I just tried replying to one of my customers and received a Spamhaus bounce back. My mail server IP [19x.1xx.60.84] is being blocked by Spamhaus. Please help!
That was a recent support request we received in our Server Support Services for web hosts.
Spamming activity can get a mail server's IP address added to email blacklist databases such as Spamhaus. Most receiving servers reject mail from IPs that appear on these blacklists.
Today, we’ll see how our Support Engineers restore mail functionality after Spamhaus IP block and take proactive measures to prevent such instances again.
What causes Spamhaus block?
Now, let’s see more details on Spamhaus block.
Spamhaus is a popular organization that tracks spam, malware, etc. on the internet. When a server violates mail policy by sending bulk mail, or hosts malware or phishing pages, its IP gets added to the Spamhaus block list.
Unfortunately, Spamhaus listing does not provide any warnings or have a grace period.
All that a server owner would get is a block notice from Spamhaus saying:
This is an automated message from the Spamhaus Block List (SBL) database to advise you that the IP below has been added to sbl.spamhaus.org: IP/cidr: 1xx.201.xx.212 Problem: ROKSO Spammer (known professional spammer) Pony Downloader.Pony botnet controller @1xx.201.xx.212
And that immediately blocks outgoing mail originating from these blacklisted IP addresses.
How to fix outgoing mail block?
When the server IP gets added in the Spamhaus block list, it affects all the mail users on the server. Therefore, there is a need for immediate action in this case.
Now, let’s see how our Server Support Engineers act upon Spamhaus IP block. The actions include corrective and preventive measures.
Corrective measures
Firstly, we will see the immediate corrective action that we take on Spamhaus blacklisting.
1. IP blacklist check
As the first step, our Server Engineers do a blacklist check of the server IP address. This helps us to identify the reason for blacklisting and the time at which spamming occurred.
With the time stamp, we check the mail server logs as well as the web server access logs for spamming. Luckily, these details help us to identify the website involved in the malicious activity.
Failure to find the source can result in further spamming.
2. Check for infected files/compromised email account
In most cases, spam mail originates from compromised email accounts or hacked accounts.
Usually, hackers target multiple accounts on the server. They exploit the same vulnerability in multiple websites that use the same software. For example, if a hacker makes use of a vulnerable WordPress plugin, it's possible that many accounts using this plugin are involved in spamming.
That’s why, our Support Engineers do a complete server scan to find all the infected files and disable them. Also, we reset the password of compromised email accounts to stop spamming.
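The log check from steps 1 and 2, as an added example that is not the support team's own tooling: it counts accepted messages per sending identity in a window around the listing time reported by the blacklist check. It assumes Exim-style main-log lines (the page does not name the mail server); the sample log, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Exim main-log style; "<=" marks a message accepted for sending.
SAMPLE_LOG = """\
2024-03-05 02:14:07 1rhAAA-0001aa-01 <= wpuser@host.example U=wpuser P=local S=1820
2024-03-05 02:14:08 1rhAAB-0001ab-02 <= wpuser@host.example U=wpuser P=local S=1822
2024-03-05 02:14:08 1rhAAB-0001ab-02 => rcpt@mail.example R=dnslookup T=remote_smtp
2024-03-05 02:14:09 1rhAAC-0001ac-03 <= wpuser@host.example U=wpuser P=local S=1819
2024-03-05 02:20:41 1rhAAD-0001ad-04 <= info@shop.example H=(pc) [203.0.113.7] P=esmtpsa A=dovecot_login:info@shop.example S=2311
2024-03-05 09:30:00 1rhAAE-0001ae-05 <= wpuser@host.example U=wpuser P=local S=1800
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
ARRIVAL = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (\S+) (.*)$")
AUTH = re.compile(r"\bA=\w+:(\S+)")   # SMTP-authenticated mailbox login
LOCAL = re.compile(r"\bU=(\S+)")      # local system user, e.g. a website script


def senders_near(log_text, listed_at, window_minutes=60):
    """Count accepted messages per sending identity around the listing time."""
    t0 = datetime.strptime(listed_at, TS_FORMAT)
    span = timedelta(minutes=window_minutes)
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery ("=>") and other lines are not new submissions
        when = datetime.strptime(m.group(1), TS_FORMAT)
        if abs(when - t0) > span:
            continue
        auth, local = AUTH.search(m.group(3)), LOCAL.search(m.group(3))
        if auth:
            counts["smtp-auth:" + auth.group(1)] += 1
        elif local:
            counts["local-user:" + local.group(1)] += 1
        else:
            counts["unauthenticated:" + m.group(2)] += 1
    return counts


def suspects(counts, threshold):
    """Identities at or above the threshold, for a file scan or password reset."""
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = senders_near(SAMPLE_LOG, "2024-03-05 02:30:00")
    print(found.most_common(), suspects(found, threshold=3))
```

A `local-user:` hit points at website files under that account (scan them); an `smtp-auth:` hit points at a mailbox whose password needs resetting.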
3. IP delisting
After removing the malicious contents, the next step is to submit an IP delist request at Spamhaus.
Fortunately, the bounce message itself holds the link to the delist request. For example, an actual bounce would look like:
Remote Server returned '550 5.7.501 Service unavailable, Client host blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (AS16xxx849)'.
Here, our Server Engineers disable the infected files, suspend the accounts and then submit the delist request.
4. Mail server IP change
Delisting of the IP address happens only after a review by the Spamhaus team. Therefore, it can take a few hours to a day's time.
But, we cannot wait for so long in live servers as it would affect mail delivery.
That’s why, our Server Support Engineers often restore mail functionality by setting a new clean mail server IP. Here, we set proper forward and reverse DNS records for the new IP to avoid potential problems with sending mails.
Preventive Measures
Till now, we saw the corrective actions that we take on the affected server.
But there is a chance that spamming activity happens again. To avoid this, our Support Engineers take additional steps to prevent further spamming. These steps include:
- Periodic mail queue checking, with email alerts set for when the number of mails goes above a threshold.
- Scanning the website files on the server using tools like Maldet, CXS scanner, etc.
- Enforcing email authentication in the mail server, that is, blocking mail from unauthorized users.
- Periodic reputation checking of the mail server IP address.
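The blacklist check from step 1 and the periodic reputation check above can share one script. The following is an added example, not code from the original article: it builds the DNSBL query name for an IPv4 address and separates real listings from query-error answers, which a monitoring job must not report as a block. The return-code tables follow Spamhaus's published codes for zen.spamhaus.org; the function names and the injected test resolver are assumptions made for illustration.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # zone named in the bounce text quoted on this page

# 127.0.0.x answers mean "listed"; the last octet identifies the list.
LISTS = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         9: "SBL DROP", 10: "PBL", 11: "PBL"}
# 127.255.255.x answers are query errors and must not be read as a listing.
ERRORS = {252: "typo in zone name", 254: "query sent via public/open resolver",
          255: "too many queries"}


def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name; [] on NXDOMAIN (not listed) or any lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check(ip, resolver=system_resolver):
    """Sort the resolver's answers into listings and query errors."""
    listed, errors = set(), set()
    for answer in resolver(query_name(ip)):
        a, b, c, d = (int(part) for part in answer.split("."))
        if (a, b, c) == (127, 0, 0):
            listed.add(LISTS.get(d, "unknown code %d" % d))
        elif (a, b, c) == (127, 255, 255):
            errors.add(ERRORS.get(d, "error code %d" % d))
    return {"ip": ip, "listed": sorted(listed), "errors": sorted(errors)}


if __name__ == "__main__":
    # Constructed answers stand in for DNS so the demo runs offline.
    fake = lambda name: ["127.0.0.4", "127.0.0.2"]
    print(check("192.0.2.10", fake))  # documentation-range IP, not a real server
```

Run it from the mail server's own resolver on a schedule and alert when `listed` is non-empty; a non-empty `errors` means the lookup itself needs fixing, not the IP.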
Conclusion
It's quite common for a server IP to get listed on Spamhaus due to spamming. This blocks outgoing mail from the server. Today, we've seen how our Support Engineers take action to get mail working again and avoid further IP blacklisting.
Hello,
I use Surfshark VPN. However all my mails (private) are blocked by Spamhaus. How can I solve this issue?
Thank you in advance for your reaction.
Regards,
Jan ter Beek
Hello Jan,
For some reason, Spamhaus is blocking mails from your IP address. The fix involves figuring it out and then delisting. Our Engineers can help you. We’ll be happy to talk to you on chat (click on the icon at right-bottom).
The real problem is that Spamhaus block blocks, not addresses. I am blocked because someone at 82.x.x.x has done something, yet I am at 80.x.x.x. They are completely irrational and obstructive. They get away from getting sued into obscurity because it is the little guy that suffers and they grandstand on the moral high ground while not actually doing an effective job. Even the writer says his company have to get another IP address rather than expect them to actually do the job they are being paid for.
Hello Jamie,
Yes, Spamhaus block the server IP address even if a single user misuses the mail server. Replacing the mail server IP address works as a quick fix to minimize mail downtime.
Hell, I'm scared to even try anymore. It's just a way for people to keep using me and planning their exit without my knowledge that I've been there songbird dropping notes off randomly
Hi chase,
Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at right-bottom).
Hello,
I’ve had two emails returned to me today from MAILER-DAEMON@xxxx.com saying “Undelivered Mail Returned to Sender.” Oddly enough, the second email returned to me was in a chain of emails to someone – the first went through without any problems.
I don’t understand Spamhaus’s directions for getting my mail through. Can you help me? Thanks!!
Hello Barbara,
We need to check the email failure message to know the reason for the error. If you still have errors and need help, we’ll be happy to talk to you on chat (click on the icon at right-bottom).
This SpamHouse seems like a real pain in the butt.
Same problem here. My IP address was never ever used as a mail server and is simply blocked by those idiots.
Sent de-list request but they simply won’t do it. Now because I really need to start my own mail server I simply can not do it.
Self elected idiots telling us what we can and what we can not do. We pay for internet access not for being blocked by some idiots. I’m really pissed.
Hi,
Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at right-bottom).
I was doing just fine till Spamhaus came along. Now it's pure hell. Cannot count the number of times I've been forced into expending valuable time looking up a phone number to call someone all because I got spammed by Spamhaus. Go figure …..!!!
Recently I have received this message several times when sending out just 1 email: spamhaus.org/query/bl?ip=185.54.228.115 However, the message usually gets sent after about 60 seconds.
My internet connection is mobile broadband so the IP changes with each log on but it goes through the server of my ISP.
I publish a newsletter monthly for a not-for-profit organisation, sending to around 460 members and have been brought up short by new spamming restrictions and can only send out 35 addresses at a time without getting pinged. This goes for gmail and my organisation’s domain name. Are these incidents related and what can I do to continue emailing the newsletter?
Thank you
Hi Andrea,
We need to check the email logs for a detailed understanding of the situation. If you still receive these messages while sending emails and need help, please initiate a chat from the icon at right-bottom. We’ll be happy to help you.
I am able to receive the messages from client’s end but unable to reply or send new messages and getting this message
xxx@xxx.com
host mx10.xxx.com [213.143.146.147]
SMTP error from remote mail server after pipelined MAIL FROM: SIZE=10258:
550 5.7.1 103.129.98.16 listed at zen.spamhaus.org
Hi there,
It looks like your IP address is blacklisted. You will need to figure out the reason why it got listed and submit a request at their end for delist. We are happy to help you. To contact our support team, please initiate a chat from the icon at right-bottom.
My Thunderbird app says that Spamhaus is blocking my IP. Is it because of using Tunnelbear? I’ve noticed the VPN causes some issues. Thanks, Karen
I need help with preventing my email from getting bounced back
Hi,
Please contact our support team via live chat
I am having trouble with spamhaus and my mail.com email account.
I need this as we are trying to conduct business but have no idea of where to start as it is way out of my league.
Hi,
Please contact our support team via live chat