An old blog post from 2013, that’s still relevant today.
“Blocked for Bot-like Behavior”
An ESP asked about this error message from Hotmail and what to do about it.
“Bot-like” behaviour usually means the sending server is doing something that bots also do. It’s not always that they’re spamming, often it’s a technical issue. But the technical problems make the sending server look like a bot, so the ISP is not taking any chances and they’re going to stop accepting mail from that server.
If you’re an ESP what should you look for when tracking down what the problem is?
First make sure your server isn’t infected with anything and that you’re not running an open relay or proxy. Second, make sure your customers aren’t compromised or have had their accounts hijacked.
Then start looking at your configuration.
- are you using a consistent one for each IP or are the values changing?
- are you using a FQDN (fully qualified domain name, i.e., a.example.com) for the HELO?
- are you using a bare IP for the HELO/EHLO?
- does that FQDN match the rDNS of the IP?
- does your IP have rDNS?
- does that rDNS in any way look like it might be dynamic?
- how many IPs are you using to send the same message?
- are you using a consistent hostname in the envelope From?
- is that hostname similar to the hostname in the IP address?
- are you sending a MessageID?
- are you authenticating?
- is that authentication correct?
- are you sending small amounts of the same content over different IP addresses?
- is the content you’re sending being sent by other entities?
- are any of the URLs you’re linking to infected with anything?
- are any of the URLs you’re linking to serving ads that might be spreading viruses?
- are you closing connections promptly or are you holding them open?
- are you opening connections from different IPs and sending the same content at the same time?
The major bot-like behaviours are sending small numbers of messages from many different IP addresses, and using bad HELO/EHLO values. Even small senders using shared pools can trigger this filter at Hotmail. Try not to split small volumes of mail over multiple IPs whenever possible and particularly when you are getting this error message.
Laura, couple of questions on this….when you ask the questions about the hostname of the IP and the envelope from and tie them together, for a shared service provider, if you need to keep your mail from, envelope from and signing domains consistent, doesn’t that likely mean the hostname couldn’t really match if the IP was used by more than 1 of your customers?
I’m curious what small volume is to you. Our company serves a vertical market and do use pooled IPs. I think we do okay on volume but I certainly know we don’t do the volume of any general market sender.
We haven’t had the issue described here. I just like to always challenge our status quo and try and think about what we could be doing better.
It does make it harder to match, if you’re providing a shared service. And it’s not a hard and fast rule, it’s just a really good practice if it’s technically feasible.
For an ESP (sending bulk, has a dedicated automated bounce handler): envelope from, rDNS and HELO value should match. Mail from and signing domain can be different.
For a hosting provider (relaying individual mail, most mail sent by humans so bounces should go to the person): rDNS and HELO value should match each other. Mail from and envelope from should match each other. Signing domain can be different.
There are technical constraints that make it difficult to always make everything match, and the ISPs know that so it’s not necessarily a filter sign. But, if you’re getting the “bot-like behavior” message from Hotmail, or you’re ending up on the CBL, these are the things you’re going to want to look at while troubleshooting.
The really, really bad thing to do is rotate the HELO / EHLO values – like IMail (I think it was IMail) used to do. That really gets picked up as bot like behavior. Your HELO / EHLO values should be consistent.
In terms of volume, I think that there are a couple different ranges.
There is a bit of a jump between High and Very High, but I tend to think of very high as more than 15 or 20 million a day.