fix: improved logic for automated SMTP approval (parallel requests, expanded admin email with more detail, added more parking IP's, added more ns providers, added 0.0.0.0 to REGEX_LOCALHOST check, fixed, added more accurate user-agent to HTTP requests, updated snapshots)

Author: titanism

app/controllers/web/my-account/verify-smtp.js

@@ -151,9 +151,9 @@ async function verifySMTP(ctx) {
       );
 
       if (
-        (ctx.state.user.has_passed_kyc && !hasSomeSuspendedDomains) ||
-        hasLegitimateHosting ||
-        hasExistingApprovedDomains
+        ctx.state.user.has_passed_kyc ||
+        (hasLegitimateHosting && !hasSomeSuspendedDomains) ||
+        (hasExistingApprovedDomains && !hasSomeSuspendedDomains)
       ) {
         domain.has_smtp = true;
         if (!ctx.api)
@@ -198,7 +198,24 @@ async function verifySMTP(ctx) {
               subject
             },
             locals: {
-              message: `<a href="${config.urls.web}/admin/domains?name=${domain.name}" class="btn btn-dark btn-md">Review Domain</a>`,
+              message: `
+              <ul>
+                <li><strong>Legitimate Hosting</strong> ${hasLegitimateHosting.toString()}</li>
+                <li><strong>Suspended Domains</strong> ${hasSomeSuspendedDomains.toString()}</li>
+                <li><strong>Approved Domains</strong> ${hasExistingApprovedDomains.toString()}</li>
+                <li>
+                  <strong>NS Provider(s):</strong>
+                  ${
+                    ns && ns.length > 0
+                      ? `<ul><li>${ns.join('</li><li>')}</li></ul>`
+                      : ''
+                  }
+                </li>
+              </ul>
+              <a href="${config.urls.web}/admin/domains?name=${
+                domain.name
+              }" class="btn btn-dark btn-md">Review Domain</a>
+              `.trim(),
               locale
             }
           })

app/models/domains.js

@@ -1363,6 +1363,9 @@ async function verifySMTP(domain, resolver, purgeCache = true) {
   let returnPath = false;
   let dmarc = false;
   let hasLegitimateHosting = false;
+  let reputableDNS = false;
+  let legitimateA = false;
+  let httpResponds = false;
 
   //
   // attempt to purge Cloudflare cache programmatically
@@ -1434,54 +1437,36 @@ async function verifySMTP(domain, resolver, purgeCache = true) {
       const results = await getNSRecords(domain, resolver);
       ns = results.ns;
       errors.push(...results.errors);
+      //
+      // check NS records for reputable DNS providers
+      //
+      if (Array.isArray(ns) && ns.length > 0)
+        reputableDNS = hasReputableDNS(ns, domain.name);
     })(),
 
     //
-    // check domain reputation for auto-approval
+    // check A records for legitimate hosting (not parking pages)
     //
     (async function () {
       try {
-        //
-        // check NS records for reputable DNS providers
-        //
-        let reputableDNS = false;
-        if (Array.isArray(ns) && ns.length > 0) {
-          reputableDNS = hasReputableDNS(ns, domain.name);
-        }
-
-        //
-        // check A records for legitimate hosting (not parking pages)
-        //
-        let legitimateA = false;
-        try {
-          const aRecords = await resolver.resolve4(domain.name, {
-            purgeCache: true
-          });
-          if (Array.isArray(aRecords) && aRecords.length > 0) {
-            legitimateA = hasLegitimateHosting(aRecords);
-          }
-        } catch (err) {
-          logger.debug(err);
-        }
-
-        //
-        // check HTTP response (basic availability check)
-        //
-        let httpResponds = false;
-        if (legitimateA) {
-          try {
-            httpResponds = await respondsToHTTP(domain.name);
-          } catch (err) {
-            logger.debug(err);
-          }
-        }
+        const aRecords = await resolver.resolve4(domain.name, {
+          purgeCache: true
+        });
+        if (Array.isArray(aRecords) && aRecords.length > 0)
+          legitimateA = hasLegitimateHosting(aRecords);
+      } catch (err) {
+        logger.debug(err);
+      }
+    })(),
 
-        // domain has legitimate hosting if it has reputable DNS AND legitimate A records AND HTTP response
-        hasLegitimateHosting = reputableDNS && legitimateA && httpResponds;
+    //
+    // check HTTP response (basic availability check)
+    //
+    (async function () {
+      try {
+        httpResponds = await respondsToHTTP(domain.name);
       } catch (err) {
         logger.debug(err);
-        // reputation check is not required for SMTP, so we don't add to errors
-        // this is just for auto-approval logic
       }
     })(),
 
@@ -1605,6 +1590,9 @@ async function verifySMTP(domain, resolver, purgeCache = true) {
     })()
   ]);
 
+  // domain has legitimate hosting if it has reputable DNS AND legitimate A records AND HTTP response
+  hasLegitimateHosting = reputableDNS && legitimateA && httpResponds;
+
   if (!dkim) {
     errors.push(
       Boom.badRequest(

config/smtp-reputation.js

@@ -37,60 +37,111 @@ const REPUTABLE_DNS_PROVIDER_SLUGS = new Set([
 
 // Known parking/default IPs that indicate non-legitimate hosting
 const PARKING_IPS = new Set([
-  // GoDaddy parking
-  '184.168.131.241',
-  '50.63.202.1',
-  '50.63.202.2',
-
-  // Namecheap parking
+  // GoDaddy Parking & CashParking
+  // Note: GoDaddy frequently uses Google Cloud IPs for parking. [1]
+  '3.33.130.190', // New GoDaddy Parking [3]
+  '15.197.148.33', // New GoDaddy Parking [3]
+  '34.98.99.30', // GoDaddy Free Parking [1]
+  '34.102.136.180', // GoDaddy Free Parking [1]
+  '50.63.202.1', // Old GoDaddy
+  '184.168.131.241', // Old GoDaddy
+
+  // Namecheap Parking
   '198.54.117.197',
   '198.54.117.198',
   '198.54.116.250',
+  '104.219.251.159', // Added Namecheap
 
-  // Google Domains parking
-  '216.239.32.21',
-  '216.239.34.21',
-  '216.239.36.21',
-  '216.239.38.21',
+  // Squarespace (formerly Google Domains)
+  // Google Domains sold to Squarespace. These are common Squarespace IPs.
+  '198.185.159.144',
+  '198.185.159.145',
+  '198.49.23.144',
+  '198.49.23.145',
 
-  // Bluehost default/parking
+  // Bluehost/Unified Layer Default/Parking
   '162.241.216.10',
   '50.87.144.227',
+  '74.220.216.100', // Added Bluehost/Unified Layer
 
-  // Network Solutions
+  // Network Solutions / Register.com (Web.com Group)
   '69.46.86.18',
   '69.46.86.19',
+  '209.67.50.203', // Register.com Futuresite [2]
+  '65.254.248.100',
 
   // Domain.com
   '69.46.80.151',
 
-  // Register.com
-  '65.254.248.100',
-
-  // Porkbun parking
-  '104.21.2.106',
-  '172.67.148.83',
+  // Porkbun Parking
+  '64.190.63.111',
 
-  // Hover.com parking
-  '216.40.47.26',
+  // Hover.com Parking/Forwarding
+  '216.40.34.41', // Used for forwarding, often indicates a parked state [40]
+  '64.99.80.28', // General Hover IP [30]
 
-  // Name.com parking
+  // Name.com Parking
   '69.46.88.64',
 
-  // 123-reg parking
+  // 123-reg Parking (Part of GoDaddy)
   '212.78.114.207',
   '212.78.114.211',
+  '94.136.40.82', // Added 123-reg
 
-  // OVH parking
-  '213.186.33.5',
+  // OVHcloud Parking
+  '213.186.33.5', // Often shows "site en construction" [7, 20]
   '87.98.231.6',
 
-  // CloudFlare parking
-  '104.21.2.106',
-  '172.67.148.83',
+  // Sedo Parking (Major Parking Service)
+  '64.191.115.111',
+  '64.191.115.110',
+
+  // Afternic (GoDaddy's Resale/Parking Platform)
+  '52.5.19.209',
+  '52.72.48.1',
+
+  // Tucows (Hover, Enom)
+  '64.99.64.37',
+
+  // IONOS (formerly 1&1)
+  '74.208.23.19',
+  '82.165.229.138',
+
+  // HostGator (Endurance International Group)
+  '192.185.16.149',
+
+  // NameSilo Parking (namesilo)
+  '198.105.244.228',
+  '198.105.251.228',
+
+  // Tucows/Hover (hover) - More specific IPs
+  '64.99.80.28', // Hover default IP
+  '216.40.34.41', // Hover forwarding service IP
+
+  // Wix (wix)
+  '23.236.62.147', // General Wix IP, often for parked/unassigned domains
+
+  // Squarespace (squarespace) - Already added, but confirming from your list
+  '198.185.159.144',
+  '198.185.159.145',
+  '198.49.23.144',
+  '198.49.23.145',
+
+  // IONOS by 1&1 (ionos) - Already added, confirming from your list
+  '74.208.23.19',
+  '82.165.229.138',
+
+  // Digital Ocean (digital-ocean) - Placeholder IP
+  '50.116.59.212', // Often used as a placeholder on unconfigured droplets
+
+  // Vultr (vultr) - Placeholder IP
+  '108.61.193.159', // Common default IP for unconfigured instances
+
+  // Linode (linode-akamai)
+  '50.116.59.212', // Also used by Linode for default pages
 
-  // Common sinkhole/blackhole IPs
-  '0.0.0.0'
+  // SiteGround (siteground)
+  '198.54.116.250' // Shared with Namecheap, but also used by SiteGround for parked domains
 ]);
 
 // Function to validate resolved A records are not local/private IPs

config/utilities.js

@@ -465,6 +465,54 @@ const NS_PROVIDERS = {
     'https://portal.ultradns.com/',
     false,
     ''
+  ],
+  sedo: [
+    'sedo',
+    'Sedo',
+    // Sedo is a major domain parking service
+    'https://sedo.com/us/login/',
+    false,
+    ''
+  ],
+  afternic: [
+    'afternic',
+    'Afternic (GoDaddy)',
+    // Afternic is GoDaddy's domain resale and parking platform
+    'https://www.afternic.com/login',
+    false,
+    ''
+  ],
+  bodis: [
+    'bodis',
+    'Bodis',
+    // Bodis is a domain parking and monetization service
+    'https://www.bodis.com/login',
+    false,
+    ''
+  ],
+  hostgator: [
+    'hostgator',
+    'HostGator',
+    // Part of Endurance International Group (EIG )
+    'https://portal.hostgator.com/login',
+    false,
+    ''
+  ],
+  'unifiedlayer.com': [
+    'unified-layer',
+    'Unified Layer (Bluehost/HostGator)',
+    // The infrastructure behind many EIG brands
+    'https://www.unifiedlayer.com/', // No public login
+    false,
+    ''
+  ],
+  'web.com': [
+    'web-com-group',
+    'Web.com Group',
+    // Parent company of Network Solutions, Register.com
+    'https://www.web.com/my-account/login',
+    false,
+    ''
   ]
 };
 

helpers/check-domain-reputation.js

@@ -6,14 +6,18 @@
 const { isIP } = require('node:net');
 const ms = require('ms');
 
+const pkg = require('../package.json');
+
+const REGEX_LOCALHOST = require('./regex-localhost');
 const logger = require('./logger');
 const retryRequest = require('./retry-request');
-const REGEX_LOCALHOST = require('#helpers/regex-localhost');
-const { nsProviderLookup } = require('#config/utilities');
+
 const {
   REPUTABLE_DNS_PROVIDER_SLUGS,
   isValidPublicIP
 } = require('#config/smtp-reputation');
+const config = require('#config');
+const { nsProviderLookup } = require('#config/utilities');
 
 function hasReputableDNS(nsRecords, domain = null) {
   if (!Array.isArray(nsRecords) || nsRecords.length === 0) return false;
@@ -48,8 +52,7 @@ async function respondsToHTTP(domain, timeout = ms('5s')) {
         timeout,
         retries: 0,
         headers: {
-          'User-Agent':
-            'Mozilla/5.0 (compatible; ForwardEmail/1.0; +https://forwardemail.net)'
+          'User-Agent': `Mozilla/5.0 (compatible; ${pkg.name}/${pkg.version}; +${config.urls.web})`
         }
       });
 

helpers/regex-localhost.js

@@ -7,6 +7,8 @@
 // <https://github.com/tinovyatkin/is-localhost-ip>
 
 const IP_RANGES = [
+  // 0.0.0.0
+  /^(::f{4}: )?0\.0\.0\.0$/,
   // 10.0.0.0 - 10.255.255.255
   /^(:{2}f{4}:)?10(?:\.\d{1,3}){3}$/,
   // 127.0.0.0 - 127.255.255.255