Never-Ceasing "Undelivered Mail Returned to Sender" E-mails Result from Invalid E-mail Submissions

Hi everyone! I’m not a new admin of phplist, but I admit I haven’t given it much attention over the years while helping to manage our small organization. I have a problem which hopefully a few of you could help me with. I have sadly not found any matching issues via basic search engine searches.

Okay, so basically, here is what is going on with this problem:

When a subscriber visits our subscription URL for phplist (accessible on our main web page), they get added to our main mailing list. They also get a confirmation e-mail in return. If the person on the other end clicks on that confirmation e-mail, they get labeled “confirmed” as a subscriber. If they do not, then they remain “unconfirmed” but are still a member of the mailing list.

If an invalid e-mail is submitted to the subscription URL, then the person is added to the list and the confirmation e-mail is sent out. The e-mail bounces, though, from whatever remote server the e-mail address was claimed to be coming from. This e-mail gets forwarded to our webmaster e-mail, and the webmaster sees it. As far as I can tell, this is proper behavior.

Somehow, some bots or some people are continually trying to subscribe the same invalid e-mail addresses over and over again, hour after hour, day after day. Hence, these “Undelivered Mail Returned to Sender” bounced e-mail messages keep coming to our webmaster e-mail.

I would think that this should be easily fixed by finding the corresponding subscription entries for each of these invalid e-mail addresses in phplist and then either 1.) blacklisting them, 2.) marking them as “confirmed” manually (so that future confirmation e-mails are no longer necessary, 3.) disabling the account, or 4.) removing the subscriber. However, I have tried all of these options multiple times, often in combination with one another, and none of them seem to work. The bounced confirmation e-mails entitled, “Undelivered Mail Returned to Sender” keep coming. Interestingly, phplist will change a disabled account back to enabled or even re-create a subscriber that has been manually removed by myself if a fresh subscription is requested again later.

My guess is that phplist ignores all of the settings or actions listed above if a person or bot submits a fresh request to be added to the mailing list through the subscription link, which is not the behavior I would expect. I would expect that I should be able to mark subscriptions as permanently “do not engage” through some method. In particular, I know that the blacklist option only appears to prevent campaign messages from being sent to a particular subscriber, but doesn’t affect other things.

I have no idea what to try next.

I apologize if this is a common problem and I just don’t know about it, or if there is a known solution. I just wasn’t able to find anything in the manual or web searches. I’m using phplist 3.6.7 on Hostgator, and the website is on Wordpress 5.9.2.

Thanks!

@LoftyGuy Just to be clear, you are referring to the bounce mail itself? That usually goes to a dedicated address such as bounces@yourdomain.com. Is phplist configured for bounce handling?

You can look at using a captcha to try to prevent automated sign-ups. There are plugins for Captcha, Recaptcha and Recaptcha v3, and hcaptcha, see plugins:start [phpList Resources]

There is also a plugin to block “disposable” email addresses. If the problematic sign-ups are from distinct domains then you can add that domain to the list within the plugin code.

Hi duncanc,

Thank you very much for your reply. When I go to Manage Bounces → View Bounces, there are always zero bounces listed. I don’t think I’ve ever seen a single one. Hence, I guess this could mean that bounce handling is not configured, or that bounces are not getting back to phplist at all. I’m not sure which. The “Undelivered” e-mails are all getting back to our webmaster e-mail, though.

Recaptcha v3 is installed on our website.

The problematic e-mail sources all appear from specific e-mail addresses at specific domains. I’d hate to ban the entire domain because some of them are large ones like hotmail or verizon. But again, I suspect these e-mail submissions are just all invalid and that the other remote domains can’t handle them for whatever reason and then bounce them back to the webmaster e-mail. So it wouldn’t be the domains’ fault.

Below is an example of the e-mails I receive. They all look just like this, although the reason for bounce can be different. I replaced the remotely-bounced e-mail address with BAD E-MAIL and made our other references generic.

=====

Mail Delivery System 1:10 AM (8 hours ago)

to webmaster

This is the mail system at host [gateway31 DOT websitewelcome DOT com](LINK TO gateway31 DOT websitewelcome DOT com).

I’m sorry to have to inform you that your message could not
be delivered to one or more recipients. It’s attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[BAD E-MAIL](mailto:BAD E-MAIL)>: delivery temporarily suspended: lost connection with
[hotmail-com DOT olc DOT protection DOT outlook DOT com](LINK TO hotmail-com DOT olc DOT protection DOT outlook DOT com)[104.47.14.33] while sending RCPT TO

---------- Forwarded message ----------
From: OUR MAILING LIST <[noreply@OUR DOMAIN](mailto:noreply@OUR DOMAIN)>
To: [BAD E-MAIL](mailto:BAD E-MAIL)
Cc:
Bcc:
Date: Sun, 3 Apr 2022 22:48:20 -0500
Subject: Request for confirmation

Almost welcome to our newsletter(s) …

Someone, hopefully you, has subscribed your email address to the following newsletters:

  • OUR MAILING LIST

If this is correct, please click the following link to confirm your subscription.
Without this confirmation, you will not receive any newsletters.

LINK TO OUR DOMAIN/phplist/?p=confirm&uid=c79ac516d5cc5c15eb7ea937c1f68358

If this is not correct, you do not need to do anything, simply delete this message.

Thank you

Hi duncanc,

I stand corrected: Although Recaptcha v3 was set up on our site for Contact Forms 7 and other things, it had not yet been set up for phplist. I downloaded the Recaptcha v3 plugin for phplist and installed it, then configured it. Now I’m no longer getting any of the invalid e-mails.

Thanks for your suggestion!