The reason given by the email services for blocking his IP address was that it was a suspected source of spam. Yet the customer was in contact with all the users on his VPS and knew that they were not sending out spam.
The customer further shared that all the user emails coming into the VPS were being forwarded to various personal email accounts at AOL, Gmail, Yahoo, etc. This was the first red flag for Mike that pointed to a possible reason these third-party email services were blocking the IP address. Here’s what he had to say about this in the ticket.
The bottom line is, just because your clients want their email set up this way, it’s still one of the most inadvisable things for someone to do with their email… forward it to free web-based email services. If you forward mail to Yahoo, then Yahoo gets to decide what to do with it. It’s out of our hands at that point.
Nobody is suggesting that your customers are sending spam. But if they’re forwarding a lot of incoming spam to Yahoo, for example, then Yahoo gets to decide what to do with it… and your server will be seen as the source. That’s just the reality of the situation.
My clients are having a fit.
I logged onto the ATT site: http://att.net/blocks
Here are some of the questions they asked if we did:
- Reinstalled Antivirus and Firewall – Removed viruses
- ACL to block egress SMTP traffic was created
- Removed/blocked machine from network
- Removed vulnerable script from webserver
- Removed malicious user from network
- Reconfigured server to ignore NDRs to forged addresses/domains
Is there anything in this list that we need to do? Is there any way to see the mail that is coming through the server so we can see if one particular client is the culprit. I’m sure they are unsuspecting and probably have a virus or something. Any suggestions?
It could be a lot of things at this point, though it isn’t anything that you have listed above. It’s the email behaviors and practices of your users that have caused these problems. Your customers are forwarding everything off-server to all sorts of networks. And I see that you’ve disabled SpamAssassin server wide. So spam is inevitably coming into your server, not being filtered, being forwarded to other networks, THEN being filtered… and those networks see your server as the source. The equation is that simple.
But let’s also look at ***@***.com for example. Apparently he went on vacation on the 17th. I know that because he set up an autoresponder:
-bash-3.2# pwd
/home/***/.autorespond
-bash-3.2# ls -la
-rw-r--r-- 1 *** *** 359 Oct 17 19:12 ***@***.com
…which says: “I am away from the office and unable to check email, I will return on October 23…”
Just so you know, it’s now November 8th and the autoresponder is still active. Also, he may have just modified the autoresponder on the 17th because I see log entries for his autoresponder as far back as September 14th. In that time, his autoresponder has responded to 1,288 messages.
Autoresponders themselves are “not smart” software, as they respond to everything. Autoresponders don’t know when to “shut up.” They’re programmed to respond to any message they receive. This means they respond to spam too. Spammers can easily spoof the sender of a message, to which your client’s autoresponder responds, essentially spamming an innocent party. On top of that, this user is forwarding copies of everything (he also has an email account on your server) to an @sbcglobal.net email address, which is a domain within the AT&T network.
Admittedly, I have no idea if this user and/or his autoresponder are causing or contributing to the problem or not. I can only make educated guesses based on what I see. Only AT&T knows for sure. But it’s certainly a good illustration of a combination of factors that can add up to negative consequences: no spam filtering, forwarding mail off-server, and using “not smart” software.
The first bit of evidence pointing to this user being responsible for the blocks is in the mail logs of when AT&T started blocking mail from your server. This user was the first of all your clients to be blocked by AT&T.
Second, here are the number of messages, per email address, that have been rejected by AT&T, according to your mail logs.
2 firstname.lastname@example.org
2 email@example.com
107 firstname.lastname@example.org
Again, I have no way to prove that this user is to blame. It could be a coincidence that his email was the first one blocked, but I doubt it. The evidence certainly suggests that his email configuration choices, combined with your own (no spam filtering, for instance) might cause AT&T to have issues with your VPS, problems only solved by blocking your server.
If I were you, I would enable SpamAssassin server-wide, choose the option that forces your clients to use it, login to each of their cPanel interfaces and confirm that it’s been enabled. I would remove the user’s autoresponder as well. Then I would contact AT&T and tell them everything you did.
Your clients need to understand that SMTP (email) is the most sensitive, most volatile, most poorly-designed, out-dated Internet protocol on Earth. That’s just the way it is. We can all thank spammers for exposing and exploiting all of its faults and failures and making what should be a simple protocol, a disastrously complicated one. Until someone replaces SMTP with something better, it’s all we’ve got.
If you want email to work for you and your clients, for it to be a useful, successful, profitable tool, it simply cannot be taken for granted. You can’t overlook security and smart choices in favor of convenience.
If your clients want to do whatever they want with their email, they should run their own mailservers out of their own offices. People do that all the time. You host the site, they manage their mail locally… a very common scenario. But if they want you to host their websites AND their mail too, then they have to comply with your terms… and you should set those terms smartly and strictly.
A mailserver in their own office belongs to just them, used by just them. They can set up whatever rules and practices they want, as they would only be hurting themselves if something went wrong. But on your VPS, your mailserver is shared by everyone on your VPS. It’s for that reason that you can’t open the “rules” up just to try and accommodate everyone. If a client doesn’t want his mail filtered for spam, then he should find a different place to host his mail… because your server does filter for spam, for the betterment of everyone. If you had an @hotmail.com address, you couldn’t tell Hotmail not to spam filter your account. That’s not in Hotmail’s best interest… and it’s not in yours to allow these sorts of requests either.
SpamAssassin will filter all of your email for spam. It will not, however, force your clients to do anything with it after it’s filtered. It will simply mark spam as spam, nothing more.
If they’re still forwarding it somewhere, the receiving mailserver may still consider it “new” spam, despite the fact that it’s already been labeled as such. It just depends on how those remote mailservers are configured and how “smart” they are (something on which you can’t always depend). So just because it’s been filtered and labeled as spam on your VPS, that doesn’t mean it’s safe to then forward to Hotmail, for instance. It is, after all, still spam. So…
Have your clients log into cPanel for each account and click on the SpamAssassin icon. On the resulting page, there’s an option to delete spam upon arrival. SpamAssassin is pretty robust and reliable; it’s been around a long time. So it’s no surprise that cPanel includes it in their software. The risk in missing a legitimate message is minimal.
If your clients still insist on forwarding mail, then implementing what I described above should be mandatory. If they want to simply retrieve their mail from your server, whether it be through popping the mail with Outlook or something similar, using IMAP (also with Outlook, Mac Mail, etc.) or using the webmail interface your VPS offers, then the option to delete spam upon arrival isn’t as vital.
Finally, autoresponders aren’t as potentially bad if they’re used sparingly, for short periods of time, and in conjunction with SpamAssassin. That being said, they still are what they are and will never be without risk. So use with caution is certainly smart.
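As an added example (not code from the ticket or from the blog), here is a small parser that reproduces the two log checks Mike describes above: the per-address count of deliveries AT&T rejected, and bounced locally submitted messages, which is what an autoresponder answering spoofed spam senders looks like in the log. It assumes the cPanel/Exim mainlog layout and runs over constructed sample lines, not the customer's real logs.

```python
import re
from collections import Counter

# Constructed sample lines approximating cPanel/Exim's mainlog (invented hosts, addresses, ids).
# A '**' line is a permanent delivery failure; when mail was forwarded, Exim appends the
# original local recipient in angle brackets after the address it tried to deliver to.
SAMPLE_LOG = """\
2023-11-07 09:14:02 1r0aAa-0001Ab-Cd <= spammer@example.net H=(unknown) [203.0.113.9] P=esmtp S=2210
2023-11-07 09:14:03 1r0aAa-0001Ab-Cd ** vacationer@sbcglobal.net <vacationer@example.com> R=dnslookup T=remote_smtp: SMTP error from remote mail server after initial connection: host mx.att.net [198.51.100.7]: 553 5.3.0 Blocked - see http://att.net/blocks
2023-11-07 09:31:40 1r0aCc-0001Ad-Gh <= spammer2@example.net H=(unknown) [203.0.113.77] P=esmtp S=3301
2023-11-07 09:31:41 1r0aCc-0001Ad-Gh ** vacationer@sbcglobal.net <vacationer@example.com> R=dnslookup T=remote_smtp: SMTP error from remote mail server after initial connection: host mx.att.net [198.51.100.7]: 553 5.3.0 Blocked - see http://att.net/blocks
2023-11-07 10:02:15 1r0aDd-0001Ae-Ij <= newsletter@example.net H=(unknown) [203.0.113.5] P=esmtp S=5120
2023-11-07 10:02:16 1r0aDd-0001Ae-Ij ** sales@att.net <sales@example.com> R=dnslookup T=remote_smtp: SMTP error from remote mail server after initial connection: host mx.att.net [198.51.100.7]: 553 5.3.0 Blocked - see http://att.net/blocks
2023-11-07 10:15:00 1r0aEe-0001Af-Kl <= vacationer@example.com U=vacationer P=local S=900
2023-11-07 10:15:01 1r0aEe-0001Af-Kl ** spammer2@example.net R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<spammer2@example.net>: 550 5.1.1 User unknown
"""

FAILURE_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) \*\* (?P<addr>\S+)(?: <(?P<orig>[^>]+)>)? .*$")
LOCAL_SUBMIT_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) .*\bP=local\b")

def parse_failures(log_text):
    """Yield (msgid, remote address tried, local address responsible, full line) per '**' line."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            yield m.group("msgid"), m.group("addr"), m.group("orig") or m.group("addr"), line

def count_rejections(log_text, marker="att.net/blocks"):
    """Per local address, how many forwarded messages the remote MTA rejected with `marker`
    (the URL in AT&T's 553 response). Mirrors a 'grep | sort | uniq -c' over the mainlog."""
    counts = Counter(local for _, _, local, line in parse_failures(log_text) if marker in line)
    return dict(counts)

def backscatter_candidates(log_text):
    """Locally submitted messages (P=local, e.g. autoresponder replies) that bounced: each is a
    reply to a sender address that did not exist, i.e. most likely a spoofed spam sender."""
    senders = {m.group("msgid"): m.group("sender")
               for m in map(LOCAL_SUBMIT_RE.match, log_text.splitlines()) if m}
    return [(senders[mid], addr) for mid, addr, _, _ in parse_failures(log_text) if mid in senders]

if __name__ == "__main__":
    for addr, n in sorted(count_rejections(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} {addr}")
    print("autoresponder bounces:", backscatter_candidates(SAMPLE_LOG))
```

Run it against `/var/log/exim_mainlog` by reading the file into `count_rejections`; the address with the highest count is the forwarder to look at first, and any entries from `backscatter_candidates` point at an autoresponder replying to forged senders.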