- Plesk for Linux
- Plesk for Windows
An IP address of a Plesk mail server got blacklisted. What to do?
Note: The following article covers cases when a local mail server is used by Plesk.
Table of Contents
- What are the symptoms if a local Plesk IP address is blacklisted?
- What is a blacklist?
- Why is an IP address blacklisted?
- What to do if a server IP address is blacklisted?
- How to unblock a server IP address?
What are the symptoms if a local Plesk mail server is blacklisted?
Mail cannot be sent to external mail addresses, and bounce messages like the following are returned:
Note: In the output below, the IP address 203.0.113.2 belongs to a Plesk server:
PLESK_INFO: 550 SC-001 (SNT004-MC4F35) Unfortunately, messages from 203.0.113.2 weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140).
PLESK_INFO: [203.0.113.2] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 https://support.google.com/mail/?p=NotAuthorizedError h1si7104782plt.44 - gsmtp (in reply to end of DATA command))
On Windows servers with the MailEnable mail server, the following entries can be found in the SMTP activity log file at MailEnable Management > Servers > localhost > Services and Connectors > SMTP > Logs > Activity:
CONFIG_TEXT: Remote server returned a response indicating a permanent error. Server Response:(550 Mail content denied. http://mail.example.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726**)
CONFIG_TEXT: Communications Error: Socket connection to mta6.am0.yahoodns.net failed (error 10060). The host was either not contactable or it rejected your connection. Socket Family = 2; Port=25 Remote server returned a response indicating a permanent error. Server Response: (550-5.7.1 [52.74.x.x18] Our system has detected that this message is**550-5.7.1 likely suspicious due to the very low reputation of the sending IP**550-5.7.1 address. To best protect our users from spam, the message has been**550-5.7.1 blocked. Please visit**550 5.7.1
Remote server returned a response indicating a permanent error. Server Response: (554-gmx.net (mxgmxus003) Nemesis ESMTP Service not available**554-No SMTP service**554-Bad DNS PTR resource record.**554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=52.74.x.x&c=rdns**)
When checking a server IP address using the MXToolbox blacklist checker, it shows that the IP address is in one of the DNS-based email blacklists (commonly called a real-time blacklist, DNSBL or RBL).
On Linux servers with Postfix installed, the output of the mailq command shows a lot of deferred email messages:
(delivery temporarily suspended: host mx2.recepient-server.com [203.0.113.8] refused to talk to me: mx1.sender-server.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
One of the following records can be found in /var/log/maillog on Linux:
CONFIG_TEXT: postfix/smtp: 0668921EE6E6: email@example.com, relay=mxint01.1and1.com[18.104.22.168]:25, delay=1.1, delays=0.12/0.02/0.87/0.13, dsn= 5.0.0, status=bounced (host mxint01.1and1.com[22.214.171.124] said: 550 host is listed in reject.bl.kundenserver.de (in reply to RCPT TO command))
CONFIG_TEXT: delivery 1284: failure: status=deferred (lost connection with while receiving the initial server greeting)
CONFIG_TEXT: status=bounced (host gmail-smtp-in.l.google.com said: 550-5.7.1 [203.0.113.2] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. p198si10148872itp.132 - gsmtp (in reply to end of DATA command))
CONFIG_TEXT: status=bounced (host gmail-smtp-in.l.google.com[203.0.113.2] said: 550-5.7.1 [126.96.36.199 19] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1 https://support.google.com/mail/answer/188131 for more information. n10si2294606qte.338 - gsmtp (in reply to end of DATA command)
CONFIG_TEXT: status=bounced (host said: 550 5.7.1 Service unavailable, Client host [203.0.113.2] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (AS3130).
CONFIG_TEXT: mx.l.google.com[188.8.131.52] said: 550-5.7.1 [203.0.113.2 2] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for more information. b18si150966pgn.296 - gsmtp (in reply to end of DATA command))
CONFIG_TEXT: Received-SPF: neutral (google.com: 203.0.113.2 is neither permitted nor denied by best guess record for domain of firstname.lastname@example.org) client-ip=203.0.113.2;
CONFIG_TEXT: [203.0.113.2] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 https://support.google.com/mail/?p=NotAuthorizedError h1si7104782plt.44 - gsmtp (in reply to end of DATA command))
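To see which of these rejection reasons dominates a log, the bounce lines can be grouped by cause. The following is an added example, not part of the original article or of Plesk: the category names and the sample lines are constructed here, and the phrases it matches are the ones quoted in the log entries above.

```python
import re
from collections import Counter

# Multi-line SMTP replies repeat "550-5.7.1" mid-sentence once Postfix logs
# them on one line; strip those markers before matching phrases.
CONT = re.compile(r"\b[45]\d\d[- ]\d\.\d+\.\d+\s+")
REPLY = re.compile(r"said:\s*(?P<code>[45]\d\d)[- ](?P<text>.*)")
STATUS = re.compile(r"status=(\w+)")

# (category, phrase) pairs taken from the rejection texts quoted above.
RULES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("dnsbl_listed", r"listed in ([\w.-]+)|blocked using ([\w.-]+)"),
    ("bad_ptr", r"bad dns ptr"),
    ("direct_send_not_authorized", r"not authorized to send email directly"),
    ("unsolicited_rate", r"unusual rate of unsolicited mail"),
    ("low_reputation", r"(?:very low|poor) reputation"),
    ("likely_spam", r"likely unsolicited mail"),
]]

def classify(line):
    """Return (status, smtp_code, category, detail), or None if the line
    carries no remote rejection ("said: 4xx/5xx ...")."""
    status, reply = STATUS.search(line), REPLY.search(line)
    if not status or not reply:
        return None
    text = CONT.sub("", reply.group("text"))
    for category, pattern in RULES:
        m = pattern.search(text)
        if m:
            # For DNSBL rejections the detail is the list named by the remote side.
            detail = next((g.rstrip(".") for g in m.groups() if g), None)
            return status.group(1), int(reply.group("code")), category, detail
    return status.group(1), int(reply.group("code")), "other", None

def summarize(lines):
    """Count rejection categories across log lines."""
    return Counter(r[2] for r in map(classify, lines) if r)

# Constructed sample lines modelled on the entries above (documentation IPs).
SAMPLE = [
    "postfix/smtp[2101]: 0A1B2C3D4E: to=<a@example.net>, relay=mx.example.net[198.51.100.7]:25, dsn=5.0.0, status=bounced (host mx.example.net[198.51.100.7] said: 550 host is listed in bl.example.net (in reply to RCPT TO command))",
    "postfix/smtp[2102]: 1A1B2C3D4E: to=<b@example.org>, relay=mx.example.org[198.51.100.9]:25, dsn=5.7.1, status=bounced (host mx.example.org[198.51.100.9] said: 550-5.7.1 [203.0.113.2] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. 550 5.7.1 Blocked. (in reply to end of DATA command))",
    "postfix/smtp[2103]: 2A1B2C3D4E: to=<c@example.org>, relay=mx.example.org[198.51.100.9]:25, dsn=5.7.1, status=bounced (host mx.example.org[198.51.100.9] said: 550-5.7.1 [203.0.113.2] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. (in reply to end of DATA command))",
    "postfix/smtp[2104]: 3A1B2C3D4E: to=<d@example.com>, relay=mx.example.com[198.51.100.3]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

A dnsbl_listed result names the list to contact for removal, while the reputation and rate categories point at the recipient provider's own filtering rather than a public list.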
What is a blacklist?
Real-time blacklists or DNS blacklists (RBL, DNSBL) are publicly available services that store a list of IP addresses known to be involved in spam activities. Nowadays all of the most popular mail servers can be configured to query DNSBL servers and reject or flag messages if the sender's site is listed in one of these lists. For example, Plesk has the DNS Blackhole Lists feature, which lets you specify the DNSBL host name that the Plesk mail server should query so that it can reject spam mail based on the response.
Additionally, the recipient's mail server may have set up its own blacklisting service as part of the anti-spam solutions installed on it.
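The DNSBL query a mail server makes can be reproduced by hand to confirm a listing. The following is an added example, not part of the original article or of Plesk: the zone dnsbl.example and the fake resolver are constructed placeholders, and the code handles IPv4 only.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """203.0.113.2 + zone -> 2.113.0.203.zone (IPv4 octets reversed)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """Resolve an A record; None means no answer (NXDOMAIN or resolver failure)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (listed, answer). A listing is an A record inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    a = ipaddress.ip_address(answer)
    listed = a in ipaddress.ip_network("127.0.0.0/8")
    # Some lists, Spamhaus among them, answer in 127.255.255.0/24 to signal a
    # query error (for example a blocked resolver) rather than a listing.
    if a in ipaddress.ip_network("127.255.255.0/24"):
        listed = False
    return listed, answer

# Constructed zone data for an offline run; "dnsbl.example" is a placeholder.
FAKE_ZONE = {
    "2.113.0.203.dnsbl.example": "127.0.0.2",         # listed
    "8.113.0.203.dnsbl.example": "127.255.255.254",   # error code, not a listing
}

if __name__ == "__main__":
    for ip in ("203.0.113.2", "203.0.113.8", "203.0.113.9"):
        print(ip, check_dnsbl(ip, "dnsbl.example", resolve=FAKE_ZONE.get))
```

Calling check_dnsbl without the resolve argument uses the system resolver against a real list; run it from the mail server itself so the answer reflects what that list returns to the resolver the server actually uses.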
Why did a server IP address get blacklisted?
It is not uncommon for an IP address to end up on a public blacklist, especially on a shared server. It could be due to the overall volume of mail coming from that server, or because messages appear to have the characteristics of spam.
Another common cause is mail forwarders. If an email@example.com email account in Plesk forwards mail to a mailbox on an external mail service such as Gmail (user@gmail), and firstname.lastname@example.org is spammed, the Plesk mail server could forward all of that spam to Gmail. As a result, the Gmail mail server may treat the Plesk mail server IP address as a source of spam, or as a relay for spam messages, and add it to its own list of spammers.
Gmail servers might see the sender's mail server IP address as relaying the spam message to them, even though that server did not originate the spam.
What to do if a server IP address is blacklisted?
If the IP address, hostname or domain was added to a blacklist, it means that the server is or was considered a source of spam.
If spam emails are still being sent, find the scripts that are responsible for this:
As a part of troubleshooting, try disabling the mail() function: How to disable mail() function for a spamming domain?
To avoid outbound spam issues in the future, configure protection from outbound spam.
Make sure all mail settings are set up in Plesk according to this KB article.
How to remove a server's IP address from a blacklist?
Once you have verified that the source of spam has been found and all precautions to prevent it from recurring are in place, it is time to remove the Plesk mail server IP address from the blacklists:
Send a removal request to exclude the IP address from the blacklist. Most DNSBL services have a removal request form on their websites, e.g.:
Contact Gmail and Outlook support to remove your IP address from their blacklists: