
Recently I noticed that the email server IP address 88.119.185.129 has been added to the Symantec email blacklist. This IP is clean and not listed on any other blacklists. The email server is not an open relay, all emails are signed with strong DKIM, PRVS is also used, and no spam emails are sent. The IP has valid PTR (reverse DNS) and SPF records. No suspicious activity; it's a clean machine. I have tried several times to ask for removal from the Symantec email blacklist at the IP Address Investigation Request page, and they removed it, but after 1 day the IP was added again. I have heard lots of people complain about this Symantec blacklist. How to fight them? It is impossible to send emails to several domains now.

  • Are you quite certain that no spam is originating from that IP address? – Michael Hampton Aug 09 '20 at 13:25
  • Yes, all server traffic is recorded. – Ernestas Gruodis Aug 09 '20 at 13:29
  • How are you recording all the server traffic? – Tero Kilkanen Aug 09 '20 at 13:30
  • To a file, on the CLI, etc. It is possible to see and analyze all socket activity (ports 25, ...). I mean only for the server administrator. – Ernestas Gruodis Aug 09 '20 at 13:35
  • I have experienced the same problems for 3 weeks. The address of the email server of CANSPACE, a leading Canadian domain registrar, is blocked. After reporting to https://ipremoval.sms.symantec.com/remove the address is removed, but 2 days later it is back again. No other blacklist reports ANY problems with this address. The receiving email provider where email is blocked referred to Symantec and confirmed that **they are not blocking this address.** Stefan Sidl, – user946769 Dec 21 '21 at 19:33
  • Does this answer your question? [Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?](https://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user) – Gerald Schneider Feb 23 '22 at 12:27

2 Answers

Short answer: Your server is sending spam.

Long answer: Someone somewhere flags a message that he/she received as spam. Most probably an indirect outgoing message, maybe a forwarding address.

bjoster
  • Regarding spam: impossible. I think they are supporting media giants like Gmail, etc., and forcing people to use their services and not some widely unknown SMTP servers. If that were the real case, Symantec would provide proof in some form. This makes me not trust their products. – Ernestas Gruodis Aug 10 '20 at 16:34
  • This is interesting. I plugged in an IP address I control which has not been used for over a year, and it also came up with a "negative reputation". So too with several other IP addresses of VMs which don't send mail. I don't know what Symantec is doing, but I'm pretty sure now that they're doing it wrong. – Michael Hampton Aug 10 '20 at 16:59
  • Unused IPs are *usually* not 'negative', but DUL or SORBS (see https://www.zytrax.com/books//dns/ch9/dnsbl.html for details). Technically they can't have a reputation, or they inherited a bad one (maybe from a netblock). But Symantec is the king and queen of non-transparency here; I don't recommend using their stuff because of this, too. – bjoster Aug 11 '20 at 09:46

I had the same situation with a new IP address we received after a server upgrade. We definitely didn't send any spam or bulk mails, and our server was not an open relay. (I currently operate 6 mail servers for different clients; I have done that for more than 20 years and have never had such a problem before.)
The problem is that Microsoft's mail services like hotmail.com use this list, and nearly all mails sent by a server with an IP address on Symantec's list are classified as spam.
Our clients complained that our mails were now classified as spam and regularly marked them as not spam. It did not help. We tried that for 3 weeks. I frequently requested removal of our IP at https://ipremoval.sms.symantec.com/ ; it did not help.
I contacted Microsoft and they said all is fine with our IP address and there is nothing further they can do.
I wasn't able to reach anyone at Symantec.

Then I contacted our provider and asked for another IP.
I got another IP address in the same address range, but it had the same problem. We did not even send out ANY mails using that address, but always a few hours after our request to remove the address, it was listed by Symantec again.
Our provider confirmed that there are sometimes problems with certain addresses and that they also have no contacts at Symantec.
Finally we got another IP address from our provider in another IP range, and now all works fine.

So if you are certain that your server is not an open relay and, e.g., you get a good score here: https://www.mail-tester.com/, I would recommend getting another IP address from your provider in another address range.

HaWei
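The question and both answers lean on two checks that can be scripted before escalating to a provider: that the IP is absent from the public DNSBLs, and that its PTR record is forward-confirmed. The Python below is an added example, not code from any poster; the DNSBL zones are ones I chose, the resolver is injected so the constructed `FAKE_*` data runs offline, and Symantec's reputation list is not a public DNSBL, so it cannot be queried this way.

```python
import ipaddress
import socket

# Public DNSBL zones chosen for this example. Symantec's reputation list is not a
# public DNSBL, so it cannot be queried with this mechanism.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net"]

def dnsbl_query_name(ip, zone):
    """DNSBL convention: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_dnsbls(ip, zones, resolve_a):
    """Return {zone: listing code} for every zone where ip is listed. resolve_a(name)
    gives the A records or [] on NXDOMAIN; a DNSBL answers 127.0.0.x when listed."""
    hits = {z: resolve_a(dnsbl_query_name(ip, z)) for z in zones}
    return {z: a[0] for z, a in hits.items() if a}

def fcrdns_ok(ip, resolve_ptr, resolve_a):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to ip."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))

def live_resolve_a(name):
    """Stdlib A lookup for real use; NXDOMAIN or any failure yields []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def live_resolve_ptr(ip):
    """Stdlib PTR lookup for real use; no PTR yields []."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

# Constructed DNS data so the demo runs offline: the address from the question
# gets a forward-confirmed PTR and is listed only in a made-up zone.
FAKE_DNS = {
    "mail.example.net": ["88.119.185.129"],
    "129.185.119.88.dnsbl.example.invalid": ["127.0.0.2"],
}
FAKE_PTR = {"88.119.185.129": ["mail.example.net"]}

def fake_resolve_a(name):
    return FAKE_DNS.get(name, [])

def fake_resolve_ptr(ip):
    return FAKE_PTR.get(ip, [])
```

Against live DNS, call `check_dnsbls(ip, DNSBL_ZONES, live_resolve_a)` and `fcrdns_ok(ip, live_resolve_ptr, live_resolve_a)`; an empty dict plus `True` is the state the question describes.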