One of my clients complained to me that some of their email wasn’t being delivered. I investigated and discovered that email to them through my server was being bounced. The error message in the maillog was:
Feb 25 10:44:59 server1 postfix/smtp: 852EA400001: to=
, relay=mail.global.bigfish.com[18.104.22.168], delay=2, status=bounced (host mail.global.bigfish.com[22.214.171.124] said: 550 Service unavailable; Client host [126.96.36.199] blocked using 88.blacklist.zap; Mail From IP Banned To request removal from this list please forward this message to firstname.lastname@example.org (in reply to RCPT TO command))
Visiting Frontbridge.com takes you to a page at Microsoft.com. Frontbridge is apparently Microsoft’s hosted Exchange servers. So I emailed that message to the address given in the bounce message, and got an auto-acknowledgment that they would look into removing my server from the block. This morning I got an email that my IP has been safelisted. But:
As long as this IP address does not continue to send a majority of spam, messages will continue to be allowed to route through our network. If this IP address gets relisted after a period of time, further assessment of this IP would be required and the removal process would be more difficult.
So I emailed and asked what spam they think my server had been sending. The response:
The 88.blacklist.zap is an internal list generated with logs from our spam filtering engines. IP addresses may end up on this list if a certain percentage of the mail received by our network from that IP address is marked as spam by our filters for a given period of time. For example 90 percent of the mail is spam for 15 days. The thresholds are variable and may change as needed to ensure the safety of our network.
When the IP address is listed in the blacklist, all emails coming into our network from that IP address are blocked without going further into our filters.
We do not keep a copy of spam messages in our server. After the IP address has been safelisted, we cannot provide you traces or logs of spams prior to being delisted.
So if I have no idea what messages are triggering their alarms, I can’t fight the problem. I can’t even protest, since I don’t think I’m sending spam. Which probably means I’ll be losing a client if I get blacklisted again by Frontbridge.
Through watching the logs, I think I’ve figured it out. I use Mailman to manage mailing lists. For that client, the list is set to reject any message sent to the list from a non-subscriber. That message though is forwarded to the list-owner. So the 100 spam messages that are sent to that list everyday were being forwarded to my client. Frontbridge saw those messages and concluded they were spam. I’ve turned that option off, so now my client won’t get those refused messages. Hopefully no one on the list will accidentally use the wrong address to post, because no one will get a warning they tried to do that.