<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Technology Management &#187; spam</title>
	<atom:link href="http://www.itcapability.com/tag/spam/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itcapability.com</link>
	<description>Articles, thoughts and insight into the world of information technology</description>
	<lastBuildDate>Thu, 22 Jul 2010 01:14:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>When IP Reputation Goes Wrong</title>
		<link>http://www.itcapability.com/2010/07/16/when-ip-reputation-goes-wrong/</link>
		<comments>http://www.itcapability.com/2010/07/16/when-ip-reputation-goes-wrong/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 18:49:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Mail]]></category>
		<category><![CDATA[blacklists]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.itcapability.com/?p=15</guid>
		<description><![CDATA[For many years, I have had a server at one colocation site or another.  I host a number of my own sites, and a handful of others which helps pay for the cost of hosting.  I was growing increasingly concerned that my 4-year-old Dell 2950 server was going to die and leave [...]<p><a href="http://www.itcapability.com/2010/07/16/when-ip-reputation-goes-wrong/">When IP Reputation Goes Wrong</a> is a post from: <a href="http://www.itcapability.com">Information Technology Management</a></p>
]]></description>
			<content:encoded><![CDATA[<p>For many years, I have had a server at one colocation site or another.  I host a number of my own sites, and a handful of others which helps pay for the cost of hosting.  I was growing increasingly concerned that my 4-year-old Dell 2950 server was going to die and leave me high and dry.  A few months ago, I saw that the colocation company I use was running a special &#8211; a much newer/faster dedicated server and 10x the bandwidth for about $100 per month less than I was paying to host my own old server.  Good deal, I thought, particularly since that is $100/month back into my pocket.</p>
<p>As part of turning up the dedicated server, I received a new block of IP addresses.  I migrated the sites and data to the new server without much of a problem.  The next day is when the fun began.</p>
<p>One of the sites I host is a non-profit organization that does a lot of communication with members (nearly 19,000) via email lists.  I got a message from my contact at that organization that he was seeing a lot of email bounces.  I took a look at the mail server logs, and sure enough, most destinations were rejecting mail from this new server because the IP addresses provided to me appeared in many DNS blacklists.</p>
<p>I found this pretty frustrating.  I wasn&#8217;t mad at my provider, I was mad at the maintainers of these lists for some reason.  My provider graciously offered new addresses or to reroute my former addresses to the new server.  I saw it as a challenge, though.</p>
<p>I saw a lot of rejections that looked like this:</p>
<p>** xxx@xxx R=lookuphost T=remote_smtp: SMTP error from remote mail  server after initial connection: host smtp.secureserver.net  [216.69.186.201]: 554-m1pismtp01-019.prod.mesa1.secureserver.net\n554  Your access to this mail system has been rejected due to the sending  MTA&#8217;s poor reputation. If you believe that this failure is in error,  please contact the intended recipient via alternate means.</p>
<p>This was far and away the most common rejection notice, and there was no detail on how or why my addresses were there.  I spent some time on Google and found that this message comes from the Cisco IronPort mail security product, and even found a <a href="http://www.senderbase.org/senderbase_queries/detailip?search_string=69.61.23.66">link</a> that validated my IP&#8217;s reputation was poor in their eyes.  In my reading about IronPort and SenderBase, I found that it&#8217;s tough to get off the list if you are listed in the common DNS RBLs.  So, I put my IP address into <a href="http://www.mxtoolbox.com/blacklists.aspx">MX Toolbox</a> and got a long, ugly list of blacklists I was included in.  Starting from the top, I visited the site of every single one, and completed the removal request form, or sent an email to the list&#8217;s administrator pleading my case.  Within a week, my IP address was not on any of the DNS RBLs tracked by MX Toolbox.  Unfortunately, I was still seeing a large percentage of outbound email being rejected, most of it still coming from the IronPort product.  I sent a message to support at senderbase.org, explaining the situation, and that I had gone to the effort of removing those addresses from the blacklists.  I was pleasantly surprised to get a message back within a few hours asking some questions.  I had to follow up twice, but within a week, I was showing &#8220;good&#8221; on senderbase.org&#8217;s reputation lookup tool, and was not seeing any more rejections from IronPort mail servers.</p>
<p>Next on my list to fix were emails being rejected by Barracuda spam firewalls because my IPs were on the <a href="http://www.barracudacentral.org/reputation">Barracuda Reputation Block List</a>.  I had no idea how many organizations use the Barracuda anti-spam system.  In my logs, I saw this:</p>
<p>** xxx@xxx R=lookuphost T=remote_smtp: SMTP error from remote mail  server after RCPT TO:&lt;xxx@xxx&gt;: host barracudamailsrv.udem.edu.mx  [148.238.48.37]: 554 Service unavailable; Client host  [www3.stelesys.com] blocked using Barracuda Reputation;  http://bbl.barracudacentral.com/q.cgi?ip=69.61.23.66</p>
<p>Fortunately, Barracuda lets you know the source of the problem, unlike IronPort.  Barracuda lets you look up your IP, and if you are on their list, gives you the option to request it be removed.  As with many of the blacklists, removal appeared to be automated, indicating that since this was the first request to have that IP removed from the list, it would be removed.  I suspect that if I started spamming from that address, it would be harder to get off the list the next time around.</p>
<p>At this point, nearly all outbound mail is being delivered.  I noticed that a good number of Barracuda mail firewalls do not update frequently, and 3 weeks after being removed from the Barracuda list, there are still a small handful of mail servers rejecting mail from my server because the Barracuda application thinks I am still on the list.  I found a few organizations that apparently maintain their own private blacklists, and all but one included directions on how to request removal &#8211; Qwest Communications being the exception.</p>
<p>There is still one list that is blocking me, though&#8230;  I found it by looking at my IP address using the search tool on this <a href="http://www.linuxmagic.com/products/bms/lookup">page</a>.  My IP shows as being listed by <a href="http://www.mipspace.com/">mipspace</a>.  After digging around on their site, I found a contact email for them.  As with every other blacklist admin previously, I pleaded my case.  I got an email back from the list administrator indicating that the whole /17 netblock for my colo was in the list because of rampant spamming.  Their suggestion was to ask my ISP to <a href="http://en.wikipedia.org/wiki/Shared_Whois_Project">SWIP</a> the /28 netblock for my server to me.  I have yet to do that, since I am not seeing any rejections caused by obscure DNS RBLs.</p>
<p>Learn from my story &#8211; if possible, research the IP addresses you are given first if you care about things like having email delivered.  I spent roughly 30 hours over the course of a month to clean up these IP addresses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itcapability.com/2010/07/16/when-ip-reputation-goes-wrong/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

