evan coonrod org RSS

    Fri, Sep 19th

    Why GoDaddy is awful (Read this if you use EC2 or other virtualized server)

    GoDaddy has come under fire a lot recently but surprisingly enough I haven’t heard anything about their absolutely braindead anti-spam strategy.

    We were seeing a lot of bounced messages coming in from users trying to sign up for our service, Email Center Pro. Here’s an excerpt from the bounce messages we were seeing:

    Reporting-MTA: dns; fly.emailcenterpro.com
    X-Postfix-Queue-ID: 446411D20055
    X-Postfix-Sender: rfc822; customerservice@paloalto.com
    Arrival-Date: Mon, 23 Jun 2008 17:43:26 -0700 (PDT)

    Final-Recipient: rfc822; info@example.com
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; host smtp.where.secureserver.net[208.109.80.149]
    said: 554 The message was rejected because it contains prohibited virus or
    spam content (in reply to end of DATA command)

    I won’t reproduce the “prohibited virus or spam content” here, but it’s basically a user’s login information including the username and domain (in the format example.emailcenterpro.com) they picked at the time of signup, and a randomly generated password.

    It didn’t take long to notice that the only server that had a problem with us was secureserver.net which is actually GoDaddy.

    After a number of fruitless calls and emails to GoDaddy support, we decided to experiment. We found that if we removed the login URL, the email would be delivered. Conversely, an email with nothing but the login URL would bounce with the above error message. We were able to reproduce this both with mail sent from our servers and even from Gmail, Yahoo, and other mail servers.

    GoDaddy seemingly thinks that our login URL is a virus.

    A typical Email Center Pro login URL looks something like:

    http://paloalto.emailcenterpro.com/

    Weird, huh? Weirder still is that if you send an email with our landing page:

    http://www.emailcenterpro.com/

    It’s delivered fine. What’s going on?

    I’m going to reveal something interesting about our architecture. The landing page, www, is hosted at our datacenter. The application pages are hosted on Amazon EC2.

    The only information we were able to squeeze out of GoDaddy at this point was that the mail wasn’t delivered because paloalto.emailcenterpro.com was on a Spamhaus blacklist. We found its IP address on Spamhaus’s Policy Black List.

    From Spamhaus’s description of their PBL:

    The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server

    Basically it’s a list of IP addresses which should not be sending email. Naturally it includes all of Amazon’s EC2 servers. Nobody should be sending email from EC2. We don’t send mail from EC2. The mail that was bouncing was sent from a server at our datacenter.

    At this point we still don’t totally understand what’s going on. We’re not sending mail from that IP, why should it matter?

    Here’s what’s going on- read it twice because it might not sink in fully the first time. When you send an email to an email address hosted by GoDaddy, they scan the email for URLs, whether linked or plaintext. They take any URLs they find and look up the IP address of the server each URL points to. Then they check that IP against Spamhaus.org’s Policy Black List. If the IP appears on Spamhaus’s PBL, they don’t deliver the email, even though the message itself was never sent from that IP.
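
    The same check can be run on the sending side before a message goes out. The Python below is an added example, not code from the original post or from GoDaddy: it extracts URL hosts from a message body, resolves them, and builds the standard DNSBL query name (reversed IPv4 octets plus the zone) for pbl.spamhaus.org. The function names are hypothetical, and the hostnames, IPs and lookup tables are constructed sample data so the block runs offline.

```python
import ipaddress
import re
import socket

PBL_ZONE = "pbl.spamhaus.org"
# Spamhaus' documented PBL answers: .10 = ISP-maintained, .11 = Spamhaus-maintained
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def url_hosts(body):
    """Hostnames of every http(s) URL in the body, linked or plain text."""
    return sorted({h.lower().rstrip(".") for h in URL_HOST_RE.findall(body)})

def dnsbl_query_name(ip, zone=PBL_ZONE):
    """DNSBL convention: reversed IPv4 octets prepended to the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_a(name):
    """Live A lookup; returns None on NXDOMAIN or any resolver failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def flagged_hosts(body, resolve=dns_a, lookup=dns_a):
    """Map each URL host whose IP is PBL-listed to (ip, DNSBL answer)."""
    hits = {}
    for host in url_hosts(body):
        ip = resolve(host)
        if ip is None:
            continue  # unresolvable host: nothing to look up
        answer = lookup(dnsbl_query_name(ip))
        # Only the PBL codes count; other 127.x answers are not PBL listings.
        if answer in PBL_CODES:
            hits[host] = (ip, answer)
    return hits

# Constructed sample data: example.com hostnames and documentation-range IPs.
SAMPLE_BODY = ("Welcome! Log in at http://acme.app.example.com/ "
               "or read more at http://www.example.com/about")
SAMPLE_A = {"acme.app.example.com": "198.51.100.23",
            "www.example.com": "192.0.2.10"}
SAMPLE_PBL = {"23.100.51.198.pbl.spamhaus.org": "127.0.0.10"}

if __name__ == "__main__":
    # Offline run against the constructed tables; omit them to query live DNS.
    print(flagged_hosts(SAMPLE_BODY, SAMPLE_A.get, SAMPLE_PBL.get))
```

    Calling `flagged_hosts(body)` with the default arguments performs live DNS queries; Spamhaus may return error codes instead of listings when queried through large public resolvers, which this code treats as "not listed".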

    I complained about this concept on Twitter and a guy from GoDaddy called me. We spoke at length and he confirmed our findings. GoDaddy will not deliver emails that contain URLs of anything hosted on EC2.

    He agreed with me that this anti-spam strategy was likely to cause a large percentage of false positives. He also confirmed that there was no way for GoDaddy users to opt-out of this “service”.

    His suggestions for solving the issue were insulting. He suggested that we send the login email without the URL for our user to log in to. He suggested we change hosts. He suggested we dynamically perform a lookup on the recipient’s email address to find out whether they were using GoDaddy, and if they were, encode the login URL using something like tinyurl.

    At the end of the phone call, he basically told me that we were SOL and while he would take it up with his superiors, I shouldn’t expect anything to change.

    A few weeks later I got a call- it was the same guy I’d spoken to from GoDaddy. He told me that they were going to whitelist our domain, but the overall ban would stay in effect. I guess I should be grateful?

    Today we got an email from one of our users- he was getting the same message. Surprise surprise, he’s running a webapp off of MediaTemple’s virtualized web server platform- and linking to it in his emails. He assumed it was our fault. It isn’t, but we can’t solve the problem- I gave him GoDaddy’s contact information, hopefully he can whine at them enough to get whitelisted. Then we just have to get everyone else using a virtualized server for web hosting whitelisted.

    At best GoDaddy’s strategy here is dishonest to their customers, who doubtlessly expect to be receiving their email. At worst, it’s anti-competitive- GoDaddy is a webhost. Imagine if AT&T Wireless dropped your call if you mentioned the name of a friend who used T-Mobile. That’s not an exaggeration, that is a direct analogy. There would be rioting in the streets and lawsuits abound.

    I’m not sure if I’m quite paranoid enough to believe that there are sinister methods at play here- I subscribe to Hanlon’s Razor:

    Never attribute to malice that which can be adequately explained by stupidity.

    But then again, the guy I spoke to at GoDaddy assured me that they knew exactly what they were doing and realized the implications. So ignorance isn’t really an excuse for them.

    Bottom line: if you’re using GoDaddy for email hosting, stop immediately. Switch to Google Apps, or basically any other email hosting.