Video Screencast Help

Submit False Positive for Symantec Brightmail Blacklist

Created: 30 Jul 2013 | 9 comments

We are an Email Service Provider, and one of our shared IP addresses is consistently being granted a negative reputation by Symantec.  I have submitted our IP for investigation several times, each time our reputation is cleared, but within a few hours we're back on the negative list.

We have many clients who rely on the reputation of this Shared IP, and I believe that our presence on any blacklists is a false positive.  We are actively removing any clients who may be hitting spam traps or practicing poor list hygeine from this IP, in order to optimize the reputation of this shared IP.

Our users are contractually required to only email contacts who have specifically opted in to receive email.  We immediately remove hard bounces from any sending lists, and address any abnormal complaint rates immediately.  Our emails are all CAN-SPAM compliant.

Please advise as to what action we can take to remove ourselves from any blacklists.  Thank you.

Operating Systems:
Discussion Filed Under:

Comments 9 CommentsJump to latest comment

Fiendslayer Paladin's picture

Hi there,

It depends what area of the scanning service is blocking your mails. operate an automatic Traffic Shaping service, where by if they see external IPs sending mails to their clients which are classified as spam - but the sending IP itself isn't on a known block list - the service sets up a throttle for that IP, reducing the number of successful connections it can make to the infrastructure.

Over time, if the IP is seen to continue to send spam, the throttle gets more and more, to the point where the majority of traffic is blocked. can reset the throttle on an IP, but if spam is once again seen from that IP the throttle will increase again.

You can certianly contact Symantec (as long as you are a registered client, if not one of your clients will need to contact support on your behalf) and they can put a watch on the IP that keeps being re-added to see what kind of traffic they are seeing.

Alternatively it could be the type of mails you are sending out which are being classed as spam-like, and subsequently blocked. Again, if a client reports these as a False Positive, then the Anti Spam team are able to investigate and whitelist those mails, or aspects of those mails which are causing it to be triggered as spam.

I hope this helps.


- FP

Maropost's picture

Hello Fiendslayer Paladin,

We are also an ESP and had something similar which we discovered via Hotmail SNDS and it was a Symantec Brightmail block... only 4 ips in the range we have so we are thinking they could be blocking the whole range due to someone else, any idea of who we should reach out to?

This just started a couple of days ago and nothing has changed in terms of our sending or client on those ips.

Any feedback is much appreciated :)


Maropost's picture
Did you have any luck getting this resolved?
Fiendslayer Paladin's picture

Hi Marcopost,

Apologies for my delayed response.

As you have this IP shared then it's likely it's being constantly picked up due to clients abusing it. support staff can certainly get the IP cleared, but as long as spam is still seen to be coming from it, then it will get re-throttled again.

What I would recommend is getting a case logged with support (please bare in mind that for security purposes they will only log tickets for authorised contacts of clients - so you may need to ask an intended recipient who uses the scanning service to log this on your behalf initially) but what the support staff can subsequently do is put a watch on the IP and look to analyse more carefully the kind of traffic that is causing your IP(s) to get constantly listed, at least that way they can feed back that information to you so that you can investigate more accurately on your side in case of a repeat offender.

Hope that helps!

- FP

Digital Backups's picture

I was not sure where else to post this,  but I am also having a similar problem having my emails blocked from your internal list... at least  from what I am told by mail support.

I am a small web host with 100 +/- customers and 250 mailboxes,  I recently upgraded servers and was forced to take on a new IP which showed not being on any RBL's but I have found to be on a few internal lists like you folks.

But because I am not a Symantec user they will not open an investigation.  I need to get this resolved ASAP,  from what I have gathered from working with other anti-spam services is the block is from over 3 years ago and not only was I not the owner of the IP,  but neither was my Service Provider at that time as they recently had the whole IP block assigned to him from ARIN.

So I either need help fixing this,  or direction to where I can purchase your least expensive spam blocking software so I can become a customer so you might care enough to help fix it.  Sorry if I come off a bit edgy but trying to resolve this via your email support was frustrating to say the very least.


Bryan Webster
Digital Backups

f731's picture

We are a company in the healthcare sector we have 500 000 clients and +- 100 000 have subscribe to our newsletter. We send every month our newslette without any problem.

Since yesterday all our microsoft client are blocked (hotmail,outlook,live) when we are looking the reason

it say ip blocked by symantec brighmail.

It is normal that our company send so many newsletter, We have 2 isp verizon and skynet

the ip that os blocked is

mhawke's picture

Same thing here. Apparently Outlook and Hotmail are using your BrightMail service and for the past week, none of my members have been receiving emails sent from my little club with less than 100 members. What have you done? My ISP changed the IP on my mail server but that didn't help. How can I possibly figure this out? I have spent 2 days just to figure out that BrightMail is at fault. I am a just volunteer who is donating my time to help our youth sports club and I never thought I would be spending my time trying to figure out how to get my domain off a blacklist!!

My ISP changed the IP of my mail server. That should fix things right? Does your service blacklist by IP or domain name or both? 

Digital Backups's picture

It seems impossible to get any help from Symantec,  but until they do I will just keep telling everyone I know not to buy Symantec Products because their their customer service does not care, eventrually they will start caring or they will go out of business is my hope.  Post it on your Facebook,  tell your friends, customers, family....

So far because they have refused to help me I have assisted 8 people in the last week switch to a different product.... as well as told two commercial clients I refuse to work on their Server/Networks until we replace Symantec which we are now investigating other products.,  I know it won't be enough for them notice,  but at least I feel like its an attempt.

I have tried calling, forums, emails, Facebook, and can't find a single person in the company that cares to help.

Good Luck mhawke.