How IP Addresses and Domain Names Get Blacklisted
One click, domain blacklist analyzer. It scans your domain against 100+ global email blocklists and identifies potential email delivery problems and solutions.
Introduction
It is always worrisome for a business when its domain name or server IP address gets blacklisted, and sometimes the reason behind the blacklisting remains unknown to us.
So what can be the root cause of a domain name or IP getting blacklisted?
In this blog, I have tried to explain what a blacklist is, how blacklists work behind the scenes, how you can check whether your domain is listed, and what can be done to get it removed from a blacklist.
Before you move forward, I would recommend that you learn a bit about spam, which can be directly or indirectly related to a domain name getting blacklisted.
How Is Email Spam Directly Related to the Domain Blocklist?
Email spam is unwanted, irrelevant messages sent in bulk to users, subscribers and non-subscribers alike. Since these messages are unimportant and the users never subscribed to them, they might report them as spam. An increase in spam complaints leads ISPs to put your IP address or domain name on a blacklist, which degrades the reputation of the domain and the server IP.
Blacklisting can happen for many reasons, including issues with the email headers, the content, the From address, the server from which the email was originally generated, and similar factors.
In most scenarios, it is a sign of improper server settings or issues with the email server that you own or rent, or a sign that you have not followed email sending guidelines. You can learn more about email spam from the previous tutorials.
Email spam continues to be an ever-evolving issue, but it can be understood and solved by following guidelines that help keep your domain name and IP address from getting blacklisted on global Realtime Blackhole Lists (DNSBLs).
What Is Blocklisting and How Does Your IP Get Listed?
From the user's perspective, let's assume you are receiving lots of spam. What will be your first step to stop it?
There are two ways: you can block the sender, or you can report the email as spam. If you do this a few more times, the ISP (internet service providers such as Gmail, Yahoo, and Outlook) will automatically add that domain name or IP to its spam list.
But when it comes to prevention mechanisms, the first thing an email administrator does is simply block the IP address or domain name that looks suspicious. To make this process clean and secure, the idea of centralizing and crowdsourcing the data was fostered, which resulted in the birth of DNSBLs.
DNSBLs can be thought of as web cops who monitor IP addresses and domain names; if one of them does something that is against the RBL's rules, the DNSBL has the right to put that IP or domain on its list.
Almost every DNSBL maintains its own set of rules on which it operates; mostly, DNSBLs have categories related to abuse or spam. These DNSBLs have a variety of methods for collecting suspicious IP addresses that don't follow the rules or that engage in hacking, botnets, or malware.
If your IP is listed in a DNSBL, then at some earlier point it might have been used for sending spam, or it might have shown up in email traps, honeypots, or botnet analysis.
Working with IP Address Lookups?
As mentioned earlier, every DNSBL follows its own set of rules, and it adds IPs to its list on the basis of those rules. The domain reputation data is open to the public, so anyone can look up their IP or domain name and check the reason for the listing.
DNS servers were originally meant for domain lookups only, but thanks to its high scalability and low overhead, DNS has gained a considerable reputation for looking up IPs as well.
Checking the lookups technically:
1. Reverse the IP address.
2. Add the DNSBL domain after the reversed IP address.
3. Do a lookup for the resulting domain.
If your IP or domain is listed, an IP address will be returned; if it is not listed, the result will be "NXDOMAIN/Non-existent domain."
IP address (1.12.103.153):
Name: 153.103.12.1.zen.spamhaus.org
Address: 127.0.0.10
An address that is not listed looks as follows:
IP address (8.8.8.8):
Name: 8.8.8.8.zen.spamhaus.org
*** server can’t find 8.8.8.8.zen.spamhaus.org: Non-existent domain
What is the actual command used to get the result?
dig a +short (domain.name).(blacklist-domain-name) @(ns IP)[optional]
e.g. dig a +short example.com.hostkarma.junkemailfilter.com
//resulting output
127.0.0.1
127.0.0.3
127.0.0.2
127.0.0.5
127.0.1.1
127.0.1.2
127.0.1.3
127.0.1.4
127.0.2.1
127.0.2.2
127.0.2.3
Different DNSBLs have different ways of handling the responses. To confirm whether the domain is registered on a blocklist or not, it is recommended to check other sources as well, including a list of DNSBLs.
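The three lookup steps above, as an added Python example (not code from the original article or from the tool it describes). It goes slightly beyond the text by also handling IPv6 and domain-based lists, and by refusing to count error codes or answers outside 127.0.0.0/8 as listings; the `.example` zones and the `FAKE_DNS` table are constructed sample data, and applying Spamhaus's error range to every zone is an assumption.

```python
import ipaddress
import socket

SPAMHAUS_ERRORS = ipaddress.ip_network("127.255.255.0/24")  # error codes, not listings
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")              # valid DNSBL return range

def dnsbl_query_name(target, zone):
    """Steps 1 and 2: reversed IP (or the domain as-is) followed by the DNSBL zone."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"{target.rstrip('.')}.{zone}"        # domain-based list: no reversal
    # reverse_pointer is '153.103.12.1.in-addr.arpa' (IPv4) or nibbles + '.ip6.arpa'
    return f"{ip.reverse_pointer.rsplit('.', 2)[0]}.{zone}"

def system_resolver(name):
    """Step 3 against real DNS (needs network). [] stands for NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []   # also swallows resolver failures; separate them in production

def classify(answers):
    """Turn the A records a DNSBL returned into a verdict."""
    if not answers:
        return "not listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in SPAMHAUS_ERRORS for a in addrs):
        return "error"        # e.g. query refused because it came via a public resolver
    if all(a in LOOPBACK for a in addrs):
        return "listed"
    return "invalid"          # outside 127/8: wildcard or hijacked zone, not a listing

def check(target, zones, resolver=system_resolver):
    return {z: classify(resolver(dnsbl_query_name(target, z))) for z in zones}

# Constructed responses: the first entry is the article's sample, the rest are made up.
FAKE_DNS = {
    "153.103.12.1.zen.spamhaus.org": ["127.0.0.10"],
    "153.103.12.1.dnsbl.example": ["127.255.255.254"],
    "153.103.12.1.expired.example": ["203.0.113.7"],
}

def demo():
    zones = ["zen.spamhaus.org", "dnsbl.example", "expired.example", "other.example"]
    return check("1.12.103.153", zones, resolver=lambda n: FAKE_DNS.get(n, []))

if __name__ == "__main__":
    for zone, verdict in demo().items():
        print(f"{zone:20} {verdict}")
```

Calling `check()` without the `resolver` argument performs the same lookups against live DNS through the system resolver.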
This was the technical side of how to look up different blocklist servers and check whether the domain is trapped or not. But you no longer need to put in the implementation effort, because my team and I have already done it for you.
This tool not only looks up 100+ DNSBLs but also suggests the delisting steps if your domain or IP address is trapped. The best part of this tool is that we have open-sourced it, and it is free. So, no matter how many domains you want to check, there is no restriction.
For example, let's assume you want to search for the domain "google.com". You just need to add the search string in the input field of the Pepipost tool.
I hope this tool will give you a good overview of your domain and IP address restrictions. Feel free to check the tool, and do let me know through the comments if you have any kind of suggestion.