Auto detection to Detect and Delist Compromised Email Accounts
Mailbaby utilize advanced detection systems to identify compromised email accounts. This process involves monitoring several key factors, including the IP address used in SMTP authentication, destination email addresses, subject lines, and specific flags that may trigger a manual review.
Our compromise detection system maintains an extremely low false-positive rate. In almost all cases, a flagged account indicates a legitimate security breach that requires immediate attention.
How to Delist Compromised Emails
You can now delist many compromised emails directly through your control panel. Follow these steps to get started:
- Log into your account at my.interserver.net.
- Navigate to the Mail List View and select the specific mail account.
Option 1: Using the Mail Account Delist Feature
Select “Delist Email” after accessing the mail account details. This section displays accounts flagged as likely compromised within the last 24 hours and allows you to submit a delisting request.
Option 2: Delisting via Message ID
If you have a specific message ID (e.g., 1941b51b2430000adb), you can delist it using one of the following methods:
- Enter the message ID into the top search bar of the control panel.
- Navigate to “View Log” and select the relevant message ID.
- Access the message info directly via:
https://my.interserver.net/index.php?choice=none.mailinfo&id=[MESSAGE_ID]
If you are permitted to delist the account, a “Delist Email” option will appear in the top right corner of the compromised email report.
Understanding Bounce Rules and Block Codes
When an email is blocked, the bounce page may display specific rules. Here is what they mean:
| Rule Flag | Description | Action Required |
|---|---|---|
| Dw J Smtps Possible Compromise | The credentials were found for sale on the dark web. | Informational note; does not cause a block. Change password immediately. |
| Compromised Email From Blacklist From Dqs | Automatic compromise detection was triggered. | Generally allows for an automatic delist. |
| Pcomp | The email account was compromised in the past. | Informational note only; does not cause a block. |
| LOCAL BL FROM | The email has been manually or automatically marked as compromised. | Generally allows for an automatic delist. |
Note: If the delist option does not appear, the email may be blocked due to high spam scores or content-based rules rather than a full account compromise. Manual blocks resulting from feedback loops or spam complaints cannot be delisted automatically; in these cases, an official notice is sent to the sender including the queue ID.
How Email Accounts Get Compromised
Account breaches typically occur through one of the following vulnerabilities:
- Exposed Credentials: Usernames and passwords stored in plain text in web-accessible files (e.g.,
.envfiles). - Brute Force: Use of weak, easy-to-guess passwords.
- Malware: Keyloggers or viruses on the user’s local computer.
- Credential Stuffing: Reusing passwords that were leaked in previous third-party data breaches. You can check your status at HaveIBeenPwned.com.
While it is rare for an entire server to be compromised, we occasionally see control panel breaches. In some instances, PHP or shell scripts can modify cPanel password files located at /home/username/etc/DOMAIN.com/shadow. Our system identifies 99% of these cases automatically.
Security Best Practices
To prevent future compromises, we strongly recommend the following steps:
- Enable Encryption: Ensure both incoming (POP/IMAP) and outgoing (SMTP) connections use SSL/TLS.
- Update TLS Versions: Use TLS 1.2 or higher. Avoid older versions (like those used by Windows 7 or Vista), as they do not support secure ciphers.
- Password Hygiene: Use strong, unique passwords for every account and never reuse them across different platforms.
For more detailed industry standards, refer to the M3AAWG Best Practices for Compromised User IDs.