
Blocked Email Part 1: “Why me?”

Everyone’s had it happen. You forward a joke to a friend or coworker, email a possible new vendor requesting a quote, or send out your daily/weekly/monthly newsletter and, a short time later, you get back that dreaded notification: “Subject: Undelivered Mail Returned to Sender”. Your first reaction is probably indignation. “I’m not a spammer,” you think to yourself, “so how dare they block my email!” Believe it or not, the receiving ISP probably doesn’t think that you’re a spammer. 

Over the course of the next few blog posts, we’re going to discuss what you can do when you find mail bouncing – who to talk to, things to say, actions to take – whether you’re an individual, or the overworked sysadmin at a small company, or the deliverability manager at an ESP. We’ll also talk about things you shouldn’t do when your mail is blocked. We’ll even look at proactive things to do to try to prevent mail blocks in the first place.

Today, though, we’re going to look at a couple of the most common reasons for which your mail may have been blocked in the first place. This is not an exhaustive list of reasons, of course, but it should serve to give you some things to look for in your mail that might have caused it to be blocked. As you read, remember that all of these reasons have evolved over time – as various forms of email abuse (like spam and viruses) evolved, the methods to stop them evolved, too.

Blocking dynamic/generic IP addresses

This is one of the oldest methods of stopping abusive mail. In the early days of consumer-level Internet access, inexpensive dial-up connections with dynamically assigned IP addresses made it easy for abusers to rapidly cycle through a number of IPs. They’d dial in, send spam, disconnect, dial in (getting a new IP address), send spam, disconnect… lather, rinse, repeat. Unfortunately for them, this pattern was pretty easy to detect when they were using their ISP’s mail server to forward all that mail, so the abusers added a twist, which they called ‘Direct-to-MX’. The abusers would connect their dialup connection directly to the receiver’s inbound mail server (sort of acting as a mini mail server) and inject the spam directly, thus avoiding any monitoring their ISP may have had. Receiving ISPs found ways to determine if a given IP was a dialup or a ‘real’ server, including looking for patterns in the reverse DNS (rDNS) for the IP address, or consulting one of the many dialup lists that sprang up. As dialups gave way to DSL, satellite, cable, and fiber connections, ‘dynamic’ was expanded to include ‘generic’. The definition for dynamic or generic rDNS has been evolving but, in a nutshell, it comes down to this:

If an IP has reverse DNS that appears to have been created by a script and which indicates that a given IP is one of many in a large pool of very similar names, that IP address is more likely than not to be dynamically assigned. Because the user behind that IP address can change at a moment’s notice – even if you’ve kept the same IP for 3 years, it could change – a receiving ISP is less likely to assign a positive reputation to that IP, and is more likely to be unwilling to accept mail directly from that IP.
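As an added illustration (this is not code from the original post, and not Cloudmark’s or any ISP’s actual classification logic), here is a small Python heuristic of the kind a receiving mail server can apply to a connecting IP’s rDNS name. It flags names that embed the IP’s own octets (in decimal, in either order, or as eight hex digits) and names built from pool-style labels. The keyword list, the decision rule and the sample address/name pairs are my own constructed assumptions; real receivers use far more elaborate rules and combine them with reputation data.

```python
import re
import ipaddress

# Labels that ISPs commonly use in script-generated pool names.  This list is an
# assumption for illustration, not Cloudmark's or any ISP's published criteria.
POOL_TOKENS = {"dyn", "dynamic", "dhcp", "pool", "ppp", "pppoe", "dsl", "adsl",
               "cable", "dialup", "dial", "cust", "unassigned"}


def _is_subsequence(needle, hay):
    """True if every element of needle appears in hay, in order (gaps allowed)."""
    it = iter(hay)
    return all(any(x == y for y in it) for x in needle)


def embeds_address(ip, rdns):
    """Return how the rDNS name encodes the IP itself, or None if it does not.

    Script-generated names usually contain the address in decimal
    (forward or reversed order, e.g. 203-0-113-45 or 45.113.0.203) or as
    eight hex digits (cb00712d for 203.0.113.45).
    """
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    numbers = [int(n) for n in re.findall(r"\d+", rdns)]
    if _is_subsequence(octets, numbers):
        return "decimal"
    if _is_subsequence(list(reversed(octets)), numbers):
        return "reversed-decimal"
    if "".join(f"{o:02x}" for o in octets) in rdns.lower():
        return "hex"
    return None


def classify_rdns(ip, rdns):
    """Classify an (ip, rdns) pair; rdns is None when the IP has no PTR record."""
    reasons = []
    if not rdns:
        reasons.append("no reverse DNS at all")
    else:
        how = embeds_address(ip, rdns)
        if how:
            reasons.append(f"name embeds the IP address ({how})")
        # Split the name into alphabetic labels and look for pool-style words.
        labels = set(re.split(r"[^a-z]+", rdns.lower())) - {""}
        for token in sorted(labels & POOL_TOKENS):
            reasons.append(f"pool-style label '{token}'")
    return {"ip": ip, "rdns": rdns, "likely_dynamic": bool(reasons), "reasons": reasons}


# Constructed sample pairs using documentation address ranges (RFC 5737).
SAMPLES = [
    ("203.0.113.45", "203-0-113-45.dyn.example.net"),
    ("198.51.100.7", "pool-7-100-51-198.example.org"),
    ("192.0.2.10", "c000020a.example.net"),
    ("192.0.2.10", "mail.example.com"),
    ("192.0.2.11", None),
]

if __name__ == "__main__":
    for ip, name in SAMPLES:
        verdict = classify_rdns(ip, name)
        print(f"{ip:14} {str(name):32} dynamic={verdict['likely_dynamic']} {verdict['reasons']}")
```

Run as a script it prints a verdict per sample; only `mail.example.com` comes out as a named host. The point to take from it is the one the post makes: a name that merely encodes the address tells the receiver nothing about who is behind it, so it earns no reputation of its own.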

Blocking abusive content

Most ISPs have implemented a method by which their customers can complain about spam which they’ve received. In many cases, this was originally used to find IP addresses which could be blocked, but has now expanded so that content common to spam messages can be detected and blocked. ‘Content’ can refer to anything in the email but, in this case, is used to describe the ‘call to action’ (the thing the spammer wants you to do – the phone number he wants you to call, or the web site he wants you to visit). Content in the body of email that garners a lot of complaints is going to be looked at suspiciously by the receiver and is more likely to be blocked.
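To make the ‘call to action’ idea concrete, here is an added Python sketch (my own example, not Cloudmark’s filtering code) of how complaint reports can be aggregated by call to action rather than by sending IP: URLs are reduced to their host name, phone numbers to their digits, and each is counted by the number of distinct complainants. The regular expressions, the threshold and the sample complaint bodies are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# North American style numbers, with or without a leading 1 and punctuation.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


def extract_calls_to_action(body):
    """Return the normalized calls to action in a message body.

    URLs are reduced to their host name (spammers vary paths and query strings
    per recipient) and phone numbers to their last ten digits.
    """
    cta = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,;)")).hostname
        if host:
            cta.add("url:" + host.lower())
    for phone in PHONE_RE.findall(body):
        cta.add("phone:" + re.sub(r"\D", "", phone)[-10:])
    return cta


def complaint_counts(complaints):
    """complaints: iterable of (complainant_id, body).

    Count distinct complainants per call to action, so one user pressing
    'report spam' repeatedly does not inflate the count.
    """
    who_complained = defaultdict(set)
    for who, body in complaints:
        for cta in extract_calls_to_action(body):
            who_complained[cta].add(who)
    return {cta: len(whos) for cta, whos in who_complained.items()}


def blocked_content(complaints, threshold):
    """Calls to action reported by at least `threshold` distinct complainants."""
    return {cta for cta, n in complaint_counts(complaints).items() if n >= threshold}


# Constructed complaint reports; host names and numbers are placeholders.
SAMPLE_COMPLAINTS = [
    ("user1", "Buy now at http://cheap-pills.example.com/buy?id=1 or call 1-800-555-0199"),
    ("user2", "BUY NOW http://CHEAP-PILLS.example.com/buy?id=2"),
    ("user3", "Call (800) 555-0199 today! http://cheap-pills.example.com/x"),
    ("user1", "Buy now at http://cheap-pills.example.com/buy?id=7"),  # same person again
    ("user4", "Unsubscribe from https://newsletter.example.org/list"),
]

if __name__ == "__main__":
    print(complaint_counts(SAMPLE_COMPLAINTS))
    print(blocked_content(SAMPLE_COMPLAINTS, threshold=3))
```

With a threshold of three distinct complainants, the pill site is blocked on content while the newsletter host, reported once, is not; the phone number sits just under the line. This is why a legitimate sender whose mail happens to share a link with a heavily reported campaign can find itself blocked even though its IP has a clean history.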

Blocking based on DNSbls (DNS-based blocklists)

People realized early on that it made sense for everyone to share common lists of IPs that they might want to block. Early blocklists, transferred via BGP, caused data from listed IP addresses to be completely dropped, earning them the nickname ‘Black Hole Lists’. Later refinements moved the blocklist data to DNS, so that a receiving mail server could do a simple query, determine if the originator of an email was already known to be bad, and make the decision to block or accept their mail in real time. DNSbls may list an IP for many reasons – it may have been seen originating spam, or it may be part of a block of IPs that has acted suspiciously, or it may appear to be a dynamic IP. Some DNSbls will list an ISP’s entire network space if that ISP doesn’t appear to deal with abuse in a timely fashion. With so many possible listing criteria, it follows that there are many public DNSbls, with wildly varying levels of quality and reputation, and a listing on one or more of them may cause your mail to be blocked.
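The ‘simple query’ above is worth seeing end to end. The following Python is an added example, not code from the post or from Cloudmark: it builds the reversed-octet lookup name, weights each list according to how much the receiver trusts it (which is how a receiver copes with the wildly varying quality the post mentions), and runs the two test-entry checks from RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must not be) so that a list which has shut down and now answers for everything cannot cause every sender to be rejected. The zone names `bl.example.net`, `dyn.example.org` and `dead.example.com`, the weights and the canned DNS answers are constructed; `resolve_a` is there only if you want to point the same logic at live DNS.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def resolve_a(name):
    """Live resolver using the standard library; returns None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def list_is_sane(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A list that has been shut down and now answers for everything fails the
    second check and must be ignored rather than used to reject all mail.
    """
    return (resolve(dnsbl_query_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_query_name("127.0.0.1", zone)) is None)


def check_sender(ip, lists, resolve, threshold):
    """Score a connecting IP against several weighted lists.

    lists maps zone -> weight (the weight is how much you trust that list).
    Returns (decision, score, per-list details).
    """
    score, details = 0, {}
    for zone, weight in lists.items():
        if not list_is_sane(zone, resolve):
            details[zone] = "skipped: failed RFC 5782 sanity check"
            continue
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue  # not listed on this zone
        # Listing answers live in 127.0.0.0/8; anything else is a broken or hijacked zone.
        if not all(ipaddress.IPv4Address(a) in LOOPBACK for a in answer):
            details[zone] = f"ignored: answer outside 127.0.0.0/8 ({answer})"
            continue
        score += weight
        details[zone] = answer
    return ("reject" if score >= threshold else "accept"), score, details


# Constructed zone data standing in for live DNS, so the example runs offline.
FAKE_DNS = {
    # A well-run list: listed IPs answer, the 127.0.0.1 test entry does not.
    "2.0.0.127.bl.example.net.": ["127.0.0.2"],
    "45.113.0.203.bl.example.net.": ["127.0.0.2"],
    # A dynamic/generic address list, using a different return code.
    "2.0.0.127.dyn.example.org.": ["127.0.0.2"],
    "45.113.0.203.dyn.example.org.": ["127.0.0.3"],
    # A dead list that now answers for every query, including 127.0.0.1.
    "2.0.0.127.dead.example.com.": ["127.0.0.2"],
    "1.0.0.127.dead.example.com.": ["127.0.0.2"],
    "45.113.0.203.dead.example.com.": ["127.0.0.2"],
    "10.2.0.192.dead.example.com.": ["127.0.0.2"],
}

LISTS = {"bl.example.net": 2, "dyn.example.org": 1, "dead.example.com": 5}


def fake_resolve(name):
    """Offline stand-in for resolve_a, answering only from FAKE_DNS."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.10"):
        print(ip, check_sender(ip, LISTS, fake_resolve, threshold=2))
```

Without the sanity check the dead list, carrying the highest weight, would reject both senders; with it, 203.0.113.45 is rejected on the strength of the two working lists and 192.0.2.10 is accepted. From the sender’s side this is also why a bounce that names a particular DNSBL is the first thing to read: it tells you which list to look up and which listing criteria applied.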

Coming in Part 2 – what should you, as an individual, do when you receive bounce messages?

5 thoughts on “Blocked Email Part 1: ‘Why me?’”

  1. Thanks for the useful information. I’m a novice and still learning about email. I’m not too clear about dynamic IPs.
    For ESPs like Gmail that only assign dynamic IPs to their customers, do they run into more risk of getting blocked?
    Since the majority of users use such kinds of free ESPs, mostly on dynamic IPs, how is this fact taken into consideration by ISPs/ESPs when they look into blocking them?

  2. We notice you also implement wide IP-based blocks. These IP addresses are not part of any blacklisting, and are not flagged on other IP-based reputation monitoring systems like SenderBase.

    Can you explain why you implement wide IP range blocking as part of your services? That would appear to be a method from the past and not used any more for reliable email services.

    Additionally, the requests to remove appear to be based on individual domain sending. That too would appear to be a strange way to lift an IP block for an ISP-based service. Can you confirm this and/or provide a method to have all blocks delisted for an IP?

    Lastly, can you advise how we can find out how/why the IP was part of a wide range of blacklisted IP addresses?

  3. Hi, David. Many spammers use a technique called snowshoe spam, in which they send spam from a large range of IP addresses, but with only low volume coming from each IP address, and not using all the IP addresses at once. When we see this happening, we will preemptively block the entire range. We will also block ranges in the case of rogue ISPs or hosting companies that do not take any action against spammers operating from their network, or do not screen new sign-ups for known bad actors. The best way to get a range of IP addresses unblocked is for that range to stop sending spam. A good way to do this is to install spam filtering on outbound mail from those IP addresses by running outbound port 25 through a proxy with a spam filter installed.
