
I got the following error message for several days when my server tried to send a message to an email address at t-online.de:

host mx02.t-online.de[194.25.134.9] refused to
talk to me: 554 IP=xx.xx.xx.xx - A problem occurred. (Ask your postmaster
for help or to contact tosa@rx.t-online.de to clarify.) (BL)

At several forums I read that this problem without the (BL) appendix occurs if you sent 100+ messages a day and/or they were spam. They say that after 24 hours, this quota will be set to zero again and you get unblocked automatically. But this did not happen. We were still blocked after 3 days.

Our server did not send any spam and was not compromised. Also, a possible reason could be redirect domains, e.g. user@example.com redirects to user@t-online.de. In this case, the hostmaster of example.com will be made "guilty" if he forwards spam he received. However, our server also uses no email forwarding, so this couldn't be the reason either.

Also, our server was not listed on any of the blacklists at ipvoid.com.

So, the question is why are we getting this error message and is our server probably compromised by hackers?

Daniel Marschall
  • The important part is that you did what the message indicated to do: contacted the address given. – Michael Hampton Jun 06 '14 at 16:21
  • This sounds obvious, but I didn't do it immediately because nearly all bulletin boards wrote that it will be automatically removed, otherwise your server is compromised or wrongly configured. I wanted to share this information with the community to look at the "(BL)". If it is not there, you just need to wait. If it is there, you must contact them. – Daniel Marschall Jun 06 '14 at 17:02

1 Answer


I have finally found out that all the pages I visited during research were talking about the error message without the (BL) suffix. Without "(BL)", the server wants to tell you that you are blocked automatically and will be unblocked automatically after 24 hours. You should check forward settings or spamming users, as discussed in the web forums.

In our case, the error message had the rare suffix "(BL)", which meant that our server was on the internal permanent blacklist which is a very rare condition and not well documented. Now it makes sense - BL stands for blacklisted, of course. Writing "Permanent blacklisted" would have helped.

After contacting the email address given in the error message, it turned out that it was not our server itself that was permanently blocked, but the datacenter, because there were too many spamming users. Due to our request, only our server IP (xx.xx.xx.xx/32) was whitelisted.

Daniel Marschall
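The distinction drawn in the answer above can be checked mechanically in a mail log. The following is an added example, not code from the original post or from T-Online: it classifies the quoted 554 refusal by whether the "(BL)" suffix is present. The Postfix-style log lines and the sender IPs (documentation ranges) are constructed, and the function names are hypothetical.

```python
import re

# Refusal text as quoted in the question; the trailing "(BL)" is optional.
REFUSAL = re.compile(
    r"host (?P<mx>\S+)\[(?P<mx_ip>[^\]]+)\] refused to talk to me: "
    r"554 IP=(?P<our_ip>\S+) - A problem occurred\. "
    r"\(Ask your postmaster for help or to contact (?P<contact>\S+@\S+) to clarify\.\)"
    r"(?P<bl>\s*\(BL\))?")

def classify(line):
    """Describe a refusal, or return None if the line is unrelated."""
    # Bounce text is often wrapped; collapse all whitespace before matching.
    m = REFUSAL.search(" ".join(line.split()))
    if not m:
        return None
    permanent = m.group("bl") is not None
    return {
        "our_ip": m.group("our_ip"),
        "kind": "permanent-blacklist" if permanent else "automatic-block",
        # Actions follow the answer: (BL) needs contact, otherwise it lifts itself.
        "action": "write to " + m.group("contact") if permanent
        else "check forwards/spamming users; lifts automatically after 24 hours",
    }

def summarize(lines):
    """Count refusals per (sending IP, kind) and keep the action for each."""
    out = {}
    for line in lines:
        hit = classify(line)
        if hit:
            entry = out.setdefault((hit["our_ip"], hit["kind"]),
                                   {"count": 0, "action": hit["action"]})
            entry["count"] += 1
    return out

# Constructed sample log lines (not taken from a real server).
MSG = ("host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP={ip} "
       "- A problem occurred. (Ask your postmaster for help or to contact "
       "tosa@rx.t-online.de to clarify.)")
PFX = "Jun  6 10:{m}:01 mail postfix/smtp[2101]: 4F1A{m}: to=<u@t-online.de>, status=deferred ("
SAMPLE = [
    PFX.format(m=15) + MSG.format(ip="192.0.2.10") + " (BL))",
    PFX.format(m=20) + MSG.format(ip="192.0.2.10") + " (BL))",
    PFX.format(m=31) + MSG.format(ip="198.51.100.7") + ")",
    "Jun  6 10:32:10 mail postfix/smtp[2114]: 4F1D0: to=<d@example.org>, status=sent (250 2.0.0 Ok)",
]

if __name__ == "__main__":
    for (ip, kind), info in summarize(SAMPLE).items():
        print(ip, kind, info["count"], "->", info["action"])
```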
  • It can't be that rare. The first IP address I tried from got the same error message from that server. – kasperd Jun 06 '14 at 16:25
  • The error message with the appended "(BL)" is rather rare. However, in most bulletin boards, also the official t-online one, you are often reading "wait 24h" (this was the reason why I didn't contact the mail address immediately), which is wrong for "(BL)" permanent bans, so I shared this solution here. – Daniel Marschall Jun 06 '14 at 16:51
  • That's what we do as well - when there's more than a few potentially malicious servers in a subnet (short-term or generic domain names) we blacklist the whole subnet or ISP. The legit users then need to be whitelisted one by one. – Zac67 Aug 24 '17 at 10:23
  • We've seen this when t-online doesn't have any reputation information from a block -- they just blacklist the entire thing automatically. Not exactly best practices IMHO :). – madscientist159 Mar 31 '19 at 08:05
  • Thanks for sharing. T-Online uses the Cyren IP reputation database. Recently I have seen blacklisting with Office 365 too. Microsoft autobans non-Office365-hosted email senders. Administrators have to use Microsoft's delist portal to remove themselves from the blocked senders list. – NOOO Nov 11 '19 at 19:41