
23 Posts authored by: Kiersti Esparza Employee

The concept of form abuse, AKA email bombing or list bombing, has been around for a long time. At a high level this is where addresses are added to your database through a form by someone other than the address owner. These attacks may not seem bothersome at first: what's a few misrouted emails? However, forms can be filled out programmatically using different methods, increasing the scale of impact. At scale these kinds of form attacks can harm the email recipients, add junk leads to a business's database, and overwhelm the systems behind the forms, making them unusable or causing downtime.

 

I have identified the following distinct patterns from analyzing data sets tied to this behavior:

 

Distributed Denial of Service (DDoS) Attacks - The attacker actively works to overwhelm the systems supporting the form. By loading data at a rate the form cannot keep up with, the attacker can cause system failures that may cause downtime for providers. Historically, DDoS attacks were a primary method for disrupting computer systems on a network. Firewalls and other technologies have developed and continue to evolve to combat this kind of attack.

 

Targeting Individuals by Email Bombing - An email address is signed up to a large number of email lists through many different forms at the same time. This causes the individual to start receiving email at such a rate that they may not be able to use their email account. Even if the form operator has set up double opt-in on the form, the rate of emails received at one time typically overwhelms the address owner. This gained attention a couple of years ago when security researcher Brian Krebs described the list bombing attack against him.

 

This kind of attack can be unseen by a service provider, like Marketo, because the attack against the individual is often distributed across many different ESPs and senders. Marketo typically becomes aware that this is happening through blacklistings of the IP addresses sending the email. Typically these blacklistings are by Spamhaus, an entity that keeps a running list of known spamming operations to which many of the world’s largest Internet service providers (ISPs) subscribe. When Spamhaus lists IP addresses as a source of spam or other abusive mail, ISPs often stop accepting mail from those IP addresses. In this case Marketo's Email Delivery & Compliance Team will reach out to the customer and work with both Spamhaus and the customer to understand and resolve the issue. Spamhaus was instrumental in helping to resolve the attack on Brian Krebs mentioned above.

 

This type of attack seems to be made to punish individuals, as in the Brian Krebs incident, or to render an email account useless so an attacker can compromise other systems, like a customer's bank account, for example. I was sitting with a friend at a conference when this started to happen to him! He was receiving hundreds of emails a minute; all he could do initially was sit there and watch the emails pile up. In his case he ended up discovering that one of his online accounts at a popular technology store had been compromised. The attacker appeared to be using the attack to prevent him from noticing the original account being compromised.

 

Delivering Spam Payloads - Another pattern observed leverages personalization in emails sent from form fill outs. In this case we see volumes and volumes of addresses added through a form that asks for details like First & Last Name. The malicious actor puts a spam payload in the form field that personalizes an email so instead of using your first name in a greeting, for example, there is a spam payload in its place!

 

The email will be delivered with a spam payload where the First Name should be. The victim, whose form was attacked, sometimes has no idea that their content has been taken over like a zombie parasite.

 

Example of using name fields leveraged for personalization


 

We will see a variety of different spam payloads added to the field that is used for personalization, for example here is a list of similar payloads used in the First Name field

 


It can be difficult for an ESP or MA, like Marketo, to identify these kinds of attacks when they are done successfully. The point of the attack is to take advantage of the form and the resulting personalized emails, not to take them down. So these attackers try to avoid overwhelming the form with requests, often posting an address once a minute or hour. The attack is more successful the longer the behavior goes undetected and the more email is delivered. The most common pattern I have observed with this attack is that addresses from Chinese ISPs are added to the form and the field used to personalize the email is filled with spam content in Chinese, often linking to gambling sites. This can become problematic when a database becomes bloated with these junk leads. The majority of new subscribers come from qq.com and other Chinese domains, so if you are not targeting China it can be easy to identify and resolve. If you are targeting China, this becomes more difficult to manage, and the influx of junk leads and a form sending spam content can impact a sender's reputation at top Chinese domains, reducing delivery rates to the impacted domains.

 

How is Marketo dealing with this evolving issue?

Marketo employs a variety of defenses for these kinds of attacks, and our efforts to prevent them and to identify them when they do occur are constantly evolving.

Rate limiting - Marketo monitors for and limits key patterns added to forms by time.

Block traffic by IP address - IP addresses that have been associated with abusive traffic are cataloged and blocked from filling out forms.

Block traffic by payload pattern - When Marketo starts to see common patterns in the payload added to a field used for personalization, rules can be built to ignore that activity.

Honey pot - A form field that is hidden via styling or other means. People don’t fill out form fields they don’t see but unsophisticated bots fill out all form fields, including hidden ones. If there is a value in the honey pot, Marketo won’t create a lead record.

Monitoring and Alerting to internal teams with defined mitigation actions - early warning has allowed Marketo to respond before systems are overwhelmed.

 

Additional workarounds implemented by customers:

  • Set up rules that the form only allows entries from approved geo-locations
  • Additional honey pots via forms
  • Additional validation & data cleansing using partners
  • CAPTCHA via webhooks
  • Clone and replace the form when abuse is observed - The honey pots are sometimes identified by more sophisticated actors, then the form is cataloged and a script built to attack the form. If the form is being attacked, clone the form, replace it, and delete the old form. This can sometimes buy some time while other solutions are put in place because the attacker sometimes has to start over.
  • Remove the personalization from the email that is sent after the form is filled out since that may be what is attracting the abusers.
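
The defenses listed above (IP blocking, honey pot, payload pattern and rate limiting) can be combined in one server-side check. The sketch below is an added example, not Marketo's implementation; the field names, the link pattern, the length bound and the limits are assumptions, and every submission in it is constructed.

```python
import re
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"                         # assumed name of the hidden field
PERSONALIZED_FIELDS = ("first_name", "last_name")  # assumed merge fields
MAX_NAME_LEN = 40                                  # assumed upper bound for a name

# A name field should not contain a link or a bare hostname.
LINK_LIKE = re.compile(
    r"https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|info|cn|ru|top|xyz)\b",
    re.IGNORECASE,
)


class FormScreen:
    """Decide whether a form post may create a lead record."""

    def __init__(self, max_posts=5, window_seconds=3600, blocked_ips=()):
        self.max_posts = max_posts
        self.window_seconds = window_seconds
        self.blocked_ips = set(blocked_ips)
        self._accepted = defaultdict(deque)  # source IP -> accept timestamps

    def check(self, fields, client_ip, now=None):
        """Return (accepted, reason) for one submission."""
        now = time.time() if now is None else now

        if client_ip in self.blocked_ips:
            return False, "blocked_ip"

        # Humans never see the honeypot, so any value means a script filled it.
        if fields.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot_filled"

        # Payload pattern: links or oversized text in a personalization field.
        for name in PERSONALIZED_FIELDS:
            value = fields.get(name, "")
            if len(value) > MAX_NAME_LEN or LINK_LIKE.search(value):
                return False, "payload_in_" + name

        # Sliding-window rate limit per source IP.
        recent = self._accepted[client_ip]
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_posts:
            return False, "rate_limited"

        recent.append(now)
        return True, "ok"


def screen_sample():
    """Run constructed submissions through the screen and return the reasons."""
    screen = FormScreen(max_posts=2, window_seconds=60,
                        blocked_ips={"198.51.100.9"})
    posts = [
        # (timestamp, source IP, form fields) -- all values are constructed
        (0, "203.0.113.5", {"email": "ana@example.com", "first_name": "Ana"}),
        (1, "203.0.113.5", {"email": "bo@example.com", "first_name": "Bo",
                            "website": "http://bot.example"}),
        (2, "198.51.100.9", {"email": "cy@example.com", "first_name": "Cy"}),
        # Slow drip: one post an hour never trips the rate limit,
        # so the payload rule has to catch it.
        (3600, "192.0.2.44", {"email": "x1@example.net",
                              "first_name": "Win now www.casino.example"}),
        (7200, "192.0.2.44", {"email": "x2@example.net",
                              "first_name": "Win now www.casino.example"}),
        # Burst from one source: the third post inside the window is limited.
        (7201, "203.0.113.7", {"email": "d1@example.com", "first_name": "Dee"}),
        (7202, "203.0.113.7", {"email": "d2@example.com", "first_name": "Dee"}),
        (7203, "203.0.113.7", {"email": "d3@example.com", "first_name": "Dee"}),
    ]
    return [screen.check(fields, ip, now=ts)[1] for ts, ip, fields in posts]


if __name__ == "__main__":
    for reason in screen_sample():
        print(reason)
```

The slow-drip posts show why the rate limit alone is not enough for the spam payload pattern: they pass the per-IP window and are stopped only by the check on the personalization field.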

 

Because this attack vector is ever evolving, so is Marketo's approach to managing this abuse, so some features on the product roadmap* are focused on strengthening form security.

 

*Can't commit to specific release for these features at this time, stay tuned!

For years Marketo has been developing a database of full email addresses and domains that are determined to be so risky to a customer’s on-going success and the health of the Marketo network that the addresses are never mailed to. Some are unsubscribed from a customer’s database and others are soft bounced, both actions are taken to ensure these addresses are never mailed to out of Marketo.

 

This is a common practice for Email Service Providers (ESPs) and Marketing Automation (MA) companies. Some prospects see this as a requirement during the pre-sales process to ensure that Marketo is in the business to protect them.

 

Risky addresses can enter a customer’s database through a number of paths, such as an older, legacy database that has not been properly managed, but these kinds of addresses are most often introduced through third-party and purchased lists.

 

What kinds of addresses does Marketo block from customer’s mailings:

 

Addresses of known spam traps and vocal complainers.  This list includes full email addresses.

If Marketo’s Email Delivery & Compliance Team is able to identify an address is being used as a spam trap address this is added to Marketo’s Global Blocker. Every night this database is reviewed and if a customer has one of these addresses in their database this is unsubscribed in the customer’s database. The downside with only unsubscribing these addresses is that transactional/operational mail may still be sent.

 

Addresses from people writing to abuse@marketo.com who complain with extreme force or request to receive no marketing mail from Marketo are also added to this database.

 

Domains of known spam trap and temporary email address domains. This focuses specifically on the part of the email address after the @ sign.

When Marketo’s Email Delivery & Compliance Team identifies that a full domain is being used as part of a spam trap network we are able to take stronger action. Those domains are added to a list within our MTA that recognizes outgoing mail to any address at those domains and responds with a Technical Soft Bounce. This does not set the email as invalid=true in the customer’s database but does prevent the mail from being sent so that the customer is protected from mailing those risky addresses.

 

Temporary address domains are also added to this database. This includes providers like Mailinator. Experience has proven that these temporary addresses are quickly turned into spamtrap addresses and are often indicative of a poorly collected, maintained and performing database.

 

Most recently Marketo’s Email Delivery & Compliance Team has been working on the last tier of risky addresses in customer’s databases, generic addresses. This focuses specifically on the part of the email address before the @ sign.

These addresses are viewed as risky because role addresses are built for functions, not people. They’re often forwarded to multiple employees in a company and often change owners, and as a result we see that these addresses are often a source of multiple complaints for a single email. A number of these addresses are specifically required to be in place by RFC Standards, the "rule book" for the internet, when an email network is put in place. The RFC Standards declare how the addresses should be formatted, what the addresses are supposed to be used for, and which specific roles should use the addresses.  By extension, these prescribed addresses should not be on any list used for marketing purposes. Suppressing generic addresses is also a standard practice among ESPs and MAs like Marketo.

 

Those generic addresses are added to a list within our MTA that recognizes outgoing mail and responds with a Technical Soft Bounce. This does not set the email as invalid=true in the customer’s database but does prevent the mail from being sent so that the customer is protected from mailing those risky addresses.

 

In addition, we maintain a few logical choices that may cause abuse issues. The list of generic addresses that are being blocked includes:

 

noc, security, hostmaster, usenet, news, www, uucp, ftp, root, spam, spamtrap, honeypot, devnull, dns, phishing, phish, sysadmin, undisclosed-recipients, spearphish, postmaster, spammer, valued.spammer, robot.spammer

An updated blog related to Understanding a Spike in Click Activity

 

Support, Services and Marketo Executives report an increase in customers escalating elevated email click volumes in performance reporting.  The most typical escalation identifies instances of this filter’s behavior where all the links within an email have been clicked, often narrowed down to specific business targets at the same corporate domain(s) within a customer’s database. This method of link inspection is visible because it is so different from expected human behavior and happens in bulk.  Activity like this is easy to spot and ignore, but the methods for this kind of anti-malware detection vary, and not all of them are as easy to identify and exclude from reporting.

 

The underlying issue is due to email filters inspecting links to prevent their end users from downloading malware. This can result in the links within Marketo customer email appearing to have been clicked by a recipient when they were instead inspected by an email filter. Marketo has been aware of the filter behavior for several years and has been coaching customers with blog content and custom Professional Service consulting projects to reduce the triggers for and impact of this filter method, but this anti-malware methodology is increasing in the marketplace.

 

The escalation of this filter method’s impact is not unique to Marketo customers.  These email security filters impact all email senders including Marketo competitors. 

 

For the anti-malware filter/security provider it is an arms race against bad actors attempting to deliver malware to the security vendor’s end users. Barracuda Email Security Service was the first email security vendor to develop link inspection as anti-malware methodology, but other providers have begun leveraging link inspection to protect their users. Link inspection methods may include but are not limited to:

  • clicking anywhere from one to all of the links within an email
  • links may be clicked at the time of delivery and/or at a later time
  • clicks may occur before the receiving mail server returns a confirmed delivery response
  • clicks may or may not result in a website visit
  • some providers rewrite links within an email to inspect the link every time it is clicked
  • some providers inspect all redirected links, targeting the link tracking utilized by all email service providers and marketing automation companies
  • filter click traffic can come from the same IP addresses as legitimate click traffic, making it impossible to filter out of activity reporting
    • some filters inspect links from residential IP space instead of their business or corporate IP space to obfuscate the identity behind the link inspection

 

The filter is looking to hide the activity of inspecting the link and will try to look "as human as possible" to prevent the bad actor from changing the link’s potential payload after inspection but prior to the email recipient clicking the link. This intentional obfuscation of the link inspection is what makes it difficult for a provider like Marketo to exclude the activity of the link inspection from customer’s reporting.

 

For some providers link inspection happens as an enhanced or escalated filtering method applied to a message that has been determined to be suspicious by other stages in a multilevel filtering process. For Barracuda there are thirteen different layers of inbound email filtering, and link inspection is part of a higher level of filtering that is triggered if other aspects of the message or sender appear suspicious.  Marketo Deliverability consultants, who have been troubleshooting this, have learned that focusing on and addressing the triggers that cause the email to be subjected to a higher level of filtering helps alleviate the symptom of the link inspection in the customer’s performance reporting. This kind of project typically requires 12-20 hours of Professional Services paid consulting because the solutions explored can vary from

  • making sure the customer’s email Authentication mechanisms, like SPF and DKIM, are in place and valid
  • reviewing reputation drivers like acquisition and database management practices that may drive a poor sending reputation
  • understanding the segment size within individual companies our customer may be targeting because sending to a large number of recipients within the same company can trigger link inspection
  • inspecting the content for malformed html
  • reviewing specific addresses exhibiting anti-malware filter activity to develop a custom flow to ignore the activity in the customer’s reporting.

 

Marketo’s Product Team has been monitoring this customer escalation and is working to monitor patterns and develop a methodology for identifying click activity in reporting that is the result of filter activity without ignoring legitimate email clicks.  This project is on-going.

 

One of the risks of attempting to ignore link activity from anti-malware link inspections is that patterns are likely to change over time, and hardcoded rules for filtering activities may not be entirely effective. Because of this limitation Marketo has approached this both by looking to see how the product can be improved to reflect true recipient engagement and by developing actionable recommendations that Support can provide to customers, as well as Professional Service engagements.
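
Two of the easier-to-spot patterns described above (every link clicked in one burst, and clicks that arrive before delivery is confirmed) can be checked against click logs as in the following added example, which is not Marketo's method. The event layout, the 10-second burst window and all sample data are assumptions, and fixed rules like these will miss filters that deliberately imitate human timing.

```python
from collections import defaultdict


def flag_filter_clicks(clicks, delivered_at, link_count, burst_seconds=10):
    """Return {(recipient, email_id): reason} for click sets that look automated.

    clicks       -- iterable of dicts with recipient, email_id, link, ts
    delivered_at -- {(recipient, email_id): time delivery was confirmed}
    link_count   -- {email_id: number of tracked links in that email}
    """
    grouped = defaultdict(list)
    for click in clicks:
        grouped[(click["recipient"], click["email_id"])].append(click)

    flagged = {}
    for key, events in grouped.items():
        times = sorted(e["ts"] for e in events)
        links_hit = {e["link"] for e in events}
        total_links = link_count[key[1]]
        confirmed = delivered_at.get(key)

        # A click that precedes the confirmed delivery response cannot be
        # the recipient reading the message.
        if confirmed is not None and times[0] < confirmed:
            flagged[key] = "click_before_delivery_confirmed"
        # Every link in the email followed within a few seconds.
        elif (total_links > 1 and len(links_hit) == total_links
              and times[-1] - times[0] <= burst_seconds):
            flagged[key] = "all_links_in_burst"
    return flagged


def domains_inspecting_in_bulk(flagged, min_recipients=2):
    """List recipient domains where several addresses were flagged for one email."""
    per_domain = defaultdict(set)
    for recipient, email_id in flagged:
        domain = recipient.rsplit("@", 1)[1].lower()
        per_domain[(domain, email_id)].add(recipient)
    return sorted({d for (d, _), who in per_domain.items()
                   if len(who) >= min_recipients})


# Constructed sample: one email "E1" with three tracked links.
SAMPLE_LINKS = {"E1": 3}
SAMPLE_DELIVERED = {
    ("a@corp.example", "E1"): 1000,
    ("b@corp.example", "E1"): 1001,
    ("c@other.example", "E1"): 1002,
    ("d@corp.example", "E1"): 1005,
    ("e@other.example", "E1"): 1002,
}
SAMPLE_CLICKS = [
    dict(recipient=r, email_id="E1", link=link, ts=ts)
    for r, link, ts in [
        ("a@corp.example", "L1", 1003), ("a@corp.example", "L2", 1003),
        ("a@corp.example", "L3", 1004),
        ("b@corp.example", "L1", 1004), ("b@corp.example", "L2", 1004),
        ("b@corp.example", "L3", 1005),
        ("c@other.example", "L2", 12000),              # one link, hours later
        ("d@corp.example", "L1", 1004),                # before delivery at 1005
        ("e@other.example", "L1", 5000), ("e@other.example", "L2", 8000),
        ("e@other.example", "L3", 12000),              # all links, but spread out
    ]
]


def analyze_sample():
    flagged = flag_filter_clicks(SAMPLE_CLICKS, SAMPLE_DELIVERED, SAMPLE_LINKS)
    return flagged, domains_inspecting_in_bulk(flagged)


if __name__ == "__main__":
    flagged, domains = analyze_sample()
    for key in sorted(flagged):
        print(key, flagged[key])
    print("bulk inspection at:", domains)
```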

 

Additional Information about this filtering technique can be found here:

https://urldefense.proofpoint.com/

Cracking the Inbox Code: Barracuda

https://campus.barracuda.com/product/essentials/doc/51188521/understanding-inbound-and-outbound-message-flow/

https://www.paloaltonetworks.com/documentation/61/wildfire/wf_admin/wildfire-overview/wildfire-concepts#_73619



The Spam Cannibal DNSBL has been around since at least 2003. 

What is a Blacklist? A DNSBL is a DNS (domain name service) based spam blocking list.

These are also known as blacklists, blocklists, or RBLs.

 

Listings with this DNSBL were caused by sending mail to spamtraps.

 

The blacklist was never widely used and seemed to stop working in 2016.

 

As of May 2018 it has been confirmed that the blacklist is retired and should no longer be used. 

     The domain "spamcannibal.org" is expired and has been taken over by a different owner.

 

If you visit the website, be careful! It is reportedly hosting malware now.




 

An external blog about this DNSBL - blacklist resource: Status of bl.spamcannibal.org: DEAD


 

Why you should have a valid, working From and Reply-To address rather than a non-functional or "no-reply" address:

 

1) Encouraging engagement is key to maintaining a positive reputation. It demonstrates credibility to ISPs when recipients engage with your email, and replying to your email and adding your address to an address book are both ways to get some positive reputation points. It is not likely that a subscriber will add "no-reply" to an address book.


 

2) Some subscribers will reply to unsubscribe. If that fails, they are likely to complain, which decreases your sender reputation.

 

3) You'll be able to capture out of office notifications that can help you clean up your database by identifying invalid addresses, like employees who no longer work for a company or to identify changes to the recipient's domain when a merger or acquisition occurs.

 

4) Imagine talking all the time to someone but not allowing them to reply. That's a bad relationship. That's the same message a no-reply sends to a subscriber.

 

5) It is important that the From Address be a valid email address, because some filtering systems validate that it is a real address that will accept mail. If the address is not a real email address, this can cause mail to be blocked or undelivered.

 


Carmi Lopez-Jones, an AMAZING Deliverability Consultant at Marketo, and I presented on Marketo's University Day at Summit.  I promised to share the content we presented in this blog because our PPTs were updated from the copies you received as attendees.  And if you did not attend you get a view of what was presented at this valuable session! 

 

The PPT has been stripped of the branded template, but the content is intact!  Yesterday I posted the first session, "Improving Email Deliverability by Design: Best Practices and Strategies."  This session covered

  • Developing an envelope strategy using best practice recommendations
  • Understanding the email delivery landscape to prevent email delivery issues
  • Designing content and images for optimal deliverability success

 

Today I have the second session ready to post, "Optimizing Email Deliverability" which covered

  • Deliverability and how it’s measured
  • Important metrics to monitor
  • How to monitor your deliverability metrics using Marketo reporting
  • And how to leverage best practices to increase engagement

 

But I have to say, if you missed the session, the discussion in the Q&A is almost more valuable than the presentation itself - there were so many great questions asked by the audience!  See you at next year's Summit!




Carmi Lopez-Jones, an AMAZING Deliverability Consultant at Marketo, and I presented on Marketo's University Day at Summit.  I promised to share the content we presented in this blog because our PPTs were updated from the copies you received as attendees.  And if you did not attend you get a view of what was presented at this valuable session! 

 

The PPT has been stripped of the branded template, but the content is intact!  Today I am posting the first session, "Improving Email Deliverability by Design: Best Practices and Strategies."  This session covered

  • Developing an envelope strategy using best practice recommendations
  • Understanding the email delivery landscape to prevent email delivery issues
  • Designing content and images for optimal deliverability success

 

Tomorrow I'll have the second session ready to post, "Optimizing Email Deliverability" which covered

  • Deliverability and how it’s measured
  • Important metrics to monitor
  • How to monitor your deliverability metrics using Marketo reporting
  • And how to leverage best practices to increase engagement

 

But I have to say, if you missed the session, the discussion in the Q&A is almost more valuable than the presentation itself - there were so many great questions asked by the audience!  See you at next year's Summit!



 

Earlier this month Laura Atkins over at Word to the Wise (great blog!) talked about the AOL/Verizon merger.

 

"Last year Verizon bought AOL. As part of that merger some @verizon.net email is being migrated to the AOL backend. FAQs published by Verizon say this change is only affecting users in FL, TX and CA."

 

AOL Mail for Verizon Customers - AOL Help

https://www.verizon.com/support/consumer/email

 

We are viewing this as a good thing on the Email Deliverability Team.  At AOL, the postmaster team is solid, and the sending guidelines and remediation processes are pretty clear and easy. Historically, this has not always so much been the case with Verizon. In context, it probably makes sense to keep AOL as the surviving email platform, even though Verizon was the acquiring company. From this outsider's perspective, AOL seems to have the more evolved email platform.

 

No need to change email addresses or take an action with this change.  Users will still have @verizon.net addresses but the backend and filtering will be managed by AOL.

 

NOTE:  Some sub-accounts may not be moved, either because the user forgot about them or because they decided they didn’t want to move them. This may result in a slight increase in “user unknown” bounces from @verizon.net addresses temporarily.




What is it?

The List-Unsubscribe header is in the unseen header portion of email messages. Recipients don't see the header itself, but if the receiving email network leverages the List Unsubscribe Header, recipients will see an Unsubscribe button they can trust to unsubscribe from future messages. 

The header can look like this to receiving networks:

From: kiersti@marketo.com
Subject: We need to implement this list-unsubscribe thing
Date: February 22, 2016 12:16:59 PM MST
To: sloan@somedomain.com
List-Unsubscribe: <mailto:unsubscribe@marketodomain.com>

Why is it important?

"The list-unsubscribe has been a very valuable tool for the email ecosystem, from consumers to businesses to mailbox providers. Over the past 20 years, consumers have slowly been trained to mistrust unsubscribe links located in the footers of email and spam, as some spammers would use the unsubscribe link to verify that the email address was a valid, active user. Once the spammers knew that, they would send them even more email rather than opting them out. In some cases, spammers would use the link as a way to install malware on an unsuspecting users’ machine."  Microsoft Changes List-Unsubscribe Requirements Melinda Plemel, 1/23/15

 

Does Marketo implement the List Unsubscribe Header?

Yes, for every email sent from our system Marketo leverages the mailto: List Unsubscribe Header function.

 

What networks are paying attention to the List Unsubscribe Header?

ISPs and spam filters view it favorably when making filtering decisions because having the List Unsubscribe header can indicate that the sender is actively working to avoid spam complaints. In fact, most major providers like AOL, Hotmail, Gmail, and Yahoo! support List-Unsubscribe functionality.

Looking specifically to Gmail, Gmail's Bulk Sender Guidelines recommend that the List Unsubscribe header be implemented.


How the List-Unsubscribe header works at Gmail

Gmail supports the List-Unsubscribe functionality and calls it “auto-unsubscribe.” Gmail inserts an Unsubscribe link next to the From Address.


 

When an email recipient clicks on “Report Spam,” a dialog box will appear that asks if they want to unsubscribe or report the email as spam. If they click unsubscribe, a notification asking the sender to stop mailing them will be delivered to the email address in the List Unsubscribe Header.



Barracuda Spam Firewall

 

Advanced Threat Protection

The Barracuda Email Security Service includes a rich set of inbound and outbound email filtering policy options, including anti-spam, antivirus, rate control, IP policies, sender reputation and more.  The optional Cloud Protection Layer feature of the Barracuda Email Security Gateway is an additional layer of cloud-based protection that blocks threats before they reach your network, prevents phishing and zero day attacks, and provides email continuity. Once email passes through the Cloud Protection Layer, the Barracuda Email Security Gateway filters email according to the more granular policies, further recipient verification, quarantining, and other features you configure on the appliance or virtual machine. In addition, you can opt to subscribe to the Barracuda Advanced Threat Detection (ATD) service. ATD is a cloud-based virus scanning service that applies to inbound messages, analyzing email attachments in a separate, secured cloud environment to detect new threats and determine whether to block such messages.

 

See Cloud Protection Layer and Advanced Threat Detection Configuration for details.

 

How Spam Scoring Works

All spam messages have an "intent" - to get a user to reply to an email, to visit a web site or to call a phone number. Intent analysis involves researching email addresses, web links (URLs) and phone numbers embedded in email messages to determine whether they are associated with legitimate entities.  Phishing emails are examples of Intent.

Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Service applies the following forms of Intent Analysis to inbound mail, including real-time and multi-level intent analysis.

  • Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central. 
  • Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS lookups against known URL blocklists.
  • Multilevel intent analysis – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of Web queries to URLs of well-known free websites for redirections to known spammer sites.

 

Intent Analysis can be enabled or disabled on the INBOUND SETTINGS > Anti-Phishing page. Domains found in the body of email messages can also be blocked based on or exempt from Intent Analysis on that page.

 

Additional Resources

SMTP Error Codes

Understanding Link Protection - Understanding Link Protection | Barracuda Campus

How Spam Scoring Works:

 

 


Navigate to your Domain Management page and choose the domain you are setting up the subdomain for to begin.

Once you are in the management page for the domain, choose Add Record.

 

At this point you start to build your subdomain.  You will be adding a record in three sections: A Record, MX Record and TXT Record.

Below is an example of adding the MX record for the subdomain. 

 


 

The section titled HOST: is the section that is designating your subdomain.

In the example below I am setting up a subdomain for KIERSTIESPARZA.COM.  I am setting up example.kierstiesparza.com.

 

In the HOST: section I enter “example” for the subdomain. The Points To: record will be provided by Marketo Privacy/Delivery Team.  Priority can be set to 5. 

 

MX Record Type
HOST: example
POINTS TO: example.kierstiesparza.com
PRIORITY: 5

Once you have the MX record set up, follow the same process for the TXT record.

 


 

TXT Record Type
HOST: example
POINTS TO: "v=spf1 include:mktomail.com ~all"

The final record to set up is the A record.

 


 

A Record Type
HOST: example
POINTS TO: (this will be the dedicated IP that you have been assigned)




Are you frustrated by an SPF record that is not valid?


 

One of the most common reasons an SPF record will break is that it includes too many lookup mechanisms.

Are you looking for a quick win to make sure your SPF record is valid? 

 

Don't use the include:salesforce.com mechanism but instead use the include:_spf.salesforce.com mechanism.

This reduces the number of look up mechanisms being included from 8 to 2! 

 

And using include:salesforce.com approves Gmail's IPs, which opens your domain up to spoofing across the Gmail network.


 

The Salesforce Help article also makes this recommendation:

https://help.salesforce.com/apex/HTViewSolution?urlname=Sender-Policy-Framework-SPF-Salesforce-com-SPF-Record-1327365203011&language=en_US
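
RFC 7208 (section 4.6.4) caps SPF evaluation at 10 terms that trigger DNS queries (include, a, mx, ptr, exists and redirect), and nested includes count toward the same cap. The following added example, not a Marketo or Salesforce tool, counts them offline; every record in it is constructed on .example domains so that the two include choices cost 8 and 2 lookups, mirroring the figures above rather than reproducing any published record.

```python
import re

LOOKUP_LIMIT = 10                                 # RFC 7208, section 4.6.4
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}  # one DNS query each

# Constructed TXT records, not any real provider's published SPF data.
SAMPLE_ZONE = {
    "before.example": "v=spf1 mx include:esp.example include:vendor.example ~all",
    "after.example": "v=spf1 mx include:esp.example include:_spf.vendor.example ~all",
    "esp.example": "v=spf1 ip4:198.51.100.128/25 a:mail.esp.example ~all",
    # The vendor's top-level record also authorizes its corporate mail host.
    "vendor.example": ("v=spf1 include:_spf.vendor.example "
                       "include:_spf.mailhost.example mx ~all"),
    # The vendor's dedicated record covers only its sending service.
    "_spf.vendor.example": "v=spf1 exists:%{i}._spf.mta.vendor.example -all",
    "_spf.mailhost.example": ("v=spf1 include:_nb1.mailhost.example "
                              "include:_nb2.mailhost.example "
                              "include:_nb3.mailhost.example ~all"),
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_nb3.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Optional qualifier, term name, then an optional ":target" or "=target".
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.IGNORECASE)


def count_spf_lookups(domain, zone, _path=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`.

    This is the static worst case: a live evaluation stops at the first
    matching mechanism, and the separate per-mx address limit is not modeled.
    """
    if domain in _path:                  # include/redirect loop: stop descending
        return 0
    record = zone.get(domain, "")
    total = 0
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        match = TERM.match(term)
        if not match:
            continue
        name, target = match.group(1).lower(), match.group(2)
        if name in LOOKUP_MECHANISMS:
            total += 1
        elif name in ("include", "redirect") and target:
            # One query to fetch the referenced record, plus what it costs.
            total += 1 + count_spf_lookups(target.lower(), zone,
                                           _path + (domain,))
    return total


def check_spf(domain, zone):
    """Summarize whether a record stays within the lookup limit."""
    lookups = count_spf_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups,
            "valid": lookups <= LOOKUP_LIMIT}


if __name__ == "__main__":
    for name in ("before.example", "after.example"):
        print(check_spf(name, SAMPLE_ZONE))
```

Here the constructed before.example record exceeds the limit only because of the broad vendor include; swapping it for the vendor's dedicated record brings the same sender back under 10.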

 

Reach out to Marketo Support if this doesn't solve your SPF anguish.  There are SPF experts at Marketo who can get you on a path of Validation.

 



Proofpoint Spam Detection performs two analyses:

Connection Level Analysis: Connection management features in Proofpoint Enterprise Protection test multiple connection-level data points including DNS, MX record verification, SPF, recipient verification, and reputation data. Proofpoint constantly monitors SMTP connections at the IP address level, looking for suspect or malicious activity. Based on this analysis, SMTP rate control is used to automatically block or throttle malicious connections.

 

Proofpoint performs Contextual, Lexical and Image-based Analysis of content and context of messages using structural tests, English and foreign language content inspection, malicious (spyware/phishing/pharming) URL detection, phishing attacks, image analysis, reputation analysis and any custom policies administrators have defined.

 

An add-on enhancement to ProofPoint's filtering is their URL Defense program.  If an email admin has enabled this program Proofpoint will re-write all URLs in an email with their own unique link.   [URL Defense FAQ's - Powered by Proofpoint Essentials]

 

How can you confirm if a URL has been re-written?

 

What happens when a user clicks on a re-written URL?

The user is redirected to the Proofpoint URL Defense service, where the URL and website are analyzed.

    • If the URL is considered bad: The user will be shown a page informing them "The website has Been Blocked!".
    • If the URL is considered good: The user will be redirected to the website.

 

Is there a noticeable delay when a user clicks on a defended URL?

    • No. Defended URLs are checked in real time to ensure that the latest status determines whether they are safe.

 

How long will defended URLs continue to work?

    • Defended URLs will not expire. They will continue to function indefinitely.
    • If the redirection service is not available (i.e., we cannot verify the link's reputation) we will redirect to the original link.

Will URL Defense protect a URL that is safe at one time but becomes compromised later?

    • Yes. Each time a URL is clicked the status of that URL is verified before the redirect is allowed.

 

 

Additional Troubleshooting:

As a sender, if you have the Email Deliverability PowerPack, you can refer to the headers to confirm if Proofpoint has flagged your mail as spam. Each mailbox provider can customize their own scoring rules but the following is the default.

0-49 is clean

50-94 is quarantined

95+ is discarded

 

Market share:

Proofpoint's secure email gateway is used by 4,000+ customers, including 53% of the Fortune 100 and ~30% of the Fortune 1000.




When you add Email Invalid Cause as a column to any of your Deliverability Smart Lists, you will see a code value*, and potentially a suffix as well, to help you understand the reason for a Hard Bounce. Soft Bounce reasons can't be viewed through a Smart List report, only one at a time in a lead's activity log.

 

  • Codes in the 400 range are generally Soft Bounces
  • Codes in the 500 range are generally Hard Bounces

 

*Mail server administrators can create custom messages that accompany bounce codes

Traditional Bounce Codes

Code | Explanation
250 | Mail accepted by receiving network
421 | <domain> Service not available, closing transmission channel
450 | Requested mail action not taken: mailbox unavailable (e.g., mailbox busy)
451 | Requested action aborted: error in processing
452 | Requested action not taken: insufficient system storage
500 | The server could not recognize the command due to a syntax error.
501 | A syntax error was encountered in command arguments.
502 | This command is not implemented.
503 | The server has encountered a bad sequence of commands.
504 | A command parameter is not implemented.
550 | User’s mailbox was unavailable (such as not found)
551 | The recipient is not local to the server.
552 | The action was aborted due to exceeded storage allocation.
553 | The command was aborted because the mailbox name is invalid.
554 | The transaction failed for some unstated reason.




Enhanced Bounce Codes

If a suffix appears after one of the codes above, it is an enhanced bounce code.

*Mail server administrators can create custom messages that accompany bounce codes

Code | Explanation
5.0.0 | Address does not exist
5.1.0 | Other address status
5.1.1 | Bad destination mailbox address
5.1.2 | Bad destination system address
5.1.3 | Bad destination mailbox address syntax
5.1.4 | Destination mailbox address ambiguous
5.1.5 | Destination mailbox address valid
5.1.6 | Mailbox has moved
5.1.7 | Bad sender’s mailbox address syntax
5.1.8 | Bad sender’s system address
5.2.0 | Other or undefined mailbox status
5.2.1 | Mailbox disabled, not accepting messages
5.2.2 | Mailbox full
5.2.3 | Message length exceeds administrative limit.
5.2.4 | Mailing list expansion problem
5.3.0 | Other or undefined mail system status
5.3.1 | Mail system full
5.3.2 | System not accepting network messages
5.3.3 | System not capable of selected features
5.3.4 | Message too big for system
5.4.0 | Other or undefined network or routing status
5.4.1 | No answer from host
5.4.2 | Bad connection
5.4.3 | Routing server failure
5.4.4 | Unable to route
5.4.5 | Network congestion
5.4.6 | Routing loop detected
5.4.7 | Delivery time expired
5.5.0 | Other or undefined protocol status
5.5.1 | Invalid command
5.5.2 | Syntax error
5.5.3 | Too many recipients
5.5.4 | Invalid command arguments
5.5.5 | Wrong protocol version
5.6.0 | Other or undefined media error
5.6.1 | Media not supported
5.6.2 | Conversion required and prohibited
5.6.3 | Conversion required but not supported
5.6.4 | Conversion with loss performed
5.6.5 | Conversion failed
5.7.0 | Other or undefined security status
5.7.1 | Delivery not authorized, message refused
5.7.2 | Mailing list expansion prohibited
5.7.3 | Security conversion required but not possible
5.7.4 | Security features not supported
5.7.5 | Cryptographic failure
5.7.6 | Cryptographic algorithm not supported
5.7.7 | Message integrity failure

Gmail has started labeling mail that is sent without encryption with a broken lock icon.

 

 

Email encryption in transit (TLS)

Gmail supports encryption in transit using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can. Some other email services don't support TLS, and therefore messages exchanged with these services will not be TLS encrypted.

In Gmail on your computer, you can check that a message you’ve received was sent over TLS by clicking the small down arrow at the top-left of the email and reading the message details.

If you see a red open padlock icon on a message you’ve received, or on one you're about to send, it means that the message may not be encrypted.

https://support.google.com/mail/answer/6330403?p=tls&hl=en&rd=1

 

It is understood that Google is likely giving some preferential deliverability scoring to emails sent through encryption.

 

Good News.  Marketo implemented Opportunistic TLS in the middle of 2015 so we are ahead of the ball!

 

 

[Screenshot: example of mail sent without encryption]

[Screenshot: example of mail sent with encryption]
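Outside the Gmail interface, the same check can be made from a message's Received headers, shown here as an added example (not from the original post or from Google): a hop recorded as `with ESMTPS` (RFC 3848) or carrying a `version=TLS...` clause, which Gmail and many other receivers add, was encrypted in transit. The sample message and every hostname, ID and address in it are constructed.

```python
import re
from email import message_from_string

# "with" protocol keywords that mean the hop used STARTTLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.I)
TLS_CLAUSE_RE = re.compile(r"\bversion=(TLS\S+)", re.I)

# Constructed sample message: one encrypted hop on top, one plaintext hop below.
SAMPLE = """\
Received: from out.sender.example (out.sender.example [192.0.2.10])
 by mx.mailbox.example with ESMTPS id a1b2c3
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)
 for <user@mailbox.example>; Wed, 20 Apr 2016 16:25:01 -0700
Received: from app.sender.example (app.sender.example [198.51.100.7])
 by out.sender.example with ESMTP id d4e5f6
 for <user@mailbox.example>; Wed, 20 Apr 2016 16:25:00 -0700
From: news@sender.example
To: user@mailbox.example
Subject: constructed test message

body
"""


def tls_by_hop(raw_message):
    """Return [(receiving_host, protocol, tls_version, encrypted)], newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        line = " ".join(value.split())               # unfold the header
        m = WITH_RE.search(line)
        if not m:
            hops.append((None, None, None, False))   # unparseable: encryption not proven
            continue
        host, proto = m.group(1), m.group(2).upper()
        clause = TLS_CLAUSE_RE.search(line)
        version = clause.group(1) if clause else None
        hops.append((host, proto, version, proto in TLS_PROTOCOLS or version is not None))
    return hops


def delivered_encrypted(raw_message):
    """True only if the topmost hop, written by the receiving provider, used TLS."""
    # Headers below the topmost one were written by earlier relays and can be forged.
    hops = tls_by_hop(raw_message)
    return bool(hops) and hops[0][3]
```

With opportunistic TLS the sender falls back to plaintext when the receiver does not offer STARTTLS, so a `False` result on the top hop points at the receiving side's configuration as often as the sender's.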

