Solved

Client tagged as spam

Posted on 2014-04-24
11
372 Views
Last Modified: 2014-07-05
I went through this question in an earlier stage of this problem and unfortunately did not get the help I needed. The issue is back and I'm taking a second stab at this. However, maybe some new eyes can look at it and generate some helpful hints.

I have a client that has a serious email issue. Their outbound email is being tagged as spam. It's ending up in quarantines, junk mail folders or in some cases dropped or generating NDRs.

We have changed the client's outbound domain name twice in an effort to resolve it. Every time we change the domain it improves for a month or two. However, in both instances it has come back.

Initially the client was on Office365 when we noticed the problem. In an effort to troubleshoot this problem we moved them to Intermedia as their hosted mail provider. The problem followed them there.

Their outbound failures are not seen everywhere. They can get through to 80-90% of their recipients. However, recipients hosted on GoDaddy, Comcast, Verizon, MRIS to name a few, as well as those that use McAfee as their anti-spam, are not cleanly receiving their mail.

The problem is it's difficult to see if an IP is on a blacklist. Both O365 and Intermedia have numerous sender IPs. I have looked at several messages that were successfully delivered, even those caught in quarantine. When checking mxtoolbox and blacklistalerts, the IP usually isn't listed anywhere.

I had Intermedia send me a week's worth of outbound mail and looked through it myself. I noticed only two messages in a week's time that had more than 20 recipients. Neither of those two look egregious. Now this is a mortgage company, so most of the other mail looked legit, but it is hard to determine from just a subject line.

So we turned our attention to the organizations blocking the mail to see if they could shed some light. This was a very difficult task as these companies don't want to share information that might clue me into how their systems work. I pulled every resource available to me to try and get to the correct people at McAfee/MXLogic. The only thing I learned is MXL reports that 40% of this client's mail is being tagged as spam by users. 40%! That seems extremely high. Based on what I saw from their outbound logs I don't see how 40% is coming from Intermedia. But no organization blocking their mail will share why they are blocking. Or at least they will not give me an example of an offending message, so I can see the headers and where it is coming from.

The only other oddity to this client is that this client's old IT service provider hosted this system on their in-house Exchange. The client is worried that this old service provider is either intentionally or inadvertently causing this problem. Without a smoking gun I can't rule this possibility out. However, the most recent outbound domain we created for this client is brand new. It was never previously used or known by the old service provider. So if they were sending out spam as the old domain name of this client, you would think that would not affect the new outbound domain.

This is a mortgage company, so the content of their legit mail may at times cover subjects that are the subject of spam. However, most of what I saw from their outbound logs looks like the majority of their mail is sent to specific users and covers specific loans. I did not see much in the way of generic emails. But I could only see the subject, not the content of the messages.

I could go on and on and am willing to do so if someone is interested to hear what we have tried and what we "think" we have ruled out. However, without the smoking gun, without an example of a message that was tagged as spam, I am completely in the dark.

So I guess my question is this. If all these major mail organizations (hosts and spam filters) are keeping the curtain to the wizard tightly drawn, then how do I find out why this client is being targeted? How can I find that smoking gun email? MXL at one point mentioned ISP reports. I'm not entirely clear on what an ISP report is nor how it's used.

The client doesn't send mail from their local LAN. However, I checked the IPs on their local LAN and none of those are listed on blacklists either.

Can a company name be blacklisted in some way? I'm looking for similarities. All domains are hosted by Network Solutions under the same account.

Even though their SPF is clearly set, is it possible someone else is sending out spam as them? Would this spammer need their current sender domain to affect them in this way?

I specifically asked the client not to tell anyone they had changed their outbound domain. I was very clear on this so I doubt they told anyone of the change, although an email-savvy user might have noticed on their own.

I am looking for ideas. Particularly ideas on how to get my hands on one of these offending email messages. MXL claims they don't keep them.

Sorry for the long-windedness. This has been an ongoing battle since January.
11 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40020282
The fact that moving hosting providers doesn't resolve the problem sounds to me that the problem lies more in what is being sent, rather than from where it is being sent.

If the recipients are marking the emails as spam, then is the company sending the emails following best practices in as much as allowing an unsubscribe option in the emails?

An alternative to sending emails out via their own servers is to send out via a 3rd party mailing solution such as MailChimp; then if the senders flag the emails as spam, it shouldn't affect their regular mails sent out that aren't marketing emails.

If you want some actual eyes on the potential problems, please have them send a test email to testmail @ sohomail.co.uk and let me know when one has been send so I can look out for it.

Thanks

Alan
0
 
LVL 9

Expert Comment

by:stu29
ID: 40020383
You have ruled out originating IP and domain name, so I would be tempted to rule out you being blacklisted. So it sounds like content. Send an email to stest at elcocorp.com and I will take a look also.
0
 
LVL 1

Author Comment

by:tw525
ID: 40020520
I appreciate the offers to send test messages. I very well may take you up. However, we noticed something on this most recent go-around. Things were running fine and then all of a sudden a chain of three messages got stuck in quarantine. The first message in that chain had a www link to the previous domain name. Everyone after that responded to the message and had that link in it.

I believe it was that link that got the message caught in the spam filter. I will investigate and update you all.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40020551
No problems - I'm here as and when you are ready.

Alan
0
 
LVL 7

Expert Comment

by:Steve
ID: 40020569
Seems like you've been through a bunch with this and I can sympathise. We got blacklisted once and, talking to the powers that be, it feels like a convicted bank robber asking a bank about their safe. Good luck...

I have had problems where emails were being rejected or marked as spam because the reverse lookup on the domain name did not match the sending domain name's IP address.
Just a thought...
0
 
LVL 1

Author Comment

by:tw525
ID: 40021169
Sodea,

Good thought on the rDNS. Since the client uses Intermedia, and O365 before that, wouldn't rDNS be set up on their side, with their ISP?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40021333
rDNS is down to the provider and as you are hosted, this is something they will have set up (unless they are completely crap), and O365 isn't going to have that problem, so I wouldn't expect that to be the problem at all.
0
 
LVL 7

Expert Comment

by:Steve
ID: 40022573
We used in-house software (ActiveCampaign) and never used O365 or Intermedia, so you would have to look into how they set that up.
You mention changing domain names but said that they were all with the same provider; did you change your IP address with each domain change?

Even if you have everything completely correct from a technical standpoint, the mass email game is always a delicate balance on the line, and a poorly constructed email will kill you as easily as any technical problem. You may want to see if you can get a sample of some of the emails being sent. See if you can find, or get a look at, the settings or 'filter' settings in some of the major spam filtering software and compare with the emails.
0
 
LVL 1

Accepted Solution

by:
tw525 earned 0 total points
ID: 40168062
So just a recap,

Client switched to a 3rd domain name, only this time did not inform anyone (clients, recipients, vendors) of the change. So far, knock on wood, the problem has not come up again. We never found a smoking gun, which I absolutely hate. However, we poured so many man hours into trying to find the problem and ultimately ran into too many large anti-spam providers not wanting to give any clue as to what was going on behind the curtain.

I did however find out that we were incorrect in the assumption that their 2nd domain name was completely brand new. As is typical, clients have a primary domain name and then reserve several other similar-sounding domain names and just redirect to the primary domain. While I had asked the client to pick a completely new domain name, they actually just gave me one they already owned and had been reserved for a while. Not that that is a huge deal, but when you're dealing with such a difficult-to-troubleshoot issue and you take steps to eliminate potential problems, well, we thought the 2nd domain name was completely new and with that assumption ruled out several options, which ultimately wasted time once we found out and had to throw out the test. The last domain name change we made it undeniably clear that we needed a brand new, completely fresh domain name and so far this has resolved the issue.

The idea that someone targeted this organization, while improbable, could never be ruled out.
0
 
LVL 1

Author Closing Comment

by:tw525
ID: 40177714
At the end of the day we never found a smoking gun for this issue. We simply found a solution/workaround. I would still love to hear options if anyone ever finds a way to evaluate why a legit organization is targeted as spam. Feels like my client was tried and convicted without ever seeing an ounce of evidence. Not that we would argue it, but if we could see what was being marked as spam, see the header and originating IPs, we could better understand why their domain name was tarnished.

To this day if you even include one of their previous two domain names in your signature or the body of the message, it's tagged as spam. I've never seen anything like it before. Would appreciate finding that smoking gun for my own personal knowledge should anyone read this and have some helpful suggestions.
0
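The three checks the thread keeps circling back to (pulling the originating IP out of a quarantined message's Received: headers, querying that IP against DNS blacklists, and Steve's reverse-DNS mismatch) as an added Python example that is not part of this thread or any participant's code; the header block, DNSBL zone names and resolver tables are constructed stand-ins so it runs offline.

```python
import ipaddress
import re

# Constructed sample header block (not from the thread). Relays prepend their
# Received: line, so the bottom-most one is the hop closest to the sender.
SAMPLE_HEADERS = """\
Received: from mx.recipient.test (mx.recipient.test [198.51.100.7])
    by inbound.recipient.test; Thu, 24 Apr 2014 10:02:11 -0400
Received: from outbound.hosted-mail.test (outbound.hosted-mail.test [203.0.113.25])
    by mx.recipient.test; Thu, 24 Apr 2014 10:02:10 -0400
From: loans@newdomain.test
Subject: Loan documents
"""
DNSBL_ZONES = ["dnsbl-one.example", "dnsbl-two.example"]  # placeholder zones

RECEIVED_RE = re.compile(r"^Received: from (\S+) \((?:[^\s\[]+ )?\[([0-9.]+)\]", re.M)

def originating_hop(headers):
    """Return (helo_name, ip) of the earliest hop, or None if no IP is recorded."""
    hops = RECEIVED_RE.findall(headers)
    return hops[-1] if hops else None

def dnsbl_query_names(ip, zones):
    """Reverse the octets and append each zone: the name form DNSBLs are queried with."""
    rev = ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))
    return [f"{rev}.{zone}" for zone in zones]

def fcrdns_ok(ip, resolve_ptr, resolve_a):
    """Forward-confirmed reverse DNS: some PTR name of ip must resolve back to ip."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))

def assess(headers, zones, resolve_ptr, resolve_a, dnsbl_listed):
    """Combine the three checks for the originating hop of one message."""
    hop = originating_hop(headers)
    if hop is None:
        return {"error": "no Received: line with a bracketed IP"}
    helo, ip = hop
    return {"ip": ip, "helo": helo,
            "fcrdns": fcrdns_ok(ip, resolve_ptr, resolve_a),
            "listed": [q for q in dnsbl_query_names(ip, zones) if dnsbl_listed(q)]}

# Constructed stand-in resolvers so the example runs offline. For live checks use
# socket.gethostbyaddr (PTR), socket.gethostbyname_ex (A) and an A lookup of each
# DNSBL query name, where NXDOMAIN means "not listed".
PTR = {"203.0.113.25": ["outbound.hosted-mail.test"]}
A = {"outbound.hosted-mail.test": ["203.0.113.25"]}
LISTED = {"25.113.0.203.dnsbl-two.example"}

def demo():
    return assess(SAMPLE_HEADERS, DNSBL_ZONES,
                  lambda ip: PTR.get(ip, []), lambda n: A.get(n, []), LISTED.__contains__)
```

Against the constructed data `demo()` reports the hosted provider's outbound IP, a passing forward-confirmed rDNS check, and one DNSBL listing, which is the evidence the thread says the filtering vendors would not hand over.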
