Bounces being detected as spam/virus sending rate
Hi,
I run a mailing list of about 1-2 thousand subscribers for announcements only. My ISP has started sending me automated messages claiming that there is a high spam/virus sending rate from my IP address. It took me a long time to get a straight answer from them, but eventually they told me that they are not triggering on me sending email, but on the number of bounces that come back.
My setup is that outgoing mail goes through the ISP's mail server (that was their recommendation) but incoming mail comes directly to me. I send out an announcement, and a few days or a week later I get an automated message from the ISP suggesting I might be sending spam or a virus and pointing me to the usual generic Windows anti-virus solutions.
All my computers here are Linux, so while it is not impossible that I have been infected and am now part of a spammer's botnet, I think it's unlikely.
I receive unhandled bounce notifications (no more than a handful of those, which I then manually remove) and see notifications of addresses that are removed for excessive bouncing, again no more than a handful at a time. How can I see a list of members set to No Mail for bouncing?
Can you suggest anything I can do to avoid triggering the ISP's system? (A hard question, I know, since we don't know precisely what triggers it in the first place.)
-- Steve
On 04/22/2015 07:28 PM, Steven D'Aprano wrote:
```shell
bin/list_members --nomail=bybounce LISTNAME
```
or for all lists
```shell
for l in `bin/list_lists --bare`; do
    echo $l
    bin/list_members --nomail=bybounce $l
done
```
To see more detail get the script at <http://www.msapiro.net/scripts/get_bounce_info.py>, copy it to Mailman's bin/ directory and run
```shell
bin/withlist -a -r get_bounce_info
```
You need much more information as to what is actually happening. If this is one of the larger ISPs, see <http://wiki.list.org/x/4030690> for tips on signing up for their feedback system.
It's a difficult process to get the information you need. Here's a case story somewhat on topic.
I used to run my own outgoing MTA on my desktop computer. Everything was properly configured including full circle DNS and a nice domain name (msapiro.net). As far as I could tell, everyone accepted my mail, but I used to check the status of my IP at <https://postmaster.live.com/snds/ipStatus.aspx> (a service you can sign up for).
Every couple of months, my IP would show up as "exhibiting bot like behavior", even if I only sent a couple of personal messages to any microsoft server, and even though the report at <https://postmaster.live.com/snds/dataIP.aspx?ip=1152893423> always says "Error: no data for the specified IP" because I have never sent the threshold number of messages in a day. They never actually blocked my IP; they just flagged it. I would report the flag and they would reply with a message like
Your IP (68.183.193.239) was blocked by Windows Live Hotmail because the majority of all the email that you send has been judged to be spam by our internal filtering system. I have conducted an investigation into the emails originating from your IP space and have implemented mitigation for your deliverability problem. This process may take 24 - 48 hours to replicate completely throughout our system.
I have numerous saved emails from me asking them to just verify that they have actually seen even one such spam message. The exchange usually went something like this
No one ever confirmed that they had seen even one alleged spam message, but they always removed the flag, but a couple of months later, it would return and we'd do the same dance.
I finally decided that what was actually happening is every couple of months they would notice that my IP was in a "home DSL" net block, and sending even one message from such an IP was "bot like behavior".
The end of the story is I switched to sending my outgoing mail via my production server that's in a commercial colocation facility, and Microsoft stopped flagging my desktop IP as it sends them no mail at all.
The moral here is the bigger the ISP, the more difficult it is to get any relevant information from them.
Good Luck.
-- Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On Wed, Apr 22, 2015 at 08:23:38PM -0700, Mark Sapiro wrote:
Thanks Mark. According to that, there are currently 12 bouncing members. But when I run the more detail script below, I get 30 bouncing members. What's the difference between the two?
(Oh, and for the record, there's only two Hotmail, and one each AOL and Yahoo, addresses in the 30.)
Thanks for the feedback. I look forward to many frustrating conversations.
I currently get Uncaught bounce notifications, and process them by hand as they come in. I also see unsubscribes. Is there a way I can be notified of *caught* bounce notifications?
-- Steve
On 05/09/2015 10:51 PM, Steven D'Aprano wrote:
bin/list_members --nomail=bybounce lists those members whose delivery is currently disabled by bounce processing because their bounce score reached threshold. These are members that haven't yet been removed, but will be after they've received and not responded to bounce_you_are_disabled_warnings warning notifications.
These will show in the get_bounce_info output with
- current score >= bounce_score_threshold
- last bounce date in the recent past
- email notices left < bounce_you_are_disabled_warnings
- last notice date in the recent past
- confirmation cookie = a hex string

The other 18 are either stale or currently bouncing but not yet disabled. They will all have
- current score < bounce_score_threshold
- email notices left = bounce_you_are_disabled_warnings
- last notice date = (1970, 1, 1)
- confirmation cookie = None
The difference between stale and current is whether last bounce date is older than today - bounce_info_stale_after days.
> I currently get Uncaught bounce notifications, and process them by hand as they come in.
Please send them to me or post them here so we can improve the heuristic bounce recognition. You may sanitize them by munging email addresses to a form like user@example.com, list-bounces@example.com, etc. and if the original list post is included, you may replace it with a note, but otherwise we would like the exact headers and MTA boilerplate from the notice.
> I also see unsubscribes. Is there a way I can be notified of *caught* bounce notifications?
If you set bounce_notify_owner_on_disable to Yes, you will get a notice including the actual bounce DSN when the member's delivery is first disabled by bounce. Beginning in Mailman 2.1.19, you can set bounce_notify_owner_on_bounce_increment to Yes to receive a similar notice every time a member's bounce score is incremented, i.e., for at most one bounce per member per day.
-- Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
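As an added illustration of the classification Mark describes (this is not code from the thread or from Mailman itself), here is a small Python model of the bounce-record rules: a member is disabled once the score reaches bounce_score_threshold, otherwise the record is current or stale depending on bounce_info_stale_after, and the score is incremented at most once per member per day. The threshold and stale-after values are Mailman 2.1 defaults assumed here, the sample records are constructed, and the stale-reset step and the bounce weights are assumptions about Mailman's internals rather than facts stated in the thread.

```python
from datetime import date, timedelta

# Assumed list settings: Mailman 2.1's documented defaults, not values taken
# from this thread (the real list's Bounce processing page may differ).
BOUNCE_SCORE_THRESHOLD = 5.0
BOUNCE_INFO_STALE_AFTER = 7          # days
EPOCH = date(1970, 1, 1)             # "last notice date" of a member never warned


def classify(info, today):
    """Return 'disabled', 'current' or 'stale' for one member's bounce record.

    `info` carries the fields get_bounce_info reports (score, date of last
    bounce, lastnotice, cookie).  Following the explanation above: delivery is
    disabled once score >= threshold; otherwise the record is stale when the
    last bounce is older than today - bounce_info_stale_after days.
    """
    if info["score"] >= BOUNCE_SCORE_THRESHOLD:
        return "disabled"   # the members list_members --nomail=bybounce shows
    if info["date"] < today - timedelta(days=BOUNCE_INFO_STALE_AFTER):
        return "stale"
    return "current"


def register_bounce(info, today, weight=1.0):
    """Apply one bounce: at most one score increment per member per day, as
    stated above.  Returns True if the score changed.  Restarting a stale
    record from zero is an assumption about Mailman's internals."""
    if info["date"] == today:
        return False
    if classify(info, today) == "stale":
        info["score"] = 0.0
    info["score"] += weight
    info["date"] = today
    return True


def summarize(records, today):
    """Count members per category: the split behind '12 disabled vs 30 total'."""
    counts = {"disabled": 0, "current": 0, "stale": 0}
    for info in records.values():
        counts[classify(info, today)] += 1
    return counts


# Constructed sample records (not real subscribers) as of a made-up "today".
TODAY = date(2015, 5, 10)
SAMPLE = {
    "a@example.com": {"score": 5.0, "date": date(2015, 5, 8), "lastnotice": date(2015, 5, 8), "cookie": "0123abcd"},
    "b@example.com": {"score": 2.0, "date": date(2015, 5, 9), "lastnotice": EPOCH, "cookie": None},
    "c@example.com": {"score": 1.0, "date": date(2015, 4, 1), "lastnotice": EPOCH, "cookie": None},
}
```

Running `summarize(SAMPLE, TODAY)` on the constructed records gives one member in each category, which is the kind of split that separates the bybounce count from the full get_bounce_info count.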
Steven D'Aprano writes:
> Can you suggest anything I can do to avoid triggering the ISP's system?
<humor mood="DMARC black, very very black, Sir!"> Start by removing all yahoo.com and aol.com addresses! ;-) </humor>
The timing is wrong, and knowing you I suppose you probably already have a mitigation in place, but to cover all bases: it's possible you're running afoul of DMARC bounces. To address that, make sure your mailman is at least v2.1.18-1, and set one of the DMARC mitigation options (most likely, you should use Munge From) in the General Options screen. See the from_is_list option.
Otherwise, you're right, we need to see the addresses which are bouncing to guess why they might be bouncing. Perhaps they are some kind of spammy thing, subscribed in an attempt to either collect addresses (but then they should bounce) or to use your list as an expander for spam.
The bin/list_members script with the --nomail option will get you the list you want. It's usually in /var/lib/mailman/, but depending on your distro it might be somewhere else (/usr/lib/mailman, or yet another place).