As explained yesterday, a client’s compromised email account sent out thousands of spam emails before it was detected and stopped. This has happened before, but the circumstances this time are different.
Most blacklists are automated, both in adding IP addresses to the blacklist and in removing them. This is a double-edged sword. On the plus side, IP addresses that are the source of spam are quickly added, making it less likely that spam will get through in subsequent attempts from the same IP address. Most, if not all, automated blacklists then remove the bad IP address fairly quickly after the spam stops. They realise that stuff happens, and when the spam stops they assume the problem is fixed and remove the IP address. There is short-term pain, but it’s measured in hours and the block is generally removed within your business day.
On the negative side, organisations and people that run blacklists are generally unwilling to manually remove IP addresses before they automatically expire. In and of itself this isn’t actually a bad thing; many blacklist wouldn’t be able to function if they had to field pleas and demands that IP addresses be removed. Quick, automated removal when the problem that caused the listing in the first place is fixed is the cure.
Unfortunately this situation has exposed a blacklist that actually seems to be designed to punish mail servers that have had a temporary problem, even after the problem has been stopped. This is unusual in our experience, as it makes the blacklist less useful, by blocking legitimate email long after the problem has been addressed. Information on their website states that it could be “a week or more” before an IP address is removedif they determine the spam outbreak to be severe enough — without defining “severe” — even though it has stopped. And since the addition and removal of IP addresses is automated, “you cannot” get your IP address removed manually. Full stop.
Since this blacklist is still blocking our mail server’s IP address almost 24 hours later, at 05:01 UTC we started relaying all mail sent by clients through our relay mail server (NC023), which has a different IP address. We will continue to monitor the blacklist in question and reverse this once our IP address is removed.
It seems that most of the mail servers we’ve seen using this blacklist are in South Africa. Mail bounced using this blacklist will show a message like the following, using real email addresses, domains and IP addresses of course:
<destination@example.com>: host something.co.za[1.2.3.4] said: 550-rejected because 212.71.255.195 is in a black list at truncate.gbudb.net 550 http://www.gbudb.com/truncate/ [212.71.255.195] (in reply to RCPT TO command)
If you’ve seen this, we suggest that you contact the person to whom you sent the email and suggest that they tell their hosting company that they should stop using blacklists that don’t operate within the norms of most blacklists. Feel free to point them to this blog post.
With all of the above said, we will be setting up a new mail server and migrating all accounts to it within the next couple of weeks. The new server will be better equipped to spot and stop these outbreaks automatically before they become “severe”.
As always, we appreciate your patience, and we also appreciate those clients that keep their anti-virus software up to date. If you have any questions, please feel free to contact us. Thank-you.