
Consolidated List of Pronounced RBLs (Real-time Black Lists) and Experiences in De-Listing

Background

Getting your IP address blacklisted as an ISP is not fun at all. A simple breach leads to a few hours of discomfort; a more serious breach can keep you busy for up to a week, or longer. The fact is that even a single compromised mailbox can lead to weeks of work. Lost reputation and business could also form part of the equation. As there is no magic formula for delisting, this article is designed to provide some pointers and to describe the systems out there that assist with delisting.

At the point of breach

The most important thing to do is to stop the MTA, the outgoing server, e.g. Postfix or Exim. You can faff around and try to clean the queues, but computers are fast, and if your queue is already busy you are losing valuable time by trying to sort the problem out whilst it is happening. So SSH in now, and stop Postfix:

service postfix stop

Next, of course, you have to clean the queues. This article is not about the queues so much, as each email server has a slightly different queue cleaning mechanism, but rather about getting your IP operational again.

Warning – not only your IP may be polluted

In the old days threats were generally confined to a single IP. One could go and focus on delisting that specific IP address. These days, no more. Some of the more aggressive lists will blacklist an entire /24 block, some might blacklist larger network blocks, and some might even blacklist your entire domain from sending. When you start tackling the problem, be aware of whether you’re troubleshooting a single IP address, a network, or an entire domain.

One service which lists an entire /24, even if just a single IP spammed, is invaluement SIP/24. Once you are in this list, you are pretty screwed. They do have a way of delisting, and we’ll provide more on that later.

With regards your entire domain being blacklisted, here is a clue:

“Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain

Carefully read the message above – yep – you are screwed. Your domain has been blacklisted. Google gets a special mention here. You see, the way Google as a company was designed was to never interact with the end users. The idea was to build automatic systems and make as much money in the process without the hassle of communicating with end-users. So Google’s systems do not have a way of unblocking. Or even seeing if you’re blacklisted. You’ll pretty much learn the hard way if Google is blocking you by a return message.

But do not fear – it’s possible to delist yourself, provided, of course, that the problem has been resolved. The reason why it’s not always easy or clear how to delist is that the majority of these services are run by robots – the amount of SPAM is too large for a normal human-driven system to cope. So instead they have created semi or fully automated ways to see if you can be delisted.

So without further ado, here is our list of favourite and most hated RBLs and how to get off them.
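The rejection quoted above has the reply code repeated in the middle of the sentence ("sending 550-5.7.1 domain"), which is how a multi-line SMTP reply looks once the MTA logs it on one line. The following is an added example, not part of the original article: it strips those codes before matching so that domain-level and IP-level rejections can be counted separately. The log lines are constructed, and the "IP address" wording is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): count Gmail reputation rejections in a
# Postfix log by scope. A multi-line SMTP reply is logged on one line with the
# "550-5.7.1" prefix repeated mid-sentence, so a plain grep for the phrase fails.

# Constructed sample log; addresses are documentation ranges. The "IP address"
# wording in the second entry is an assumption, not quoted from the article.
SAMPLE_LOG='Jul 10 09:14:02 mx1 postfix/smtp[2211]: 4B1C2A0F: to=<a@gmail.com>, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[203.0.113.27] said: 550-5.7.1 [192.0.2.25] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain. (in reply to end of DATA command))
Jul 10 09:14:05 mx1 postfix/smtp[2212]: 5C2D3B1A: to=<b@gmail.com>, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[203.0.113.27] said: 550-5.7.1 [192.0.2.25] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. (in reply to end of DATA command))
Jul 10 09:15:11 mx1 postfix/smtp[2213]: 6D3E4C2B: to=<c@gmail.com>, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[203.0.113.27] said: 550-5.7.1 [192.0.2.25] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain. (in reply to end of DATA command))
Jul 10 09:16:40 mx1 postfix/smtp[2214]: 7E90D1C3: to=<d@example.net>, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1F2E3D)'

# naive_count: what a plain grep finds (reads log lines on stdin).
naive_count() {
    grep -c 'reputation of the sending domain' || true
}

# gmail_block_scope: reads log lines on stdin, removes embedded reply codes
# such as " 550-5.7.1 ", then counts rejections per scope.
gmail_block_scope() {
    sed -E 's/ [0-9]{3}[- ][0-9]\.[0-9]+\.[0-9]+ / /g' |
    awk '
        /very low reputation of the sending domain/     { n["domain"]++ }
        /very low reputation of the sending IP address/ { n["ip"]++ }
        END { printf "domain=%d ip=%d\n", n["domain"], n["ip"] }'
}

# Stand-alone run on the constructed sample.
printf 'naive grep hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | naive_count)"
printf '%s\n' "$SAMPLE_LOG" | gmail_block_scope
```

On a real server, pipe the mail log into `gmail_block_scope` instead of the sample; a non-zero domain count means delisting a single IP will not be enough.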

Small Fact about SPAM

How to report SPAM

Did you know there is only one well known service on the internet where you can report SPAM? Spamcop. Let us know in the comments if you know of another place.

Paying to get delisted

You might find services that want to charge you a fee to get delisted. This is a big no-no in Internet etiquette. We generally recommend that you DO NOT PAY.

How to Check on Which RBLs You’ve Landed

There are two well known services that provide consolidated lists of blacklistings, and then some minor ones. The ones most commonly used are:

MX Toolbox

https://mxtoolbox.com/blacklists.aspx

MX Toolbox has a sexy interface. When checking whether you’re blocked, they will prompt you to register, but you don’t have to. Just close the prompt and follow the direct link to the listing site.

MultiRBL Valli Org

http://multirbl.valli.org/lookup/

MultiRBL is awesome and very comprehensive. It’s pretty fast too.
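RBLs are published as DNS zones, so the same check can be scripted from the mail server itself: reverse the IPv4 octets, append the list's zone, and look up an A record. This is an added example, not part of the original article; truncate.gbudb.net comes from this page, while the other two zone names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): query DNS-based blocklists directly.
# truncate.gbudb.net is named in the article; the other zones are assumptions.
RBL_ZONES="truncate.gbudb.net bl.spamcop.net dnsbl-1.uceprotect.net"

# rbl_qname IP ZONE: print the DNS name to query (octets reversed + zone).
# Returns 1 if IP is not a dotted-quad IPv4 address.
rbl_qname() {
    ip=$1; zone=$2
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# rbl_verdict ANSWER: "clean" for an empty answer (no record), "listed" for a
# 127.x.x.x answer, "unknown" for anything else (timeout text, odd replies).
rbl_verdict() {
    case $1 in
        '')    echo clean ;;
        127.*) echo listed ;;
        *)     echo unknown ;;
    esac
}

# rbl_check IP: one result line per zone. Needs dig and network access.
rbl_check() {
    for zone in $RBL_ZONES; do
        q=$(rbl_qname "$1" "$zone") || { echo "bad IPv4: $1" >&2; return 1; }
        ans=$(dig +short "$q" A 2>/dev/null | head -n 1)
        printf '%-26s %-8s %s\n' "$zone" "$(rbl_verdict "$ans")" "$ans"
    done
}

# Stand-alone use: ./rblcheck.sh 192.0.2.25
if [ $# -gt 0 ]; then rbl_check "$1"; fi
```

Treat an "unknown" result as a failed check rather than as a clean one, and re-run it before filing a delisting request.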

List of Common RBLs and more

Now let’s delve into a list of some of the most common RBLs:

Mimecast

Mimecast is one of the most user-friendly and professional SPAM checking and blacklisting services available. Their help desk is manned by real humans who proactively respond to tickets. If you get a rejection notice from Mimecast, go here to request an unblock: https://www.mimecast.com/senderfeedback/

Soon you’ll receive a ticket number and if the information you’ve submitted makes sense to them they’ll give you a sensible reply. One caveat is they might request the rejection notice and original email in .EML format. .EML files are basically text files containing the header and the body of the email. You can use “View Original” in Google or “Save As” in Thunderbird to generate an .EML file. If you don’t have access to the original message that was sent (e.g. it was sent by your client), then simulate the problem by sending a new message to the Mimecast user via the bouncing server. Something we’ve never quite understood about excellent services such as Mimecast is why both MX Toolbox and MultiRBL cannot directly query the block lists.

Sane Security

If you have accidentally landed on Sane Security you are pretty screwed for a few days. As you will notice on their website, they do accept False Positives, but alas, no confirmation email or ticket reply is ever sent. So you’re operating in the dark for a few days until their system decides you are not a virus anymore. They also blacklist any server in your domain, so let’s say for example your domain and company address is @mysuperhost123.com. So say you are [email protected]. If you have a server at AWS called serverXYZ.mysuperhost123.com, all of your email from that server will be blacklisted.

All we can say when you’ve been blacklisted by Sane Security is to beg them to remove you, and hope they are actually reading their emails. In one instance contacting them via Twitter did the job.

Probability of getting delisted: Unknown, variable, and you’re pretty screwed at least for a few days

Pains with this service:

  • No ticketing system
  • Some dubious incomplete sections of their website, e.g.:
    • Links to mailing lists that do not work
    • Outdated information

Link: https://sanesecurity.com/

Truncate

This one is pretty bad. For at least a day or two you are stuffed. It’s not that commonly used, but ISPs such as M-Web in South Africa use it. Their system is managed by SYNAQ and although SYNAQ’s support is excellent, they are unable to assist when you are on this list.

There is no automatic way of delisting.

URL http://www.gbudb.com/truncate/

More information:

truncate.gbudb.net

Spamcop

This is one of the most reliable SPAM reporting systems. The unfortunate thing is that services such as SendGrid regularly end up on this list, rendering SendGrid pretty useless. What’s cool about Spamcop though is that it’s the only 3rd party service we know of where SPAM can be reported. Click here to find out how.

UCEProtect

Somehow the Swiss got it right to create a common blacklist and provide a payment option. The payment option can be used to do an “express delisting” or to “belong to a whitelist”. Our recommendation: DO NOT PAY.

The unfortunate thing with UCEProtect is that it takes a week to get delisted. We have found though that most mail servers do not take UCEProtect very seriously; my best guess is that this is because they break the payment rule.

Here is their whitelisting service soliciting money:

90 CHF to USD is about $95. Ouch.

Probability of getting delisted: Good

Pains with this service:

  • It takes a week to get delisted if you go the free route WHICH WE RECOMMEND
  • You have to pay for “express delisting”, but if you read the fine print you’ll notice you’re just going to throw money away.

Link: http://www.uceprotect.net/en/rblcheck.php

Project Honeypot

Project Honeypot is a real gem. Once you get listed, you can delist yourself, but only from the IP address which was listed. So if you’re running a bunch of Linux boxes, you need to create a SOCKS proxy and pretend you’re that IP in a browser (they have CAPTCHA). Here is the command to create a SOCKS proxy using SSH:

ssh -p22 -D 9090 -N -f [email protected]

Substitute 22 for your hidden SSH port, and use 9090 as the SOCKS v5 proxy port in your browser.

Google

Google has a tool called postmaster.google.com which they recommend network administrators consult when they are blacklisted. In our experience this tool doesn’t work most of the time and gives too little information to be of use. Emphasis there is real usable data that you can react on for domains that have spammed. It’s an overly simplified tool and in our opinion a waste of time. Perhaps with time they will improve it, but as of July 2020 it’s just crap.

Generally if you land up in Google’s block list, which is undocumented, you are completely screwed. At times Google will report which IP is polluted, but other times not. Get ready for begging and pleading at no-one’s door. You will never receive a reply back from Google. With time they do unlist blocks but this could take up to a month.

Our searches for a concrete place to submit requests for delisting have gone nowhere. The most common URL that you will find, e.g. https://support.google.com/mail/contact/msgdelivery DOES NOT WORK. Additionally, bless his soul, jp88 who is copying / pasting the standard replies for us sods to use has the misfortune of trying to help people. Generally you’ll notice when people complain to jp88 and get a bit antsy he eventually tells them to buzz off as there is no fix. After a lot of extra work and googling, ignoring incorrect information provided by Google, and 301 redirects, we found a delisting form here:

https://support.google.com/mail/contact/bulk_send_new?rd=1

We don’t know if it works, because, err, Google doesn’t cater for humans.

And the confirmation, bless, says:

Thank you for submitting your request.

Please allow at least 2 weeks between submissions for the changes, if any, to propagate.

To measure and monitor your email deliverability to Gmail users, please use Postmaster Tools.

At this point it’s important to make a list of clients that you will lose in the next two weeks due to Google’s inability to cater to network administrators. Since there isn’t that much you can do anyway, we generally recommend moving away from Google blacklisting disasters and focusing instead on the places where you are able to delist. Once you’ve caught your breath, try delisting from Google again and give us some tips on how in the comments.

Microsoft

Microsoft have pretty much sorted out SPAM reporting. Not only can you see if you’re listed, but they also provide an escalation channel for following up on delistings. Google should take a page out of Microsoft’s book.

Microsoft’s delisting form can be found here:
https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75
Generally the form works but on some occasions you might end up with this error meaning you’re stuck:

The above form can be used to delist from:

hotmail.com, live.com, msn.com, outlook.com. Strangely hotmail.de is missing.

Once you delve deeper into the Microsoft toolset, you will encounter this website which allows you to list IPs that you want to watch:
Smart Network Data Service

This tool seems quite intelligently designed and we’ll provide more feedback as time goes on.

Suomispam

Suomispam has quite comprehensive information on their website about delisting, but specifically on this page they have a link to contact them:
http://suomispam.net/#!using

As per many of the other smaller services they tend to rant about how you shouldn’t be wasting their time.

Spam Grouper

As with many of the lesser known SPAM delisting services, you should hope not to end up on Spam Grouper’s list. Sending an email for delisting ends up with this beauty:

To the untrained eye, basically Spamgrouper’s email server is offline.

Leave us a reply in the comments section and share your adventures in delisting!
