Tag Archives: Blacklist

Recent Spikes on UCEPROTECT Level 3

Recently, we noticed an increase of in the number of ASNs (full blocks of IP addresses owned by individual Internet Providers) listed by UCEPROTECT on their Level 3, aka Draconic, blacklist. The purpose of this particular UCEPROTECT blacklist is to block ASNs that allow spam to be sent from a large number of IP addresses in the network, often these are ASNs setup for spam or providers that do not adequately police their customers. However, this includes many popular services so many legitimate businesses have also been affected.

MxToolbox Stance

  1. We provide Blacklist lookups for information purposes only. DO NOT make decisions exclusively based upon a listing on the Blacklists we check. MxToolbox is not blocking you, the Inbox Provider is blocking your email because your IP address or domain is listed on a blacklist that they are using to make email delivery decisions. We give you the opportunity to see who is listing your IP address and do not endorse any blacklist. Feel free to ignore a blacklist if you think it is not relevant.
  2. NEVER PAY to be delisted. Legitimate blacklists, including UCEPROTECT, have free ways to be delisted. In this case, the entire ASN should be automatically delisted when the UCEPROTECT SPAMSCORE for that ASN drops below a certain level in a 7 day moving average. You can learn more about how UCEPROTECT lists ASNs here.
  3. MxToolbox regularly reevaluates the list of blacklists we check. Our criteria requires the blacklist to be used to make email delivery decisions. We have noted that some companies are dropping UCEPROTECT from their decision criteria due to the recent activity. We will watch this issue but will also continue to show UCEPROTECT listings as long as they are being used for email delivery decisions.

What you can do if you are blacklisted

We know that being on a blacklist is affecting your business. Be patient! Blacklists are not out there to attack your legitimate email, they are there to protect everyone from spam and phishing attempts. They make money by being relevant to email delivery decisions and sometimes they get over zealous.

Take the opportunity to evaluate your email sending configuration, blacklists are not the only reason your email is failing to make the inbox.

  • Are you still hosting your own email? This could be an opportunity to investigate Inbox Providers that have improved spam filtering and email sending capabilities. It is easier to have all of your email blocked by a blacklisting event if you are sending from a single IP address or small block.
  • Are you using multiple 3rd party email providers? You should evaluate their performance and make sure each of them is in your SPF record and no one else.
  • Adopt DMARC. DMARC compliant email is now a requirement to get into the inbox at Google, Yahoo! and Outlook.com/Office365. If much of your email is non-compliant, you may be blocked entirely. Adopt DMARC to get information on your outbound email to become DMARC compliant or be left behind by your competitors who are.
  • Use a DMARC delivery tool. Inbox Providers give you information on your email senders, including spammers pretending to be you. You need a tool that can aggregate and analyze your email delivery posture using DMARC to improve your email configuration and block the spammers. MxToolbox Delivery Center was designed to make email delivery simpler by highlighting improvements to your email deliverability.

How do I know if I am listed on a blacklist?

Typically, the first time you find out that you are blacklisted is when customers start telling you that they aren’t receiving your email.  Bounced email is the number one symptom of being blacklisted.  Unfortunately, this is finding out about the problem only after it has impacted your business.

The other way to find out if you have been blacklisted is monitoring.  MxToolbox provides active monitoring solutions for blacklisting events.  Our free IP Blacklist monitor checks your server’s IP address every 7 days to give you a general warning of blacklist issues.  Our paid subscriptions check every 4 hours and premium services check at least once an hour, up to real-time blacklist checking.  The higher the frequency of checks, the more likely you will know about being blacklisted before it becomes a customer issue.

What blacklists do I check and how should I?

Amongst our newer users, we often get some confusion between IP and Domain blacklist lookups and what the results mean. There is a distinct difference in the search and results and different benefits for performing the different lookups.  I’m hoping this will clear it up for many users and enable everyone to understand the unique benefits to each.

IP Blacklist Lookups

When you perform a blacklist lookup on an IP address, our system searches a list of 100 IP-based blacklists for the IP you gave us and returns both positive and negative results.  

An IP may be on this blacklist for any number of malicious activities:

  • Sending spam
  • Malware attacks
  • Operating a tor node
  • Hosting a botnet or virus
  • Many others…

Since an IP address represents a server on the Internet, any IP address could be blacklisted.  While any IP address may be listed, it is typically a webserver or email server that is the primary culprit.  We therefore recommend checking and monitoring the IP addresses of your web and email servers on a regular basis.

Domain Blacklist Lookups

When you perform a Domain blacklist lookup, you input a domain name.  MxToolbox algorithms do a DNS lookup of the Domain to produce the primary DNS record for that domain (an A record search).  We then run the IP address of the A record against all IP blacklists and simultaneously we run the domain name through a second set of domain blacklists.  Both could return results of blacklisting.

IP Blacklists vs Domain Blacklist

IP blacklists contain the IP addresses of known spammers, malware infectors, virus and botnet distributors and other bad actors.  When an IP is on a blacklist it is has been caught in some bad act.  Since an IP address identifies a particular server somewhere, you know that the server is performing some bad act.

Domain blacklists contain a list of domain names that have been included in known spam attempts.  This does not mean that the domain is the source of the spam, or that the server is a source of spam.  It only means that the domain name or domain URL was included in spam or malware laden emails. 

So, if you are sending email, you want to check the IP address of your mail server.  If you are running a web server, you want to check the IP address of the server.  If you are concerned about your domain’s reputation, you should check your domain against a domain blacklist.

Blacklist Monitors

MxToolbox Experts recommend that everyone with their own email servers monitor the IP addresses of those mail servers against IP blacklists.  This will give you warning that someone or something is performing a bad act through your email.  Further, it is highly recommended that you monitor you setup a domain blacklist monitor for your website.  Since domain blacklist monitors use both the IP of the web server and the domain in blacklist searches, you get extra protection of your reputation.  

Free Monitoring

MxToolbox offers one free IP blacklist monitor to our registered users.  This enables you to monitor your email server or webserver for blacklisting in the most common IP blacklists.  Our domain blacklist monitors are more comprehensive for web reputation and are therefore a paid feature.  While most of our customers find a free account sufficient for a small business, some want the additional reputation protection of a domain blacklist monitor or our Domain Health Monitoring.

How do you API – Real Life Examples, Part 2

Here’s another example from our series on API’s of how one customer is using MxToolbox’s API to simplify their day-to-day work.

The Security Team

Imagine a a security incident:

There are dozens of systems affected.  Each system has dozens of logs containing hundreds of entries for both good traffic and bad traffic.  And you have to sift through it all to find common entries before you can back track it and analyze it.

Wouldn’t it be easier if you had some automated way of doing reverse DNS on IP addresses?  Would your system be faster if you could supply DNS records for domain entries and check IPs for blacklisting to highlight potential bad actors?

That’s exactly what our customer has done.  By integrated Blacklist and DNS lookups with their threat analysis tools, they have dramatically shortened the time it takes to analyze traffic pattern, determine emerging threats and diagnose past issues.

MxToolbox’s API

MxToolbox provides an API to our paid and free customers that allows you to perform lookups, control and poll monitors and check your API status.  Depending on your account, Free, Basic or Pro, you may have different access to Local or Network lookups or access to your monitors.  Many customers use our API on a daily basis to integrate their internal systems with our technology to make the work days easier.  To learn more about the MxToolbox API, click here.

How do you API – Real Life Examples, Part 1

I’ve talked a little bit about API integrations and some questions you should ask yourself before digging in and coding.  Now, I’d like to discuss some unique and interesting examples of how our customers have integrated with MxToolbox to make their daily lives easier.

The Email Service

One of our customers has a consolidated email server management platform for small businesses.  Sold as-a-service, this includes email server status and performance.  As blacklist issues are naturally important as a blocker for email performance and delivery, this company contacted us about using the API to integrate our blacklist lookup technology into their centralized management console.  Now, paid users of MxToolbox can view complete Domain Health information in their mail console, including blacklist information on all their email servers.


Another MxToolbox customer is a regional Internet Service Provider with many small online business clients, both web and email hosting.  Because they have a limited IP space, they’re using our Blacklist monitors rather than our Service Provider product for large IP spaces.  Rather than using the API, they utilize our Callback Hooks to connect to their network monitoring servers.  When one of their customers is blacklisted, our monitors call their systems, where they connect it to their customer’s account.  The ISP’s techs then reach out to their customer to notify them of the blacklisting and work with them on security practices that will enable them to stay off of blacklists in the future.  Since websites can be blacklisted due to a hack or malware infection and email servers can be blacklisted for spam, this integration gives them realtime insight into potential security and reputation issues that could affect their entire network.  Further, because incidents are connected to their internet customer management systems, they have a history of which customers are problematic and can work to segregate them from “good” customers.

MxToolbox’s API

MxToolbox provides an API to our paid and free customers that allows you to perform lookups, control and poll monitors and check your API status.  Depending on your account, Free, Basic or Pro, you may have different access to Local or Network lookups or access to your monitors.  Many customers use our API on a daily basis to integrate their internal systems with our technology to make the work days easier.  To learn more about the MxToolbox API, click here.