I would like to apologize for the recent outage with our email delivery system. We realize email marketing, transaction emails, and email sending and receiving are important to our customer’s business. We take very seriously providing a consistent and reliable email delivery platform.
Bottlenose uses Amazon Web Services (AWS) Simple Email Service (SES) for upstream email delivery. At 11:53 AM EST on November 14 we received a notice via email from AWS about an immediate ban on Bottlenose's access to SES. This ban had an immediate impact on all email services including email campaign delivery and testing, transactional emails, and email sending and receiving. In over five years of using this service, we had never received such a ban.
We worked with AWS support engineers to identify the reason for the ban which was a dramatic increase in spam coming from Bottlenose's email system as determined by AWS's spam filtering system. AWS identified six user accounts with Bottlenose as the source of the increased spam. Our internal investigation revealed these accounts had likely been hacked and were being used to send spam unbeknownst to the customers with these accounts. We changed the passwords for these accounts and applied to the SES team to have the ban lifted.
We placed an alternative outbound SMTP transport in place to handle outbound email until SES could be restored. Unfortunately, this transport was not as reliable as SES and many upstream recipients such as @comcast.net, and yahoo.com blocked email from this transport. While some emails were being sent though others were not.
After further phone calls to the AWS premium support team, the ban was lifted around 10 AM on November 15. We cleaned our email delivery queue of any suspicious emails in order to not be banned again and restored the outbound AWS SES transport. At this point, we began to see our email related services return to normal.
We have made some changes to our monitoring system which will help us avoid a situation like this in the future. We recognized a pattern in our server logs which is a good indicator of this type of compromise. We have installed a monitor and alert to let our technical staff know when an email account has been compromised using this pattern. We believe we will be able to stop this type of abuse before it gets to the point of getting us banned from SES.
Sincerely,
William Carr
President
Bottlenose