How to keep your board from getting blacklisted as a spammer.


Alfa1
28 May 2008, 00:48
If your board does not comply with the bulk mail rules of large email providers, then all email from your board to these email providers may get banned.

The way you handle your email protocols and email subscriptions is vital to the well-being of your board. Many boards are not even aware that they are being punished by large email providers for the way the boards are handling their email. Have you ever noticed that mail to a specific email provider often does not arrive? If so, then it's likely that your site has been listed as a spammer. Email providers do share their spammer lists with other email providers.

If you want to resolve or prevent this, then let's inspect the bulk mail rules of the major email providers. I have extracted them and summed them up for you. My clarifications to the mail rules are in blue.


Hotmail:

There must be a simple method to terminate a subscription.
Mailing list administrators must provide a simple method for subscribers to terminate their subscriptions, and administrators should provide clear and effective instructions for unsubscribing from a mailing list. Mailings from a list must cease promptly once a subscription is terminated. This can be by a link, the receiver has to click on, or a valid Re: address.

*vBulletin has this function built in to terminate subscriptions, so this will not cause problems in this regard. However, there is no functionality to let members automatically unsubscribe themselves from admin mailings. Fortunately Kirk made this hack: Unsubscribe link in Administrative Mail (http://www.vbulletin.org/forum/showthread.php?t=120855) (vb 3.7 and lower only)

There should be alternative methods for terminating a subscription.
Mailing list administrators should make an "out of band" procedure (e.g., an email address to which messages may be sent for further contact via email or telephone) available for those who wish to terminate their mailing list subscriptions but are unable or unwilling to follow standard automated procedures.

*This is something you will need to fix yourself, by editing the template. A good way to resolve this is to add a text to the email message that explains how to remove subscriptions by going to the userCP.

Undeliverable addresses must be removed from future mailings.
Mailing list administrators must ensure that the impact of their mailings on the networks and hosts of others is minimized. One of the ways this is accomplished is through pruning invalid or undeliverable addresses.

*This is a vital issue that needs to be resolved, especially if you have a big board. If you are sending out large amounts of subscriptions and other email, then there will be a lot of outdated and false emails in your database. If you keep sending email to nonexistent email addresses, then the risk of getting banned by email providers is very large.

Unfortunately vBulletin does not have a function for this and there is no hack that automatically resolves this problem. However, I highly recommend that you install Anti-Virus's EZ Bounced Email Management for Admins.

Mail volume must take recipient systems into account.
List administrators must take steps to ensure that mailings do not overwhelm less robust hosts or networks. For example, if the mailing list has a great number of addresses within a particular domain, the list administrator should contact the administrator for that domain to discuss mail volume issues.

*This only seems to be an issue for very large or local boards.

Steps must be taken to prevent use of a mailing list for abusive purposes.
The sad fact is that mailing lists are used by third parties as tools of revenge and malice. Mailing list administrators must take adequate steps to ensure that their lists cannot be used for these purposes. Administrators must maintain a "suppression list" of email addresses from which all subscription requests are rejected. The purpose of the suppression list would be to prevent forged subscription of addresses by unauthorized third parties. Such suppression lists should also give properly authorized domain administrators the option to suppress all mailings to the domains for which they are responsible.

*vBulletin has this function built in, so this will not cause problems.

The nature and frequency of mailings should be fully disclosed.
List administrators should make adequate disclosures about the nature of their mailing lists, including the subject matter of the lists and anticipated frequency of messages. A substantive change in the frequency of mailings, or in the size of each message, may constitute a new and separate mailing list requiring a separate subscription.

*You should describe in your email text to which email the email has been sent, why the recipient is receiving the email, from whom (include your url) and how often.

In addition, e-mail sent, or caused to be sent, to or through the Services may not:
• use or contain invalid or forged headers;
• use or contain invalid or non-existent domain names;
• employ any technique to otherwise misrepresent, hide or obscure any information in identifying the point of origin or the transmission path;
• use other means of deceptive addressing;
• use a third party's internet domain name, or be relayed from or through a third party's equipment, without permission of the third party;
• contain false or misleading information in the subject line or otherwise contain false or misleading content;
• fail to comply with additional technical standards described below; or
• otherwise violate the applicable Terms of Use for the Services.

Basically this means that you need to make sure that the way you are sending your email makes sense. If the way your server, domain, url and your email address are set up is not consistent, this may lead the email provider to throw your site on their spammers list. Some considerations:
Is the domain on your server the same as the url of your website?
Is the sender email address of the same extension as your website?
Is the sender email address reachable?
Is the bounce email address of the same extension as your website?
Is the bounce email address reachable?

Since vb 3.7 there is an option to define a bounce email address. Many thanks to Jelsoft for adding this!

CAN-SPAM act:
What the Law Requires
Here's a rundown of the law's main provisions:
• It bans false or misleading header information. Your email's "From," "To," and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.
• It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
• It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an opt-out request, the law gives you 10 business days to stop sending email to the requestor's email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it's illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.

*These 3 points have been discussed above.

• It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

*If you are sending advertisements or messages of commercial nature, you must include the above information in your email text message.

Hotmail has a special programme for senders. More information and subscription can be found here: http://postmaster.msn.com/Services.aspx

Yahoo!

• Remove email addresses that bounce.

*As discussed above, this is a vital issue. See above for more information.

• Examine your retry policies.

Your retry policies are:
A. How often you resend email. Simply use common sense and do not send the same message to the same email twice unless it is essential to do so.
B. How often your server retries to send email. Since this is a server setting consult your server admin or your hosting co to make sure settings are correct.

• Pay attention to the responses from our SMTP servers.

*Responses from SMTP servers are sent as email to your bounce email address. Unfortunately vBulletin does not have functionality for this. I highly recommend installing Anti-Virus's EZ Bounced Email Management for Admins mod.

• Don't send unsolicited email. In this process, after you receive a subscription request, you send a confirmation email to that address which requires some affirmative action before that email address is added to the mailing list.

*vBulletin has this function built in.

• Provide a method of unsubscribing from your list in each mail you send.

*This is discussed above.

• Ensure that your mail servers are not open relays, and that your servers attempt to detect and deny connections to open proxies

*This is a vital issue as well. Although (if properly configured) vBulletin will not allow open relays, there are addons that allow bots & spammers to send email/spam through your site; there are hacks & mods that do allow third parties to use your site for a spamming spree. This should be avoided in any case. Often these problems will come to light by examining your catchall email address.

If a spammer is using your site’s functions to send spam, then study each problem and resolve the vulnerability. Please alert the creator of the mod, so that others will not encounter the same problems.

Explanation:
Normally an open relay would mean that your smtp mail server accepts requests without authorization. i.e. anybody can access it and send email from it. This can be tested through many online sites. Google it.

With vBulletin and its addons however, there are other open relay options, through pages that have a function to send email. Make sure that guests can not use the 'Use Email to Friend' function anywhere on your site. I'd recommend turning this off for newbies as well.

Then go to your catchall email address. This is the standard email address where all bounced email arrives at. Often this is [email protected] Ask your host if you do not know.

Have a look at the emails that got bounced and should not have been sent by you. You may see spam sent from your server, that was then bounced back to your catchall address, because the addressee does not exist. This is where it gets interesting.
Review the message, the headers and the raw view. Find the path used to send the email and specifically the mail script that was used. The mail script often indicates that there is a script in one of your add-ons that allows spammers to send email through your site.

See if you can identify the script and the addon it is part of. If so, then first see if you can correct this by changing the setting of that addon. If yes, then post about it in the relevant thread / site to give others a heads up. If not, then let the coder know that there may be a problem with the addon.

Gmail:
Authentication & Identification
To ensure that Gmail can identify you:
• Use a consistent IP address to send bulk mail.
• Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.

*Please make sure your server admin has these settings right.

• Use the same address in the 'From:' header on every bulk mail you send.

*This speaks for itself.

We also recommend publishing an SPF record, and signing with DomainKeys.
For SPF see: http://www.openspf.org/

*SPF is a very interesting and handy concept. Basically you register how your email is sent. So if there is email sent from another email address, IP, domain, protocol, etc, then email providers will disregard the email. This can come in mighty handy if a spammer is using your email address or domain for spamming.

Subscription
Each user on your distribution list should opt to receive messages from you in one of the following ways (opt-in):
• Through an email asking to subscribe to your list.
• By manually checking a box on a web form, or within a piece of software.
We also recommend that you verify each email address before subscribing them to your list.

*As discussed above.

The following methods of address collection are not considered 'opt-in' and are not recommended:
• Using an email address list purchased from a third-party.

*Speaks for itself.

• Setting a checkbox on a web form or within a piece of software to subscribe all users by default (requiring users to explicitly opt-out of mailings).

*In other words:
adminCP -> vbulletin options -> User registration options -> default registration options
should not have “automatic thread subscription” set to receive email notification.

Unsubscribing
A user must be able to unsubscribe from your mailing list through one of the following means:
• A prominent link in the body of an email leading users to a page confirming his or her unsubscription (no input from the user, other than confirmation, should be required).

*As described above.

• By replying to your email with the word 'unsubscribe' in the body of the message.

*This can be done by keeping an eye on your webmaster email address. It is my experience that virtually no one uses this method. If your experience is different, then please let me know by posting here.

To help ensure that your messages aren't flagged as spam, we also recommend that you:
• Automatically unsubscribe users whose addresses bounce multiple pieces of mail.

*As described above.

• Periodically send confirmation messages to users.

*Since members can unsubscribe in their userCP, this does not seem needed to me. There surely is no way for Gmail to check if you do this.

• Include each mailing list they are signed up for, and offer the opportunity to unsubscribe from those in which they are no longer interested.
• Provide a 'List-Unsubscribe' header which points to a web form where the user can unsubscribe easily from future mailings (Note: This is not a substitute method for unsubscribing).

*As described above.

It's possible that your users forward mail from other accounts, so we recommend that you:
• Explicitly indicate the email address subscribed to your list.

*In your email message text you need to describe which email address the email is sent to.

• Support a URL method of unsubscribing from your mailing list (this is beneficial if your mailing list manager can't tell who is unsubscribing based on the 'Reply-to:' address).

*Add a text to the email message that explains how to remove subscriptions by going to the userCP.

Alfa1
28 May 2008, 00:48
Format
• All bulk messages you send must be formatted according to RFC 2822 SMTP standards and, if using HTML, w3.org standards.
• Messages should indicate that they are bulk mail, using the 'Precedence: bulk' header field.

*Speaks for itself.

• Attempts to hide the true sender of the message or the true landing page for any web links in the message may result in non-delivery.

*Do not spoof email addresses or links. Duh!

• The subject of each message should be relevant to the body's content and not be misleading.

*Speaks for itself.

Now the most important thing for Gmail that needs to be properly communicated to your members:

Delivery
While Gmail works hard to deliver all legitimate mail to a user's inbox, it's possible that some legitimate messages may be marked as spam. Gmail does not accept 'whitelisting' requests from bulk senders, and we can't guarantee that all of your messages will bypass our spam filters. To make sure our users receive all the mail they'd like to, we've provided them with a method for sending us feedback about messages flagged as spam -- users have the option of clicking a 'Not spam' button for each message flagged by our spam filters. We listen to users' reports, and correct problems in order to provide them with the best user experience. As long as our users don't consider your mail as spam, you shouldn't have inbox delivery problems.
There are two important factors that, under normal circumstances, help messages arrive in Gmail users' inboxes:
• The 'From:' address is listed in the user's Contacts list.
• A user clicks 'Not Spam' to alert Gmail that messages sent from that address are solicited.

*Instruct your members to mark email from your site as ‘not spam’ and to add your webmaster email to their contacts. If enough Gmail users mark your messages as spam, then you have a problem.

If you send both promotional mail and transactional mail relating to your organization, we recommend separating mail by purpose as much as possible. You can do this by:
• Using separate email addresses for each function.
• Sending mail from different domains and/or IP addresses for each function.
By using these tips, it's more likely that the important transactional mail will be delivered to a user's inbox. Our guidelines are meant to help you build a good reputation within the Gmail system, resulting in continual delivery to Gmail inboxes.

*This speaks for itself.

Third-Party Senders
If others use your service to send mail (for example: ISPs), you are responsible for monitoring your users and/or clients' behavior.
• You must have an email address available for users and/or clients to report abuse ([email protected]).
• You must maintain up-to-date contact information in your WHOIS record, and on abuse.net.
• You must terminate, in a timely fashion, all users and/or clients who use your service to send spam mail.

*IMHO, unless you allow your members to have a site based email address (branded email), there should be no reason why third parties would be allowed to use your domain to send email. That's inviting spammers.
Offering branded email to your members is only wise if you can put a considerable amount of trust in your members.

AOL:
Conditions To Bulk Sender Status

The whitelist is designed to help America Online work with organizations and individuals who send out a high volume of solicited email. Whitelist status protects mail originating from whitelisted IP Addresses from some, but not all, of AOL’s proprietary processes for protecting its Members and its network from unsolicited bulk email (UBE). View America Online's Unsolicited bulk e-mail guidelines. Thus, whitelist status exempts an IP address from certain blocking filters, but does not guarantee delivery of mail originating from such addresses. To participate in the AOL whitelist program, you must adhere to certain technical and other requirements, as stated below.

*See if your site can be added to AOL’s whitelist.

Please read the following terms carefully before clicking "I agree" to proceed to the whitelist request form.

Technical Requirements
• All e-mail must be RFC compliant.
• All e-mail servers connecting to AOL's mail servers must have valid reverse DNS records.

*Speaks for itself.

• All e-mail servers connecting to AOL's mail servers must be secured to prevent unauthorized or anonymous use.

*So no open relays. See my remarks above.

• Direct connections from dynamically assigned IP addresses or residential customers to AOL's mail servers may not be accepted.

*AOL basically says that their system is so twisted that even they do not accept their own IPs. So do not host on AOL. Do not send mail from a dynamic IP, like AOL has.

• Organizations may not hard code AOL's mx records into their configuration files.
• An organization's mail servers must send a minimum of 100 emails per month to maintain whitelist status.

*Speaks for itself.

E-mail Formatting Requirements:
• Email originating from the whitelisted IP Address must be compliant with the federal Can Spam Act of 2003, available at http://www.spamlaws.com/federal/can-spam.shtml.
• Persons transmitting mail from the whitelisted IP Address must not do anything that tries to hide, forge or misrepresent the sender of the e-mail and sending site of the e-mail.

*Speaks for itself.

• Bulk mailings must specifically state how the AOL members' e-mail addresses were obtained and must indicate the frequency of the mailing. Such details as the date and time when the e-mail address was obtained along with the IP address of the subscriber and the web site they visited to sign-up must be made available to AOL upon request.

*As discussed above. IMHO the inclusion of the member's IP address is dubious, but you might feel otherwise.

• Bulk mailings should contain simple and obvious unsubscribe mechanisms. We recommend that this be in the form of a working link to a one-click unsubscribe system; however, a valid "reply to:" address may be used instead.

*As discussed above.

• All subscription based e-mail must have valid, non-electronic, contact information for the sending organization in the text of each e-mail including phone number and a physical mailing address.

*Include the physical address of your organisation, in the email text.

Policy and Procedural Requirements:
• All bulk e-mail to AOL members must be solicited, meaning that the sender has an existing and provable relationship with the e-mail recipient and the recipient has not requested not to receive future mailings from the sender. Documentation of the relationship between the sender and the recipient must be made available to AOL upon request.
• Any e-mail sent to AOL members must conform to AOL's Community Guidelines (http://legal.web.aol.com/aol/aolpol/comguide.html).
• Persons sending bulk mail from the whitelisted IP Address must immediately remove any e-mail address which causes a permanent failure "bounce" message to be generated.
• If a whitelisted IP Address generates member complaints, bounces in excess of 10% of their mail or fails to accept those bounces, the whitelist status may be revoked for that IP Address. A pattern of such abuses common to a single organization may result in the revocation of whitelist status for some or all of that organization's IP Addresses.
• In no way does the posting of these requirements imply any affiliation, membership, sponsorship or endorsement of business or activities/practices of an organization by AOL.
• Periodic audits of mail, complaint, bounce and bounce acceptance volumes may result in removal of an IP Address or of an organization’s IP Addresses from AOL's whitelist without notice.


*This speaks for itself or is discussed above.

So in summary this has the following effect on your email text:
- add a text to the email message that explains how to remove subscriptions by going to the userCP.
- You should describe in your email text to which email address the email has been sent,
- why the recipient is receiving the email,
- from whom (include your url) the email is sent
- how often the email will be sent
- If you are sending advertisements or messages of commercial nature, you must include the above information in your email text message.
- Include the physical address of your organisation, in the email text.

If you are blacklisted by an email provider then start with this:

Check your catchall email address:
Please go to your catchall email address and see what's in there. If it is full of spam or bounced emails then this is a good indication of your problems. If there is spam, then see where it comes from:
- The kind of email addresses. Is a spammer using your email addresses to fake the sender address? If so, then start by making an SPF. (see above)
- How was it sent? Check the header / raw view of the email messages to see if they were sent through a page / script on your site. If so, then you have open relays that you need to close.

Deactivate accounts with inactive email addresses:
The most likely problem is that you have a lot of members with inactive email addresses. The way to solve this is:
1. Install EZbounced email management (http://www.vbulletin.org/forum/showthread.php?t=138884).
2. Make sure that your Bounce Email Address is a different one than the email address you send your emails from. See adminCP -> vbulletin options -> email options.
3. Then send out a mass email to all your members.
4. Go to your Bounce Email Address to process the bounced email.
5. Check the bounced messages for the reason why each email address is bouncing and decide if the account needs to be deactivated.

This works well, but the downside is that if you have a lot of members then this will be a lot of work. When I did this, I got thousands of bounced emails to process. See if you can safely share this email account with other admins and share the work. Note that if you do not make a different Bounce Email Address, and are using your catchall account, then the password of this account is often the same as directadmin login and there is a security risk in sharing that.

There is another modification that can be of help: Auto Bounce Messages Management (http://www.vbulletin.org/forum/showthread.php?t=181936)
It automatizes the process, but the downside is that it currently deactivates all accounts with bounced mail (even when it's just a full inbox) and does not alert the deactivated members why their account is inactive and what they can do to activate their account. So if you choose this mod, then get ready for a flood of questions and confused members.

Then go through all points in the article and make sure they are in good order.
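The bounce handling described in the post above, including the difference between a full inbox and a dead address, can be made mechanical. This added example is not part of the thread and is not code from vBulletin or either mod; it assumes the bounces are standard delivery status notifications (RFC 3464), treats "mailbox full" as a soft bounce, and uses an assumed limit of three soft bounces. The sample reports are constructed.

```python
"""Classify bounce reports (RFC 3464 DSNs) before deactivating accounts."""
from collections import Counter
from email import message_from_string

SOFT_LIMIT = 3  # assumed threshold: soft bounces tolerated before deactivation


def parse_dsn(raw):
    """Yield (recipient, action, status) for each per-recipient block of a DSN."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()
        if not isinstance(blocks, list):
            continue
        for block in blocks:
            recipient = block.get("Final-Recipient")
            if not recipient:
                continue  # per-message block (Reporting-MTA) has no recipient
            address = recipient.split(";", 1)[-1].strip().lower()
            action = (block.get("Action") or "").strip().lower()
            status = (block.get("Status") or "").strip().split(" ")[0]
            yield address, action, status


def classify(status):
    """Map an enhanced status code (RFC 3463) to 'hard', 'soft' or 'unknown'."""
    fields = status.split(".")
    if len(fields) != 3 or not all(f.isdigit() for f in fields):
        return "unknown"
    if fields[1:] == ["2", "2"]:
        return "soft"  # X.2.2 is "mailbox full", even when sent as 5.2.2
    if fields[0] == "5":
        return "hard"
    if fields[0] == "4":
        return "soft"
    return "unknown"


def decide(raw_reports, soft_limit=SOFT_LIMIT):
    """Return {address: 'deactivate' | 'keep'} for every address in the reports."""
    hard, soft, seen = set(), Counter(), set()
    for raw in raw_reports:
        for address, action, status in parse_dsn(raw):
            seen.add(address)
            if action != "failed":
                continue  # "delayed" means the remote server is still retrying
            kind = classify(status)
            if kind == "hard":
                hard.add(address)
            elif kind == "soft":
                soft[address] += 1
    return {
        a: "deactivate" if a in hard or soft[a] >= soft_limit else "keep"
        for a in sorted(seen)
    }


def sample_dsn(recipient, action, status):
    """Build a constructed DSN; not taken from a real mailbox."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: bounces@forum.example\n"
        "Subject: Delivery Status Notification\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/report; report-type=delivery-status;"
        ' boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery problem.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        f"Final-Recipient: rfc822; {recipient}\n"
        f"Action: {action}\n"
        f"Status: {status}\n\n"
        "--b1--\n"
    )


SAMPLE_REPORTS = [
    sample_dsn("gone@example.com", "failed", "5.1.1"),    # unknown user
    sample_dsn("full@example.com", "failed", "5.2.2"),    # full inbox, once
    sample_dsn("flaky@example.org", "failed", "4.4.7"),   # gave up retrying
    sample_dsn("flaky@example.org", "failed", "4.4.7"),
    sample_dsn("flaky@example.org", "failed", "4.4.7"),
    sample_dsn("slow@example.net", "delayed", "4.4.1"),   # not a failure yet
]

if __name__ == "__main__":
    for address, verdict in decide(SAMPLE_REPORTS).items():
        print(f"{address}: {verdict}")
```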

Princeton
28 May 2008, 12:53
thanks for sharing - very helpful article

Shaheen
30 May 2008, 23:06
Nice and useful article. Thanks

ahayat
31 May 2008, 04:39
Nice and very informative, I often think about bounced e-mails, especially YAHOO server has a big problem. Thanks a lot, mate, for posting such a useful article. Cheers
Bye

R-n-R
07 Jun 2008, 15:46
Thank you VERY MUCH for taking the time to put this article together, very good info!

Infopro
24 Jun 2008, 16:40
Well done. :up:

Hornstar
11 Jul 2008, 02:03
I am going to buy a PO Box, as I don't want to give away my home address. OR would a PO box not be acceptable either?

aisais
11 Jul 2008, 04:07
Thank you very much. I learned a lot from this article.

Alfa1
12 Jul 2008, 07:28
A PO box is a valid address.

ARTICLE UPDATED!

ssslippy
15 Jul 2008, 18:36
I would like to note the ezbounce feature gets caught a lot of the time as spam. I have had multiple rejections sent back to me while using ezbounce.

Alfa1
16 Jul 2008, 02:06
Strange. I have not encountered that. Did you turn off 'Show EZ Bounce link in email message body'?

Note that there are some interesting developments going on in the EZBounced topic now. With a little help, the whole bounced email processing might get automatized through the combination of EZBounce, eMail Bounce Handler with Macro Express.

CardMafia
31 Jul 2008, 03:30
very helpful information, thank you

Alfa1
25 Dec 2008, 11:57
Note that there are some interesting developments going on in the EZBounced topic now. With a little help, the whole bounced email processing might get automatized through the combination of EZBounce, eMail Bounce Handler with Macro Express.

This never got off the ground. A full solution to handle bounced email is still needed. The best option that admins have at this time is to use EZBounced and handle all bounced email manually. Even when this means thousands of bounced mails.

sub_ubi
27 Jan 2009, 19:53
Man that's rough, having to go through thousands of emails manually

Alfa1
27 Jan 2009, 22:28
Yes, I went through 20.000 emails in a year. Really sucks. But not as much as your new members never getting their email. Cause you will likely not find out when that happens and that problem will seriously delay the growth of your site.

rob01
28 Apr 2009, 05:13
How do you check the open relays connections?

I'm kinda new :S

Alfa1
28 Apr 2009, 10:33
How do you check the open relays connections?

I'm kinda new :S
Normally an open relay would mean that your smtp mail server accepts requests without authorization. i.e. anybody can access it and send email from it. This can be tested through many online sites. Google it.

With vBulletin and its addons however, there are other open relay options, through pages that have a function to send email. Make sure that guests can not use the 'Use Email to Friend' function anywhere on your site. I'd recommend turning this off for newbies as well.

Then go to your catchall email address. This is the standard email address where all bounced email arrives at. Often this is [email protected] Ask your host if you do not know.

Have a look at the emails that got bounced and should not have been sent by you. You may see spam sent from your server, that was then bounced back to your catchall address, because the addressee does not exist. This is where it gets interesting.
Review the message, the headers and the raw view. Find the path used to send the email and specifically the mail script that was used. The mail script often indicates that there is a script in one of your add-ons that allows spammers to send email through your site.

See if you can identify the script and the addon it is part of. If so, then first see if you can correct this by changing the setting of that addon. If yes, then post about it in the relevant thread on vb.org to give others a heads up. If not, then let the coder know that there may be a problem with the addon, by posting in the relevant thread.
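The header review described in the post above can be scripted once the catchall mailbox fills up. This added example is not part of the thread and is not code from vBulletin or any mod; it assumes the server's PHP adds the X-PHP-Originating-Script header (the mail.add_x_header setting) and that bounces attach the original message or its headers. The sample bounces and the script name sendtofriend.php are constructed.

```python
"""Group bounced mail from a catchall mailbox by the PHP script that sent it."""
from collections import Counter
from email import message_from_string

# Header PHP adds to outgoing mail when mail.add_x_header is enabled.
SCRIPT_HEADER = "X-PHP-Originating-Script"


def original_headers(raw_bounce):
    """Return the headers of the message that bounced, or None if not attached."""
    for part in message_from_string(raw_bounce).walk():
        ctype = part.get_content_type()
        payload = part.get_payload()
        if ctype == "message/rfc822" and isinstance(payload, list) and payload:
            return payload[0]  # full original message attached
        if ctype == "text/rfc822-headers" and isinstance(payload, str):
            return message_from_string(payload)  # headers-only attachment
    return None


def sending_script(headers):
    """Extract the script file name from a '<uid>:<file>' header value."""
    value = headers.get(SCRIPT_HEADER)
    if not value:
        return None
    return value.split(":", 1)[-1].strip() or None


def triage(raw_bounces):
    """Count bounces per sending script; track those that cannot be attributed."""
    result = {"by_script": Counter(), "no_script_header": 0, "no_original": 0}
    for raw in raw_bounces:
        headers = original_headers(raw)
        if headers is None:
            result["no_original"] += 1
            continue
        script = sending_script(headers)
        if script:
            result["by_script"][script] += 1
        else:
            # Not attributable to a PHP script: the sender address may have
            # been forged elsewhere, or the header is disabled on the server.
            result["no_script_header"] += 1
    return result


def sample_bounce(script=None, attach="message/rfc822"):
    """Build a constructed bounce; not taken from a real mailbox."""
    original = (
        "From: webmaster@forum.example\n"
        "To: nobody@invalid.example\n"
        "Subject: Check this out\n"
    )
    if script:
        original += f"{SCRIPT_HEADER}: {script}\n"
    text = (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: catchall@forum.example\n"
        "Subject: Undelivered mail returned to sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nUser unknown.\n"
    )
    if attach:
        text += f"--b1\nContent-Type: {attach}\n\n{original}\nSpam body\n"
    return text + "--b1--\n"


SAMPLE_BOUNCES = [
    sample_bounce("1001:sendtofriend.php"),
    sample_bounce("1001:sendtofriend.php", attach="text/rfc822-headers"),
    sample_bounce(),             # original attached, but no script header
    sample_bounce(attach=None),  # bounce without the original message
]

if __name__ == "__main__":
    report = triage(SAMPLE_BOUNCES)
    for script, count in report["by_script"].most_common():
        print(f"{count} bounce(s) sent via {script}")
    print("no script header:", report["no_script_header"])
    print("original not attached:", report["no_original"])
```

A script name that dominates the count is the add-on page to lock down first; bounces with no script header point back to the forged-sender case that SPF addresses.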

Mutt
02 May 2009, 05:58
I recently sent out a mass email from the admin control panel and was surprised that there wasn't any kind of unsubscribe message tacked onto the end like there is when members email one another.

is there an easy way to add this or do I need to remember to manually add it myself each time I send an email. are there any hacks for something like this?

thanks in advance

Alfa1
02 May 2009, 12:02
I recently sent out a mass email from the admin control panel and was surprised that there wasn't any kind of unsubscribe message tacked onto the end like there is when members email one another.

is there an easy way to add this or do I need to remember to manually add it myself each time I send an email. are there any hacks for something like this?

thanks in advance
Fortunately Kirk made this hack: Unsubscribe link in Administrative Mail (http://www.vbulletin.org/forum/showthread.php?t=120855)
However, you still need to add a text manually, like described in my article.

Mutt
12 May 2009, 19:03
Fortunately Kirk made this hack: Unsubscribe link in Administrative Mail (http://www.vbulletin.org/forum/showthread.php?t=120855)
However, you still need to add a text manually, like described in my article.

thanks, that's great

Alfa1
21 Aug 2009, 11:09
I've updated the article. Pretty soon I will be needing a 3rd post, because there is a maximum amount of characters that can be entered.

Does anyone have questions or remarks?

VonDoom
23 Sep 2009, 04:40
Great article, I'll be going through most of this soon. I rarely (maybe once a year) send out bulk mail. But I never considered the ramifications of members using the email to friends feature. lol reminds me to check my email account too. umm something I haven't done in a month or more.

cavyspirit
05 Nov 2009, 17:34
Thanks for this thread. Great info.

Personally, knowing what I know now, I would never use the vB email system to do a mass mail and I'm glad that in all these years, I haven't used it.

I found out just how damn devastating it can be to be blacklisted as a spammer.

Unbeknown to me about a year ago, one of my lesser used CMS sites was hacked and a spammer was using my account to send out spam emails. My site ended up on email blacklists. It's not just the one email address or site that gets blacklisted, it can be your entire server along with references to any site on that server anywhere in the email. And since I do web development and host around a dozen accounts on this one server, ALL mail--incoming and outgoing from my server was being blocked by many, many providers. Business came to a screeching halt for me and my clients. At least that was my experience.

It was that tough wake-up call that forced me to institute much more rigorous security on my environments.

In addition, I discovered this site: http://www.mxtoolbox.com/blacklists.aspx which lets you enter in your server IP and see if you are on any major email blacklists. And it helps you deal with getting off of each blacklist. AND they have a service which will send you an immediate alert if you end up on any blacklist for any reason. After setting and forgetting about it last year--after it taking almost a week to recover to being clean again--I did get one alert for a minor problem which I very quickly resolved.

Getting blacklisted once was a big-time learning experience and not a good one.

porcupine73
26 Nov 2009, 02:17
Thanks for this helpful article Alfa. I'm trying to get my board compliant with many of these items.

One quick thing I am trying is I created a new template I called email_footer1, which contains text similar to:
_____________________________________________________________
This email was sent to $bbuserinfo[email], based on account registration.
To manage your email preferences, update your account settings at $vboptions[bburl]/profile.php?do=editoptions

Alternatively to unsubscribe, go to $vboptions[bburl]/$vboptions[contactuslink], or reply to this email with the word unsubscribe as the subject.
Mailing address: some name, someplace
Telephone: telephone
To report abuse, email [email protected]

Then I added a plugin hooked on mail_send to hopefully append the relevant info to the bottom of all e-mails sent by vbulletin?
// Add footer to outbound e-mail
eval('$message .= "' . fetch_template('email_footer1') . '";');
(You don't want to know how long I spent getting that to work, especially since I had \\ instead of // for the comment :cool:)

The DKIM looks interesting. My host doesn't let me add any fields to the domain record though so it looks like I'd need to use a different DNS to put out the info

Alfa1
26 Nov 2009, 20:24
Very interesting. Please let me know if this is included in all email.

dfidler
05 Dec 2009, 21:13
Does anyone have questions or remarks?

Just a remark; awesome article. Thanks for taking the time!

Alfa1
06 Dec 2009, 14:48
You're most welcome. I hope IB will do something with it and implement the needed functionality to avoid such problems.

Biker_GA
05 Apr 2010, 06:25
Your references to Microsoft's tips are pretty much out of date. I've been running in circles attempting to get a delivery issue resolved with them and the majority of the addresses are no longer valid on their site.

Something I've recently run into, and many may be getting smacked for this is NDR and reverse NDR spam. I've been nailed by this recently and as a result, showed up on a blacklist.

I'm still poring through the rules in Exim to figure out a way to minimize this. You can't really prevent it, short of turning off NDR, but then you'd be running a mail server that doesn't conform to current mail standards. **sigh** I hate spammers.

Alfa1
05 Apr 2010, 21:52
Your references to Microsoft's tips are pretty much out of date. I've been running in circles attempting to get a delivery issue resolved with them and the majority of the addresses are no longer valid on their site.
Please let me know what you have found to be out of date and where new mail conditions can be found. I still see the same anti-spam policy on microsoft.com. I see there is new data on http://postmaster.msn.com/Services.aspx and http://postmaster.live.com/Guidelines.aspx but that doesn't seem to replace the Anti-Spam policy.

Something I've recently run into, and many may be getting smacked for this is NDR and reverse NDR spam. I've been nailed by this recently and as a result, showed up on a blacklist.

I'm still poring through the rules in Exim to figure out a way to minimize this. You can't really prevent it, short of turning off NDR, but then you'd be running a mail server that doesn't conform to current mail standards. **sigh** I hate spammers.
Have you considered limiting the number of NDRs within X amount of time to a number that resembles a normal amount?

Biker_GA
06 Apr 2010, 03:24
From what I've been reading, a better solution is to verify prior to accepting via SMTP, and then rejecting back to the originating server. That puts the NDR on that server, rather than your own. There have been some changes to the RFC and it's now suggested that NDRs not be sent under many conditions.

As for those bloody Microsoft pages, I'm very familiar with them. OH am I familiar with them. **banging head on desk** The email addresses dealing with SPF records are all outdated now, and I'm beginning to wonder if the pages themselves are really relevant. Once I finally get through to someone who knows what I'm talking about and get my issue resolved, I'll post the steps I had to take here.

Hornstar
08 Apr 2010, 01:18
I find yahoo to be my biggest problem. I even had to block yahoo for a while as it was just not worth the hassle. I still have far too many issues with them.

Parture
15 Sep 2010, 21:26
A month or two ago I had no problem, but after my forums were hacked into about a month ago, whenever a search bot or someone tried to access one of my forum pages (all my forum pages were down), it sent an email out to either gmail or yahoo to explain the error. Now that my forums are up and running again with a new host, I noticed that the verification email is not received for those who register with a Yahoo email or Gmail. But it is received by Hotmail.

So how do I solve this? For one I put a message in Notices for those who did not receive a verification email, saying a verification email is not received for Yahoo and Gmail because they must have my site on a blacklist. I don't do bulk emailings, so I am guessing why this happened was there was probably over 100,000 error reports sent out the past month when my forums were down so that is what created the blacklist.

Help.

Alfa1
15 Sep 2010, 22:08
Have you followed the instructions in this article? If yes, then it's a matter of time before everything goes back to normal.

Parture
16 Sep 2010, 02:26
I believe none of the reasons in the article are why the blacklist occurred. The reason the blacklist occurred was because somewhere between 100,000 and 1 million error reports were sent to my two emails, one at Yahoo and one at Gmail. Of course that has stopped since my forums are back up and running. Maybe over time it will get reinstated?

Alfa1
16 Sep 2010, 10:08
If those emails have not been sent from your server (IP address) but from gmail/yahoo then it's best to just change your website's email account. That is likely an instant fix.
If not then it becomes a matter of time. If providers see no new problems with an account, then it will be reinstated in time. However, I do not know if the same goes for such massive amounts sent.

SaN-DeeP
23 Oct 2010, 07:27
Very good article Alfa1

asylum119
22 Nov 2010, 13:28
Applaud your post

In vBulletin user banning options insert every email address and phrase that you can think of that might cause you being flagged as spam to the ban list, spam, postmaster, microsoft etc etc (because if a mod upsets a prick then a prick will sign up with the following to just be a prick)

I suggest assigning different email functions to different IP addresses and email addresses
newsletter=IP 1 : forum confirmation=IP 2 and so on, Now if you get marked as spam it shouldn't affect all your emails sent.

Now just pray that someone (that same prick) doesn't sign up using a honeypot address because most of the time these do not bounce and will result in your IP being flagged as spam.

If this happens then you will need even more IP addresses to do split email send outs to try and isolate the bad email address. (start with the latest sign ups)

Before doing any mass sending I suggest sending a trial to [email protected] making sure that in the subject line you put "TEST". The email will bounce straight back and give you a spam score. (if you don't put TEST in the subject and in capital letters your email will just be dropped from the server instead of bouncing back with the results)

Alfa1
17 Dec 2010, 13:19
For those of you that are using Photopost Pro: EZBounce does not remove subscriptions in Photopost Pro.

Another issue is that banned users continue to get their Photopost subscriptions. So until a solution is found, it's best to turn off email functions for Photopost completely.

ageurtse
27 Dec 2010, 16:04
I'm having trouble sending emails to several email accounts.

When I send an activation email to Hotmail or a lost password email to Hotmail, these aren't delivered to the specified email address.

The server indicates everything went right.

The problem occurred 2 years ago; at that time our server was hacked.
After discovering this, the server was taken down, and we installed a newer vBulletin on a different server at a different hosting provider. Next, we were removed from the blacklists after emailing that we were hacked and how we solved it.

But we still have some problems with several email addresses
(hotmail.* kpn-mail.nl livemail.*). What could be wrong?

I read the above article but I don't know where or how to start.

rootsxrocks
20 Jun 2011, 01:59
Thank you for this information. It took me a few months of hard work but I have successfully gotten my dedicated IP off all the blacklists it was on when I purchased it, using your advice.
I was reminded of this today when I received my first feedback where a registered user reported his birthday email as spam. I was able to promptly go and ban him to assure he never received another.

Alfa1
20 Jun 2011, 02:01
Good that you have it sorted now.

Alfa1
30 Jan 2012, 07:38
I'm glad to see that many large email providers have joined forces and released a new email identification system. This open standard for email will have a major impact on the way email can be sent.

See: http://www.dmarc.org/
Google, Facebook, AOL, Microsatan, Yahoo, Paypal, and other major companies are involved.

Best thing that you can do to prepare for this is to get your SPF (http://www.openspf.net/) and DKIM (http://www.dkim.org/) configured. It's likely that all major email providers are already modifying their systems to check incoming email for SPF and DKIM.
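
An added example (not from any poster in this thread) of what a receiving provider does with the SPF record recommended above: it evaluates the policy against the IP that delivered the mail. The function name, the TXT records and the documentation-range IPs are constructed for illustration; only `ip4`, `ip6` and `all` are evaluated offline, and terms that need DNS are reported back.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(txt_records, sender_ip):
    """Evaluate the ip4/ip6/all terms of a domain's SPF policy for one IP.

    Returns (result, unresolved); unresolved lists terms such as include:,
    a or mx that need DNS lookups. If it is non-empty, one of those terms
    may match before the term that decided the result here.
    """
    ip = ipaddress.ip_address(sender_ip)
    policies = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not policies:
        return "none", []        # no SPF policy published at all
    if len(policies) > 1:
        return "permerror", []   # more than one v=spf1 record is an error
    unresolved = []
    for term in policies[0].split()[1:]:
        qualifier = "+"          # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier], unresolved
        elif name == "all":
            return QUALIFIERS[qualifier], unresolved
        else:
            unresolved.append(term)
    return "neutral", unresolved  # nothing matched and no "all" term

# Constructed TXT records for a hypothetical board domain (not from the thread).
BOARD_TXT = [
    "site-verification=constructed-value",
    "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
]

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7"):
        print(ip, evaluate_spf(BOARD_TXT, ip))
```

A board whose web server sends mail from an IP outside the published ranges gets `softfail` or `fail` here, which is the case to fix before a provider starts enforcing the policy.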

DragonByte Tech
11 Feb 2012, 00:59
Just a heads up that our vBMail Lite mod can be used to help comply with spam regulations, including an unsubscribe link and automatic removal of bounced addresses.

You can check out the vb4 version here: http://www.vbulletin.org/forum/showthread.php?t=266142

And vB3 Version here: http://www.vbulletin.org/forum/showthread.php?t=266499

Alan_SP
01 Jun 2014, 19:46
I just received my first gmail bounced email with this content:

550-5.7.1 [x.x.x.x 12] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
550-5.7.1 this message has been blocked. Please visit
550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for
550 5.7.1 more information. fm4si16129174wib.68 - gsmtp

It's thread subscription notifying user about new posts in thread, and AFAIK, all other emails passed so far.

I checked SPF, there is TXT (no SPF) record in DNS and it has been so for years. Is there a possibility this is a fluke, or could there be further problems? And what to do in case further mails get stopped?
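
An added example (not part of the post above) of how a bounce handler can read a multi-line SMTP reply like the Gmail one quoted there and decide what to do with the subscriber. The sample reply is constructed on the same pattern, and the action names are hypothetical labels: a 5.7.x policy refusal says nothing about the address being dead, so the subscriber stays and the sender's setup gets checked, while a 5.1.x reply means the address should be removed.

```python
import re

# "550-5.7.1 text" continues a reply; "550 5.7.1 text" is its last line.
REPLY_LINE = re.compile(
    r"^(\d{3})([ -]|$)(?:([245]\.\d{1,3}\.\d{1,3})(?:\s+|$))?(.*)$")

def parse_smtp_reply(raw):
    """Return (code, enhanced_status, text) for one multi-line SMTP reply."""
    code, status, text = None, None, []
    for line in raw.strip().splitlines():
        m = REPLY_LINE.match(line.lstrip())
        if not m or (code and m.group(1) != code):
            raise ValueError(f"not part of one SMTP reply: {line!r}")
        code, status = m.group(1), m.group(3) or status
        text.append(m.group(4))
        if m.group(2) != "-":           # no hyphen: this was the last line
            break
    return code, status, " ".join(text)

def bounce_action(code, status):
    """Decide what a board's bounce handler should do with the recipient."""
    if code.startswith("4"):
        return "retry-later"              # temporary failure
    subject = status.split(".")[1] if status else None
    if subject == "1":
        return "remove-address"           # x.1.x: the address itself is bad
    if subject == "7":
        return "keep-address-check-sender"  # x.7.x: policy/security refusal
    return "manual-review"

# Constructed reply, modelled on the Gmail bounce quoted in the post above.
GMAIL_STYLE_BOUNCE = """\
550-5.7.1 [192.0.2.10 12] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
550-5.7.1 this message has been blocked.
550 5.7.1 constructed-id - gsmtp
"""

if __name__ == "__main__":
    code, status, text = parse_smtp_reply(GMAIL_STYLE_BOUNCE)
    print(code, status, bounce_action(code, status))
    print(text)
```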

rcull
11 Jul 2014, 04:22
Great article! I am a commbull user, and have wondered about these aspects of a newsletter. I will be modifying my template to reflect some of the points.

I only send out my newsletter to active members. One nice feature of commbull is the ability to limit it to active members within a specified time. I limit it to 180 days. This probably covers the bad email address problem mentioned.

Is there any way of determining if you have been blacklisted? With my active members, I only send out about 12-1500 emails. Is that a lot or a minor blip?

Thanks!