Blacklists – An Overview & Explanation

What is a blacklist?

At a fundamental level, a blacklist is just a list of IP addresses that have been flagged for engaging in some type of undesired activity. This undesired activity can include email spam, botnet attacks, and several other types of malicious activity.

There are numerous blacklists that are compiled and maintained by a number of organizations throughout the internet. Some are for the exclusive use of a corporation; for example, Microsoft utilizes its own private blacklist in order to reduce spam going to its email clients. Others make the contents of their lists available to subscribers for a fee, while the rest offer up their lists to the public at no cost.

The most common types of blacklists we encounter are designed to reduce spam. These blacklists are generally created with the goal of providing a server administrator the means to curb the flow of email spam on their network by tracking IP addresses used by known spammers. Any attempt to deliver email to a mail server by a blacklisted IP is rejected outright, preventing the server from having to deal with the message at all. It is assumed that all email from a blacklisted IP is spam, so no resources are spent trying to determine whether or not each individual message is valid.

I’ve been blacklisted?! How did this happen?

Our end users usually discover the existence of blacklists when they contact us about email delivery problems. Generally, someone discovers they have been blacklisted when emails that they’ve sent from their server start bouncing back to them as rejected. This is a good indication that their server’s IP address has found its way onto a blacklist used by the receiving mail server to filter out potential spam.

Blacklist entries can occur for several different reasons, and these will vary depending upon the blacklist operator and how they manage their lists.

  • Your IP address may have been logged by a “honeypot” – meaning that your server sent an email to a monitored email address that is not expecting emails but is set up to monitor inbound emails. These are a form of spam trap, as any email sent to these addresses is assumed to be unsolicited.
  • An Internet user may have received an email from your server’s IP and clicked the “Report Spam” button. Some popular webmail services may report to one or more RBL (Real-time BlackList) services about these incidents.
  • An Internet user may have reported an email from your server’s IP to a spam reporting body, such as SpamCop.
  • A misconfiguration related to your server’s IP address may have been detected by the blacklist service. For example, some blacklists will list IP addresses that do not have a Reverse DNS PTR record configured that matches the SMTP server’s HELO banner, or for similar reasons.
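
The PTR/HELO misconfiguration in the last item can be checked before a blacklist finds it. The following is an added example, not part of the original article: it compares a sending IP's PTR names with the HELO name and, going one step beyond the article, also confirms that the HELO name resolves back to the IP. The function names, problem codes and the constructed DNS data (documentation addresses) are assumptions made for the illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(name):
    """Addresses that name resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def _host(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()

def check_mail_identity(ip, helo, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return a list of problem codes; an empty list means the names line up."""
    problems = []
    ptr_names = {_host(n) for n in ptr_lookup(ip)}
    if not ptr_names:
        problems.append("no_ptr")
    elif _host(helo) not in ptr_names:
        problems.append("helo_ptr_mismatch")
    # Added check (not in the article): the HELO name must resolve back to the IP.
    resolved = {ipaddress.ip_address(a) for a in forward_lookup(_host(helo))}
    if ipaddress.ip_address(ip) not in resolved:
        problems.append("helo_not_forward_confirmed")
    return problems

# Constructed DNS data so the demo runs offline.
PTR = {"192.0.2.25": ["mail.example.com."]}
FWD = {"mail.example.com": {"192.0.2.25"}}

def demo(ip, helo):
    return check_mail_identity(ip, helo,
                               lambda i: PTR.get(i, []),
                               lambda n: FWD.get(n, set()))

if __name__ == "__main__":
    print(demo("192.0.2.25", "mail.example.com"))
    print(demo("192.0.2.25", "localhost.localdomain"))
```

Calling check_mail_identity with only the IP and HELO name uses the system resolver instead of the constructed data.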

But, I don’t send spam, how was I reported to a blacklist?

There are a number of possible reasons why you may have been listed, but before reaching this conclusion, it is a good idea to review your mail server’s logs and make sure that you really are not sending spam from your server. In many cases, a website, a mail server, or an account on your server may have been compromised and conscripted into relaying spam email through your server without your knowledge.

If this is the case, it’s generally pretty obvious as there is usually a backlog of email in the queue. Inspection of the message headers will quickly indicate whether the messages appear legitimate or not.

If you are using cPanel and you prefer not to look through log files, you can use cPanel’s Mail Queue Manager to assess the situation.
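
For those who do look through the logs, the review described above can be scripted. The following is an added example, not part of the original article: it tallies message submissions in an Exim main log (Exim is the mail server cPanel ships) per script directory, local user and authenticated SMTP login, so a compromised site or account stands out. The log lines are constructed, and the function names and threshold are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed Exim mainlog lines (not from a real server).
SAMPLE_LOG = """\
2024-03-01 02:10:01 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 02:10:01 1rfAbC-0004xY-1a <= exampleuser@host.example.com U=exampleuser P=local S=1523
2024-03-01 02:10:02 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 02:10:02 1rfAbD-0004xZ-2b <= exampleuser@host.example.com U=exampleuser P=local S=1519
2024-03-01 02:10:03 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 02:10:03 1rfAbE-0004y0-3c <= exampleuser@host.example.com U=exampleuser P=local S=1530
2024-03-01 02:11:40 1rfAcF-0004yB-4d <= sales@example.com H=(laptop) [198.51.100.7]:51234 P=esmtpsa A=dovecot_login:sales@example.com S=2048
2024-03-01 02:12:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
""".splitlines()

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+(?P<rest>.*)$")  # message accepted
CWD = re.compile(r"^\S+ \S+ cwd=(?P<dir>\S+) \d+ args: ")  # process start
AUTH = re.compile(r"\bA=\w+:(\S+)")   # authenticated SMTP login
LOCAL = re.compile(r"\bU=(\S+)")      # local user that submitted the message

def tally_sources(lines):
    """Count submissions per script directory, local user and SMTP login."""
    counts = Counter()
    for line in lines:
        cwd = CWD.match(line)
        if cwd:
            # Queue runners start in the spool directory; skip those.
            if not cwd.group("dir").startswith("/var/spool"):
                counts[("script_dir", cwd.group("dir"))] += 1
            continue
        arrival = ARRIVAL.match(line)
        if not arrival:
            continue  # deliveries, completions and other events
        rest = arrival.group("rest")
        auth, local = AUTH.search(rest), LOCAL.search(rest)
        if auth:
            counts[("smtp_auth", auth.group(1))] += 1
        elif local:
            counts[("local_user", local.group(1))] += 1
    return counts

def suspects(lines, threshold):
    """Sources with at least `threshold` submissions, busiest first."""
    hits = [(k, s, n) for (k, s), n in tally_sources(lines).items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

if __name__ == "__main__":
    for kind, src, n in suspects(SAMPLE_LOG, threshold=3):
        print(f"{n:5d}  {kind:10s}  {src}")
```

On a real server, pass the lines of the Exim main log instead of SAMPLE_LOG and choose a threshold that fits the server's normal mail volume.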

If your server is truly clean and not sending out spam emails, the most likely reasons for getting blacklisted would include:

  • If you recently obtained the blacklisted IP address, it may have been blacklisted due to a previous owner’s activities. If this is the case, usually blacklists are cooperative and will delist it if asked.
  • If you’ve been recently blacklisted but can’t find a reason why, it may simply be a false positive. If the blacklist service provides samples of the reported spam, this is a good opportunity to review the email that caused the blacklisting and decide how to proceed from there.

Where do I go from here?

Once you have done your due diligence by making sure that your server is secure and not sending spam, or if you did discover a source of spam and have shut it down, you can move forward by requesting a delisting from the blacklists that have flagged your IP address.

It’s very important that due diligence is done first, as blacklists will often penalize repeat delisting requests. The reason is obvious — if it is easy for professional spammers to repeatedly get themselves delisted, this defeats the purpose of the blacklist. So, in order to ensure positive relations between you and the blacklist in the future, should you find yourself in the position of needing their help with another listing, it is good practice to make sure that every delist request submitted is completely valid and you are not at risk of being immediately re-listed for continuing offenses.

Delisting procedures vary from service to service, but they are typically automated, requiring you to fill out a simple web form providing the server IP, the reason for requesting delisting, and perhaps a verification code. However, some are not quite as easy, and others lack a process to request a delisting. In the latter case, these blacklists typically list IPs on a temporary basis, and after a set amount of time has passed without further incident, your IP is automatically removed. There is no way to speed up the process in this case.

Once your delist request has been submitted, depending on the blacklist service, it may be applied automatically or it may require human review. A good guideline is to expect resolution within 24-48 hours.

While it may seem that getting listed on a blacklist is a terrible thing, these lists do exist for a reason, and your email accounts would likely be flooded with massive amounts of email without them — it is estimated that well over half of all email messages are unsolicited. Blacklists filter out the majority of them before they even hit your mailbox. Also, finding yourself on a blacklist may be the first indication that your server has been compromised, a discovery that might take significantly longer otherwise. Finding yourself on the wrong end of a blacklist can be an annoyance, but their benefit far outweighs their burden.