An IP Has Been Blacklisted. How to Identify the Source and Remove the Spam

Plesk Servers > Email
Shared hosting customers: This should only serve as documentation. Please open a ticket with our support team to have an IP address investigated and removed from a blacklist. 
 
Dedicated server customers: You may attempt this yourself, but beware, if you request removal, and you get blacklisted again, your wait time for removal will be extended. Wait times can be extended to upwards of a month when re-listed. It would be in your interest to open a support ticket.
 
Identify the Reason an IP Address Has Been Blacklisted and Mitigating It
 
An IP address blacklist is a listing of IP addresses which have been reported to have sent spam. When users mark a message as spam or filters note patterns in a message that have occurred in known spam, the originating IP address of the messages can be added to various blacklists on the Internet. A mail server subscribing to those blacklists will refuse to deliver a message originating on a server with that IP address.
 
When an IP address has been blacklisted, the destination mail server will reply with a message indicating that the source server's IP address has been blacklisted. The message often contains a link to steps that can be taken to remove the IP address from the black list. Below is a snippet of a header from a failure to deliver message.
 
Could not deliver message to the following recipient(s):
Failed Recipient: name@cox.net<mailto:someoneelse@anotherdomain.com>
Reason: Remote host said: 554 fed1rmimpi309 cox 70.xx.xx.xx blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.
The link in the error above references the blacklist that lists the IP address in question and information on how to de-list the address. Before attempting to de-list the address, the account that was sending the spam should be identified, the password for that account should be changed, any spam in the mail server's spool should be removed, and the request should be submitted to de-list the IP address. 
 
If you have a shared hosting account and you receive a "failed to send due to blacklist" error, contact the support department for assistance in rectifying the issue. One of your domain's or another domain on your email server may have been compromised and has sent spam.
 
If you are a dedicated server customer, you can follow the steps below, but may need to contact Support to initiate the de-listing process with the organization maintaining the blacklist.
 
Identify the Compromised Mail Account
  1. Log into the server that is blacklisted.
  2. Log into the SmarterMail server using one of the methods below.
    • Open a browser and type the IP address of the server with :9998 appended to the end and use admin and the server's password to log in.
    • Using the @Managed.com Control Suite, right click on the SmarterMail server to Log in as Admin.
  3. Log into SmarterMail using the admin account by starting Control Suite > right click on SmarterMail > choose Login as admin.
  4. Click on Manage and view the Waiting to Deliver spool to determine if there's a backlog of mail that's going out.

    Waiting to Deliver Spool
     
  5. If so, identify the user(s) sending out the mail and clean out any spam.
    1. Log into Plesk or Control Suite and change the password of the compromised account to a randomized password.
    2. Stop the SmarterMal service to prevent the spam from being delivered. Press Windows  + R and type Services, locate and right click on SmarterMail Service > click Stop.
    3. Delete the spam that’s in the spool.Use the script below to clear both the mail content and the headers. To remove email from a specific domain or email address, copy the following code into a file named clear.bat and place the file the C:\SmarterMail\Spool\  folder and run it .  You will be prompted for what to search for in the emails.  Type this information in and press Enter. This will delete all matching emails with no prompting, so be careful with what you search for.  We recommend contacting support for assistance with using this script.
    4.  
      @echo off
      SET /p searchString=Search for:
          for /f "delims=" %%a in ('findstr /s /m "%searchString%" *.eml *.hdr') do call :doWork "%%a"
         
          PAUSE
          exit /B
       
      :doWork
          SET fn=%~1
           
          if %fn% neq %0 (
              ECHO %fn:~0,-4%
              del %fn:~0,-4%.eml
              del %fn:~0,-4%.hdr
          )
       
    5. Restart the Smartermail service. (Services > right click on SmarterMail Service > Start.)
    6. Contact the user about the spam and new, randomized password.
  6. ​If the spam has already been delivered, select Reports > System Summary Reports > Traffic Reports > SMTP OutUsage to identify the domain that has used the most bandwidth when sending mail.


     
    1. Click on the domain in question - highest outgoing message count.

      SMTP OutUsage
    2. Locate the user with the highest bandwidth. This mailbox is often the culprit for sending out the spam.
    3. Log into that user's mail account and view their outgoing mail to confirm that the mail being sent is spam. (Use Control Suite to retrieve their current password.)
    4. If the messages are spam, log into Plesk (or Control Suite) and change the password to a randomized password.
    5. Contact the mail user to let them know about the spam and password change. Educate them on how to avoid recurrences.
Now that the spam has been taken care of, see How to Remove an IP Address from a Blacklist.
To catch spam before your IP becomes black listed see Adding an Event in SmarterMail to Monitor Mail Spool Activity.
To help avoid compromised mail accounts see How to Set SmarterMail Minimum Password Requirements.

Add Feedback