Error – Amazon SES Vulnerable Site Review
We're sending you this message because we believe that your account is being used to send emails that you didn't intend to send. Email providers and anti-spam organizations are likely to identify these messages as spam, which could have a negative impact on your reputation as a sender. This kind of issue is most often caused by a third party exploiting a feature or form on your website to send unwanted email. Features that are often abused in this way include "email to a friend," "contact us," "invite a friend," and similar features that allow a user to send email to any address they enter. You should review the bounce and complaint notifications for your account to help determine the cause of the exploitation. When you identify the source of the vulnerability, you should take several actions to prevent further abuse, including the following:
- Review your website and contact forms.
- Add a CAPTCHA to prevent automated scripts from abusing the feature.
- Limit the rate at which the feature can send email.
- Remove the ability to use the feature to send custom content.
- Require users to log in to send email using the feature.
Solution
To resolve this issue, you should perform a comprehensive security review of the features of your site that allow users to send messages to specific email addresses. Implement the changes listed in the earlier "DETAILS" section, as well as any other changes that are necessary to improve the security of the feature. If your account is currently under review, we'll continue to monitor your account for messages that don't appear to be sent from you. At the end of your review period, if you haven't fixed the vulnerability, we'll pause your account's ability to send email while you work on resolving the issue. If you make changes that you think will correct the issue, send us an email. In your message, tell us about the changes you made, and include the dates when the changes took effect. We'll extend the review period, and will only consider messages sent from your account after the changes took effect. If the issue appears to be resolved, we'll restore your account to good standing. If your account's ability to send email is currently paused, send us an email. In your message, tell us about the changes that you made to prevent this issue from happening again in the future. Also include the dates when these changes took effect.
Error – Amazon SES Complaint Review & Solution
Your current complaint rate is 0.51%. We measured this rate over the last 8,159 eligible emails* you sent. Our analysis covers the last 510.9 days.
We recommend that you maintain a complaint rate below 0.1%. If your complaint rate exceeds 0.5%, we might pause your ability to send additional email.
The complaint rate is based on the number of spam reports that SES receives from email providers. Not all email providers send these reports to SES. Your complaint rate only includes the number of complaints reported by email providers that send this information to SES.
Email providers interpret a high complaint rate as a sign that your recipients don’t want to receive the email that you’re sending to them. Many email providers block your email if your complaint rate is too high. To protect your reputation as a sender, we monitor this metric closely and take action if the rate gets too high.
For more information about what to do if your account is under review or your account’s ability to send email is paused, see our Enforcement FAQ at https://docs.aws.amazon.com/ses/latest/dg/faqs-enforcement.html . You can also use the Enforcement Dashboard to monitor the bounce and complaint rates for your account. For more information, see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sender-reputation.html .
If you’re testing your system’s ability to process bounce or complaint events, you should use the Amazon SES mailbox simulator. You can send email to the mailbox simulator without impacting the reputation metrics for your account. For more information, see https://docs.aws.amazon.com/ses/latest/dg/send-an-email-from-console.html .
First, you should have a system in place for monitoring bounces and complaints. When you receive a bounce notification, you should immediately stop sending email to the address that resulted in the bounce or complaint, and ensure that you don’t attempt to contact that address again in the future. We recommend you manage your reputation by using the following SES features:
- Enable account-level suppression list to prevent repeat bounces and complaints from email addresses that have exhibited a history of bounces and complaints for your account. See https://docs.aws.amazon.com/ses/latest/dg/sending-email-suppression-list.html
- Enable Virtual Deliverability Manager for insights into your email sending success metrics, with drill-downs available for your email sending identities, configuration sets, and recipient ISPs. These insights can help you with subsequent remediation steps. See https://docs.aws.amazon.com/ses/latest/dg/vdm.html
- Note that using the Virtual Deliverability Manager will result in additional charges to your account, as per https://aws.amazon.com/ses/pricing/
While we strongly recommend implementing the above SES reputation management features, you can, however, manage bounces and complaints on your own. If you do, we recommend that you start by reviewing our best practices https://docs.aws.amazon.com/ses/latest/dg/best-practices.html and choose between event publishing https://docs.aws.amazon.com/ses/latest/dg/monitor-using-event-publishing.html (recommended) and email identity notifications https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity-using-notifications.html for ingesting and processing email sending events.
Second, use the information that you collected to analyze your email-sending practices and determine what caused the complaints. For example, did you collect the addresses that you’re contacting by using a web form that could have been exploited? Did you use a double opt-in strategy to confirm customers’ email addresses? Are you sending email to customers who haven’t engaged with your content in a long time? Do your emails include an unsubscribe link that works and is easy to find? Are you sending email from a domain that customers might not associate with your brand? Identifying the causes of these complaints can help you determine which changes to implement. You can reply to this message to request a small sample of recent messages that resulted in complaints.
Third, make changes to your sending processes or procedures based on your analysis of the issue. Implement these changes fully before you proceed to the next step.
Finally, contact us with answers to the following questions:
- What caused your high complaint rate?
- What changes have you made in your email-sending systems or processes?
- How do these changes ensure that the issue won’t occur again in the future?
We’ll evaluate your responses to these questions. If we agree that your changes address this issue, we’ll reset the metrics for your account, and end your review period or restore your account’s ability to send email.
Error – Amazon SES Bounce Review and Solution
Your current bounce rate is 10.16%. We measured this rate over the last 10,001 eligible emails* you sent. Our analysis covers the last 39.6 days.
We recommend that you maintain a bounce rate below 5%. If your bounce rate exceeds 10%, we might pause your ability to send additional email.
The bounce rate is based on the number of hard bounces that occur as a result of the emails you send. A hard bounce occurs when an email address doesn’t exist.
Email providers interpret a high bounce rate as a sign that you’re not actively managing your customer database, or that you’re sending unsolicited email. Email providers might block your email if your bounce rate is too high. To protect your reputation as a sender, we monitor this metric closely and take action if the rate gets too high.
For more information about what to do if your account is under review or your account’s ability to send email is paused, see our Enforcement FAQ at https://docs.aws.amazon.com/ses/latest/dg/faqs-enforcement.html . You can also use the Enforcement Dashboard to monitor the bounce and complaint rates for your account. For more information, see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sender-reputation.html .
If you’re testing your system’s ability to process bounce or complaint events, you should use the Amazon SES mailbox simulator. You can send email to the mailbox simulator without impacting the reputation metrics for your account. For more information, see https://docs.aws.amazon.com/ses/latest/dg/send-an-email-from-console.html .
First, you should have a system in place for monitoring bounces and complaints. When you receive a bounce notification, you should immediately stop sending email to the address that resulted in the bounce or complaint, and ensure that you don’t attempt to contact that address again in the future. We recommend you manage your reputation by using the following SES features:
- Enable account-level suppression list to prevent repeat bounces and complaints from email addresses that have exhibited a history of bounces and complaints for your account. See https://docs.aws.amazon.com/ses/latest/dg/sending-email-suppression-list.html
- Enable Virtual Deliverability Manager for insights into your email sending success metrics, with drill-downs available for your email sending identities, configuration sets, and recipient ISPs. These insights can help you with subsequent remediation steps. See https://docs.aws.amazon.com/ses/latest/dg/vdm.html
- Note that using the Virtual Deliverability Manager will result in additional charges to your account, as per https://aws.amazon.com/ses/pricing/
While we strongly recommend implementing the above SES reputation management features, you can, however, manage bounces and complaints on your own. If you do, we recommend that you start by reviewing our best practices https://docs.aws.amazon.com/ses/latest/dg/best-practices.html and choose between event publishing https://docs.aws.amazon.com/ses/latest/dg/monitor-using-event-publishing.html (recommended) and email identity notifications https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity-using-notifications.html for ingesting and processing email sending events.
Second, use the bounce information that you collect to analyze your email-sending practices and determine what caused the bounces. For example, how did you collect the email addresses that you’re contacting? Did you collect the addresses by using a web form that could be exploited? Are you sending test emails to fictitious addresses? Identifying the causes of these bounces can help you determine which changes to implement. You can reply to this message to request a small sample of recent messages that resulted in bounces.
Third, make changes to your sending processes or procedures based on your analysis of the issue. Implement these changes fully before you proceed to the next step.
Finally, contact us with answers to the following questions:
- What caused your high bounce rate?
- What changes have you made in your email-sending systems or processes?
- How do these changes ensure that the issue won’t occur again in the future?
We’ll evaluate your responses to these questions. If we agree that your changes address this issue, we’ll reset the metrics for your account, and end your review period or restore your account’s ability to send email.
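As an added example of the monitoring step described above (this is not code from AWS or from the original post): a small processor for the bounce and complaint JSON that SES delivers through event publishing ("eventType") or identity notifications ("notificationType"). It folds hard bounces and every complaint into a local suppression list that gates each outbound send, while leaving transient bounces alone because those addresses exist. The sample events are constructed; the BOUNCE and COMPLAINT reason strings mirror the reasons used by the SES account-level suppression list, so the result could also be pushed there.

```python
"""Turn SES bounce/complaint events into a suppression list that gates sending."""
import json

# Constructed sample events (not real SES traffic) in the two JSON shapes SES uses:
# event publishing ("eventType") and identity notifications ("notificationType").
SAMPLE_EVENTS = [
    json.dumps({"eventType": "Bounce",
                "bounce": {"bounceType": "Permanent", "bounceSubType": "General",
                           "bouncedRecipients": [{"emailAddress": "nobody@example.invalid"}]},
                "mail": {"messageId": "msg-1"}}),
    json.dumps({"eventType": "Bounce",
                "bounce": {"bounceType": "Transient", "bounceSubType": "MailboxFull",
                           "bouncedRecipients": [{"emailAddress": "full@example.invalid"}]},
                "mail": {"messageId": "msg-2"}}),
    json.dumps({"notificationType": "Complaint",
                "complaint": {"complaintFeedbackType": "abuse",
                              "complainedRecipients": [{"emailAddress": "annoyed@example.invalid"}]},
                "mail": {"messageId": "msg-3"}}),
    json.dumps({"eventType": "Delivery", "mail": {"messageId": "msg-4"}}),
]


def suppressions_from_event(raw: str) -> list[tuple[str, str]]:
    """Return (address, reason) pairs from one event that must never be mailed again.

    Permanent (hard) bounces and all complaints are suppressed. Transient bounces
    (mailbox full, greylisting) are not: the address exists, so retrying is legitimate.
    """
    event = json.loads(raw)
    kind = event.get("eventType") or event.get("notificationType")
    if kind == "Bounce" and event["bounce"].get("bounceType") == "Permanent":
        return [(r["emailAddress"].lower(), "BOUNCE")
                for r in event["bounce"]["bouncedRecipients"]]
    if kind == "Complaint":
        return [(r["emailAddress"].lower(), "COMPLAINT")
                for r in event["complaint"]["complainedRecipients"]]
    return []


def build_suppression_list(raw_events) -> dict[str, str]:
    """Fold a stream of raw events into {address: reason}; a complaint outranks a bounce."""
    suppressed: dict[str, str] = {}
    for raw in raw_events:
        for addr, reason in suppressions_from_event(raw):
            if suppressed.get(addr) != "COMPLAINT":
                suppressed[addr] = reason
    return suppressed


def may_send(addr: str, suppressed: dict[str, str]) -> bool:
    """Check every recipient against the list before the send call to SES."""
    return addr.lower() not in suppressed
```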
Solution
Based on a review, we have determined that the sending issue is due to a vulnerability on your account. Specifically, messages are being sent using your domain (XXXXXX[.]com) which we believe you do not intend to be sending. It appears that someone is using your domain as a way to distribute mail that is likely to be identified as spam by mailbox providers and recipients.
In these situations, a third party is typically abusing a feature on the sender’s website or application to send unwanted communications. Features that are often abused in this way include “email to a friend”, “contact us”, “invite my friends”, or similar features where a user of a site or application can generate mail to arbitrary email addresses they enter.
Common methods to reduce abuse in these types of features include adding CAPTCHAs, rate limiting, disallowing customized user content, requiring a user to be signed in to use the feature, and prohibiting use of the feature to generate multiple simultaneous notifications.
Once you have addressed the root cause, please tell us:
A) What you determined was the root cause of the vulnerability,
B) What changes you have made in your systems or processes, and
C) An explanation of how those changes will prevent the issue from continuing in the future.
After you fix the problem, please respond to this case and we will evaluate the changes you have described. If we believe there is a significant chance the issue will be resolved by the changes, we will be happy to consider reinstating your account. A sample of the problematic mail has been attached.
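An added example (hypothetical application code, not from AWS or the original post) of an "email a friend" handler that applies the mitigations listed above and in the first notification: login required, one recipient per request, a per-user rate limit, a site-controlled page catalogue instead of user-supplied links, and no free-text field at all. CAPTCHA verification belongs to the browser step in front of this handler and is not shown; the clock is injectable so the rate limit can be exercised.

```python
"""Hardened 'email a friend' handler (hypothetical application code, not SES's own)."""
import re
import time
from collections import defaultdict, deque

ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # one plain address, no CR/LF
MAX_PER_USER_PER_HOUR = 5                                 # rate limit per signed-in user
WINDOW_SECONDS = 3600
# Fixed template: the only variable parts come from the server-side page catalogue.
TEMPLATE = 'A member shared the page "{title}" with you: {url}'


class ShareHandler:
    def __init__(self, pages, now=time.time):
        self.pages = dict(pages)           # url -> title, controlled by the site
        self.now = now                     # injectable clock for testing
        self.sent = defaultdict(deque)     # user id -> timestamps of recent sends

    def _over_rate(self, user_id) -> bool:
        window = self.sent[user_id]
        cutoff = self.now() - WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) >= MAX_PER_USER_PER_HOUR:
            return True
        window.append(self.now())
        return False

    def share(self, user, recipients, url) -> dict:
        """Validate a share request; return the message to hand to SES, or a rejection.

        The rejection reason is what you log and alert on: a burst of rejections
        from one account is the early signal that the feature is being abused.
        """
        if user is None:                                  # login required
            return {"ok": False, "reason": "login required"}
        if len(recipients) != 1:                          # no fan-out per request
            return {"ok": False, "reason": "one recipient per request"}
        to = recipients[0].strip()
        if not ADDRESS_RE.match(to):
            return {"ok": False, "reason": "bad address"}
        if url not in self.pages:                         # no attacker-supplied links
            return {"ok": False, "reason": "unknown page"}
        if self._over_rate(user["id"]):
            return {"ok": False, "reason": "rate limit"}
        # No free-text field exists, so the body cannot carry customized content.
        return {"ok": True, "to": to,
                "body": TEMPLATE.format(title=self.pages[url], url=url)}
```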
Reference
- https://docs.aws.amazon.com/ses/latest/dg/faqs-enforcement.html
- https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sender-reputation.html
- https://docs.aws.amazon.com/ses/latest/dg/send-an-email-from-console.html
AWS SES Errors and Solution - September 2, 2024