• IP Address Blocked, Unable to Send Email

    #1967560

    I’m not sure where this post belongs, so I will ask the moderators to move to it where it best fits.

    Just recently I had problems sending emails from my email clients. I use Thunderbird on Windows & Linux, and the stock email app on my Android tablet.

    The problem was restricted to emails sent via my ISP accounts (outgoing server smtp.virginmedia.com); I was able to send emails from my Gmail accounts via the same apps without any connection errors.

    Using Thunderbird, I was able to log the error, and my ISP said that the error code indicated that the block on sending emails from their accounts was because my IP address was listed in the Spamhaus SBLCSS database.

    I checked the Spamhaus SBLCSS database, and sure enough, my IP address was listed.

    After posting several messages on my ISP’s community forum, and not really getting anywhere, I scanned all of my systems for malware, but found nothing that would explain my IP address appearing on the Spamhaus SBLCSS database.

    The next day, after being advised to scan/clean my systems and apply for a delisting, I found that my IP address was no longer listed in the SBL database, and my email clients worked perfectly.

    Can anybody explain why my IP address would appear on the Spamhaus SBLCSS database, when all of my systems showed up clean, and why it would then spontaneously disappear without any action on my part?

    Could there be a problem with the Spamhaus SBLCSS database? Or does the problem lie with my ISP?

    By the way, this seems to have happened to numerous customers of the same ISP over a period of months; so it’s not just me. I can’t help but think my ISP is giving its affected customers the run-around!

    • #1967562

      Your problem is the dynamic IP addressing used by your ISP.

      Because the ISP doesn’t have enough IP addresses to give all their customers a static (same all the time) IP address, they use dynamic addressing. In other words, there is a pool of IP addresses and when you connect you get one out of the pool (not the same one all the time).

      Evidently, someone misused the IP address you got once to do some spamming (but you didn’t get the same one the next time). The spamming was reported to the Spamhaus SBLCSS database and the IP was blocked. You were the victim of someone else’s misuse.

      You can check your IP with Spamhaus before using it, and if it is listed, disconnect from the Internet. Reconnect and see if it gives you a good IP next time.

       

      • #1967563

        Thanks for your clear explanation.

        However, it was the same IP address both times. Blocked one day, but not the next; I didn’t do anything to delist it.

        Do IP addresses get delisted automatically if there’s no nefarious activity for a certain period of time?

        • #1967564

          Delisting after a period of non-activity is a very possible explanation.

          • #1967569

            Just checked here:

            https://www.spamhaus.org/faq/section/Spamhaus%20SBL#137

            and read this:

            “The CSS component of the SBL, a spam source IP address zone, has an automated expiration system. Unlike traditional SBL records, SBL CSS records are automatically expired three days after last detection. For this automatic expiration to work, it is vital that all spamming is terminated”.

            I’ve never bothered much about my IP address, but it looks like I was recently assigned a bad one, that came good after being used by my clean system for three days or so. Something to watch for in future!

            • #1968290

              SpamHaus lists a variety of reasons. Click on the link in your IP query, to see the reason (some of which do not automatically resolve in time).

              For instance:

              Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on “SMTP Authentication” in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem click here.
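Added example, not part of any post in this thread: the lookup behind the Spamhaus web form is a DNS query, and the answer code says which list an address is on (SBL CSS expires on its own, PBL is a policy listing). The zone name and return codes are the ones Spamhaus publishes for its combined ZEN zone; the function names, the injectable `resolve` parameter and the 192.0.2.10 sample address are assumptions made for the example.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# Answer codes documented by Spamhaus for the ZEN zone.
LISTS = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "DROP",
         "127.0.0.10": "PBL (ISP-maintained)",
         "127.0.0.11": "PBL (Spamhaus-maintained)"}
LISTS.update({f"127.0.0.{n}": "XBL" for n in range(4, 8)})

def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_a_records(name):
    """Return all A records for name; an empty list means no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        # NXDOMAIN (not listed), but also raised if DNS itself is unavailable.
        return []

def check_ip(ip, resolve=dns_a_records):
    """Classify an IPv4 address from the DNSBL answer codes."""
    answers = resolve(query_name(ip))
    # 127.255.255.x are error answers (for example a query refused because it
    # came through a public resolver); they do not mean the IP is listed.
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        return {"status": "error", "lists": [], "codes": errors}
    lists = sorted({LISTS.get(a, "unknown " + a) for a in answers})
    return {"status": "listed" if lists else "clear",
            "lists": lists, "codes": answers}

if __name__ == "__main__":
    # Constructed answer, so the demo runs offline: an address on SBL CSS.
    fake = lambda name: ["127.0.0.3"]
    print(query_name("192.0.2.10"), check_ip("192.0.2.10", resolve=fake))
```

Calling `check_ip` with only an address performs a live lookup; an `error` status means the resolver in use should be changed before trusting the result.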

    • #1968270

      I checked the Spamhaus SBLCSS database, and sure enough, my IP address was listed.

      Is your network/router protected by a strong password? It could be that a neighbour, passing by stranger… used your network/IP for spam.

      Have you scanned your PC for spamming malware?

      • #1971102

        Yes, it has a strong password; nothing dumb like “password”.

        I’ve used Wireless Network Watcher to check for anything else on my network, but there are only these three systems, plus my Chromecast.

    • #1971103

      My ISP has advised that my IP address changed last on 20 August, which is when I received a new router from them. I’m pretty sure that the blacklisting of my IP address on SBLCSS occurred after this date, because I’ve sent emails successfully since the change of router. So I think we can rule out my receipt of a blacklisted IP address, as PKCano suggested.

      My IP address was automatically delisted from the SBLCSS on Sunday (29 Sept), presumably after 3 days of non-detection. Today, three days later, my IP address is still showing up clear, meaning no detections for 6 days. If there’s malware present, it’s lying low for now!

      I have scanned the three systems on my network but no malware was detected:

      • Windows 10 (1903) full scan with Windows Defender and Malwarebytes (Free).
      • Android tablet scanned with Malwarebytes.
      • Android phone scanned with Malwarebytes.

      I’ve used Wireless Network Watcher to check for anything else on my network, but there are only these three systems, plus my Chromecast.

      Given this additional information, can anyone suggest why my IP address should appear on the SBLCSS and then be delisted again?

    • #1971117

      The IP address that matters is the IP of the SMTP server you’re using – the server that isn’t under your control – smtp.virginmedia.com.

      You can scan and rescan your own local systems to your heart’s content, but it won’t matter at all – the SHARED SMTP server’s IP is the one that was blacklisted, and it’ll most likely be blacklisted again in the future. (Just Google blacklisted virginmedia SMTP server and check out all the threads.)

      Someone/multiple someones are using that server for outbound spam and your ISP isn’t doing much about it.

      YOU can’t do much except use a different ISP or a different mail service.

      The dynamic IP address of your network connection has ABSOLUTELY NOTHING to do with this situation.

    • #1971412

      Thanks for taking the time to help.

      The fact is that when my dynamic IP address was on the SBLCSS blacklist I was unable to send mail via the SMTP server. Once it dropped off the list (which it did without any action on my part), I was able to send mail again.

      I’m afraid I know very little about networking, but your reply that:

      The dynamic IP address of your network connection has ABSOLUTELY NOTHING to do with this situation.

      seems to be at odds with the above observation. To my uneducated mind, there seems to be a definite link between my network IP being blacklisted and being unable to send mail via the SMTP server.

      Could you explain a little more, please?

      My ISP maintains that such problems must be due to malware on the user’s network, even when nothing shows up in virus and malware scans. My ISP’s policy is to tell affected customers that it’s the user’s system at fault and it’s up to the user to fix things.

    • #1971465

      The IP address that matters is the IP of the SMTP server you’re using

      Not quite. It may be that your ISP monitors the Spamhaus database and blocks SMTP traffic to their SMTP server from listed IP addresses – it should block all SMTP traffic from listed addresses IMO.
      This is consistent with your mail clients complaining when trying to send via the VM SMTP server.

      cheers, Paul

      • #1971499

        Not quite. It may be that your ISP monitors the Spamhaus database and blocks SMTP traffic to their SMTP server from listed IP addresses – it should block all SMTP traffic from listed addresses IMO.

        Yes… “should” is a good word.

        Now, there’s still several alternatives as to what exactly might have happened, and without seeing detailed error message and logging content it’s sort of hard to tell.

        I have had individual messages blocked because I had quoted someone else’s message that included a blocked IP address… yes, in the quoted message text.

        Worst case, all it takes is someone misconfiguring something to block a specific string, possibly with wildcards, that can be interpreted as a blocked address… but actually meant something like a warehouse shelf code, software version number, date/timestamp, or some such.

        Also if there was a sender who managed to spoof your local IP or the server’s IP, well, could even be a standard reactive block if that wasn’t detected as a spoof, even if you also had the address and didn’t send spam.

      • #1971567

        My ISP advised that the error message I was getting indicated that my Sending IP address was on the SBLCSS list.

    • #1971472

      It could have been that someone was running a mail server off the dynamic IP address you had which caused the issue. Usually spam blacklists pick the SMTP server IP (your ISP), not the HELO IP (your dynamic IP).

    • #1973308

      Thanks to those of you who have suggested alternative explanations to my IP address appearing on the SBL CSS list. I don’t know enough about networking to comment on these, but the suggestions imply that malware isn’t the only explanation.

      Additionally, the FAQs on the Spamhaus website (https://www.spamhaus.org/faq/section/Spamhaus%20CSS) state that “CSS is highly effective at blocking spam during SMTP delivery with very low false positive detections”. Whilst they claim that false positive detections are very low, very low isn’t zero. So there exists the possibility of a false positive detection.

      Given that virus and malware scans haven’t revealed any nasties, and that it’s over a week since my IP last appeared on the blacklist, how confident can I be that my systems are free of some as-yet undiscovered malware?

      Ultimately, my main concern is that there isn’t anything nasty lurking on my home network.

    • #1973339

      I have found the issue is not your exact IP address being on the list, but that a block is in place for a range of dynamic IP addresses of an ISP.

      I have also found that if you forward an email with links and urls, if any of those are on spam lists, or questionable website lists your specific email can be blocked at the outgoing SMTP server of your ISP. They said this will not get you on the list unless it is an ongoing issue and they may issue a TOS warning.

      On a semi-related spam topic, I have found that at every national and state election since 2012, lots of my routine incoming email will end up in the spam folder. After talking to the Spam folks at my ISP I was told that opponents reporting political or advocacy group emails to ISPs as spam always ticked up during election season.

      • #1973346

        Thanks for your reply.

        I carried out tests with very simple emails; no links, no attachments, just a few words of text. They simply would not send. I was prompted for my password (which isn’t normal) but inputting it didn’t send the mail. The mail ended up in the Outbox, and wouldn’t send.

        Is there any reason why a range of addresses might be blocked?

    • #1974851

      Ultimately, my main concern is that there isn’t anything nasty lurking on my home network.

      You have scanned your machine and your IP has not been re-listed so you are probably safe. To be sure I’d run a 3rd party AV scan or two. Most of the AV companies will run a free scan for you.

      cheers, Paul

    • #1998207

      I’ve returned to this topic as I believe I now have the answer to my problem; it’s a rather surprising one too.

      My IP address was recently blocked when only my Android tablet was in use. So something on that device was responsible. The thing is, that device has never been rooted and all the downloaded apps have come from the Google Play store.

      In order to monitor traffic on my network I set up a hotspot on my laptop, and connected my tablet via the hotspot. I installed a program called Wireshark on my PC to monitor traffic on Port 25 TCP (spambot traffic will always use this port). The full process has only recently been developed by my ISP’s Community Forum experts, and can be read here:

      https://community.virginmedia.com/t5/Security-matters/Searching-for-Spambots-on-your-network/td-p/4087596

      Sure enough, Wireshark detected traffic on Port 25 TCP indicating that spam was being sent via my IP address, and it was this spamming that was presumably detected by Spamhaus, resulting in my IP address being blocked.

      I didn’t have to look very far for a potential suspect on my tablet. My partner has been using the Hola Free VPN app so that she can view geo-restricted content on Spanish TV. I don’t understand much about networking but I know that this app “does stuff” with IP addresses and “some stuff” was causing our IP address to be listed on the SBLCSS; this made Hola Free VPN the prime suspect.

      When Hola Free VPN was uninstalled and the tablet restarted, Wireshark showed no traces of traffic on Port 25 TCP over a 14 hour period. My partner then uninstalled the app from her Android phone. I used Wireshark to check her phone (and the tablet again) over a period of 18 hours and neither showed any activity on Port 25 TCP.

      When I searched for reviews of Hola Free VPN (beyond those on Google Play store) I was horrified by what I read. Here’s a couple of links:

      https://www.vpnmentor.com/reviews/hola-vpn/

      https://privacyaustralia.net/hola-vpn-review/

      My conclusion is that this widely used and popular app facilitated the distribution of spam through my public IP address, even though it’s not a spambot itself and is a legitimate app available on Google Play Store. The way in which it works means that your network resources are shared with others on this peer-to-peer service. If somebody’s sending spam (intentionally or not) or conducting any other nefarious activity, it can appear to be coming from your IP address.

      I can only comment on the use of the Android app, but I guess the same would apply to other forms of this service (i.e. Firefox and Chrome browser extensions).

      I’m still keeping an eye on the Spamhaus listings, but I’m confident that I’ve identified the problem and eliminated it. The question is how many users are aware of the potential implications of using this app?
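Added example, not part of the post above or of the ISP forum's procedure: a way to summarise a capture like the one described, flagging any LAN device that opens port 25 connections to several different outside servers (mail clients normally submit to one provider on 587 or 465). The input format (tab-separated source, destination and destination port of outbound SYN packets, as a `tshark -T fields` export would give), the 192.168.137.0/24 hotspot subnet, the threshold and all sample addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one line per outbound TCP SYN, fields ip.src, ip.dst,
# tcp.dstport. Addresses are from documentation ranges, not a real capture.
SAMPLE = "\n".join([
    "192.168.137.20\t198.51.100.7\t25",
    "192.168.137.20\t203.0.113.5\t25",
    "192.168.137.20\t198.51.100.99\t25",
    "192.168.137.20\t203.0.113.80\t25",
    "192.168.137.20\t203.0.113.200\t443",
    "192.168.137.21\t198.51.100.40\t587",   # normal authenticated submission
    "192.168.137.21\t203.0.113.200\t443",
    "garbled line that should be skipped",
])

def direct_smtp_hosts(lines, lan="192.168.137.0/24", min_dests=3):
    """Map each LAN host to the outside servers it contacted on TCP 25,
    keeping only hosts that reached at least min_dests distinct servers."""
    lan_net = ipaddress.ip_network(lan)
    dests = defaultdict(set)
    for line in lines.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue                          # not a three-field record
        src, dst, port = parts
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue                          # malformed address
        if port == "25" and s in lan_net and d not in lan_net:
            dests[src].add(dst)
    return {h: sorted(ds) for h, ds in dests.items() if len(ds) >= min_dests}

if __name__ == "__main__":
    for host, servers in direct_smtp_hosts(SAMPLE).items():
        print(f"{host} opened port 25 to {len(servers)} servers: {servers}")
```

A flagged host identifies the device to investigate, not the responsible app; the poster narrowed it down by uninstalling the suspect app and capturing again.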

    • #2387895

      Hola Free VPN app

      As has been said many times, a free VPN is selling your data / other things.
      Pay for one if you need a VPN.

      cheers, Paul

    • #2387904

      As has been said many times, a free VPN is selling your data / other things. Pay for one if you need a VPN.

      I use NordVPN (paid) and have had occasions (including this site) that I was either unable to login or post. Disconnecting the VPN or restarting and getting assigned to a different VPN server clears things up. Maybe I should change VPN provider?

      • #2387926

        Depends why you are using a VPN. If it’s for travel / public wifi, then you can put up with the occasional problematic site. If you use it for normal browsing from home you are wasting your money IMO. 🙂

        cheers, Paul
