DigitalOcean sold us a droplet with a blacklisted IP. How do we get another IP?

September 15, 2018 3.1k views
Email Ubuntu 18.04 DigitalOcean

Hello,

About 2 months ago, we purchased a DigitalOcean droplet. We moved our customers’ websites and email server in there.

To our great dismay, the droplet IP address “looks clean” for some major spam email IP blacklists but not all. Our customers are unable to send email to Hotmail, Live.com, Outlook.com and to the second biggest national email provider in our country.

Microsoft is taking weeks to “evaluate” the blacklist removal and that email provider is totally unresponsive (actually, its third party “email reputation service” is).

So we have 70% of our customers unable to do business and very annoyed with us.

What can we do?

Every other VPS provider sells additional, hopefully “clean” IP addresses but not DigitalOcean.

I thought about saving a droplet snapshot, destroying the snapshot and then rebuilding it again, but I just read that when we rebuild the server we’ll get back the same blacklisted IP.

Is there any option to force in another IP address?

Please help us, we hoped to save time and money with DigitalOcean but we’ll probably end up losing hundreds of euros to indemnify our customers!

4 Answers

Can you use a floating IP?

DigitalOcean does sell additional IPs. They are called floating IPs.

  • I have an all-in-one LAMP setup + email stack. How do I get that to work with a floating IP?

    It’s an Ubuntu 18.04, Postfix + Dovecot setup.

Hey friend!

This is a great question. You’ve discovered something that I’ve been dealing with for quite some time, regardless of who owned the IP address that I’ve used or how clean it was by any external measure. What you’ve discovered is that the company you are sending mail to has its own measure of IP reputation and that you have no way to query it or control it.

The only way to change your droplet IP will be to create a new one. Floating IPs should not function in this capacity. However, this is not likely something that will benefit you. You’ve already submitted a request to have the block removed, changing IPs will reset your position in this process. If you need to guarantee email delivery to a particular provider, without waiting for these steps, the only option you have is to send to their service through a route that you know will not be rejected. You can try an SMTP delivery service like SendGrid, MailChannels, or any number of providers that specialize in email delivery.

Going the DIY route for email delivery is admirable, but there’s no shortcut to resolving these types of issues by hand. This is something I’ve personally spent a lot of years and money on trying to solve. The only viable paths are luck, very hard work to influence the recipient email provider, or money spent on solutions designed to solve the problem. If I can share anything from the years I’ve been dealing with this, it’s that spending the money on a solution that solves this is the only consistently reliable path that will allow you to set it and forget it. I wish it were otherwise, but there’s a whole market for email delivery and it exists for good reason. Hopefully I can help save you time and headaches at least :)

Jarland

  • Thank you for your reply.

    I see two issues with this:

    1. One of those “email reputation services” has been sold (1 year ago) to a new company. The new company does not reply to any blacklist removal request. I’ve contacted them directly and, when they found out I was not there to buy something, they just stopped replying. As of now I am stuck with this, nobody is going to even read my whitelist request.

    2. I manage a number of customers and none of them wants to spend 1 penny on email delivery services. Most of them send a very moderate number of emails and don’t see why they should pay for something they don’t use. Nor can I create dozens of 3rd party email delivery accounts without their consent.

    • Thanks for reaching back out, always happy to help :)

      Most blacklists are irrelevant these days, only a handful actually end up being queried by recipient providers. I cannot accurately say which ones are queried by Microsoft, but I am inclined to believe that it is zero and that they only use their own internal list. This is my best guess from experience, given that I cannot know with absolute certainty.

      I totally get that customers have the expectation of simply sending mail and it working, without paying something extra or anything like that. Especially when they can move from A to B and they see it working again. My perspective is that doing this is chasing around the remainders of a time that has passed. Temporary gains from moving around to different IP space.

      When MS blocked a brand new IPv4 range that I received, having not received any spam from it, I began hopping around through IP space to find ranges they hadn’t blocked (at various providers). Soon after, those ranges would be blocked too. Inevitably, a few customers would set up email forwarders that would send spam to their service, causing the blocks to simply follow me around over time.

      My response to this problem was to purchase a MailChannels subscription and set up cPanel to relay all mail through it. It was expensive but it worked great. It cost me all of my profits, but as I learned this is simply the way the game is played these days and whether or not I liked it, I either had to pay up or ask my customers to change their expectations.

      Fast forward to today and I have my own rented /24 that I work hard to keep clean, and I’m still dealing with it (at least today I no longer manage it alone). Last night we had to rotate out an IP and fill out the MS removal form because one user had their password compromised and their account used to send a few spam messages. The JMRP form doesn’t work because they hit RIPE rate limits constantly. This is the life of an email provider in 2018. There is no rest, there is no easy way out. The easiest path is to spend money, the hard path is to spend a little less money but instead spend all of your time doing it (or hire help). The frustrating path is to move around constantly and wait for the problem to find you again elsewhere because of one email forwarder or a neighbor server.

      I do wish there was an easy way out. A lot of advice out there exists about easy ways out, but I’ve found that they tend to come from people who are in very isolated situations. A single user who never forwards email and does not delegate email services to any significant number of customers is going to have an easier time with everything, for example. For you and me, just trying to get users on a shared server to consistently send to Hotmail, we will see that the old days are gone and the new ones are not so pleasant. We’ll survive, but it will cost us something.

      I hope my insight proves valuable at the least :)

      Jarland

      • Hello Jarland,

        thank you for your articulated and “felt” reply. You have made me search for an emailing solution and I’ve found 2. Our servers’ emailing “needs” are limited - no bulk emails needed - so I could find a good yet very affordable service that I am now using as relay.
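
The relay approach discussed in this answer thread, sketched for the Ubuntu 18.04 Postfix setup the question describes (an added example, not part of any post above). It sends only the affected recipient domains through an authenticated relay and leaves all other delivery direct. The relay host `smtp.relay.example`, port 587, the credential placeholders and the map file paths are assumptions; substitute the values your relay provider gives you.

```ini
# ---- /etc/postfix/main.cf (additions) ----
# Per-destination routing: only the domains listed in the transport map go
# through the relay; all other mail is still delivered directly.
transport_maps = hash:/etc/postfix/transport

# SASL login for the relay. Postfix authenticates only to next hops that have
# an entry in the password map, so direct deliveries are unaffected.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Opportunistic TLS in general, mandatory TLS for the relay hop so the
# credentials are never sent in clear text.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/transport ----
# Recipient domains named in the question (assumed relay host and port).
hotmail.com    smtp:[smtp.relay.example]:587
live.com       smtp:[smtp.relay.example]:587
outlook.com    smtp:[smtp.relay.example]:587

# ---- /etc/postfix/tls_policy ----
[smtp.relay.example]:587    encrypt

# ---- /etc/postfix/sasl_passwd (chmod 600, owner root) ----
# Placeholder credentials; the key must match the next hop exactly.
[smtp.relay.example]:587    RELAY_USERNAME:RELAY_PASSWORD

# After editing, rebuild the lookup tables and reload Postfix:
#   postmap /etc/postfix/transport /etc/postfix/tls_policy /etc/postfix/sasl_passwd
#   chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
#   postfix reload
```

Each sending domain's SPF record also has to authorise the relay's outbound hosts, otherwise relayed mail can fail SPF checks at the recipient.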

Hi Lucaf,

we are one of the blacklist providers that listed almost all DigitalOcean IP addresses. The reason is not any malware traffic or spam mails since this happens to all providers. We listed DO’s networks because they do not care about or handle abuse reports. Attacks keep on even over six months after reporting malicious behavior. It seems to be the business strategy of DigitalOcean to support this behavior. So we decided to mark DO as a “bad provider” and can only advise you to choose a provider that cares about their IPs being used in a malicious manner, since we - or our partners - are not willing to remove their networks from blacklists, if they don’t change their incident handling.

Cheers,

Martin Litter
Darklist.de
