So, you're blacklisted. Often people only find out after their email bounces, their internet connection is blocked or their ISP starts complaining. If you have listed your urls and ip addresses as assets in ShadowTrackr we'll check them against a large number of blacklists directly and notify you if you're in trouble. There are two types of blacklists: ip based and url based. Of course there are a lot more subcategories, like dns based registers, periodic downloads, list of specific evil webpages or evil subdomains, ... But these are things we'll worry about. You'll just hear when you are listed, and you'll want to know if it concerns one of your hosts (ip address) or websites (url).
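To show what an ip based, dns based blacklist check actually does under the hood, here is an added example (not ShadowTrackr's own code). The zone name dnsbl.example and the listing data are constructed for offline use; with a real list zone and the system resolver, the same functions do a live lookup.

```python
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a hostname to its A record, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: the address reversed, under the list zone.
    IPv4 lists reverse the four octets; IPv6 lists reverse all 32 hex nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the list's answer (a 127.0.0.x code) if ip is listed, else None.
    Only answers inside 127.0.0.0/8 count as a listing; any other address is
    treated as a broken or intercepted reply rather than as a hit."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver (used when not testing offline)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed sample data: a fake list zone with one listed address (not a real listing).
FAKE_LIST = {"4.3.2.1.dnsbl.example": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_LIST.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8"):
        print(ip, "listed:", is_listed(ip, "dnsbl.example", fake_resolver))
```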
It's not the most fun part, but it is essential to getting delisted. If you haven't found the reason why you have been put on the list, you will very likely end up blacklisted again after your delist request.
The first clue you have is from the name of the blacklist you are on. Inspect this carefully. Your problem will be in one of the following categories:
Not all categories are necessarily evil of course. Bitcoin, proxies and TOR can be fine choices if made by yourself and not some evil hacker. And misunderstandings do happen. Sometimes a legitimate mailrun is classified as SPAM or a mailserver has some configuration problems.
Go to the website of the blacklist you are on (just Google it). Often you can enter the offending ip or url to find more information on the exact reason you ended up on their list. Also look for any information on removal, you'll need this in Step 3.
Next, you should inspect the current state and logging on the system that is blacklisted. Look for anything out of the ordinary: peaks in traffic, connections to unexpected systems, unfamiliar processes running, weird ports that are open, etc.
What you need to do largely depends on the operating system and software you are using, and the type of problem you are "accused" of by the blacklist. There is no one answer, but here are some tips to get you started.
SPAM
Check these things, in this order:
Spreading malware
You might be part of a watering hole attack. This means that when your website is visited, your audience doesn't only get your webpage delivered but also a malware infection. If you have found the full url of the webpage at the website of the blacklist in Step 1, go and fix that page. If not, diff your pages against a backup and check the changes. Find the lines of code in your html or javascript that deliver the malware, save them for reference, remove them and check if they are present in any other webpage on your server. After that, do a compromise assessment. You need to find out how this could happen to prevent it from happening again.
Attacking others / malicious behavior
Either you are hacked and someone is abusing your system, or one of your employees has gotten a bit too enthusiastic with testing hacker tools. Find out who was the user on the system at the time of the incident and contact them. Do not rush in and start with accusations. Do your homework first, find times and patterns of abuse, and ask if the person was active at that time. Then explain that some unexpected things happened that you need to check out and ask what they were doing.
If it wasn't the user, do a compromise assessment. If it was the user, reprimand and try to get them on the path to ethical hacking :-)
All other cases
Obviously, your system has been hacked and someone has installed extra software on it that does things you don't want. If you just remove these extras or return to a backed up state, the hacker will notice and do the same trick again. You need to find out how it happened and fix that problem first. Do a compromise assessment, or hire a pro to do this for you.
Some blacklists are updated often and if you've fixed the problem, your system will be automatically removed. Other blacklists have quite a long memory and you'll need to take action and ask for removal. Most blacklists where you need to take action have helpful information about removal on their website, like the Blocklist removal center at Spamhaus.
If you can't find this information, check if they have a published security contact in a security.txt file. Just append "security.txt" after the domain name in the browser like this https://shadowtrackr.com/security.txt.
Still nothing? Try abuse@[domain], soc@[domain] or security@[domain] accounts, and if these don't respond try any contact option on the website. It wouldn't be the first time someone got through to a security department by chatting with a sales representative. Be creative. If you're still stuck then there are companies with special contacts that provide a delisting service. We've seen this work, but it'll cost you.