How to use the Symantec Mail Security IP Lookup Service

Article ID: 177352

Updated On:

Products

Mail Security for Domino
Mail Security for Microsoft Exchange

Issue/Introduction

You want to know if an IP address is on a Symantec Block list.

 

Resolution

You can use the Symantec Mail Security IP Lookup Service to determine whether an IP address is on a Symantec Block List, or to request removal from it.
To check the status of an IP address, follow the link to the Symantec Mail Security IP Lookup Service and click Query IP Status:
https://ipremoval.sms.symantec.com/

IP addresses are added to the Symantec Block Lists because of suspicious activity such as spam or viruses originating from the IP address in question.
If your IP address has been listed in a Symantec Block List, you should perform a security audit on the systems corresponding to the blocked IP address, as they may have been compromised.
For more information and a definition of what Symantec considers suspicious activity in various categories, please refer to the Technical Information section of this document.
Technical Information
From the Help menu of the IP Lookup Service:
Symantec Mail Security Block Lists
Symantec, using various methods and data sources, publishes lists of IP addresses that are believed to be untrustworthy. These include the addresses of compromised machines ("zombies") sending out spam; open proxies allowing untrusted e-mail to pass through them; and systems observed sending spam on the Internet.

Frequently Asked Questions

General Questions:

Q: Why is my IP address on a Symantec Block List?
A: IP addresses are listed when they are found to be sending high levels of spam or viruses to spam traps and users. The IP addresses are then analyzed to see if they belong to machines that should not be sending mail.

Q: What is an open proxy?
A: An open proxy is a computer that allows e-mail to be sent from arbitrary users (or machines). Modern mail hosts only allow mail to be delivered locally to their own users, or transferred remotely from their own authenticated users. Open proxies are often old or improperly configured servers, but they can also be compromised personal computers.

Q: What is a zombie?
A: A zombie computer, or zombie for short, is a computer attached to the Internet that has been compromised by a computer virus or worm. Such a machine can be controlled from a central location, without the knowledge of the machine's owner, to perform various malicious tasks including, but not limited to, sending spam. Millions of such zombie computers are known to exist, linked up into a number of "zombie networks" (sometimes referred to as botnets), forming a massive distributed server farm for the purpose of delivering spam simultaneously from origins distributed across the entire Internet. Zombies are now the most common delivery method of spam, accounting for a majority of all spam worldwide.

Q: What does it mean to be observed sending spam?
A: Symantec maintains a proprietary intelligence network monitoring e-mail activity across a large portion of the Internet. When Symantec observes a host sending spam, it means that e-mail specifically identified as spam was registered as originating from the host in question.

Q: I've requested removal from Symantec Block Lists, but I'm still receiving bounce messages when I try to send e-mail. What should I do?
A: First, be sure that your e-mail program is set up properly: if your connection is through dial-up, cable, or DSL, your Internet service provider will most likely require you to send all mail through the mail server they provide. Second, ensure that your system is free of security threats by scanning it with a virus scanner that has up-to-date virus definitions. Symantec offers a free virus detection tool and a 15-day free trial for Norton AntiVirus. Other major vendors have similar offerings. Remove any viruses or malware that are found.

For Server Administrators:

Q: My mailer is professionally hosted with a static IP address, not a residential dial-up or broadband address. Why was it identified as a zombie?
A: Please ensure that your machine's DNS records don't look like a residential IP address. You may need to contact your hosting provider to resolve these issues. Verify that PTR records exist for all IP addresses that the machine uses to send mail. This is known as having RDNS (Reverse DNS). Not having any RDNS records at all is a serious problem that will cause delivery problems to many other major ISPs. Verify that the RDNS records are visible from an outside source, such as http://www.dnsstuff.com/. Verify that these PTR records are not "generic RDNS" records, e.g. 201-137-58-21-srv.example.com. Such records are common for new machines, and are virtually indistinguishable from residential broadband addresses.
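As an added example (not part of the Symantec article), the following Python check lets a mail-server administrator verify the points above for their own sending address: that a PTR record exists, that it is forward-confirmed (the name resolves back to the IP), and that it does not have the "generic RDNS" shape the article describes. The generic-rDNS heuristic (the address octets embedded as labels of the hostname) and the sample records are this example's own assumptions, not Symantec's classification rules; the live lookups use the system resolver.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample records (not real hosts) so the example runs offline.
SAMPLE_PTR = {
    "201.137.58.21": "201-137-58-21-srv.example.com",  # the article's generic-rDNS shape
    "192.0.2.10": "mail.example.org",                   # a properly named mail host
    "203.0.113.5": "5.113.0.203.dyn.example.net",       # reversed-octet dynamic-pool name
}
SAMPLE_A = {name: [ip] for ip, name in SAMPLE_PTR.items()}  # each name resolves back

def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when the IP has no rDNS at all."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name: str) -> List[str]:
    """Forward (A) lookup of a hostname; empty list when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def is_generic_rdns(ip: str, ptr_name: str) -> bool:
    """Heuristic (this example's own): all four octets appear as separate labels of
    the PTR name, in forward or reversed order, as auto-generated ISP records do."""
    octets = ip.split(".")
    labels = re.split(r"[.-]", ptr_name.lower())
    def in_order(seq) -> bool:
        it = iter(labels)  # each octet must appear after the previous one
        return all(o in it for o in seq)
    return in_order(octets) or in_order(reversed(octets))

def assess_rdns(ip: str,
                ptr_lookup: Callable[[str], Optional[str]] = live_ptr,
                a_lookup: Callable[[str], List[str]] = live_a) -> Dict[str, object]:
    """List the rDNS problems the article asks a sending host's admin to rule out."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return {"ptr": None, "problems": ["no PTR record (no rDNS at all)"]}
    problems = []
    if is_generic_rdns(ip, ptr):
        problems.append("generic rDNS: hostname embeds the IP address")
    if ip not in a_lookup(ptr):
        problems.append("PTR name does not resolve back to the IP (not forward-confirmed)")
    return {"ptr": ptr, "problems": problems}
```

Call `assess_rdns("<your sending IP>")` with the default resolvers to check a real host, or pass `SAMPLE_PTR.get` and `lambda n: SAMPLE_A.get(n, [])` to exercise the constructed records offline.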

Q: My host does not relay on port 25. Why am I listed as an open proxy?
A: Please ensure that your machine is not accepting non-authenticated SMTP relay connections on any port. Please also check for compromises to your machine; the existence of an open proxy often indicates a machine has been successfully attacked. If the machine is professionally hosted, please contact your system administrator for help with these tasks. Never run port scanning software without explicit authorization from the network owner.