Mimecast - Cloudmark woes

w1z4rd
This has become really frustrating and I am not sure what to do.

I have a domain with its own dedicated IP that is often getting blacklisted with just one company (and its provider): Mimecast (who apparently uses Cloudmark). On no other blacklists are we listed. It's generally a squeaky clean IP. Just randomly, the client gets blacklisted. I end up having to email the local Mimecast guys; about a day later they get back to me and tell me Cloudmark was the lister and give me the address to get delisted with Cloudmark.

Now nowhere in this entire process are we told why we are listed. When we enquire why, we simply get told, "cause Cloudmark listed you". There is no explanation. So it's very hard to troubleshoot. We are pretty sure it's not spam. The server they are on has an hourly limit of 200 emails per hour. All their PCs have been checked for viruses and their passwords updated. There is no spam coming from their website. So I don't know how to troubleshoot this.

I kinda feel that if companies are going to penalize people so hard on blacklists, they should clearly highlight why you are blacklisted in the first place so you can troubleshoot the issues. I also feel that Mimecast's systems are a little bit insane, and probably costing their clients a lot of money in the amount of legitimate email that is being blocked.

How are you guys troubleshooting blacklists like Mimecast?
 
We use Mimecast and haven't had a single client complaining about emails being blocked, sure there's a ton of emails being blocked by Mimecast but they are all spam, now and then a legit email gets put on hold which the user can then release if it is legit.

Is port 25 only allowed outbound from your mail server?
 
No issues with Mimecast on any end in relation to blacklisting, customer and provider side.
 
I can guarantee you some legitimate email is being blocked with false positives like this. I'm seeing it! Legitimate clients of well-known companies trying to email other legitimate companies. I see the bounces. Perhaps you just don't have a big enough pool to work with or something, but I know it is happening. I can show you logs if you want.

So as per usual, I email Mimecast, and they refuse to take responsibility for their product. They have no clue why the IP is being blacklisted. They refer me to the company that actually does their filtering lists, which is Cloudmark. I go on my knees a-begging Cloudmark to please tell me why the IP is being blacklisted. They ALWAYS respond back with "we have reset the counter for the IP". Which does NOTHING! No one at Cloudmark or Mimecast can tell you why the IP is being blacklisted.

This is piss poor. Never had more headaches with false positives than what I have had with Mimecast.

PS, there are also no issues with the security of my MTA. It's very tight, which is why I am trying to find out why the **** Cloudmark / Mimecast keep listing me.
 
Get the domain removed from the blacklists. (That could take a week or two.) You can't really blame Mimecast for doing exactly what they are supposed to do, like blocking domains that are on a blacklist. Domains (or IPs) don't get blacklisted for nothing either, so at some point spam/crap must have been sent from that domain, or still is if it gets added back to the blacklists.

We have been using them for 5 years, and not a single issue, ever. (We were also on some blacklists at one point, but that has zero to do with Mimecast.) It's your responsibility to make sure your mail system does not send out crap and end up on blacklists. And if it does, you need to sort it out, not Mimecast.
 
I'm not sure you are understanding the issue. We are not on any other blacklists (checked with mxtoolbox). There is one domain on that IP. If we are getting blocked I would like to know why so I can resolve the issue, as when I look at the server and the logs, there are no high volumes of mail being sent. I don't think it's unreasonable to know why you are blocked if you are blocked.

They have removed the IP for now. Not sure why I was listed, not sure why I was delisted :/

If this had been a shared IP, hundreds of emails would have been bounced. I've seen it a couple of times. Recently we changed to a new server and for some reason our IP was listed as dynamic. So Mimecast blocked us and I had to email Cloudmark to let them know that the server's IP was not part of a dynamic IP range. Until they unblocked it, hundreds of legitimate users on that server had bounced emails to Mimecast clients. So I know without a doubt certain policies do result in legitimate email not getting through.

I know this is a pretty common problem with shared hosting. I've also seen it happen to the MTN SMTP servers :D
 
I'm pretty sure I understand 100% correctly, you did say you are getting blacklisted, did you not? :)

And yes, it is very difficult to see why you were being blacklisted. Could be one of many things.
How secure is your internal network?

Do you only allow SMTP traffic out from the internal email server to the Mimecast IP ranges only? (That would be configured on the firewall obviously.) Relaying allowed perhaps? How's the setup for incoming SMTP? Do you only accept SMTP incoming from the Mimecast servers?

Can you telnet to port 25 on your external IP? (Should not be able to obviously, only Mimecast IPs should be allowed to talk to your external IP on port 25.)

Once you are sure no internal client can send out mails (except for your Exchange, and it's not allowed to relay), and the incoming firewall rule is also 100% set up correctly, then one can start looking at other places, but something is currently happening causing you to get blacklisted...
 
Just because you don't send spam, doesn't mean the recipients don't think it's spam and report it as spam.

One of our clients sits with the same thing. One of their (stock market listed) suppliers often blocks them for sending spam, because they feel the client is sending too many emails - in this case it's only invoices and security updates (they're a security monitoring company). This has been going on for a few years now. Invoices don't get paid on time, because the accountant doesn't receive the invoices, because the network admin / "upstream mail filter company" blacklists them from time to time for sending too many emails with attachments.

Something else I have picked up though, is that someone in the company (it could be any company) decides to send out a re-marketing email to existing clients ("they're clients already, so surely they will want to receive this re-marketing email with great specials?") but some of the clients don't want the emails and immediately flag the email as spam, instead of telling the supplier they don't want the re-marketing email. Or there isn't an easy way to opt out of the marketing emails. Just 'cause a client dealt with you in the past doesn't mean he'll want your emails in the future. Rather give him a client choice and allow him to remove himself from the mailing list if he doesn't want the bulk mailer.
 
The IP has four email accounts from an accounting firm. Their email volumes are very very low. 0 Marketing, advertising or any type of such emails are sent out.
 
Thanks for trying anyways. The server is at Hetzner... it's a dedicated server, not an onsite corporate mail server. The security on the server is fine. It's not an open relay, it sends mail to many MTAs. Mimecast is one of many. It has hourly limit rates, authentication, spam filters, AVs, strict policies, etc etc etc. This is not my first rodeo. I have dozens of dedicated servers with thousands of domains on them which in turn have thousands of email accounts on them. This is the only one having an issue.

One of the ways I'm pretty sure it's not the server is that the server probably has around 200 domains on it. None of their IPs are blacklisted.

I'm thinking perhaps a strange type of trojan on a client PC that's trickling spam out or something... as there is no large volume. Would be nice if I had the header information of the email so I could get more information.
 
Are you using DKIM and SPF?

Perhaps you should BCC all outgoing mail to one of your own mailboxes and monitor it for a while to see if something slips through?
Check the mail logs on your own server and make sure someone else didn't steal one of the email passwords and is purposefully using it to send spam?
 
Are you using DKIM and SPF?
Yip.

Perhaps you should BCC all outgoing mail to one of your own mailboxes and monitor it for a while to see if something slips through?

I will do this if blacklisted again.

Check the mail logs on your own server and make sure someone else didn't steal one of the email passwords and is purposefully using it to send spam?
I did check the logs, could not see anything strange.
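
The log check suggested above can be scripted. This is an added example, not code from any poster in the thread: it assumes Postfix-style `sasl_username` log lines (the thread does not name the MTA), and the host names, addresses and accounts in the sample are constructed. It counts authenticated submissions per account by source IP and by hour, so a stolen password used from an unfamiliar address shows up even when the volume stays far below the 200-per-hour limit mentioned in the first post.

```python
import re
from collections import Counter

# Postfix writes one line like this per message accepted over authenticated SMTP.
AUTH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"postfix/\S*smtpd\[\d+\]: \w+: client=\S*\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)"
)

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
Mar  4 09:12:01 mx1 postfix/submission/smtpd[2101]: 4A1B2C3D01: client=office.example.net[198.51.100.10], sasl_method=PLAIN, sasl_username=anne@firm.example
Mar  4 09:40:17 mx1 postfix/submission/smtpd[2107]: 4A1B2C3D02: client=office.example.net[198.51.100.10], sasl_method=PLAIN, sasl_username=ben@firm.example
Mar  4 14:03:55 mx1 postfix/submission/smtpd[2188]: 4A1B2C3D03: client=office.example.net[198.51.100.10], sasl_method=PLAIN, sasl_username=anne@firm.example
Mar  5 02:11:09 mx1 postfix/submission/smtpd[2301]: 4A1B2C3D04: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=ben@firm.example
Mar  5 02:11:41 mx1 postfix/submission/smtpd[2301]: 4A1B2C3D05: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=ben@firm.example
Mar  5 02:12:30 mx1 postfix/submission/smtpd[2304]: 4A1B2C3D06: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=ben@firm.example
Mar  5 02:13:02 mx1 postfix/smtpd[2310]: connect from unknown[203.0.113.77]
"""

def audit_auth(log_text, trusted_ips, hourly_limit=200):
    """Return {user: {"untrusted_ips": {ip: msgs}, "busy_hours": {hour: msgs}}}."""
    by_ip, by_hour = Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m is None:  # not an authenticated-submission line
            continue
        by_ip[(m["user"], m["ip"])] += 1
        by_hour[(m["user"], f'{m["mon"]} {int(m["day"]):02d} {m["hour"]}:00')] += 1
    findings = {}
    for (user, ip), n in by_ip.items():
        if ip not in trusted_ips:  # account used from an address nobody recognises
            findings.setdefault(user, {"untrusted_ips": {}, "busy_hours": {}})
            findings[user]["untrusted_ips"][ip] = n
    for (user, hour), n in by_hour.items():
        if n > hourly_limit:  # more messages in one hour than the account should send
            findings.setdefault(user, {"untrusted_ips": {}, "busy_hours": {}})
            findings[user]["busy_hours"][hour] = n
    return findings

if __name__ == "__main__":
    for user, finding in audit_auth(SAMPLE_LOG, {"198.51.100.10"}).items():
        print(user, finding)
```

For a four-mailbox domain, a per-account `hourly_limit` well under the server-wide 200 is the more useful setting, since a slow trickle never reaches the server limit.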
 