This is an unusual one. I didn’t think it would be, but based on the lack of Google results for this having happened to other people, I thought it would be an idea to document it. I’m sure it happens a lot more than people realise.

The basic gist of the story is that my broadband IP address got black-listed as a SPAM generator, and that meant I could no longer send out email through the broadband mail server. It was frustrating, because it seemed that there was nothing I could do about it, but I have learnt a few tricks now to get over the problem next time.

It all started while repairing a laptop. The laptop had caught a virus or two and needed scanning and updating. Stupidly I plugged it into my home network to get various updates.

Now, on my broadband I run an SME Server. All traffic goes through that server. When I send emails from any PC in the house, the transparent proxy catches those emails, queues them up, then sends them all on via my cable provider’s SMTP server – smtp.blueyonder.co.uk

Normally the server scans all outgoing mail for spam and viruses, and it is usually pretty good at it. Unfortunately, what this laptop was spitting out consisted of extremely simple SPAM emails – just a single sentence and a short URL going through bit.ly. That slipped right through the SPAM scanner and in no time at all, 60,000 SPAM messages were queued up on the server and streaming out to Virgin broadband. Not that I knew this was happening, mind.

At some point, some part of the network noticed this, shook its head slowly, then put my IP address on a blacklist. This blacklist was then used by my ISP to basically cut me off from sending any email through its servers.

The result is that smtp.blueyonder.co.uk simply gave me a message telling me to get lost, then dropped the connection each time I tried to send out mail. This could be seen at the lowest level by connecting using telnet, pretending to be a mail client:

# telnet smtp.blueyonder.co.uk 25
Connected to smtp.blueyonder.co.uk.
Escape character is '^]'.
550-Administrative prohibition. This IP address is a source of spam. Please
550 Contact abuse@blueyonder.co.uk for details of how to fix this.
Connection closed by foreign host.

Switching off the transparent mail proxy of the server and sending direct to smtp.blueyonder.co.uk using Outlook Express or Thunderbird also gave this same error. Using telnet like this, though, removes the possibility that the email client is not set up correctly.
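The same check done from a script rather than by hand in telnet, as an added example that is not part of the original post: parse_smtp_reply() applies the SMTP rule that a reply line whose code is followed by "-" continues and one followed by a space is the last line, classify_greeting() turns the code into a verdict, and probe_smtp() reads the greeting from a live server without sending anything. The helper names are mine, and the sample reply is constructed from the transcript above.

```python
import socket

# Constructed from the transcript above: the two-line 550 reply.
REJECTED_GREETING = (
    "550-Administrative prohibition. This IP address is a source of spam. Please\r\n"
    "550 Contact abuse@blueyonder.co.uk for details of how to fix this.\r\n"
)

def parse_smtp_reply(text):
    """Return (code, [lines]) for one complete reply. A multi-line reply
    uses 'XYZ-text' on every line but the last, which is 'XYZ text'."""
    code, lines = None, []
    for raw in text.splitlines():
        if len(raw) < 3 or not raw[:3].isdigit():
            raise ValueError("not an SMTP reply line: %r" % raw)
        if code is None:
            code = int(raw[:3])
        elif int(raw[:3]) != code:
            raise ValueError("reply code changed mid-reply")
        lines.append(raw[4:].strip())
        if raw[3:4] != "-":            # space or end of line closes the reply
            return code, lines
    raise ValueError("reply is incomplete: last line still continues")

def classify_greeting(text):
    """'ok' for 220, 'temporary' for 421, 'rejected' for any 5xx."""
    code, _ = parse_smtp_reply(text)
    if code == 220:
        return "ok"
    if code == 421:
        return "temporary"
    return "rejected" if 500 <= code < 600 else "unknown"

def probe_smtp(host, port=25, timeout=10):
    """Connect, read the greeting without sending anything, return it raw."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while True:
            chunk = s.recv(1024)
            if not chunk:                  # server hung up, as in the post
                break
            buf += chunk
            last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
            if buf.endswith(b"\r\n") and last[3:4] != b"-":
                break
    return buf.decode("ascii", "replace")
```

Running classify_greeting(probe_smtp("smtp.blueyonder.co.uk")) gives "rejected" in the situation described above and "ok" once the block is lifted, which makes it easy to poll until mail is back.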

Okay, so I need to tell my ISP – the IP address owner – to remove me from the blacklist. To cut a long story short, that proved impossible. There was simply no-one at the ISP with the authority to do so, or even the understanding of what I was asking for.

Next approach: the IP address is poisoned, so let’s get a new one. Easier said than done. I left the broadband modem off all night, I rebooted it many times, I rebooted my server many times, but I just could not shake off that IP address. This almost permanent IP address is kind of nice to have normally, but now that I wanted to change it, it was proving difficult.

After several calls to the ISP, I finally managed to talk to someone who knew about these things. “Try bypassing your server and connect your PC direct to the broadband modem”, was his suggestion. I tried that, and behold, a new IP address was allocated. Cool. Just switch back to my server and…hmm, back to the old IP address.

So the Motorola Surfboard modem – or perhaps the cable box at the bottom of the street – was remembering the hardware and trying to allocate the same IP address to the same hardware every time. And it could remember the hardware for at least a full night.

So I guess I would have to change the network card in my server, which was a bit of a bind. Then I struck on this little gem: although the MAC address of the network card is coded into it, the operating system can override (or perhaps reprogram) that MAC address. By changing the MAC address, the network card in the server would look to the cable modem like a different piece of hardware.

I recorded the current MAC address, then added one to it, and issued this command:

# ifconfig eth1 hw ether 00:50:FF:E6:B9:4B

The network card was “eth1” and the ethernet (“ether”) hardware address was being set to “00:50:FF:E6:B9:4B” (it was “00:50:FF:E6:B9:4A” originally). If you are having this problem with a Windows machine rather than a Linux server, then digging into the driver settings can often give you a box where the MAC address can be edited. Do use this option with care, since MAC addresses are supposed to be unique globally and two machines with identical MAC addresses nearby can play havoc with your network.
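The “add one to the MAC address” step as an added example, not code from the original post: the interface and address values are the post’s own, the helper names are mine, and locally_administered() goes one step beyond the post by setting the U/L bit of the first octet, which puts the new address outside every vendor-assigned range and so addresses the collision caveat above.

```python
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def mac_to_int(mac):
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return int(mac.replace("-", "").replace(":", ""), 16)

def int_to_mac(value):
    value &= (1 << 48) - 1                     # keep it to 48 bits
    return ":".join("%02X" % ((value >> shift) & 0xFF)
                    for shift in range(40, -1, -8))

def next_mac(mac):
    """The post's trick: current address + 1, carrying across octets."""
    return int_to_mac(mac_to_int(mac) + 1)

def locally_administered(mac):
    """Set the U/L bit (0x02 of the first octet) and clear the I/G bit (0x01):
    the result is a unicast address that no vendor will ever ship."""
    value = mac_to_int(mac)
    first = ((value >> 40) & 0xFF | 0x02) & ~0x01
    return int_to_mac((first << 40) | (value & ((1 << 40) - 1)))

def is_usable(mac):
    """Reject multicast addresses (I/G bit set) and the broadcast address."""
    value = mac_to_int(mac)
    return ((value >> 40) & 0x01) == 0 and value != (1 << 48) - 1

def ifconfig_command(iface, mac):
    """Build the ifconfig line from the post for a checked address."""
    if not is_usable(mac):
        raise ValueError("refusing to assign %s" % mac)
    return "ifconfig %s hw ether %s" % (iface, mac)

if __name__ == "__main__":
    old = "00:50:FF:E6:B9:4A"                  # the address from the post
    print(ifconfig_command("eth1", next_mac(old)))
    print(ifconfig_command("eth1", locally_administered(next_mac(old))))
```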

One reboot later and I was allocated a new IP address, and email was back online!

Of course, while I am celebrating, someone else will be given my old IP address, be labelled a SPAM creator, and will now have their own problems with their email. I have reported it to the ISP and explained what I think will be happening, and there is not a lot more I can do about it. I feel kind of bad about that, but I have learned never to plug a virus-laden machine into my network again, at least not without some kind of firewall and a virtual private network (VPN) to keep the prying eyes of any virus away from other machines on the network.