
CloudMail - poor SPAM scoring with AWS


This topic is 1402 days old. Please don't post here. Open a new topic instead.


I have set up several client systems with the CloudMail plugin to facilitate small batch email facilities. Despite setting the system as per the AWS guidance with SPF and DKIM validation, the system works well but we have some problems with SPAM filtering by some recipient servers (Office 365) where they have filters set strictly.

After running some tests, it appears that the AWS SES system is picking up some poor scoring on the [unsubscribe] facility. Example:

<p class=3D'style5'><a href=3D'http://54.91.242.137/CloudMail/unsubscribe/13aef5d0-6cf1-48da-85ba-9ef0eb2f8a57'>Unsubscribe</a></p><img border=3D'0' src=3D'http://54.91.242.137/CloudMail/view/13aef5d0-6cf1-48da-85ba-9ef0eb2f8a57' width=3D'1' height=3D'1'>

The SPAM scoring seems to highlight the IP addressed unsubscribe feature as poor and applies 3 points, with an additional 0.5 point for the img containing no alt attribute.

So my query here is: can we use a proper URL to the unsubscribe link and can I make sure that the img border that it assigns has an alt attribute? 
CORRECTION: it may be that the img is the AWS tracking pixel that doesn't have the alt attribute.

This alone would halve our SPAM score and might solve our immediate problems in this regard.

 

Any hints or tips would be much appreciated.

Many thanks, Anatole Beams

Edited by Terrible Toll
more information uncovered in the AWS SES documentation

It appears that the issue was not one of poor SPAM scoring at all, but a result of not applying a custom DNS name. By leaving the DNS name as the IP address, the email system worked, but the filters could detect the AWS instance IP address within the email. Applying a custom DNS name to the DNS listing for the client's domain and using that instead cleared up the issue.

 

Many thanks to the prompt response from 360works support.


Happy to help! Just to elaborate on this... there is a parameter in the CMQueueMessage function called "dnsName" whereby passing in the host name of the machine for the value will replace all links in your email with that name rather than the IP address to that machine. You will need to create a record in your DNS that points to the CloudMail instance in order to do this.

Link to comment
Share on other sites
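The two items the spam tests flagged earlier in this thread (links whose host is a bare IP address, and an img with no alt attribute) can be checked on an outgoing message body before sending. The following is an added example, not part of any post and not 360Works code; the sample body is constructed, using a documentation IP address and a placeholder message id.

```python
import ipaddress
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: quoted-printable HTML body (as seen in raw mail source),
# with documentation address 192.0.2.10 and a placeholder id "MSG-ID".
SAMPLE_QP = (
    b"<p><a href=3D'http://192.0.2.10/CloudMail/unsubscribe/MSG-ID'>"
    b"Unsubscribe</a></p>\r\n"
    b"<img border=3D'0' src=3D'http://192.0.2.10/CloudMail/view/MSG-ID' "
    b"width=3D'1' height=3D'1'>\r\n"
    b"<img src=3D'https://mail.example.com/logo.png' alt=3D''>\r\n"
)


def is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkLint(HTMLParser):
    """Collects (finding, tag, url) tuples for <a href> and <img src>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "a" else a.get("src") if tag == "img" else None
        if url and is_ip_literal(url):
            self.findings.append(("ip-literal-url", tag, url))
        # alt="" counts as present; only a missing attribute is reported.
        if tag == "img" and "alt" not in a:
            self.findings.append(("img-missing-alt", tag, a.get("src", "")))


def lint_body(qp_bytes):
    """Decode a quoted-printable body and return the list of findings."""
    html = quopri.decodestring(qp_bytes).decode("utf-8", "replace")
    parser = LinkLint()
    parser.feed(html)
    parser.close()
    return parser.findings
```
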

  • 2 weeks later...
  • 3 weeks later...

Further to correcting the previous issue we are still getting a lot of mails being received in recipient junk folders. Particularly when handled by Outlook Exchange servers. On examining the headers of the recipient emails the SPF test was always failing on AWS emails because the "domain of amazonses.com does not designate 94.100.134.10 as permitted sender" ...(or any other shared IP address that SES has used - SES seems to just use 83.246.65.101 and 94.100.134.10). Whether emails pass or fail the spam testing seems entirely random and the only critical difference between them that I have spotted is their respective SCL ratings of -1 or 5 for non-spam or suspected spam.

Today I ran some checks on several client systems also using the AWS system with the same SPF results and concluded that the SPF settings for amazonses.com may not be correct or are now out of date. The IP addresses that SES was using for our emails at this time were: 94.100.134.10 and 83.246.65.101, but they are not included in the SPF settings for amazonses.com. I have posted a query on the forum, but have had no response. I have even changed our subscription to 'Developer' to try to get some technical support, but nothing has been forthcoming yet. So in desperation I am posting here too.

Any help would be much appreciated.

Anatole Beams

- - - -
DNS record: amazonses.com
(results shown from dmarcanalyzer.com )

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 ip4:76.223.180.0/23 -all

IP
199.255.192.0/22
199.127.232.0/22
54.240.0.0/18
69.169.224.0/20
76.223.180.0/23
- - - -

Email header shows:

Authentication-Results: spf=fail (sender IP is 83.246.65.101)  smtp.mailfrom=amazonses.com; butterflylondon.com; dkim=pass (signature was  verified) header.d=butterflylondon.com;butterflylondon.com;  dmarc=bestguesspass action=none header.from=butterflylondon.com;compauth=pass  reason=109
Received-SPF: Fail (protection.outlook.com: domain of amazonses.com does not designate 83.246.65.101 as permitted sender) receiver=protection.outlook.com;  client-ip=83.246.65.101; helo=hsmx05.antispameurope.com;
Received: from hsmx05.antispameurope.com (83.246.65.101) by  VE1EUR02FT055.mail.protection.outlook.com (10.152.13.34) with Microsoft SMTP  Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id  15.20.1750.20 via Frontend Transport; Mon, 1 Apr 2019 16:07:07 +0000
Received: from a43-137.smtp-out.amazonses.com (54.240.43.137) by mx-gate86-hz2.hornetsecurity.com;  
Mon, 01 Apr 2019 18:07:07 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=ylwamdh6eitpmqro6pafgsjzjiwoxo6k; d=butterflylondon.com;
    t=1554134810;
    h=From:To:Subject:MIME-Version:Content-Type:Message-ID:Date;
    bh=bHx40E+7UjshcrjXD91KQXpnO6dK/pOB8KvNgdIwlYM=;
    b=BN3hZtKuCwTitv80Ta2iwqIQxV6c+QiJiprx6s+huCEvpr8in23WAMh3+puKBTBW     bKmYpxoKW2EgXAkkbhd0ZgIiOqurvE28nlLYtcf9jkh/YY7d0H9cr2XmA7nJcJ9MlkR     Pvfww6/r3RUcqhCdhV/Co1F2hpQ4DZhZZ5zs+y+U=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com;
    t=1554134810;
    h=From:To:Subject:MIME-Version:Content-Type:Message-ID:Date:Feedback-ID;
    bh=bHx40E+7UjshcrjXD91KQXpnO6dK/pOB8KvNgdIwlYM=;
    b=kHYeLbt2OKOenT2L5gnI4Cd5dtLCtEH1br1b2BvRwxaCg4v6JPz0EgmN3TLI9SvL     ITHQzKeGNp3mHhdE/WxSTO9Vzr1/PUmxG8f27kQ1Z0gUB4zDnhMwpjF6dYDtwVca73Z     hjWChFGnVCY2RRnRADXt5R6/l1KxexDDFWeBcCUE=
From: [email protected]
To: [email protected]
Subject: POTENTIAL SPAM: SIMPLE TEST
MIME-Version: 1.0
Message-ID: <01000169d9a73d7b-0b2d1193-f7e6-4475-bad8-21dd528f77d9-000000@email.amazonses.com>
Date: Mon, 1 Apr 2019 16:06:50 +0000
X-SES-Outgoing: 2019.04.01-54.240.43.137
Feedback-ID: 1.us-east-1.uMOQwmFugmdoVcy4W1AbM/Osc73Of2TtTIloxaj1zSg=:AmazonSES
X-antispameurope-sender: 01000169d9a73d7b-0b2d1193-f7e6-4475-bad8-21dd528f77d9-000000@amazonses.com
X-antispameurope-recipient: [email protected]
X-antispameurope-MSGID: 5f87ead918d374999f135010e830add5-03cf307c2b77c2826c97ea89d007e361 X-antispameurope-Virusscan: CLEAN
X-antispameurope-disclaimer: This E-Mail was scanned by www.antispameurope.com E-Mailservice on mx-gate86-hz2 with 7E956D79B7B
X-antispameurope-date: 1554134812 X-antispameurope: INCOMING:
X-antispameurope-Connect: a43-137.smtp-out.amazonses.com[54.240.43.137],TLS=1;EMIG=0
X-antispameurope-detected-infomail: yes
X-antispameurope-WC: 2:288:2:4688:0:142:0:0:0:0:0:2:2:0:1:0:1:103:121:103:0:0:0:0:1:40:0:0:0:2:0:0:0:0::0:1:0:0:0:0:0
X-antispameurope-SPFRESULT: PASS X-antispameurope-RBLWL: CLEAN
X-antispameurope-Spamstatus: CLEAN
X-antispameurope-REASON: XARG-WL:xw_exprx_190313-62-0141

--//--

X-MS-Exchange-Organization-SCL: 5

Edited by Terrible Toll

It appears that the SPF failure is the result of an intermediary filtering service provided by Everycloud. The email path is being spotted by the Outlook server and their domain (antispameurope.com) is not being recognised or included in the original SPF details.

Link to comment
Share on other sites
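The SPF outcome at each hop of the path shown in the posted headers can be reproduced offline. This is an added example, not part of any post: it uses the amazonses.com SPF record and the two Received lines as quoted in the thread (abbreviated), and it evaluates only `ip4` mechanisms and `all`, with no DNS lookups and no `include`, `a`, `mx` or `redirect` handling.

```python
import ipaddress
import re

# SPF record for amazonses.com as quoted in the thread (2019 snapshot).
SPF = ("v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 "
       "ip4:69.169.224.0/20 ip4:76.223.180.0/23 -all")

# Received headers, newest first, abbreviated from the headers in the thread.
RECEIVED = [
    "from hsmx05.antispameurope.com (83.246.65.101) by "
    "VE1EUR02FT055.mail.protection.outlook.com (10.152.13.34)",
    "from a43-137.smtp-out.amazonses.com (54.240.43.137) by "
    "mx-gate86-hz2.hornetsecurity.com",
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_ip4_check(record, client_ip):
    """Simplified SPF check: ip4 mechanisms and 'all' only (an assumption)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def hops(received, record=SPF):
    """Return (receiving host, connecting IP, SPF result) per hop, oldest first."""
    out = []
    for line in reversed(received):
        m = re.search(r"from \S+ \((\d{1,3}(?:\.\d{1,3}){3})\) by (\S+)", line)
        if m:
            out.append((m.group(2), m.group(1), spf_ip4_check(record, m.group(1))))
    return out
```

The first receiver sees the SES address inside 54.240.0.0/18 and gets a pass; the second receiver sees the relay's address, which the record does not list, and gets a fail.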

  • 7 months later...
On 2/27/2019 at 9:51 AM, ryan360Works said:

Happy to help! Just to elaborate on this... there is a parameter in the CMQueueMessage function called "dnsName" whereby passing in the host name of the machine for the value will replace all links in your email with that name rather than the IP address to that machine. You will need to create a record in your DNS that points to the CloudMail instance in order to do this.

Hello! I have the same problem of poor spam result. Could you explain to me how to create a record in my DNS that points to the CloudMail instance?

Thank you for your help !


The process to do this will vary depending on your DNS provider. You can get the IP address of the CloudMail instance by looking at the running instances section in the EC2 module of your AWS account. Once you have assigned your domain to the CloudMail instance, follow the Easy DKIM instructions here


Hi !

Yes, that's exactly what I did. I have my instance of Cloudmail and I installed DKIM as suggested. I still have a poor spam result because of the unsubscribe link (-3). What can I do to avoid this?

Here is the unsubscribe link that seems not working on spam. Do I have a configuration to do at Cloudmail? http://3.208.121.226/CloudMail/unsubscribe/fc9307bb-9fca-42bf-bb10-f7eb5d59f7ce

Edited by Grégoire
precision

On 3/12/2019 at 7:04 PM, Terrible Toll said:

All sorted - the SPAM scoring is now around 9/10, so pretty much as good as we could hope for.

Many thanks for your response Ryan

Hello,

I have the same problem and I search the DNS configuration in my Cpanel ... Can you explain to me what you did as a configuration? Thanks in advance !


  • 2 months later...

Hi Grégoire

The process of getting to the bottom of the SPAM scores was really troublesome.

I had to send and resend emails and then examine the source code received and also use services like mail-tester.com and ISnotSPAM.com.

This revealed where the specified addresses/URLs were not being used. Setting up the custom DNSname was essential. We set up both for SPF and DKIM.

The AWS sender IP addresses are also a potential problem that flag up in some SPAM filters. We ended up having to set up and train our own. Some of the links that CloudMail/AWS use to provide the feedback are also potential SPAM triggers, but I had no way of changing these. Plus the img that is the AWS tracking pixel still doesn't have an alt attribute - I could do nothing about this.

It would be really nice to be able to configure the unsubscribe option more fully. Particularly with regard to the dialogue webpage - which it would be nice to brand and style to match our identity. I believe this is on the 'further development' list at 360works.

Edited by Terrible Toll

  • 5 months later...

I have a further query about this for 360works support.

Is the tracking pixel img added by the CloudMail plug-in? If so can you add an alt attribute to it please (alt=""). This would perfect the code in the eyes of the SPAM testing algorithms. I don't believe that there is anything that we can do on our side of the plug-in to achieve this.

Many thanks - Anatole
