Suspended + termination triggered due to hostname mismatch - industry standard?
Hi all,
Looking for feedback from the community on a situation we just experienced with a provider.
We’ve had a dedicated server with them for ~2 years and have been a customer since 2021 (spending several thousand EUR/month across services).
Server history:
- No abuse reports
- No spam history
- No incidents
Today, the server was:
- Suspended
- Marked for cancellation/termination
- No prior notice given
Reason provided:
Spamhaus CSS listing
After investigating, the root cause was:
A temporary DNS inconsistency involving:
- HELO hostname
- PTR (rDNS)
- Forward-confirmed reverse DNS (FCrDNS)
At the time:
- Hostname did not resolve properly (domain issue)
- PTR pointed to that hostname
- Result → FCrDNS mismatch
- IP listed on Spamhaus CSS (Apr 27)
Spamhaus reason:
HELO/EHLO & DNS checks (hostname / rDNS mismatch)
Important context:
- The server does NOT send direct outbound email
- Outbound mail is relayed via MailBaby (relay.mailbaby.net)
- No spam activity occurred at any time
Current status (fully verified):
✔ Hostname: resolving correctly
✔ A record: resolves to IP
✔ PTR: matches hostname
✔ FCrDNS: valid
✔ SMTP banner: correct
✔ Exim config: correct
✔ Outbound mail: relayed (no direct sending)
✔ Spamhaus: NOT LISTED anymore
Provider stance:
They referenced their AUP clause:
“Any activity that may lead to IP blacklisting”
They classified this as a violation and:
- Suspended immediately
- Initiated termination
- Refused escalation multiple times
- Stated reactivation was “not negotiable” (later reactivated as an “exception”)
No logs, abuse reports, or spam evidence were ever provided.
Example replies:
"You violated the rules of using our services, the server remains suspended, reactivation is not negotiable."
"If any of our Terms of Service are violated, the service is suspended without prior notice and without the possibility of reactivation… Please do not waste time opening tickets…"
Key questions for the community:
- Is a temporary DNS / FCrDNS mismatch typically treated as an abuse violation?
- Is immediate suspension + termination (no warning) standard for this scenario?
- Do most providers differentiate between:
  - Misconfiguration
  - Actual abuse (spam, malware, etc.)
- How would your provider normally handle this?
From our understanding:
Spamhaus CSS can list:
- Misconfigured systems
- Not only confirmed spam sources
So a listing alone ≠ confirmed abuse.
We’re not disputing that DNS should be correct, it is now fully fixed.
The concern is the handling:
- No warning
- No remediation window
- Immediate enforcement as “violation”
- Refusal to escalate to management or abuse team
Would appreciate insight from providers and sysadmins here.
Is this normal handling, or an overreaction?
Thanks
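The HELO / PTR / FCrDNS chain described in the post above can be checked mechanically. The following is an added example, not part of the original post: the function names, the `192.0.2.10` address and `mail.example.net` are constructed for illustration, and the default lookups assume the system resolver.

```python
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver; [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(host):
    """A/AAAA addresses for host via the system resolver; [] on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def check_mail_identity(ip, helo, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return a list of findings; an empty list means HELO, PTR and A agree."""
    norm = lambda h: h.rstrip(".").lower()
    helo, findings = norm(helo), []
    ptrs = [norm(p) for p in ptr_lookup(ip)]
    if not ptrs:
        findings.append("no PTR record for IP")
    elif not any(ip in addr_lookup(p) for p in ptrs):
        findings.append("FCrDNS failure: no PTR name resolves back to the IP")
    helo_addrs = addr_lookup(helo)
    if not helo_addrs:
        findings.append("HELO hostname does not resolve")
    elif ip not in helo_addrs:
        findings.append("HELO hostname resolves to a different address")
    if ptrs and helo not in ptrs:
        findings.append("HELO hostname differs from PTR")
    return findings

# Constructed sample data: documentation address and name, not from the thread.
IP, HOST = "192.0.2.10", "mail.example.net"
PTR = {IP: [HOST + "."]}
HEALTHY_A = {HOST: [IP]}   # hostname resolves back to the IP
EXPIRED_A = {}             # domain expired: forward lookup returns nothing

def run_sample(forward):
    """Run the check against the constructed zone data instead of live DNS."""
    return check_mail_identity(IP, HOST, lambda ip: PTR.get(ip, []),
                               lambda h: forward.get(h, []))

if __name__ == "__main__":
    print("healthy:", run_sample(HEALTHY_A))
    print("expired:", run_sample(EXPIRED_A))
```

Calling `check_mail_identity` with a server's real IP and HELO name from a scheduled job reports the broken state as soon as the hostname's domain stops resolving.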

Comments
name and shame
What triggered SpamHaus listing if you did not send email?
It's possible that you have misconfiguration or malware, so that outbound proxy is bypassed.
Temporary DNS inconsistency shouldn't result in spam listing.
When not using an outbound proxy, the mailing software should verify DNS before making any outbound connection.
I fucking hate LLMs posts.
Fair point, let me clarify without overcomplicating it.
The domain tied to the server hostname expired on the 26th. During that period:
So the chain became:
IP → PTR → hostname
hostname → no longer resolves
That breaks basic DNS identity checks (FCrDNS).
Since the mail service (Exim) is reachable on port 25, external systems can connect, read the hostname, and verify it. When the hostname does not resolve, the server appears misconfigured or unreliable.
Spamhaus CSS does not require spam to trigger confirmed with them, it can flag:
Because Exim is still listening on port 25, external systems (including Spamhaus sensors) can:
Why would Spamhaus sensors be monitoring that particular IP/Range? I would assume it is related to the provider’s reputation.
So this was not:
Everything is now fixed and consistent.
However, the way this was handled is beyond what I can understand. Is having a temporary hostname mismatch on a server with a mail service installed now considered a violation of any policy or abuse standard?
We are not naming the provider or sharing specific identifiers here, as we prefer to avoid any potential repercussions given the way the situation was handled.
As for the use of an LLM, is it not more clear and structured than sending a poorly formatted wall of text? The message was still fully written by me. The only change was improving the structure and readability.
No money - no chicken.
Nobody Few people want to read 5000 words with bullet points to figure out what your problem is. A second essay full of bullet points won't have convinced anyone who already noped out. Just explain your issue in 3 or 4 brief sentences.
edit: no need to generate another list of bullets to explain it wasn't 5000 words, I know.
Okay, well I will simply reply with a few sentences.
I added the full redacted ticket interaction as well:
https://pastes.io/0fdaQ5Dr
But from what I understand, this is not something normal. If the provider/manager sees the post, I am fully open to a public or private apology since they are active here with "two" companies, along with an explanation of how this happened, how much should I be worried in future when a domain attached to my hostname expires?
I have no idea what your issue is from that wall of text, but I often find it interesting when I get a new VPS from somewhere that the provider doesn't remove the previous user's rDNS when the IP address is reused.
I only bother with rDNS on machines that are going to be used for mail or other outgoing connections, but the majority of my web boxes have rDNS set up for all manner of domains I have no involvement with.
TLDR:
Our server has IP 1.1.1.1 resolve to -> cloudflare.mybox.com -> PTR -> HELO
mybox.com expired on 26th, Spamhaus flagged on 28th
HELO hostname not resolving properly/PTR (rDNS) mismatch with hostname
(mybox.com is not really used, it was registered for the hostname, no websites, so I did not even notice)
Datacenter:
Suspend, Create Cancellation Request (Pending immediate termination), ignore request for supervisor/manager.
Unblocked machine after some back and forth. I renewed the domain, everything resolves again. They continue telling me next time any issue will result in direct termination, without them ever acknowledging any fault in their system. It's all me abusing their system for failing to renew a domain I don't even use.
That's still a huge wall of text that doesn't explain your problem.
But if your domain has expired, of course the IP sending mail claiming to be from that domain should be marked as sending spam.
There are few providers who are trigger happy with any kind of Spamhaus listings like it is some kind of God. A simple act of remotely browsing/opening a domain which is listed in some kinda sinkhole can attribute your IP as part of malware distribution and as soon as that happens you will start to get ToS violation mail. And as per the ticket interaction trail, you should basically move out of the clutches of this provider and transfer the service elsewhere and also name them here so that we are also aware who those trigger happy providers are who don't even listen to valid reasons.
I couldn't find with a quick ctrl-f whether you were sending mail or not, simple yes/no?
edit: how does spamhaus know dns/ptr don't match if it doesn't send mail?
edit2: lol see all the bullets in your support tickets? remember what i said upthread?
I can't help feeling some people here need a little chill time. They complain when a post is clearly laid out, because it was AI assisted, and they complain when posts aren't detailed enough.
If you don't have the attention span to read the whole post before asking questions that are already clearly answered, why not just go and play with your goldfish instead?
Yes, email via mail.baby relay Nootropics website on WooCommerce.
as for your edit:
Spamhaus is probably monitoring that datacenter’s IP ranges more closely because they advertise “free DMCA” services everywhere, which likely attracts a higher volume of abuse and reputation issues.
I haven't done it here, at least not yet, but in forums where I need help I will usually give a ton of details but I will also include a TLDR. In my experience, the average person prefers reading the TLDR and if they know anything about it/willing to help, then they will look over the details.
P.S. If someone makes a wall of text using AI to assist them, surely they can use AI to assist them creating a TLDR
Yes, but...
The clue is in the acronym. If it is too long to read, and therefore fully comprehend for someone, then their reply also won't be worth reading.
TLDR is so you can see if you're interested. If you are, you'll read the whole thing. If not, you move on. Except that's not what the truly addicted do in here. They reply to everything, whether they've read it or not.
Anyway, FWIW I don't think spamhaus do any active probing of machines (i.e. connect to your machine, and then error because HELO and rDNS/DNS don't match)
It's most likely that you send an e-mail out from that machine, using the domain that had expired, the recipient (possibly also receiving it late if it'd been delayed for any reason) then saw that rDNS and DNS didn't match, and then had automatic reporting to spamhaus set up.
And reading the OP again now I understand the context, yes it seems like the provider is heavy handed considering it was a mistake, and rectified, but also seems a bit weird that they're that concerned that they won't listen to what you're saying. But, maybe that's a good reason to just accept it and move on.
Idk what's with the secrecy of the provider. They even give you red flag to get the fak out from there, and it's probably best to look for alternative. It's just not worth imho
The only reason we are being careful here is because we still have a few thousand euros worth of ongoing services with them. If they react badly, we would be facing a massive migration and a significant amount of operational work to move everything away safely. We need to plan ahead, make sure everything is backed up. It's 10+ dedicated machines and 3,xxx$/m
They do advertise here. Once everything is safely moved away, I will share the name of the datacenter.
If a customer sent me paragraph long AI generated replies I’d ban them too.
Glad you’re not a provider then.
I’m 42 years old, and I stay far away from summer hosts and Discord kids anyway. That said, I respect your dislike for AI, but the next 10/20 years are going to be very difficult for you.
I do not hate what is new. I only fear when men stop dreaming. AI is not here to replace the human soul, but to amplify it.
I don’t hate AI. I use AI every day.
I hate people that make their message 10x longer with AI for some reason. So annoying. If they didn’t put the time in to write it themselves, why would I waste my time reading it?
I did write it myself then used "Reformat for WHMCS markdown" since I pay them 2/3000$+ month I do expect them to read yes.
Asking ChatGPT to rewrite your own text is not writing it yourself. Nobody wastes their time writing that much, and especially not in that writing style.
Hey
It was in their mind and chatgpt was able to grab that and just put into typed words
so, maybe the reason is money, you ordered these dedi a few years ago, price going up to hell these days, they just do not want you to keep the old deal anymore.
try to resolve the issue from another point of view
sorry if this post makes someone unhappy
Your limited post history - if still in same lines - DMCA ignore could be another angle that provider wants to offload you/ this story may be missing some pieces.
Time to find a new provider and make peace with this.
whoa i was just parsing the math in the topic, it makes NO SENSE.
Extremely weird for a provider to terminate for this -- but I'm guessing plumberg is on to something... payment up front via BTC on a sketchy 'bulletproof' host and now they're doing a rugpull or just decided the heat is too much.
The datacenter or the provider itself?
You should name, or at least offer to warn others in PM so they don't get screwed by this host too.