Category Archives: Knowledgebase

What does being blacklisted mean?

Being on a blacklist is a sign of trouble for your email deliverability.  Since companies screen out traffic from blacklisted IP addresses, your emails may be dumped into a spam folder or refused completely.  If your email server’s IP address is blacklisted, it could make doing business difficult.  It’s also a sign that your servers may have been used for spreading spam, viruses or malware.  This could indicate a security breach or an employee issue.  

If your website IP address is blacklisted, then you have a bigger problem.  Typically, web servers do not send email.  Since the primary means of collecting bad actor IP addresses is via email, your web servers might be sending email without your knowledge.  This is definitely a sign of a malware or virus infection on those servers, or someone running email inappropriately from a web server.  

Occasionally, small businesses will run email and web on the same servers.  If you do, you run the risk of a blacklist event taking out all your e-commerce channels because companies may deny access to your website and email activity based upon your blacklist status.

Domain blacklisting is a serious issue.  It means that someone is using your domain for malicious activity, either on a server hosting your website, or by breaking into your DNS.  If the activity is coming from a server in your datacenter, then you need to root out the virus or malware on your servers, patch your servers, and upgrade your security systems and firewalls.  If the activity is coming from a server outside your datacenter that is using your domain name or a subdomain, you have another big problem.  In this case, your DNS has been hacked and the attackers have added subdomains that use your brand.  The attackers can utilize the remote server to host malware and viruses all the while using your brand to make their attacks look legitimate.

Regardless of the type of blacklist, being blacklisted could be a serious issue.  MxToolbox Monitoring services can help you by letting you know when you have been blacklisted, giving you notice before it becomes a serious business issue.

How do I get delisted?

Each blacklist has its own method for delisting.  Sometimes it’s a webform, sometimes it is an email.  Almost always, you need to include the steps you took to fix whatever problem put you on a blacklist.  Many blacklist operators see themselves as righteous crusaders fighting against spam, malware, viruses, bad email configurations and poor email operations, so remember when dealing with a blacklist operator, you are the bad actor seeking forgiveness.

Tips for delisting:

    • Read the description of the blacklist – Descriptions on MxToolbox Blacklist Info Pages give you everything you need to know about the blacklist and your reasons for being listed.  
    • Ask yourself “Do I need to be delisted?” and “Is this affecting my business?” – If you do not do business in Spanish, chances are you don’t need to be removed from the NoSolicitado blacklist that only serves Spanish language emails.  If you aren’t seeing any emails bouncing back, then this isn’t a huge issue, yet.  Don’t waste time or get frustrated over listings that have no effect on business.  
      MxToolbox provides filters that allow you to ignore alerts on irrelevant blacklists.  We also provide an MxReputation report that tells you what your global reputation is.  If it’s still high, you might be fine ignoring this blacklist.
    • Take care of the problem that caused the blacklisting – Once you know why you were listed, fix those issues.  Patch servers, run anti-malware/anti-virus software, fire the guy in marketing that was CCing all your customers or whatever you need to do. A blacklist will not delist you if you have changed nothing.
    • Have a detailed list of remediation steps you have taken –
      What did you do to clean viruses or malware?
      What did you do to close hacked accounts and prevent future attacks?
      Have you changed outbound email policies to prevent spam?
      Have you patched servers or firewalls?
    • Visit their site and fill out the required forms carefully and completely – MxToolbox has links to all the blacklist websites, including delisting forms.  Their forms are for their protection.  Their users will question a delisting if it results in further spam, so filling them out completely will aid your case.
    • Be polite – Most blacklists have evidence that your servers have acted badly.  Treat this as a respectful request that your servers be delisted because you are technically the bad actor here.
    • Explain the business impact – Let them know that you have a business that is impacted by being listed.
    • Be patient, wait a few days for a response – This is not an instantaneous delisting process.  Some of these blacklists are small shops with a handful of employees.  They also need time to validate that you are no longer spamming, sending malware or other issues.  They will wait to see that your emails are no longer hitting their spam traps or being reported by any new customers.  Be patient.
    • Don’t make multiple requests – It’s okay to make a second request if you have heard nothing in a few days, but refrain from making multiple requests in the first few days of an inquiry.  Blacklists get hundreds or thousands of requests daily and often duplicates drop to the bottom.
    • Don’t pay to delist – All the blacklists checked by MxToolbox provide free delisting services.  A few offer paid expedited delisting services.  MxToolbox does not recommend paying to delist and we do not condone services that require payment.  

After you’ve gone through these steps, you should consider setting up monitoring on your important IP addresses, especially Email and Web servers.  Monitors can alert you to blacklist events as they emerge, rather than waiting for serious business impacts.  MxToolbox offers a wide range of monitoring solutions from Free, single IP solutions, to real-time large network blacklist monitoring.

How do I know if I am listed on a blacklist?

Typically, the first time you find out that you are blacklisted is when customers start telling you that they aren’t receiving your email.  Bounced email is the number one symptom of being blacklisted.  Unfortunately, this is finding out about the problem only after it has impacted your business.

The other way to find out if you have been blacklisted is monitoring.  MxToolbox provides active monitoring solutions for blacklisting events.  Our free IP Blacklist monitor checks your server’s IP address every 7 days to give you a general warning of blacklist issues.  Our paid subscriptions check every 4 hours and premium services check at least once an hour, up to real-time blacklist checking.  The higher the frequency of checks, the more likely you will know about being blacklisted before it becomes a customer issue.

How are blacklists used?

Organizations use blacklists to limit security threats like spam, malware and viruses. The IP address of a server sending email is pulled from the email’s header and compared to the blacklist.  Anything that originates from an IP address on the blacklist is refused, quarantined or dumped to a spam folder.  Similarly, content of an email is scanned against the domain blacklist.  Any emails from or containing a domain on a blacklist will be dealt with.

Some companies also utilize blacklists to scan inbound or outbound web traffic or to create web or email filtering appliances.  Many companies purchase or utilize multiple blacklists along with their own blacklist information to minimize the potential for spam, malware or viruses passing through their servers.

MxToolbox provides insight into the blacklist reputation of your IPs and Domains.

 

What is a Blacklist?

A blacklist is simply a list of IP addresses or domain names that an organization has decided to block for one reason or another.  Blacklists started as a means to combat email spam.    Early on, it was just a list of IP addresses or domain names that were sending junk email.  These lists were manually managed with IPs added and removed based upon human interactions between a few systems administrators.  As the Internet evolved these individual lists became larger, more centralized and list curators developed unique tools, spam traps and service models to make the lists more widely available, and more accurate.

There are a few different types of Blacklists that you need to be aware of to fully understand the market.

Public/Private

Public Blacklists are shared publicly via the web or, more traditionally, via DNS.  A public blacklist can be referenced by anyone online to check individual IP addresses.  Checking more than one list or more than one IP requires development of tools, like MxToolbox, that can programmatically check these lists.  Often a subscription to the full list can be purchased for use internally, or commercially in appliances or software. Examples of public blacklists are SORBS and Spamhaus Zen.

Private Blacklists have been set up by a company for their own security usage and are not made available externally.  Often, these are considered proprietary or trade secrets because proprietary methods of data collection are used in the curation of the list.  Examples of these include your ISP’s blacklist, Microsoft’s blacklist and those used by security companies.

IP/Domain

IP Blacklists contain a list of IP addresses that are suspect.  Typically, each IP blacklist has a different method of collecting suspect email or web traffic and therefore different reasons for listing an IP address.  Typical reasons for listing are:

  • Spam has been received from this IP in a honey trap, directly by the organization or has been reported by subscribers to the list.
  • Malware or viruses were sent from this IP address.
  • Open relays or other configuration issues allow for bad actors to exploit the server at this IP address for spam or malware distribution.
  • This IP address has been marked as dynamic (DHCP) by the owner and leased out to their customers.  Since it is dynamic, no servers should be on these IPs and you cannot trust the ones that are.

Note: If you are on a dynamic IP address, you will automatically be blacklisted by most blacklists.  This is normal.  If you’re not sure if you are on a static IP, then you’re probably not on a static IP.

Domain Blacklists simply list domains that have been found in spam email or are known to be sources of malware infections.  There are only a handful of domain blacklists or blacklists that list domains alongside IP addresses.  While a Domain Blacklist is a useful tool to alert you to reputation issues, they do not contain comprehensive domain reputation information.  In general, checking your website’s IP address against an IP blacklist is also necessary to protect the reputation of your website and checking the IP addresses of your email servers is necessary for protecting your email reputation.

You can find the full list of blacklists checked by MxToolbox here.

What blacklists do I check and how should I?

Amongst our newer users, we often get some confusion between IP and Domain blacklist lookups and what the results mean. There is a distinct difference in the search and results and different benefits for performing the different lookups.  I’m hoping this will clear it up for many users and enable everyone to understand the unique benefits to each.

IP Blacklist Lookups

When you perform a blacklist lookup on an IP address, our system searches a list of 100 IP-based blacklists for the IP you gave us and returns both positive and negative results.  

An IP may be on this blacklist for any number of malicious activities:

  • Sending spam
  • Malware attacks
  • Operating a tor node
  • Hosting a botnet or virus
  • Many others…

Since an IP address represents a server on the Internet, any IP address could be blacklisted.  While any IP address may be listed, it is typically a webserver or email server that is the primary culprit.  We therefore recommend checking and monitoring the IP addresses of your web and email servers on a regular basis.

Domain Blacklist Lookups

When you perform a Domain blacklist lookup, you input a domain name.  MxToolbox algorithms do a DNS lookup of the Domain to produce the primary DNS record for that domain (an A record search).  We then run the IP address of the A record against all IP blacklists and simultaneously we run the domain name through a second set of domain blacklists.  Both could return results of blacklisting.
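The DNS-published lists described under Public/Private and the domain lookup flow described above can be sketched as follows. This is an added example, not MxToolbox's code: the zone names (`ipbl.example`, `strict.example`, `dbl.example`), the `resolve` callable and the sample DNS data are constructed placeholders, and the error range follows Spamhaus's documented convention.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus documents 127.255.255.0/24 as error codes (for example, a query
# refused because it arrived through a public resolver), not as listings.
# Other lists may differ: treat this range as an assumption to verify per list.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

def ip_query_name(ip, zone):
    """Build the DNSBL query name: reversed address labels, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.10 -> 10.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 reversed hex nibbles
    return ".".join(labels) + "." + zone

def system_resolve(name):
    """A-record lookup; an empty list means no answer (NXDOMAIN or failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(answers):
    """Interpret a DNSBL answer instead of treating any answer as a listing."""
    if not answers:
        return "clean"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_RANGE for a in addrs):
        return "error"      # the list refused the query; this is not a verdict
    if all(a in LOOPBACK for a in addrs):
        return "listed"
    return "invalid"        # a routable answer is not a DNSBL reply

def check_ip(ip, ip_zones, resolve=system_resolve):
    return {z: classify(resolve(ip_query_name(ip, z))) for z in ip_zones}

def check_domain(domain, ip_zones, domain_zones, resolve=system_resolve):
    """Domain lookup: the name goes to domain lists, its A records to IP lists."""
    domain = domain.rstrip(".")
    report = {"domain": {}, "ips": {}}
    for zone in domain_zones:
        report["domain"][zone] = classify(resolve(domain + "." + zone))
    for ip in resolve(domain):
        report["ips"][ip] = check_ip(ip, ip_zones, resolve)
    return report

# Constructed sample DNS data so the example runs offline.
FAKE_DNS = {
    "shop.example": ["192.0.2.10"],
    "10.2.0.192.ipbl.example": ["127.0.0.2"],
    "10.2.0.192.strict.example": ["127.255.255.254"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    print(check_domain("shop.example", ["ipbl.example", "strict.example"],
                       ["dbl.example"], fake_resolve))
```

An "error" or "invalid" result means the list could not be consulted and should be retried or investigated, not reported as a listing or as a clean result.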

IP Blacklists vs Domain Blacklist

IP blacklists contain the IP addresses of known spammers, malware infectors, virus and botnet distributors and other bad actors.  When an IP is on a blacklist, it has been caught in some bad act.  Since an IP address identifies a particular server somewhere, you know that the server is performing some bad act.

Domain blacklists contain a list of domain names that have been included in known spam attempts.  This does not mean that the domain is the source of the spam, or that the server is a source of spam.  It only means that the domain name or domain URL was included in spam or malware laden emails. 

So, if you are sending email, you want to check the IP address of your mail server.  If you are running a web server, you want to check the IP address of the server.  If you are concerned about your domain’s reputation, you should check your domain against a domain blacklist.

Blacklist Monitors

MxToolbox Experts recommend that everyone with their own email servers monitor the IP addresses of those mail servers against IP blacklists.  This will give you warning that someone or something is performing a bad act through your email.  Further, it is highly recommended that you set up a domain blacklist monitor for your website.  Since domain blacklist monitors use both the IP of the web server and the domain in blacklist searches, you get extra protection of your reputation.  

Free Monitoring

MxToolbox offers one free IP blacklist monitor to our registered users.  This enables you to monitor your email server or webserver for blacklisting in the most common IP blacklists.  Our domain blacklist monitors are more comprehensive for web reputation and are therefore a paid feature.  While most of our customers find a free account sufficient for a small business, some want the additional reputation protection of a domain blacklist monitor or our Domain Health Monitoring.

New MxToolBox Monitoring Feature: Pausing Monitors

Sometimes, there comes a point when a server needs to be taken down for temporary maintenance. Whether you are monitoring that server for performance or availability, you more than likely don’t want to get inundated with down alerts or, worse,  go through the process of removing the monitor in order to stop the alerts – only to re-add it again later.

With that in mind, MxToolBox recently released a new feature for pausing your monitor. Whenever you need to take a server offline, you can simply pause/disable your MxToolBox monitor until you are ready to bring the server back online.

To access this feature:

  • Select the monitor you wish to pause
  • Select the “Edit” tab
  • Choose “Disable Monitor”.

When you are ready to unpause your monitor:

  • Select the “Disabled” button in the status bar of your monitoring dashboard
  • Select your monitor
  • Click “Edit”
  • Select “Enable Monitor”

Bam! Your monitor is now active again and ready to start tracking.

This is the second in our series on making the most of your MxToolbox account.  Today we’ll talk a little about blacklisting. 

Blacklist Lookups

An example of blacklist results.


Blacklist lookups check our extensive list of blacklists (up to 100 for paid subscribers) and operate in two modes: IP address or Domain blacklists.  This is one of those lookups where checking blacklists for an IP address produces different results than checking a domain.  Read more below.

About Blacklists

For email senders, Blacklists might seem to be a nuisance.  Who are they to prevent you from emailing your customers?  Well, they are legitimately used by nearly every email provider on the internet to reduce spam.  Blacklists set up honeypots that receive spam and use this spam in their algorithms to block illegitimate email.  In fact, Blacklists reduce the amount of email your servers process by as much as 90%.  Think about that for a second…  Your server would need to be 10x more powerful to process all the email you receive without using the email filter capability a blacklist provides.  Blacklists benefit everyone (except the spammers) by reducing the overhead of emailing.

Occasionally, legitimate emailers get caught in a honeypot and added to a blacklist.  That’s where MxToolbox comes in, helping legitimate businesses understand the blacklists they are on and how to get off the list.

IP Blacklists

IP Address blacklists should be checked using the IP address of your mail servers or, in some cases, your web servers.  An IP address on a blacklist indicates that spam or malware has originated from that IP address, or potentially there is an email configuration that promotes spamming or is the source of a botnet attack.  Each blacklist specializes in monitoring different types of bad online behavior (spam, malware, botnets, exploitable email configurations, etc), so check the individual blacklist description for more information.

Domain Blacklists

Domain blacklists are a little different.  A domain blacklist lists domains that have been included in links or content of spam emails or those known to house malicious or exploitative software.  If your domain is on a domain blacklist, chances are your reputation or your website is being used for nefarious purposes and you need to correct it immediately.

Blacklist Detail

If you are blacklisted, MxToolbox is often able to provide information around the blacklist you are on.  This may include your reason for listing.  You will find a DETAIL button for each blacklist upon which you are listed.  For example, CBL is primarily for sending spam, probably resulting from a malware or virus attack.  Now you know what to check your server for before approaching the blacklist for delisting!

Delisting Information

An example of delisting information available on MxToolbox.com


You’re on a blacklist and you want off.  On each blacklist detail page, MxToolbox provides links and steps for delisting your mail servers from the blacklist.  Each blacklist is a little different.  Some may require more information, others may just require you to fill out a request form.  Regardless, you must fix the problem before you request delisting!  If you don’t, you will be relisted and most likely have to jump through bigger hoops or experience longer delays the next time you request delisting.

Note:  Some blacklists ask for donations or payments for express delisting.  It is MxToolbox’s belief that delisting should be free.  We only search blacklists that are legitimately used by companies or organizations to reject email and have free delisting.  It is up to you to choose if you would like to pay for an express delisting or donate to the blacklist.  Contact Us if you feel like a blacklist is unfair or unethical.

The next topic is analyzing email server setups and troubleshooting using MxToolbox.

The Death of a Blacklist

From time to time a Blacklist will go permanently offline.  Unlike a failed website that often goes down with little or no noise, a blacklist tends to end with a bang.  This was the case with the recent loss of Burnt-Tech.   Blacklists typically have many anonymous subscribers using their lists, so there are only a few mechanisms that can be used to let subscribers know the end is near.  Typically, the protocol is to Blacklist the entire Internet.  This may sound extreme, but it is very successful at driving awareness.

For email admins the story is simple

If email admins get a positive blacklisting on their servers, they tend to go look at why the rejection rate for a particular blacklist has spiked.  Once they do visit the blacklist website, they’ll get the complete story and can remove the blacklist from mail filter algorithms pretty easily.  This typically happens within a day or so, but could be delayed over a weekend (as in the case of Burnt-Tech).

The difference is for legitimate emailers

Legitimate emailers subscribe to services like MxToolbox to know when they are at risk of mail rejection due to blacklisting.  When we see an IP on a blacklist, we immediately alert you.  When it happens for all our customers, we look into the blacklist and will suspend the blacklist and try to notify our customers of the change.  While email admins may still block your email while they are removing the failing blacklist from their filters, this is only temporary.  The good news:  you didn’t do anything to get on the blacklist.  It’s safe to ignore the blacklisting event, even though you may experience a few bounce-backs.  Everyone else in the world is experiencing the same bounce-backs as you, but at least you know why!
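A list that has started listing the entire Internet can be recognized before its results are trusted. The following added example (not MxToolbox's code) relies on the RFC 5782 convention that an IPv4 DNSBL must list the test address 127.0.0.2 and must never list 127.0.0.1; the zone names and the `sample_resolve` data are constructed placeholders.

```python
def reversed_v4(ip):
    """192.0.2.10 -> 10.2.0.192, the label order used in DNSBL queries."""
    return ".".join(reversed(ip.split(".")))

def zone_health(zone, resolve):
    """Probe the two RFC 5782 test addresses before trusting a zone.

    resolve(name) returns a list of A-record strings, empty when no answer.
    """
    test_entry = bool(resolve(reversed_v4("127.0.0.2") + "." + zone))
    never_entry = bool(resolve(reversed_v4("127.0.0.1") + "." + zone))
    if never_entry:
        # 127.0.0.1 must never be listed: the zone answers for everything,
        # which is how a retiring list announces its shutdown.
        return "lists-everything"
    if test_entry:
        return "healthy"
    # No test entry: the zone is silent or gone, so "not listed" proves nothing.
    return "no-test-entry"

def triage(ip, zones, resolve):
    """Report listings only from healthy zones; explain why others are ignored."""
    result = {"listed": [], "ignored": {}}
    for zone in zones:
        health = zone_health(zone, resolve)
        if health != "healthy":
            result["ignored"][zone] = health
            continue
        if resolve(reversed_v4(ip) + "." + zone):
            result["listed"].append(zone)
    return result

# Constructed sample data: live.example behaves normally, dead.example
# answers for every name, quiet.example answers for nothing.
LIVE_ENTRIES = {"2.0.0.127.live.example", "10.2.0.192.live.example"}

def sample_resolve(name):
    if name.endswith(".dead.example"):
        return ["127.0.0.2"]
    return ["127.0.0.2"] if name in LIVE_ENTRIES else []

if __name__ == "__main__":
    zones = ["live.example", "dead.example", "quiet.example"]
    print(triage("192.0.2.10", zones, sample_resolve))
```

A mail filter that runs the same probe on a schedule can drop a dead list from its scoring before it starts rejecting legitimate mail.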

 

How reliable is DNS?

DNS is the backbone of the Internet.  It contains all the information to properly route a customer to your site and begin the transaction, when properly configured.  For example:

  • The A record translates your domain, like mxtoolbox.com, to an IP address of the server.
  • The MX record tells your customers’ email servers what IP address to use when sending email.
  • CNAME records associate one domain name with another domain, which can be used to associate one brand with another.
  • SOA specifies what DNS servers are authoritative for a domain.

There are many different record types for different purposes, but the beauty of DNS is that it just works.

Until recently…

In May, hackers added a domain to the St Louis Federal Reserve’s research website and set up a clone of the website that was virtually identical to the existing page.  Using this new page, they grabbed a number of logins from unwitting researchers.

In March, hackers targeted 10000+ GoDaddy customers by adding hidden subdomains.  While at the time of the article only a third of the subdomains had been used, it indicates a new type of attack that leverages Small Businesses and their brands for nefarious purposes.

So, what is this attack?

Think of DNS as a phone book for your online presence.  It contains everything a customer needs to find you: your name, address and telephone number.  What if a criminal could call up the Yellow Pages and change your address without you knowing?  Or, change a digit on your phone number?  You might not even notice at first, but new and existing customers might go to the new location or call the new phone number.

What if the criminal made a store front that looked like yours but instead of providing your quality product, they sold cheap knock-offs for the same price?  Your brand would suffer and you might go out of business.

In the physical world, this kind of fraud costs a lot of money and is pretty easy to spot.  However, with DNS, criminals can hack 10000 domains at a single registrar and go undetected.  This type of attack is becoming more common and everyone from a small business to a large enterprise needs to be aware of the possibility that their DNS is at risk.

Monitor your DNS for Changes

MxToolbox recently launched DNS Zone Protect, a monitoring solution for all your DNS, that gives you immediate warning when any change is made to your DNS.  With DNS Zone Protect, you get instant notification of changes to your domain’s DNS.  This new monitor uses AXFR to monitor your domain’s DNS and compares it to previous DNS configurations.  When a change is made, we flag it and notify you.  You get peace of mind knowing that changes to your DNS are being externally monitored by MxToolbox.
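The comparison step can be illustrated with two zone snapshots. This is an added example, not the DNS Zone Protect implementation: it assumes the zone transfer output has already been saved as master-file style text (`name TTL class type rdata`), and the `example.com` records below are constructed.

```python
def parse_zone(text):
    """Turn zone-transfer text into a set of (name, type, rdata) tuples.

    TTLs are dropped, and SOA is skipped because its serial changes on
    every legitimate edit. Only whole-line ';' comments are stripped, so
    TXT data containing ';' (DMARC policies, for example) survives intact.
    """
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _rclass, rtype, rdata = line.split(None, 4)
        if rtype.upper() == "SOA":
            continue
        records.add((name.lower().rstrip("."), rtype.upper(), rdata.strip()))
    return records

def diff_zones(baseline_text, current_text):
    """List changes, flagging hostnames that never existed in the baseline."""
    old, new = parse_zone(baseline_text), parse_zone(current_text)
    known_names = {name for name, _, _ in old}
    changes = []
    for rec in sorted(new - old):
        # A brand-new hostname is the hidden-subdomain pattern described above.
        kind = "record-added" if rec[0] in known_names else "new-name"
        changes.append((kind, *rec))
    for rec in sorted(old - new):
        changes.append(("record-removed", *rec))
    return changes

# Constructed snapshots of one zone, taken at two different times.
BASELINE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2024010101 7200 900 1209600 300
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN MX 10 mail.example.com.
mail.example.com. 3600 IN A 192.0.2.25
www.example.com. 3600 IN CNAME example.com.
"""

CURRENT = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2024010102 7200 900 1209600 300
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN MX 5 mx.example.net.
mail.example.com. 3600 IN A 192.0.2.25
www.example.com. 3600 IN CNAME example.com.
login.example.com. 300 IN A 203.0.113.66
"""

if __name__ == "__main__":
    for change in diff_zones(BASELINE, CURRENT):
        print(*change)
```

Here the `new-name` entry for `login.example.com` and the swapped MX target are the two changes that need an owner to confirm they were intentional.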
