Email Security.cloud

  • 1.  IP removal request from Symantec blacklist (not the only one I see!)

    Posted Mar 01, 2017 05:29 AM

    Hi,

    Recently I have moved a website from a customer to a new VPS. Since then his mail gets blocked because the IP is on your Symantec blacklist with the warning:

    The IP address XX.XX.XX.XX was found to have a negative reputation. Reasons for this assessment include:
        The host has been observed sending spam in a format that is similar to snow shoe spamming techniques.

    I have checked all DNS blacklists which I could find and the IP is not listed on them. Also I have checked the mail headers from the mail, but can’t find anything strange.

    I have already made a removal request several times through your IP Reputation Investigation tool, and asked for contact. But no response at all. I have also sent a mail yesterday to CLOUDfeedback@feedback-87.brightmail.com, but also no response. Right now it’s on the blacklist again after removing it 2 days ago.

    This is starting to become very annoying! Every DNS blacklist removes you when you ask them and provide them with information. Only Symantec does not. And I am not the only one, I see, in this forum.

    So hopefully somebody here on this forum will respond and is willing to look into it. I can provide all the information you need, like mail headers and server logs.
    Thanks in advance,

    Martin



  • 2.  RE: IP removal request from Symantec blacklist (not the only one I see!)

    Posted Mar 01, 2017 05:36 AM

    To speed this up, the blocked IP address is 81.171.24.142 and at the time of writing it is still on the blacklist after 2 requests for removal. In one of them I attached a mail header.



  • 3.  RE: IP removal request from Symantec blacklist (not the only one I see!)

    Posted Mar 02, 2017 04:37 AM

    Bumping this post because after 24 hours there is still no answer from Symantec. To be clear: I want this to be solved, because we lose customers like this. And from a serious company like Symantec I would expect more.

    As you can read in my first message, the mail from my client is not delivered to customers because Symantec thinks that the mail server sends spam in a format that is similar to snow shoe spamming techniques.

    When you start to search for "snow shoe spamming" you will find a lot of pages which explain that snow shoe spamming is gaining popularity and even a document from Symantec with the subtitle “Snowshoe spam outbreak”. Some of them come with a little explanation. Like from Symantec:

    snowshoe spamming distributes a broad load of spam across a varied array of IP addresses in much the same way.

    Doesn’t say much, right?

    A little further in the document:


    Snowshoe campaigns commonly have the following characteristics:
    - Originate from IP address ranges with a neutral reputation.

    Ok, so if you move to a new VPS with a new IP you already have 1 flag. But in the real world hosting companies sell servers. They all got a new IP (or not used for a while). Is this fair to flag it? Answer: No. Should this be the problem? Don’t know because:
    Symantec doesn’t answer!

    - Use a large IP address range to dilute the amount of spam sent from each IP address.

    Ehh, what does it mean? Large IP address range, for the mail server? Ok, let’s try. Many websites use Cloudflare. For this you have to point your DNS to Cloudflare. There you get 2 IPv4 addresses and 2 IPv6 addresses. But you can’t use Cloudflare for your mail server, so that will be the 5th IPv4 address and if you have IPv6 installed on your server a 6th IP. Again, this is a normal situation. But hey… what if Symantec does a domain lookup? Then it will find 6 IPs for the same domain. Wow!!! This is a snowshoe spamming technique, right? Eh… NO! This is a misconfiguration of your scanner!
    Against a domain lookup you can’t do anything. It will just find your IPs. But for mail you can use an SPF record. It could look like this:
        v=spf1 a mx a:domain.com ip4:xx.xx.xx.xx ?all
    But this will also approve 5 or even 6 IPs to send mail. When Symantec would check the SPF record, bingo! Again multiple IPs, so snowshoe spam! I changed it already to this:
        v=spf1 mx ip4:xx.xx.xx.xx ?all
    Like this it will only validate the IP from the MX record in your DNS. But I am not sure if it will help. Because:
    Symantec doesn’t answer!

    Another thing related to changing IPs. The website from my customer was hosted on another VPS with another IP till I moved it to a new VPS with a new IP. Further, the mail was sent through a hosting company. But… also with different IPs. Could it be the fact that I just moved the website AND mail to another server? That somewhere in the Symantec records the old IPs are still kept. Could be, but:
    Symantec doesn’t answer!

    - Contain features (such as the subject line, from line, and URLs) which change quickly.

    Ok, so imagine you have a webshop and customers can register for an account. So while ordering they fill in some information. Then the account is made and the website sends a mail to the customer with some information. Almost immediately the mail with the order confirmation will be sent. Of course this mail has a different subject line, and different URLs. I don’t have to explain this further, right? According to the document this also gives a flag. But is this snowshoe spamming? Answer: NO. But could this be the problem? Don’t know because:
    Symantec doesn’t answer!

    - Include the call-to-action in the URL.

    Ehh…should I take this literally? Or is a call to action already a link to their account or order? Could this be the problem? Don’t know because:
    Symantec doesn’t answer!

    I could go on, but I guess you get the point. This is like walking in the dark and trying to find the exit, while screaming for somebody to put on the light. Don't count in this case on Symantec because:

    Symantec doesn't put on the light for you!

    I already thought about a solution. But till now everything I tried doesn’t work. Oh wait… just one solution pops up. I could put a huge banner on the website with the following text:

    Dear customer, when you use a mail account from KPN, Planet, Hetnet or XS4all you can’t order. Because all those providers use KPN mail, which will be scanned by Symantec. And it will not pass. We can’t fix it because:
    Symantec doesn’t answer!

    I will send KPN a mail with the link to this topic too. Maybe they can put some pressure on it, to avoid a bad reputation. In the meanwhile I will walk in the dark, trying to find the exit........
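The two SPF records above, as an added example that is not part of the original post: a small SPF evaluator in Python over a constructed DNS zone (the domain example.net, its documentation-range addresses and the MX host are all hypothetical) that shows which addresses each record authorises as mail senders and what a receiver gets back for an address that is not listed.

```python
import ipaddress

# Constructed DNS zone for a hypothetical domain (not the poster's real records). It mirrors
# the post: the web site sits behind Cloudflare (two A records on the apex) while the mail
# server has its own address, which is the MX target.
DNS = {
    "A": {
        "example.net": ["203.0.113.10", "203.0.113.11"],  # Cloudflare-fronted web IPs
        "mail.example.net": ["198.51.100.25"],           # the real mail server
    },
    "MX": {"example.net": ["mail.example.net"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_networks(mech, domain):
    """Networks a single SPF mechanism covers (supported subset: a, mx, ip4, ip6)."""
    name, _, arg = mech.partition(":")
    if name == "a":
        return [ipaddress.ip_network(a) for a in DNS["A"].get(arg or domain, [])]
    if name == "mx":
        hosts = DNS["MX"].get(arg or domain, [])
        return [ipaddress.ip_network(a) for h in hosts for a in DNS["A"].get(h, [])]
    if name in ("ip4", "ip6"):
        return [ipaddress.ip_network(arg, strict=False)]
    raise ValueError(f"unsupported mechanism: {mech}")


def split_terms(record):
    """Yield (qualifier, mechanism) pairs from a 'v=spf1 ...' record."""
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        yield qualifier, term.lstrip("+-~?")


def check_spf(record, domain, sender_ip):
    """Evaluate sender_ip against the record; returns pass/fail/softfail/neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech in split_terms(record):
        if mech == "all" or any(ip in net for net in mechanism_networks(mech, domain)):
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208: nothing matched and no 'all' term present


def authorized_ips(record, domain):
    """Addresses the record's '+' mechanisms authorise (a CIDR counts by its network address)."""
    ips = set()
    for qualifier, mech in split_terms(record):
        if qualifier == "+" and mech != "all":
            ips.update(str(n.network_address) for n in mechanism_networks(mech, domain))
    return sorted(ips)
```

Note that `?all` is neutral: an address that matches nothing is neither rejected nor soft-failed, so a receiving filter gets no usable signal from it; `~all` or `-all` is what lets a receiver act on mail that does not come from the listed server.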

     



  • 4.  RE: IP removal request from Symantec blacklist (not the only one I see!)

    Posted Mar 02, 2017 10:28 AM

    Update:

    After intervention from the Dutch mail company KPN my problem is solved. I asked them to contact Symantec because none of my contact attempts seemed to work. They put the IP on the whitelist. But I still don't have a clue why it was on the blacklist in the first place.

    I am trying to contact Symantec about the problem, but they just ignore everything!!! Even a Facebook message where they claim to answer in a few minutes. A private message to the Community Manager RGMDonaldson also doesn't have a result.

    For me never, never, never, never a Symantec product. And let this be a warning for other people, if you have a problem, don't count on Symantec!!!



  • 5.  RE: IP removal request from Symantec blacklist (not the only one I see!)

    Posted Mar 02, 2017 12:08 PM

    Hi Martinqws,

    I am sorry to hear you have had a poor experience as described in your post. Below is some information I hope you or others will find useful should the same situation arise.

     

    https://support.symantec.com/en_US/article.TECH82881.html

     

    Should the IP appear to be showing a bad reputation, and requesting an investigation does not resolve the issue, you can send an email to our Symantec threat analysts team at Investigation@review.symantec.com

     

    When sending them an email, provide as many details as possible, including an example of mail you are trying to send and any NDR that you may be receiving, and allow up to 7 business days for them to analyze and provide feedback to resolve the issue.

     

    Regards,
        
    Ben Beaulieu
    Sr Technical Support Engineer