How Legitimate IP Addresses Get Blacklisted

Posted: Wednesday, May 02, 2007

by MXToolBox

“I’m Not a Spammer, so why is my IP Address Blacklisted?”
 
Every day, legitimate email users find their outbound email flow blocked by recipient email servers that use blacklists (aka blocklists, RBLs) to block spam. Most of these users are shocked to find their IP addresses on a list alongside the IP addresses used to flood the world’s inboxes with spam and malware. The news of their listing stirs up fear, anger, and righteous indignation. “How can we be on a blacklist when we don’t spam?” they ask. That is a great question: how do business email IP addresses operated by non-spammers get placed on legitimate, targeted spam blacklists (i.e. blacklists that list IP addresses that have recently sent spam, as opposed to lists that include large ranges of IP addresses by default)? Simple: by spamming.

“What,” you ask, “a non-spammer that doesn’t spam gets listed on a spam blacklist for spamming?” Yes. For several years, spammers have hijacked mail servers and other computers to send spam. The spammer’s strategy has always been to find a quiet, undefended place on a network where they can send spam and perform other illicit acts without detection. A recent example from one of our clients provides a real-life illustration of how this works.
 

Spammers Hide Clever Tools Where You Least Expect
 
This particular client (who will remain unnamed) runs an email server as well as an internal document server. They use an enterprise-grade email spam and virus filter and are relatively proactive in managing their network for security risks. Despite these efforts, a spammer was able to download a mass mailer program onto the client’s document server. How the spammer bypassed the client’s security remains unanswered; the payload was most likely delivered via a malware-infected website. In this case, even basic anti-virus software that stops executable programs from running without administrative permission would have stopped it, but the document server had no anti-virus protection running at all. What is more important to note, though, is where the spammer put their program and what the program did.
 

The program was a modified commercial mass mailing program known as Advanced Mass Sender 4.3 (published by KBB Software). This screenshot was forwarded to us after our client discovered the program on the document server:

[Screenshot: Botnet Mass Mailer Found on a Document Server]

The program is touted as a powerful email marketing tool, developed to manage and send mass quantities of email to a large number of clients quickly and affordably. The program’s features include:

The spammer managed to download the program onto a document server, a machine with no SMTP capabilities that most network administrators would not associate with email. But because the program has built-in SMTP capabilities, the spammer was able to send spam from the server: 40,000 messages in total at a rate of 1,500 per minute. (Note: these volumes indicate that the perpetrator was not particularly sophisticated compared to other bot herders. Most spammers today prefer to send low volumes of messages from multiple machines to avoid detection.)


The Fallout from Hosting a Spammer

The client’s public IP address was blacklisted instantly on five widely used blacklists. Fortunately, we handle the client’s outbound mail flow through our secured connections, so the blacklist listings did not affect their ability to send email.

Had they been sending outbound email from their own IP address, most major ISPs and many business email servers would have blocked their email. And if their local service provider had seen the traffic coming off the client’s network, they likely would have stopped all SMTP traffic, causing catastrophic email failure.

This particular client is proactive and technologically savvy, so they quickly determined that something was not right on their network, found the problem and terminated it. But, what if they had not been so fast? What if they did not use our outbound email filtering service? The consequences could have been devastating. Not only would they have inadvertently contributed to the global spam scourge, they would have suffered extreme email failure due to large scale listings on blacklists.
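The article does not show how such a listing is actually looked up, so here is an added example (not MXToolBox's code) of the DNSBL mechanism that IP-based blacklists use: the octets of the IPv4 address are reversed and prepended to the list's DNS zone, an A record inside 127.0.0.0/8 means the address is listed, and NXDOMAIN means it is not. The zone names and the in-memory answer table are constructed placeholders so the example runs offline; with a real zone, `socket.gethostbyname` serves as the live resolver.

```python
import socket

# Constructed in-memory answer table standing in for DNS, so the example runs
# offline. Keys are DNSBL query names, values are the A record a list returns.
CONSTRUCTED_TABLE = {
    "5.113.0.203.dnsbl-a.example": "127.0.0.2",  # placeholder zone, address listed
}
PLACEHOLDER_ZONES = ["dnsbl-a.example", "dnsbl-b.example"]  # placeholder zone names


def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def table_resolver(table):
    """Return a resolver that answers from `table` and raises socket.gaierror
    (what gethostbyname raises on NXDOMAIN) for any other name."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: answer} for every zone that lists `ip`.

    A DNSBL answers a listed address with an A record inside 127.0.0.0/8
    (the exact value encodes the listing reason); an unlisted address gets
    NXDOMAIN, which gethostbyname surfaces as socket.gaierror.
    """
    listed = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            continue  # NXDOMAIN: not listed on this zone
        if answer.startswith("127."):
            listed[zone] = answer
    return listed


if __name__ == "__main__":
    resolve = table_resolver(CONSTRUCTED_TABLE)
    for ip in ("203.0.113.5", "203.0.113.6"):
        hits = check_dnsbl(ip, PLACEHOLDER_ZONES, resolve=resolve)
        print(ip, "listed on", hits if hits else "no zone")
```

Running the same check against your own outbound address on a schedule is the cheapest early warning that a machine on your network has started sending spam; the answer value (for example 127.0.0.2) is list-specific and should be read against that list's documentation.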
 
How to Protect Yourself

There are several lessons you should take from this study:

1) Spammers can use any part of your network that is connected to the internet to send spam, whether it is part of your email system or not.

2) Even well-defended networks can fall victim, which is why you have to move from a well-defended network to an extraordinarily well-defended network. Block threats from all potential entry points, instead of only the most common entry points.

3) Constantly monitor your network for intrusions and infections.

This case certainly does not resemble every bot infection, but it is a real-world illustration of how an infection can occur.
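Lessons 1 and 3 together amount to one concrete control: know which hosts are allowed to speak SMTP to the internet, and flag any other host that does. The following is an added example (not code from MXToolBox or the article) that runs that check over constructed firewall connection-log lines in an assumed `<timestamp> <src> -> <dst>:<port> <proto>` format; the authorized relay address and the log format are assumptions. It also computes each offender's peak connections per minute, the figure that made the 1,500-messages-per-minute case above so visible.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: exactly one host is allowed to send mail directly to the internet.
AUTHORIZED_MAIL_SERVERS = {"192.168.1.10"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample log. 192.168.1.10 is the real mail server, 192.168.1.20 is
# a document server that should never open SMTP connections, 192.168.1.30 is
# ordinary HTTPS traffic, and the last line is deliberately malformed.
SAMPLE_LOG = """\
2007-05-02T09:00:01 192.168.1.10 -> 203.0.113.5:25 tcp
2007-05-02T09:00:04 192.168.1.10 -> 203.0.113.6:25 tcp
2007-05-02T09:00:05 192.168.1.30 -> 198.51.100.9:443 tcp
2007-05-02T09:00:10 192.168.1.20 -> 198.51.100.7:25 tcp
2007-05-02T09:00:11 192.168.1.20 -> 198.51.100.8:25 tcp
2007-05-02T09:00:12 192.168.1.20 -> 203.0.113.21:25 tcp
2007-05-02T09:00:13 192.168.1.20 -> 203.0.113.22:25 tcp
2007-05-02T09:00:14 192.168.1.20 -> 203.0.113.22:25 tcp
2007-05-02T09:01:02 192.168.1.20 -> 203.0.113.23:25 tcp
2007-05-02T09:01:30 192.168.1.10 -> 203.0.113.7:25 tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line; return (timestamp, src, dst, port, proto) or None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dst, port = parts[3].rsplit(":", 1)
        return ts, parts[1], dst, int(port), parts[4].lower()
    except ValueError:
        return None  # malformed timestamp or port


def find_rogue_smtp_senders(log_text, authorized=AUTHORIZED_MAIL_SERVERS):
    """Return {src_ip: summary} for every unauthorized host that opened an
    outbound SMTP connection. Any such host is a finding, regardless of volume;
    the per-minute peak only tells you how loud it was."""
    per_host = defaultdict(lambda: {"connections": 0,
                                    "destinations": set(),
                                    "by_minute": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if proto != "tcp" or port not in SMTP_PORTS or src in authorized:
            continue
        stats = per_host[src]
        stats["connections"] += 1
        stats["destinations"].add(dst)
        stats["by_minute"][ts.replace(second=0, microsecond=0)] += 1
    return {
        src: {
            "connections": s["connections"],
            "distinct_destinations": len(s["destinations"]),
            "peak_per_minute": max(s["by_minute"].values()),
        }
        for src, s in per_host.items()
    }


if __name__ == "__main__":
    for host, summary in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"ALERT: {host} sent SMTP directly: {summary}")
```

The same allowlist belongs in the egress firewall: if only the mail server may reach TCP/25 on the internet, the document server's 40,000 messages never leave the network, and the blocked connection attempts become the alert instead of a blacklist listing.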
Joel Harvey is the Director of Marketing at MxToolBox, Inc. He focuses on providing value to the small business IT community throughout the USA and Canada by providing articles that help business decision makers manage and secure their IT infrastructure, and by working to bring needed services, such as business class hosted email, to market. You can read his regular blog postings here.  
Comments (1)

Mb Mpherson, 4 years 283 days ago:

I learn something every day, and this was a good one. Sounds like you handled it just in time. Nice piece.