Client tagged as spam
Posted on 2014-04-24
I went through this question in an earlier stage of this problem and unfortunately did not get the help I needed. The issue is back and I'm taking a second stab at this. However, perhaps some new eyes can look at it and generate some helpful hints.
I have a client that has a serious email issue. Their outbound email is being tagged as spam. It's ending up in quarantines or junk mail folders, or in some cases being dropped or generating NDRs.
We have changed the client's outbound domain name twice in an effort to resolve it. Every time we change the domain it improves for a month or two. However, in both instances it has come back.
Initially the client was on Office365 when we noticed the problem. In an effort to troubleshoot this problem we moved them to Intermedia as their hosted mail provider. The problem followed them there.
Their outbound failures are not seen everywhere. They can get through to 80-90% of their recipients. However, recipients hosted on GoDaddy, Comcast, Verizon, MRIS, to name a few, as well as those that use McAfee as their anti-spam, are not cleanly receiving their mail.
The problem is it's difficult to see if an IP is on a blacklist. Both O365 and Intermedia have numerous sender IPs. I have looked at several messages that were successfully delivered, even those caught in quarantine. When checking mxtoolbox and blacklistalerts, the IP usually isn't listed anywhere.
I had Intermedia send me a week's worth of outbound mail and looked through it myself. I noticed only two messages in a week's time that had more than 20 recipients. Neither of those two looks egregious. Now this is a mortgage company, so most of the other mail looked legit, but it is hard to determine from just a subject line.
So we turned our attention to the organizations blocking the mail to see if they could shed some light. This was a very difficult task as these companies don't want to share information that might clue me into how their systems work. I pulled every resource available to me to try and get to the correct people at McAfee/MXLogic. The only thing I learned is MXL reports that 40% of this client's mail is being tagged as spam by users. 40%! That seems extremely high. Based on what I saw from their outbound logs I don't see how 40% is coming from Intermedia. But no organization blocking their mail will share why they are blocking. Or at least they will not give me an example of an offending message, so I can see the headers and where it is coming from.
The only other oddity to this client is that this client's old IT service provider hosted this system on their in-house Exchange. The client is worried that this old service provider is either intentionally or inadvertently causing this problem. Without a smoking gun I can't rule this possibility out. However, the most recent outbound domain we created for this client is brand new. It was never previously used or known by the old service provider. So if they were sending out spam as the old domain name of this client, you would think that would not affect the new outbound domain.
This is a mortgage company, so the content of their legit mail may at times cover subjects that are the subject of spam. However, most of what I saw from their outbound logs looks like the majority of their mail is sent to specific users and covers specific loans. I did not see much in the way of generic emails. But I could only see the subject, not the content of the messages.
I could go on and on and am willing to do so if someone is interested to hear what we have tried and what we "think" we have ruled out. However without the smoking gun, without an example of a message that was tagged as spam, I am completely in the dark.
So I guess my question is this. If all these major mail organizations (hosts and spam filters) are keeping the curtain to the wizard tightly drawn, then how do I find out why this client is being targeted? How can I find that smoking gun email? MXL at one point mentioned ISP reports. I'm not entirely clear on what an ISP report is nor how it's used.
The client doesn't send mail from their local LAN. However, I checked the IPs on their local LAN and none of those are listed on blacklists either.
Can a company name be blacklisted in some way? I'm looking for similarities. All domains are hosted by Network Solutions under the same account.
Even though their SPF is clearly set, is it possible someone else is sending out spam as them? Would this spammer need their current sender domain to affect them in this way?
I specifically asked the client not to tell anyone they had changed their outbound domain. I was very clear on this, so I doubt they told anyone of the change, although an email-savvy user might have noticed on their own.
I am looking for ideas. Particularly ideas on how to get my hands on one of these offending email messages. MXL claims they don't keep them.
Sorry for the long-windedness. This has been an ongoing battle since January.
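The post describes the difficulty of checking every sender IP a hosted provider uses against blacklists. The script below, an added example rather than anything from the poster or the providers named, walks a domain's SPF record (ip4: and include: mechanisms) to enumerate the permitted sender addresses and checks each against DNSBL zones using the standard reversed-octet query. The domain, SPF records and DNSBL zone are constructed placeholders, and the lookups are injected as functions so the example runs offline; in real use they would be plain DNS TXT and A queries (for example with dnspython).

```python
import ipaddress

# Constructed SPF records for a placeholder domain (not the poster's real domain).
SAMPLE_SPF = {
    "example-mortgage.test": "v=spf1 ip4:203.0.113.0/30 include:spf.provider.test -all",
    "spf.provider.test": "v=spf1 ip4:198.51.100.7 ~all",
}
# Constructed DNSBL answers: a listing is an A record under the zone, here for 198.51.100.7.
SAMPLE_DNSBL = {"7.100.51.198.dnsbl.example.test": "127.0.0.2"}


def spf_networks(domain, txt_lookup, depth=0):
    """Flatten the ip4: and include: mechanisms of a domain's SPF record into
    IPv4 networks. txt_lookup(name) returns the SPF TXT string or None.
    The depth cap loosely mirrors RFC 7208's limit of 10 DNS-querying terms."""
    if depth > 10:
        return set()
    record = txt_lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= spf_networks(term[8:], txt_lookup, depth + 1)
    return nets


def dnsbl_name(ip, zone):
    """Build the reversed-octet DNSBL query name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_senders(domain, zones, txt_lookup, a_lookup):
    """Return {ip: [zones]} for every SPF-permitted address that some zone lists.
    a_lookup(name) returns the A record string or None (no listing)."""
    hits = {}
    for net in spf_networks(domain, txt_lookup):
        if net.prefixlen < 24:
            continue  # too large to enumerate; check the IPs seen in headers instead
        for ip in net:
            for zone in zones:
                if a_lookup(dnsbl_name(ip, zone)) is not None:
                    hits.setdefault(str(ip), []).append(zone)
    return hits


if __name__ == "__main__":
    print(listed_senders("example-mortgage.test", ["dnsbl.example.test"],
                         SAMPLE_SPF.get, SAMPLE_DNSBL.get))
```

The output names only the listed address and the zone that lists it, which is the starting point for a delisting request; an empty result, as the poster saw, means the blocking is reputation- or content-based rather than a public blacklist hit.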