1

I am running a website where the users register using their e-mail addresses and receive a confirmation code before they can log in. (After this every contact is opt-in.)

Every now and then some user uses an e-mail address that does not belong to them - either due to misspelling or intentionally providing a made up e-mail address.

In a few years time it is the second time that a user provided a spam trap e-mail address during registration and my server got blacklisted because of this.

As the blacklist needs time to update I could only find the spam trap address by asking removal from it and then finding the common e-mail address after a subsequent blacklisting. Then I disabled delivery for that address on my end.

The first spam trap e-mail address was easily guessable by incident (a@[some domain]) the second was more complex.

What is the best way to avoid such things from happening or at least reducing the chances?

How do bigger sites/providers handle this?

Gábor Héja
  • 323
  • 2
  • 14

2 Answers2

1

Could you send "initial email verification" from another IP address and custom subdomain?
It should limit blacklisting to "initial email verification" service.

AnFi
  • 5,883
  • 1
  • 12
  • 26
0

You should be able to reduce issues by validating the domain of the email address that is entered. It is reasonable to check that an MX record exists for the domain. While it is permitted to run a mail server without an MX record, in practice this is uncommon for internet facing servers.

Sending your registration email through your mail server should help. Configuring SPF, DKIM and DMARC may help keep single emails from triggering SPAM traps. Your mail server should also have a correct PTR record, and announce itself using that domain.

I frequently get email from web-servers that looks like SPAM. Make sure your registration email has valid headers and is well formatted. Sending directly from the web server or using a domain like www.example.com tends to trigger spam filters.

BillThor
  • 27,354
  • 3
  • 35
  • 69
  • How should I validate the domain, could you explain? (The MX record should exist otherwise I could not hit the spam trap either.) I have configured SPF and DKIM, I also have a FQDN mailname that resolves to the originating IP and PTR set up. The e-mails are not phishy or spam-like, Gmail and Hotmail do not mark them as spam. – Gábor Héja Nov 16 '18 at 16:24
  • @GáborHéja Validate the domain by doing a DNS lookup for and MX record. If an MX record does not exist, the A record will be used to deliver the mail. However, legitimate domains will almost certainly have one or mre MX records. – BillThor Nov 17 '18 at 05:22
  • I suspect some spammers/botnets use registration services to mailbomb spamtraps. – AnFi Dec 13 '18 at 22:29