[NA]Blocked-email help, for a business[NA]

[Let'sgoflying!]

I offered to put this question/plea for help out there for a good friend who offers educational programs for her (professional) colleagues. She has been doing this for many years and is well-respected for top-notch scientific programs and also for being of superior personal character.
These programs have in the past been advertised through print or word of mouth and then conducted in a classroom-type setting and more recently, advertised on her website and via email then I believe she has shifted to zoom-type presentations.
She says "over the past 6 months, our seminar website has been repeatedly reported to various internet authorities as a spammer and as a phisher site, and we are repeatedly shut down.
The result of these complaints is that any e-mail with my website name in it can be 'disappeared' by any ISP at any time, and our website is blocked by a number of browsers. We thought we had all of this straightened -- it took a great deal of time. And now the whole thing is happening again.
We are using the same e-mail list we have used for the past 8 years, and we add no more than 20 or so per year. We send out less than 100 e-mails per year. Our e-mail list is run through Constant Contact, and it is very easy to opt off, in case someone gets tired of hearing from us. We have never had any problems until this year.

We do not collect any personal information at all, except for attendee names -- information required by our professional board for CE record keeping. Registrants are transferred to the PayPal server for collection of payment information, and we do not have access to that info. We have never sold any list to anyone for any reason. We do not store any personal information on the internet anywhere, ever, except for our Constant Contact e-mail address list. All we keep is a hard copy of attendee sign-in lists, in case the Board ever calls.

We have never received any complaint from any person ever about privacy issues being violated. We have no disputes with anyone about anything that we know about. We sent faxes out for the first two meetings in 2013 and 2014, and one person got really mad, and left us an angry voice mail. So we stopped sending faxes altogether and took him off our e-mail list. That's the only problem I can remember.

I sure wish I knew who I have upset, and why, and what I can do to make it right. If anyone knows, please help. Today, we are blocked on Microsoft browsers and I am working to correct it. If you try to get to our website on Edge or Explorer and get a security warning, try another browser. Right now, we are fine on Firefox and Chrome."

I suggested to her that it might not be a person actively blacklisting her site so much as automation doing it. But I have zero knowledge of these things.
If someone here is interested in helping I would be grateful; PM me and I will give you the website.
Thanks
Dave

 

[RJM62]

1. If the site doesn't force SSL, make it so. It's pointless in some cases, but nonetheless expected nowadays. In Apache, this can be done in the .htaccess file with something along these lines at the top of the file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

There are other ways, but the code above should always work and shouldn't break anything (assuming, of course, that an SSL cert is properly installed for the domain). If it does break the site, delete it and re-upload the .htaccess file.

I have no idea how to do it on any other server besides Apache.

1a. Replace any internal or incoming http links to https links once SSL is enabled and forced, including on the sitemaps, Google Search Console, emails, advertising, etc.​

2. Have someone check the site, and especially the mail server, for security problems.

3. Enable rDNS and PTR if not already enabled. That has to be done through the host.

4. Use SPF with hard fail, if practical, to reduce spoofing. That can usually be done by the site owner, but in some cases may have to be done by the host. Many hosts will make the changes upon request just to avoid the users hosing their mail (easy to do if they don't know what they're doing).

4a. Make sure the IP addresses of all authorized mail servers are in the SPF entry. If that's not possible, then use soft fail.​

5. Bear in mind that many users are idiots. They will sign up for a mailing list, and then report the mail as spam when they no longer want to receive it rather than politely unsubscribing. Asking them to confirm their interest every so often isn't a bad idea, especially if they seem not be reading the emails.

6. Consider having the mail server use a separate IP than the one the Web server uses, or outsourcing the mail altogether. This is of very limited value for a mailing list because if a link to the site is included in the mail, typically both the site's IP and the mail server's IP will be reported. But not always. I do it if I happen to have a spare IP laying around. Otherwise, it's usually not worth the bother.

7. Sign up for the Feedback Loops (FBL's) of the blocking providers, if they have them, and actually respond to any reports if that functionality is provided. Some (not all) providers will send a spam notice to the responsible party of record rather than block the IP after a single or a few spam complaints. In any case, being in the FBL does provide information about the mail(s) that the reporting user(s) found objectionable. This is advantageous both to make sure the mail is legit, and to reduce its overall spamminess as algorithms see it.

If I think of anything else, I'll add it in a new post.

Rich

 

[schmookeeg]

5. Bear in mind that many users are idiots. They will sign up for a mailing list, and then report the mail as spam when they no longer want to receive it rather than politely unsubscribing. Asking them to confirm their interest every so often isn't a bad idea, especially if they seem not be reading the emails.

I do this. A sender of an email gets exactly one second from me to find their one-click unsubscribe link. If they ask me to type in my email address (I have 8, I don't want to figure out which was sent to), I flag spam. If they present me a list of checkboxes to individually opt-out of, I flag spam. If they oh-so-cleverly used a soft color and a micro font size for their link and I can't find it in one pass, flag spam.

A normal-font contrasting-colored link titled "Unsubscribe" is indeed polite and I'll use it. Unless you're an outfit that I suspect will generate "proof of life" and share my email with 20 other spammers.


OP needs to find a digital marketer (aka professional spammer) to sort out her mess. Something has been done wrong. (No DMARC on the domain maybe?)

 

[Stan Cooper]

I do this. A sender of an email gets exactly one second from me to find their one-click unsubscribe link. If they ask me to type in my email address (I have 8, I don't want to figure out which was sent to), I flag spam. If they present me a list of checkboxes to individually opt-out of, I flag spam. If they oh-so-cleverly used a soft color and a micro font size for their link and I can't find it in one pass, flag spam.

A normal-font contrasting-colored link titled "Unsubscribe" is indeed polite and I'll use it. Unless you're an outfit that I suspect will generate "proof of life" and share my email with 20 other spammers.


OP needs to find a digital marketer (aka professional spammer) to sort out her mess. Something has been done wrong. (No DMARC on the domain maybe?)

Make sure there is a highly visible link to unsubscribe preceded by note that reporting the emails as spam causes problems for those who signed up for and want to continue receiving them. Also, make sure the unsubscribe link URL isn't, in and of itself, spammy looking (like a tinyurl link for example).

 

[gdwindowpane]

go to mxtoolbox.com and type in your domain. then in the upper right click the blacklist link. it will check your domain against quite a few blacklist providers and pass/fail. you can also run smtp tests. My exchange server was getting blocked by gmail I think because I had two spf records in my zone file. I combined them to 1 spf file and things seemed to clear up. of course as others have stated, if someone marks it as spam, your email will start getting sent to the spam folders.

Good luck.

 

[RJM62]

go to mxtoolbox.com and type in your domain. then in the upper right click the blacklist link. it will check your domain against quite a few blacklist providers and pass/fail. you can also run smtp tests. My exchange server was getting blocked by gmail I think because I had to spf records in my zone file. I combined them to 1 spf file and things seemed to clear up. of course as others have stated, if someone marks it as spam, your email will start getting sent to the spam folders.

Good luck.

That also happens sometimes when migrating an existing site from a server running cPanel to a server running Virtualmin, which quite a few hosts are doing due to the cPanel license price increases.

Rich

 

[denverpilot]

Thoughts ...

SPF and DMARC set properly is a must anymore. All sorts of places will simply throw stuff without it straight to the bit bucket.

Shared servers for small business that share a public IP are a business risk these days. You don’t have to be a spammer or malware distributor but your dumb “server neighbor” might be. Get off of shared hosting unless the hosting company has a zero tolerance for such things and acts VERY fast to cut off any shared tenant who has a problem or is flat out malicious.

A great many small business websites are running Wordpress. If it’s not professionally maintained and patched nearly constantly and any plug ins with security vulnerabilities never ever used by policy, it’ll become a malware distributor in days if not minutes. I recommend small business never ever attempt to run Wordpress on their own and to use only hosts that really understand what a security nightmare that thing has always been from day one. Even with pro management we use it and we still had to segregate it and the marketing sites it runs far far away from our production a systems and IP ranges. It’s a continual disaster. Investigate using a different CMS.

Even companies that have their act together on their servers are vulnerable to desktop and laptop systems becoming infected side malware that sends emails with bad payloads right out the door, fully correct at the server level. That one machine will get your entire company server listed as malicious and eat an entire day for a sysadmin to clean up the resulting mess. You must have control of desktops and understand the vulnerabilities that running any out of date software plus no security software with behavior monitoring are. It’s too big a topic for here but if end users can install crapola they found on their favorite website at lunchtime, and your inventory monitoring system doesn’t alert and your security suite doesn’t stop it, both... you’re doing it wrong.

She’s at least doing Constant Contact. However if she doesn’t have SPF and DMARC set up properly for their servers, they’re just showing up at the receiving side as possible or likely spam.

Finally the contents of the messages do count. Loading messages with certain key words and piles of html and graphical crap can get messages immediately tagged as high likelihood of spam. Enough of those and a couple of complaints and she’s blacklisted. Send simple text only emails with a link to an SSL only website for the fancy stuff. Email is not intended for brochures and many spam guessing algorithms know that the flowery stuff is usually junk mail.

It’s a lot of stuff for a small business person to know and deal with. It’s pretty much impossible these days to learn it without pro help. A guy like Rich who knows his stuff and works with small biz can really be an asset and people like that don’t have to be local to the business at all. Many even assist with choosing a hosting vendor or they run hosting themselves directly with their own serves or partnered with cloud services.

The mxtoolbox link someone provided above is an excellent first pass at everything that needs to be fixed, but it won’t know things like third party services that are authorized to send for the domain like maybe Constant Contact or stuff like Salesforce. It only finds blatant errors.

Another tip. Even with all sorts of things I don’t like about Google, GMail has absolutely fantastic spam filtering and all sorts of brains around it. If her messages aren’t making it to a test Gmail account, she’s seriously blacklisted or something is very wrong. If she is making it to their stuff, but users are getting warnings about the message, the message headers will have a ton of information about exactly what’s wrong.

And here’s one more thing that’s just life in email now... some ISPs are simply way too aggressive about spam. Some percentage of any large customer base simply won’t receive marketing style emails.

Long ago you’d get a bounce message to let you know. Those are essentially dead and not used anymore due to the ability of bad actors to easily use them die backscatter attacks. Things that look malicious are simply sent straight to the bit bucket. The only person who can see that they were is the sysadmin with access to the mail server logs on the receiving end.

If there’s really a problem between two systems at the end of the day the two admins have to be involved and look at the logs. It’s a tedious and annoying process for all involved.

Oh yeah. One more thing. A good mail server has proper TLS keys on it and always attempts to send to other servers encrypted. Not really for security although it’s a partial side effect, but email without user based encryption is never a secure channel... but because the receiver can truly identify the sending server. When we ran our own spam filtering we gave extra brownie points to servers that cryptographically identified themselves. Anybody with enough clue to set that up and make sure their keys were kept updated, was usually not a spammer.

There’s my email sucks donkey balls brain dump. Get involved at your own risk. Sanity is not included in the smtp protocol. It should have been crap canned a decade or more ago for something with all the bolt on crap glued together with DNS entries and duct tape, required just to play and secure clients for desktops and mobile with end to end encryption.

But that ain’t gonna happen. It’s well entrenched hot garbage from the 70s when open relays were the only way to get things to work. Nowadays If you’re not authenticating every client, with crypto, you’re doing it wrong.

Good luck! Been doing email servers for a couple decades and I loathe them. But it pays the bills. So I smile and read the logs.

 

[tspear]

I dumped doing my own email years ago for exactly the reasons Nate mentions.
I either pay a little extra and use Google business apps, or Office 365.
There are other good choices. But I do not think they were worth my time chasing down.

Tim

Sent from my HD1907 using Tapatalk

 

[RJM62]

If I were going to offload the mail, I'd probably use Fastmail.com. They're one of the few companies I deal with that have always worked, with no downtime I can recall, and no aggravation.

Rich

 

[wsuffa]

If I were going to offload the mail, I'd probably use Fastmail.com. They're one of the few companies I deal with that have always worked, with no downtime I can recall, and no aggravation.

Rich

Likewise on Fastmail. They do a good job. Let them do the DNS stuff, too, as their DNS page will help get it right. It will allow you to point to an external web server (recommended).

Put the web site elsewhere. Web serving is a bigger mess (and opportunity for malware) than email. Find a service that has a good reputation & use them. Some offer hosted Wordpress; the one I use is constantly updating the Wordpress system and the hooks to your website. Perfect? No. But tons better than hosting your own. If you do have a "contact me" link on your web page, turn on the CAPTCHA protection. As a user, I hate CAPTCHA because some of the pictures are so obtuse that you really can't tell and end up doing the process 2-3 times, but as a business owner, it's essential to keep the level of spam from the website down as much as possible.

Finally, any business that deals with private information or PII also needs a fully end-to-end encrypted email system to use. Consultants, accountants, any kind of financial stuff, and anything in the medical field (must also meet HIPAA) needs an encrypted solution. Basically anything that has confidential business information or PII needs it to prevent IP/identity theft. It's not just the transit piece that Nate mentions, it's also the end-user link. I like ProtonMail, but there are several other good solutions. Beware that some companies use DLP and other protection software that doesn't like end-to-end encryption.

For all these reasons, email has lost a lot of it's lustre. I personally prefer a good phone call, but also need email for those that still believe in it.

 

[tspear]

Thinking of WP and web sites. I have two friends that build websites for companies and maintain them.
Both have switched over to Webflow. It allows them to generate a static site; so many fewer issues to worry about it.
Note: above is the sum of my knowledge on Webflow. Never used it beyond a 15 minute demo.

Tim

 

[RJM62]

Likewise on Fastmail. They do a good job. Let them do the DNS stuff, too, as their DNS page will help get it right. It will allow you to point to an external web server (recommended).

Put the web site elsewhere. Web serving is a bigger mess (and opportunity for malware) than email. Find a service that has a good reputation & use them. Some offer hosted Wordpress; the one I use is constantly updating the Wordpress system and the hooks to your website. Perfect? No. But tons better than hosting your own. If you do have a "contact me" link on your web page, turn on the CAPTCHA protection. As a user, I hate CAPTCHA because some of the pictures are so obtuse that you really can't tell and end up doing the process 2-3 times, but as a business owner, it's essential to keep the level of spam from the website down as much as possible.

Finally, any business that deals with private information or PII also needs a fully end-to-end encrypted email system to use. Consultants, accountants, any kind of financial stuff, and anything in the medical field (must also meet HIPAA) needs an encrypted solution. Basically anything that has confidential business information or PII needs it to prevent IP/identity theft. It's not just the transit piece that Nate mentions, it's also the end-user link. I like ProtonMail, but there are several other good solutions. Beware that some companies use DLP and other protection software that doesn't like end-to-end encryption.

For all these reasons, email has lost a lot of it's lustre. I personally prefer a good phone call, but also need email for those that still believe in it.

I've thus far managed to avoid the necessity of CAPTCHA through some novel techniques that evaluate behavior more so than content. They're designed specifically to trap bots, as the great bulk of spam is robotic.

For example, a session is started and a temporary checkfile is created when the form page is loaded, containing various information about the browser, time, IP address and so forth. That file is stored in home/[user]/tmp/ and named using the PHP session id.

The form processor in turn looks for that file by its name whenever it is called. If the file is absent, the script dies and dumps the user on the success page without actually processing the mail. That way a human spammer (or a smart bot) will think they succeeded and stop trying.

If the file is present, the form processor does various evaluations, including comparing the time the page loaded to the time the form was submitted. If that time is too short for even a fast typist to have filled in the form, the script dies and dumps the user on the success page.

If it passes that stage, it looks for some other signs of spam, such as hyperlinks where they should never be; and also checks the IP against known recent spammers. If it finds enough signs of spam, the script dies and the user is dumped on the success page.

I tested and tweaked the script for about 10 years, tagging the mail rather than discarding it, to make sure I wasn't getting false positives. At this point, I get none, so I let it discard spam on sites that I own. (For clients, I give them a choice of discarding or tagging.) When allowed to discard the spam, the script also reduces server load because the vast majority of the robotic spammers are stopped early on because they either bypassed the form or submitted it too quickly.

I do get the occasional spam that slips through (false negatives), but we're talking about single digits in any given month. They're typically unwanted solicitations that were submitted by human spammers, generally SEO offers and the like. So they're semi-spam. It's an okay trade-off for trapping thousands of bots.

Rich

 

[weilke]

Is she using a web hosting service ? One way to get on the 'spam lists' is to have your domain hosted in the same IP range as that used by some high volume spammers. If you use one of those low-budget shared hosting services, your web server shows up with the same address as that of dozends of other domains.

 

[jsstevens]

One of our customers (US Gov) was expanding and diversifying their email servers (a few years ago). They were allocated a new static IP for a new email server by their ISP. Turned out to be on a black list. Depending on which email server the internal load balancing used to send email, we would either get the email, or it would be blocked as spam upstream from our email server. Our IT folks chased that one for a few days until we were able to work with theirs and figure it out. They got a new IP and the problem disappeared.

 

[RJM62]

One of our customers (US Gov) was expanding and diversifying their email servers (a few years ago). They were allocated a new static IP for a new email server by their ISP. Turned out to be on a black list. Depending on which email server the internal load balancing used to send email, we would either get the email, or it would be blocked as spam upstream from our email server. Our IT folks chased that one for a few days until we were able to work with theirs and figure it out. They got a new IP and the problem disappeared.

I estimate that 80 to 90 percent of IP addresses I've acquired came with bad reps. Except for Verizon, getting off the lists is usually pretty easy.

Verizon basically never takes an IP off the list. However, BellSouth and AT&T use the same list, and either can and will remove an IP if the situation is explained and they're asked nicely.

Rich

 

[jsstevens]

I estimate that 80 to 90 percent of IP addresses I've acquired came with bad reps. Except for Verizon, getting off the lists is usually pretty easy.

Verizon basically never takes an IP off the list. However, BellSouth and AT&T use the same list, and either can and will remove an IP if the situation is explained and they're asked nicely.

Rich

We've had to do that with our IPs a few times. It's not too hard once you know what's going on. In this case, we didn't own the IP and the owner kept telling us the problem was on our end because we got some emails from them and not others. It took a fair amount of log diving to figure out that all of their (8 IIRC) email servers could send to us except one. (I'm not the IT people, I'm the CTO who they report too and this is how it was explained to me.)

Anyway, the point being if your IP has moved recently, it may not be your behavior that got you on the spam list.

 

[RJM62]

We've had to do that with our IPs a few times. It's not too hard once you know what's going on. In this case, we didn't own the IP and the owner kept telling us the problem was on our end because we got some emails from them and not others. It took a fair amount of log diving to figure out that all of their (8 IIRC) email servers could send to us except one. (I'm not the IT people, I'm the CTO who they report too and this is how it was explained to me.)

Anyway, the point being if your IP has moved recently, it may not be your behavior that got you on the spam list.

That's one of the reasons I unsubscribed from an upstream mail scanner I'd been using. It provided minimal improvement over the resident scanner (SpamAssassin with a few customizations), but greatly complicated troubleshooting incoming non-delivery issues because the mail never hit my servers.

What I replaced it with morphed into a network of servers that share an RBL database of my own making. It stores all the spammer IP's (along with the IP's of other bad actors) in a database, which is shared between the servers (and others) and imported into CSF every hour. Rehabilitated IP's are automatically removed from the database between 48 and 72 hours after the most recent bad act.

In addition to spammer IP's, it also adds any IP deny event initiated by CSF (for example, hits on 3389 or other commonly-abused ports), as well as hits on non-existent CMS login pages (for example, wp-login.php or xmlrpc.php on a non-WordPress site). Thresholds are set from 1 to 10 depending on the likelihood of innocent error.

Finally, all of the malicious IP addresses are automatically shared with AbuseIPDB. My page is here. Although I've been a member since 2015, most of the IP's were reported within the past year, when I automated the reporting scripts.

Being semi-retired gives me time to do this sort of thing.

Rich

 

[denverpilot]

One of our customers (US Gov) was expanding and diversifying their email servers (a few years ago). They were allocated a new static IP for a new email server by their ISP. Turned out to be on a black list. Depending on which email server the internal load balancing used to send email, we would either get the email, or it would be blocked as spam upstream from our email server. Our IT folks chased that one for a few days until we were able to work with theirs and figure it out. They got a new IP and the problem disappeared.

Had that happen once at a multi-homed multi-ISP data center.

Was an entire Class C block.

Apparently Verio gave us the entire IP block from a spammer they tossed off their backbone.

Customers were kinda ticked. Haha.

We had so many IPs we just gave them another one and often a block of them for free just to be nice, if they wanted them.

And by saying it was Verio, that dates how long ago it was. LOL