
Alfa1 05-27-2008 10:00 PM

How to keep your board from getting blacklisted as a spammer.
 
If your board does not comply with the bulk mail rules of large email providers, then all email from your board to these email providers may get banned.

The way you handle your email protocols and email subscriptions is vital to the well-being of your board. Many boards are not even aware that they are being punished by large email providers for the way the boards are handling their email. Have you ever noticed that mail to a specific email provider often does not arrive? If so, then it's likely that your site has been listed as a spammer. Email providers do share their spammer lists with other email providers.

If you want to resolve or prevent this, then let's inspect the bulk mail rules of the major email providers. I have extracted them and summed them up for you. My clarifications to the mail rules are in blue.


Hotmail:

There must be a simple method to terminate a subscription.
Mailing list administrators must provide a simple method for subscribers to terminate their subscriptions, and administrators should provide clear and effective instructions for unsubscribing from a mailing list. Mailings from a list must cease promptly once a subscription is terminated. This can be by a link, the receiver has to click on, or a valid Re: address.


*vBulletin has this function built in to terminate subscriptions, so this will not cause problems in this regard. However, there is no functionality to let members automatically unsubscribe themselves from admin mailings. Fortunately Kirk made this hack: Unsubscribe link in Administrative Mail (vb 3.7 and lower only)

There should be alternative methods for terminating a subscription.
Mailing list administrators should make an "out of band" procedure (e.g., an email address to which messages may be sent for further contact via email or telephone) available for those who wish to terminate their mailing list subscriptions but are unable or unwilling to follow standard automated procedures.


*This is something you will need to fix yourself, by editing the template. A good way to resolve this is to add a text to the email message that explains how to remove subscriptions by going to the userCP.

Undeliverable addresses must be removed from future mailings.
Mailing list administrators must ensure that the impact of their mailings on the networks and hosts of others is minimized. One of the ways this is accomplished is through pruning invalid or undeliverable addresses.


*This is a vital issue that needs to be resolved, especially if you have a big board. If you are sending out a large amount of subscriptions and other email, then there will be a lot of outdated and false emails in your database. If you keep sending email to nonexistent email addresses, then the risk of getting banned by email providers is very large.

Unfortunately vBulletin does not have a function for this and there is no hack that automatically resolves this problem. However, I highly recommend that you install Anti-Virus's EZ Bounced Email Management for Admins.


Mail volume must take recipient systems into account.
List administrators must take steps to ensure that mailings do not overwhelm less robust hosts or networks. For example, if the mailing list has a great number of addresses within a particular domain, the list administrator should contact the administrator for that domain to discuss mail volume issues.


This only seems to be an issue for very large or local boards.

Steps must be taken to prevent use of a mailing list for abusive purposes.
The sad fact is that mailing lists are used by third parties as tools of revenge and malice. Mailing list administrators must take adequate steps to ensure that their lists cannot be used for these purposes. Administrators must maintain a "suppression list" of email addresses from which all subscription requests are rejected. The purpose of the suppression list would be to prevent forged subscription of addresses by unauthorized third parties. Such suppression lists should also give properly authorized domain administrators the option to suppress all mailings to the domains for which they are responsible.


*vBulletin has this function built in, so this will not cause problems.


The nature and frequency of mailings should be fully disclosed.

List administrators should make adequate disclosures about the nature of their mailing lists, including the subject matter of the lists and anticipated frequency of messages. A substantive change in the frequency of mailings, or in the size of each message, may constitute a new and separate mailing list requiring a separate subscription.


*You should describe in your email text to which email address the email has been sent, why the recipient is receiving the email, from whom (include your URL) and how often.

In addition, e-mail sent, or caused to be sent, to or through the Services may not:
• use or contain invalid or forged headers;
• use or contain invalid or non-existent domain names;
• employ any technique to otherwise misrepresent, hide or obscure any information in identifying the point of origin or the transmission path;
• use other means of deceptive addressing;
• use a third party's internet domain name, or be relayed from or through a third party's equipment, without permission of the third party;
• contain false or misleading information in the subject line or otherwise contain false or misleading content;
• fail to comply with additional technical standards described below; or
• otherwise violate the applicable Terms of Use for the Services.


Basically this means that you need to make sure that the way you are sending your email makes sense. If the way your server, domain, URL and email address are set up is not consistent, this may lead the email provider to throw your site on their spammers list. Some considerations:
Is the domain on your server the same as the url of your website?
Is the sender email address of the same extension as your website?
Is the sender email address reachable?
Is the bounce email address of the same extension as your website?
Is the bounce email address reachable?

Since vb 3.7 there is an option to define a bounce email address. Many thanks to Jelsoft for adding this!


CAN-SPAM act:
What the Law Requires
Here's a rundown of the law's main provisions:
• It bans false or misleading header information. Your email's "From," "To," and routing information -- including the originating domain name and email address -- must be accurate and identify the person who initiated the email.
• It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
• It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an opt-out request, the law gives you 10 business days to stop sending email to the requestor's email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it's illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.


*These 3 points have been discussed above.

• It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

*If you are sending advertisements or messages of commercial nature, you must include the above information in your email text message.

Hotmail has a special programme for senders. More information and subscription can be found here: http://postmaster.msn.com/Services.aspx

Yahoo!

• Remove email addresses that bounce.

*As discussed above, this is a vital issue. See above for more information.


• Examine your retry policies.

Your retry policies are:
A. How often you resend email. Simply use common sense and do not send the same message to the same email twice unless it is essential to do so.
B. How often your server retries to send email. Since this is a server setting consult your server admin or your hosting co to make sure settings are correct.


• Pay attention to the responses from our SMTP servers.

*Responses from SMTP servers are sent as email to your bounce email address. Unfortunately vBulletin does not have functionality for this. I highly recommend installing Anti-Virus's EZ Bounced Email Management for Admins mod.

• Don't send unsolicited email. In this process, after you receive a subscription request, you send a confirmation email to that address which requires some affirmative action before that email address is added to the mailing list.

*vBulletin has this function built in.

• Provide a method of unsubscribing from your list in each mail you send.


*This is discussed above.

• Ensure that your mail servers are not open relays, and that your servers attempt to detect and deny connections to open proxies

*This is a vital issue as well. Although (if properly configured) vbulletin will not allow open relays, there are addons that allow bots & spammers to send email/spam through your site, there are hacks & mods that do allow third parties to use your site for a spamming spree. This should be avoided in any case. Often these problems will come to light by examining your catchall email address.

If a spammer is using your site's functions to send spam, then study each problem and resolve the vulnerability. Please alert the creator of the mod, so that others will not encounter the same problems.

Explanation:
Normally an open relay would mean that your smtp mail server accepts requests without authorization. i.e. anybody can access it and send email from it. This can be tested through many online sites. Google it.

With vbulletin and its addons however, there are other open relay options, through pages that have a function to send email. Make sure that guests cannot use the 'Use Email to Friend' function anywhere on your site. I'd recommend turning this off for newbies as well.

Then go to your catchall email address. This is the standard email address where all bounced email arrives at. Often this is user@domain.com. Ask your host if you do not know.

Have a look at the emails that got bounced and should not have been sent by you. You may see spam sent from your server, that was then bounced back to your catchall address, because the addressee does not exist. This is where it gets interesting.
Review the message, the headers and the raw view. Find the path used to send the email and specifically the mail script that was used. The mail script often indicates that there is a script in one of your add-ons that allows spammers to send email through your site.

See if you can identify the script and the addon it is part of. If so, then first see if you can correct this by changing the setting of that addon. If yes, then post about it in the relevant thread / site to give others a heads up. If not, then let the coder know that there may be a problem with the addon.


Gmail:
Authentication & Identification
To ensure that Gmail can identify you:
• Use a consistent IP address to send bulk mail.
• Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.


*Please make sure your server admin has these settings right.

• Use the same address in the 'From:' header on every bulk mail you send.

*This speaks for itself.

We also recommend publishing an SPF record, and signing with DomainKeys.
For SPF see: http://www.openspf.org/


*SPF is a very interesting and handy concept. Basically you register how your email is sent. So if there is email sent from another email address, IP, domain, protocol, etc, then email providers will disregard the email. This can come in mighty handy if a spammer is using your email address or domain for spamming.

Subscription
Each user on your distribution list should opt to receive messages from you in one of the following ways (opt-in):
• Through an email asking to subscribe to your list.
• By manually checking a box on a web form, or within a piece of software.
We also recommend that you verify each email address before subscribing them to your list.


*As discussed above.

The following methods of address collection are not considered 'opt-in' and are not recommended:
• Using an email address list purchased from a third-party.


*Speaks for itself.

• Setting a checkbox on a web form or within a piece of software to subscribe all users by default (requiring users to explicitly opt-out of mailings).

*In other words;
adminCP -> vbulletin options -> User registration options -> default registration options
should not have "automatic thread subscription" set to receive email notification.


Unsubscribing
A user must be able to unsubscribe from your mailing list through one of the following means:
• A prominent link in the body of an email leading users to a page confirming his or her unsubscription (no input from the user, other than confirmation, should be required).


*As described above.

• By replying to your email with the word 'unsubscribe' in the body of the message.

*This can be done by keeping an eye on your webmaster email address. It is my experience that virtually no one uses this method. If your experience is different, then please let me know by posting here.

To help ensure that your messages aren't flagged as spam, we also recommend that you:
• Automatically unsubscribe users whose addresses bounce multiple pieces of mail.


*As described above.

• Periodically send confirmation messages to users.

*Since members can unsubscribe in their userCP, this does not seem needed to me. There surely is no way for Gmail to check if you do this.

• Include each mailing list they are signed up for, and offer the opportunity to unsubscribe from those in which they are no longer interested.
• Provide a 'List-Unsubscribe' header which points to a web form where the user can unsubscribe easily from future mailings (Note: This is not a substitute method for unsubscribing).


*As described above.

It's possible that your users forward mail from other accounts, so we recommend that you:
• Explicitly indicate the email address subscribed to your list.


*In your email message text you need to describe which email address the email is sent to.

• Support a URL method of unsubscribing from your mailing list (this is beneficial if your mailing list manager can't tell who is unsubscribing based on the 'Reply-to:' address).

*Add a text to the email message that explains how to remove subscriptions by going to the userCP.
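
The catchall review described in the post above (reading each bounce's headers to find the mail script that sent the message), as an added example that is not part of the original post. It assumes the server's PHP writes the `X-PHP-Originating-Script` header (`mail.add_x_header = On`); the script names, the allowlist and the sample bounces are constructed for illustration.

```python
"""Tally which PHP script produced the messages bouncing into the catchall."""
from collections import Counter
from email import message_from_string

# Hypothetical allowlist: the only script on this site expected to send mail.
EXPECTED_SENDERS = {"forum_mailer.php"}
SCRIPT_HEADER = "X-PHP-Originating-Script"  # written by PHP when mail.add_x_header=On


def original_headers(bounce):
    """Yield the headers of the returned message quoted inside one bounce."""
    for part in bounce.walk():
        if part.get_content_type() == "text/rfc822-headers":
            # Headers-only return: the part body is the original header block.
            yield message_from_string(part.get_payload())
        elif part.get(SCRIPT_HEADER):
            # Full return: walk() descends into the message/rfc822 attachment.
            yield part


def trace_scripts(raw_bounces):
    """Return (per-script counts, scripts outside the allowlist, sample subjects)."""
    counts, subjects = Counter(), {}
    for raw in raw_bounces:
        for headers in original_headers(message_from_string(raw)):
            value = headers.get(SCRIPT_HEADER)
            if not value:
                continue
            # Header value is "uid:script.php"; keep only the script name.
            script = value.split(":", 1)[-1].strip()
            counts[script] += 1
            subjects.setdefault(script, headers.get("Subject", ""))
    suspects = sorted(s for s in counts if s not in EXPECTED_SENDERS)
    return counts, suspects, subjects


def sample_bounce(script, subject, returned_as="message/rfc822"):
    """Build a constructed bounce: a notice plus the returned original message."""
    return (
        "From: MAILER-DAEMON@mail.example.org\n"
        "To: catchall@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nThe address does not exist.\n"
        f"--b1\nContent-Type: {returned_as}\n\n"
        "From: webmaster@example.org\n"
        f"Subject: {subject}\n"
        f"{SCRIPT_HEADER}: 1001:{script}\n"
        "\nbody\n"
        "--b1--\n"
    )


# Constructed mailbox contents: two bounces of mail the board never meant to
# send, and one bounce of an ordinary thread notification.
SAMPLES = [
    sample_bounce("addon_tellafriend.php", "You have been selected"),
    sample_bounce("addon_tellafriend.php", "You have been selected", "text/rfc822-headers"),
    sample_bounce("forum_mailer.php", "Reply to thread 'Welcome'"),
]

if __name__ == "__main__":
    counts, suspects, subjects = trace_scripts(SAMPLES)
    for script, n in counts.most_common():
        flag = "UNEXPECTED" if script in suspects else "expected"
        print(f"{n:3d}  {script:24s} {flag:10s} e.g. {subjects[script]!r}")
```

A script that shows up outside the allowlist is the add-on to inspect first, as the post describes.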

Alfa1 05-27-2008 11:48 PM

Format
• All bulk messages you send must be formatted according to RFC 2822 SMTP standards and, if using HTML, w3.org standards.
• Messages should indicate that they are bulk mail, using the 'Precedence: bulk' header field.


*Speaks for itself.

• Attempts to hide the true sender of the message or the true landing page for any web links in the message may result in non-delivery.

*Do not spoof email addresses or links. Duh!

• The subject of each message should be relevant to the body's content and not be misleading.


*Speaks for itself.

Now the most important thing for Gmail that needs to be properly communicated to your members:
Delivery
While Gmail works hard to deliver all legitimate mail to a user's inbox, it's possible that some legitimate messages may be marked as spam. Gmail does not accept 'whitelisting' requests from bulk senders, and we can't guarantee that all of your messages will bypass our spam filters. To make sure our users receive all the mail they'd like to, we've provided them with a method for sending us feedback about messages flagged as spam -- users have the option of clicking a 'Not spam' button for each message flagged by our spam filters. We listen to users' reports, and correct problems in order to provide them with the best user experience. As long as our users don't consider your mail as spam, you shouldn't have inbox delivery problems.
There are two important factors that, under normal circumstances, help messages arrive in Gmail users' inboxes:
• The 'From:' address is listed in the user's Contacts list.
• A user clicks 'Not Spam' to alert Gmail that messages sent from that address are solicited.

*Instruct your members to mark email from your site as ‘not spam’ and to add your webmaster email to their contacts. If enough Gmail users mark your messages as spam, then you have a problem.

If you send both promotional mail and transactional mail relating to your organization, we recommend separating mail by purpose as much as possible. You can do this by:
• Using separate email addresses for each function.
• Sending mail from different domains and/or IP addresses for each function.
By using these tips, it's more likely that the important transactional mail will be delivered to a user's inbox. Our guidelines are meant to help you build a good reputation within the Gmail system, resulting in continual delivery to Gmail inboxes.


*This speaks for itself.

Third-Party Senders
If others use your service to send mail (for example: ISPs), you are responsible for monitoring your users and/or clients' behavior.
• You must have an email address available for users and/or clients to report abuse (abuse@yourdomain.com).
• You must maintain up-to-date contact information in your WHOIS record, and on abuse.net.
• You must terminate, in a timely fashion, all users and/or clients who use your service to send spam mail.


*IMHO, unless you allow your members to have a site based email address (branded email), there should be no reason why third parties would be allowed to use your domain to send email. That's inviting spammers.
Offering branded email to your members is only wise if you can put a considerable amount of trust in your members.

AOL:
Conditions To Bulk Sender Status

The whitelist is designed to help America Online work with organizations and individuals who send out a high volume of solicited email. Whitelist status protects mail originating from whitelisted IP Addresses from some, but not all, of AOL’s proprietary processes for protecting its Members and its network from unsolicited bulk email (UBE). View America Online's Unsolicited bulk e-mail guidelines. Thus, whitelist status exempts an IP address from certain blocking filters, but does not guarantee delivery of mail originating from such addresses. To participate in the AOL whitelist program, you must adhere to certain technical and other requirements, as stated below.


*See if your site can be added to AOL’s whitelist.

Please read the following terms carefully before clicking "I agree" to proceed to the whitelist request form.

Technical Requirements
• All e-mail must be RFC compliant.
• All e-mail servers connecting to AOL's mail servers must have valid reverse DNS records.


*Speaks for itself.

• All e-mail servers connecting to AOL's mail servers must be secured to prevent unauthorized or anonymous use.

*So no open relays. See my remarks above.

• Direct connections from dynamically assigned IP addresses or residential customers to AOL's mail servers may not be accepted.

*AOL basically says that their system is so twisted that even they do not accept their own IP’s. So do not host on AOL. Do not send mail from a dynamic IP, like AOL has.

• Organizations may not hard code AOL's mx records into their configuration files.
• An organization's mail servers must send a minimum of 100 emails per month to maintain whitelist status.


*Speaks for itself.

E-mail Formatting Requirements:
• Email originating from the whitelisted IP Address must be compliant with the federal Can Spam Act of 2003, available at http://www.spamlaws.com/federal/can-spam.shtml.
• Persons transmitting mail from the whitelisted IP Address must not do anything that tries to hide, forge or misrepresent the sender of the e-mail and sending site of the e-mail.


*Speaks for itself.

• Bulk mailings must specifically state how the AOL members' e-mail addresses were obtained and must indicate the frequency of the mailing. Such details as the date and time when the e-mail address was obtained along with the IP address of the subscriber and the web site they visited to sign-up must be made available to AOL upon request.

As discussed above. IMHO the inclusion of the member's IP address is dubious, but you might feel otherwise.

• Bulk mailings should contain simple and obvious unsubscribe mechanisms. We recommend that this be in the form of a working link to a one-click unsubscribe system; however, a valid "reply to:" address may be used instead.

*As discussed above.

• All subscription based e-mail must have valid, non-electronic, contact information for the sending organization in the text of each e-mail including phone number and a physical mailing address.

*Include the physical address of your organisation, in the email text.

Policy and Procedural Requirements:
• All bulk e-mail to AOL members must be solicited, meaning that the sender has an existing and provable relationship with the e-mail recipient and the recipient has not requested not to receive future mailings from the sender. Documentation of the relationship between the sender and the recipient must be made available to AOL upon request.
• Any e-mail sent to AOL members must conform to AOL's Community Guidelines (http://legal.web.aol.com/aol/aolpol/comguide.html).
• Persons sending bulk mail from the whitelisted IP Address must immediately remove any e-mail address which causes a permanent failure "bounce" message to be generated.
• If a whitelisted IP Address generates member complaints, bounces in excess of 10% of their mail or fails to accept those bounces, the whitelist status may be revoked for that IP Address. A pattern of such abuses common to a single organization may result in the revocation of whitelist status for some or all of that organization's IP Addresses.
• In no way does the posting of these requirements imply any affiliation, membership, sponsorship or endorsement of business or activities/practices of an organization by AOL.
• Periodic audits of mail, complaint, bounce and bounce acceptance volumes may result in removal of an IP Address or of an organization’s IP Addresses from AOL's whitelist without notice.



*This speaks for itself or is discussed above.

So in summary this has the following effect on your email text:
- add a text to the email message that explains how to remove subscriptions by going to the userCP.
- You should describe in your email text to which email address the email has been sent,
- why the recipient is receiving the email,
- from whom (include your URL) the email is sent
- how often the email will be sent
- If you are sending advertisements or messages of commercial nature, you must include the above information in your email text message.
- Include the physical address of your organisation, in the email text.

If you are blacklisted by an email provider then start with this:

Check your catchall email address:
Please go to your catchall email address and see what's in there. If it is full of spam or bounced emails then this is a good indication of your problems. If there is spam, then see where it comes from:
- The kind of email addresses. Is a spammer using your email addresses to fake the sender address? If so, then start by making an SPF. (see above)
- How was it sent? Check the header / raw view of the email messages to see if they were sent through a page / script on your site. If so, then you have open relays that you need to close.

Deactivate accounts with inactive email addresses:
The most likely problem is that you have a lot of members with inactive email addresses. The way to solve this is:
1. Install EZbounced email management.
2. Make sure that your Bounce Email Address is a different one than the email address you send your emails from. See adminCP -> vbulletin options -> email options.
3. Then send out a mass email to all your members.
4. Go to your Bounce Email Address to process the bounced email.
5. Check the bounced messages for the reason why each email address is bouncing and decide if the account needs to be deactivated.

This works well, but the downside is that if you have a lot of members then this will be a lot of work. When I did this, I got thousands of bounced emails to process. See if you can safely share this email account with other admins and share the work. Note that if you do not make a different Bounce Email Address, and are using your catchall account, then the password of this account is often the same as directadmin login and there is a security risk in sharing that.

There is another modification that can be of help: Auto Bounce Messages Management
It automates the process, but the downside is that it currently deactivates all accounts with bounced mail (even when it's just a full inbox) and does not alert the deactivated members why their account is inactive and what they can do to activate their account. So if you choose this mod, then get ready for a flood of questions and confused members.

Then go through all points in the article and make sure they are in good order.
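
Step 5 of the procedure above (check why each address bounces before deactivating the account), as an added example that is not part of the original post or of either mod it mentions. It reads the `Status` field of each delivery status notification so that a full inbox is not treated like a dead address; the soft-bounce limit, the handling of `5.2.2` and the sample messages are assumptions constructed for illustration.

```python
"""Decide per address whether bounces justify deactivating the account."""
from collections import defaultdict
from email import message_from_string

SOFT_LIMIT = 3              # assumed policy: soft bounces tolerated before review
SOFT_PERMANENT = {"5.2.2"}  # mailbox full: sent as 5.x.x but usually temporary


def recipient_reports(raw_bounce):
    """Yield (address, status, diagnostic) for each per-recipient DSN block."""
    # walk() also visits the header blocks inside message/delivery-status.
    for part in message_from_string(raw_bounce).walk():
        final = part.get("Final-Recipient")
        if final:
            address = final.split(";", 1)[-1].strip().lower()
            yield address, part.get("Status", "").strip(), part.get("Diagnostic-Code", "")


def classify(status):
    """Map an enhanced status code (RFC 3463) to hard / soft / unknown."""
    if status.startswith("5.") and status not in SOFT_PERMANENT:
        return "hard"
    if status.startswith(("4.", "5.")):
        return "soft"
    return "unknown"


def triage(raw_bounces):
    """Return {address: 'deactivate' | 'review' | 'keep'}."""
    tally = defaultdict(lambda: {"hard": 0, "soft": 0, "unknown": 0})
    for raw in raw_bounces:
        for address, status, _diagnostic in recipient_reports(raw):
            tally[address][classify(status)] += 1
    decisions = {}
    for address, seen in tally.items():
        if seen["hard"]:
            decisions[address] = "deactivate"   # permanent failure: stop mailing
        elif seen["soft"] >= SOFT_LIMIT:
            decisions[address] = "review"       # keeps failing: admin decides
        else:
            decisions[address] = "keep"         # e.g. one full inbox
    return decisions


def sample_dsn(recipient, status, diagnostic):
    """Build a constructed delivery status notification for one recipient."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: bounces@example.org\n"
        "Subject: Delivery Status Notification (Failure)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"\n'
        "\n--dsn\nContent-Type: text/plain\n\nDelivery to the recipient failed.\n"
        "--dsn\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n"
        "\n"
        f"Final-Recipient: rfc822; {recipient}\n"
        "Action: failed\n"
        f"Status: {status}\n"
        f"Diagnostic-Code: smtp; {diagnostic}\n"
        "\n--dsn--\n"
    )


# Constructed bounce mailbox after one mass mailing plus two later notices.
SAMPLES = [
    sample_dsn("ghost@example.com", "5.1.1", "550 5.1.1 User unknown"),
    sample_dsn("full@example.com", "5.2.2", "552 5.2.2 Mailbox full"),
] + [sample_dsn("slow@example.com", "4.4.1", "451 4.4.1 Connection timed out")] * 3

if __name__ == "__main__":
    for address, decision in sorted(triage(SAMPLES).items()):
        print(f"{decision:10s} {address}")
```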

Princeton 05-28-2008 11:53 AM

thanks for sharing - very helpful article

Shaheen 05-30-2008 10:06 PM

Nice and useful article. Thanks

ahayat 05-31-2008 03:39 AM

Nice and very informative. I often think about bounced e-mails; especially the YAHOO server has a big problem. Thanks a lot, mate, for posting such a useful article. Cheers
Bye

R-n-R 06-07-2008 02:46 PM

Thank you VERY MUCH for taking the time to put this article together, very good info!

Infopro 06-24-2008 03:40 PM

Well done. :up:

Hornstar 07-11-2008 01:03 AM

I am going to buy a PO Box, as I don't want to give away my home address. OR would a PO box not be acceptable either?

aisais 07-11-2008 03:07 AM

Thank you very much. I learned a lot from this article.

Alfa1 07-12-2008 06:28 AM

A PO box is a valid address.


ARTICLE UPDATED!

