IP blacklisting happens when an email sent to a recipient is returned with an error message that includes the terse statement:
error 550: Message rejected due to sender IP reputation ([xx.xx.xx.xx])
A “Blacklist”, more properly called a “DNS-based Blackhole List”, is a real-time database that uses criteria to determine if an IP address is sending email that could be considered spam. There are over a hundred influential public blacklists including Spamhaus, Barracuda Reputation Block List, and SpamCop. They all have their own criteria for accepting inbound mail and all can seriously impair email delivery.
Perversely, blacklisting happens when an important email addressed to an important customer or supplier is returned and, worse, all subsequent messages are returned, followed by a contagion that spreads to effective paralysis.
Initially, users call their email supplier for help. However, the supplier has limited options. For instance, email was being despatched, and in one sense the “error 550” delivery failure message proves that the sender’s equipment worked well enough to have sent the email in the first place.
How does blacklisting happen?
The problem lies with the IP address associated with the sender’s email. Email is routed using IP addresses. Once, engineers imagined the number of IP addresses using “version” 4 would be impossible to consume. However, as the “Internet of things” continues to grow, “IPv4” faces a crunch. There are not enough IP addresses using the IPv4 convention to supply all devices with unique values, future growth notwithstanding. To keep costs down, engineers use techniques to delegate individual public IP addresses to cover several users. This has become a vulnerability. Larger organisations tend to use dedicated solutions which circumvent this vulnerability.
For example, company A (see “witness.org” in the illustration above) uses a mail server which is uniquely identified on the Internet as 22.214.171.124. However, company B has its owns services, but those services sit within server 126.96.36.199’s environment. In this way, potentially, several hundred organisations can use a common IP address. This practice is most commonly used in retail, or entry level, web hosting.
When an email address has been blacklisted, the IP address attached to an email has been associated with suspicious activity by virtue of the IP address (e.g. 188.8.131.52) which matches an existing entry held by a public blacklist as a source of unusual volumes or otherwise suspicious activity. The activity is not necessarily attributable to the sender at witness.org, in the case of the example above. However all users subscribed to 184.108.40.206 are seen by a public blacklist as one entity. The good news is that the message is returned to sender so that there is a chance for the sender to understand there is a problem.
If an email services have been blacklisted, it could be because a user with a common IP address has been detected distributing suspicious email. This is not always the case, though. It could also mean that the user’s own workstation or office network is responsible, using resources to distribute large mail volumes which might include the business’ own sensitive data. The only way to know a business’ web servers or local machines have not been infiltrated is to conduct a full security review.
There are several reasons that contribute to blacklisting. Perhaps the most usual culprits are catch-all email services, email forwarding, and poorly managed bulk email.
How to fix blacklisting problems
Blacklisting is such a common problem that ISPs need dedicated departments to manage this and other security issues. In terms of mail flow, the bottleneck happens at the recipient’s end. The sender’s services have despatched email, so the sender’s equipment works. However, in practice there is not much motivation for the recipient to intervene to clear the blacklisting block. Usually, the sending ISP intervenes to lift the block by tracing contaminated IP addresses and corresponding with the public blacklists involved. If the underlying reason for a blacklisting is not eliminated and blacklisting persists, eventually public blacklists will permanently block an implicated IP address. Further, if an ISP has reason to believe its user is breaking its contractual terms by causing suspected email to cross its networks, ISPs will usually terminate email services until the user can demonstrate what steps it is taking to arrest the abuse. Potentially, an ISP may seek financial penalties from its user.
More often, businesses are finding that premium services like Exchange, Hosted Exchange, etc. are increasingly necessary to provide the reliability they need.