Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
An IP address of a Plesk mail server got blacklisted. What to do?
Note: The following article covers cases when a local mail server is used by Plesk.
Answer
Table of Contents
- What are the symptoms if a Plesk IP address is blacklisted?
- Blacklist - what is it?
- Why an IP address got blacklisted?
- What to do if a server IP address is blacklisted?
- How to remove an IP address from blacklists?
What are the symptoms if a Plesk IP address is blacklisted?
- Mail cannot be sent to external mail addresses with a bounce message like:
Note: In the output below, the IP address 203.0.113.2 belongs to a Plesk server.

550 SC-001 (SNT004-MC4F35) Unfortunately, messages from 203.0.113.2 weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140).

[203.0.113.2] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 https://support.google.com/mail/?p=NotAuthorizedError h1si7104782plt.44 - gsmtp (in reply to end of DATA command))

5.7.1 Service unavailable; client [203.0.113.2] blocked using prs.proofpoint.com (in reply to RCPT TO command)

421 4.7.0 [TSS04] Messages from 203.0.113.2 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

550 mail not accepted from blacklisted IP address [203.0.113.2] (in reply to MAIL FROM command)

MailEnable: Message could not be delivered to some recipients.
The following recipient(s) could not be reached:
Recipient: [SMTP:example@example.com]
Reason: 554 Your access to this mail system has been rejected due to poor reputation of a domain used in message transfer

The server returned:
554 Blocked - see https://ipcheck.proofpoint.com/?ip=203.0.113.2

- When checking a server IP address using the MXToolbox blacklist checker or https://whatismyipaddress.com/blacklist-check, it shows that the IP address is in one of the DNS-based email blacklists (commonly called Realtime blacklist, DNSBL or RBL).
- On Windows servers with MailEnable mail server, the following entries can be found in the SMTP-Activity logfile in %installation_path%\Mail Enable\Logging\SMTP:

Remote server returned a response indicating a permanent error. Server Response:(550 Mail content denied. http://mail.example.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726**)

Communications Error: Socket connection to mta6.am0.yahoodns.net failed (error 10060). The host was either not contactable or it rejected your connection. Socket Family = 2; Port=25 Remote server returned a response indicating a permanent error. Server Response: (550-5.7.1 [52.74.x.x18] Our system has detected that this message is**550-5.7.1 likely suspicious due to the very low reputation of the sending IP**550-5.7.1 address. To best protect our users from spam, the message has been**550-5.7.1 blocked. Please visit**550 5.7.1

Remote server returned a response indicating a permanent error. Server Response: (554-gmx.net (mxgmxus003) Nemesis ESMTP Service not available**554-No SMTP service**554-Bad DNS PTR resource record.**554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=52.74.x.x&c=rdns**)

- On Linux servers with Postfix mail server, the output of the mailq command shows a lot of deferred email messages:
# mailq
...
(delivery temporarily suspended: host mx2.recepient-server.com [203.0.113.8] refused to talk to me: mx1.sender-server.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
...
One of the following records can be found in /var/log/maillog:

postfix/smtp[18902]: 0668921EE6E6: to=info@example.com, relay=mxint01.1and1.com[213.21.0.10]:25, delay=1.1, delays=0.12/0.02/0.87/0.13, dsn= 5.0.0, status=bounced (host mxint01.1and1.com[213.21.0.10] said: 550 host is listed in reject.bl.kundenserver.de (in reply to RCPT TO command))

delivery 1284: failure: status=deferred (lost connection with while receiving the initial server greeting)
192.0.2.2_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.1_[ 203.0.113.2_______1]_Our_system_has_detected_an_unusual_rate_of/550-5.7.1_unsolicited_mail_originating_from_your_IP_address._To_protect_our/550-5.7.1_users_from_spam,_mail_sent_from_your_IP_address_has_been_blocked./550-5.7.1_Please_visit_http://www.google.com/mail/help/bulk_mail.html_to_review/550_5.7.1_our_Bulk_Email_Senders_Guidelines._v9si4270797qar.136_-_gsmtp

status=bounced (host gmail-smtp-in.l.google.com said: 550-5.7.1 [203.0.113.2] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. p198si10148872itp.132 - gsmtp (in reply to end of DATA command))

status=bounced (host gmail-smtp-in.l.google.com[203.0.113.2] said: 550-5.7.1 [54.94.176.245 19] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1 https://support.google.com/mail/answer/188131 for more information. n10si2294606qte.338 - gsmtp (in reply to end of DATA command)

status=bounced (host said: 550 5.7.1 Service unavailable, Client host [203.0.113.2] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (AS3130).

[203.0.113.2] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 https://support.google.com/mail/?p=NotAuthorizedError h1si7104782plt.44 - gsmtp (in reply to end of DATA command))

postfix/smtp[90128]: 9AEA08CB9D: host mta6.am0.yahoodns.net[203.0.113.2] said: 421 4.7.0 [TSS04] Messages from 203.0.113.2 temporarily deferred due to user complaints - 203.0.113.3; see https://help.yahoo.com/kb/postmaster/SLN3434.

status=deferred (host somehost.tld[203.0.113.2] refused to talk to me: 554 Blocked - see https://ipcheck.proofpoint.com/)

postfix/error[5413]: 579DA456CAC9: to=<user>@yahoo.com, relay=none, delay=0.18, delays=0.15/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[203.0.113.2] while sending RCPT TO)

postfix/smtp[90928]: 5AEA08CB5D: host prefilter.emailsecurity.trendmicro.eu[203.0.113.2] said: 554 5.7.1 <SBS.apinvoicing@nhs.net>: Recipient address rejected: ERS-RBL. (in reply to RCPT TO command)
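To separate reputation-related rejections from ordinary bounces in /var/log/maillog, the records above can be filtered by the phrases the remote servers use. The following is an added example, not part of the original article or of Plesk; the sample lines, host names and blocklist zones are constructed, and the pattern assumes Postfix's default short queue IDs.

```python
import re
from collections import Counter

# Phrases taken from the rejection texts quoted in this article.
REPUTATION_HINTS = re.compile(
    r"blocked using|is listed in|blacklisted|block list|reputation|"
    r"unsolicited mail|deferred due to user complaints|not authorized to",
    re.I)
# Postfix delivery record; assumes the default short (hex) queue IDs.
DELIVERY = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<?(?P<rcpt>[^>,]+)>?, "
    r"relay=(?P<relay>[^,\[]+).*?dsn=\s*(?P<dsn>[\d.]+), "
    r"status=(?P<status>bounced|deferred) \((?P<reply>.*)\)\s*$")
LIST_NAME = re.compile(r"(?:blocked using|listed in)\s+([A-Za-z0-9.-]*[A-Za-z0-9])")

def parse_line(line):
    """Return a dict for a reputation-related bounce/deferral, else None."""
    m = DELIVERY.search(line)
    if not m or not REPUTATION_HINTS.search(m["reply"]):
        return None
    rec = m.groupdict()
    named = LIST_NAME.search(rec["reply"])
    rec["blocklist"] = named.group(1) if named else None
    return rec

def summarize(lines):
    """Count reputation rejections per relay and per named blocklist."""
    hits = [r for r in map(parse_line, lines) if r]
    return {"hits": hits,
            "by_relay": Counter(r["relay"] for r in hits),
            "by_list": Counter(r["blocklist"] for r in hits if r["blocklist"])}

def _rec(qid, relay, dsn, status, reply):  # builds one constructed log line
    return (f"Jan 10 10:00:01 mail postfix/smtp[18902]: {qid}: to=<info@example.com>, "
            f"relay={relay}[198.51.100.10]:25, delay=1.1, delays=0.1/0/0.9/0.1, dsn={dsn}, "
            f"status={status} (host {relay}[198.51.100.10] said: {reply})")

# Constructed sample records (documentation addresses, made-up queue IDs and zones).
SAMPLE = [
    _rec("0668921EE6E6", "mx.example.net", "5.0.0", "bounced", "550 host is listed in bl.example.org (in reply to RCPT TO command)"),
    _rec("9AEA08CB9D", "mx2.example.org", "5.7.1", "bounced", "550 5.7.1 Service unavailable; client [203.0.113.2] blocked using dnsbl.example.org (in reply to RCPT TO command)"),
    _rec("5AEA08CB5D", "mx.example.net", "4.7.0", "deferred", "421 4.7.0 Messages from 203.0.113.2 temporarily deferred due to user complaints"),
    _rec("579DA456CAC9", "mx2.example.org", "5.1.1", "bounced", "550 5.1.1 User unknown (in reply to RCPT TO command)"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

The per-relay counts show which recipient providers are rejecting the server, and the per-list counts show which blocklists are named in the rejections.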
Blacklist - what is it?
Real-time blacklists or DNS blacklists (RBL, DNSBL) are publicly available services that store lists of IP addresses known to be involved in spam activities. Nowadays, all of the most popular mail servers can be configured to query DNSBL servers and reject or flag messages if the sender's site is listed in one of these lists. For example, Plesk has the DNS Blackhole Lists feature, which lets you specify the DNSBL hostname that a Plesk mail server should query in order to reject spam emails based on the response.
Additionally, the recipient's mail server can have its own blacklisting service as part of the anti-spam solutions installed.
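How a DNSBL query works, as an added example that is not part of the original article or of Plesk: the checked IP address is reversed, prepended to the list's zone name, and resolved as an A record, where an answer in 127.0.0.0/8 means "listed" and no answer means "not listed". The zone names and the offline resolver below are constructed placeholders; pass the real zones you want to test and drop the `resolve` argument to query live DNS.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the name a mail server resolves to test `ip` against DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def check_dnsbl(ip, zones, resolve=socket.gethostbyname_ex):
    """Return {zone: [return codes]} for each zone that lists `ip`."""
    listed = {}
    for zone in zones:
        try:
            _, _, answers = resolve(dnsbl_query_name(ip, zone))
        except (socket.gaierror, socket.herror):
            continue                      # no A record: not listed in this zone
        # A listing is answered from 127.0.0.0/8; any other address means the
        # name was rewritten by a resolver or parked domain, not a listing.
        codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
        if codes:
            listed[zone] = codes
    return listed

# Constructed offline resolver so the example runs without network access.
FAKE_ZONE_DATA = {
    "2.113.0.203.dnsbl.example.org": ["127.0.0.2"],
    "2.113.0.203.wildcard.example.net": ["198.51.100.7"],
}

def fake_resolve(name):
    if name not in FAKE_ZONE_DATA:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return (name, [], FAKE_ZONE_DATA[name])

# Hypothetical zone names; replace with the DNSBL zones you actually use.
ZONES = ["dnsbl.example.org", "wildcard.example.net", "clean.example.com"]

if __name__ == "__main__":
    print(check_dnsbl("203.0.113.2", ZONES, resolve=fake_resolve))
```

The meaning of each return code inside 127.0.0.0/8 is defined by the list operator, so consult the operator's documentation before acting on a specific code.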
Why an IP address got blacklisted?
It is not uncommon for an IP address to end up on a public blacklist, especially on a shared server. It could be due to the overall volume of mail coming from that server, or because messages appear to have characteristics of spam.
Another common cause is mail forwarders. If a user@example.com email account in Plesk forwards mail to a mailbox on a mail service like Gmail (user@gmail), and user@example.com is spammed, the Plesk mail server could forward all the spam to Gmail. As a result, the Gmail mail server can consider the Plesk mail server IP address a source of spam or a relay server for spam messages and add it to its own list of spammers.
Gmail servers might see the sender's mail IP address as relaying the spam message to their server, even though it wasn't the originating server of the spam.
What to do if a server IP address is blacklisted?
If an IP address, hostname, or domain was added to a blacklist, it means that the server is or was considered a source of spam.
- For Plesk on Linux: If spam emails are still being sent, find scripts that are responsible for this:
- As a part of troubleshooting, try to disable the mail() function: How to disable mail() function for a spamming domain
- To avoid outbound spam issues in future, configure protection from outbound spam.
- Make sure DKIM, SPF, and DMARC solutions are set up in Plesk.
How to remove an IP address from blacklists?
Once you have verified that the source of spam is found and all precautions to avoid this behavior are set, it is time to remove the Plesk mail server IP address from the blacklists:
- Use services like the MXToolbox blacklist checker or the Blacklist Check provided by WhatIsMyIPAddress.com to find which RBL/DNSBL servers have it blacklisted.
- Send a removal request to exclude the IP address from the blacklist. Most DNSBL services have a Removal Request form on their websites, e.g.:
- Submit a request to the mail service to remove your IP address from blacklists:
If the IP address is listed in UCEPROTECTL2 / L3, you have an IP address from your ISP that falls into a poor reputation range. The removal request should be sent from the ISP side in this case.
For reference, see: