Do you want to stay off email blocklists? Although the tips provided are aimed at helping companies and individuals from being blocked, a few of these tips will also work for ISPs, hosting companies, or email service providers.
You don’t like to read? Check out our #askabusix session on YouTube.
1. Address Confirmation
The number one tip is to confirm all email addresses. This is the most common issue that arises for a number of reasons, most commonly, users or employees that key in information might misspell part of the address.
Additionally, automated bots cause all types of problems when they attempt to abuse your services by auto-filling forms using the email addresses of their targets. Anti-bot prevention measures, like Google Recaptcha, can reduce some of the problems with bots, but they won’t eliminate the issue completely.
Confirm any email addresses being added to your lists by doing a confirmed opt-in or double opt-in. Send a message that contains a link that the recipient has to click to confirm that the email address is correct and that they wish to receive messages from you. Using this type of opt-in procedure will keep your list clean and you won’t ever have issues with ending up on blocklists.
Autoresponders, applications that automatically send a message in response to receiving a message or web form submission, can quickly land you on blocklists. While they can seem like a good idea, you can find yourself on a blocklist because you are replying to people who never sent you a message to begin with.
One of the worst autoresponders is the type that sends a response message from the “Contact Us” form on many websites. Typically, after the form has been filled out, the autoresponder sends a copy of the filled form to the supplied email address. The problem is that you can’t trust what was filled in.
Bots often misuse these types of forms and autoresponders to send spam. The bot will enter their target email address and then they add their spam message into another field. When your autoresponder sends a confirmation regarding the completed form, the bot has just used your URL to deliver their spam payload.
Again, using Recaptcha can help you mitigate this type of abuse if you do want to use these forms. If you are seeing loads and loads of spam per day, then all of that spam is going to external recipients, and probably traps too which can get you listed.
Other types of autoresponders, ones that say this email address is not in use, or this email address has been changed, or even a friendly message saying we’ve received your email and we’ll reply as soon as possible, can be problematic as well. These are particularly bad when they are directed to role accounts, like [email protected], [email protected], [email protected], postmaster@, and [email protected] type addresses. These are addresses that tend to attract more spam so they auto-respond to a lot.
A large percentage of the spam that you receive is using spoofed addresses. This means that you’re going to respond to many people who didn’t send you an email in the first place. Typically, autoresponders are not well set up. They can get you blocked when you are spamming people who didn’t want to receive messages because they never originated anything in the first place.
3. Outbound Traffic Security
First and foremost, don’t share external IP addresses that use network address translation (NAT) for your internal network with your email server(s). Infected PCs and compromised devices are commonplace, and these can cause NAT IPs to be blocked when spam or compromised host activity is detected from them.
Except for mail servers that need it, always block TCP port 25. If your internal clients don’t need external access, also block TCP ports 465 and 587. If you’re running Exchange and you provide webmail, you typically don’t need to allow those ports outbound so you can safely block them off.
Use spam filtering on all your outbound mail to look for any blocked URLs, domains, email addresses, etc. Also, check any external IPs that are authenticating to your servers to send mail via SMTP auth or webmail against authentication blocklists specifically designed for this purpose. That will help you identify compromised accounts and prevent them from sending traffic.
Also, establish sensible rate limits per user and per domain on your outbound mail. Track rejection and bounce rates to look for obvious signs of compromised accounts so you can stop them and protect your reputation. Finally, limit access to your network services by using a VPN.