How to keep your board from getting blacklisted as a spammer.
Alfa1, 05-27-2008, 10:00 PM

If your board does not comply with the bulk mail rules of large email providers, then all email from your board to these email providers may get banned.

The way you handle your email protocols and email subscriptions is vital to the well-being of your board. Many boards are not even aware that they are being punished by large email providers for the way the boards are handling their email. Have you ever noticed that mail to a specific email provider often does not arrive? If so, then it's likely that your site has been listed as a spammer. Email providers do share their spammer lists with other email providers.

If you want to resolve or prevent this, then let's inspect the bulk mail rules of the major email providers. I have extracted them and summed them up for you. My clarifications to the mail rules are in blue.


Hotmail:

There must be a simple method to terminate a subscription.
Mailing list administrators must provide a simple method for subscribers to terminate their subscriptions, and administrators should provide clear and effective instructions for unsubscribing from a mailing list. Mailings from a list must cease promptly once a subscription is terminated. This can be by a link, the receiver has to click on, or a valid Re: address.


*vBulletin has this function built in to terminate subscriptions, so this will not cause problems in this regard. However, there is no functionality to let members automatically unsubscribe themselves from admin mailings. Fortunately Kirk made this hack: Unsubscribe link in Administrative Mail (vb 3.7 and lower only)

There should be alternative methods for terminating a subscription.
Mailing list administrators should make an "out of band" procedure (e.g., an email address to which messages may be sent for further contact via email or telephone) available for those who wish to terminate their mailing list subscriptions but are unable or unwilling to follow standard automated procedures.


*This is something you will need to fix yourself, by editing the template. A good way to resolve this is to add a text to the email message that explains how to remove subscriptions by going to the userCP.

Undeliverable addresses must be removed from future mailings.
Mailing list administrators must ensure that the impact of their mailings on the networks and hosts of others is minimized. One of the ways this is accomplished is through pruning invalid or undeliverable addresses.


*This is a vital issue that needs to be resolved, especially if you have a big board. If you are sending out a large amount of subscriptions and other email, then there will be a lot of outdated and false emails in your database. If you keep sending email to nonexistent email addresses, then the risk of getting banned by email providers is very large.

Unfortunately vBulletin does not have a function for this and there is no hack that automatically resolves this problem. However, I highly recommend that you install Anti-Virus's EZ Bounced Email Management for Admins.


Mail volume must take recipient systems into account.
List administrators must take steps to ensure that mailings do not overwhelm less robust hosts or networks. For example, if the mailing list has a great number of addresses within a particular domain, the list administrator should contact the administrator for that domain to discuss mail volume issues.


This only seems to be an issue for very large or local boards.

Steps must be taken to prevent use of a mailing list for abusive purposes.
The sad fact is that mailing lists are used by third parties as tools of revenge and malice. Mailing list administrators must take adequate steps to ensure that their lists cannot be used for these purposes. Administrators must maintain a "suppression list" of email addresses from which all subscription requests are rejected. The purpose of the suppression list would be to prevent forged subscription of addresses by unauthorized third parties. Such suppression lists should also give properly authorized domain administrators the option to suppress all mailings to the domains for which they are responsible.


*vBulletin has this function built in, so this will not cause problems.


The nature and frequency of mailings should be fully disclosed.

List administrators should make adequate disclosures about the nature of their mailing lists, including the subject matter of the lists and anticipated frequency of messages. A substantive change in the frequency of mailings, or in the size of each message, may constitute a new and separate mailing list requiring a separate subscription.


*You should describe in your email text to which email address the email has been sent, why the recipient is receiving the email, from whom (include your URL) and how often.

In addition, e-mail sent, or caused to be sent, to or through the Services may not:
• use or contain invalid or forged headers;
• use or contain invalid or non-existent domain names;
• employ any technique to otherwise misrepresent, hide or obscure any information in identifying the point of origin or the transmission path;
• use other means of deceptive addressing;
• use a third party's internet domain name, or be relayed from or through a third party's equipment, without permission of the third party;
• contain false or misleading information in the subject line or otherwise contain false or misleading content;
• fail to comply with additional technical standards described below; or
• otherwise violate the applicable Terms of Use for the Services.


Basically this means that you need to make sure that the way you are sending your email makes sense. If the way your server, domain, URL and your email address are set up is not consistent, this may lead the email provider to throw your site on their spammers list. Some considerations:
Is the domain on your server the same as the url of your website?
Is the sender email address of the same extension as your website?
Is the sender email address reachable?
Is the bounce email address of the same extension as your website?
Is the bounce email address reachable?

Since vb 3.7 there is an option to define a bounce email address. Many thanks to Jelsoft for adding this!


CAN-SPAM act:
What the Law Requires
Here's a rundown of the law's main provisions:
• It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email.
• It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
• It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an opt-out request, the law gives you 10 business days to stop sending email to the requestor's email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it's illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.


*These 3 points have been discussed above.

• It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

*If you are sending advertisements or messages of commercial nature, you must include the above information in your email text message.

Hotmail has a special programme for senders. More information and subscription can be found here: http://postmaster.msn.com/Services.aspx

Yahoo!

• Remove email addresses that bounce.

*As discussed above, this is a vital issue. See above for more information.


• Examine your retry policies.

Your retry policies are:
A. How often you resend email. Simply use common sense and do not send the same message to the same email twice unless it is essential to do so.
B. How often your server retries to send email. Since this is a server setting consult your server admin or your hosting co to make sure settings are correct.


• Pay attention to the responses from our SMTP servers.

*Responses from SMTP servers are sent as email to your bounce email address. Unfortunately vBulletin does not have functionality for this. I highly recommend installing Anti-Virus's EZ Bounced Email Management for Admins mod.

• Don't send unsolicited email. In this process, after you receive a subscription request, you send a confirmation email to that address which requires some affirmative action before that email address is added to the mailing list.

*vBulletin has this function built in.

• Provide a method of unsubscribing from your list in each mail you send.


*This is discussed above.

• Ensure that your mail servers are not open relays, and that your servers attempt to detect and deny connections to open proxies.

*This is a vital issue as well. Although (if properly configured) vbulletin will not allow open relays, there are addons that allow bots & spammers to send email/spam through your site, there are hacks & mods that do allow third parties to use your site for a spamming spree. This should be avoided in any case. Often these problems will come to light by examining your catchall email address.

If a spammer is using your site's functions to send spam, then study each problem and resolve the vulnerability. Please alert the creator of the mod, so that others will not encounter the same problems.

Explanation:
Normally an open relay would mean that your smtp mail server accepts requests without authorization. i.e. anybody can access it and send email from it. This can be tested through many online sites. Google it.

With vbulletin and its addons however, there are other open relay options, through pages that have a function to send email. Make sure that guests can not use the 'Use Email to Friend' function anywhere on your site. I'd recommend turning this off for newbies as well.

Then go to your catchall email address. This is the standard email address where all bounced email arrives at. Often this is user@domain.com. Ask your host if you do not know.

Have a look at the emails that got bounced and should not have been sent by you. You may see spam sent from your server, that was then bounced back to your catchall address, because the addressee does not exist. This is where it gets interesting.
Review the message, the headers and the raw view. Find the path used to send the email and specifically the mail script that was used. The mail script often indicates that there is a script in one of your add-ons that allows spammers to send email through your site.

See if you can identify the script and the addon it is part of. If so, then first see if you can correct this by changing the setting of that addon. If yes, then post about it in the relevant thread / site to give others a heads up. If not, then let the coder know that there may be a problem with the addon.


Gmail:
Authentication & Identification
To ensure that Gmail can identify you:
• Use a consistent IP address to send bulk mail.
• Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.


*Please make sure your server admin has these settings right.

• Use the same address in the 'From:' header on every bulk mail you send.

*This speaks for itself.

We also recommend publishing an SPF record, and signing with DomainKeys.
For SPF see: http://www.openspf.org/


*SPF is a very interesting and handy concept. Basically you register how your email is sent. So if there is email sent from another email address, IP, domain, protocol, etc, then email providers will disregard the email. This can come in mighty handy if a spammer is using your email address or domain for spamming.

Subscription
Each user on your distribution list should opt to receive messages from you in one of the following ways (opt-in):
• Through an email asking to subscribe to your list.
• By manually checking a box on a web form, or within a piece of software.
We also recommend that you verify each email address before subscribing them to your list.


*As discussed above.

The following methods of address collection are not considered 'opt-in' and are not recommended:
• Using an email address list purchased from a third-party.


*Speaks for itself.

• Setting a checkbox on a web form or within a piece of software to subscribe all users by default (requiring users to explicitly opt-out of mailings).

*In other words;
adminCP -> vbulletin options -> User registration options -> default registration options
should not have "automatic thread subscription" set to receive email notification.


Unsubscribing
A user must be able to unsubscribe from your mailing list through one of the following means:
• A prominent link in the body of an email leading users to a page confirming his or her unsubscription (no input from the user, other than confirmation, should be required).


*As described above.

• By replying to your email with the word 'unsubscribe' in the body of the message.

*This can be done by keeping an eye on your webmaster email address. It is my experience that virtually no one uses this method. If your experience is different, then please let me know by posting here.

To help ensure that your messages aren't flagged as spam, we also recommend that you:
• Automatically unsubscribe users whose addresses bounce multiple pieces of mail.


*As described above.

• Periodically send confirmation messages to users.

*Since members can unsubscribe in their userCP, this does not seem needed to me. There surely is no way for Gmail to check if you do this.

• Include each mailing list they are signed up for, and offer the opportunity to unsubscribe from those in which they are no longer interested.
• Provide a 'List-Unsubscribe' header which points to a web form where the user can unsubscribe easily from future mailings (Note: This is not a substitute method for unsubscribing).


*As described above.

It's possible that your users forward mail from other accounts, so we recommend that you:
• Explicitly indicate the email address subscribed to your list.


*In your email message text you need to describe which email address the email is sent to.

• Support a URL method of unsubscribing from your mailing list (this is beneficial if your mailing list manager can't tell who is unsubscribing based on the 'Reply-to:' address).

*Add a text to the email message that explains how to remove subscriptions by going to the userCP.
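
The bounce pruning and the catch-all review described in the article, as an added Python example that is not part of the original post or of vBulletin: it reads delivery status notifications, lists member addresses to prune after repeated hard bounces, and tallies the sending script for bounced mail to addresses the board does not know. The sample bounce, the threshold of 3, the function names and the reliance on PHP's `X-PHP-Originating-Script` header (only written when `mail.add_x_header` is enabled) are assumptions.

```python
import email
from collections import Counter
from email import policy

# Constructed sample bounce (RFC 3464 delivery status notification).
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@forum.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; {rcpt}
Action: failed
Status: {status}

--b1
Content-Type: message/rfc822

From: webmaster@forum.example
To: {rcpt}
Subject: constructed sample
X-PHP-Originating-Script: 1001:{script}

body
--b1--
"""


def parse_bounce(raw):
    """Return ([(recipient, status), ...], originating_script_or_None)."""
    msg = email.message_from_string(raw, policy=policy.default)
    failures, script = [], None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            # The parser exposes each header block of the report as a sub-message.
            for block in part.get_payload():
                rcpt = block.get("Final-Recipient")
                if rcpt and str(block.get("Action", "")).strip().lower() == "failed":
                    addr = str(rcpt).split(";", 1)[-1].strip().lower()
                    failures.append((addr, str(block.get("Status", "")).strip()))
        else:
            inner = part
            if ctype == "text/rfc822-headers":  # only the original headers were returned
                inner = email.message_from_string(part.get_content(), policy=policy.default)
            script = script or inner.get("X-PHP-Originating-Script")
    return failures, (str(script) if script else None)


def triage(raw_bounces, member_addresses, threshold=3):
    """Members with repeated 5.x.x bounces to prune; scripts behind unknown mail."""
    hard, unknown_by_script = Counter(), Counter()
    for raw in raw_bounces:
        failures, script = parse_bounce(raw)
        for addr, status in failures:
            if addr not in member_addresses:
                unknown_by_script[script or "unknown"] += 1  # not our subscriber
            elif status.startswith("5."):
                hard[addr] += 1  # permanent failure; 4.x.x is temporary
    prune = sorted(a for a, n in hard.items() if n >= threshold)
    return prune, dict(unknown_by_script)


if __name__ == "__main__":
    mk = BOUNCE_TEMPLATE.format
    sample = [mk(rcpt="old@example.org", status="5.1.1", script="subscriptions.php")] * 3
    sample += [mk(rcpt="stranger@example.com", status="5.1.1", script="sendtofriend_addon.php")]
    print(triage(sample, {"old@example.org"}))
```
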

#22 Mutt, 05-12-2009, 06:03 PM

Quote:
Originally Posted by Alfa1
> Fortunately Kirk made this hack: Unsubscribe link in Administrative Mail
> However, you still need to add a text manually, like described in my article.

thanks, that's great

#23 Alfa1, 08-21-2009, 10:09 AM

I've updated the article. Pretty soon I will be needing a 3rd post, because there is a maximum amount of characters that can be entered.

Does anyone have questions or remarks?

#24 VonDoom, 09-23-2009, 03:40 AM

Great article, I'll be going through most of this soon. I rarely (maybe once a year) send out bulk mail. But I never considered the ramifications of members using the email to friends feature. Lol, reminds me to check my email account too. Umm, something I haven't done in a month or more.

#25 cavyspirit, 11-05-2009, 04:34 PM

Thanks for this thread. Great info.

Personally, knowing what I know now, I would never use the vB email system to do a mass mail and I'm glad that in all these years, I haven't used it.

I found out just how damn devastating it can be to be blacklisted as a spammer.

Unbeknown to me about a year ago, one of my lesser used CMS sites was hacked and a spammer was using my account to send out spam emails. My site ended up on email blacklists. It's not just the one email address or site that gets blacklisted, it can be your entire server along with references to any site on that server anywhere in the email. And since I do web development and host around a dozen accounts on this one server, ALL mail--incoming and outgoing from my server was being blocked by many, many providers. Business came to a screeching halt for me and my clients. At least that was my experience.

It was that tough wake-up call that forced me to institute much more rigorous security on my environments.

In addition, I discovered this site: http://www.mxtoolbox.com/blacklists.aspx which lets you enter in your server IP and see if you are on any major email blacklists. And it helps you deal with getting off of each blacklist. AND they have a service which will send you an immediate alert if you end up on any blacklist for any reason. After setting and forgetting about it last year--after it taking almost a week to recover to being clean again--I did get one alert for a minor problem which I very quickly resolved.

Getting blacklisted once was a big-time learning experience and not a good one.

#26 porcupine73, 11-26-2009, 01:17 AM

Thanks for this helpful article Alfa. I'm trying to get my board compliant with many of these items.

One quick thing I am trying is I created a new template I called email_footer1, which contains text similar to:
Code:
_____________________________________________________________
This email was sent to $bbuserinfo[email], based on account registration.
To manage your email preferences, update your account settings at $vboptions[bburl]/profile.php?do=editoptions

Alternatively to unsubscribe, go to $vboptions[bburl]/$vboptions[contactuslink], or reply to this email with the word unsubscribe as the subject.
Mailing address: some name, someplace
Telephone: telephone
To report abuse, email abuse@yourdomain

Then I added a plugin hooked on mail_send to hopefully append the relevant info to the bottom of all e-mails sent by vbulletin?
Code:
// Add footer to outbound e-mail
eval('$message .= "' . fetch_template('email_footer1') . '";');

(You don't want to know how long I spent getting that to work, especially since I had \\ instead of // for the comment)

The DKIM looks interesting. My host doesn't let me add any fields to the domain record though so it looks like I'd need to use a different DNS to put out the info
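
A pre-send check in the spirit of the footer above, as an added Python example (not part of porcupine73's post or of vBulletin): it parses a test copy of an outgoing message and reports which of the article's sender-consistency and unsubscribe points it misses. The function name, the sample messages and the assumption that the test copy carries a `Return-Path` header (written at delivery from the bounce address) are assumptions of this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed test copies of outgoing board mail.
GOOD = """\
Return-Path: <bounces@forum.example>
From: Example Forum <webmaster@forum.example>
To: member@example.org
Subject: Reply to thread 'Example'
List-Unsubscribe: <https://forum.example/profile.php?do=editoptions>

A new reply was posted.
This email was sent to member@example.org, based on account registration.
Manage your email preferences at https://forum.example/profile.php?do=editoptions
"""

BAD = """\
From: Example Forum <exampleforum@freemail.example>
To: member@example.org
Subject: Newsletter

Hello, here is our newsletter.
"""


def lint_outbound(raw, site_domain):
    """Return a list of problems found in one outgoing message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    problems = []

    def on_site(host):
        host = host.lower()
        return host == site_domain or host.endswith("." + site_domain)

    # Sender and bounce addresses should share the site's domain.
    for header in ("From", "Return-Path"):
        addr = parseaddr(str(msg.get(header, "")))[1]
        if not addr:
            problems.append(f"{header} missing")
        elif not on_site(addr.rpartition("@")[2]):
            problems.append(f"{header} domain differs from the site domain")

    # Gmail's guideline: a List-Unsubscribe header pointing at a web form.
    if not re.search(r"<(?:https?://|mailto:)[^>\s]+>", str(msg.get("List-Unsubscribe", ""))):
        problems.append("List-Unsubscribe missing")

    # The body should say which address is subscribed and link back to the site.
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    if not rcpt or rcpt not in body.lower():
        problems.append("body does not name the subscribed address")
    if not any(on_site(h) for h in re.findall(r"https?://([^/\s:]+)", body)):
        problems.append("body has no link back to the site")
    return problems


if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_outbound(raw, "forum.example"))
```
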

#27 Alfa1, 11-26-2009, 07:24 PM

Very interesting. Please let me know if this is included in all email.

#28 dfidler, 12-05-2009, 08:13 PM

Quote:
Originally Posted by Alfa1
> Does anyone have questions or remarks?

Just a remark; awesome article. Thanks for taking the time!

#29 Alfa1, 12-06-2009, 01:48 PM

You're most welcome. I hope IB will do something with it and implement the needed functionality to avoid such problems.

#30 Biker_GA, 04-05-2010, 05:25 AM

Your reference to Microsoft's tips is pretty much out of date. I've been running in circles attempting to get a delivery issue resolved with them and the majority of the addresses are no longer valid on their site.

Something I've recently run into, and many may be getting smacked for this, is NDR and reverse NDR spam. I've been nailed by this recently and as a result, showed up on a blacklist.

I'm still poring through the rules in Exim to figure out a way to minimize this. You can't really prevent it, short of turning off NDR, but then you'd be running a mail server that doesn't conform to current mail standards. **sigh** I hate spammers.

#31 Alfa1, 04-05-2010, 08:52 PM

Quote:
Originally Posted by Biker_GA
> Your reference to Microsoft's tips is pretty much out of date. I've been running in circles attempting to get a delivery issue resolved with them and the majority of the addresses are no longer valid on their site.

Please let me know what you have found to be out of date and where new mail conditions can be found. I still see the same anti-spam policy on microsoft.com. I see there is new data on http://postmaster.msn.com/Services.aspx and http://postmaster.live.com/Guidelines.aspx but that doesn't seem to replace the Anti-Spam policy.

Quote:
Originally Posted by Biker_GA
> Something I've recently run into, and many may be getting smacked for this, is NDR and reverse NDR spam. I've been nailed by this recently and as a result, showed up on a blacklist.
>
> I'm still poring through the rules in Exim to figure out a way to minimize this. You can't really prevent it, short of turning off NDR, but then you'd be running a mail server that doesn't conform to current mail standards. **sigh** I hate spammers.

Have you considered limiting the number of NDRs within X amount of time to a number that resembles a normal amount?