VPS e-mails don't arrive at Hotmail and AOL accounts

Carlo

New Email
Hello,

Today I discovered that e-mails sent from my VPS/hosted domains don't arrive at Hotmail, Outlook and AOL accounts.

I did a blacklist check and I'm not listed (my VPS seems OK).

I checked on senderscore.org and today my VPS's reputation went down.

I see that there are 2 parameters that are red, as you can see in the attached image.
shot.jpg


And I see that in the "sending domain" there are some real domains hosted on my vps, and some other domains that are absolutely not hosted...

I analyzed the MailEnable SMTP logs and I can only see legitimate e-mails from legitimate domains and customers.

It's a really strange and new thing for me... What could it be?

Thanks in advance,

Carlo
 

EQ Admin

EQ Forum Admin
Staff member
Hi Carlo,

Checking the mail logs is good. You'll also want to check your web server logs, most likely for POSTs that don't make sense.

It's also possible that your server is not the source of the problem. If you're on a shared server, another customer with the same IP address could be the source of the spam.

PS: I think it's excellent that you're already aware of sender scores!
 

Carlo

New Email
Hello popowich, thank you for your fast reply and for your kindness!

I've checked for viruses and malware scripts (usually PHP) in all the website folders with an antivirus, but they turned out virus-free, and in that case I should see a strange increase in outgoing SMTP mail (for example, for a single hacked WordPress website, in the past, 3000 e-mails were sent in only one night!).

Moreover, I suppose I would also see the sent spam mails in the SMTP log (usually they appear as sent from the main Plesk address postmaster@mydomaincompany.biz).

My VPS is a private VPS with a private IP (I suppose), so I'm not on a shared one! So strange...
 

EQ Admin

EQ Forum Admin
Staff member
My VPS is a private VPS with a private IP (I suppose), so I'm not on a shared one! So strange...

Have you confirmed with your service provider that you have a dedicated IP address? It's good to be sure of that before spending too much time checking your server.

Do you mind sharing your IP address so I can check in more detail? Please feel free to reply to the welcome message in the private conversations if you don't want to reply with that info in a public post.
 

Carlo

New Email
As I said in PM, the IP is dedicated. I see that now the only parameter reported by senderscore is: Unknown Users. I also see that in the Plesk panel I had never set a catch-all address for e-mails (spam or not) sent to nonexistent users/nonexistent hosted e-mail accounts, so my VPS replies with an error message to these spammers/people that try to send e-mails to nonexistent users. Is it possible that a large number of error reply messages from my VPS to nonexistent users could be treated as "unknown users" e-mail sending?

I don't know if it is clear.

Does a catch-all address have to be set for every domain to increase reputation?

Now I'm setting a single postmaster@mysocietyname.biz catch-all address for all the hosted domains. Is it a good idea?

Thanks again,

Carlo
 

EQ Admin

EQ Forum Admin
Staff member
I checked why the strange domains are listed in the sending domains section! There was a forward on an e-mail account that automatically forwards incoming e-mail of an account to an external account. I see in the log that in the forward action, the original e-mail keeps the original detestation (for example, if the email comes from info@en-adv.com, it will be forwarded to the external account keeping the original sender address). I deactivated the forward function for this email account and I'll contact my customer.

The solution to this problem was that the mail server owner found a forward that was causing the poor reputation.

There was an email address with forwarding enabled, and the spam email was passing through that email address back out to a big email service provider.

It seems strange to me that a single email address could cause that much damage, but the sender score did fix itself after the forwarding was disabled.

@Carlo is the problem still resolved?
 

Carlo

New Email
Hello popowich, yes, Hotmail doesn't blacklist me anymore, and the senderscore is now 89, but senderscore's unknown users parameter changed from 'high' to 'moderate', and from 'moderate' to 'high' again. I can't understand why, because I disabled the only mail forward and I'm still checking the outgoing queue, but all sent e-mails are legitimate and go to real recipients. So I will keep checking the outgoing queue and monitoring the situation.
 

EQ Admin

EQ Forum Admin
Staff member
Are you checking the mail logs too? Do you see "unknown user" types of error messages in your outgoing mail logs?
 

EQ Admin

EQ Forum Admin
Staff member
It's also possible that there is old feedback still coming in. Not everyone reads their email right away. Sometimes spam complaints are made weeks after the email was actually received.

As long as the sender score stays good, and you don't see any trouble in your mail logs, I wouldn't worry too much about the other metrics being reported.
 

Carlo

New Email
The only thing that is making me think is the fact that for a lot of domains I haven't set a catch-all e-mail address yet, and so MailEnable is responding with a delivery error e-mail message for every e-mail directed to a non-existent mail user.
 

EQ Admin

EQ Forum Admin
Staff member
A possible problem you're explaining is called backscatter.

It's good if your server returns a 5xx code before accepting an email for an unknown user. It's bad if your email server accepts an email and later decides to create a bounce message.

The reason is that the From/Reply-To can't be trusted and it can cause spam and bounces to be sent to innocent 3rd parties that didn't actually send the original email.

What you're looking for is to make sure that you have "valid recipient checking" enabled in your SMTP server. The wording for that feature is a little different between MTAs.

I doubt this is the problem though, since you'd show up on the backscatter RBLs and your sender score would suffer if this was happening.
 
Last edited:
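The difference described above between rejecting at RCPT time and accepting a message that is bounced later, as an added example that is not part of the original thread. The log format, the addresses and `VALID_MAILBOXES` are constructed for illustration and are not MailEnable's real log format; one recipient per session is assumed.

```python
import re

# Constructed sample in a simplified, made-up format (NOT MailEnable's):
# "<session> <IN|OUT> <SMTP line>"; IN = session we received, OUT = mail we sent.
SAMPLE_LOG = """\
s1 IN MAIL FROM:<forged@victim.example>
s1 IN RCPT TO:<nobody@hosted.example>
s1 IN 550 5.1.1 User unknown
s2 IN MAIL FROM:<alice@partner.example>
s2 IN RCPT TO:<info@hosted.example>
s2 IN 250 OK
s3 IN MAIL FROM:<forged@victim.example>
s3 IN RCPT TO:<ghost@hosted.example>
s3 IN 250 OK
s4 OUT MAIL FROM:<>
s4 OUT RCPT TO:<forged@victim.example>
"""
VALID_MAILBOXES = {"info@hosted.example"}  # assumed list of real local accounts
ADDR = re.compile(r"^(MAIL FROM|RCPT TO):<([^>]*)>", re.I)

def audit(log_text, valid=VALID_MAILBOXES):
    """Classify how unknown recipients were handled and find resulting bounces."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        sid, kind, smtp = parts
        s = sessions.setdefault(sid, {"kind": kind, "from": None, "rcpt": None, "code": 0})
        m = ADDR.match(smtp)
        if m:
            key = "from" if m.group(1).upper() == "MAIL FROM" else "rcpt"
            s[key] = m.group(2).lower()
        elif smtp[:3].isdigit() and s["rcpt"] is not None:
            s["code"] = int(smtp[:3])  # server reply to the RCPT TO command
    rejected, accepted_unknown = [], []
    for s in sessions.values():
        if s["kind"] != "IN" or s["rcpt"] is None or s["rcpt"] in valid:
            continue
        if 500 <= s["code"] < 600:      # good: refused before accepting the mail
            rejected.append(s["rcpt"])
        elif 200 <= s["code"] < 300:    # bad: accepted mail for an unknown user
            accepted_unknown.append((s["rcpt"], s["from"]))
    exposed = {sender for _, sender in accepted_unknown}
    # A bounce uses the null sender <> and goes to the untrusted envelope sender.
    bounces = [s["rcpt"] for s in sessions.values()
               if s["kind"] == "OUT" and s["from"] == "" and s["rcpt"] in exposed]
    return {"rejected_at_rcpt": rejected, "accepted_unknown": accepted_unknown,
            "backscatter_bounces": bounces}
```

Any entry under `accepted_unknown` means recipient validation did not happen during the SMTP session; entries under `backscatter_bounces` are the bounce messages that followed.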

unlocktheinbox

Unlock The Inbox
Carlo,

Sometimes there are bad senders on your CIDR /24 range. What I mean is that your hosting company issues the address 198.0.1.10 to a spammer and issues you 198.0.1.11. The spammer on 198.0.1.10 can affect you. You should test the entire range 198.0.1.XXX, as a lot of places will reject the entire range. If you find anyone in the range on a bunch of blacklists, report them to your provider. Most serious email senders will pay for a monitoring service and monitor the entire range, not just their own IP.

In addition, there are a lot of different RFCs and postmaster guidelines that need to be followed. I built a tool that displays some of the information for free; you can read about the tool here.
 
Last edited by a moderator:

Carlo

New Email
OK, I got it. I will check and I will take the suggested measures!

Thank you a lot for all this new information!
 