Today one of our customers forwarded to me a mail from the ISP of one of her mail recipients that says they're blocking my customer's email because our webserver IP is listed in some RBLs.

Of course the latter, being a webserver, has nothing to do with this email's journey through the 'net and unfortunately there isn't any DSN / bounce to look at: all we got is an email from someone working at the recipient's ISP saying "mail gets blocked because $ip_of_webserver is in $someRBL but I don't know why our systems are checking that IP in the RBLs".

Detailed info:

  • the blocked mails have sender domain1.com and recipient domain2.com
  • the blocked mails started on the user's MS Outlook, which sent them to mail.ispdomain.com, which sent them to smtpout.ispdomain.com, which sent them to the MX of domain2.com
  • the MX of domain2.com does accept the email from our smtpout and responds 250 Requested mail action okay, completed - it probably filters the email in a later phase
  • domain1.com has MX records mx.ispdomain.com
  • mail.ispdomain.com, mx.ispdomain.com, smtpout.ispdomain.com are not listed in any RBL
  • webserver.ispdomain.com is listed in SORBS-WEB and SORBS-SPAM
  • only that specific IP is listed and not a whole range or subnet
  • webserver.ispdomain.com relays all of its locally-generated mails through smtpout.ispdomain.com
  • the blocked email did not come from or pass through the webserver
  • all the servers have correctly configured PTR records on their IP addresses

This is still an open issue and it will be interesting to see how a webserver that relays all of its mails to another system got listed in an RBL, but that's another story.

I am not asking "why doesn't my mail work" or how to de-list my system. Been there, done that.

I see that the only connection between an email and a webserver IP can be the domain name of the mail's recipient (possibly present in the mail text too, e.g. in the signature). I'm guessing some antispam system took that domain name (from the recipient address or from the mail body), resolved its A DNS record, and looked that up in RBLs.

I am asking: is there some widespread antispam software / technique that behaves like that? And is that actually an effective measure against spam?

Luke404
  • Thanks to @MadHatter for editing my subject which was a little too twisted on itself :) please forgive me but I learned English at school. :| – Luke404 Nov 08 '12 at 07:43
  • Luke, don't worry about it, it happens a lot around here. Thanks for taking it so gracefully - and I can assure you that your English is **vastly** better than my Italian. That said, this question may get closed soon. For my money, it could be hugely improved by including the whole text of the bounce email, so that we can examine the issue from beginning to end - because what you ask now isn't really a question that can be answered. – MadHatter Nov 08 '12 at 07:45
  • @MadHatter, I just had my coffee and started my workday, and I'm actually editing my question right now to improve it based on feedback from current answers. Unfortunately there isn't any bounce to write about. – Luke404 Nov 08 '12 at 07:47
  • Then I submit that there isn't really a question that **you** can answer, either. If I were brought an issue like this in my professional capacity, I'd refuse to touch it unless I could get hold of a transcript of an actual bounce. Otherwise, there's just so much that can be lost when you listen to a user's report, of another user's report, of a technical problem; you end up chasing the wrong issue nine times out of ten. And now you mention it, an *espresso* would be a lovely idea... let me make myself one! – MadHatter Nov 08 '12 at 07:49
  • I'm trying to phrase it better, but the fact of the matter is that I'd like to ask about antispam techniques in general and if there is any that could behave like that; I'm not asking for help to get this specific message through. – Luke404 Nov 08 '12 at 08:01
  • Luke, I understand that, but the FAQ - which is linked from the top of every page - is clear: "You should only ask practical, answerable questions based on actual problems that you face." If you can't refine this post into a particular question about a particular issue, with concrete details, it may very well get closed. – MadHatter Nov 08 '12 at 08:03
  • The main reason is that, RFCs notwithstanding, **any** mail admin may make **any** decision he or she sees fit with respect to the acceptance of each incoming mail. If she wants to reject only mail from people called Fred, or mail that arrives on the last day of the month, she may, and she may call it an anti-spam technique if she wants to (it wouldn't be much more baroque than some of the tests SpamAssassin applies). So the answer to your general question is: yes. – MadHatter Nov 08 '12 at 08:05

2 Answers

It could be that your subnet was blocked and not just your IP address; also, the ISP isn't going to know much about why you are blocked. The best thing to do is go to http://www.mxtoolbox.com/blacklists.aspx, check which blacklists are blocking you and get in contact with them.

Winter Faulk
Hmm, interesting question. First, a clarification.

Today one of our customers forwarded to me a mail from the ISP of one of her mail recipients that says they're blocking my customer's email because our webserver IP is listed in some RBLs.

Your customer tried to send an email and the mail was bounced back to her by the recipient's ISP, correct?

If that is the case, the bounce mail should have the specific SORBS code for why it was bounced. I would look that up here: http://www.sorbs.net/general/using.shtml This should tell you which list it is listed in.

From their site, the error codes are:

       http.dnsbl.sorbs.net    127.0.0.2
      socks.dnsbl.sorbs.net    127.0.0.3
       misc.dnsbl.sorbs.net    127.0.0.4
       smtp.dnsbl.sorbs.net    127.0.0.5
   new.spam.dnsbl.sorbs.net    127.0.0.6
recent.spam.dnsbl.sorbs.net    127.0.0.6
   old.spam.dnsbl.sorbs.net    127.0.0.6
       spam.dnsbl.sorbs.net    127.0.0.6
escalations.dnsbl.sorbs.net    127.0.0.6
        web.dnsbl.sorbs.net    127.0.0.7
      block.dnsbl.sorbs.net    127.0.0.8
     zombie.dnsbl.sorbs.net    127.0.0.9
        dul.dnsbl.sorbs.net    127.0.0.10
    badconf.rhsbl.sorbs.net    127.0.0.11
     nomail.rhsbl.sorbs.net    127.0.0.12

Their description of each list (at the link above) will tell you if you are being blocked because of a bad block of IPs, a single IP, a domain which has requested not to be listed in their RBL, SPF violations etc.

From there, it should be easier to track down the specific cause.

Update: If you can't get the actual bounce message, you might be able to look up the IP of the sending MX server here: http://www.sorbs.net/lookup.shtml to get the details and save the guesswork.

Without a bounce message from the recipient's ISP, it is harder to track down which of the SORBS lists you are running afoul of. It is also strange that the recipient's ISP is sending out hand-generated emails rather than more detailed machine-generated ones, but there is nothing we can do about that :)

Normally, I would try doing a manual SMTP connection to the recipient's ISP and see if you can get a better message from it. However, it looks like you have already confirmed that their mail server is accepting the message (at least at this stage).

Guessing blind, the only things I could think of would be:

  1. An SPF problem (e.g. the sending MX server not being authorized to send mail for the domain via DNS SPF records)
  2. The following item on SORBS might somehow be implemented to block all email originating from a domain name associated with spam:

escalations.dnsbl.sorbs.net - This zone contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.

Especially since domain1.com has MX records mx.ispdomain.com, SORBS might link the two, i.e. it groups all hosts for a domain together based on their A and MX records.

BTW, it might also be a good idea to fix the problem with the mail server and get it de-listed. It looks like the SORBS list checks for open relays, broken scripts and such, which you would want to close no matter what the case.

jpgeek
  • The involved RBLs are already cited in the original question and are SORBS-WEB and SORBS-SPAM. – Luke404 Nov 08 '12 at 07:48
  • I clarified the question and explained there is no bounce to look at. I'm trying to make it clear that my question is actually about what antispam techniques could behave like that (because I don't know any that would) and not about solving the specific issue of this specific mail. – Luke404 Nov 08 '12 at 07:59
  • @Luke404 just updated the post based on your update. – jpgeek Nov 08 '12 at 08:33
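The answer above lists the SORBS return codes, and the question guesses that some filter resolves the mail domain's A record and checks that address in an RBL. The following added example (my own code, not from the question or either answer) ties the two together: it builds the reversed-octet DNSBL query name, decodes the 127.0.0.x answer into the zone names from the table above, and then runs the suspected "resolve the domain, check its A record" lookup so you can see how a listed web server can get a clean relay's mail rejected. It resolves through the OS resolver by default; the fake resolver, the domain1.com / ispdomain.com hostnames and the 203.0.113.0/24 addresses are constructed test data so the demo runs offline.

```python
#!/usr/bin/env python3
"""Decode SORBS DNSBL answers and reproduce a 'check the domain's A record' lookup."""
import socket
from typing import Callable, Dict, List

# A resolver maps a hostname to its IPv4 A records; an empty list means NXDOMAIN.
Resolver = Callable[[str], List[str]]

# Return codes exactly as listed in the SORBS table quoted in the answer above.
# Several spam-related zones share 127.0.0.6, so one code can mean several zones.
SORBS_CODES: Dict[str, List[str]] = {
    "127.0.0.2": ["http.dnsbl.sorbs.net"],
    "127.0.0.3": ["socks.dnsbl.sorbs.net"],
    "127.0.0.4": ["misc.dnsbl.sorbs.net"],
    "127.0.0.5": ["smtp.dnsbl.sorbs.net"],
    "127.0.0.6": ["new.spam.dnsbl.sorbs.net", "recent.spam.dnsbl.sorbs.net",
                  "old.spam.dnsbl.sorbs.net", "spam.dnsbl.sorbs.net",
                  "escalations.dnsbl.sorbs.net"],
    "127.0.0.7": ["web.dnsbl.sorbs.net"],
    "127.0.0.8": ["block.dnsbl.sorbs.net"],
    "127.0.0.9": ["zombie.dnsbl.sorbs.net"],
    "127.0.0.10": ["dul.dnsbl.sorbs.net"],
    "127.0.0.11": ["badconf.rhsbl.sorbs.net"],
    "127.0.0.12": ["nomail.rhsbl.sorbs.net"],
}


def system_resolver(name: str) -> List[str]:
    """Real lookup through the OS resolver; a failed lookup (NXDOMAIN) becomes []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def dnsbl_query_name(ip: str, zone: str = "dnsbl.sorbs.net") -> str:
    """DNSBL convention: reverse the octets and append the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def lookup_ip(ip: str, resolve: Resolver = system_resolver) -> List[str]:
    """Return the SORBS zones an IP is listed in; an empty list means not listed."""
    zones: List[str] = []
    for code in resolve(dnsbl_query_name(ip)):
        zones.extend(SORBS_CODES.get(code, ["unknown code " + code]))
    return zones


def check_domain_hosts(domain: str, resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """The behaviour the question suspects: resolve the domain's A record(s) and check
    each address in the DNSBL. Returns {ip: [zones]} for every listed address, so a
    listed web server shows up even though the mail never passed through it."""
    listed: Dict[str, List[str]] = {}
    for ip in resolve(domain):
        zones = lookup_ip(ip, resolve)
        if zones:
            listed[ip] = zones
    return listed


# Constructed offline stand-in for DNS (hypothetical hosts, TEST-NET-3 addresses):
# the sender domain's A record points at the web server, which is "listed" in
# SORBS-SPAM (127.0.0.6) and SORBS-WEB (127.0.0.7); the outbound relay has no entry.
FAKE_DNS: Dict[str, List[str]] = {
    "domain1.com": ["203.0.113.10"],            # web server hosting the site
    "smtpout.ispdomain.com": ["203.0.113.25"],  # the relay that actually sent the mail
    "10.113.0.203.dnsbl.sorbs.net": ["127.0.0.6", "127.0.0.7"],
    # no "25.113.0.203.dnsbl.sorbs.net" entry -> NXDOMAIN -> relay not listed
}


def fake_resolver(name: str) -> List[str]:
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    relay = lookup_ip("203.0.113.25", fake_resolver)
    print("relay 203.0.113.25:", ", ".join(relay) if relay else "not listed")
    for ip, zones in check_domain_hosts("domain1.com", fake_resolver).items():
        print(f"A record of domain1.com -> {ip} listed in: {', '.join(zones)}")
```

With the constructed data the relay comes back clean while the domain check flags the web server, which is exactly the false positive the question describes: the filter is judging the sender domain's website address, not the SMTP path. For a real check, drop the second argument so `system_resolver` is used; note that `gethostbyname_ex` only returns A records, so linking a domain to its MX hosts (as the answer speculates SORBS might) would need a resolver library that can query MX.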