[Support Guide] Why is my domain on a spam list?


Purpose

The purpose of this support guide is to explain why your domain might have gotten added to a spam list and what can be done to prevent it.

Background

First, we need to understand what a spam list is. The two most common spam list organizations I am asked about are:

Spamhaus - https://www.spamhaus.org/
UCEPROTECT - https://www.uceprotect.net/

These organizations create lists of the IP addresses used for the websites of the domains in spammers’ email addresses.

Important!!! → The lists do not report the IP addresses that send the spam emails. The list reports the IP addresses used for the website hosting the domain name in the email address. This is almost always a different IP address from the one that sends the spam emails.

To summarize that note above:

  • the list does not contain the IP addresses that send the spam email
  • the list does have the IP addresses of the websites that share the domain name with the email address in the email

In other words, if you send a spam email from me@example.com using the IP address 192.168.123.456 and your website for example.com is hosted at 10.9.8.7, the spam list will not contain the email server IP address 192.168.123.456. The spam list will have the website IP address of 10.9.8.7.

How does this affect me at Netlify?

Using the example above, if someone signs up for a Starter plan, creates a website for example.com and then uses some other service to send spam emails from something@example.com, then any and all sites on the Standard Edge Network at Netlify can potentially be flagged as spammers.

All the other sites getting flagged don’t even have the spammer’s domain name. They are just hosting a website on the same service (Netlify) and, for this reason, all the sites use the same IP addresses. It is the IP address that gets added to the spam list, so all sites at Netlify (except those on Enterprise plans) can get listed in this way.

The IP addresses used for Netlify CDN are not allocated to Netlify. They are allocated to the cloud “infrastructure as a service” (IaaS) providers we use for our infrastructure (like AWS, Google Compute Platform, etc.). This means that someone else was likely using these IP addresses before us. After we stop using them someone else using AWS or GCP will use them next. We cannot control what others have done with the IP address before us.

There are three general ways IP addresses get added to these spam lists (and the third one is a doozy). The three ways (A, B, and C) are:

  • A) Someone using Netlify puts up a website for example.com and then sends spam emails from spammer@example.com. (It is important to note that Netlify doesn’t send the spam emails. We only host the website. The emails come from some IP address not controlled by Netlify in any way.)

  • B) Before Netlify used the IP address, someone else used it for their example.com website and they sent spam emails from spammer@example.com in the past.

  • C) Someone else used an IP address “near” to the IP address Netlify is using for their example.com website and they sent spam emails from spammer@example.com.

For scenario “A”, some other site at Netlify sends a spam email and all the domains hosted at Netlify get flagged because the IP addresses the sites use are shared. If any website on a non-Enterprise plan account gets flagged, then all other sites on our Standard Edge Network can be flagged as well.

For scenario “B”, the IP address was used in the past but not by Netlify. However, since we are using it now we have inherited the bad reputation even though we had nothing to do with the reason it was flagged. The reputation follows the IP address.

The spam list companies don’t track who controls the IP address because they cannot do so for the IP addresses of IaaS providers (cloud providers). The WHOIS records for the IP address block (known as ASNs) only show the IaaS provider. In reality, it is the customers of the IaaS providers (like Netlify) that use the IP addresses but there is no public information about who is using which IP address. To the spam list it all looks like Google or Amazon. The spam list organization cannot see when the shared IP address changes hands between customers using the IaaS providers.

For scenario “C”, some spam list organizations will block “nearby” IP addresses for things done by other IP addresses.

This is a direct quote from the "UCEPROTECT Blacklist Policy LEVEL 3" page as it was on 2023-02-08:

UCEPROTECT Blacklist Policy LEVEL 3
Description: Draconic
Level 3 lists IP Space of the worst ASN’s.

This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email.

UCEPROTECT level 3 automatically lists all IPs assigned to an AS number as soon as its SPAMSCORE is 50 or higher, and (to avoid mini providers being listed because of 1 or 2 spammers) at least 50 impacts of IPs which are assigned to the AS number have been listed in level 1 in the last 7 days.

That states clearly that entire blocks of IP addresses get flagged if enough neighboring IP addresses get flagged (“blocks of IP addresses” = “ASN’s” in the text above). They are also clear that this “probably will” block innocent IP addresses as well.

Here is a hypothetical example of scenario C. Let’s take the example IP address of 10.0.0.1. (Note, IP addresses starting with 10.*.*.* cannot be routed over the public internet because they are part of a reserved IP address block to be used for private networks). So, to be clear, this is only an example and not a real IP address Netlify uses.

Let’s also say, for the sake of this example, that Netlify doesn’t control the whole block of IP addresses from 10.0.0.0-255. We only control 10.0.0.1.

Now, let’s also say for this example, that people sending spam emails are also hosting their websites on 10.0.0.2, 10.0.0.50, 10.0.0.100, 10.0.0.150, etc. They are not using all the IP addresses in the 10.0.0.0/24 block. They are not even using Netlify. However, if they use enough of them, then the entire 10.0.0.0/24 block of IP addresses will get flagged. That will flag the IP address 10.0.0.1 which Netlify controls even though that IP address didn’t do anything wrong - not once - not ever. An innocent IP address will be blocked because of the actions of nearby IP addresses.
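The scenario C example above, worked through in code. This is an added illustration, not UCEPROTECT's or Netlify's code: it applies the two thresholds from the quoted Level 3 policy to constructed listing data. The AS number 64500, the mapping of 10.0.0.0/24 to it, the treatment of one level 1 listing as one "impact", and the spam score being supplied as an input are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds quoted from the Level 3 policy text above.
MIN_SPAMSCORE = 50
MIN_IMPACTS = 50
WINDOW = timedelta(days=7)

# Constructed data: documentation AS number 64500 announcing the guide's 10.0.0.0/24.
ASN_PREFIXES = {64500: [ip_network("10.0.0.0/24")]}


def asn_for(ip):
    """Return the AS number whose prefixes contain ip, or None."""
    addr = ip_address(ip)
    for asn, prefixes in ASN_PREFIXES.items():
        if any(addr in net for net in prefixes):
            return asn
    return None


def level3_asns(level1_events, spamscores, now):
    """Apply the quoted rule: spam score >= 50 AND >= 50 level-1 impacts in 7 days."""
    # Assumptions: one (ip, listed_at) event is one impact; spamscores {asn: score}
    # is a given input, since the page does not say how the score is computed.
    impacts = {}
    for ip, listed_at in level1_events:
        asn = asn_for(ip)
        if asn is not None and timedelta(0) <= now - listed_at <= WINDOW:
            impacts[asn] = impacts.get(asn, 0) + 1
    return {asn for asn, n in impacts.items()
            if n >= MIN_IMPACTS and spamscores.get(asn, 0) >= MIN_SPAMSCORE}


def is_level3_listed(ip, level1_events, spamscores, now):
    """True if ip falls in a listed AS, whether or not ip itself was ever reported."""
    return asn_for(ip) in level3_asns(level1_events, spamscores, now)


def sample_events(now, count, age_days):
    """Constructed level-1 listings spread over the guide's spammer-hosting IPs."""
    spam_ips = ["10.0.0.2", "10.0.0.50", "10.0.0.100", "10.0.0.150"]
    return [(spam_ips[i % 4], now - timedelta(days=age_days)) for i in range(count)]


if __name__ == "__main__":
    now = datetime(2023, 2, 8)  # constructed "current" date
    # 10.0.0.1 is in none of the events, yet it is listed along with its AS.
    print(is_level3_listed("10.0.0.1", sample_events(now, 60, 1), {64500: 55}, now))
```

Dropping the event count below 50, ageing the events past 7 days, or lowering the score below 50 each clears the listing for every address in the block at once.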

Okay, I’ve read all that above. Now, what can I do about this?

Unfortunately, if the issue is happening because of scenario C, there is very little you or Netlify can do. The only people that can lobby to have the IP addresses removed are the people that the ASN is assigned to. As that isn’t you and that isn’t Netlify, neither you nor we can submit the removal requests. Only Amazon or Google would be able to request that the ASN be removed. As they won’t be able to validate that the issue is fixed for all IP addresses they won’t be able to submit the removal request.

However, people also should not be using the level 3 list to block emails. Even UCEPROTECT calls that list “Draconic”. If people are blocking email using that list, there isn’t anything you can do except to ask the person using that block list to stop using it. They likely won’t as they chose to do so in the first place but that is the only real solution.

For scenarios A and B, the domain that caused the report should be listed. If so, please report it to Netlify. If you do so, we can work to remove that spammer’s site from Netlify and then the IP address will stop being listed as well.

Note, most spam lists require you to pay to remove an IP address quickly. If you won’t pay, you must wait for the IP address to drop off the list. If no new spammers use the IP address for their website, it is typically removed from the list in about one week or less.

The most effective way to prevent this from happening is to upgrade to an Enterprise plan team and include the High-Performance Edge Network add-on in that plan. The High-Performance Edge Network is an Enterprise plan only feature. You must pay to use that network and if we catch someone spamming from email addresses with domains on that network we will suspend their account for doing so.

If your site is on the High-Performance Edge Network, it is very, very unlikely for it ever to appear on a spam list. If it does, we will work quickly to get that resolved.

Summary

The answer is that with shared hosting (even with direct hosting at cloud providers) these spam lists are always a risk. The most effective way to avoid being on the list at Netlify is using the High-Performance Edge Network and an Enterprise plan. If you are curious about pricing for Enterprise, please reach out to our account management team from this page.

If your domain’s emails are blocked, please make a new topic about this in the admin category and share a link to the block list entry at the spam list company if possible. If not, please share the domain or IP address that is blocked in the new topic. If you want to send that information privately, please note that in the topic you create and our support team will make certain private messaging is enabled. If you are using a Pro or higher plan type, please feel free to create a support ticket for this on our helpdesk if you prefer to troubleshoot privately.