounce message that tells you what you need to do next. It's usually pretty simple (here's Spamcop's FAQ page, for example). You follow the directions and get yourself removed, but a month or so later it happens again. You are unhappy, and if you are one of my Kerio Mailserver customers, you might have sent me an email saying just how unhappy you are.

The first thing to understand is that your mailserver is working correctly. It's trying to deliver mail; it's the other server that is saying "No, you are on a blacklist so I won't take your mail".

Why are you on a blacklist? Well, maybe for no good reason at all - maybe someone thought you sent them spam and asked that you be treated that way. Or, maybe you really ARE sending spam - maybe one or more of your machines has been compromised and is sending out junk without your knowledge.

Ok - take a deep breath. It's unlikely to be the mailserver that is at fault here. More likely you have an internal machine that is responsible. The problem COULD be on whatever server the mail server runs on, but it still is unlikely to use the mailserver program. It's much more likely that they'll send it directly themselves.

Why? To avoid logging. If your mailserver is used to send spam, it's going to log every piece of mail sent. It wouldn't be hard for you to notice unusual activity in your logs - you'd spot them quickly.

To stop these sneaks, your WAN firewall should be set to block outgoing port 25 and 465 from all machines EXCEPT the mailserver. Ideally, it should log any such attempts. It should also separately log port 25/465 coming from the mailserver itself in case that machine itself has been hacked.

You say your firewall can't block outgoing traffic or won't log it? You have a toy firewall - get something better (Kerio sells a nice firewall too, by the way).

Usually you can get the blacklist company to give you some information about what was sent and when. In combination with your firewall logs, that can sometimes help narrow down your search so that you can identify the specific machine.

Of course it is possible that someone outside is using your mailserver to relay spam. That's often very easy to do if your users won't use strong passwords. The all too typical "sam" with password "sam1" can be easily guessed and then used to send anything. Again, these will be in your logs. If you see that Sam sends email 24 hours a day or sends hundreds or thousands of messages per hour, you may have found your problem.

If you do not see anything unusual in the logs and you are blocking outgoing mail ports for user machines, you can be pretty certain that you have NOT been sending spam. In that case, you may have been falsely reported. If that keeps happening, most blacklists have a procedure for dealing with false or malicious accusations.

Another possibility is that the mail didn't come from you at all. Usually this type of lie won't get you on a blacklist, but it might cause a friend or other email contact to accuse you of spamming them or sending them a virus. One of the odd things about sending email is that the sender can easily lie about who they are. I (or anyone else) can very easily "forge" mail so that it appears to come from someone else. Therefore, the nasty virus-laden email that appeared to come from you may not have at all - but it probably DID come from someone who knows you. Here's why: those nasty programs that take over programs often read the mail address book to find other folks email addresses, and will use those addresses in the forged email. So if Pete has you and Sam in his address book, and his computer gets infected by a virus, Sam might get forged email that looks like it came from you.

If you've left your email on newsgroups, message boards or websites, spammers could have found it there too. They look for email addresses both to send junk to and to use as the forged source. See How Mail works for more on that.

Also see: I'm receiving spam reports, but my mail server logs don't reflect it. Why?
But my server is secured against relay...
Spam-sending malware

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> I'm on a blacklist - what now!

Inexpensive and informative Apple related e-books:

iOS 8: A Take Control Crash Course

Take Control of Upgrading to El Capitan

Take Control of iCloud, Fifth Edition

Take Control of Preview

Take Control of iCloud

More Articles by © Anthony Lawrence

Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

We are stuck with technology when what we really want is just stuff that works. (Douglas Adams)

Linux posts

Troubleshooting posts

This post tagged:



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode