Prevent users from sending emails that get the server IP blocked?

Shood

Hello there,
I need your suggestions please about avoiding this issue:

About 3 months ago, one of my customers sent an email message with about 40 recipient email addresses (@yahoo.com), so yahoo.com received about 40 messages at the same time delivered from my server.
They immediately blocked my server, so all other domains hosted on my server could not send emails to Yahoo.
I contacted them hundreds of times within three months, but no luck.
Finally, my server can send to Yahoo now.

My question is: how can you protect your server against a similar scenario?
Suppose that someone has a domain on your server and wants to play with you: he can send a message to 50 emails (and maybe he chooses mistaken addresses to harm you). In this case your server will get blocked on Yahoo, Hotmail, etc.
From your experience as a server owner, how do you protect your server?
I think that setting MAX_HOURLY_EMAIL to 10 emails isn't a good idea.

Any idea will be appreciated.
Thank you
 

cPanelLauren

Hello @Shood

Sending 40 messages to Yahoo actually shouldn't have blocked your server unless one of the following conditions was met:

1. The mail was obvious spam
2. Your server doesn't meet their bulk sender guidelines: Yahoo Mail deliverability FAQs | Yahoo Help - SLN24439
3. Related to both of the above, an email can match either of these conditions if you don't have a valid PTR, SPF or DKIM for the domain.

With those points in mind, it's difficult at this point to tell you what specifically happened (especially with no access to the server).
I will say that protecting your server from this kind of behaviour occurring again would need to include a few points:

- There are several spam protection settings in Tweak Settings that would be relevant in this case, one of which is the following, found in WHM >> Server Configuration >> Tweak Settings:
Monitor the number of unique recipients per hour to detect potential spammers.
The system will monitor the number of emails to unique recipients that each individual email user sends. If this number exceeds the specified threshold, the system will send a notification.

- > I think that setting MAX_HOURLY_EMAIL to 10 emails isn't a good idea.

  While setting this to 10 may be restrictive, this can be modified to whatever you find reasonable for your domains.

- You can enable SpamAssassin for outbound mail, which can help prevent spam from leaving your server in the event an account is compromised.


The documentation here may also be helpful:
How to Keep your Email Out of the Spam Folder - cPanel Knowledge Base - cPanel Documentation
How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation
How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

Thanks!
 

Shood

Hello @cPanelLauren
Thank you very much for this rich information.
My server meets the three conditions you've mentioned. I think that the major reason for the blocking is the invalid email addresses that the user sent to; about 10 of the 40 addresses on Yahoo are missing.
The Yahoo support team said that "maybe" the reason is that my server hadn't sent emails to Yahoo for a while, then suddenly it received a big amount (40) of emails with some invalid email addresses.

About protecting my server from this kind of behavior in the future, I will take a deep look at the helpful links and steps you've provided me. In case I need your advice again, I will get back here :)

Regards.
 

cPanelLauren

Hi @Shood

I would suggest, if nothing else, that you ensure that each domain has a valid SPF and DKIM and that the server's IPs used to send mail have valid PTR records. This is one of the most important methods of preventing blacklisting/blocking. Please let me know if you have any questions on the documentation I provided as well.


Thanks!
 

Shood

Hello @cPanelLauren,
Thank you for your interest.
I think that all settings are fine; I even got assistance from a support team.
PTR is valid; I tested it through the "dig" command.

I only need your answer about the following, please:
1- You said: "...each domain has a valid SPF and DKIM". I processed: Home » DNS Functions » Enable DKIM/SPF Globally. Is it enough to ensure that all are valid, or is there a command to check it for a specific domain?
2- About Max_Hourly: do emails sent between users of the same domain count? e.g. from: [email protected] To [email protected]

Thank you.
 

cPanelLauren

> 1- You said: "...each domain has a valid SPF and DKIM". I processed: Home » DNS Functions » Enable DKIM/SPF Globally. Is it enough to ensure that all are valid, or is there a command to check it for a specific domain?

Enabling this globally will enable it for all domains, but it will only take effect on domains that have DNS hosted locally on your server (meaning their nameservers are pointed to your server). You can confirm manually per domain by running the following:

For SPF
Code:
dig txt domain.tld +short
For DKIM
Code:
dig txt default._domainkey.domain.tld +short

> 2- About Max_Hourly: do emails sent between users of the same domain count? e.g. from: [email protected] To [email protected]

Yes, that's included in the max hourly total as well.
 
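What the two dig checks in the reply above should return, as an added example that is not part of the original thread: a shell script that judges the TXT answers instead of leaving them to be read by eye. The function names, verdict strings and script layout are assumptions made for this example; `default` is the selector from the reply, and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): judge the TXT answers printed by
#   dig txt domain.tld +short                      (SPF)
#   dig txt default._domainkey.domain.tld +short   (DKIM)

# dig prints a long TXT record as several quoted chunks on one line
# ("abc" "def"); join the chunks and drop the outer quotes.
join_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# stdin: dig output. Prints ok | missing | multiple | allows-any | no-all.
check_spf() (
  spf=$(join_txt | grep -iE '^v=spf1( |$)' || true)
  count=$(printf '%s\n' "$spf" | grep -c . || true)
  if [ "$count" -eq 0 ]; then echo missing
  elif [ "$count" -gt 1 ]; then echo multiple   # RFC 7208: more than one record is a permerror
  elif printf '%s\n' "$spf" | grep -qiE '(^| )\+?all( |$)'; then
    echo allows-any                              # "+all" authorizes every sender
  elif printf '%s\n' "$spf" | grep -qiE '(^| )[-~?]all( |$)|(^| )redirect='; then
    echo ok
  else echo no-all                               # no closing "all" mechanism or redirect
  fi
)

# stdin: dig output. Prints ok | missing | revoked.
check_dkim() (
  rec=$(join_txt | tr -d ' \t' | grep -E '(^|;)p=' | head -n 1 || true)
  [ -n "$rec" ] || { echo missing; exit 0; }
  key=$(printf '%s\n' "$rec" | sed -E 's/(^|.*;)p=([^;]*).*/\2/')
  [ -n "$key" ] || { echo revoked; exit 0; }     # RFC 6376: empty p= means the key is revoked
  echo ok
)

# Constructed sample answers (not real records), used when no domain is given.
SAMPLE_SPF='"v=spf1 +a +mx +ip4:192.0.2.10 ~all"'
SAMPLE_DKIM='"v=DKIM1; k=rsa; p=MIIBIjANBgkq" "hkiG9w0BAQEFAAOC"'

if [ "$#" -ge 1 ]; then          # usage: script domain.tld [selector]; needs dig and network
  echo "SPF:  $(dig txt "$1" +short | check_spf)"
  echo "DKIM: $(dig txt "${2:-default}._domainkey.$1" +short | check_dkim)"
else
  echo "sample SPF:  $(printf '%s\n' "$SAMPLE_SPF" | check_spf)"
  echo "sample DKIM: $(printf '%s\n' "$SAMPLE_DKIM" | check_dkim)"
fi
```

Looping this over every domain on the server shows which ones the global enable did not reach, for instance domains whose DNS is hosted elsewhere.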

Shood

Thank you @cPanelLauren
All is well, according to all the links and information you've provided me.
All settings are applied correctly and working fine.

So there's nothing more to do to prevent this bad kind of behavior (a user deliberately sends one message from my server containing an amount of invalid email addresses to a single destination, e.g. @Yahoo.com).
Thank you again & best regards
 

rpvw

> So there's nothing more to do to prevent this bad kind of behavior (a user deliberately sends one message from my server containing an amount of invalid email addresses to a single destination, e.g. @Yahoo.com).

There is not much you can do to prevent this type of behaviour, other than what @cPanelLauren has already advised.

If the laws of your country permit it, you should make sure that your Terms and Conditions allow you to suspend or delete any user that is found to be abusing your server for any malicious or illegal activities.