OVH reports are crucial to maintaining our service, they will appear in System Notifications queues: OVH Phishing and OVH Block. They must be processed fully and with top priority.

Most of them will contain links by which you can easily find account responsible. Here's how:

In message copy the string after "d="

Then paste it into LinkDecryptor on Admin screen:

There are three types of such reports. Please look below:

"Abusive use of your service": https://elasticemail.com/account#/admin/discussions/1427866667282724650

Solution:
Use Link Decryptor in Admin screen, find the account and take action against it. In most cases you should disable this account, but in rare situation where the account was hacked and we will reactivate the account - we will need to disable the URLs. People with access to FatAdmin can disable those URLs via Lookups -> LinkClickBlacklist.

Leave information returned by LinkDecryptor as a note.
Once done - reply to OVH that necessary steps were taken.


If there are no URLs, try to find the sending account, by using IP data and email headers data. If you cannot find the sender - request more information from OVH. If you find it - please take necessary action - at least use "Mark as abuse", but you should consider putting account as Risky or Under Review.

Once done reply to OVH about actions that have been taken.

"You are hosting a phishing webpage on ip"

https://elasticemail.com/account#/admin/discussions/1423529306952408362

Solution:
Use Link Decryptor in Admin screen, find the account and take action against it.

In most cases you should disable this account, but in rare situation where the account was hacked and we will reactivate the account - we will need to disable the URLs. People with access to FatAdmin can disable those URLs via Lookups -> LinkClickBlacklist.

Leave information returned by LinkDecryptor as a note.

Once done - reply to OVH that necessary steps were taken.

If there are no URLs, try to find the sending account, by using IP data and email headers data. If you cannot find the sender - request more information from OVH. If you find it - please take necessary action - at least use "Mark as abuse", but you should consider putting account as Risky or Under Review.

Once done reply to OVH about actions that have been taken.

"Action taken on ip"
https://elasticemail.com/account#/admin/discussions/1426936106812804242

This is most critical notification (email's subject will include: "Action taken on ip") - it means that we have missed some reports or the reported URLs were so severe that OVH decided to block one of our IPs - usually this is IP that is used for api.elasticemail.com - so it affects all customers and will cause issues with sending and using dashboard. When API IP is blocked, API Calls will fail and Dashboard will get connection timeouts.

You need to find earlier reports about this IP and address things from those reports. Once this is done you need to escalate it to the Management team, Beverly or Ania to log in to OVH panel and unblock the IP from there.


Once all required actions are taken you can close the notifications.

Process flow chart:

How to decode base64 email contents sent to us in OVH reports

How to decode base64 email to find more information (like EE tracking links) that are forwarded to us in some of OVH reports. This is the notification we will be working on:

https://elasticemail.com/account#/admin/discussions/1437474544469283806

The string that begins with DOpla is the base64 encoded email.

1. Copy the string, in this case it starts with

DQpIaSBTdGl

and ends with

OU1VCU0NSSUJF

2. Paste it to www.base64decode.com with "decode" option selected

3. A full, decoded email will show up in the bottom text box, including EE unsubscribe link that can be now decrypted via the link decryptor. It will give us information like accountID and messageID.

Did this answer your question?