Subscribe to RSS Feed

Cloudmark Blog

Intelligence Briefings from the War on Spam

Blocked Email Part 1: “Why me?”


Fri, Apr 10, 2009 by David Romerstein

Everyone’s had it happen. You forward a joke to a friend or coworker, email a possible new vendor requesting a quote, or send out your daily/weekly/monthly newsletter and, a short time later, you get back that dreaded notification: “Subject: Undelivered Mail Returned to Sender”. Your first reaction is probably indignation. “I’m not a spammer,” you think to yourself, “so how dare they block my email!” Believe it or not, the receiving ISP probably doesn’t think that you’re a spammer.

Over the course of the next few blog posts, we’re going to discuss what you can do when you find mail bouncing – who to talk to, things to say, actions to take – whether you’re an individual, or the overworked sysadmin at a small company, or the deliverability manager at an ESP. We’ll also talk about things you shouldn’t do when your mail is blocked. We’ll even look at proactive things to do to try to prevent mail blocks in the first place.

Today, though, we’re going to look at a couple of the most common reasons for which your mail may have been blocked in the first place. This is not an exhaustive list of reasons, of course, but it should serve to give you some things to look for in your mail that might have caused it to be blocked. As you read, remember that all of these reasons have evolved over time – as various forms of email abuse (like spam and viruses) evolved, the methods to stop them evolved, too.

Blocking dynamic/generic IP addresses
This is one of the oldest methods of stopping abusive mail. In the early days of consumer-level Internet access, inexpensive dial-up connections with dynamically assigned IP addresses made it easy for abusers to rapidly cycle through a number of IPs. They’d dial in, send spam, disconnect, dial in (getting a new IP address), send spam, disconnect… lather, rinse repeat. Unfortunately for them, this pattern was pretty easy to detect when they were using their ISP’s mail server to forward all that mail, so the abusers added a twist, which they called ‘Direct-to-MX’. The abusers would connect their dialup connection directly to the receiver’s inbound mail server (sort of acting as a mini mail server) and inject the spam directly, thus avoiding any monitoring their ISP may have had. Receiving ISPs found ways to determine if a given IP was a dialup or a ‘real’ server, including looking for patterns in the reverse DNS (rDNS) for the IP address, or consulting one of the many dialup lists that sprang up. As dialups gave way to DSL, satellite, cable, and fiber connections, ‘dynamic’ was expanded to include ‘generic’. The definition for dynamic or generic rDNS has been evolving but, in a nutshell, it comes down to this:

If an IP has reverse DNS that appears to have been created by a script and which indicates that a given IP is one of many in a large pool of very similar names, that IP address is more likely than not to be dynamically assigned. Because the user behind that IP address can change at a moment’s notice – even if you’ve kept the same IP for 3 years, it could change – a receiving ISP is less likely to assign a positive reputation to that IP, and is more likely to be unwilling to accept mail directly from that IP.

Blocking abusive content
Most ISPs have implemented a method by which their customers can complain about spam which they’ve received. In many cases, this was originally used to find IP addresses which could be blocked, but has now expanded so that content common to spam messages can be detected and blocked. ‘Content’ can refer to anything in the email but, in this case, is used to describe the ‘call to action’ (the thing the spammer wants you to do – the phone number he wants you to call, or the web site he wants you to visit). Content in the body of email that garners a lot of complaints is going to be looked at suspiciously by the receiver and is more likely to be blocked.

Blocking based on DNSbls (DNS-based blocklists)
People realized early on that it made sense for everyone to share common lists of IPs that they might want to block. Early blocklists, transferred via BGP, caused data from listed IP addresses to be completely dropped, earning them the nickname ‘Black Hole Lists’. Later refinements moved the blocklist data to DNS, so that a receiving mail server could do a simple query, determine if the originator of an email was already known to be bad, and make the decision to block or accept their mail in real time. DNSbls may list an IP for many reasons – it may have been seen originating spam, or it may be part of a block of IPs that has acted suspiciously, or it may appear to be a dynamic IP. Some DNSbls will list an ISP’s entire network space if that ISP doesn’t appear to deal with abuse in a timely fashion. With so many possible listing criteria, it follows that there are many public DNSbls, with wildly varying levels of quality and reputation, and a listing on one or more of them may cause your mail to be blocked.

Coming in Part 2 – what should you, as an individual, do when you receive bounce messages?

3 Responses to “Blocked Email Part 1: “Why me?””

  1. Useful links: May 21 at Word to the Wise Says:

    [...] Part 1: Blocked email: Why me? [...]

  2. Al Says:

    Thanks for the useful information. I’m a novice and still learning about email. I’m not too clear about dynamic IPs.
    For ESPs like gmail that only assign dynamic IPs to their customers, do they run into more risk of getting blocked.
    Since majority of the users use such kind of free ESPs and using mostly dynamic IPs, how is this fact taken into consideration by ISPs/ESPs when they look into blocking it?

  3. David Romerstein Says:

    @Al: GMail’s outbound mail servers are not on dynamic IPs, and that’s what ISPs are checking for when you try to send mail.

Leave a Reply


(will not be published)


Submit Your Comments

* Indicates a required field

Site Map  •  Privacy Policy  •  ©2002–2014 Cloudmark, Inc.