GMail suspects confirmation email in stealing personal information

emailgmailspamspam-filterspf

When user registers on my web site, web site sends user email confirmation link.

Subject:
Please confirm your email address

Body:

Please open this link in your browser to confirm your email address:
http://www.postjobfree.com/a/c301718062444f96ba0e358ea833c9b3
This link will expire on: 6/9/2012 8:04:07 PM EST.

If my web site sends that email to GMaill (either @gmail.com or another domain that's handled by Google Apps) and that user never emailed to email — then GMail not only puts the email to spam folder, but also adds prominent red warning:

Be careful with this message. Similar messages were used to steal people's personal information. Unless you trust the sender, don't click links or reply with personal information. Learn more

That warning really scares many of my users, so they are afraid to open that link and confirm their email.

What can I do about it?

Ideally I would like that message end up in user's inbox, not spam folder. But at least how do I prevent that scary message?

IP address of my mailing server is not blacklisted:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a208.43.198.72

I use SPF and DKIM signature.

Below is the email that ended up in spam folder with that scary red message.

Delivered-To: 1@dennisgorelik.com
Received: by 10.112.84.98 with SMTP id x2csp36568lby;
        Fri, 8 Jun 2012 17:04:15 -0700 (PDT)
Received: by 10.60.25.6 with SMTP id y6mr9110318oef.42.1339200255375;
        Fri, 08 Jun 2012 17:04:15 -0700 (PDT)
Return-Path: 
Received: from smtp.postjobfree.com (smtp.postjobfree.com. [208.43.198.72])
        by mx.google.com with ESMTP id v8si6058193oev.44.2012.06.08.17.04.14;
        Fri, 08 Jun 2012 17:04:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@postjobfree.com designates 208.43.198.72 as permitted sender) client-ip=208.43.198.72;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@postjobfree.com designates 208.43.198.72 as permitted sender) smtp.mail=noreply@postjobfree.com; dkim=pass header.i=@postjobfree.com
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
        d=postjobfree.com; s=postjobfree.com;
        h=          received:message-id:mime-version:from:to:date:subject:content-type;
        b=TCip/3hP1WWViWB1cdAzMFPjyi/aUKXQbuSTVpEO7qr8x3WdMFhJCqZciA69S0HB4
          Koatk2cQQ3fOilr4ledCgZYemLSJgwa/ZRhObnqgPHAglkBy8/RAwkrwaE0GjLKup
          0XI6G2wPlh+ReR+inkMwhCPHFInmvrh4evlBx/VlA=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=postjobfree.com; s=postjobfree.com;
        h=content-type:subject:date:to:from:mime-version:message-id;
        bh=N59EIgRECIlAnd41LY4HY/OFI+v1p7t5M9yP+3FsKXY=;
        b=J3/BdZmpjzP4I6GA4ntmi4REu5PpOcmyzEL+6i7y7LaTR8tuc2h7fdW4HaMPlB7za
          Lj4NJPed61ErumO66eG4urd1UfyaRDtszWeuIbcIUqzwYpnMZ8ytaj8DPcWPE3JYj
          oKhcYyiVbgiFjLujib3/2k2PqDIrNutRH9Ln7puz4=
Received: from sv3035 (sv3035 [208.43.198.72]) by smtp.postjobfree.com with SMTP;
   Fri, 8 Jun 2012 20:04:07 -0400
Message-ID: 
MIME-Version: 1.0
From: "PostJobFree Notification"
 
To: 1@dennisgorelik.com
Date: 8 Jun 2012 20:04:07 -0400
Subject: Please confirm your email address
Content-Type: multipart/alternative;
 boundary=--boundary_107_ffa6a9ea-01dc-40f5-a50c-4c3b3d113f08


----boundary_107_ffa6a9ea-01dc-40f5-a50c-4c3b3d113f08
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Please open this link in your browser to confirm your email addre=
ss: =0D=0Ahttp://www.postjobfree.com/a/c301718062444f96ba0e358ea8=
33c9b3 =0D=0AThis link will expire on: 6/9/2012 8:04:07 PM EST. =0D=0A
----boundary_107_ffa6a9ea-01dc-40f5-a50c-4c3b3d113f08
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

PGh0bWw+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij48L2hlYWQ+DQo8Ym9keT48ZGl2
Pg0KUGxlYXNlIG9wZW4gdGhpcyBsaW5rIGluIHlvdXIgYnJvd3NlciB0byBjb25m
aXJtIHlvdXIgZW1haWwgYWRkcmVzczo8YnIgLz48YSBocmVmPSJodHRwOi8vd3d3
LnBvc3Rqb2JmcmVlLmNvbS9hL2MzMDE3MTgwNjI0NDRmOTZiYTBlMzU4ZWE4MzNj
OWIzIj5odHRwOi8vd3d3LnBvc3Rqb2JmcmVlLmNvbS9hL2MzMDE3MTgwNjI0NDRm
OTZiYTBlMzU4ZWE4MzNjOWIzPC9hPjxiciAvPlRoaXMgbGluayB3aWxsIGV4cGly
ZSBvbjogNi85LzIwMTIgODowNDowNyBQTSBFU1QuPGJyIC8+DQo8L2Rpdj48L2Jv
ZHk+PC9odG1sPg==
----boundary_107_ffa6a9ea-01dc-40f5-a50c-4c3b3d113f08--

Update 1:
Here's HTML that is encoded into base64:

<html><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"></head>
<body><div>
Please open this link in your browser to confirm your email address:<br /><a href="http://www.postjobfree.com/a/c301718062444f96ba0e358ea833c9b3">http://www.postjobfree.com/a/c301718062444f96ba0e358ea833c9b3</a><br />This link will expire on: 6/9/2012 8:04:07 PM EST.<br />
</div></body></html>

Update 2:
The reason why HTML is base64 encoded is because I use C# MailMessage to AlternateView to add both plain text and HTML versions of email:

https://stackoverflow.com/questions/44777/sending-a-mail-as-both-html-and-plain-text-in-net

http://msdn.microsoft.com/en-us/library/system.net.mail.mailmessage.alternateviews.aspx

Update 3:
Changing from base64 encoding (default in MailMessage C# class) to SevenBit encoding did not help.
At least not in development environment, when I'm sending links with "localhost" in them.
Here's the email rejected as phishing suspect:

Delivered-To: 24@dennisgorelik.com
Received: by 10.112.84.98 with SMTP id x2csp72117lby;
        Sat, 9 Jun 2012 15:16:37 -0700 (PDT)
Received: by 10.60.28.37 with SMTP id y5mr11589839oeg.35.1339280196971;
        Sat, 09 Jun 2012 15:16:36 -0700 (PDT)
Return-Path: <noreply@postjobfree.com>
Received: from smtp.postjobfree.com (smtp.postjobfree.com. [208.43.198.72])
        by mx.google.com with ESMTP id qk9si7300498obc.155.2012.06.09.15.16.36;
        Sat, 09 Jun 2012 15:16:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@postjobfree.com designates 208.43.198.72 as     permitted sender) client-ip=208.43.198.72;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@postjobfree.com designates 208.43.198.72 as permitted sender) smtp.mail=noreply@postjobfree.com; dkim=pass header.i=@postjobfree.com
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
        d=postjobfree.com; s=postjobfree.com;
        h=          received:message-id:mime-version:from:to:date:subject:content-type;
        b=MT47O2t6ibFcQKArmtx1vWeppQk1noTpazu2I8cQtT9k8aBgSgG0eCTfgMIBm4Hhw
          ienz58tHV8t2IbftHPY2NdD8uaWMm7vsPmZC4MYECfHeMkgz/H5/SqpPIcbodnGtp
          0kvyijSuB3ZRf81+mZUid9zzIcGVAZy+UdTlBQ9zA=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=postjobfree.com; s=postjobfree.com;
        h=content-type:subject:date:to:from:mime-version:message-id;
        bh=iEOndDXrxsEIf7PWPR7Mg8nS7FdoL0hyooPO8HHf7ms=;
        b=sPF/JTndeASFWWRuFh+gGLmLOwPApdN7fQJm0Uz39EtY6C+y0dXqQmYlLOryZszgO
          qyKBzOLCMMdrSdmVERS+ui7gegparxw3TwTXa37YHcHO8Zwr/0lfjE0ho9ofITfqV
          V59H1v0mVLdBAwvVTN6Rl0qNUwmZRc9jHkQOPDtZE=
Received: from quad (c-67-191-103-186.hsd1.fl.comcast.net [67.191.103.186]) by smtp.postjobfree.com with SMTP;
   Sat, 9 Jun 2012 18:16:29 -0400
Message-ID: <20120609221620c0254cdabdf44680bb2217bfab121481@smtp.postjobfree.com>
MIME-Version: 1.0
From: "PostJobFree Notification"
 <noreply@postjobfree.com>
To: 24@dennisgorelik.com
Date: 9 Jun 2012 18:16:24 -0400
Subject: Please confirm your email address
Content-Type: multipart/alternative;
 boundary=--boundary_0_421e5237-be5a-40a2-ba77-32fcb2856bdf


----boundary_0_421e5237-be5a-40a2-ba77-32fcb2856bdf
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Please open this link in your browser to confirm your email addre=
ss: =0D=0Ahttp://localhost/PostJobFree/a/054a67e4284a4976bc44e864=
a85f767a =0D=0AThis link will expire on: 6/10/2012 6:16:13 PM EST=
. =0D=0A
----boundary_0_421e5237-be5a-40a2-ba77-32fcb2856bdf
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"></head>
<body><div>
Please open this link in your browser to confirm your email address:<br /><a     href="http://localhost/PostJobFree/a/054a67e4284a4976bc44e864a85f767a">http://localhost/PostJobFree/a/054a67e4284a4976bc44e864a85f767a</a><br />This link will expire on: 6/10/2012 6:16:13 PM EST.<br />
</div></body></html>
----boundary_0_421e5237-be5a-40a2-ba77-32fcb2856bdf--

Update 4:
After we redid our email formatting similar to CopyHacker Letter designed by MailChimp (see that answer below) – it significantly improved email deliverability (+ improved readability).
I guess deliverability improved because we now avoid some potentially spammy words such as "link".

Best Answer

Mailchimp have an excellent article on How To Avoid Spam Filters

Update: Ok, seeing as I got slammed for just giving this link (to be fair its contents probably wouldn't solve your problem here), I've added more specific to what you're sending.

I suspect its the text you're using. 'Please confirm your email address by clicking the link' - I think you should replace the text with 'Subscribe to this list:'. It may even be as simple as switching from 'please confirm your email' to 'please confirm your subscription' - to indicate you're not trying to get any personal information.
I've no idea why you're adding the HTML as an attachment - if you send a client a normal email from your email client you wouldn't attach it as HTML you just send it as normal HTML (or text) - so why would you do things differently when you're trying not to appear like a spammer?
Given how short your email is you could probably just send it as text - in fact you are sending it as text and as base64 encoded - either send the message as html or as text you don't need both.
When trying to send an email to Gmail they will strip off all the html headers (I found Gmail to be the biggest pain for accepting HTML emails in a correct format)
If you're still getting problems I'd recommend you start sending emails through something like MailChimp - they'll end up looking nicer and you'll have happier customers
What you're being accused of is phishing style emails. Here's an example of one from my junk filter:

Dear online service customer,

Access to your account logged in successfully.

To ensure your protection, we've now blocked access to your accounts. You now need to restore your security details. You won't be able to gain access to your accounts until you've done this.

To restore Please click the link below to restore your account access.

RESTORE YOUR ACCOUNT ACCESS (in the email this is a link to a dodgy site)

© Shop Direct Limited. All Rights Reserved.

Here's an example of a nice please confirm your email from CopyHackers:

Subject: CopyHackers Newsletter: Please Confirm Subscription

Body:

enter image description here

Related Solutions

All the emails to Yahoo!, Hotmail and AOL are going to Spam, though I’ve implemented every validation method (works for Gmail though)

In looking at your failures, I have noticed several problems.

The first is that the originating ip for your emails (208.115.108.162) is listed on Five Ten's blacklist (http://www.five-ten-sg.com). Yahoo, Hotmail, and AOL all use their own internal blacklists, and to my knowledge don't rely on third party blacklists (such as Five Ten). That being said, it's a good indicator that something is afoot. You can delist yourself at five ten here: http://www.five-ten-sg.com/blackhole.php?ip=208.115.108.162&Search=Search. Delistings usually take around 12 to 24 hours. While this won't necessarily FIX your Yahoo, Hotmail, AOL problem... you should delist pronto.

The biggest problem is the lack of MX record for gemini.shiftapp.com. The emails are "FROM" james@gemini.shiftapp.com. It is a very common anti-spam tactic to lookup the MX record of the sending domain on incoming email. When AOL etc lookup the MX record for gemini.shiftapp.com, and they see none... they will likely classify as spam on the spot. At the very least, an MX will allow the recipients of these emails to reply.

Reverse DNS: You have a valid PTR record for that IP. AOL etc just simply look to see that PTR records exist... they don't really care what the PTR record returns so you are "good to go" as they say.

I didn't find any SPF records for gemini.shiftapp.com or shiftapp.com. That's ok because SPF never really caught on. Kinda like 8 track or Laser Discs... they look good on paper, but never gained critical mass.

My bet is the lack of MX records. One other thing to consider: make sure your email server is not an open relay (allowing unauthenticated users to send mail to other users not hosted on your server). Also, might be wise to do an audit of all email going through your system... if one of your users is (knowningly or UNknowingly) sending spam through your server, you'll be skating uphill!

Hope this helps, and best of luck! -Chris

Emails are going to spam

The following is based off of the IP I see in your logs as the mail sending IP of 67.55.9.182.

You have a PTR entry, which is good.

;; ANSWER SECTION:
182.9.55.67.in-addr.arpa. 14400 IN      PTR     dsl-67-55-9-182.acanac.net.

However your forward and reverse should match ideally. The reverse entry leads me to believe that you are running this off of a DSL ISP connection. That is enough to get your mail marked as spam in some systems. They do not like seeing mail coming from "home" or "consumer" connections.

Your IP is also listed in several blacklists:

67.55.9.182 is listed in dnsbl-3.uceprotect.net 
67.55.9.182 is listed in bl.spamcannibal.org

This will also result in your mail being sent to the spam bin.

Resolve the above issues and you will likely see your mail being accepted as ham. Hope that helps and let me know if you have any questions.

Best Answer

Related Solutions

All the emails to Yahoo!, Hotmail and AOL are going to Spam, though I’ve implemented every validation method (works for Gmail though)

Emails are going to spam

Related Topic