ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Understanding Private IP Addresses and a lesson Spamhaus should learn

Updated on April 29, 2011
Pcunix profile image

I was born in 1948 and spent most of my career as a self-employed computer trouble shooter for Unix systems.

I recently had a customer who runs an internal mail server get blacklisted by

That's usually because some internal machine has become infected and has managed to bypass all the defenses we put in and found a way to send spam email out. That's not easy, but they had apparently pulled a very ancient box out of the dust bin and hooked it up to the network. It must have done something exceedingly clever, because we block everything at the router except the mail server itself from using mail related ports, but nevertheless, the evidence was plain: Spamhaus had blocked their IP, so something had gotten out.

However, we didn't find this out immediately because I was a little careless when the customer informed me of the block. Because we had been through this before in the past, I told him to just type his mail server IP in at Spamhaus and that they would give him specifics. Once he knew what the actual problem was, he could ask them to unblock his address.

He called me back an hour later to tell me that Spamhaus said his IP was not blocked.

I was a bit surprised, but not totally.  It is possible for this to happen.  I really should have been more insistent right then, but, as I said, this customer had been through this type of thing previously, so I thought he knew what he was doing.  I also foolishly assumed that Spamhaus had better software in place than they do.

The upshot of all this is that I arrived on site to examine the problem two days later.  That's two days where the customer had to suffer annoying blocks.  Here's what happened:

Private vs. Public

When my customer visited the Spamhaus Blocklist Removal Center, he typed in what he thought was his mailserver IP address: That IS the address, but it is the internal, private IP address. What he should have put in is the public IP address - the address of the MX record for his domain.

We'll see in a minute that while it might be understandable that my customer made this mistake, Spamhaus never should have. Their website software should have known he had erred and should have told him that instantly. Let's see why I say that.

Here are the private IP ranges:

  • throuugh
  • through
  • through

You can't use the beginning or end of a range. That is, if you are planning to use 192.168.2 addresses, you cannot use or for a computer or printer.  The first is reseved to refer to the network itself and the last is a subnet mask.

I don't want to get into subnetting here because it can get very confusing. If you are a home user or a small business, you are unlikely to need to worry about that.

Those are addresses you can use inside a private network.  They cannot be used on the Internet - they will not route.  Your Internet router has one or more true, public IP adresses that are not in these ranges and part of its function is to translate your internal addresses to public addresses.  You'll here that commonly referred to as "NAT" or "masquerading" (purists will argue about precise meaning and say it's probably "DNAT" - they are right, but that's not important for most of us).

That's why I say that Spamhaus should have recognized the error.  A mailserver can NOT have a public address of - that is obviously an internal address.

Try This

Find out what your machines addresses are. First, go to That will show you your public IP address. Next, ask your computer what its IP is.

Here's how to tell with Windows: do Start->Run and then type "cmd" (on older systems type "command"). That opens up a "DOS box", or "command window" as we old geeks call it. In that box, type "ipconfig". You'll get back something like this:


Windows IP Configuration

Ethernet Adapter Local Area Connection:
       Connection-specific DNS Suffix:
       IP Address....................:

(and more, but it's the IP Address we want)

Network Settings on a Mac.  Note the IP is
Network Settings on a Mac. Note the IP is

You may also know how to get that from the Windows interface. Similar information is available on Macs - you might open up Terminal and run "ifonfig en0" or use System Preferences to examine your settings.

Warning: If your computer network shows the same address as that WhatIsMyIP site, you are directly connected to the Internet and that is usually a very unsafe condition for a home computer.

What really happened

When I typed in his public IP, we got back confirmation from Spamhaus. Following the provided link gave us very specific information.

This IP is operating (or NATting for a computer that is operating) the "sendsafe" bulk emailing malware. This software is exclusively used for sending "Nigerian 419"/"advance fee" frauds or phishing attempts.

Sendsafe works by acquiring userid and password (usually stolen) for a valid email account on a mail server. Then, a machine compromised by sendsafe (in this case your IP) makes a SMTP connection to that mail server, authenticates with the compromised email login credentials, and proceeds to send Nigerian 419 scam emails.

One way to look for this is to look for authenticated outbound SMTP connections from this IP address either on port 25 or port 587. This particular detection was of a SMTP connection made from your IP address to IP address (removed for confidentiality).

In some cases it turns out to be a SSH login account (with a weak or compromised password) used to proxy inbound connections to outbound SMTP connections. Check your SSH logs for logins from unusual places (such as Nigeria).

A recent case turned out to be a copy of "Mass Sender" (aka "Advanced Mass Sender 4.3"). This appeared have been installed via some sort of remote desktop connection (such as RDT or VNC), and operated by the remote desktop connection. The criminal had gained access to the remote desktop connection via stolen/cracked/keylogged userid/password. First check Windows Installed applications (eg: Control Panel => Add or Remove programs...) and see if anything unexpected is there.

On a NAT, it could be any windows computer on your LAN. Examining your firewall logs for remote desk top connections from outside may help identify which computer it is.

In this case, it was "Mass Sender 4.3". If you find anything like that, delete it. Then, to make sure it doesn't happen again, secure your remote desktop connection as tightly as possible. Close the firewall to that port if possible. Change all passwords etc.

In other cases it appears to be a virus infection that may have disabled your Anti-Virus software. If you have Anti-Virus software, make sure it's operational and up-to-date.

That's very helpful. They also gave us the time the spam was last seen, which was five days back. My customer immediately remembered briefly putting up that ancient box on that day.

I remained concerned about how this box had bypassed our defenses. It should not have been able to send direct email out on those ports as those are blocked by the router for all machines except the actual mailserver. It might have used the internal mailserver (using credentials found on the machine), but I found nothing in the logs there.

Oh, well. I asked the customer to keep checking Spamhaus every week just in case the virus had managed to spread, but after six weeks, there has been nothing else, so I'm reasonably confident it has not. I also asked him to not resurrect five year old machines that should have gone to recycling long ago!

Do you know someone who should be reading this? Click the Share button below to send it to them easily or to post it to Facebook or Twitter.


Submit a Comment
  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    9 years ago from SE MA

    I know. I wanted to avoid subnetting here if I could, and I really can't entirely.

    Oh, well. I changed it as you can see.

  • Manna in the wild profile image

    Manna in the wild 

    9 years ago from Australia

    Yup. There is no way to depict the wire and broadcast address for every possible subnet that could be used.

    But it's a very useful chunk of work here all up. Thanks.

  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    9 years ago from SE MA

    And yes, I realize it's still not completely right. I suppose I should just change it to match..

  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    9 years ago from SE MA

    I imagine you are referring to the fact that I say to ?

    Yeah, I know: the RFC defines it as to

    But I'm not talking about networks here, I'm talking about IP addresses that you'd use to assign to devices in a private network.

  • Manna in the wild profile image

    Manna in the wild 

    9 years ago from Australia

    Check your definitions of RFC1918 private IP addressing

  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    10 years ago from SE MA

    You are confused, Frank. No 127 address can be in a blacklist because no 127 address can route on the Internet.

    You probably misinterpreted this:

    Those are return codes, not ip's.

  • profile image

    Frank Senase 

    10 years ago

    "You don't think Spamhaus should reject private ip's???"

    No, because some private IPs ARE on Spamhaus BLs ( for example and many others in 127.*), instead they should tell the truth if an IP is listed or not, which is what they do already.

    Most users don't even know what a 'private IP' is and if they don't have enough clue to put their mail server's correct IP into a Spamhaus search do you think they have any clue what to do with the result either way. If they don't know enough to know their IP address they have no business anywhere near a mail server or a router, they should employ a competent mail server administrator to do it.

  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    10 years ago from SE MA

    Did you not understand when I said I don't support the routers? I have checked them by attemting outgoing connections, and that was blocked, so I do remain puzzled by how this machine got out. I guess you can't understand that, either.

    You don't think Spamhaus should reject private ip's???

  • profile image

    Frank Senase 

    10 years ago

    "My customer immediately remembered briefly putting up that ancient box on that day" - and this caused a load of spam to the internet from your 'secure' network, nice!

    "When I typed in his public IP, we got back confirmation from Spamhaus. Following the provided link gave us very specific information" - well that's what happens when you put in the right IP :) Blaming Spamhaus for not correcting you when you put in a wrong IP is stupid! It's not their job to baby-sit you.

    "I remained concerned about how this box had bypassed our defenses" - that's easy, some idiot had set the customer's network up so the defenses could be bypassed. Might I guess who that was? Sure, you, right? :)

  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    10 years ago from SE MA

    Oh, I don't. Stuff like that is always someone with some other axe to grind. He could work for Spamhaus or dislike me for some other real or imagined offense.

  • f_hruz profile image


    10 years ago from Toronto, Ontario, Canada

    Yehhh, very good report ... and don't get too upset if some idiots come around just to post to show how little culture they actually have! :)

  • Pcunix profile imageAUTHOR

    Tony Lawrence 

    10 years ago from SE MA


    As I noted above, the routers (which are not controlled by me, by the way) are set to block outbound email ports from all machines except the mailserver.

    Small customers don't have system admins. The person who pulled out that old box is a manager.

    And no, it wasn't "millions" of emails. As far as we can tell, the centralized virus scanning nullified that machine very quickly anyway and if not it was taken off the network the same day.

    Finally, yes, Spamhaus SHOULD trap that. I bet "idiots" (your ignorant term) make that error frequently. Spamhaus could help prevent longer terms of spamming machines with that simple code change.

    No "idiots" here. Except perhaps you.

  • profile image

    Frank Senase 

    10 years ago

    The summary of this posting is simple:

    An idiot system admin (Pcunix) sets up a customer's network badly allowing infected machines to spew spam to the internet. The idiot customer puts a wrong IP into Spamhaus and Pcunix expects Spamhaus to correct his error. Pcunix does nothing for days until the customer complains some more, then both idiots discover that Spamhaus was right: there was a badly set up trojan-infected PC on the network spewing spam to millions of people! By this time the idiot customer should at least have considered firing the idiot system admin. I would have.


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)