OVHcloud AntiSpam - Best Practices and Unblocking an IP

For every IP available with OVHcloud products and services, as an Internet Service Provider, we will register and reserve it with organizations such as RIPE or ARIN. This means that we appear as the IP abuse contact for litigation in the WHOIS database.

If an IP is reported to organizations such as Spamhaus and SpamCop, which work to combat SPAM, malicious websites, and phishing, then the reputation of the entire OVHcloud network is at stake.

It is therefore important that OVHcloud takes care of the reputation, quality, and security of the network, which also forms an important part of your service.

How does the protection system work?

Our system is based on the Vade Secure anti-spam technology.

Once an IP is "blocked for SPAM", an email will be sent to your account containing information like the example below:

Dear Customer,

Our anti-spam protection layer has detected that your IP 122.122.122.122 is 
sending spam.
In order to protect our network, we have blocked the port 25 of your server, 
at the network level.
To help you investigate about this problem and fix it, here is a sample of 
some advanced details on your emails:
    
Destination IP: 188.95.235.33 - Message-ID: 
d24aa492-5f37-457f-9595-23ddc9e0f714@xxxxxxxxxxxxx.xx.local - Spam score: 300
Destination IP: 188.95.235.33 - Message-ID: 
fc090jdhf934iu09bf084bfo92@xxxxxxxxxxxxx.com - Spam score: 300
Destination IP: 188.95.235.33 - Message-ID: 
P0hbfo93407684bfoqljrlqvpLatS3RRB9rZw7e8s@xxxxxxxxxxxx.online - Spam score: 300
Destination IP: 188.95.235.33 - Message-ID: 
6ZUnls843bnf0934StxFasYGmhtDJRo@xxxxxxxxxxxx.online - Spam score: 300
Destination IP: 188.95.235.33 - Message-ID: 
zcb.3z54da3kdfkl45802n0c0q98rqcc57e3b8aadfac63b2c408e3f5f9a27.
1d44jkgnddfef.166489320375@xxxxxx.xxxx.net - Spam score: 300
Destination IP: 188.95.235.33 - Message-ID: 
zcb.3z54da33hn98v9bcq-nrf3r67cc57e3b8aadfac63b2c408e3f5f9a27.1d44jd9340252.
1655508652095@xxxxxx.xxxx.net - Spam score: 300

Instructions

What to do after receiving the email alert?

The process is to identify the issue, resolve it, then unblock your IP.

Identify and resolve the issue

Before unblocking an IP:

• Stop sending emails (e.g. stop all email software such as qmail, Postfix, Sendmail etc.).
• Check the email queue (e.g. qmHandle for qmail, postqueue -p for Postfix) and clear it.
• Analyze your logs using the Message-ID found in the block alert.
• If you are indeed sending SPAM or illegitimate emails, we strongly recommend you to resolve the issue before unblocking the IP. Please consult the second part of this guide for email best practices.

Once the issue has been resolved, you can unblock your IP by performing the following steps.

Unblock Your IP

Unblocking your IP using OVHcloud Control Panel

In your OVHcloud Control Panel, go to the Bare Metal Cloud section and click on IP.

In the yellow window for IP alerts, click on the View all alerts drop-down arrow to view all alerts on your IP(s).

If you have an alert on any your IP(s), the information will be displayed right underneath:

Next, in the section "My public IP addresses and associated services" , click on the ... next to the corresponding IP/service and select Anti-spam.

In the new tab, click on Unblock the anti-spam at the bottom and confirm.

The IP is being released, the operation may take several minutes.

Once done, your IP will be unblocked.

Unblocking your IP using OVHcloud API

Log in to the OVHcloud API interface according to the relevant guide and follow the steps below.

First, retrieve the list of IPs for each OVHcloud service (Dedicated Server/Hosted Private Cloud/VPS/Public Cloud):

Here's an example of what you should see:

"2001:41d0:67:d200::/56",
"2001:41d0:68:a00::/56",
"2001:41d0:68:f000::/56",
"2001:41d0:117:db00::/56",
"122.122.122.121/28",
"145.56.222.96/28",
"188.81.49.30/28",

Next, search for IPs in a particular state with the following call. If you already know the IP blocked, you can move on to the next step:

Here's an example result (in this instance, the 122.122.122.121/28 block was selected):

"122.122.122.122" 

If the IP is blocked, you can get information on the blocking with the following call. Otherwise, move on to the next step.

Here's an example result (in this instance block 122.122.122.121/28 and IP 122.122.122.122 were selected):

time: 3600,
date: "2022-08-29T17:42:50+01:00",
ipSpamming: "122.122.122.122",
state: "blockedForSpam" 

Which means:

- The IP is blocked for 1 hour (or 3600 seconds).
- It was blocked on 29/08/2022 at 5:42 p.m.
- Its current state is blocked.

If you wish to obtain the statistics on what has been detected, use the following api call, otherwise move on to the next step.

Here is an example result:

{
"messageId": "2PXQSX-3JRAUU-SF@obfuscated.com",
"destinationIp": "188.95.235.33",
"date": 1385640992,
"spamscore": 410
}

Unblock the IP

To unblock your IP:

1. Click POST /ip/{ip}/spam/{ipSpamming}/unblock.
2. In the ip menu, specify the IP block retrieved in the previous step with the netmask.
3. In the ipSpamming menu, specify the previously retrieved IP in "blockedForSpam" state.
4. Click Execute.

Here is an example result:

"message": "This IP address is still blocked for 129 seconds"

More than 129 seconds later:

time: 3600,
date: "2022-08-29T17:42:50+01:00",
ipSpamming: "122.122.122.122",
state: "unblocking" 

The IP is being released, the operation may take several minutes.

In case of false positives

In some cases, the antispam alert could be false positive. If you have checked and found that Message-ID are from your legitimate email, you should then ensure that your email messages comply with the RFC and the Best Practices indicated below.

RFC

RFCs (Request For Comments) are documents intended to describe technical aspects of the Internet. They are produced and published by the IETF (Internet Engineering Task Force), a group which basically produces and defines standards. For more information, see: RFC, IETF and Internet Draft.

Best Practices

Best practices are recommended methods which are often based on the RFC documents and are intended to advise you on the best way to proceed. In this instance, this means the basic rules to follow so that your emails are not marked as spam.

Sending Volume

If your outgoing email volume is very high, you are advised to:

• reserve an IP block dedicated solely to email usage.
• provide an 'abuse' address on this block in order to receive complaints.
• configure Reverses on all IPs correctly.

This operation will enable you to simultaneously isolate the IP and domain reputation if you send emails from various domains, to receive the complaints, and thus do what is necessary to get unblocked by various organizations. It also enables you to locate a problem more quickly on a form that uses domain X or Y, as the emails are not sent out from the same IP and don't have the same reverse.

Email Content

• Avoid using spammer keywords in your emails such as “buy” and “last chance”, and avoid capital letters, impersonal subjects, exclamation marks, and % discounts.
• Do not forget to provide an unsubscribe link for people who have not requested to receive your email or who believe it to be illegitimate.
• Pay particular attention to ensuring that your emails contain the sender's address (or an alias), a subject line and a correct ratio of text, images and links in the body of the message.
• The ratio of text to image and text to link should be high. Do not overload the email with hyperlinks and avoid Javascript.

FBL - Feedback Loop

This system enables you to follow up on feedback provided by some internet service providers directly, informing you that their users have flagged your message as illicit, and that it has therefore been classified as spam. This will allow you to interact directly with these ISPs regarding your reputation. Some FBLs include:

• Yahoo & AOL Postmaster
• SpamCop
• Outlook & live.com

Authentication

Some authentication services allow you to protect your reputation:

• Sender-ID: An email authentication technology developed by Microsoft which validates the authenticity of your domain name by verifying the IP address of the sender. This technology is based on the IETF standard: RFC4406
• SPF: Sender Policy Framework is a standard for verifying the domain of the sender. It is based on RFC4408 and consists of adding an SPF or TXT field to the domain DNS, which contains the list of IPs authorized to send emails from this domain.
• Reverse DNS: Reverse enables your IP to be "translated” into your domain. That allows the domain associated with the IP address to be found.
• DKIM: This standard is described in RFC4871. AOL and Google (Gmail) work on this basis.

For more information on the above services, please consult our guide on How to Optimize the Sending of Emails.

Specific types of email sending

• To a Microsoft server (Outlook, etc.)

Microsoft uses a whitelist policy. This means that initially, everything starts off on a blacklist, and a specific procedure is required to validate your email server. 

• To a Gmail server

If your recipients are with Gmail, adding specific records (e.g. a DMARC record) may ensure that emails reach them. Here is a Google article that can help you with this: Add a DMARC record.

Google also has a dedicated article regarding spam prevention to Gmail users.

Conclusion

Having read this guide, you should be able to check alerts on your IPs in OVHcloud Control Panel and unblock the affected IPs. You also should be aware of strategies to deal with false positives.