# alimail-security

# Alibaba Mail Security Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|--------|---------|------------------|
| Forgotten Password | "Forgot Password" option available but SMS or security question fails | High | Reset password via SMS or security question if recovery options are configured |
| Unable to Verify Security Questions or Phone Number During Login | Two-step verification fails when logging in from a new location | High | Postmaster must reset security settings via console; user may need to submit a ticket |
| Email Rejected with ESO_LOCAL_SPAM Error | Bounce message: `ESO_LOCAL_SPAM: spamed by local spam engine` | Medium | Submit original .eml file to Alibaba Mail support for review and whitelisting |
| Legitimate Email Marked as Spam | Email not sent due to anti-spam rules; subject/content flagged | Medium | Avoid bulk sending, prohibited content, and spam-like subjects; ensure valid recipients |
| Unwanted Unusual Logon Notifications | Frequent emails about logins from unfamiliar IPs or cities | Low | Disable notifications via Webmail > Settings > Account and Security |

## Problem Details

### Problem 1: Forgotten Password

**Symptoms**
- Error message: None (recovery flow initiated)
- Behavior: User cannot log in and clicks "Forgot Password" but recovery fails
- Context: Occurs when the user has forgotten their password but previously set up SMS or security question recovery

**Root Cause**
- The password is unknown, and recovery depends on pre-configured methods (secure phone number or security questions). If these are missing, expired, or unreachable, the reset fails.

**Solution**
1. Go to the Alibaba Mail login page at https://mail.aliyun.com
2. Click **Forgot Password** below the login form
3. Choose **Send SMS** to receive a verification code (only available if a secure phone number is bound)
4. Enter the code in the **Verification Code** field (the code expires after 5 minutes)
5. Set a new password meeting complexity rules (≥8 characters, letters + numbers)
6. Confirm the new password and click **Set New Password**

> **Note**: If neither SMS nor security questions are available, contact your postmaster or submit a support ticket.

**Verification**
- After reset, log in successfully using the new password
- Expected behavior: Access granted without further authentication prompts (unless 2FA is enabled)

### Problem 2: Unable to Verify Security Questions or Phone Number During Login

**Symptoms**
- Error message: Verification failure during two-step authentication
- Behavior: Login blocked when accessing from a location different from registration
- Context: Common when traveling or using new devices; affects accounts with two-step verification enabled

**Root Cause**
- Alibaba Mail enforces strict location-based verification. If the user cannot receive SMS or recall security answers, and no alternative recovery path exists, access is denied.

**Solution**

For **postmasters**:
1. Log in to the [Alibaba Mail Console](https://alimail.console.aliyun.com)
2. Navigate to **Account Security** in the left menu
3. Select **Mobile Number Unbinding**
4. Click **Reset Security Settings** to clear and reconfigure security questions and phone number

For **regular users**:
1. If recovery options fail, submit a support ticket through the Alibaba Cloud console
2. Include account details and proof of identity
3. Wait for postmaster or support team intervention

**Verification**
- After reset, user can log in from new locations using updated credentials
- New security questions and phone number take effect immediately

### Problem 3: Email Rejected with ESO_LOCAL_SPAM Error

**Symptoms**
- Error message: `ESO_LOCAL_SPAM: spamed by local spam engine`
- Behavior: Sent email bounces back with this error; recipient never receives it
- Context: Occurs when email content or metadata matches internal anti-spam rules

**Root Cause**
- Alibaba Mail’s local spam engine flagged the message as unsolicited or policy-violating, even if the email is legitimate (e.g., marketing, bulk, or template-based messages).

**Solution**
1. Locate the original `.eml` file of the failed email (from Sent folder or email client)
2. Contact Alibaba Mail support or your enterprise administrator
3. Submit the `.eml` file for manual review
4. Request whitelisting if the email is confirmed legitimate

> **Note**: Do not resend the same email repeatedly—this may worsen filtering.

**Verification**
- After review, send a test email to the same recipient
- Expected result: No bounce message; delivery succeeds

### Problem 4: Legitimate Email Marked as Spam

**Symptoms**
- Error message: `SpamDetected`, `InvalidEmailContent`, or implicit rejection
- Behavior: Email fails to send or lands in recipient’s spam folder
- Context: Common with newsletters, announcements, or transactional emails

**Root Cause**
- Anti-spam policies trigger on:
  - Bulk sending patterns
  - Subjects matching known spam templates
  - Content containing prohibited material (e.g., adult content, illegal offers)
  - Invalid or non-existent recipient addresses

**Solution**
1. Avoid sending large volumes of identical emails in short timeframes
2. Ensure all recipients are valid and opted-in
3. Remove any questionable content (e.g., excessive links, promotional language)
4. Use clear, non-spammy subject lines (avoid ALL CAPS, “FREE”, “URGENT”)
5. For business use, consider Alibaba Cloud’s DirectMail service for compliant bulk sending

**Verification**
- Send a test email to an internal address
- Check that it arrives in the inbox (not spam)
- Monitor delivery reports if using programmatic sending
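
The Solution checklist above can be run as a pre-send check on a saved `.eml` file. The following is an added example, not Alibaba Mail's filter or any official tool: `lint_eml`, its finding labels, and the numeric thresholds are assumptions, since the guide gives no numbers for "excessive links" or "large volumes".

```python
import re
from email import message_from_string, policy

# Assumed limits: the guide says "excessive links" and "large volumes"
# without numbers, so these thresholds are illustrative only.
MAX_LINKS = 5
MAX_RECIPIENTS = 20
TRIGGER_WORDS = ("FREE", "URGENT")  # the two words the guide names

def lint_eml(raw: str) -> list[str]:
    """Return the Problem 4 checklist items that a raw .eml message trips."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Subject checks: ALL CAPS and the named trigger words (any case).
    subject = str(msg["Subject"] or "")
    letters = [c for c in subject if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        findings.append("subject-all-caps")
    for word in TRIGGER_WORDS:
        if re.search(rf"\b{word}\b", subject, re.IGNORECASE):
            findings.append(f"subject-word:{word}")

    # Bulk pattern: count To/Cc addresses (Bcc is usually absent from .eml).
    recipients = [
        addr.addr_spec
        for header in ("To", "Cc")
        for value in msg.get_all(header, [])
        for addr in value.addresses
    ]
    if len(recipients) > MAX_RECIPIENTS:
        findings.append("bulk-recipients")

    # Link density in the preferred text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if len(re.findall(r"https?://\S+", text)) > MAX_LINKS:
        findings.append("excessive-links")
    return findings

# Constructed sample message (not a real email).
SAMPLE_EML = (
    "From: news@example.com\n"
    "To: a@example.com, b@example.com\n"
    "Subject: URGENT FREE OFFER\n"
    "\n"
    + " ".join(f"http://example.com/{i}" for i in range(6)) + "\n"
)

if __name__ == "__main__":
    print(lint_eml(SAMPLE_EML))
```

An empty result means none of the listed patterns matched; it does not guarantee delivery, because the server-side rules are not published on this page.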

### Problem 5: Unwanted Unusual Logon Notifications

**Symptoms**
- Behavior: Receiving frequent emails titled “Unusual login attempt detected”
- Context: Occurs with dynamic IPs, travel, or multiple devices

**Root Cause**
- Alibaba Mail monitors login geography and IP reputation. Changes trigger alerts by default.

**Solution**
1. Log in to Webmail at https://mail.aliyun.com
2. Click **Settings** (upper-right corner)
3. Go to **Account and Security** > **Account Security**
4. Under *Unusual logon notifications*, select **Do not receive**

**Verification**
- Perform a login from a new network or device
- Confirm no notification email is received

## FAQ

**Q: How do I reset my password if I don’t have a phone number or security questions set up?**  
A: You must contact your organization’s postmaster or submit a support ticket through the Alibaba Cloud console. Self-service recovery requires at least one pre-configured method.

**Q: What should I do if my email is blocked as spam but it’s a legitimate business message?**  
A: Do not resend repeatedly. Instead, review content for spam triggers, ensure recipient validity, and if needed, submit the original `.eml` file to support for whitelisting.

**Q: How can I tell if an email is part of a phishing drill?**  
A: Official phishing drills include a clear notice stating it’s a security awareness exercise by your organization’s information security team. If you entered credentials, change your password immediately and report it.

**Q: Why am I locked out when logging in from a new country?**  
A: Alibaba Mail enforces two-step verification for logins from unfamiliar locations. You’ll need to verify via SMS or security questions. If those fail, your postmaster must reset your security settings.

**Q: Can I disable all security notifications?**  
A: You can disable *unusual logon notifications* via Webmail settings, but critical alerts (e.g., password changes, 2FA prompts) cannot be turned off for security reasons.