Netgate Discussion Forum
    My IP always listed in blacklist…

    Scheduled Pinned Locked Moved Off-Topic & Non-Support Discussion
    10 Posts 4 Posters 6.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sap68
      last edited by

      Hi,

I have a LAN with some PCs infected, so my WAN IP is often listed in blacklists.
This causes many problems for my mail server…

I tried to:

• Change the public IP on my mail server so that, with NAT, I have the server on one public IP and the LAN on another
• Block outbound SMTP traffic from my LAN except from the mail server

But I always stay on that blacklist.
The mail server is a Mac; I'm pretty sure it's OK and not compromised...

Sure, the first thing is cleaning all my PCs, but at the firewall level, is there nothing I can do?

      Thanks in advance...

tommyboy180

Blacklists don't change overnight in respect to removing IPs. You need to contact the maintainer of the blacklist to get removed.
        Usually IPs will stay on a blacklist for years.

        -Tom Schaefer

Cry Havok

          I would recommend the following process:

1. Install (and keep up to date) good AV on all systems. If you can't afford to spend any money on this then Avast is worth using.
          2. Ensure all systems and applications are kept up to date with patches
          3. Remove all infections, possibly by erasing and rebuilding all systems
          4. Confirm your network is clean
          5. Contact the blacklist maintainer a week later, asking for removal

          Note that your IP will always be listed in the DUL and similar lists that list end-user IP ranges.

sap68

            @tommyboy180:

Blacklists don't change overnight in respect to removing IPs. You need to contact the maintainer of the blacklist to get removed.
            Usually IPs will stay on a blacklist for years.

Just a thought: I have 8 public IPs; I use one of these for LAN navigation on the internet.
Today I moved my mail server to another IP (not listed in mxtoolbox.com) with NAT 1:1.

But suddenly, just a few minutes later, I have that IP blacklisted!

It's very strange, how can it be that the infected PCs use this new public IP? Weird…

sap68

              @Cry:

              I would recommend the following process:

1. Install (and keep up to date) good AV on all systems. If you can't afford to spend any money on this then Avast is worth using.

This is a scheduled task, but it doesn't depend on me.
I'm responsible only for the corporate firewall and I need to implement some techniques to limit the damage…

              @Cry:

              1. Ensure all systems and applications are kept up to date with patches

              I think this is done.

              @Cry:

              1. Remove all infections, possibly by erasing and rebuilding all systems
              2. Confirm your network is clean

              Scheduled

              @Cry:

              1. Contact the blacklist maintainer a week later, asking for removal

              Ok, after all scheduled operations…

              @Cry:

              Note that your IP will always be listed in the DUL and similar lists that list end-user IP ranges.

              Thanks

Cry Havok

                @sap68:

This is a scheduled task, but it doesn't depend on me.
I'm responsible only for the corporate firewall and I need to implement some techniques to limit the damage…

                In that case, there are 3 things you can do:

                1. Block all outbound ports by default
                2. Configure the pfSense host to act as the LAN's DNS server and a proxy server
                3. Configure a mail server if email is required and allow only it to send and receive email (SMTP 25/TCP), ensure it filters all inbound and outbound email for malware and spam

netmethods

It sounds like your mail server is an open relay… or your IP subnet is blocked. It's common for customers on RR/TWC and Verizon to be on subnets marked as DHCP subnets. I've had several customers have this happen and it seems to be showing up more and more often. The only resolution is to get your ISP to change your subnet, change your ISP or make your ISP give you a smart host to relay off of (and don't let them charge you for it).

sap68

                    @netmethods:

It sounds like your mail server is an open relay… or your IP subnet is blocked. It's common for customers on RR/TWC and Verizon to be on subnets marked as DHCP subnets. I've had several customers have this happen and it seems to be showing up more and more often. The only resolution is to get your ISP to change your subnet, change your ISP or make your ISP give you a smart host to relay off of (and don't let them charge you for it).

I'm sure that the server is not an open relay. Maybe changing the subnet can solve the problem, but only temporarily, because if the PC technicians don't eradicate the virus or spambot, we will soon have the IP blacklisted again…

I think the best I can do for now is to close all outbound traffic except for my mail server and proxy all traffic through pfSense.

                    Thanks.

sap68

                      @Cry:

                      In that case, there are 3 things you can do:

                      1. Block all outbound ports by default
                      2. Configure the pfSense host to act as the LAN's DNS server and a proxy server
                      3. Configure a mail server if email is required and allow only it to send and receive email (SMTP 25/TCP), ensure it filters all inbound and outbound email for malware and spam

1 + 2: what is the goal of proxying all outbound traffic?
The spambot or trojan can't communicate directly through the internet and will be blocked?

Cry Havok

                        @sap68:

1 + 2: what is the goal of proxying all outbound traffic?
The spambot or trojan can't communicate directly through the internet and will be blocked?

The goal is to control all the outbound connections, ideally by not allowing any direct outbound traffic. By forcing all outbound traffic through a proxy you can manage it better, and log it all. If you install an email server and configure it to scan for (and block) spam and malware then that should stop any spambots.

By forcing all outbound email through a single, managed, email server and all other outbound traffic through a proxy (or opening a single port for a single computer where the program can't work through a proxy) you can log everything. Once you've got those logs you have to go through them to find the problems and deal with them. It'll take time and effort to do that.

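The "go through the logs" step above is where the infected hosts are actually found. This added example (not from the thread or from pfSense) shows how to triage firewall block logs under the egress policy Cry Havok describes: it assumes a mail server at 192.168.1.10 and a LAN of 192.168.1.0/24, and it parses a constructed, simplified CSV log layout (time,action,dir,proto,src,dst,dport) rather than the real pfSense filterlog format. It reports workstations that tried to talk to many different mail servers directly (the direct-to-MX spambot pattern), SMTP that the firewall passed from hosts that should have been blocked, and blocked SMTP from the mail server itself (a sign the allow rule or 1:1 NAT is wrong, which matters given the "new IP blacklisted in minutes" puzzle earlier in the thread).

```python
# Added example (not from the thread): triage outbound SMTP in firewall logs
# to find spambot hosts.  Assumes the egress policy discussed above: only the
# mail server may open outbound SMTP, all else is blocked and logged.  The log
# layout is a constructed, simplified CSV (time,action,dir,proto,src,dst,dport),
# NOT the real pfSense filterlog format; sample addresses are RFC 5737 ranges.
from collections import Counter, defaultdict
import ipaddress

MAIL_SERVER = ipaddress.ip_address("192.168.1.10")  # assumed: only allowed sender
LAN = ipaddress.ip_network("192.168.1.0/24")         # assumed LAN range
SMTP_PORTS = {25, 465, 587}                           # submission ports count too

SAMPLE_LOG = """\
2024-05-01T10:00:01,block,out,tcp,192.168.1.23,203.0.113.5,25
2024-05-01T10:00:02,block,out,tcp,192.168.1.23,198.51.100.9,25
2024-05-01T10:00:03,pass,out,tcp,192.168.1.10,203.0.113.5,25
2024-05-01T10:00:04,pass,out,tcp,192.168.1.45,203.0.113.77,587
2024-05-01T10:00:05,block,out,udp,192.168.1.23,203.0.113.53,53
2024-05-01T10:00:06,block,out,tcp,192.168.1.23,192.0.2.100,25
2024-05-01T10:00:07,block,out,tcp,192.168.1.10,192.0.2.1,25
2024-05-01T10:00:08,block,in,tcp,203.0.113.9,192.168.1.10,25
"""

def parse_line(line):
    """Split one CSV record into fields; return None if it does not parse."""
    p = line.strip().split(",")
    try:
        return {"action": p[1], "direction": p[2], "proto": p[3],
                "src": ipaddress.ip_address(p[4]),
                "dst": ipaddress.ip_address(p[5]), "dport": int(p[6])}
    except (IndexError, ValueError):
        return None

def analyze(log_text):
    """Return (suspects, policy_gaps, mail_server_blocked): LAN host -> distinct
    SMTP destinations tried (many MXes from a workstation = direct-to-MX spambot),
    SMTP the firewall PASSED from non-mail-server hosts (block rule not working),
    and blocked SMTP from the mail server itself (wrong allow rule or NAT map)."""
    dests, gaps, mail_blocked = defaultdict(set), Counter(), 0
    for raw in log_text.splitlines():
        r = parse_line(raw)
        if r is None or r["direction"] != "out" or r["proto"] != "tcp" \
                or r["dport"] not in SMTP_PORTS or r["src"] not in LAN:
            continue
        if r["src"] == MAIL_SERVER:
            mail_blocked += r["action"] == "block"
            continue
        dests[str(r["src"])].add(str(r["dst"]))
        if r["action"] == "pass":
            gaps[str(r["src"])] += 1
    return {h: len(d) for h, d in dests.items()}, dict(gaps), mail_blocked
```

On the sample, 192.168.1.23 stands out with three distinct MX destinations, 192.168.1.45 shows the block rule let a submission-port connection through, and one blocked attempt from the mail server itself flags a rule or NAT problem to check.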