"Blocked for Bot-like Behavior"

An ESP asked about this error message from Hotmail and what to do about it.
“Bot-like” behaviour usually means the sending server is doing something that bots also do. It’s not always that they’re spamming, often it’s a technical issue. But the technical problems make the sending server look like a bot, so the ISP is not taking any chances and they’re going to stop accepting mail from that server.
If you’re an ESP what should you look for when tracking down what the problem is?
First make sure your server isn’t infected with anything and that you’re not running an open relay or proxy. Second, make sure your customers aren’t compromised or have had their accounts hijacked.
Then start looking at your configuration.
HELO/EHLO values

  • are you using a consistent one for each IP or are the values changing?
  • are you using a FQDN (fully qualified domain name, i.e., a.example.com) for the HELO?
  • are you using a bare IP for the HELO/EHLO?
  • does that FQDN match the rDNS of the IP?

IP issues

  • does your IP have rDNS?
  • does that rDNS in any way look like it might be dynamic?
  • how many IPs are you using to send the same message?

Header issues

  • are you using a consistent hostname in the envelope From?
  • is that hostname similar to the hostname in the IP address?
  • are you sending a MessageID?
  • are you authenticating?
  • is that authentication correct?

Content

  • are you sending small amounts of the same content over different IP addresses?
  • is the content you’re sending being sent by other entities?
  • are any of the URLs you’re linking to infected with anything?
  • are any of the URLs you’re linking to serving ads that might be spreading viruses?

Sending issues

  • are you closing connections promptly or are you holding them open?
  • are you opening connections from different IPs and sending the same content at the same time?

The major bot-like behaviours are sending small numbers of messages from many different IP addresses, and using bad HELO/EHLO values. Even small senders using shared pools can trigger this filter at Hotmail. Try not to split small volumes of mail over multiple IPs whenever possible and particularly when you are getting this error message.
 
 

Related Posts

Anti-Botnet Code of Conduct Published

The Communications Security, Reliability and Interoperability Council (CSRIC) published a Anti-botnet code of conduct for ISPs. This is a purely voluntary code for U.S. ISPs that want to mitigate the botnet threat to follow. You can download a full copy of the final report from the MAAWG website. The FCC has published a fact sheet about the report on their own website.

Read More

Phones part of SMS botnet

Spammers have been moving into the phone market for a long time. Just recently security firms have discovered an Android  botnet. This botnet sends viruses over SMS, and when a link in the SMS is clicked, the phone is infected with the virus which then sends more SMS.
The technology for blocking and reporting SMS spam is comparable to email blocking technology 10 or 12 years ago. There just aren’t many tools for people to use to control this spam. M3AAWG is addressing mobile spam, but it still seems that the volumes are increasing without much recourse. Even the 7726 reporting number doesn’t seem to stop the spam (nor remove per-text charges).
At least in the beginning of the email spam problem, we didn’t have botnets. Now, at the beginning of the curve for SMS spam, we already have self replicating botnets. I’m afraid the good guys might be behind on this issue.
Then again I might just be cranky because SMS spammers woke us up at 4:30 am.
Infoworld article
TNW article
PCWorld article

Read More

Another one bites the dust

NASK (the Polish domain registry) has taken over a number of domain names used in spreading viruses and infections.

Read More