Gmail Blocking Email

[KrazyBob]

Gmail is reporting to my customers that we are blocked for spamming. I cannot kind a link anywhere that will allow me to reach Gmail and tell them I have a clean server with a good reputation, but of course allow them to tell me

This server is important to me.

Can you help with delisting an IP at GMail?

Thanks in advance.

[prupert]

What is the SMTP response code from the Gmail servers? That should give you an indication as to why the message was rejected.

Check out the pages at https://support.google.com/mail/topic/1669057 for further info and tips.

[KrazyBob]

<sbnalerts@gmail.com>:
74.125.25.26 failed after I sent the message.
Remote host said: 550-5.7.1 [65.44.220.54 1] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. wu4si24552896pbc.288 - gsmtp

This IP went from good to and over night. Their link is of little help.

[KrazyBob]

This always sucks. I need to find the spammer yet my daughters cancer comes first and were out the door for the hospital.

[KrazyBob]

I've located the spammer but I'd really like to know how to contact Google. Or do they plan to conquer the web mail world by not helping us?

[faris]

Right at the bottom of that page, there's a link you can click on that asks you some questions, and basically you say I'm sending from my domain, I've found a problem, I've resolved it.

It then tells you

We're glad that you've identified and corrected the problem. Please note that it may take some time for your domain's reputation to be restored, and you may have trouble delivering mail to Gmail users for a short period of time. This problem will resolve itself as you continue to follow the practices outlined in our Bulk Senders Guide.

Basically you have to wait it out

[KrazyBob]

That's ok. At least I now know how to contact Gmail. I am so sick and tired of spammers. I try so hard but there's only one of me. Thank You for your input.

[faris]

Well, I wouldn't call it "contacting" them. They don't ask for any details. They just ask what you've done and if you say the right thing they give you the text I posted. In other words they will remove you eventually, but won't say when that might be. A day? A week? A month?

I'm always worried something like this will strike at the wrong time. So I've planned for disaster, as follows:

You have a whole heap of IPs and servers (physical and virtual), don't you? You could do one of the following:

1) Rent a cheap VPS from another provider and route email from the blacklisted server through that (adjust qmail's smtproutes file on the source server and whitelist the source server's IP on the VPS -- if it has Plesk do it via the email tab) (requires that the service provider doesn't do something silly with email. For example I think I read that GoDaddy limits number of outgoing emails on some of their servers - don't know if true or not) (requires that the IP allocated to your VPS is not itself already blacklisted).

2) Set up a VPS on your own network to do exactly the same thing (requires that the blocking only covers one IP and not your entire subnet)

3) Change the outgoing IP on the blacklisted server/VPS to a different one (using route command or by inserting a new ip as the first IP allocated to it) (requires that the blocking only covers one IP and not your entire subnet)

If you "own" your own subnet, consider breaking it up into several smaller chunks. This may possibly help in situations where blocklists are applied to an entire subnet. e.g. Microsoft does this. However, some blocklists use arbitrary subnet sizes as opposed to real subnet allocations.

Other potential things to do if you don't already:
Use asl's geoblocking to block the worst offending countries. Or set up an rbl to do something similar on port 587
Use the Atomic qmail-scanner rather than Plesk's built-in stuff. qmail-scanner scans outgoing email as well as incoming.
I've not personally tested Parallels' Premium Outgoing Anti-Spam filter, but it uses quite a sophisticated system as far as I can tell. I forget the details. Looks quite interesting, anyway.
Configure Plesk to insist on Strong passwords (does this work with Email accounts? It certainly does for FTP accounts).

But the bad guys will, of course, still find a way to ruin your day every now and then.

[prupert]

Another tip: monitor the mail activity: outgoing mail rate, delivery failures, queue size, etc.. Set up thresholds that detect unusual activity. This gives you the opportunity to detect most (but not all) abuse of mail accounts or website mail scripts in a very early stage and allows you to find the culprit before it get's out of hand.

Also, educate your clients about vulnerabilities in mail scripts, using strong passwords and never giving it out to somebody else. Set the example yourself: it should be your company policy to never hand out, or ask for, a client password.

[faris]

Another tip: monitor the mail activity: outgoing mail rate, delivery failures, queue size, etc.. Set up thresholds that detect unusual activity. This gives you the opportunity to detect most (but not all) abuse of mail accounts or website mail scripts in a very early stage and allows you to find the culprit before it get's out of hand.

+one million on that.

We have a Nagios (Icinga) monitoring system which has alerted us to this sort of thing. There's a script that checks the qmail queue size and warns if it gets out of control.

We also check email round-trip delivery times - if they go high, it is often a sign something has gone wrong (lots of mail in the outbound queue, for example).

Neither will help if the bad guys install their own smtp engine but that doesn't seem to be common. And anyway, if you have the full ASL kernel installed, you can set all sorts of wonderful limits to help slow down this crap.

Even reducing qmail sending concurrency can help - I've reduced ours to a small number, the idea being that fewer messages will get out before the problem is detected and stopped.

[prupert]

Neither will help if the bad guys install their own smtp engine but that doesn't seem to be common.

You can protect yourself against that very easily with FW_OUTPUT_MTA:
http://www.atomicorp.com/wiki/index.php ... OUTPUT_MTA

We have implemented it on most of our ASL boxes.

[faris]

I suspect that particular feature requires the ASL kernel, which neither I nor KB can use on Virtuozzo.

[prupert]

I suspect that particular feature requires the ASL kernel, which neither I nor KB can use on Virtuozzo.

We aren't running Virtuozzo/OpenVZ in production, blegh... But we have been able to use FW_OUTPUT_MTA successfully on stock CentOS kernels, so perhaps it might work on your machines as well.

[scott]

I dont think the openvz kernels support that xt_ module. We definitely ran into that with a more common one (LOG) already.

[KrazyBob]

This issue is on a last run edition of Centos 4.9 with VZ 3 on board. I am migrating everything to VZ 4 and Centos 6.3 but it is very time consuming. The migration itself breaks more than it fixes.

As of today our Senderbase reputation is neutral but I am still getting rejections. Patience is the key.

In all candor, and I don't like to wave it like a banner, I am a small operator and a single parent of an 11 year old brain cancer survivor. There isn't enough time in a given day to do all that I'd like. I know the solution is to install ASL and I have it to install. But I have to first get Plesk 11 installed. Most of my customers will tell you that I bust my butt for them any time of the day or night. My dedicated server customers (the bulk of my business) rely on me. But it's the pesky budget customer that stamps his feet over $5.99 a month when some bozo hits a spam trap because he bought a list that was guaranteed to be clear. The customer didn't know any better so as I refer to them as pesky I do so knowing that they aren't truly at fault.

I am married to Plesk. I have HSP and have been running it all since 2007. I say that I am a rookie when the truth is that I know some ticks. I just don't know enough. I have formmail.php that replaces sendmail and it will usually give me a PHP script if it is the culprit. I run qmHandle and qmailclear.sh. I have a few other utilities. But I don't know things like asking Plesk which domain is sending the most mail right now. I don't know how to find the domain number. I don't know how to use tcpdump to monitor. I run OpManager but it doesn't help with a spammer. I can use qmail-remote to see whose sending but that's when I've reached my limit.

One reason that I come here with an occasional question is that none of you disrespects me and I appreciate that. Professionals helping professionals -- even new ones.