Are you Blacklisted?

  • 20-03-2007 10:54pm
    #1
    Registered Users Posts: 3,088 ✭✭✭


    Found this site tonight on siliconrepublic.

    Handy little site, I seem to remember a couple of people asking here if their IP was Blacklisted.

    http://www.blacklist.ie/

    *I've nothing to do with the site.


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Since they show you your IP, wouldn't it be handy if they prepopulated the box for you.

    Anyway, my current IP shows up on one list :eek:


  • Registered Users Posts: 17,399 ✭✭✭✭r3nu4l


    Anyway, my current IP shows up on one list :eek:

    Me too :eek:

    NJABL listed: Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html
    Explanation
    Dynablock.njabl.org started out as a straight import of what was dynablock.easynet.nl...a very nice DNSBL of dynamic IP spaces, which the maintainer got tired of maintaining and announced would be shut down December 1, 2003. From December of 2003 until January of 2007, NJABL maintained its own copy of the dynablock zone.

    With the advent of Spamhaus's PBL, dynablock has become obsolete. Rather than maintain separate similar DNSBL zones, NJABL will be working with Spamhaus on the PBL. For the next several months, dynablock.njabl.org will exist as a copy of the Spamhaus PBL. After dynablock users have had ample time to update their configurations, the dynablock.njabl.org zone will be emptied.

    If you currently use dynablock.njabl.org we recommend you switch immediately to pbl.spamhaus.org. If you currently use combined.njabl.org, we recommend you add pbl.spamhaus.org to the list of DNSBLs you use. You may also want to consider using zen.spamhaus.org, which is a combination zone consisting of Spamhaus's SBL, XBL, and PBL zones.

    Since we no longer directly maintain the dynablock.njabl.org zone, any additions or removals must be done via the Spamhaus web site. Do not email NJABL asking for removals.

    As an ISP or other "network operator", you are encouraged to use the Spamhaus PBL web site to register which parts of your IP space should not be sending "direct to MX" email over the internet.

    As an end-user running a mail server on a static IP that's been mistakenly listed in the PBL, you can use the Spamhaus PBL web site to register an exclusion for your IP, removing it from the PBL (and dynablock).

    For compatibility with dnsbl.njabl.org, all dynablock.njabl.org listings return an A record of 127.0.0.3 and (other than the 127.0.0.3 test listing) all return the same TXT record, currently:
    Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html


  • Registered Users Posts: 5,743 ✭✭✭kleefarr


    Um... two.

    Spam Haus not listed
    Spam Cop not listed
    Mailwall RBL not listed
    Abuse At not listed
    SORBS listed: Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?***.***.***.*
    NJABL not listed
    510 SG listed: miscellaneous address blocks that have sent spam here

    What does it mean and should/could I do anything about it? :confused:


  • Registered Users Posts: 386 ✭✭Zirconia
    Boycott Israeli Goods & Services


    A lot of places blacklist (and by that I mean they refuse any SMTP email originating directly from) any known block of dynamic IP addresses that ISPs give out to their clients.

    The logic behind it is that you are probably not likely to be running a legitimate mail server (as opposed to just an email client like Outlook) if you have a dynamic address - you are supposed to really have a fixed DNS Mail Exchange server record for domain email.

    Of course with third party dynamic DNS services you can run a mail server on a dynamic IP these days, but most SMTP mail coming from dynamic addresses really is spam from infected or controlled PCs, not people trying to run their own mail server, so the blacklisting is legitimate.

    Oh and you don't have to be concerned - when you set up your email client like Outlook, you should be set up to send and receive mail via your ISP's mail host, e.g. mail.eircom.net. It's this host's IP address that is critical to your mail getting through. As long as the ISP's mail host is not blacklisted, then you don't have to worry about whether your own dynamic IP address is blacklisted or not.


  • Closed Accounts Posts: 1 dayfydd


    I believe you probably know what you're talking about, but my webmail message was recently blocked by Spamhaus... I am assigned various dynamic pool addresses under a satellite IP.
    ?:mad:?


  • Registered Users Posts: 1,064 ✭✭✭Snowbat


    Can you post the rejection message?


  • Registered Users Posts: 354 ✭✭AndrewMc


    Another useful site worth checking: http://openrbl.org/

    Check out the “OpenRBL JS Client” — has 36 different RBLs.


  • Registered Users Posts: 3,739 ✭✭✭BigEejit


    I set up a mail server for my family while I was on a static IP when I lived in London and it worked grand. When I moved house I ended up on cable and started getting a dynamic IP ... and after setting up dyndns I found myself in the position where my own mail server would not send out email due to me being on a dynamic IP address (spamhaus).... And tbh with the sheer quantity of mail servers using spamhaus I just had to give up as the vast majority were blacklisting my email .... so I have to use gmail, which I have had no issues with ...

    Also I found one of the links showed the following on that second blacklist checker:
    Net 82.32.0.0/12 is UCEPROTECT-Level2 listed because of 3006 abusers. Your ISP CABLEINET Telewest Broadband/AS5462 has to fix this. See: http://www.uceprotect.net/rblcheck.php?ipr=82.44.xx.xx

    That's an awful lot of IP addresses those guys have blacklisted, 3006 is a lot of abusers though.


    The big question of course is: How many people use a mail client that does not use bayesian filtering that actually require blacklisting .... far better to use intelligent filtering at stopping junk than daft blacklists imo


  • Registered Users Posts: 354 ✭✭AndrewMc


    BigEejit wrote: »
    I set up a mail server for my family while I was on a static IP when I lived in London and it worked grand. When I moved house I ended up on cable and started getting a dynamic IP ... and after setting up dyndns I found myself in the position where my own mail server would not send out email due to me being on a dynamic IP address (spamhaus).... And tbh with the sheer quantity of mail servers using spamhaus I just had to give up as the vast majority were blacklisting my email .... so I have to use gmail, which I have had no issues with ...

    Could you have sent your mail through the ISP's mail server instead?


  • Registered Users Posts: 2,426 ✭✭✭ressem


    I'm surprised that there aren't more people on that 510 SG blacklist.

    It lists our company mail server because there's a problem server in the same public /15 subnet managed by eircom? (255.254.0.0), 120,000-odd possible machines.
    Not exactly precision targeting there.


  • Closed Accounts Posts: 5 thelaundry


    I've heard there's a service that monitors whether your IP address is listed all the time and sends you alerts. I can't find it though. I'm told it is Blacklist Alarm. Anyone know anything about a service like this?


  • Registered Users Posts: 1,064 ✭✭✭Snowbat


    RBLalerts from DNSstuff?
    http://member.dnsstuff.com/info/overview_rbl.php

    There are quite a few blacklists and they vary greatly in terms of listing policies, usefulness, quality, and maintenance. Some you can even expect to be listed on (lists of dynamic IP addresses, ones that list specific countries or ISPs). *Competent* mail administrators know which ones are professionally run and suitable to use for rejection, which ones are suitable for tagging and scoring, and which ones are run by insane zealots.

    @BigEejit
    Client-side bayesian filtering only hides the problem and gives you a Spam folder that you'll need to check for false positives or risk losing valid mail. Blocklists (at an enterprise or ISP level) actually save bandwidth and storage and push the problem back at the source. Unfortunately, Telewest/Blueyonder had a less than stellar reputation for handling abuse issues:
    http://news.bbc.co.uk/1/hi/technology/4528927.stm


  • Closed Accounts Posts: 2,917 ✭✭✭towel401


    I been a good boi

    The IP address 86.43.88.90 is not blacklisted.

    RBLs checked:
    Spam Haus not listed
    Spam Cop not listed
    Mailwall RBL not listed
    Abuse At not listed
    SORBS not listed
    NJABL not listed
    510 SG not listed


  • Registered Users Posts: 3,739 ✭✭✭BigEejit


    Snowbat wrote: »
    RBLalerts from DNSstuff?
    http://member.dnsstuff.com/info/overview_rbl.php

    There are quite a few blacklists and they vary greatly in terms of listing policies, usefulness, quality, and maintenance. Some you can even expect to be listed on (lists of dynamic IP addresses, ones that list specific countries or ISPs). *Competent* mail administrators know which ones are professionally run and suitable to use for rejection, which ones are suitable for tagging and scoring, and which ones are run by insane zealots.

    IIRC Verizon in the US had most of the rest of the world Blacklisted ... I recall having to go through a long process to get my (then static IP from a decent business isp) mailserver allowed so I could email my brother.

    @BigEejit
    Client-side bayesian filtering only hides the problem and gives you a Spam folder that you'll need to check for false positives or risk losing valid mail. Blocklists (at an enterprise or ISP level) actually save bandwidth and storage and push the problem back at the source. Unfortunately, Telewest/Blueyonder had a less than stellar reputation for handling abuse issues:
    http://news.bbc.co.uk/1/hi/technology/4528927.stm

    My problem is that because an ISP uses dynamic IPs and also because some of that ISP's customers are sending spam they blacklist the entirety of the ISP's dynamic IPs (hundreds of thousands). No-one is ever going to know even rough figures, the article is from 2005.

    The thing is, in most cases the spam has traversed the interweb from china etc before it gets stopped by a server probably no more than 100km away from me, and just because it's on one of these blacklists does not guarantee it is spam. Plenty of spam comes from static IPs that are not blacklisted (yet). In fact, using a very easily spoofed email I could get any server blacklisted, and we all know it's a PITA getting that reversed.

    As for bayesian and false positives, what about gmail .... it uses bayesian afaik, and so far has been 100%. I remember checking this a few years ago and they did not use blacklists then.


  • Registered Users Posts: 1,064 ✭✭✭Snowbat


    BigEejit wrote: »
    IIRC Verizon in the US had most of the rest of the world Blacklisted ... I recall having to go through a long process to get my (then static IP from a decent business isp) mailserver allowed so I could email my brother.

    Verizon's idiocy had most of Europe and parts of Asia and Russia blocked. Some of their outraged customers launched a class-action suit and Verizon ended up settling. It's probably just loose change to Verizon but I think they won't try that again in a hurry ;):
    http://www.emailblockingsettlement.com/

    BigEejit wrote: »
    My problem is that because an ISP uses dynamic IPs and also because some of that ISP's customers are sending spam they blacklist the entirety of the ISP's dynamic IPs (hundreds of thousands). No-one is ever going to know even rough figures, the article is from 2005.

    The story I linked to was a listing by SPEWS, a two-level blacklist that certainly leaned towards insane zealotry. Most blacklists list only spam sources and do not expand listings to cover big chunks or all of a provider's netspace the way SPEWS did. SPEWS was not widely used for this very reason (typically vanity domains of antispammers and a handful of businesses and ESPs) but it was enough to be noticed and encouraged quite a few providers to clean up their acts.
    http://en.wikipedia.org/wiki/Spam_Prevention_Early_Warning_System

    BigEejit wrote: »
    The thing is, in most cases the spam has traversed the interweb from china etc before it gets stopped by a server probably no more than 100km away from me, and just because it's on one of these blacklists does not guarantee it is spam. Plenty of spam comes from static IPs that are not blacklisted (yet). In fact, using a very easily spoofed email I could get any server blacklisted, and we all know it's a PITA getting that reversed.

    You're tarring all blacklists with the same brush and ignoring the fact that only some are suitable for front line rejection while others are more suitable for tagging and filtering. A reasonable setup might use Spamhaus, SpamCop, and UCEPROTECT level 1 in front for rejection and then SORBS, UCEPROTECT level 2 and 3, bayesian scanning, and various URIBLs for tagging and filtering. It would certainly not be a good idea to use UCEPROTECT level 3 in front for rejection.

    How do you propose to spoof an email that could get any server blacklisted? Sure you can fake the From address and add some fake headers but you can't fake the IP address of the server that delivers it to my provider. That's the server that will be a candidate for blacklisting because it is either compromised or has an abusive user. If you think you can spoof an IP address, good luck predicting all the TCP sequence numbers accurately enough to complete the job, if the traffic even makes it past the filters of your provider's router.
    BigEejit wrote: »
    As for bayesian and false positives, what about gmail .... it uses bayesian afaik, and so far has been 100%. I remember checking this a few years ago and they did not use blacklists then.

    Gmail's accuracy is not 100% for me but easily 99%. I think they have some deal with Postini now but remember they've always allowed users to flag/unflag spam and with a large userbase that would work very well. I've found the most effective solution for me (I don't control the mail server for most of my accounts) is SpamAssassin with input from the bayesian scanner AND scoring with multiple blacklists. It would not surprise me if Gmail was also using a backend scoring system with input from multiple sources.

    Another problem lately is blackhole syndrome where emails seem to just disappear en route. If you're the sender, you've confirmed the address is correct, you know it hasn't bounced, yet the recipient claims nothing arrived. If you're the recipient, you've confirmed the sender used the correct address and doesn't see a bounce, yet nothing arrives. Whether due to one end dumping it as spam without rejection or bounce, or the other end dumping or filtering bounce messages due to backscatter problems, or the recipient not seeing it in the spam folder, this kind of thing is really breaking what should be a straightforward and reasonably reliable system. At least with blacklists used for 55X rejection, the sender knows almost immediately that the mail cannot be delivered and why - I'd much prefer that to the mess of "solutions" currently fighting each other.
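
Added example, not part of any post in the thread and not any list operator's code: the DNSBL lookup that the quoted NJABL text describes (a listing is signalled by an A record such as 127.0.0.3), combined with the reject-versus-score split outlined in the post above. Zone hostnames other than zen.spamhaus.org, the weights, the threshold and the fake DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Tier split follows the post above. Zone hostnames other than
# zen.spamhaus.org, the weights and the threshold are assumptions.
REJECT_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl-1.uceprotect.net"]
SCORE_ZONES = {"dnsbl.sorbs.net": 2.0, "dnsbl-2.uceprotect.net": 1.5,
               "dnsbl-3.uceprotect.net": 0.5}
TAG_THRESHOLD = 3.0

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in 127.255.255.0/24 to report query errors, not listings;
# this example treats that range as "not listed" for every zone.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_qname(ip, zone):
    """192.0.2.10 + zone -> 10.2.0.192.zone (nibble-reversed for IPv6)."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return f"{rev.rsplit('.', 2)[0]}.{zone}"  # drop in-addr.arpa / ip6.arpa


def system_resolver(qname):
    """A records for qname, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def listing_codes(ip, zone, resolver=system_resolver):
    """Answers that count as a listing: inside 127/8 and not an error code.
    Anything else (e.g. a resolver rewriting NXDOMAIN) is ignored."""
    codes = []
    for answer in resolver(dnsbl_qname(ip, zone)):
        addr = ipaddress.ip_address(answer)
        if addr in LISTING_NET and addr not in ERROR_NET:
            codes.append(answer)
    return codes


def classify(ip, bayes_score=0.0, resolver=system_resolver):
    """Return (action, detail): reject at SMTP time, tag, or accept."""
    for zone in REJECT_ZONES:
        codes = listing_codes(ip, zone, resolver)
        if codes:
            return "reject", f"550 {ip} listed in {zone} ({codes[0]})"
    score = bayes_score
    for zone, weight in SCORE_ZONES.items():
        if listing_codes(ip, zone, resolver):
            score += weight
    return ("tag" if score >= TAG_THRESHOLD else "accept"), score


# Constructed answers standing in for DNS, so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.11"],
    "20.2.0.192.dnsbl.sorbs.net": ["127.0.0.10"],
    "20.2.0.192.dnsbl-2.uceprotect.net": ["127.0.0.2"],
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # error code
    "40.2.0.192.bl.spamcop.net": ["198.51.100.7"],       # rewritten NXDOMAIN
}


def fake_resolver(qname):
    return FAKE_DNS.get(qname, [])
```
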


  • Closed Accounts Posts: 52 ✭✭SakisP


    Maybe blacklisting is the reason that I cannot get through a certain point in Cable & Wireless's backbone to some website that my wife just loves to visit:

    forum.cosmo.ru
    www.odnoklassniki.ru
    www.ljplus.ru (also repository for pictures in personal pages of www.livejournal.com)

    I guarantee you that if you are using an eircom connection, you will NOT get through to any of these sites - if you do, then maybe eircom have solved the problem (fat chance!)

    My eircom IP appears in the SORBS Dynamic IP Addresses list, according to www.blacklist.ie and additionally on SpamHaus and TQMCube according to openrbl.org... When I ran the IP address that appeared when I went through www.zend2.com (an anonymizing portal) it came out without any positive blacklistings from 36 lists.

    Here's a couple of traceroutes for you to peruse:

    Tracing route to forum.cosmo.ru [81.176.78.226]
    over a maximum of 30 hops:

    1 1 ms 1 ms 1 ms 192.168.1.254 <--- my wireless modem
    2 * * * Request timed out. <--- the other side :)
    3 9 ms 9 ms 10 ms 159.134.127.69 <--- internal eircom gateway
    4 24 ms 23 ms 23 ms 83.71.113.102 <--- external eircom gateway
    5 23 ms 23 ms 23 ms ge-3-2-0-zcr1.lnt.cw.net [195.66.224.182] <--- Cable & Wireless backbone starts here
    6 33 ms 33 ms 32 ms so-3-0-0-dcr2.amd.cw.net [195.2.10.106]
    7 31 ms 30 ms * as0-dcr1.amd.cw.net [195.2.10.153]
    8 40 ms 40 ms 41 ms so-0-0-0-dcr2.fra.cw.net [195.2.10.150]
    9 45 ms 40 ms 41 ms so-6-0-0-zar1.fri.cw.net [195.2.10.226] <--- the point of no return...
    10 * * * Request timed out.
    11 * * * Request timed out.
    12 * * * Request timed out.

    Tracing route to www.ljplus.ru [195.161.116.13]
    over a maximum of 30 hops:

    1 4 ms 3 ms 2 ms 192.168.1.254
    2 * * * Request timed out.
    3 22 ms 70 ms 72 ms 159.134.127.65
    4 19 ms 19 ms 19 ms 83.71.113.98
    5 121 ms * 72 ms zpr2.amt.cw.net [195.69.145.144]
    6 54 ms 67 ms 71 ms so-0-0-0-dcr2.fra.cw.net [195.2.10.150]
    7 49 ms 40 ms 39 ms so-6-0-0-zar1.fri.cw.net [195.2.10.226]
    8 * * * Request timed out.
    9 * * * Request timed out.
    10 * * * Request timed out.


    etc.

    Would the word "goons" accurately describe support people at eircom, or can I hope that there is a contact in their department that I can talk with about this?


  • Registered Users Posts: 1,064 ✭✭✭Snowbat


    SakisP that looks more like a routing issue between CW and RTComm.RU than a blacklist problem. DNS blacklists are *normally* used only for email.

    forum.cosmo.ru has address 81.176.78.226
    www.odnoklassniki.ru has address 81.176.227.133 (and 81.176.227.11)
    www.ljplus.ru has address 195.161.116.13

    All these are in ranges BGP advertised by RTComm.RU - http://www.cidr-report.org/cgi-bin/as-report?as=AS8342

    RTComm should be reachable through these networks:
    AS6320 TELECOMPLETE-AS Telecomplete Ltd, UK
    AS174 COGENT Cogent/PSI
    AS1239 SPRINTLINK - Sprint
    AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
    AS1273 CW Cable & Wireless
    AS3356 LEVEL3 Level 3 Communications

    From your info, Eircom are currently using CW to reach RTComm. My provider gets there via UUNET and another box I checked gets there via Cogent and both these are fine. I'll PM you some addresses to report this to.


  • Closed Accounts Posts: 52 ✭✭SakisP


    Thanks for the valuable info, Snowbat!

    However, you might want to reconsider the CW issue when you see the traceroute from my workplace, served by NTL:

    Tracing route to forum.cosmo.ru [81.176.78.226] over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms xxxxxx.xxxxxxx.xxxxxxxx.xxx [xx.xx.xxx.x]
    2 1 ms 1 ms 2 ms 089-101-132094.ntlworld.ie [89.101.132.94]
    3 3 ms 2 ms 4 ms 089-101-167025.ntlworld.ie [89.101.167.25]
    4 89 ms 29 ms 2 ms dbln-t2core-b-so-2-3-1-0.aorta.net [213.46.165.33]
    5 75 ms * 32 ms nl-ams-rc-01-pos-0-1.chellonetwork.com [213.46.160.13]
    6 33 ms 33 ms 64 ms 213.46.183.186
    7 51 ms 52 ms 33 ms zpr2.amt.cw.net [195.69.145.144]
    8 70 ms 65 ms 47 ms so-0-0-0-dcr2.fra.cw.net [195.2.10.150]
    9 59 ms 62 ms 64 ms so-6-0-0-zar1.fri.cw.net [195.2.10.226]
    10 63 ms 86 ms 149 ms romteleco-gw.fri.cw.net [166.63.204.170]
    11 336 ms * * msk-dsr1-ae0-804.rt-comm.ru [217.106.7.218]
    12 115 ms 115 ms 115 ms msk-dsr1-ae0-804.rt-comm.ru [217.106.7.218]
    13 115 ms 113 ms 112 ms cose1.imedia.ru [81.176.78.226]

    Trace complete.


    NTL go via CW as well... and it works :(


  • Registered Users Posts: 1,064 ✭✭✭Snowbat


    Interesting. Are you getting a 83.x.x.x IP address from Eircom? If you are, see http://www.boards.ie/vbulletin/archive/index.php/t-246760.html
    romteleco-gw.fri.cw.net [166.63.204.170] may be using an *obsolete* bogons list that causes it to drop packets to/from that range. This would make it a blacklist issue after all, though a non-DNS one specifically for router and firewall security: http://en.wikipedia.org/wiki/Bogon_filtering
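
Added example, not part of any post in the thread: a parser for the Windows tracert hop lines posted earlier that compares the failing Eircom trace with the working NTL trace to find the hop just past the last one that answered, then checks each trace's source-side address against a prefix deny list. The hop lines are copied from the thread with annotations removed; `STALE_BOGONS` is a constructed list that mirrors the post's hypothesis and is not taken from any real router.

```python
import ipaddress
import re

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

EIRCOM_TRACE = """\
  3   9 ms   9 ms  10 ms  159.134.127.69
  4  24 ms  23 ms  23 ms  83.71.113.102
  5  23 ms  23 ms  23 ms  ge-3-2-0-zcr1.lnt.cw.net [195.66.224.182]
  8  40 ms  40 ms  41 ms  so-0-0-0-dcr2.fra.cw.net [195.2.10.150]
  9  45 ms  40 ms  41 ms  so-6-0-0-zar1.fri.cw.net [195.2.10.226]
 10   *     *     *      Request timed out.
 11   *     *     *      Request timed out.
"""
NTL_TRACE = """\
  2   1 ms   1 ms   2 ms  089-101-132094.ntlworld.ie [89.101.132.94]
  8  70 ms  65 ms  47 ms  so-0-0-0-dcr2.fra.cw.net [195.2.10.150]
  9  59 ms  62 ms  64 ms  so-6-0-0-zar1.fri.cw.net [195.2.10.226]
 10  63 ms  86 ms 149 ms  romteleco-gw.fri.cw.net [166.63.204.170]
 11 336 ms   *     *      msk-dsr1-ae0-804.rt-comm.ru [217.106.7.218]
 13 115 ms 113 ms 112 ms  cose1.imedia.ru [81.176.78.226]
"""

# Constructed deny list standing in for an outdated bogon filter.
STALE_BOGONS = ["10.0.0.0/8", "83.0.0.0/8", "192.168.0.0/16"]


def parse_tracert(text):
    """tracert output -> [(hop_number, ip or None if the hop timed out)]."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops


def suspect_hop(failing, working):
    """(last address that answered in the failing trace,
        the hop that follows it in the working trace, or None)."""
    answered = [ip for _, ip in failing if ip]
    last = answered[-1] if answered else None
    path = [ip for _, ip in working if ip]
    if last in path and path.index(last) + 1 < len(path):
        return last, path[path.index(last) + 1]
    return last, None


def bogon_match(ip, bogons=STALE_BOGONS):
    """First deny-list prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix in bogons:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


if __name__ == "__main__":
    print(suspect_hop(parse_tracert(EIRCOM_TRACE), parse_tracert(NTL_TRACE)))
    for src in ("83.71.113.102", "89.101.132.94"):
        print(src, "->", bogon_match(src))
```
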


  • Registered Users Posts: 354 ✭✭AndrewMc


    Snowbat wrote: »
    Another problem lately is blackhole syndrome where emails seem to just disappear en route.

    There are some badly-written mail servers out there that don't handle being greylisted properly. It's happened more than once that a server sending to me has tried once, got the temporary failure, and neither retried nor bounced to the sender...

