“My IP is blacklisted. How to remove it?” – Experts answer
“Help! My IP is blacklisted. All my mails are bouncing. How to remove it?“
This is a common support request we resolve here at our Server Administration Services support desk.
Website owners wake up one day to find all their business mails bouncing, citing the reason that the server is a source of spam.
Why IPs get blacklisted
IP address blacklisting happens when spam traps set by IP reputation monitoring services (SpamHaus, SpamCop, etc.) detect spam coming out of a server.
It can happen due to:
- Spam scripts uploaded to a hacked web site which has outdated and vulnerable web applications(WordPress, Joomla, Drupal, etc).
- Stolen/leaked passwords to email accounts that allow spam mails through email authentication.
- Unsecured email server that acts as an open email relay.
How to delist an IP from DNSBL
All popular blacklists allow you to delist a blacklisted IP by visiting the link mentioned in the bounce mail.
BUT don’t do it without eliminating the source of spam from your server.
So, follow this sequence of steps:
1. Identify the source of spam and suspend the account
If your server is listed as a spam source, it’ll likely have a hacked website, or a compromised email account or a mail server config error.
First identify and fix that.
To find a compromised account, we follow a 3-step procedure:
- Find the mail volume per account per hour from the mail log. The one that sends a large amount of mail should be the compromised account.
- Find the source of mail. That is, find if it was locally generated (through the website) or through a mail client.
- If it is the website, we correlate the mail logs with web logs to find the spam script. If it an external mail client, we know that the mail password is leaked.
We temporarily suspend the compromised account to quickly put an end to the spamming.
Not sure how to do this? We can help. Click here to contact our server experts.
2. Change the Mail server’s IP
In many servers, there would be 2 or more IPs.
Once we’ve suspended the compromised account, we change the mail server IP to immediately restore mail delivery.
Here’s how to do it in 3 popular mail servers
- Exim – Add the line
interface = XX.XX.XX.XXunder
exim.confand restart Exim.
- Sendmail – Edit the file
/etc/mail/sendmail.mcand add change
Addrin the line
DAEMON_OPTIONS(`Port=smtp,Addr=XX.XX.XX.XX,Name=MTA'). Regenerate the config with
m4, and restart Sendmail.
- Postfix – Edit
/etc/postfix/main.cf, add the IP in
inet_interfaces = XX.XX.XX.XXand restart Postfix.
If you are not sure how to do this, our server experts can help you. Click here to submit a support request.
3. Request delisting the IP
At this point, there will no longer be any spam going out of your server.
So, you can click on the link in the mail bounce to request de-listing of your IP.
For eg. if the bounce said, http://www.abuseat.org/lookup.cgi?ip=XX.XX.XX.XX, go to that link and submit your IP.
If you need help with this step, click here to talk to our experts.
4. Clean the compromised account and un-suspend it
The server IP delisting can be instantaneous, or it can take a couple of days based on your previous delisting history.
In that time, thoroughly clean your website of any malware or files that you do not recognize.
A quick solution we use is to restore a clean copy of the website from backup.
If you do not have a backup, you’ll need a web developer to go through the files one by one and clean out malicious code. Click here if you need assistance.
How to prevent IP blacklisting
IP delisting can be an exhausting process.
Anyone who went through it once wouldn’t want it to happen again.
And that is why we always recommend preventive measures to blacklisted servers.
Here are a few top anti-spam and anti-malware measures we implement in our customer servers:
1. Harden the web server to prevent spam script upload
Spammers exploit vulnerable web applications to upload spam scripts. We prevent this in our customers servers by setting up and maintaining web application firewalls like ComodoWAF and mod_security.
We fortify it with anti-virus scanners and anti-malware scanners so that no known malware signature will get through into the server.
2. Setup upload scanners that triggers based on file system change
Even if we’ve secured vulnerable web applications, spammers can still upload malware through compromised FTP accounts.
We block this by setting up anti-malware scanning whenever a new file is created (called
In this way, no matter which way a malware enters the server, it’ll still be found and deleted.
3. Enable outbound mail scanning
What if the email account logins are stolen?
To put a block to that, we enable anti-spam scanning in all outgoing mails.
In this way, even if a spammer manages to hack an email account, and send spam, it’ll still be blocked by the server.
4. Rate limiting outgoing mail per account
Now let’s assume that all our other defenses failed, and the spammer was able to send out a spam.
To limit the damage in such a case, we put rate limits on each email account. We’ve found that legitimate business mail accounts won’t send more than 50 mails an hour.
So, even if the worst happens, the spam volume won’t be enough to get the IP listed in all spam lists.
5. 24/7 monitoring and periodic security audit on server settings
To prevent the possibility that the mail server may become vulnerable, we audit our customer servers periodically.
We patch vulnerable server versions, and audit the settings to make sure it does not allow open relay.
We monitor the IP blacklists 24/7 as well so that even if one of our customer’s servers get listed, we’ll be able to restore services before business is affected.
Many website owners and service providers come to us with the question “My IP is blacklisted. How to remove it?”. Here we’ve listed the causes for the error, how to fix it, and how to prevent it.