How to fix “550 email blocked” email error
Here at Bobcares.com, our Hosting Support Engineers maintain and support servers of web hosts, digital marketers and other online businesses.
550 Email blocked is an email bounce error that we usually see in Shared servers, VPS servers and Cloud Instances.
Here’s a typical bounce message:

-----Original Message-----
From: Mail Delivery System [mailto:MAILER-DAEMON@mx.sender.com]
Sent: Thursday, June 21, 2018 02:22 PM
To: email@example.com
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx.sender.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

The mail system

: host smtp.recipient.com[XXX.211.XXX.31] said: 550 Email blocked by hostkarma.junkemailfilter.com (in reply to RCPT TO command)
It means that the recipient’s mail server smtp.recipient.com rejected the mail from mx.sender.com because the spam filter at junkemailfilter.com classified the mail as spam.
What causes the error “550 Email blocked”?
Mail servers use third-party services such as SpamCop, MSRBL, JunkEmailFilter, etc. to identify spam.
These third-party services analyze incoming mail and classify it as spam or not-spam based on the sender’s server IP, message headers, attachments, and more.
Almost all mail servers refuse to accept mail marked as spam, and the rejection shows up as the error “550 Email blocked”.
The most common reason for this error is IP blacklisting, where the sender’s server IP is listed as a spam source in SpamHaus, Senderbase, or other such email reputation tracking services.
Fixing incoming mail bounces
DNS blacklists (aka DNSBL) are a great way to keep out potential spammers.
But they can easily backfire if the anti-spam settings are misconfigured.
For example, we’ve seen servers that still used discontinued DNSBLs such as ORDB, Virbl, etc. Such discontinued services mark all incoming mails as spam to force customers to stop using them.
Here at Bobcares, we monitor the incoming & outgoing mail traffic volume, and we investigate any spike or sudden drop in mails.
So, when we notice a sudden dip in mail volume (compared to the same hour in previous days), we analyze the mail logs and review recent changes to the mail server settings.
If we see all mails being rejected by a single DNSBL, we remove it from the list of DNSBLs the server consults.
Instead we use tried and tested DNSBLs.
Generally we’ve seen zen.spamhaus.org as a reliable blacklist which weeds out only actual spammers and is well maintained.
What to do if mails you send bounce
If your mail server IP is listed in a DNS blacklist (DNSBL), a majority of your emails will bounce, especially at large providers such as Google, Hotmail, etc.
You can check if your mail IP is blacklisted by performing a search here: http://multirbl.valli.org/lookup/
If your IP is listed, it means that either:
- Someone was able to exploit a web application vulnerability and upload a spam script, or
- Someone stole the login details to an email account, and is sending out spam through that account.
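As an added example (not code from the original article), here is a small Python checker that performs the same reversed-octet DNSBL query the lookup site above does, and first verifies each zone against the RFC 5782 test addresses so that a discontinued list, which answers “listed” for every address as described in the section on incoming bounces, is reported as broken rather than trusted. The resolver is injectable so the logic can be exercised without network access; zen.spamhaus.org is named on the page, while 192.0.2.10 and any other zone names are placeholders.

```python
import socket
from ipaddress import IPv4Address

# RFC 5782 test addresses: every DNSBL must list 127.0.0.2 and must never
# list 127.0.0.1. A zone that "lists" 127.0.0.1 is broken or discontinued
# and would make a server that consults it reject every sender.
TEST_LISTED = "127.0.0.2"
TEST_UNLISTED = "127.0.0.1"

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 10.2.0.192.zen.spamhaus.org."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    """Return the A records for name, or [] when it does not exist (not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []

def is_listed(ip, zone, resolve=resolve_a):
    """A DNSBL signals 'listed' with an answer in 127.0.0.0/8. Some zones also
    use special return codes (e.g. for refused queries); check the zone's docs."""
    return any(a.startswith("127.") for a in resolve(dnsbl_name(ip, zone)))

def zone_is_sane(zone, resolve=resolve_a):
    """Trust a zone only if the test-positive address is listed and the
    test-negative address is not."""
    return (is_listed(TEST_LISTED, zone, resolve)
            and not is_listed(TEST_UNLISTED, zone, resolve))

def check_ip(ip, zones, resolve=resolve_a):
    """Map each zone to 'listed', 'clean' or 'zone broken' for the sender IP."""
    result = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            result[zone] = "zone broken"
        elif is_listed(ip, zone, resolve):
            result[zone] = "listed"
        else:
            result[zone] = "clean"
    return result

if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder, not a real sender
    print(check_ip("192.0.2.10", ["zen.spamhaus.org"]))
```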
How to fix a spam script infection
Attackers exploit web application vulnerabilities to upload spam scripts or bots.
These scripts listen for commands from a remote “bot master” and send spam based on these commands.
Here at Bobcares, we systematically analyze server event logs to locate the spam source.
First we find out from the mail logs when the spamming started, and then we check the web logs to find all scripts that were executed at that time.
We look at the upload time and the code of these scripts to determine if they are spam scripts, and if so, we delete them from the server.
Once we’ve cleaned out the spam scripts, we find out which web application vulnerability was used for the attack, and patch the application to prevent further infections.
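The log correlation just described, as an added example that is not part of the original article: given Postfix pickup lines (which record the Unix uid that injected each message) and an Apache access log, it takes the first mail injected by the web server’s uid as the start of the spamming and lists the PHP scripts requested in the minutes before it. All log lines are constructed; uid 33 for the web server, the year 2018, the 5-minute window and both logs sharing one local time zone are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from a real server), both in the same local time.
MAIL_LOG = """\
Jun 21 13:40:11 web1 postfix/pickup[1001]: A1B2C3: uid=1003 from=<alice@example.com>
Jun 21 14:02:05 web1 postfix/pickup[1001]: D4E5F6: uid=33 from=<www-data@web1.example.com>
Jun 21 14:02:06 web1 postfix/pickup[1001]: D4E5F7: uid=33 from=<www-data@web1.example.com>
"""
WEB_LOG = """\
203.0.113.7 - - [21/Jun/2018:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [21/Jun/2018:14:01:58 +0000] "POST /wp-content/uploads/2018/06/wp-cache.php HTTP/1.1" 200 312
203.0.113.9 - - [21/Jun/2018:14:02:03 +0000] "POST /wp-content/uploads/2018/06/wp-cache.php HTTP/1.1" 200 312
198.51.100.4 - - [21/Jun/2018:14:10:30 +0000] "GET /about.html HTTP/1.1" 200 2048
"""
MAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: \w+: uid=(\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def first_mail_from_uid(mail_log, uid, year):
    """Timestamp of the first message injected by `uid` (syslog lines lack the year)."""
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m and m.group(2) == str(uid):
            return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return None

def scripts_hit_before(web_log, when, window=timedelta(minutes=5)):
    """Return {path: [client IPs]} for PHP requests in the window ending at `when`."""
    hits = {}
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path, _status = m.groups()
        t = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the tz offset
        if when - window <= t <= when and path.lower().endswith(".php"):
            hits.setdefault(path, []).append(ip)
    return hits

def locate_spam_source(mail_log, web_log, web_uid=33, year=2018):
    """Start time of the web-injected spam and the scripts active just before it."""
    started = first_mail_from_uid(mail_log, web_uid, year)
    if started is None:
        return None, {}
    return started, scripts_hit_before(web_log, started)
```

Scripts that were requested by POST from an uploads directory right before the first injected mail, like the one flagged here, are the first files to inspect and compare against their upload time.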
How to fix email login compromise
Email login compromises are comparatively easy to find.
The mail server logs will show a single user repetitively logging in and sending hundreds of thousands of mails in a single batch.
Here at Bobcares, we monitor the mail queue size of our customer’s servers.
When we see an abnormal spike in outgoing mails, we immediately locate the sender. If it is a single email ID or a single domain, we’ve seen that it’s likely to be an email compromise.
In such cases, we immediately delete all pending mails from that email ID from the queue.
Then we quickly change the email ID password, and block all IPs that abused the account.
Furthermore, we get in touch with the account owner, and help them reset their passwords for FTP, Control Panel and all other logins as the attacker is likely to have accessed them all.
We’ve seen that many of these issues are caused by a compromised PC.
So, we ask the customers to use a different PC to reset the password, re-install the operating system (e.g. Windows 10) on the affected PC, and enable a firewall.
How to prevent “550 Email blocked” errors
If you’ve cleared a spam script infection, and got your IP delisted, that is a good beginning.
But it is not enough.
Unless you’ve implemented preventive measures to block a spam infection and limit the damage of another attack, this issue will recur.
That is why, here at Bobcares, we make sure we set up preventive actions as a follow-up to spam mitigation.
Here are the top 7 measures we’ve found to be effective:
1. Block direct outgoing SMTP connections
Spam scripts try to connect directly to remote SMTP servers.
On our customers’ servers we set up firewalls to block such direct SMTP connections, and force all scripts to send mail through the mail server.
This helps us monitor per user email volume, and take action if something seems suspicious.
2. Limit the number of emails allowed per hour
Most email users send fewer than 50 mails an hour.
So, on the servers we manage we set a default limit of 50 mails per hour for each user, and increase the limit on a case-by-case basis.
This ensures that even if a spammer gets access to an account, the damage will be limited, and we’ll have time to delete the spam from the mail queue.
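As an added example (not from the article) covering both the compromised-account pattern described earlier, where one user repeatedly logs in and sends a large batch of mail, and the 50-per-hour limit above: a Python function that buckets authenticated Postfix submissions per user and hour, flags users over the limit, and collects the client IPs that used the account, which is what is needed to purge the queue, reset the password and block the abusing IPs. The log lines are constructed, with one normal user and one account sending 120 mails in an hour from two IPs.

```python
import re

# Postfix smtpd lines record the authenticated user and the client address.
SMTPD_RE = re.compile(
    r"^(\w{3} +\d+ \d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\[ ]*\[([^\]]+)\].*sasl_username=(\S+)"
)

def sample_log():
    """Constructed log: alice sends one mail; bob's account sends 120 in one hour."""
    lines = ["Jun 21 13:10:00 mx1 postfix/smtpd[2201]: A0001: client=home.example"
             "[198.51.100.4], sasl_method=PLAIN, sasl_username=alice@example.com"]
    for i in range(120):
        ip = "203.0.113.9" if i % 2 else "203.0.113.10"
        lines.append(
            f"Jun 21 14:{i % 60:02d}:{i // 60:02d} mx1 postfix/smtpd[2202]: B{i:04d}: "
            f"client=unknown[{ip}], sasl_method=PLAIN, sasl_username=bob@example.com"
        )
    return "\n".join(lines)

def sends_per_hour(log):
    """Return {(user, 'Mon DD HH'): {client_ip: count}} for authenticated sends."""
    buckets = {}
    for line in log.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            hour, ip, user = m.groups()
            per_ip = buckets.setdefault((user, hour), {})
            per_ip[ip] = per_ip.get(ip, 0) + 1
    return buckets

def flag_compromised(log, limit=50):
    """Users exceeding `limit` sends in any hour, with the hours and the IPs to block."""
    flagged = {}
    for (user, hour), per_ip in sends_per_hour(log).items():
        total = sum(per_ip.values())
        if total > limit:
            entry = flagged.setdefault(user, {"hours": [], "ips": set()})
            entry["hours"].append((hour, total))
            entry["ips"].update(per_ip)
    return flagged
```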
3. Enable a Web application firewall
We set up web application firewalls like mod_security to prevent attackers from exploiting web application vulnerabilities.
A properly maintained web application firewall will block spam script and bot uploads.
4. Set up malware scanning on file upload
We’ve seen cases of malware uploaded through compromised FTP accounts.
To counter that, we set up malware scanners that are triggered every time a new file is created. This ensures that every spam script is weeded out before it can cause harm.
5. Scan outgoing mail
Despite all these measures, it is possible that spammers can use compromised email accounts to send spam.
To block that, we set up anti-spam systems to scan all outgoing mails as well (by default, anti-spam software scans only incoming mails). If a mail is detected as spam, it is blocked from going out.
6. Set up brute-force detection
Cyber criminals often steal email logins by using brute-force attacks, in which the attacker sends hundreds of common passwords to a login prompt in an effort to “guess” the right password.
We prevent such attacks on our customers’ servers by setting up a brute-force detector like Fail2ban or LFD.
A properly configured brute force blocker will prevent account compromise while not blocking legitimate accounts.
7. Set up 24/7 monitoring and periodic audits
Attackers keep finding new ways to break into servers, and security researchers keep inventing new ways to block them.
Unless the servers are updated with the latest tools and inspected for effectiveness periodically, new varieties of attack can still break into the server.
That is why we monitor our customer servers 24/7, and inspect any anomaly in mail traffic.
Then we periodically audit the firewalls, malware settings, database updates, mail server settings, and more to make sure the defenses are strong enough to block new kinds of attacks.
The email error “550 email blocked” is primarily caused by a mail server IP being listed in a spam blacklist. Today we’ve seen two situations where this error can show up, how we fix them, and how we prevent the error from happening again.