An IP address earns a negative reputation when Symantec detects
suspicious activity, such as spam or viruses originating from
that address. Symantec strongly recommends that you perform a
security audit on any of your systems that correspond to an
IP address with a negative reputation, as those systems may have
been compromised.
If you believe that your IP address has been given a negative
reputation erroneously, you may request an investigation of that
address.
IP Address Investigation Request
To request investigation of an IP address (IPv4 only), enter that address in the IP Address field provided below. Confirm the security image text in the Image Text field and click Submit.
Symantec Mail Security Reputation
Symantec uses various methods and data sources to create lists of
IP addresses that are suspected of being untrustworthy. These IP
addresses may include:
- Compromised machines ("zombies") that send out spam.
- Open proxies that allow untrusted e-mail to pass through them.
- Systems that are observed sending spam on the Internet.
Frequently Asked Questions
General Questions:
Q: Why is my IP address assigned a negative reputation?
A: IP addresses are assigned a negative reputation when they are found to be open proxies or when they send high levels of spam or viruses to spam traps and users. These IP addresses are analyzed to see if they belong to machines that should not be sending mail.
Please remove viruses, open proxies or any potentially mis-configured applications or bad software from your server.
Q: What is an open proxy?
A: An open proxy is a computer that allows e-mail to be sent from arbitrary users (or machines). Modern mail hosts only allow mail to be delivered locally to their own users or transferred remotely from their own authenticated users. Open proxies are often old or improperly configured servers, but they can also be compromised personal computers. Open proxies can occur on both personal computers and UNIX systems.
Q: What is a zombie?
A: A zombie computer, or zombie for short, is a computer attached to the Internet that has been compromised by a computer virus or worm. Such a machine can be controlled from a central location, without the knowledge of the machine's owner, and can be made to perform various malicious tasks including, but not limited to, sending spam. Millions of such zombie computers are known to exist, linked up into a number of "zombie networks" (sometimes referred to as botnets) to form a massive distributed server farm for the purpose of delivering spam simultaneously from origins distributed across the entire Internet.
Zombies are now the most common delivery method of spam, accounting for a majority of all spam worldwide.
Q: What does it mean to be observed sending spam?
A: Symantec maintains a proprietary intelligence network that monitors e-mail activity across a large portion of the Internet. When Symantec observes a host/server/computer sending spam, it means that e-mail specifically identified as spam was registered as originating from the host/server/computer in question.
Q: I've requested that Symantec clear the reputation of my IP address, but I still receive bounce messages when I try to send e-mail. What should I do?
A: First, be sure that your e-mail program is set up properly: if your connection is through dial-up, cable, or DSL, your Internet service provider will most likely require you to send all mail through the mail server they provide. Second, ensure that your system is free of security threats by scanning it with a virus scanner that has up-to-date virus definitions. Remove any viruses or malware that are found.
If you still find that your IP address has been assigned a negative reputation, provide additional information in the provided form to help us further diagnose problems.
Q: What does it mean to be unauthorized to send email directly to email servers?
A: IPs such as dynamic IPs may be listed because they generally should not be sending email directly to email servers. For most home users, this listing should have no impact. It does not prevent you from sending email unless your email program is not authenticating properly when it connects to your ISP's or company's mail server.
Verify that your mail program is using SMTP authentication; if it is not enabled, enable it. If you are attempting to send mail to an ISP other than your provider, verify that you are authenticating through your ISP's outbound SMTP server. Verify that your username and password are up to date. Additionally, verify that you are using the port specified for authenticated sending; for authentication this should be port 587. If you are using port 25, you are most likely not authenticating and could be blocked.
For Server Administrators:
Q: My mailer is professionally hosted with a static IP address, not a residential dial-up or broadband address. Why was it identified as a zombie?
A: Make sure that your machine's DNS records don't look like a residential IP address. You may need to contact your hosting provider to resolve these issues. Verify that PTR records exist for all IP addresses that the machine uses to send mail. This is known as having RDNS (Reverse DNS).
If you do not have any RDNS records, you will encounter delivery problems to many major ISPs. Verify that the RDNS records are visible from an outside source, and make sure that these PTR records are not "generic RDNS" records, e.g. 201-137-58-21-srv.example.com. Such records are common for new machines, and are virtually indistinguishable from residential broadband addresses.
Q: My host does not relay on port 25. Why am I listed as an open proxy?
A: Open proxies are not limited to using port 25 and can often be found in relation to other applications that have been badly configured, such as web servers or HTTP proxies.
Make sure that your machine is not accepting non-authenticated SMTP relay connections on any port. Also check for compromises to your machine; the existence of an open proxy often indicates that a machine has been successfully attacked.
If the machine is professionally hosted, please contact your system administrator for help with these tasks. Never run port scanning software without explicit authorization from the network owner.
Q: What if my server is behind a NAT?
A: Being behind a NAT alone does not prevent spam and viruses. Please remove viruses, open proxies or any other mis-configured applications or bad software from the server in question.
Firewall rules or other ACLs that restrict servers from connecting to the Internet except through specified servers (usually the mail server on port 25) are one way of keeping infected computers from getting spam and viruses out of a network.
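The PTR/RDNS advice for server administrators above can be turned into a quick self-audit. The following Python script is an added example, not part of Symantec's page or tooling: for each sending IP it checks that a PTR record exists, that the name resolves back to the same address (forward-confirmed reverse DNS), and that the name does not follow the generic octet-embedding pattern cited above. The resolver callbacks, the 203.0.113.x addresses and the host names are assumptions and constructed sample data.

```python
import ipaddress
import socket

# Forward-confirmed reverse DNS (FCrDNS) and "generic rDNS" audit for a sending IP.
# Resolvers are injectable so the audit can also run offline on constructed data.

def is_generic_ptr(ip, ptr):
    # True if the PTR name embeds the IP's octets, e.g. 201-137-58-21-srv.example.com.
    # Assumption: octets joined by '-' or '.', in forward or reversed order.
    octets, name = ip.split("."), ptr.lower().rstrip(".")
    return any(sep.join(seq) in name
               for seq in (octets, octets[::-1]) for sep in ("-", "."))

def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror and gaierror both subclass OSError
        return None

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_sending_ip(ip, ptr_lookup=live_ptr, a_lookup=live_a):
    ipaddress.IPv4Address(ip)  # the form accepts IPv4 only; raises on bad input
    ptr = ptr_lookup(ip)
    res = {"ip": ip, "ptr": ptr, "has_ptr": ptr is not None,
           "fcrdns": False, "generic": False, "problems": []}
    if ptr is None:
        res["problems"].append("no PTR record; expect delivery problems at major ISPs")
        return res
    res["fcrdns"] = ip in a_lookup(ptr)  # PTR name must resolve back to the same IP
    if not res["fcrdns"]:
        res["problems"].append("PTR name does not resolve back to this IP (FCrDNS fails)")
    res["generic"] = is_generic_ptr(ip, ptr)
    if res["generic"]:
        res["problems"].append("generic rDNS name, indistinguishable from residential broadband")
    return res

# Constructed sample records (documentation ranges, not real hosts) for an offline run.
SAMPLE_PTR = {"203.0.113.10": "mail.example.com", "203.0.113.12": "mta.example.net",
              "203.0.113.11": "203-0-113-11-srv.example.com"}
SAMPLE_A = {"mail.example.com": ["203.0.113.10"], "mta.example.net": ["198.51.100.5"],
            "203-0-113-11-srv.example.com": ["203.0.113.11"]}  # .12 fails FCrDNS

def audit_samples():
    return {ip: check_sending_ip(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
            for ip in list(SAMPLE_PTR) + ["203.0.113.13"]}  # .13 has no PTR at all
```

Call audit_samples() for the offline demonstration, or check_sending_ip("<your sending IP>") with the default resolvers to audit a real address through the system resolver.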