The blacklisting of IP addresses is a common occurrence on today’s internet. Most of us have encountered networking attacks in one form or another, ranging from obnoxious spam emails to crippling malware, phishing or ransomware attacks. Their path to your computer starts from a device on the internet operating behind an IP address.  Who helps police the internet to track down and report these bad IPs? There are many organizations dedicated to this purpose such as Spamhaus, Sorbs and Barracuda, to name a few.  These organizations keep public databases of blacklisted IPs and aid in their discovery. Users can query these public blacklists to block connections and email from dangerous IPs, as well as report and tag potential threats. ISPs or companies may also use private/internal blacklists.

On a related note, there are other security measures to help prevent various attacks and breaches, some of which include DNSSEC, DNS-over-HTTPS, RPKI, HTTPS, TLS and DKIM. Security protocols are expansive topics best left for another blog, but they are worth mentioning. They aid in detection and avoidance of malicious attacks and therefore, contribute to blacklisting of IPs.

IPswiTch Networks Ltd takes blacklisting very seriously. One of our primary goals is to provide buyers with quality and clean IPv4 blocks. When a client agrees to sell an IPv4 block through us, we offer a service to clean the range of all possible blacklisting to prepare it for new ownership. It is difficult to find a reliable service which thoroughly scans large blocks of IPs for blacklisting, which is why we use our own software to comprehensively scan any size IPv4 block against approximately 90 public blacklists. We’ve been using this software for some time now and find it indispensable to see how dirty an IPv4 block is. Beyond our own software we also use several reputable sources to gather more blacklisting information, and then cross-reference the results. There are a multitude of public blacklists for use on the internet, although some of them are not reliable. We avoid unreliable or out-of-service blacklists and focus on current and stable ones.

So how are IPv4 addresses removed from a blacklist? Delisting is not always straight forward, but IPswiTch Networks Ltd has extensive experience with removal from most major public blacklists. First off, it is preferable for the seller of the range to cease assignment of IPs to clients (e.g. dynamic IPs), as to limit any new blacklist entries. Unfortunately, a reputable ISP may have clients who abuse the IPs without the ISP’s knowledge. It is also recommended to stop or limit any non-critical networking on the IPv4 block. After a scan is complete it’s time to analyze the results to understand the type of listings and their severity. On rare occasions a listing can be ignored,  for example, if a listing returns a code stating that no SPF (Sender Policy Framework) record was found for an IP. This does not directly indicate blacklisting, and furthermore, the IP may not even relate to an email server which would use an SPF record. Also, on rare occasions there may be false positives. But most listings are serious, and these IPs must be delisted one-by-one or in bulk.  Many blacklists request justification for a delisting. Removal procedures can range from a simple webform to an email request. But, sometimes things are more complicated. There are times when proof of ownership for an IPv4 block must be submitted to a blacklist organization before delistings can be considered. Once approved, the process can move forward. Often an online portal will become available to the netblock owner to manage the range and perform delistings.

If you have any questions, feedback or suggestions about IPv4 blacklisting please don’t hesitate to contact us and we can start a conversation!