Everything You Need to Know About Cloudmark

One of the biggest challenges in delivering email messages on behalf of our customer base is that we have no control over, and no pre-send insight into, the content of the messages we process. We work diligently to provide an optimized email delivery network, but in the end the message content is one of the most significant factors in inbox placement results. Cloudmark is among the largest providers of content reputation analysis so it is important to understand how they can affect your email deliverability.

What is so different about Cloudmark?

In today’s world, trying to detect spam solely based on keywords and/or utilizing a blacklist is no longer enough to maintain a spam-free inbox. This cat-and-mouse game escalated to a whole new level when Vipul Ved Prakash wrote Vipul’s Razor, the software that led to the formation of Cloudmark. His game-changing idea was to analyze user-contributed data about spam messages to identify malicious content patterns regardless of keywords and point of origin.

Spammers who were constantly changing their IP address could no longer avoid detection. Tricks to avoid k3yw0rd filtering were also no longer effective. Vipul’s Razor takes the concept of email reputation and abstracts it away from IP addresses.

While Vipul’s Razor started as an open source project, it evolved into one of the world’s largest anti-spam solutions. The product, now known as Cloudmark Authority Engine, has gone on to further optimize the concept of crowd-sourced spam detection. They refer to the analysis process as “fingerprinting.” They identify patterns from messages they’ve caught in spam traps and messages that users have marked as spam in their email clients. They reduce messages to small anonymous chunks of data with custom algorithms to improve efficiency. Anything that is consistent across multiple messages (including the header, body, and attachments) may generate a fingerprint.

Cloudmark updates the known spam patterns as often as every 30 seconds. This allows for an ultra-fast response time to new spam threats! We’ve seen instances in large marketing campaigns where a fingerprint developed mid-send.  This resulted in messages sent later in the campaign being filtered to the spam folder at a higher rate, and some being outright rejected in the SMTP transmission process.

Who is using Cloudmark?

Cloudmark is one of the largest providers of anti-spam services. They protect billions (yes, with a ‘b’) of mailboxes around the world. Whether your messages are going to corporate domains, consumer addresses, or any combination thereof, your messages will likely be analyzed by Cloudmark technology.

Some of the largest users of Cloudmark are ISPs such as Comcast, Time Warner Cable / RoadRunner, Cox, CenturyLink/Embarq, EarthLink, Synacor, and Telus.

Cloudmark also protects mailboxes provided by domain registrars and hosted exchange server providers including GoDaddy and Rackspace. A large number of small businesses use packaged solutions from a registrar like GoDaddy that includes a private domain and associated mailboxes.

Email security appliances and services have also integrated support for Cloudmark’s filtering technologies. IronPort, now a Cisco product, includes the technology. McAfee’s product, MXLogic, is also listed as a partner on Cloudmark’s partners page.

Common Root Causes of Cloudmark Issues

The infected Exchange server

Far and away the most common cause of Cloudmark filtering issues we see here at SocketLabs is an Exchange server user becoming compromised. We have often seen new clients interested in using our services because their person-to-person mail was being diverted to the spam folder. What they didn’t realize is that a compromised account was spewing thousands of spam messages a day. This resulted in many user complaints and Cloudmark spam trap hits. While the SocketLabs platform can help detect this type of issue quickly, oftentimes the damage has already been done.

Blacklisted Exchange servers moving to use our platform as a smart-host will see immediately improved sending results, but SocketLabs cannot overcome message content matching Cloudmark fingerprints. There are many possible reasons that a fingerprint may match legitimate mail even after shutting down an infected account.

In one case, an organization configured their Exchange server to include a disclosure footer in all of their messages. This meant the malicious spam emails that went out of their server included their footer on every single email. This pattern was quickly discovered by Cloudmark, and all messages with that same footer were then filtered to the spam folder or rejected. This included legitimate messages between users that were not in any way malicious.

External Aggressive Marketing

Aggressive email marketing tactics are not tolerated by the SocketLabs Abuse Team, but for the organizations we support we may only be sending a small subset of their overall mail. Sending practices that carry on outside of the SocketLabs platform can impact messages we process. This also means that third-parties that send on behalf of your organization, like affiliate marketers, may be influencing the reputation of your content.

As an example, we had a top-50 US retailer experience issues with their receipts and transactional messages sent via SocketLabs. In an effort to maintain consistent branding, they used the same template and style in their transactional messages that were used in their marketing campaigns. The volume of advertisements sent greatly outnumbered receipts and alerts. Complaints or spam trap hits from marketing campaigns caused a fingerprint to develop.

In the end receipts were filtered to the junk folder by Cloudmark as a result of email marketing efforts unbeknownst to SocketLabs. Thus, it is important to understand the consequences of sending across the proverbial board.

Other Poor Practices

Any number of poor practices with address acquisition or content creation can also result in issues with Cloudmark. Since Cloudmark issues directly tie to complaints and spam trap hits, here are the most common root causes encountered by senders:

  • Poor address acquisition practices
    • Purchasing addresses
    • List rental
    • Email appending
  • Difficult opt-out process
  • Setting sending (frequency) expectations
  • No incentive for recipients to provide a valid address

How the SocketLabs On-Demand Platform Can Help

The SocketLabs On-Demand platform cannot prevent your email message content from being identified as a match to a Cloudmark fingerprint, although we do automatically help reduce the likelihood of those fingerprints being created in the first place. Many mail servers provide limited insight into what they are processing. The reports that are available in the SocketLabs Control Panel are more robust and will help you quickly and easily see possible patterns or issues with your stream of mail. Seeing, knowing, and understanding how your mail is performing gives you the advantage to protect your business against possible issues.

The sending IP address does have an effect on holistic Cloudmark filtering decisions, so while their reputation system is unique in analyzing content, they, like many other defense systems, take into account the source of a message. The high quality reputation of the meticulously maintained SocketLabs network can only help to give your messages the best shot at reaching the inbox.

One of the other biggest assets in helping protect against fingerprints is our Suppression List feature. Many of the sources of Cloudmark’s user-aggregated spam data, such as Comcast, also offer feedback loop programs. Every SocketLabs On-Demand server is automatically enrolled to receive these feedback loops, suppressing the delivery of any further messages to recipients who marked your email as spam. This reduces complaints and helps prevent Cloudmark fingerprints from developing on your content.

Cloudmark’s Blacklist

While the primary focus of Cloudmark is based on content analysis, it is important to note that they also operate a blacklist. When a particular source of messages is identified as consistently sending content with a poor reputation, Cloudmark will blacklist it. This means that any provider using Cloudmark technology will not even accept a connection from your IP address.

The SocketLabs On-Demand Platform intelligently identifies when you’ve been blacklisted, alerting our staff so we can immediately investigate the issue. Cloudmark blacklistings of SocketLabs IP addresses are extremely uncommon, and our abuse team will step in and correct issues before they reach the point of blacklistings.

Are Your Messages Matching Fingerprints?

The best way to test for a possible Cloudmark fingerprint issue is by using Cloudmark’s free desktop tool, Cloudmark Desktop One. It integrates with popular mail clients on both Windows and Mac based systems, so you can test quickly and easily with your own email address.

Message headers

Another way of identifying possible Cloudmark issues is by analyzing message headers from mail that has been processed through a mailbox protected by Cloudmark. In almost all cases, the Cloudmark analysis process results in at least one line being added to the header of an email message. These header names are subject to change and may vary widely per receiving domain. The content of the header value may also vary per provider and change over time. Here are a few examples:

Comcast: X-CAA-SPAM: { }

Rackspace: X-CMAE-Scan-Result: {0/100}

Time Warner/RoadRunner: X-Cloudmark-Score: {0/100}
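As an added example (not SocketLabs or Cloudmark code), the header check described above can be scripted against a saved raw message. The three header names come from the list above; the sample message, its header values, the `X-Example-CMAE-Verdict` header and the name-matching heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Header names listed on this page, mapped to the provider they were seen at.
KNOWN = {
    "x-caa-spam": "Comcast",
    "x-cmae-scan-result": "Rackspace",
    "x-cloudmark-score": "Time Warner/RoadRunner",
}
# Assumption: since names vary per receiving domain, also flag any header
# whose name contains "cloudmark" or "cmae".
HINT = re.compile(r"cloudmark|cmae", re.I)

def cloudmark_headers(raw_message):
    """Return (header name, provider, value) for each Cloudmark-looking header."""
    msg = message_from_string(raw_message, policy=default)  # unfolds long headers
    found = []
    for name, value in msg.items():
        key = name.lower()  # header names are case-insensitive
        if key in KNOWN:
            found.append((name, KNOWN[key], str(value).strip()))
        elif HINT.search(name):
            found.append((name, "unknown provider", str(value).strip()))
    return found

# Constructed sample message; real header values differ per provider.
SAMPLE = (
    "Received: from mx.example.net by mail.example.org; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "X-CMAE-Scan-Result: 0\n"
    "x-cloudmark-score: 0\n"
    "X-Example-CMAE-Verdict: clean\n"
    "Subject: Your receipt\n"
    "\n"
    "Thanks for your order.\n"
)

if __name__ == "__main__":
    for name, provider, value in cloudmark_headers(SAMPLE):
        print(f"{name} ({provider}): {value}")
```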

Sample Failed Error Codes and Bounces

If you are looking through your failed message report, it may be difficult to understand the different error codes and figure out what they all mean. One pattern to look for in regards to Cloudmark issues is “In response to the end of message mark (CRLF.CRLF).” This string is added to the end of failure codes by SocketLabs to indicate when an error occurs in the transmission process. Since Cloudmark content analysis cannot commence until the message body has been transmitted, the “end of message mark” is the only time that a rejection due to Cloudmark can occur.

Provided below are some sample values that you may find in the Reason column of your failed messages report prior to “In response…” additions. These responses are somewhat generic, and while we can tie them directly to Cloudmark failures, they could be caused by other unrelated issues in the message content.

554 5.7.1 Spam detected by Cloudmark content scanner. Message rejected.

554 Denied [*mxlogic.net] (Mode: normal)

554 rejected due to spam content

554 5.7.1 Message blocked due to spam content in the message 

554 5.7.1 [P4] Message blocked due to spam content in the message.

550 Rejected by content scanner (CMAE)

552 5.2.0 XXXXXXXXXXXXXXXXX message rejected, spam detected 

554 Email rejected due to security policies
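The triage described in this section can be automated over an exported failed-message report. The following is an added example, not SocketLabs tooling: the patterns are derived from the sample values above, while the sample Reason strings and the way the “In response…” marker is joined to them are constructed assumptions.

```python
import re
from collections import Counter

# Marker SocketLabs appends when the failure came after the body was sent.
END_OF_DATA = "In response to the end of message mark (CRLF.CRLF)"

# Wording taken from the sample Reason values listed on this page.
CONTENT_PATTERNS = [re.compile(p, re.I) for p in (
    r"cloudmark content scanner",
    r"content scanner \(CMAE\)",
    r"mxlogic\.net",
    r"spam content",
    r"spam detected",
    r"rejected due to security policies",
)]
# SMTP reply code, optionally followed by an enhanced status code (x.y.z).
REPLY = re.compile(r"^(?P<code>[245]\d\d)[ -](?:(?P<enh>[245]\.\d{1,3}\.\d{1,3}) )?")

def classify(reason):
    """Classify one Reason value from a failed-message report."""
    m = REPLY.match(reason.strip())
    after_data = END_OF_DATA.lower() in reason.lower()
    content_hit = any(p.search(reason) for p in CONTENT_PATTERNS)
    if content_hit and after_data:
        verdict = "likely-content-filter"   # rejected once the body was seen
    elif content_hit:
        verdict = "content-wording-only"    # wording matches, timing unknown
    else:
        verdict = "other"                   # e.g. bad address, full mailbox
    return {"code": m.group("code") if m else None,
            "enhanced": m.group("enh") if m else None,
            "after_data": after_data, "verdict": verdict}

def summarize(reasons):
    """Count verdicts across a whole report."""
    return Counter(classify(r)["verdict"] for r in reasons)

SAMPLE_REASONS = [  # constructed report rows
    "554 5.7.1 Spam detected by Cloudmark content scanner. Message rejected. " + END_OF_DATA,
    "550 Rejected by content scanner (CMAE) " + END_OF_DATA,
    "554 Denied [*mxlogic.net] (Mode: normal) " + END_OF_DATA,
    "554 rejected due to spam content",
    "550 5.1.1 User unknown",
    "452 4.2.2 Mailbox full " + END_OF_DATA,
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REASONS))
```

Because these responses are generic, a "likely-content-filter" verdict is a lead to confirm with the header check or a support analysis, not proof of a Cloudmark fingerprint.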

SocketLabs Testing

If you are still unsure if you are experiencing issues due to Cloudmark, SocketLabs can perform an analysis to determine whether your messages are being affected. To request an analysis open a support ticket or email [email protected].

How to Get Your Messages to Skip Over Cloudmark’s Filters

SocketLabs has partnered with Return Path to offer preferred eligibility to the world’s largest email whitelist. The Return Path Certification program allows you to skip the hassle of dealing with filters like Cloudmark and ensure your messages reach the 2.2 billion mailboxes covered by this whitelist. With providers like Yahoo Mail and Microsoft’s Outlook (formerly Hotmail) participating, the benefits are unrivaled. To find out more about the program, including whether you could be eligible for immediate result improvements, contact your account manager or our Support Department.

Removing a Cloudmark Fingerprint

No spam-filtering technology is immune to false positives, even platforms as sophisticated as Cloudmark. In most cases though, there is some underlying reason a fingerprint developed. It is critical that before any action for removal is taken, a full audit of email sending patterns, policies, and practices is performed. Should the root cause of the initial fingerprint be on-going, it will quickly redevelop even after a removal is granted by Cloudmark. They may also be less likely to process subsequent removals.

For more information about how to report an accuracy issue to Cloudmark, see their support website. Finally, the form to report false positives (and false negatives) can be found here. If you need help producing a sample file for submission, or if you have any further questions about Cloudmark or what may be affecting your SocketLabs On-Demand account, contact our Support Department.

If you are not currently a SocketLabs customer but are interested in how we can help get your messages delivered, sign-up now and try it for free today!