Mails being blacklisted by MWEB and Afrihost

MacMuffin

Hi all,

As many of you know, since Friday morning over 43,000 bidorbuy users are unable to receive our transactional mails due to Afrihost and MWEB flagging our mail as spam.

 

If you are one of the affected users, as a start switch to a reliable email provider such as Google, Yahoo, Hotmail or AOL.

 

Some more details about this incident:

  • We noticed transmission failures on Friday for outbound transactional mails (outbid notifications, sales notifications, winning bid notifications etc.) only affecting MWEB and Afrihost accounts (just remember that you can be affected if you have a different email domain and are hosting with MWEB / Afrihost).
  • The blacklist only affects our transactional mail and not our weekly newsletters.
  • We are not blacklisted and transactional mail to other ISPs and big mail providers (such as Google, Yahoo, Hotmail etc.) continues to work.
  • We escalated on Friday to MWEB and Afrihost and have yet to receive a response as to why this actually happened.
  • Afrihost seem to have lifted the block on 4th June in the early evening. No concrete response what happened, other than pointing to SpamExperts.com which provides them with blacklists. SpamExperts does not list our servers as blacklisted (and neither does any other service) and we are still awaiting a formal response.
  • MWEB has not reacted to anything and we are still awaiting resolution.

 

This disaster is extremely frustrating for us and must be even more so for bidorbuy users affected.

 

Just to summarise:

  • bidorbuy complies with CAN-SPAM (double confirmed opt-ins for promotional mail, unsubscribe functionality). We have never and will never send unsolicited email.
  • We are whitelisted in all major email reputation lists and have a good SenderBase- and SenderScore rating.
  • We segment our mail traffic (separate blocks of outbound servers for transactional and promotional mail)
  • We adhere to ISP mail-traffic ratios (i.e. we throttle outbound mail based on ISP standards).
  • We apply sender id (part of the mail-header gets encrypted/signed to prevent mail-spoof attacks)
  • We use one of the best commercial mail-servers (PowerMTA by Port25)

 

We are working very hard with the different parties involved to resolve this issue as soon as possible. Unfortunately customer support and willingness to assist from some ISPs is literally nonexistent.

 

As suggested above, as an interim measure, please change to a mail-service such as GMAIL to continue receiving transactional mail from bidorbuy.

Miss Jewels

Thanks MacMuffin. I'm with MWeb but still receiving mails from you regularly. No hiccups yet (touch wood)

svw
Thanks MacMuffin. I'm with MWeb but still receiving mails from you regularly. No hiccups yet (touch wood)

 

 

I am also with MWeb but have still been receiving mails although the odd mail gets marked as SPAM and ends up in my junk mail inbox

MacMuffin
I am also with MWeb but have still been receiving mails although the odd mail gets marked as SPAM and ends up in my junk mail inbox

 

Hi all,

 

We have now identified the root cause of the blacklisting/ban, and the ISPs affected by this have started whitelisting bidorbuy email.

 

CAUSE: Most ISPs use 3rd-party providers for anti-spam measures. Afrihost for example uses the services of SpamExperts.com to filter mail. During our investigation we found that SpamExperts applies a fuzzy/partial match of our DKIM mail signature (i.e. they match only 22 characters against our 240 character public key) which resulted in false positives due to a SPAM botnet using the same first 16 and last 6 characters.

 

Our DKIM key looks like this and the bolded section shows the part which is matched by SpamExperts resulting in the false positive:

p=
MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQCgJ26A+MJotjZE/VbuLK+X6GmzV4JsA9qzHx4PNQlmc2/y/uAIRTOCwMC0hncer2I77s6t6qisSiH6v4iY7nXmdWu47cWmVQwf6V0kiKXF+OsjjdcqJG5zjruZieCBj+w2YtBMsAILPk4OEgdGRUc/dE7gS6WWm4chZKuh/XHCxw
IDAQAB

 

 

DKIM (DomainKeys Identified Mail) is a standard which allows mail senders like ourselves to digitally sign outbound mails, allowing recipients to verify the identity and origin of the mail with the intention to block spam, phishing and mail spoofing. We encrypt and sign a portion of all our outbound mail-headers and the recipient mail servers (ISPs like Afrihost or MWEB) are supposed to look up our public key (the one shown above) and then decrypt our DKIM signature to verify the identity of the mail.

 

Since SpamExperts only performs a partial match (and also ignores our excellent domain- and mail reputation as well as our whitelisting across all major spam-lists), this resulted in a false positive due to a SPAM botnet using a similar signature (only the bold blocks match).

 

One can compare this to a merchant blocking your credit card due to another card's first and last 4 characters having been blacklisted - as you can imagine this resulted in a huge issue for us, as over 40,000 bidorbuy users did not receive transactional mail since Friday morning.

 

Surprisingly, our promotional mail (newsletters) which uses the same public key had not been affected by this.

 

We have yet to receive a detailed explanation from SpamExperts, why they could not apply a full signature match (which would have never resulted in a false positive), and similar to the credit-card number example above, the only option we have, is to recycle our domain keys over the weekend.

 

We do believe that recycling domain keys is not a reliable solution, as this could again result in a false positive in future.

 

We have engaged with various ISPs and large corporates in South Africa to ensure that our mails are whitelisted, especially since we have consistently applied safe sender policies over the last decade and have never been flagged for inappropriate mail transmission.

 

We apologize for the potential loss of revenue sellers might have encountered due to buyers not receiving outbid alerts. We have certainly noticed a large decrease of turnover since the false positive prevented us from transmitting mail to Afrihost- and MWEB clients.

 

Afrihost and MWEB support has provided us good support in resolving the issue, considering that a 3rd-party data feed containing a false positive caused the issue in the first place.

 

We are still experiencing a small number of mails bouncing (about 500 out of over 100,000 per day) and hope that the affected ISPs will resolve this issue as soon as possible.

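An added example, not part of the original post: the 16 leading and 6 trailing characters of the key quoted above decode to ASN.1 DER framing (the rsaEncryption algorithm identifier and the exponent 65537), which every 1024-bit RSA DKIM key with that exponent shares, so a fingerprint built from them cannot tell keys apart. `synthetic_key` is a constructed sample (valid framing around a pseudo-random number, not a usable key pair), and `fuzzy_match` models the comparison as the post describes it.

```python
import base64
import hashlib

# p= value exactly as quoted in the post (16 + 194 + 6 characters).
PAGE_KEY = (
    "MIGfMA0GCSqGSIb3"
    "DQEBAQUAA4GNADCBiQKBgQCgJ26A+MJotjZE/VbuLK+X6GmzV4JsA9qzHx4P"
    "NQlmc2/y/uAIRTOCwMC0hncer2I77s6t6qisSiH6v4iY7nXmdWu47cWmVQwf"
    "6V0kiKXF+OsjjdcqJG5zjruZieCBj+w2YtBMsAILPk4OEgdGRUc/dE7gS6WW"
    "m4chZKuh/XHCxw"
    "IDAQAB"
)

# DER framing of a 1024-bit RSA SubjectPublicKeyInfo with e = 65537.
SPKI_HEAD = bytes.fromhex(
    "30819f300d06092a864886f70d010101050003818d0030818902818100")
SPKI_TAIL = bytes.fromhex("0203010001")  # INTEGER 65537


def synthetic_key(seed: bytes) -> str:
    """Constructed sample: SPKI framing around a pseudo-random 1024-bit odd number."""
    n = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(4))
    n = bytes([n[0] | 0x80]) + n[1:-1] + bytes([n[-1] | 0x01])
    return base64.b64encode(SPKI_HEAD + n + SPKI_TAIL).decode()


def fuzzy_match(a: str, b: str) -> bool:
    """Partial comparison as described in the post: first 16 and last 6 characters."""
    return a[:16] == b[:16] and a[-6:] == b[-6:]


def full_match(a: str, b: str) -> bool:
    """Compare a digest over the whole decoded key."""
    da, db = (hashlib.sha256(base64.b64decode(k)).digest() for k in (a, b))
    return da == db


def matched_span_is_framing(key: str) -> bool:
    """True if the 16 + 6 matched characters cover DER framing only, no modulus bytes."""
    raw = base64.b64decode(key)
    return raw[:12] == SPKI_HEAD[:12] and raw[-5:] == SPKI_TAIL


if __name__ == "__main__":
    other = synthetic_key(b"constructed-sample")
    print("fuzzy match:", fuzzy_match(PAGE_KEY, other))
    print("full match: ", full_match(PAGE_KEY, other))
    print("matched span is framing only:", matched_span_is_framing(PAGE_KEY))
```
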
lilythepink

A couple of my emails read today (from the past week) were also relegated to "spam". I am with hellkom!

miraclebabycaw

This happened to our "bug logging" system at work last week as well so all our clients were also not getting mails. Don't think it was just bidorbuy that was affected.

MacMuffin
This happened to our "bug logging" system at work last week as well so all our clients were also not getting mails. Don't think it was just bidorbuy that was affected.

 

Hi there - if it does not take too much effort, could you possibly mail/PM me some extra information about what exactly happened in your scenario?
