17 February 2017

Blacklisted!

Because of spam and other forms of network abuse, access to network services – such as mail exchangers – is restricted more and more often. This document provides advice for administrators whose networks or servers have been ‘blacklisted’.

The basics

You cannot bully people into accepting your traffic

The Internet consists of a large number of individual networks. Most of these networks are privately owned. Whenever a network whose operations someone else pays for agrees to receive traffic that you send, it is extending hospitality that it may revoke without notice. In most cases, you have no means to force a network to accept email or any other traffic from your network.

(A pointy-haired person once commented, in disbelief, ‘But that would be anarchy!’ – Not far from the head of the nail, although ‘democracy’ probably would be an even better description of the distributed nature of Internet governance.)

Issuing demands when blocked is probably the worst thing you can do to your own connectivity. Distributed block lists are protected through freedom of speech, and their operators are often highly regarded by the Internet community they serve. In addition, administrators have a duty to protect their resources, so they are usually very serious about their right to restrict access. Picking a fight with block list operators – especially issuing any threat of legal action – over your listing is therefore likely to swiftly place your networks in an indefinite number of static access lists all over the globe (yes, that is a lot of jurisdictions) for a long time.

Natural selection applies to block lists. If using a list does not produce good results, not many people will use it. Conversely, the lists that survive are likely to be both effective and esteemed.

Understanding block lists

  • Local lists are typically static access list files used on one site or within one organization.
  • Distributed lists, such as SBL and SORBS, are available to the public (perhaps for a fee), usually through the DNS. Mail servers typically query distributed lists dynamically rather than store a local copy of the entire list.

If you are dealing with a distributed block list, be sure to understand the difference between these roles:

  • the list operator who has added you to their list;
  • the party who is using the list on their networks and/or servers.

Adding a network to a distributed list is merely an informational service that by itself does not affect the traffic of the listed party. Any decision to actually block or otherwise influence traffic to a site is up to an administrator at that site. In other words, the block list operator only runs a list – whether and how to use that list is up to individual network administrators.

Being blacklisted does not necessarily mean that someone considers your network or domain abusive. As an example, mail server administrators often use block lists to deny dial-up and DSL users SMTP access, encouraging such users to send their mail through their providers’ so-called smart hosts instead. Some lists seek to list all networks assigned to certain countries, so that a provider can enforce a policy of not accepting mail sent from or through those countries.

Anyone can create a blacklist, but a listing cannot affect your outgoing email unless the list is actually used on the mail server of your recipient. Do not worry just because you have found your IP address listed on some unorthodox blacklist few mail administrators are likely to use.

(Although the terms block list and blacklisting are effectively established, and therefore used in this document, they are technically incorrect. Administrators may also use distributed lists for other purposes than actually blocking traffic; spam filters often use them merely to tag email Subject: lines, and at least theoretically, blacklists could even be used to favour the listed parties.)

Things you can do to help prevent listings

  • Do not allow anyone or anything to send spam from your networks.
  • Do not host any kind of spam support services, such as
    • websites that are advertised through spam (directly or indirectly);
    • ‘drop boxes’ for replies to spam;
    • DNS service for spammers;
    • payment processing services for products that are advertised through spam;
    • spam tools, such as web pages marketing ‘millions of email addresses’.
  • Ensure that all your servers, workstations and other devices are secure. No spam bots, open SMTP relays, open proxy servers or similar abuse intermediaries may exist.
  • Operate abuse and postmaster email addresses. Consider registering with abuse.net and creating an ISP account with SpamCop.
  • Ensure that adequate contact information (most importantly organisation and person names, email addresses and telephone as well as fax numbers) for all your domains and networks is available through the relevant Whois services.
  • Publish an adequate, detailed and binding acceptable-use policy. Focus on preventing abuse.
  • If your preventative measures fail: act upon legitimate problem reports and consider publishing your actions.
  • Ensure that all your mail exchangers accept empty return path (MAIL FROM:<>) delivery status notifications.
  • Avoid bad neighbourhoods. If your providers are ignorant or downright abuse-friendly, their reputation is likely to trickle down to you.

Steps to take if you find yourself listed

As discussed above, never threaten legal action over blacklisting issues.

  1. Find out how you are being blocked

    There is no single universal Internet block list. Pay attention to the error messages you have received. If there are references to a distributed block list, note them.

    You can also try looking up your domains and networks on major block lists. There are websites that allow you to query many lists at once. Note that you might be on several different lists, maybe even for several different reasons.

    You can usually query distributed lists by using a DNS resolver and appending the lookup key (in the case of an IP address, in reverse order) to the zone name. The existence of any A record indicates a positive result. For example, if the IP address 192.0.2.2 were listed on relays.dnsbl.example, the query

        dig 2.2.0.192.relays.dnsbl.example

    might yield

        2.2.0.192.relays.dnsbl.example. 300 IN A 127.0.0.2

    In order to differentiate between reasons for listing, the list might also use 127.0.0.3, 127.0.0.4 and so on. An NXDOMAIN reply would instead indicate that 192.0.2.2 was not listed.

    If you do not find yourself listed on any of the distributed block lists, you will have to assume for now that a local access list is blocking your traffic. Most of this document still applies.

  2. Find out why you are being blocked

    Sometimes an error message (or, in the case of distributed lists, a TXT record) will state the reason for the block. Distributed block lists often run informative websites providing answers to frequently asked questions. Even if you have been blocked only locally, the organisation blocking your traffic might have a web page explaining their policy, possibly even displaying their current block lists.

    If you cannot find any reason as to why you are being blocked, you may have to contact the blocking site at this stage already.

  3. Remove the problem, if possible

    Fixing the problem that has earned you a listing may be as easy as pulling the plug on a spam relay, or as complicated as implementing and enforcing new terms of service. Be as thorough as possible; do your best to make sure the problem is gone and cannot resurface.

    In some cases, you might conclude that the reason for the listing is impossible to remove. For example, you might be unable to relocate to a different country in order to evade a country-based listing. It may prove useful to contact (such as by telephone or fax) the party who is blocking you, and ask them to ‘whitelist’ you. Think very carefully before attempting to circumvent a listing; if a recipient does not want your traffic, they are also likely to block any alternative routes you might find, and you may be blamed for the damage this causes other users.

  4. Request removal, if appropriate

    Many block lists have automated interfaces, such as web forms, for requests regarding removal of list entries. Always try to comply with the procedures set out by the list operator. If you need to phrase your request, be polite. Most operators are eager to keep their lists up to date, but it is human to prioritise courteous requests over hate mail.

    Whenever you contact someone – whether in public or in private – over a listing, be specific. Someone who does not know which list and which networks or domains you are referring to would find phrases such as ‘please remove me’ or ‘why am I blocked?’ quite meaningless. Something like ‘the open relay at 192.0.2.2 has now been secured; please consider removing 2.2.0.192.relays.dnsbl.example’ would be much better.

    If your entire provider – or, indeed, one of their providers – is being blocked, removal is likely to require efforts by them. In such a case, avoid bothering the list operator; direct your efforts at your own provider instead.

    Not all lists accept removal requests. Others implement a waiting period: as an example, if an IP address has been listed for one month, the listing might be removed only after no more abuse from that address has been seen for another month; listed for a year, no more abuse for a year, and so on.

    Do not post removal requests to newsgroups. In particular, do not post APEWS removal requests to news.admin.net-abuse.email. Doing so will only worsen your situation.

  5. If unsuccessful, contact the recipient

    You may find your removal request denied. In such a case, the senders should contact their intended recipients, for example by telephone or fax, to request a so-called whitelisting: an exception that will allow certain mail through irrespective of any block list entries. If the recipients do want mail from your users, blocking it makes no sense.

  6. Should you try to circumvent the problem?

    Some providers offer authenticated SMTP as a standalone service allowing you to route your outgoing messages through a provider that is not your ISP. Such a solution can be particularly useful if you are innocently listed over abuse committed by other customers of your ISP or by your ISP itself. Your travelling users would probably also benefit.

    However, if you have been listed due to action or neglect on your own part, any new networks you manage to use are likely to be listed as well. Instead of building a name for yourself as a hopeless abuser, tackle the issues that caused your listing. If you need professional advice, seek it.
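
The lookup from step 1, as an added example that is not part of the original document: it builds the query name and interprets the A records that come back. It goes beyond the text in two ways, both assumptions: IPv6 addresses are reversed nibble by nibble (the RFC 5782 convention), and only answers inside 127.0.0.0/8 count as a listing. SAMPLE_ZONE and sample_resolver are constructed stand-ins for relays.dnsbl.example so that the code runs offline.

```python
import ipaddress
import socket

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reversed address labels followed by the list's zone name."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.2 -> 2.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: one label per nibble
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name via the OS resolver; [] when there are none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, but also timeouts: confirm a negative with dig
        return []

def check_listing(ip, zone, resolve=system_resolver):
    """Query one list and interpret the A records it returns."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    # Assumption (not from the page): only 127.0.0.0/8 answers are listings;
    # anything else is treated as a wildcard or rewritten DNS reply.
    codes = sorted(a for a in answers if ipaddress.ip_address(a) in LISTING_NET)
    return {
        "query": name,
        "listed": bool(codes),
        "codes": codes,  # e.g. 127.0.0.2, 127.0.0.3: the list's reason codes
        "unexpected": sorted(set(answers) - set(codes)),
    }

# Constructed zone data standing in for the page's relays.dnsbl.example.
SAMPLE_ZONE = {
    "2.2.0.192.relays.dnsbl.example": ["127.0.0.2", "127.0.0.4"],
    "9.2.0.192.relays.dnsbl.example": ["203.0.113.80"],  # not a listing code
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])  # a missing name models NXDOMAIN

if __name__ == "__main__":
    for ip in ("192.0.2.2", "192.0.2.3", "192.0.2.9"):
        print(check_listing(ip, "relays.dnsbl.example", sample_resolver))
```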