Blog: The Coder Corner

Rejected email and the political underpinnings

So, you find that your email is being rejected. Your first thought is to wonder why, and to try sending it again. After all, "services" are listening in everywhere and they may not like what they see, right?

Not so much.

More likely, your server is being used or abused by what is called a botnet: a network of infected machines, each running a small program (a bot) that waits for instructions from a command-and-control server somewhere else.

To put it another way, the bot is like a butler waiting to be told to serve dinner. Spam, in this case.

When this happens, indignation sets in and anger might even take over. The first knee-jerk reaction is to cancel your hosting and move elsewhere. How dare that hosting company run insecure servers?

Going elsewhere is surely the best move of your career!

... Probably not ...

All hosting companies have to deal with so-called blacklists (DNS-based blocklists, or DNSBLs); some carry a lot of weight, others next to none. The bigger the blacklist operator, the more receiving mail providers will listen to it.

Spamhaus and the CBL (Composite Blocking List, whose data feeds the Spamhaus XBL) are the top dogs in this arena. Send an email to an Outlook server and Outlook/Microsoft will first check whether your sending IP is listed with the CBL or Spamhaus. If it is, the message is refused during the SMTP conversation and bounces back to you with a blunt error message stating that your email is not acceptable because it comes from a server with a bad reputation.

Hence the knee-jerk reaction to change hosting on the spot.

Is that the right solution? Probably not. Your first step should be to take that error message to your hosting company. That alerts them to the fact that something is going on.
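The check Outlook/Microsoft performs is a DNS lookup against the blocklist zone, and it is the same lookup a hosting company can run itself to keep an eye on its IPs. The script below is an added example, not code from this post or from Spamhaus: it builds the DNSBL query name for an IPv4 address, decodes the answer using the return codes Spamhaus documents for zen.spamhaus.org (its combined SBL/XBL/PBL zone), and can do a live lookup. The address 203.0.113.5 is a documentation address used only for illustration; 127.0.0.2 is the standard DNSBL test entry that every list reports as listed.

```python
"""Check whether a sending IP is listed on Spamhaus ZEN, the way a
receiving mail server does. Added example; not COOLCOM's or Spamhaus's code."""
import ipaddress
import socket
from typing import Iterable

ZEN_ZONE = "zen.spamhaus.org"

# Return codes documented by Spamhaus for zen.spamhaus.org.
ZEN_CODES = {
    "127.0.0.2": "SBL: Spamhaus-maintained spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sender",
    "127.0.0.4": "XBL: CBL data (compromised host or bot)",
    "127.0.0.5": "XBL: CBL data (compromised host or bot)",
    "127.0.0.6": "XBL: CBL data (compromised host or bot)",
    "127.0.0.7": "XBL: CBL data (compromised host or bot)",
    "127.0.0.10": "PBL: ISP policy, end-user / dynamic address space",
    "127.0.0.11": "PBL: Spamhaus policy, address should not send mail directly",
}
# Special answers that mean "your query was rejected", not "you are listed".
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via an open/public resolver; use your own resolver",
    "127.255.255.255": "query volume exceeded; Spamhaus refused the lookup",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Octets reversed, zone appended: 203.0.113.5 -> 5.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answers(answers: Iterable[str]) -> dict:
    """Turn the A records returned by the DNSBL into a verdict.
    No records at all (NXDOMAIN) means 'not listed'."""
    result = {"listed": False, "reasons": [], "error": None}
    for a in answers:
        if a in ZEN_ERRORS:
            result["error"] = ZEN_ERRORS[a]
        elif a in ZEN_CODES:
            result["listed"] = True
            result["reasons"].append(ZEN_CODES[a])
        else:
            # Any other 127.0.0.0/8 answer is still a listing; flag it as unknown.
            result["listed"] = True
            result["reasons"].append(f"unknown return code {a}")
    return result


def check_ip(ip: str, zone: str = ZEN_ZONE) -> dict:
    """Live lookup. Needs network access and a resolver of your own:
    Spamhaus answers 127.255.255.254 to queries from public resolvers."""
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        # NXDOMAIN: the address is not on the list.
        return interpret_answers([])
    return interpret_answers(sorted({info[4][0] for info in infos}))


if __name__ == "__main__":
    import sys
    # With no arguments, query the always-listed test entry 127.0.0.2.
    for ip in sys.argv[1:] or ["127.0.0.2"]:
        verdict = check_ip(ip)
        print(ip, "->", "LISTED" if verdict["listed"] else "not listed",
              verdict["reasons"] or verdict["error"] or "")
```

Run it from a cron job against each of your outbound IPs and you learn about a listing before your customers' bounces do. An XBL/CBL code is the one this post is about: it means "a bot was seen on this address", not "spam was seen from it".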

On a shared hosting plan, you share your server (and its single IP address) with many others. You, or more likely someone else, is running an infected website. In today's world an infected iPhone, Android, tablet, PC or Mac can also be the culprit: a device that has had its mailbox password stolen can send spam through the server, and the server's IP takes the blame.

At that moment, a small light should start to shine. Perhaps it's not the hosting company with its "infected" server that is to blame.

Let's take a look at what the hosting company will do when they get your error message.

Big companies will simply blame you, the customer, for not running a tight ship and claim there is nothing they can do. If that is the answer you get, then indeed it is time to change hosting company.

Then you have the others (Coolcom is one of them).

They will look at your website first. If it is infected with something, they will tell you and should offer to help you out. That will often come at a cost; they don't work for nothing.

Their next step is to get their IP delisted at the blacklist operator. That may take a few hours, during which email can be severely impacted.

Companies like Spamhaus offer woefully little insight into what or who is to blame, partly because they cannot see what is on a server, only what comes out of it.

They will answer with something like this:

"This IP address was detected and listed 8 times in the past 28 days, and 1 times in the past 24 hours. The most recent detection was at Thu Apr 19 23:35:00 2018 UTC +/- 5 minutes"

So for eight hits on a specific IP address they blacklist the server and disrupt normal business for everyone on it. Not cool.

Their explanation then continues with:

"This IP address is infected with or NATing for an infection of "Eitest". This IP address is probably a web server where one or more virtual hosts have been infected using an exploit kit (eg: angler, empire, RIG) using EItest protocols to download, install and operate malicious code, such as gootkit, dreambot, ramnit, vawtrak, cryptXXX - infostealers, ransomware etc."

Also a nice statement, but with no substance. At this point the hosting company only knows that someone or something on its server is infected, but not what it is or where it is.
In the case of a bot, the culprit is not even visibly active: a single check-in by the bot (here, to the researchers' sinkhole) per 24 hours is enough to get the server listed again.

The blacklist company then tries to be more helpful, proposing tools like Windows Defender or Norton Power Eraser. Those are tools for individual Windows machines, not for Linux-powered shared hosting servers.

So we, the hosting companies, also have a quick reaction: block outbound connections to the specific IP address that Spamhaus uses for detection in the firewall and we're good, right? Not so much.

"We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP address[es] given above. These IP address[es] are of sinkholes operated by malware researchers. In other words, they are "sensors" (only) run by "the good guys". The bot "thinks" its [sic] a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, will still be able to connect to command and control servers under the botnet owner's control, and they will STILL be stealing your users/customers personal information, including banking information to the criminal bot operators."

However, a firewall rule for that specific IP address need not drop the traffic at all: a logging rule puts an entry in the firewall logs whenever something on the server talks to the sinkhole, and that entry can point us to the real culprit.

So we put traps in place: log any connection from our server to the sinkhole IP address indicated by Spamhaus, and wait.

Then wait some more, and some more.

As you can see from the first quote from Spamhaus, 8 times in 28 days is only twice a week. No hosting company is going to have someone staring at a screen until something pops up. Hence the traps.

We run a script that tells us what is going on and where. In the end we find the account/website guilty of getting us blacklisted. Then steps are taken to clean up the mess and we are open for business again.
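What such a trap and script can look like, as an added example rather than COOLCOM's own script: an iptables LOG rule (log only, no DROP, so the bot keeps beaconing and the researchers' sensor keeps working, as Spamhaus asks) with `--log-uid`, which makes the kernel record the Unix user that generated each outbound packet; a script then reads the kernel log, keeps the lines for the sinkhole address, and counts hits per hosting account. The sinkhole address 192.0.2.10, the host name web1, the UID-to-account table and the log lines are all constructed for the example.

```python
"""Find which hosting account is phoning home to a malware sinkhole, from
iptables LOG lines. Added example; not the COOLCOM script."""
import re
from collections import Counter

# Assumed trap rule on the server (logs, does NOT drop):
#   iptables -I OUTPUT -d 192.0.2.10 -j LOG --log-prefix "SINKHOLE " --log-uid
SINKHOLE_IPS = {"192.0.2.10"}  # constructed sinkhole address

# Constructed UID -> hosting account map; in practice read /etc/passwd.
ACCOUNTS = {1001: "bakery-shop", 1002: "law-office", 1003: "travelblog", 33: "www-data"}
# UIDs shared by every site (mod_php under Apache runs as www-data): a hit here
# only tells you "the web server", so the timestamp must be matched to access logs.
SHARED_WEB_UIDS = {33}

# Constructed sample of /var/log/kern.log after the rule fired.
SAMPLE_LOG = """\
Apr 19 23:34:58 web1 kernel: [112233.118] SINKHOLE IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Apr 19 23:35:01 web1 kernel: [112236.402] SINKHOLE IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Apr 20 01:12:07 web1 kernel: [118402.907] SINKHOLE IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5820 DF PROTO=TCP SPT=40022 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Apr 20 03:00:11 web1 kernel: [124907.221] SINKHOLE IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6001 DF PROTO=TCP SPT=40100 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Apr 20 04:30:00 web1 kernel: [130296.003] UFW BLOCK IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SINKHOLE .*?"
    r"DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dport>\d+).*?UID=(?P<uid>\d+)"
)


def parse_line(line: str):
    """Return the fields of one SINKHOLE log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["dport"] = int(rec["dport"])
    return rec


def sinkhole_hits(log_text: str, sinkholes=SINKHOLE_IPS) -> list:
    """All logged connections whose destination is a known sinkhole address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in sinkholes:
            rec["account"] = ACCOUNTS.get(rec["uid"], f"uid:{rec['uid']}")
            rec["needs_access_log"] = rec["uid"] in SHARED_WEB_UIDS
            hits.append(rec)
    return hits


def rank_accounts(hits: list) -> list:
    """Accounts ordered by number of sinkhole contacts, most suspicious first."""
    return Counter(h["account"] for h in hits).most_common()


def report(log_text: str = SAMPLE_LOG) -> str:
    hits = sinkhole_hits(log_text)
    lines = [f"{len(hits)} sinkhole contact(s) logged"]
    for account, n in rank_accounts(hits):
        lines.append(f"  {account}: {n} hit(s)")
    for h in hits:
        if h["needs_access_log"]:
            lines.append(f"  {h['ts']}: shared web user {h['account']}, "
                         f"match this time against the vhost access logs")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the sample, the account "travelblog" is the one beaconing, and the one hit attributed to www-data shows the limit of the method: where every site's PHP runs as the same user, the UID names the web server and not the customer, and the timestamp has to be matched against the per-vhost access logs (or the site moved under suEXEC, php-fpm pools or similar per-account users so the UID becomes meaningful).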

So the name Spamhaus implies that it is all about spam... According to Spamhaus:

"Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent."

So no email was sent, and yet we as a hosting company end up on a blacklist that stops us from doing business. That is fundamentally wrong. While understandable from all sides, it is still a rotten situation. A hosting company can be put out of business because one of its clients is (unknowingly) sending out the wrong data or making the wrong connection to the internet.

That doesn't sound justified.

The only defence we have against this is to stay as close as we can to our servers, monitor the blacklists and the possible causes of a listing, and delist when allowed. Not all blacklist operators allow delisting, which is an even worse form of hostage-taking in my opinion.

What can you do for yourself? Well, there are a few possibilities, but most come with a cost.

Make sure your website software is up to date and not hacked. If it has been hacked, clean it up or replace it with a clean copy of your site.

Clean the garbage out of your email. Accounts that hold gigabytes of unused email are an easy playground for hackers and attackers.

Keep your personal machines and devices free of infections. Here (and only here) is where Norton Power Eraser or Microsoft Defender are useful. Personally I use Malwarebytes if I suspect that either of those programs has left something undesirable behind.

At a cost, you can order your own dedicated IP address, which won't be blacklisted as long as you do nothing wrong. Keeping everything clean is still mandatory.

Getting your own email IP means that only you are responsible for the email that leaves it. If someone else has a spam problem and gets blacklisted, that won't affect you.

Henk von Pickartz
