
Following the SMTP rules

An old blog post from 2013 that’s still relevant today.
“Blocked for Bot-like Behavior”
An ESP asked about this error message from Hotmail and what to do about it.
“Bot-like” behaviour usually means the sending server is doing something that bots also do. The sender isn’t always spamming; often the cause is a technical issue. But the technical problems make the sending server look like a bot, so the ISP takes no chances and stops accepting mail from that server.
If you’re an ESP what should you look for when tracking down what the problem is?
First, make sure your server isn’t infected with anything and that you’re not running an open relay or proxy. Second, make sure your customers haven’t been compromised or had their accounts hijacked.
Then start looking at your configuration.
HELO/EHLO values

  • are you using a consistent one for each IP or are the values changing?
  • are you using a FQDN (fully qualified domain name, i.e., a.example.com) for the HELO?
  • are you using a bare IP for the HELO/EHLO?
  • does that FQDN match the rDNS of the IP?

IP issues

  • does your IP have rDNS?
  • does that rDNS in any way look like it might be dynamic?
  • how many IPs are you using to send the same message?

Header issues

  • are you using a consistent hostname in the envelope From?
  • is that hostname similar to the hostname in the IP address?
  • are you sending a Message-ID?
  • are you authenticating?
  • is that authentication correct?

Content

  • are you sending small amounts of the same content over different IP addresses?
  • is the content you’re sending being sent by other entities?
  • are any of the URLs you’re linking to infected with anything?
  • are any of the URLs you’re linking to serving ads that might be spreading viruses?

Sending issues

  • are you closing connections promptly or are you holding them open?
  • are you opening connections from different IPs and sending the same content at the same time?

The major bot-like behaviours are sending small numbers of messages from many different IP addresses, and using bad HELO/EHLO values. Even small senders using shared pools can trigger this filter at Hotmail. Try not to split small volumes of mail over multiple IPs whenever possible and particularly when you are getting this error message.
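The HELO/EHLO, rDNS and multi-IP checks from the list above, run over your own outbound session records, as an added example (not code from the original post). The record layout `(source_ip, helo, content_id)`, the PTR map, the function names and the dynamic-rDNS pattern are assumptions; the sample data is constructed from documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Heuristic (assumption): labels that commonly mark dynamic or consumer address space.
DYNAMIC_HINT = re.compile(r"dyn|dhcp|pool|dsl|cable|ppp|\d+[-.]\d+[-.]\d+[-.]\d+", re.I)

def is_bare_ip(value):
    try:
        ipaddress.ip_address(value.strip("[]"))  # accepts 192.0.2.1 and [192.0.2.1]
        return True
    except ValueError:
        return False

def audit(sessions, ptr_records):
    """sessions: (source_ip, helo, content_id) tuples; ptr_records: ip -> rDNS name."""
    helos, spread = defaultdict(set), defaultdict(set)
    for ip, helo, content_id in sessions:
        helos[ip].add(helo.rstrip(".").lower())
        spread[content_id].add(ip)
    findings = []
    for ip, values in sorted(helos.items()):
        ptr = ptr_records.get(ip)
        if ptr is None:
            findings.append((ip, "no rDNS"))
        elif DYNAMIC_HINT.search(ptr):
            findings.append((ip, "rDNS looks dynamic"))
        if len(values) > 1:
            findings.append((ip, "HELO changes between sessions"))
        for helo in sorted(values):
            if is_bare_ip(helo):
                findings.append((ip, "bare IP as HELO"))
            elif "." not in helo:
                findings.append((ip, "HELO is not an FQDN"))
            elif ptr and helo != ptr.rstrip(".").lower():
                findings.append((ip, "HELO does not match rDNS"))
    for content_id, ips in sorted(spread.items()):
        if len(ips) > 1:  # any split is reported; judge it against your volume
            findings.append((content_id, f"same content sent from {len(ips)} IPs"))
    return findings

# Constructed sample data (documentation addresses, not real senders).
PTR = {"192.0.2.10": "mta1.example.com", "192.0.2.11": "host-192-0-2-11.dyn.example.net"}
SESSIONS = [
    ("192.0.2.10", "mta1.example.com", "A"), ("192.0.2.11", "mailer", "A"),
    ("192.0.2.11", "[192.0.2.11]", "B"), ("192.0.2.12", "mta3.example.com", "B"),
]
print(*audit(SESSIONS, PTR), sep="\n")
```

Each finding is a prompt for review rather than a verdict; fill the PTR map from your resolver's answers for every sending IP.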
 

2 comments

  1. Bill S says

    Laura, couple of questions on this….when you ask the questions about the hostname of the IP and the envelope from and tie them together, for a shared service provider, if you need to keep your mail from, envelope from and signing domains consistent, doesn’t that likely mean the hostname couldn’t really match if the IP was used by more than 1 of your customers?
    I’m curious what small volume is to you. Our company serves a vertical market and does use pooled IPs. I think we do okay on volume but I certainly know we don’t do the volume of any general market sender.
    We haven’t had the issue described here. I just like to always challenge our status quo and try and think about what we could be doing better.

    1. laura says

      It does make it harder to match, if you’re providing a shared service. And it’s not a hard and fast rule, it’s just a really good practice if it’s technically feasible.
      For an ESP (sending bulk, has a dedicated automated bounce handler): envelope from, rDNS and HELO value should match. Mail from and signing domain can be different.
      For a hosting provider (relaying individual mail, most mail sent by humans so bounces should go to the person): rDNS and HELO value should match each other. Mail from and envelope from should match each other. Signing domain can be different.
      There are technical constraints that make it difficult to always make everything match, and the ISPs know that so it’s not necessarily a filter sign. But, if you’re getting the “bot-like behavior” message from Hotmail, or you’re ending up on the CBL, these are the things you’re going to want to look at while troubleshooting.
      The really, really bad thing to do is rotate the HELO / EHLO values – like IMail (I think it was IMail) used to do. That really gets picked up as bot-like behavior. Your HELO / EHLO values should be consistent.
      In terms of volume, I think that there are a couple different ranges.

      • Very small: Less than 50,000 emails a month. This is servers like ours, used by a small business, or maintained as a hobby.
      • Small: Less than 1,500,000 emails a month. Bigger businesses, some small ISPs.
      • Medium Volume: Between 1,500,000 and 7,500,000 emails a month.
      • High Volume: Between 7,500,000 and 150,000,000 emails a month.
      • Very High Volume: More than 450,000,000 emails a month.

      There is a bit of a jump between High and Very High, but I tend to think of very high as more than 15 or 20 million a day.
