XLHOST BLOG

Maximizing delivery of emails sent from your dedicated servers

Posted by Drew Weaver on Sat, Apr 06, 2013 @ 11:36 AM

Thanks to the bombardment of spam that is levied towards business and consumer inboxes it is becoming increasingly difficult for legitimate marketing and transactional email messages to reach the hallowed inbox. XLHost gets questions frequently regarding email delivery and I want to share with you some best practices I have learned and free tools that you can use to ensure that the email you send from your dedicated servers gets delivered to the inbox.

stopsign

The most important question to consider before sending any marketing email is: is what I am sending actually spam? Technically, spam is defined as any email that is unsolicited. Meaning that if you simply purchase a list of email addresses, You are most likely sending email to people who would rather not hear from you. We will assume for the rest of this article that you are sending email to a list of your own customers, or people/businesses whom have expressed interest in your products and services.

If you find that emails that you are sending are ending up in the spam folder of your recipients here are some things You can check.

Blacklists - Make sure that your dedicated server's IP addresses are not listed in Spamhaus or any DNS blacklists. There are several free tools and services available that you can use to check this. MXtoolbox is a very popular choice for this.

Reputation - Check the reputation of the IP address you are sending from with Senderbase. Many large commercial ISPs use information from senderbase to determine whether or not to accept your email.

Reverse DNS - Make sure that the IP address on your dedicated server which you are sending from has proper reverse DNS and that the reverse DNS matches. For example, if your server sends email as server.yourdomain.com make sure that the reverse DNS for the IP address is server.yourdomain.com.XLHost customers can modify their reverse DNS records in Grande.

matching forward/reverse dns

SPF and DKIM - Make sure you have published SPF and Domain Keys in the DNS records for your domain. SPF allows you to publish a list of IP addresses which should be trusted to send email for your domain. Domain Keys allow messages sent from your domain to be authenticated by the receiving server.

My favorite tool to check for email delivery issues has quickly become Mail Tester.

mail-tester.com

Mail Tester is a free, simple, and effective tool for simulating email delivery. When you visit mail-tester.com an email address appears in the box. You simply send the message you are planning to send to your users to the mail-tester.com email address. After you click the button mail-tester provides you with a score that shows you how likely your email will be to reach the inbox based on many of the factors I listed above.

If You are utilizing all of the methods and tools mentioned You should be on the road to email delivery nirvana in no time. If you are still having problems with email delivery please contact XLHost and we will see if we can help.

-Drew

Tags: DNS, dedicated servers, email delivery

Is your dedicated server being used for DDoS attacks?

Posted by Drew Weaver on Thu, Mar 28, 2013 @ 08:57 AM

First, let me welcome you to the new XLHost blog and introduce myself. I am Drew Weaver, Chief Technical Officer at XLHost. If you're a customer of XLHost we have most likely interacted at some point in the past. I have been with XLHost since 1999 and it is basically my job to oversee the operation of anything that has a blinking light and make sure that our amazing technical support staff continues to be the best in the industry. My posts will likely tend to skew towards technical matters so bare with me if my geekness shines through. (I will try to keep it in check)

Welcome to the XLHost blog

It is unfortunate that my first post on our new XLHost blog is about a record breaking DDoS attack but I felt that this topic was important enough to garner some additional attention and to raise awareness on this issue. You may have read recently about the record breaking 300Gbps distributed denial of service (DDoS) attack which has been targeting Spamhaus. Spamhaus is an organization of volunteers whom maintain lists of IP addresses which are used to send spam, spread malware, and generally make the Internet less enjoyable for You and your users. Spamhaus is frequently the target of denial of service attacks but never anything as large as this.

spamhaus ddos

The bulk of the attack traffic was delivered using a technique known as DNS amplification (less specifically UDP amplification). With DNS amplification the attacker sends a DNS query to hundreds or thousands of open DNS resolvers with the source IP address set to the IP address of the target. The hundreds or thousands of open DNS resolvers then send their answers back to the target's IP address. This means that the attacker sends 36 bytes to the open resolver and the resolver replies with as much as 3000 bytes (that is the amplification part). For example if the attacker has a 100Mbps connection to the Internet and they used the entire usable amount (91Mbps) to generate requests; the attack traffic could be as much as 7.6Gbps

This is possible because many Internet Service Providers still allow traffic to leave their networks for IP addresses that they are not responsible for. (This is called IP address spoofing) Mechanisms to prevent IP address spoofing were first proposed in BCP 38 which was originally published in May of 2000. Unicast Reverse Path Verification (URPF) was added as a feature in most routers by 2005 and presently it is a feature available in all ISP router platforms. The only reason that URPF is not effective is because many ISPs choose not to implement it. XLHost has had URPF deployed since 2007.

Since there is very little chance that we can convince large networks to deploy URPF, let's instead talk about what XLHost can do, and what You can do to combat UDP amplification. If you are running a DNS server such as Microsoft DNS, ISC BIND, or PowerDNS on a server connected to the Internet You should make sure that the server is not an open DNS resolver.

XLHost will be launching a free tool very soon that will allow customers to scan their dedicated servers, VPS servers, or Cloud servers to determine whether they are open DNS resolvers. We will also be scanning our network to find any open DNS resolvers and assist customers in closing down open DNS resolvers.

Please let us know if you have any questions about this issue. I recommend anyone interested in any of the information in this post check out the excellent Open DNS resolver project website. There you will find more details on the problem and tools you can use to scan and close open DNS resolvers.

Once again welcome to the blog!

-Drew

Tags: DNS, security, dedicated servers