In my last post I mentioned how setting up a Feedback loop can help you keep track of spam reports for your server. I realized that it helped tackle only a small portion of the problems faced by Webhosts when it comes to email blacklists. So in this post we’ll take a deeper look at what a Blacklist is, how you can use it and how you can avoid getting your own IPs on a Blacklist.
What are email Blacklists?
As the name suggests, an email blacklist contains a list of IPs that have been reported to be a source of spam. Most blacklist authorities implement what is called a DNSBL – DNS-based Black List. This is similar to the normal DNS, only instead of querying to get the IP address of a domain name, we query the DNSBL to see if an IP address is on that list. It returns details as to why the IP address is listed on that Blacklist, usually including a URL that can be visited to get more details.
Some of the most popular DNSBLs are:
Spamhaus – zen.spamhaus.org
SORBS – dnsbl.sorbs.net
SpamCop – bl.spamcop.net
There are blacklists dedicated to different types of unsolicited mail. You can check this link for a more detailed listing.
How are Blacklists used?
As a Webhost, you can configure your mail server to look up the sender’s IP address on a DNSBL before accepting the mail from that IP. If you are using a control panel (cPanel, Plesk etc), this can be done via the control panel itself, and usually only involves ticking a few boxes and restarting the mail server. Under the mail server configuration section look for “Blacklists”, “DNSBL” etc. If you are not using a control panel, you will have to manually configure your mail server to check these blacklists. Once enabled, for each mail received by your server, it will check if the sender’s IP is on any of the blacklists you have selected. If it is, the mail is bounced back to the sender, along with the result received from the DNSBL on looking up that IP address.
You can also manually check to see if your IP addresses are listed on any of the popular blacklists using tools provided by MXToolbox or Anti-Abuse.
Choosing a DNSBL:
It is important to check the status and reputation of a blacklist before deciding to use it. Points to look out for:
- Do they keep the number of false positives to a minimum?
- Is it frequently updated?
- Is it still online?
All of these can be answered after a quick search on the internet and reading what people say about that DNSBL. Blacklists that have been shut down are known to cause problems in normal mail delivery, as the mail server continues to wait for a response from the DNSBL before accepting the mail. Sometimes a dead DNSBL even causes the mail server to identify all IPs as blacklisted. The three blacklists I mentioned earlier are among the best out there, so you should be safe using them.
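The lookup described under "What are email Blacklists?" and the dead-list failure mode above can both be checked from a script. The following is an added example, not code from the original post: it builds the DNSBL query name and uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) to reject a list that answers everything or nothing. The zones under `.example`, the sample resolver and its records are constructed for illustration.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Query name for a DNSBL: the IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    """A-record lookup via the system resolver; None means no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # NXDOMAIN, timeout or resolver failure
        return None

def is_listed(ip, zone, resolve=resolve_a):
    """An IP is listed when its query name resolves to a 127.0.0.0/8 address."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def zone_is_sane(zone, resolve=resolve_a):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A list that answers everything, or nothing, fails this check."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))

def check(ip, zones, resolve=resolve_a):
    """Map zone -> True (listed), False (clean) or None (zone unusable)."""
    return {z: is_listed(ip, z, resolve) if zone_is_sane(z, resolve) else None
            for z in zones}

# Constructed sample records so the demo runs offline (hypothetical zones).
SAMPLE_DNS = {
    "2.0.0.127.good.dnsbl.example": "127.0.0.2",   # mandatory test entry
    "10.2.0.192.good.dnsbl.example": "127.0.0.4",  # 192.0.2.10 is listed
}

def sample_resolve(name):
    if name.endswith(".wildcard.dnsbl.example"):   # dead list answering everything
        return "127.0.0.2"
    return SAMPLE_DNS.get(name)                    # anything else: no answer

if __name__ == "__main__":
    zones = ["good.dnsbl.example", "wildcard.dnsbl.example", "gone.dnsbl.example"]
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check(ip, zones, sample_resolve))
```

Calling `check()` without the `resolve` argument queries real zones through the system resolver; a `None` result means the list should be removed from the mail server's configuration rather than trusted.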
How can my IP address get listed and how do I stop it?
There are three major problems that could cause your IP addresses to get blacklisted. Let’s look at each of them and a quick fix for each:
1) Users sending out spam.
As mentioned in my previous post, mailing lists are a popular source of spam, and can easily get your IPs blacklisted if not monitored. Setting up an FBL will keep you aware of the spam reports received for mail sent from your server. You should receive these reports before your IPs are blacklisted. So if you act fast you can avoid having to go through the process of getting your IPs de-listed.
Users could also send out mail via your server using PHP scripts. If these scripts are not properly protected, spammers could use them to send out spam. Or if the security measures on your servers are not strong enough, spammers could upload PHP scripts to a vulnerable account on your server and use them to send out spam. One effective means of identifying the source of such attacks is by switching to suPHP. Conveniently, a colleague of mine has recently written this excellent article on how this can be done on a cPanel server.
2) Open Relay.
An Open Relay is a server that allows “anybody” to send mail via the server without the need to authenticate themselves. If you are using a control panel, your server is most probably already configured not to act as an Open Relay. However a misconfiguration in the mail server could cause it to act as an Open Relay, so it is important to test your server. You can do this using the tests on any of the following sites:
or you can use the following command via Shell/Command Prompt:
telnet relay-test.mail-abuse.org
You will be notified if your server is acting as an Open Relay. If you are using a control panel, rebuild your mail server’s configuration or reinstall it using the options provided by the control panel itself. This should stop it from being an open relay without breaking integration with the control panel. If you are not using a control panel, make sure you configure the mail server to require senders to authenticate themselves before relaying mail via your server.
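What an open relay test checks, in SMTP terms, is whether the server accepts an unauthenticated envelope whose sender and recipient are both outside the domains it hosts. The following is an added example for testing a server you administer, not code from the original post; the `FakeServer` class, the `.example` addresses and the function name are constructed for illustration.

```python
import smtplib
import sys

def accepts_relay(smtp, sender, recipient, helo="relay-check.example"):
    """True if `smtp` accepts, without authentication, an envelope whose sender
    and recipient both belong to domains the server does not host.
    Only the envelope is tested: the transaction is reset before DATA, so no
    message is ever queued. Some servers refuse later, at DATA."""
    smtp.ehlo(helo)
    code, _ = smtp.mail(sender)
    if code != 250:
        return False                 # refused at MAIL FROM
    code, _ = smtp.rcpt(recipient)
    smtp.rset()
    return code in (250, 251)        # 251 = "user not local; will forward"

class FakeServer:
    """Constructed stand-in for smtplib.SMTP so the example runs offline.
    `local_domains` are the domains this pretend server hosts."""
    def __init__(self, local_domains, open_relay):
        self.local, self.open_relay = set(local_domains), open_relay
    def ehlo(self, name=""):
        return 250, b"ok"
    def mail(self, sender):
        return 250, b"sender ok"
    def rcpt(self, recipient):
        domain = recipient.rsplit("@", 1)[-1]
        if domain in self.local or self.open_relay:
            return 250, b"recipient ok"
        return 554, b"relay access denied"
    def rset(self):
        return 250, b"ok"

if __name__ == "__main__":
    if len(sys.argv) > 3:            # usage: script.py HOST SENDER RECIPIENT
        host, sender, recipient = sys.argv[1:4]
        with smtplib.SMTP(host, 25, timeout=10) as conn:
            print(host, accepts_relay(conn, sender, recipient))
    else:                            # offline demo with constructed servers
        for name, srv in (("hardened", FakeServer({"hosted.example"}, False)),
                          ("misconfigured", FakeServer({"hosted.example"}, True))):
            print(name, accepts_relay(srv, "a@outside.example", "b@elsewhere.example"))
```

For a real run, run the script from a host outside your network and use sender and recipient addresses at domains the server does not host, otherwise an accepted recipient is ordinary local delivery rather than relaying.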
3) Malicious scripts
In the previous two examples, the spam was sent from the server using the mail server on that server itself. Another way you could get blacklisted is if there are malicious/spamming scripts on your server that are sending out spam by connecting directly to the remote mail servers. This bypasses your mail server completely, so there will be no trace of these mails in your mail logs, but your IP address will still be listed as the source of the spam. The best way to stop this kind of attack is to use the server’s firewall to prevent normal users from connecting to port 25 on remote servers. You will still have to allow the mail server to connect to port 25 on other servers, so we can’t block outgoing access to port 25 completely. This can be achieved with the Linux kernel firewall via iptables using the following rules:
-A OUTPUT -p tcp --dport 25 -m owner --uid-owner username -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j DROP
The first rule specifies that only a process with the effective user ID “username” will be allowed outgoing access to port 25. Here you must specify the user ID/username under which your mail server will be running. The second rule blocks all other outgoing access to port 25. Once enabled, the only way to send mail from your server will be via your mail server. It will also be a good idea to allow the “root” user outgoing access to port 25.
These three simple steps should help keep your server’s IPs off email blacklists, ensuring that mail sent by your customers does indeed reach its destination 🙂
About the Author:
Hamish works as a Senior Software Engineer in Bobcares. He joined Bobcares in July 2004, and is an expert in Control panels and Operating systems used in the Web Hosting industry. He is highly passionate about Linux and is a great evangelist of open-source. When he is not on his xbox, he is an avid movie lover and critic.
Thanks so much for recommending our DNS tools! Along with the Blacklist Lookup tool, we also have a few other tools that may be of interest including SPF Lookup, MX Lookup, Email Header Analyzer (as you mentioned) and much more!
One of the tools that we are the most excited about is the Free Monitoring Tool. This tool will send you an alert if your server is Blacklisted. You can also configure it to send you an alert if your server goes down. We are working hard on creating an all in one tool that does all the DNS tests and lookups you could ever need! If you have any other tool additions or feedback, please let us know.
Thanks,
@MxToolBox