IP Blacklist and Blacklist Removal

briannaUncategorizedLeave a Comment

Everyone hates spam. Even worse is malware—something that infects your computer and sends spam out to you and others or tries to hack into systems. In response to these problems, many people began to maintain lists recording who generates spam and malware. An “IP blacklist” is used by most mail servers and some firewalls as a step in deciding whether to accept emails, mark as “Junk,” or just drop traffic altogether.

IP Blacklist Listings

Different blacklists have different ways of collecting addresses. Some mail servers collect data from users clicking “This is spam” and report this to blacklist maintainers, while other blacklist operators have “honeypots.” Honeypots are systems designed to attract spam, so they can blacklist any IP address from which they receive spam.

A significant amount of spam comes from home computers and other devices that have been infected with malware, making them part of a “botnet.” Some operators even actively scan the Internet, looking for devices with certain vulnerabilities that they know have been exploited by botnets. Residential users and cell phones generally don’t run mail servers, so any indication that an IP address is part of a pool used for those may put an address range on a blacklist.

Problems with Blacklists

The main problem with blacklists is collateral damage – traffic blocked that shouldn’t be. A few blacklists intentionally do this, to force large IPv4 block holders to take action in preventing spam from reaching their customers. In some cases, a device got blacklisted for spam, but was later patched and the spam stopped. Many blacklists have an “aging” policy, where if no further problems are seen or reported over a period of time, an IP address will be removed from the list. If it’s reported again, it may take longer to age out next time.

Often, IPv4 addresses for sale will include some that have been blacklisted. Companies looking to buy, should always conduct some diligence. But it is important to remember that IP addresses can be listed (or de-listed) at any time, so a blacklist check two weeks ago may have no correlation with one today.

Checking Blacklists

Most blacklists offer a web page where you can check whether an IP address has been listed. That’s not going to work if you want to check 65,536 IPv4 addresses. A few blacklists allow you to download their list to search locally (or sync with github). For two major operators, SORBS and Spamhaus, you’ll need to script a test.

Both SORBS and Spamhaus operate DNSBLs, for Domain Name Service Black-Lists. They allow queries over DNS and return a code that tells you which list an address is on.

For instance, if I want to find out about 192.0.2.43, I can run the Unix command:

$ dig 43.2.0.192.in-addr.arpa @dnsbl.sorbs.net +short

I may get a response like “127.0.0.6,” which SORBS tells me means it’s on their spam list. The equivalent command in Windows command line console is:

>  nslookup [email protected] 43.2.0.192.in-addr.arpa

To query an entire block, you’ll need a script that queries every address in that block. IPv4.Global is able and happy to run such a check for our customers.

IP Blacklist Removal

Every blacklist maintainer has their own mechanism for getting addresses removed that often requires some demonstration that the original cause of the listing has been removed. For several SORBS lists, you have to request a retest:

  1. Log into a machine using the blacklisted IP address, browse to their support page, and click “Request Key.”
  2. You then email the key to SORBS and they retest;

If the test passes, SORBS will flag the address to be removed. If you don’t have access to that machine, or it doesn’t have a browser, you can try to open a support ticket.

Spamhaus similarly provides a web interface, which tells you which list you’re on with links to clean up.

Fortunately, most blacklist operators recognize that spam doesn’t come from unrouted IP addresses, so simply taking the network offline, as you would in preparation to sell, provides a good reason why you can’t retest and why they should reconsider. Similarly, showing the record of when an IPv4 address block was transferred is often acceptable documentation: the old management may have been lacs, but you, the IP address buyer, are not responsible for their actions.

As with so many parts of buying and selling IP addresses, you can do it yourself, but the help of an experienced broker like IPv4.Global can make your life a whole lot easier. Reach out to us today for all of your IPv4 needs.

Leave a Reply

Your email address will not be published. Required fields are marked *