  • IP Address Blocked, Unable to Send Email

      • #1967560 Reply
        DavidForrest57
        AskWoody Lounger

        I’m not sure where this post belongs, so I will ask the moderators to move to it where it best fits.

        Just recently I had problems sending emails from my email clients. I use Thunderbird on Windows & Linux, and the stock email app on my Android tablet.

        The problem was restricted to emails sent via my ISP accounts (outgoing server smtp.virginmedia.com); I was able to send emails from my Gmail accounts via the same apps without any connection errors.

        Using Thunderbird, I was able to log the error, and my ISP said that the error code indicated that the block on sending emails from their accounts was because my IP address was listed in the Spamhaus SBLCSS database.

        I checked the Spamhaus SBLCSS database, and sure enough, my IP address was listed.

        After posting several messages on my ISP’s community forum, and not really getting anywhere, I scanned all of my systems for malware, but found nothing that would explain my IP address appearing on the Spamhaus SBLCSS database.

        The next day, after being advised to scan/clean my systems and apply for a delisting, I found that my IP address was no longer listed in the SBL database, and my email clients worked perfectly.

        Can anybody explain why my IP address would appear on the Spamhaus SBLCSS database, when all of my systems showed up clean, and why it would then spontaneously disappear without any action on my part?

        Could there be a problem with the Spamhaus SBLCSS database? Or does the problem lie with my ISP?

        By the way, this seems to have happened to numerous customers of the same ISP over a period of months; so it’s not just me. I can’t help but think my ISP is giving its affected customers the run-around!

      • #1967562 Reply
        PKCano
        Da Boss

        Your problem is the dynamic IP addressing used by your ISP.

        Because the ISP doesn’t have enough IP addresses to give all their customers a static (same all the time) IP address, they use dynamic addressing. In other words, there is a pool of IP addresses and when you connect you get one out of the pool (not the same one all the time).

        Evidently, someone misused the IP address you got once to do some spamming (but you didn’t get the same one the next time). The spamming was reported to the Spamhaus SBLCSS database and the IP was blocked. You were the victim of someone else’s misuse.

        You can check your IP with Spamhaus before using it, and if it is listed, disconnect from the Internet. Reconnect and see if it gives you a good IP next time.

         

        • #1967563 Reply
          DavidForrest57
          AskWoody Lounger

          Thanks for your clear explanation.

          However, it was the same IP address both times. Blocked one day, but not the next; I didn’t do anything to delist it.

          Do IP addresses get delisted automatically if there’s no nefarious activity for a certain period of time?

          • #1967564 Reply
            PKCano
            Da Boss

            Delisting after a period of non-activity is a very possible explanation.

            • #1967569 Reply
              DavidForrest57
              AskWoody Lounger

              Just checked here:

              https://www.spamhaus.org/faq/section/Spamhaus%20SBL#137

              and read this:

              “The CSS component of the SBL, a spam source IP address zone, has an automated expiration system. Unlike traditional SBL records, SBL CSS records are automatically expired three days after last detection. For this automatic expiration to work, it is vital that all spamming is terminated”.

              I’ve never bothered much about my IP address, but it looks like I was recently assigned a bad one, that came good after being used by my clean system for three days or so. Something to watch for in future!

              • #1968290 Reply
                Kirsty
                Da Boss

                Spamhaus lists a variety of reasons. Click on the link in your IP query to see the reason (some of which do not automatically resolve in time).

                For instance:

                Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on “SMTP Authentication” in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem click here.
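
The Spamhaus check discussed in the posts above can also be done as a DNS query, which shows which list (SBL, CSS, XBL or PBL) an address is on. This is an added example, not part of the thread; it assumes the combined zone `zen.spamhaus.org` with Spamhaus's published return codes, and the function names are the example's own.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Last octet of a 127.0.0.x answer identifies the list.
LISTS = {2: "SBL", 3: "SBL CSS (auto-expires after last detection)",
         4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         10: "PBL (set by the ISP)", 11: "PBL (set by Spamhaus)"}
# Answers in 127.255.255.x report a problem with the query, not a listing.
ERRORS = {"127.255.255.252": "typo in DNSBL zone name",
          "127.255.255.254": "query came through a public/open resolver",
          "127.255.255.255": "query limit exceeded"}


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in RFC1918):
        raise ValueError("LAN address; query the public IP instead")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answers):
    """Turn the A records of a reply into a verdict.

    An empty list means NXDOMAIN, i.e. the address is not listed.
    """
    errors = [ERRORS[a] for a in answers if a in ERRORS]
    if errors:
        # An error code says nothing about the address itself.
        return {"status": "error", "reasons": errors}
    reasons = sorted({LISTS.get(int(a.rsplit(".", 1)[1]), "unknown code " + a)
                      for a in answers if a.startswith("127.0.0.")})
    return {"status": "listed" if reasons else "not listed",
            "reasons": reasons}


def lookup(ip):
    """Query the zone through the system resolver."""
    try:
        answers = socket.gethostbyname_ex(dnsbl_name(ip))[2]
    except socket.gaierror:
        answers = []  # NXDOMAIN; a resolver failure also lands here
    return interpret(answers)
```

An "error" verdict means the resolver in use is not accepted by Spamhaus, so the result says nothing about whether the address is listed.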

      • #1968270 Reply
        Alex5723
        AskWoody Plus

        I checked the Spamhaus SBLCSS database, and sure enough, my IP address was listed.

        Is your network/router protected by a strong password? It could be that a neighbour, passing by stranger… used your network/IP for spam.

        Have you scanned your PC for spamming malware?

        • #1971102 Reply
          DavidForrest57
          AskWoody Lounger

          Yes, it has a strong password; nothing dumb like “password”.

          I’ve used Wireless Network Watcher to check for anything else on my network, but there are only these three systems, plus my Chromecast.

      • #1971103 Reply
        DavidForrest57
        AskWoody Lounger

        My ISP has advised that my IP address changed last on 20 August, which is when I received a new router from them. I’m pretty sure that the blacklisting of my IP address on SBLCSS occurred after this date, because I’ve sent emails successfully since the change of router. So I think we can rule out my receipt of a blacklisted IP address, as PKCano suggested.

        My IP address was automatically delisted from the SBLCSS on Sunday (29 Sept), presumably after 3 days of non-detection. Today, three days later, my IP address is still showing up clear, meaning no detections for 6 days. If there’s malware present, it’s lying low for now!

        I have scanned the three systems on my network but no malware was detected:

        • Windows 10 (1903) full scan with Windows Defender and Malwarebytes (Free).
        • Android tablet scanned with Malwarebytes.
        • Android phone scanned with Malwarebytes.

        I’ve used Wireless Network Watcher to check for anything else on my network, but there are only these three systems, plus my Chromecast.

        Given this additional information, can anyone suggest why my IP address should appear on the SBLCSS and then be delisted again?

      • #1971117 Reply
        jabeattyauditor
        AskWoody Lounger

        The IP address that matters is the IP of the SMTP server you’re using – the server that isn’t under your control – smtp.virginmedia.com.

        You can scan and rescan your own local systems to your heart’s content, but it won’t matter at all – the SHARED SMTP server’s IP is the one that was blacklisted, and it’ll most likely be blacklisted again in the future. (Just Google blacklisted virginmedia SMTP server and check out all the threads.)

        Someone/multiple someones are using that server for outbound spam and your ISP isn’t doing much about it.

        YOU can’t do much except use a different ISP or a different mail service.

        The dynamic IP address of your network connection has ABSOLUTELY NOTHING to do with this situation.

        2 users thanked author for this post.
      • #1971412 Reply
        DavidForrest57
        AskWoody Lounger

        Thanks for taking the time to help.

        The fact is that when my dynamic IP address was on the SBLCSS blacklist I was unable to send mail via the SMTP server. Once it dropped off the list (which it did without any action on my part), I was able to send mail again.

        I’m afraid I know very little about networking, but your reply that:

        The dynamic IP address of your network connection has ABSOLUTELY NOTHING to do with this situation.

        seems to be at odds with the above observation. To my uneducated mind, there seems to be a definite link between my network IP being blacklisted and being unable to send mail via the SMTP server.

        Could you explain a little more, please?

        My ISP maintains that such problems must be due to malware on the user’s network, even when nothing shows up in virus and malware scans. My ISP’s policy is to tell affected customers that it’s the user’s system at fault and it’s up to the user to fix things.

      • #1971465 Reply
        Paul T
        AskWoody MVP

        The IP address that matters is the IP of the SMTP server you’re using

        Not quite. It may be that your ISP monitors the Spamhaus database and blocks SMTP traffic to their SMTP server from listed IP addresses – it should block all SMTP traffic from listed addresses IMO.
        This is consistent with your mail clients complaining when trying to send via the VM SMTP server.

        cheers, Paul

        1 user thanked author for this post.
        • #1971499 Reply
          mn–
          AskWoody Lounger

          Not quite. It may be that your ISP monitors the Spamhaus database and blocks SMTP traffic to their SMTP server from listed IP addresses – it should block all SMTP traffic from listed addresses IMO.

          Yes… “should” is a good word.

          Now, there are still several alternatives as to what exactly might have happened, and without seeing detailed error messages and logging content it’s sort of hard to tell.

          I have had individual messages blocked because I had quoted someone else’s message that included a blocked IP address… yes, in the quoted message text.

          Worst case, all it takes is someone misconfiguring something to block a specific string, possibly with wildcards, that can be interpreted as a blocked address… but actually meant something like a warehouse shelf code, software version number, date/timestamp, or some such.

          Also if there was a sender who managed to spoof your local IP or the server’s IP, well, could even be a standard reactive block if that wasn’t detected as a spoof, even if you also had the address and didn’t send spam.

          1 user thanked author for this post.
        • #1971567 Reply
          DavidForrest57
          AskWoody Lounger

          My ISP advised that the error message I was getting indicated that my Sending IP address was on the SBLCSS list.

      • #1971472 Reply
        anonymous
        Guest

        It could have been that someone was running a mail server off the dynamic IP address you had which caused the issue. Usually spam blacklists pick the SMTP server IP (your ISP), not the HELO IP (your dynamic IP).

        2 users thanked author for this post.
      • #1973308 Reply
        DavidForrest57
        AskWoody Lounger

        Thanks to those of you who have suggested alternative explanations to my IP address appearing on the SBL CSS list. I don’t know enough about networking to comment on these, but the suggestions imply that malware isn’t the only explanation.

        Additionally, the FAQs on the Spamhaus website (https://www.spamhaus.org/faq/section/Spamhaus%20CSS) state that “CSS is highly effective at blocking spam during SMTP delivery with very low false positive detections”. Whilst they claim that false positive detections are very low, very low isn’t zero. So there exists the possibility of a false positive detection.

        Given that virus and malware scans haven’t revealed any nasties, and that it’s over a week since my IP last appeared on the blacklist, how confident can I be that my systems are free of some as-yet undiscovered malware?

        Ultimately, my main concern is that there isn’t anything nasty lurking on my home network.

      • #1973339 Reply
        Bill C.
        AskWoody Plus

        I have found the issue is not your exact IP address being on the list, but that a block is in place for a range of dynamic IP addresses of an ISP.

        I have also found that if you forward an email with links and URLs, if any of those are on spam lists or questionable website lists, your specific email can be blocked at the outgoing SMTP server of your ISP. They said this will not get you on the list unless it is an ongoing issue and they may issue a TOS warning.

        On a semi-related spam topic, I have found that at every national and state election since 2012, lots of my routine incoming email will end up in the spam folder. After talking to the Spam folks at my ISP I was told that opponents reporting political or advocacy group emails to ISPs as spam always ticked up during election season.

        • #1973346 Reply
          DavidForrest57
          AskWoody Lounger

          Thanks for your reply.

          I carried out tests with very simple emails; no links, no attachments, just a few words of text. They simply would not send. I was prompted for my password (which isn’t normal) but inputting it didn’t send the mail. The mail ended up in the Outbox, and wouldn’t send.

          Is there any reason why a range of addresses might be blocked?

      • #1974851 Reply
        Paul T
        AskWoody MVP

        Ultimately, my main concern is that there isn’t anything nasty lurking on my home network.

        You have scanned your machine and your IP has not been re-listed so you are probably safe. To be sure I’d run a 3rd party AV scan or two. Most of the AV companies will run a free scan for you.

        cheers, Paul

        1 user thanked author for this post.
      • #1998207 Reply
        DavidForrest57
        AskWoody Lounger

        I’ve returned to this topic as I believe I now have the answer to my problem; it’s a rather surprising one too.

        My IP address was recently blocked when only my Android tablet was in use. So something on that device was responsible. The thing is, that device has never been rooted and all the downloaded apps have come from the Google Play store.

        In order to monitor traffic on my network I set up a hotspot on my laptop, and connected my tablet via the hotspot. I installed a program called Wireshark on my PC to monitor traffic on Port 25 TCP (spambot traffic will always use this port). The full process has only recently been developed by my ISP’s Community Forum experts, and can be read here:

        https://community.virginmedia.com/t5/Security-matters/Searching-for-Spambots-on-your-network/td-p/4087596

        Sure enough, Wireshark detected traffic on Port 25 TCP indicating that spam was being sent via my IP address, and it was this spamming that was presumably detected by Spamhaus, resulting in my IP address being blocked.

        I didn’t have to look very far for a potential suspect on my tablet. My partner has been using the Hola Free VPN app so that she can view geo-restricted content on Spanish TV. I don’t understand much about networking but I know that this app “does stuff” with IP addresses and “some stuff” was causing our IP address to be listed on the SBLCSS; this made Hola Free VPN the prime suspect.

        When Hola Free VPN was uninstalled and the tablet restarted, Wireshark showed no traces of traffic on Port 25 TCP over a 14 hour period. My partner then uninstalled the app from her Android phone. I used Wireshark to check her phone (and the tablet again) over a period of 18 hours and neither showed any activity on Port 25 TCP.

        When I searched for reviews of Hola Free VPN (beyond those on Google Play store) I was horrified by what I read. Here’s a couple of links:

        https://www.vpnmentor.com/reviews/hola-vpn/

        Hola VPN – Great Choice for BAD Security and Speed

        My conclusion is that this widely used and popular app facilitated the distribution of spam through my public IP address, even though it’s not a spambot itself and is a legitimate app available on Google Play Store. The way in which it works means that your network resources are shared with others on this peer-to-peer service. If somebody’s sending spam (intentionally or not) or conducting any other nefarious activity, it can appear to be coming from your IP address.

        I can only comment on the use of the Android app, but I guess the same would apply to other forms of this service (i.e. Firefox and Chrome browser extensions).

        I’m still keeping an eye on the Spamhaus listings, but I’m confident that I’ve identified the problem and eliminated it. The question is how many users are aware of the potential implications of using this app?
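
A way to summarise a capture like the one described in the post above, as an added example that is not part of the post or of the linked ISP guide. It assumes the capture was exported with `tshark -r capture.pcapng -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack`; the hotspot subnet, the sample rows and the function names are constructed for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed hotspot subnet; replace with the subnet the laptop hands out.
LAN = ipaddress.ip_network("192.168.137.0/24")

# Constructed sample rows: src, dst, tcp.dstport, SYN flag, ACK flag.
SAMPLE = """\
192.168.137.23,198.51.100.14,25,1,0
192.168.137.23,198.51.100.77,25,1,0
192.168.137.23,203.0.113.5,25,True,False
192.168.137.23,203.0.113.5,25,0,1
192.168.137.23,192.0.2.10,587,1,0
192.168.137.40,192.0.2.10,465,1,0
198.51.100.14,192.168.137.23,49152,1,1
"""


def is_set(flag):
    # tshark prints flags as 1/0 or True/False depending on version.
    return flag.strip().lower() in ("1", "true")


def port25_initiators(rows, lan=LAN, port=25):
    """Return {lan_host: set(remote IPs)} for new outbound connections.

    Only the first packet of a handshake (SYN set, ACK clear) is counted,
    so replies and established traffic do not inflate the result.
    """
    hits = defaultdict(set)
    for rec in csv.reader(io.StringIO(rows)):
        if len(rec) != 5 or not rec[2].isdigit() or int(rec[2]) != port:
            continue  # non-TCP rows have empty fields
        src, dst, _, syn, ack = rec
        if not is_set(syn) or is_set(ack):
            continue
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # e.g. IPv6 rows, where ip.src is empty
        if s in lan and d not in lan:
            hits[src].add(dst)
    return dict(hits)


def fan_out_hosts(hits, threshold=2):
    """LAN hosts that opened port-25 sessions to several remote servers."""
    return sorted(h for h, peers in hits.items() if len(peers) >= threshold)
```

A mail client normally talks to one submission server, so a device that opens port 25 sessions to many different remote addresses is the one to investigate.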
