Symantec Reputation Blocking IP

bluerayconcepts

Active Member
Mar 24, 2013
32
0
56
Yuba City, CA
cPanel Access Level
Root Administrator
So last week I started getting a couple complaints from customers about not being able to send to some people. THe bounce messages they were getting had no info in them about what was going on, only SMTP error. Nothing that we normally see when blocked or unknown user etc. So I ran through the standard RBL checks and nothing.. all clean.
So Monday I had another customer send me a bounce message that actually showed a good bounce message:
> SMTP error from remote mail server after RCPT TO:<[email protected]>:
> host mx.usa.net [165.212.65.113]: 550 Mail from xx.xx.xx.xx
>refused. Please refer to IP Reputation Investigation for an
>explanation.

So i proceeded to follow their instructions as it turns out the issue from the week before was also because of Symantec. 3 days later I am still blocked with Symantec with no idea of why. I have now put in the removal request twice. Turns out that now I have users that cannot send to outlook.com, hotmail or MSN. So I went through their process and joined their SNDS and see that the IP Status for hotmail is showing we are block by Symantec so all my problems are revolving around the Symantec Block.

I have gone through my logs and have found no mass mailing done by our customers. I do not allow mailing lists on the server. Of course they never give you a specific reason why you were block so at this point it could be anything.

I am currently at a loss as to what to look for. Any help would be appreciated.
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter
Hello,

Due to suspicious activity your server IP is blacklisted in Symantec, I will suggest you enable DKIM and SPF for your domain and setup the RDNS for your server. Here are the good DOC of How to: Prevent Email Abuse
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
Hello :)

It's difficult to guess the specific reason you were added to that blacklist because it's not something listed publicly. Ensure you have RDNS configured for the IP address you are using to send emails, and that SPF/DKIM records are configured for your domain names.

Thank you.
 

bluerayconcepts

Active Member
Mar 24, 2013
32
0
56
Yuba City, CA
cPanel Access Level
Root Administrator
Yeah RDNS has been setup since the server was spun up. I started going through all the accounts and checking DKIM and SPF last night and finished them up this morning. There were a lot not enabled, some spf were wrong. Which is weird because I have DKIM and SPF enable on WHM so I would have thought it would have created them on account creation. I also noticed that on accounts that were created on other servers with spf and then migrated to this server, the SPF record was not updated.

But they are all fixed now. So is it just a wait and see game now? This is the first time I have had to deal with Brightmail/Symantec, normally any other block I have had to deal with was due to a specific email and they were always pretty quick to respond or take care of it.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
Looks like we have been removed from Brightmail Block. Still not sure what caused it, and I doubt that the DKIM and SPF record changes I made within the last hour would have caused it be removed that fast. Would it?
It's possible, but it's difficult to say without knowing the type of system they use to lower a server's reputation. You may want to contact their support team directly to see if they can provide you any additional information.

Thank you.
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
looks like we are still blocked at hotmail though. aggrevating
It certainly used to be the case that blocks at hotmail marked to expire were removed once every 24 hours, think if memory served it used to hit around 15.00 GMT

If you haven't identified the spam send that caused the problem in the first place, it might be worth joining the ms jmr feedback loop (which in my experience they sometimes will make you join before they'll remove a block)