

Client tagged as spam

Posted on 2014-04-24
Medium Priority
Last Modified: 2014-07-05
I went through this question in an earlier stage of this problem and unfortunately did not get the help I needed.  The issue is back and I'm taking a second stab at this.  However some new eyes look at it and can generate some helpful hints.  

I have a client that has a serious email issue.  Their outbound email is being tagged as spam.  It's ending up in quarantines, junk mail folders or in some cases dropped or generates NDRs.    

We have changed the client's outbound domain name twice in an effort to resolve.  Every time we change the domain it improves for a month or two.  However, in both instances it has come back.

Initially the client was on Office365 when we noticed the problem.  In an effort to troubleshoot this problem we moved them to Intermedia as their hosted mail provider.  The problem followed them there.

Their Outbound failures are not seen everywhere.  They can get through to 80-90% of their recipients.  However recipients hosted on GoDaddy, Comcast, Verizon, MRIS to name a few, as well as those that use McAfee as their anti spam are not cleanly receiving their mail.

The problem is it's difficult to see if an IP is on a blacklist.  Both O365 and Intermedia have numerous sender IPs.  I have looked at several messages that were successfully delivered, even those caught in quarantine.  When checking mxtoolbox and blacklistalerts, the IP usually isn't listed anywhere.

I had Intermedia send me a week's worth of outbound mail and looked through it myself.  I noticed only two messages in a week's time that had more than 20 recipients.  Neither of those two look egregious.  Now this is a mortgage company, so most of the other mail looked legit, but is hard to determine from just a subject line.

So we turned our attention to the organizations blocking the mail to see if they could shed some light.  This was a very difficult task as these companies don't want to share information that might clue me into how their systems work.  I pulled every resource available to me to try and get to the correct people at McAfee/MXLogic.  The only thing I learned is MXL reports that 40% of this client's mail is being tagged as spam by user.  40%!  That seems extremely high.  Based on what I saw from their outbound logs I don't see how 40% is coming from Intermedia.  But no organization blocking their mail will share why they are blocking.  Or at least they will not give me an example of an offending message, so I can see the headers and where it is coming from.

The only other oddity to this client is that this client's old IT service provider hosted this system on their in-house Exchange.  The client is worried that this old service provider is either intentionally or inadvertently causing this problem.  Without a smoking gun I can't rule this possibility out.  However the most recent outbound domain we created for this client is brand new.  It was never previously used or known by the old service provider.  So if they were sending out spam as the old domain name of this client, you would think that would not affect the new outbound domain.

This is a mortgage company, so the content of their legit mail may at times cover subjects that are the subject of spam.  However most of what I saw from their outbound logs looks like the majority of their mail are sent to specific users and cover specific loans.  I did not see much in the way of generic emails.  But I could only see the subject, not the content of the messages.

I could go on and on and am willing to do so if someone is interested to hear what we have tried and what we "think" we have ruled out.  However without the smoking gun, without an example of a message that was tagged as spam, I am completely in the dark.

So I guess my question is this.  If all these major mail organizations (hosts and spam filters) are keeping the curtain to the wizard tightly drawn, then how do I find out why this client is being targeted?  How can I find that smoking gun email?  MXL at one point mentioned ISP reports.  I'm not entirely clear on what an ISP report is nor how it's used.

The client doesn't send mail for their local LAN.  However I checked the IPs on their local LAN and none of those are listed on blacklists either.

Can a company name be blacklisted in some way?  I'm looking for similarities.  All domains are hosted by Network Solutions under the same account.  

Even though their SPF is clearly set, is it possible someone else is sending out spam as them?  Would this spammer need their current sender domain to affect them in this way?

I specifically asked the client not to tell anyone they had changed their outbound domain.  I was very clear on this so I doubt they told anyone of the change, although an email-savvy user might have noticed on their own.

I am looking for ideas.  Particularly ideas on how to get my hands on one of these offending email messages.  MXL claims they don't keep them.

Sorry for the long windedness.  This has been an on going battle since January.
Question by:tw525
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40020282
The fact that moving hosting providers doesn't resolve the problem sounds to me that the problem lies more in what is being sent, rather than from where it is being sent.

If the recipients are marking the emails as spam, then is the company sending the emails following best practices in as much as allowing an unsubscribe option in the emails?

An alternative to sending emails out via their own servers is to send out via a 3rd party mailing solution such as mailchimp, then if the senders flag the emails as spam, it shouldn't affect their regular mails sent out that aren't marketing emails.

If you want some actual eyes on the potential problems, please have them send a test email to testmail @ sohomail.co.uk and let me know when one has been sent so I can look out for it.



Expert Comment

ID: 40020383
You have ruled out originating IP and domain name so I would be tempted to rule out you being blacklisted.  So sounds like content.  Send an email to stest at elcocorp.com and I will take a look also.

Author Comment

ID: 40020520
I appreciate the offers to send test messages.  I very well may take you up.  However we noticed something on this most recent go around.  Things were running fine and then all the sudden three a chain of messages got stuck in quarantine.  The first message in that chain had a www link to the previous domain name.  Everyone after that responded to the message and had that link in it.

I believe it was that link that got the message caught in the spam.  I will investigate and update you all.

LVL 76

Expert Comment

by:Alan Hardisty
ID: 40020551
No problems - here as and when you are ready.


Expert Comment

ID: 40020569
Seems like you've been through a bunch with this and I can sympathise. We got blacklisted once and talking to the powers that be, it feels like a convicted bank robber asking a bank about their safe. Good luck...

I have had problems where emails were being rejected or marked as spam because the reverse lookup on the domain name did not match the sending domain name's IP address.
Just a thought...

Author Comment

ID: 40021169

Good thought on the rDNS.  Since the client uses Intermedia and O365 before that.  Wouldn't rDNS not be setup on their side, with their ISP?
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40021333
rDNS is down to the provider and as you are hosted - this is something they will have setup (unless they are completely crap) and O365 isn't going to have that problem, so I wouldn't expect that to be the problem at all.

Expert Comment

ID: 40022573
We used in-house software (ActiveCampaign) and never used O365 or Intermedia so you would have to look into how they set that up.
You mention changing domain names but said that they were all with the same provider, did you change your IP address with each domain change?

Even if you have everything completely correct from a technical standpoint, the mass email game is always a delicate balance on the line and a poorly constructed email will kill you as easy as any technical problem. You may want to see if you can get a sample of some of the emails being sent. See if you can find, or get a look at the settings or 'filter' settings in some of the major spam filtering software and compare with the emails.

Accepted Solution

tw525 earned 0 total points
ID: 40168062
So just a recap,

Client switched to a 3rd domain name, only this time did not inform anyone (clients, recipients, vendors) of the change.  So far, knock on wood, the problem has not come up again.  We never found a smoking gun, which I absolutely hate.  However we poured so many man hours in trying to find the problem and ultimately ran into too many large anti-spam providers not wanting to give any clue as to what was going on behind the curtain.

I did however find out that we were incorrect in the assumption that their 2nd domain name was completely brand new.  As is typical clients have a primary domain name and then reserve several other similar sounding domain names and just redirect to the primary domain.  While I had asked the client to pick a completely new domain name they actually just gave me one they already owned and had been reserved for a while.  Not that that is a huge deal, but when you're dealing with such a difficult-to-troubleshoot issue and you take steps to eliminate potential problems, well we thought the 2nd domain name was completely new and with that assumption ruled out several options, which ultimately wasted time once we found out and had to throw out the test.  The last domain name change we made it undeniably clear that we needed a brand new completely fresh domain name and so far this has resolved the issue.

The idea that someone targeted this organization, while improbable, could never be ruled out.

Author Closing Comment

ID: 40177714
At the end of the day we never found a smoking gun for this issue.  We simply found a solution/work around.  I would still love to hear options if anyone ever finds a way to evaluate why a legit organization is targeted as spam.  Feels like my client was tried and convicted without ever seeing an ounce of evidence.  Not that we would argue it, but if we could see what was being marked as spam, see the header and originating IPs we could better understand why their domain name was tarnished.

To this day if you even include one of their previous two domain names in your signature or the body of the message, it's tagged as spam.  I've never seen anything like it before.  Would appreciate finding that smoking gun for my own personal knowledge should anyone read this and have some helpful suggestions.
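
Added example, not part of the original thread: the author reports that a quoted www link to a previous domain got a reply chain quarantined, and that any mention of the two old domains still triggers filtering. A pre-send check for that condition could look like the sketch below; the domain names and the sample message are constructed placeholders, since the thread never names the real domains.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlsplit

# Constructed placeholders: the thread does not name the client's domains.
RETIRED_DOMAINS = {"old-lender.example", "old-lender-mail.example"}

# Constructed sample: a reply that still quotes links to retired domains.
SAMPLE = """\
From: Loan Officer <officer@new-lender.example>
To: borrower@customer.example
Subject: RE: Closing documents

Documents attached.

> Apply online at http://www.old-lender.example/apply
> or visit WWW.Old-Lender-Mail.example. today.
"""

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"')]+""", re.I)
ADDR_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def _is_retired(host):
    # Match the retired domain itself or any subdomain, never a lookalike suffix.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RETIRED_DOMAINS)

def find_retired_references(raw):
    """Return sorted (location, host) pairs where a retired domain appears."""
    msg = message_from_string(raw)
    hits = set()
    for name in ADDR_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            host = addr.rpartition("@")[2].lower()
            if host and _is_retired(host):
                hits.add((name, host))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip attachments and multipart containers
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            url = url if url.lower().startswith("http") else "http://" + url
            host = (urlsplit(url).hostname or "").rstrip(".")
            if _is_retired(host):
                hits.add(("body", host))
    return sorted(hits)

if __name__ == "__main__":
    print(find_retired_references(SAMPLE))
```

Run over exported or journaled outbound mail, this surfaces signatures and quoted replies that still carry a retired domain before a recipient's filter does.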
