Blog, 15 Mar 2021

Abusix Mail Intelligence – IP Blacklist

Steve Freegard, Sr. Product Owner, Abusix Intelligence

Welcome to part 2 of our series of blog posts dissecting each of the datasets available as part of Abusix Mail Intelligence. This time we’re looking at our IP blacklist. This list is built solely from messages hitting our trap infrastructure and is ~98% automated, but it is the only list in our set where we also maintain some manual entries for a few of the worst repeat offenders.

How the IP Blacklist is being built:

Let’s start by talking about traps. All of our traps are domains that we manage through a lifecycle. Nearly all of our traps start off in our “recycled” pool and remain there for an absolute minimum of one year.

At Abusix, we have a policy that we never use typo domains (domains that are “almost” the same as a well-known domain) as traps that can cause blacklisting events: mail sent to them is often a genuine user’s typo, so they make very poor traps and are likely to cause false positives.

All email sent to “recycled” traps is hard-rejected at SMTP level at the end of DATA, but the messages still pass through our infrastructure, so our detectors see them. We also have domains donated to us via our service. As we have no idea about the history of these domains or how long they will remain pointed at us, they always stay in the same state as “recycled” domains.

We closely monitor the metrics of all of our traps and trap pools, e.g. how long we have owned them, how much daily traffic hits them, how much of that traffic comes from whitelisted sources, etc. The traffic from all of our traps is separated into different “origins” so that our detectors know exactly which trap pool a message came from. Once we’ve had a domain for at least a year and we’re happy with its metrics, it is moved into our “trap” pool, which means that we stop rejecting all mail sent to it and it starts being used to generate “blacklisting” events.

To build our IP blacklist, any message hitting our “trap” pool from an IP address that is not whitelisted causes that IP to be included immediately. Additionally, any message arriving anywhere in our trap network, regardless of the trap pool, that attempts to use our traps as a relay causes the sending IP to be included automatically.

Any IP added to the list will then remain listed for 5.2 days after the last event that we saw from it, or until it is delisted. (If you need to delist your IP/domain from one of our lists, you can use our free lookup service here.)

To help catch additional spam where the spam is sent from a spread of IP addresses (so-called “snowshoe” spam), we record every hit on any trap pool from IPs within a /24 over a 5.2-day window. If we also see “trap” pool hits from the same /24, then all the IP addresses we have seen from that /24 during that window are listed as well.

Additionally, any new IP (one we have not seen before) that hits any trap pool is also listed.
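The listing rules above (direct “trap” pool hits, relay attempts on any pool, never-seen IPs, the 5.2-day expiry and the /24 snowshoe rule) are easiest to reason about as event-processing logic. The following is an added example written for this page, not Abusix’s own code or data model; the event fields, the whitelist handling (whitelisted IPs are neither listed nor counted towards a /24) and the meaning of “new IP” as “not seen before this run” are assumptions, and the sample events are constructed.

```python
"""Toy simulation of the trap-driven listing rules: illustrative only, not Abusix code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

LISTING_TTL = timedelta(days=5.2)   # an IP stays listed 5.2 days after the last event from it
T0 = datetime(2021, 3, 1)           # start of the constructed sample timeline


@dataclass
class TrapEvent:
    when: datetime
    ip: str
    pool: str                    # which trap pool received the message: "recycled" or "trap"
    relay_attempt: bool = False  # sender tried to use the trap host as a relay


def slash24(ip: str) -> str:
    """The /24 an address belongs to, used for the snowshoe rule."""
    return str(ip_network(f"{ip}/24", strict=False))


class TrapBlacklist:
    def __init__(self, whitelist=(), known_ips=()):
        self.whitelist = set(whitelist)
        self.seen_ever = set(known_ips)   # IPs seen before this run; any other IP is "new"
        self.listed = {}                  # ip -> (expiry, reason)
        self.window = {}                  # /24 -> events from the last LISTING_TTL

    def _list(self, ip, when, reason):
        if ip not in self.whitelist:      # assumption: whitelisted IPs are never listed
            self.listed[ip] = (when + LISTING_TTL, reason)

    def is_listed(self, ip, now) -> bool:
        entry = self.listed.get(ip)
        return entry is not None and now <= entry[0]

    def reason(self, ip):
        entry = self.listed.get(ip)
        return entry[1] if entry else None

    def ingest(self, ev: TrapEvent) -> None:
        is_new = ev.ip not in self.seen_ever
        self.seen_ever.add(ev.ip)
        if ev.ip in self.whitelist:       # assumption: whitelisted traffic counts for nothing
            return

        # Any event from a listed IP pushes its expiry forward (5.2 days after the last event).
        if ev.ip in self.listed:
            self.listed[ev.ip] = (ev.when + LISTING_TTL, self.listed[ev.ip][1])

        # Direct listing rules, in the order a hit is classified.
        if ev.relay_attempt:
            self._list(ev.ip, ev.when, "relay attempt")   # relay attempt on any pool
        elif ev.pool == "trap":
            self._list(ev.ip, ev.when, "trap-pool hit")   # non-whitelisted hit on the "trap" pool
        elif is_new:
            self._list(ev.ip, ev.when, "new IP")          # never-seen IP on any pool

        # Snowshoe rule: keep a 5.2-day window per /24; a "trap" hit in the /24 lists
        # every IP seen from that /24 during the window.
        net = slash24(ev.ip)
        recent = [e for e in self.window.get(net, []) if ev.when - e.when <= LISTING_TTL]
        recent.append(ev)
        self.window[net] = recent
        if any(e.pool == "trap" for e in recent):
            for e in recent:
                if not self.is_listed(e.ip, ev.when):
                    self._list(e.ip, ev.when, "snowshoe /24")


def run_demo() -> TrapBlacklist:
    """Feed constructed sample events (not real trap data) through the rules."""
    bl = TrapBlacklist(
        whitelist={"203.0.113.5"},
        known_ips={"198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.5"},
    )
    day = timedelta(days=1)
    events = [
        TrapEvent(T0, "198.51.100.10", "recycled"),          # known IP, recycled pool: nothing
        TrapEvent(T0 + day, "198.51.100.11", "recycled"),    # same /24, still nothing
        TrapEvent(T0 + 2 * day, "198.51.100.12", "trap"),    # trap hit: lists .12, then .10/.11 via /24
        TrapEvent(T0 + 2 * day, "203.0.113.5", "trap"),      # whitelisted: ignored
        TrapEvent(T0 + 3 * day, "192.0.2.77", "recycled", relay_attempt=True),  # relay attempt
        TrapEvent(T0 + 3 * day, "192.0.2.78", "recycled"),   # never-seen IP on the recycled pool
    ]
    for ev in events:
        bl.ingest(ev)
    return bl


def snapshot(bl: TrapBlacklist, days_after_t0: float):
    """Sorted list of IPs still listed at T0 + days_after_t0 days."""
    now = T0 + timedelta(days=days_after_t0)
    return sorted(ip for ip in bl.listed if bl.is_listed(ip, now))
```

Running `snapshot(run_demo(), 3.05)` shows the two hosts that only ever touched the recycled pool (198.51.100.10 and .11) listed purely because a neighbour in their /24 hit the “trap” pool, and `snapshot(run_demo(), 7.5)` shows them dropping off 5.2 days after that event while the later relay and new-IP listings remain.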

Reasons for being listed & how to avoid getting listed on our IP Blacklist:

Common reasons for being listed in our IP blacklist:

Let’s deal with each of these (except the professional spam case) and how you can avoid these problems.

Compromised or Infected hosts

Keep your devices up to date with the latest software, firmware, and plugin updates, and make sure you run anti-virus software.

Currently, the most common compromises we see are of Windows PCs, MikroTik routers, and WordPress installations. All of these could be avoided if they were kept up to date with the latest patches, firmware updates, plugins, etc.

Compromised email accounts

Weak passwords, passwords reused on other sites (whose databases are then stolen), credentials stolen by malware, and credentials stolen via phishing are some of the most common causes.

Using a password manager and a unique password for each site is one of the best defences against all of these.
On the server-side, enforcing good password strength and uniqueness using services like are some strategies that can prevent your users’ credentials from being used to send spam via your service.

Abusable web forms

Spammers constantly search the internet for services they can exploit in some way to send spam, phishing, or malware. They do this with automated bots that scan your site for sign-up/registration forms, mailing-list sign-ups, or “Send to a friend” features, to see if these can be abused to send messages to an innocent third party.

Here is a good (bad) example:

To: <spam target>
Subject: [Your Company Name] Your username and password
X-PHP-Originating-Script: 1032:class-phpmailer.php
Date: Tue, 18 Aug 2020 16:30:23 +0000
From: WordPress <>
Message-ID: <>
X-Priority: 3
X-Mailer: PHPMailer 5.2.1 (
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="UTF-8"
Username: date Lori and Jenny www[dot]rb2020[dot]sitew[dot]org
Password: dWnBdsHjWbe7

This is a website registration page that has been abused to send spam to our trap network. The spammer used one of our trap email addresses to register and then used the username field to carry their message payload, in this case a dating spam website. Note that the site also mailed the newly created password in clear text.

This will also cause significant issues for the website owner:

To avoid this, all sign-up forms and any forms that might cause email to be sent should:

Doing all of these will reduce the chance of your web forms being abused to send spam and poison your databases.

Poorly managed mailing lists

Automated sign-ups (e.g. by bots), users mistyping their addresses at sign-up, and messages being sent to very old customers (e.g. no contact for over a year) are common causes of getting blacklisted.

As with web forms, your mailing list sign-up procedure should do the following to avoid these common pitfalls:

M3AAWG publishes a full Sender Best Practices guide which is worth reading.
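Both the abusable-web-form case above and the mailing-list sign-up case come down to the same handler design: never let user-supplied text reach an outbound message, never send anything of value (such as a password) before the address has been confirmed, and make automated sign-ups expensive. The following is an added example for this page, not code from Abusix, WordPress or PHPMailer. It assumes a hypothetical sign-up handler with a per-deployment HMAC signing key, a 24-hour confirmation-link lifetime, a rate limit of five attempts per IP per hour and a confirmation URL on `example.invalid`; all of these values, and the sample inputs, are constructed.

```python
"""Hardened sign-up / mailing-list subscription handler (illustrative, not project code)."""
import base64
import binascii
import hashlib
import hmac
import re
import secrets
from collections import defaultdict, deque

SIGNING_KEY = secrets.token_bytes(32)   # assumption: long-lived secret kept on the server
TOKEN_TTL = 24 * 3600                   # confirmation links expire after a day
RATE_LIMIT = 5                          # assumption: max sign-up attempts per IP per RATE_WINDOW
RATE_WINDOW = 3600

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")                 # strict allow-list, no spaces or dots
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# URLs and obfuscated URLs ("www[dot]example[dot]org") smuggled into free-text fields
PAYLOAD_RE = re.compile(r"https?://|www\.|\[\s*dot\s*\]|\(\s*dot\s*\)", re.I)


def username_is_clean(username: str) -> bool:
    """A username that can carry a message (spaces, brackets, URLs) is rejected outright."""
    return USERNAME_RE.fullmatch(username) is not None


def free_text_has_payload(text: str) -> bool:
    """For fields that must allow free text (display name, 'send to a friend' note)."""
    return PAYLOAD_RE.search(text) is not None


_attempts = defaultdict(deque)   # ip -> timestamps of recent attempts (sliding window)


def over_rate_limit(ip: str, now: float) -> bool:
    q = _attempts[ip]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()
    q.append(now)
    return len(q) > RATE_LIMIT


def make_token(email: str, issued: int) -> str:
    """Double opt-in token: address and issue time, authenticated with an HMAC."""
    msg = f"{email}|{issued}".encode()
    mac = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(msg + b"|" + mac).decode()


def verify_token(token: str, now: float):
    """Return the confirmed address, or None if the token is forged, malformed or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        email, issued, mac = raw.rsplit(b"|", 2)
        expected = hmac.new(SIGNING_KEY, email + b"|" + issued, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected) or now - int(issued) > TOKEN_TTL:
            return None
        return email.decode()
    except (ValueError, binascii.Error):
        return None


def handle_signup(ip: str, email: str, username: str, now: float):
    """Return ("sent", mail) for an accepted request or ("rejected", reason)."""
    if over_rate_limit(ip, now):
        return ("rejected", "rate limit")
    if EMAIL_RE.fullmatch(email) is None:
        return ("rejected", "bad email")
    if not username_is_clean(username):
        return ("rejected", "bad username")
    token = make_token(email, int(now))
    # Fixed template: no user-controlled field reaches the subject or body, and no password
    # is mailed. The account (or subscription) is only created when the token is redeemed,
    # so a mistyped or spam-trap address receives at most this one harmless message.
    mail = {
        "To": email,
        "Subject": "Confirm your sign-up",
        "Body": f"Follow this link to confirm: https://example.invalid/confirm?t={token}",
    }
    return ("sent", mail)


def simulate_flood(ip: str, count: int, now: float):
    """Issue `count` sign-up attempts from one IP and return the last result."""
    result = None
    for _ in range(count):
        result = handle_signup(ip, "someone@example.com", "user_ok", now)
    return result
```

Feeding the username from the abuse sample above (`date Lori and Jenny www[dot]rb2020[dot]sitew[dot]org`) into `handle_signup` is rejected before any mail is built, while a clean request produces a confirmation message whose body contains only the fixed text and the signed token. Redeeming that token after `TOKEN_TTL`, or presenting a token not signed with the server key, yields `None`, and the sliding-window limiter turns a bot hammering the form into a stream of rejections rather than a stream of outbound mail.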

Until next time – stay safe.
