Re: [mailop] blocked by microsoft -- support procedure?
On 11.01.2022 at 20:04, Mark G Thomas via mailop wrote:

> I'm not generally involved in our support issues, but a coworker at my work (Linode) reached out to me about what looks to be a new problem involving hosting customers being blocked by Microsoft.

It's nice to see another representative of a webhoster brave enough to post on here, welcome :)

I've been dealing with blacklist issues at Hetzner for the past 6 years, and I've posted on here multiple times with my experiences. My first post was actually about Microsoft. If you check the archives you'll find some posts over the past few months with general information on Microsoft and blacklists, but I can repeat some of that here that nobody has mentioned yet.

Since your issue is with Microsoft, it would be good to figure out which of their blacklists your IPs are on. The error you posted is for the Office365 blacklist, while the error one of your clients posted is for the Outlook blacklist. Those are two separate blacklists with separate processes for getting IPs delisted.

If you're mostly dealing with Office365 then I can only wish you all the best. We've had very few issues with this blacklist, which I'm thankful for since there doesn't appear to be much that can be done, other than emailing delist@.

As for Outlook, delisting IPs is done through a form, and it works most of the time, though often you will need to escalate the ticket. If you haven't already done so, make sure you sign up your network in the Microsoft SNDS. That will show you all of the IPs currently on the Outlook blacklist. It also shows you (daily) all the IPs that sent over 100 emails to Microsoft accounts, including how many emails, the complaint rate, and trap hits. Incredibly useful (and free!) information.

Some additional information on the Microsoft blacklists and services they provide can be found in our docs:

https://docs.hetzner.com/robot/dedicated-server/troubleshooting/microsoft-blacklist/

As for the general issue with blacklistings, depending on how constrained you are by management (trust me, I get it), there are a number of things you can look into.

For example, Spamhaus has a list of IPs on their public SBL, some of which go back a year:

https://www.spamhaus.org/sbl/listings/linode.com

If you haven't already done so, you can sign up for their PBL account, and that way you can see all of the IPs in your network that are listed on their various lists. Like the SNDS, this is provided for free and is incredibly useful.

Also, while it looks like you paid UCEPROTECT to delist all of your IPs last week, your entire network is back on the level 3 list, and the trend doesn't look positive. Thankfully though, they show you exactly which IPs are causing this (scroll down to the bottom and click the relevant link):

https://www.uceprotect.net/en/rblcheck.php?asn=63949

Finally, make sure you're signed up for as many blacklist reports (mainly SpamCop and SORBS) and FBLs (mainly through Validity) as possible. There's an interesting discussion on here right now regarding how to handle FBL complaints, so it would make sense to look into that as well. The more information you have, the better.

I'm assuming you've already done some if not most of what I wrote, but I wanted to at least cover the basics. I hope that made sense and I hope you are able to resolve the issues you are facing.

Regards
Bastiaan

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
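The distinction drawn in the message above (Office365 list versus Outlook list, each with its own delisting route) can be applied mechanically to a pile of bounces. The following is an added example, not code from any list member: it classifies bounce texts by the two response patterns quoted in this thread and groups the rejected sender IPs per blacklist. The function names, the third sample bounce and `mx.example.net` are assumptions made for illustration.

```python
import re

# Constructed, abridged copies of the two bounces quoted in this thread,
# plus one unrelated failure (mx.example.net is a placeholder) as a control.
SAMPLE_BOUNCES = [
    "host enlogic-gr.mail.protection.outlook.com[104.47.17.74] said: "
    "550 5.7.511 Access denied, banned sender[172.104.233.127]. "
    "(in reply to RCPT TO command)",
    "host hotmail-com.olc.protection.outlook.com[104.47.14.33] said: "
    "550 5.7.1 Unfortunately, messages from [66.175.223.185] weren't sent. "
    "Please contact your Internet service provider since part of their "
    "network is on our block list (S3140). (in reply to MAIL FROM command)",
    "host mx.example.net[192.0.2.25] said: 550 5.1.1 User unknown "
    "(in reply to RCPT TO command)",
]

RELAY = re.compile(
    r"host (\S+?)\[[\d.]+\] said: (\d{3}) (\d\.\d{1,3}\.\d{1,3}) (.*)", re.S)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
STAGE = re.compile(r"in reply to (.+?) command")

# Next steps as described in the message above.
NEXT_STEP = {
    "office365": "email the delist@ address named in the bounce",
    "outlook": "submit the Outlook delisting form; check the IP in SNDS",
    "other": "not a Microsoft block-list bounce",
}


def classify(bounce):
    """Return the relay, codes, rejected IP, SMTP stage and blacklist."""
    m = RELAY.search(bounce)
    if m is None:
        return None  # not a remote-rejection bounce in the expected form
    relay, code, enhanced, text = m.groups()
    ip = BRACKETED_IP.search(text)   # first bracketed IPv4 in the reply text
    stage = STAGE.search(text)
    if enhanced == "5.7.511" and "banned sender" in text:
        blocklist = "office365"
    elif re.search(r"block list \(S\d+\)", text):
        blocklist = "outlook"
    else:
        blocklist = "other"
    return {
        "relay": relay, "code": code, "enhanced": enhanced,
        "sender_ip": ip.group(1) if ip else None,
        "stage": stage.group(1) if stage else None,
        "blocklist": blocklist, "next_step": NEXT_STEP[blocklist],
    }


def ips_by_blocklist(bounces):
    """Group rejected sender IPs by Microsoft blacklist, skipping the rest."""
    grouped = {}
    for bounce in bounces:
        info = classify(bounce)
        if info and info["blocklist"] != "other" and info["sender_ip"]:
            grouped.setdefault(info["blocklist"], set()).add(info["sender_ip"])
    return {name: sorted(ips) for name, ips in grouped.items()}
```

Run over the bounce text pulled from support tickets, `ips_by_blocklist` gives one IP list per delisting route instead of one undifferentiated queue.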
Re: [mailop] blocked by microsoft -- support procedure?
Hi,

On Thu, Jan 13, 2022 at 12:35:25AM -0800, Jyri J. Virkki via mailop wrote:
> On Tue, Jan 11, 2022 at 02:04:56PM -0500, Mark G Thomas via mailop wrote:
> >
> > I'm not generally involved in our support issues, but a coworker at my work (Linode) reached out to me about what looks to be a new problem involving hosting customers being blocked by Microsoft. We have 150-200 new support tickets about this, starting on December 21, 2021. Our support goes back and forth with the customers and tries to help, typically 4 responses, but up to 48, per ticket, and both support and customers are growing increasingly frustrated.
>
> Thanks for the support!
>
> Mine is one of those hundreds of tickets (FYI 16748061).

...

> I got the same response that Linode got (based on the support ticket)
>
> "Not qualified for mitigation 66.175.223.185/32 Our investigation has determined that the above IP(s) do not qualify for mitigation."
>
> However, today I tried writing to my friend at hotmail.com again and this time didn't get the IP-based block bounce, so at least something has changed. I'll follow up offline with him later to see if anything got delivered or not.

Linode is taking immediate and drastic measures. Since yesterday 50 accounts representing several hundred IPs have been cancelled as fraud for this specific SMTP-enabled-customer plus high IP churn abuse pattern. A new policy will be going into effect today, putting further restrictions on when support may grant outbound-SMTP-filter removal to requesting customers.

Would Linode meet the criteria for getting someone from Linode's Trust and Safety department on this list?

Mark

--
Mark G. Thomas, KC3DRE
Re: [mailop] blocked by microsoft -- support procedure?
On Tue, Jan 11, 2022 at 02:04:56PM -0500, Mark G Thomas via mailop wrote:
>
> I'm not generally involved in our support issues, but a coworker at my work (Linode) reached out to me about what looks to be a new problem involving hosting customers being blocked by Microsoft. We have 150-200 new support tickets about this, starting on December 21, 2021. Our support goes back and forth with the customers and tries to help, typically 4 responses, but up to 48, per ticket, and both support and customers are growing increasingly frustrated.

Thanks for the support!

Mine is one of those hundreds of tickets (FYI 16748061).

relay=hotmail-com.olc.protection.outlook.com[104.47.14.33]:25, delay=0.85, delays=0.04/0.02/0.63/0.16, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.14.33] said: 550 5.7.1 Unfortunately, messages from [66.175.223.185] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [VI1EUR04FT006.eop-eur04.prod.protection.outlook.com] (in reply to MAIL FROM command))

Based on discussion in HN, it seems Microsoft has suddenly blocked off large parts of the Internet sometime in late December, the delivery problem is much broader than Linode IP space.

Aside from filing a ticket with Linode (due to the "Please contact your Internet service provider since part of their network is on our block list" part in the message) I also tried various ways to contact Microsoft directly with limited success. I received prompt replies but they are the same bot-reply form letter, so not clear if anyone is reading them.

I got the same response that Linode got (based on the support ticket)

"Not qualified for mitigation 66.175.223.185/32 Our investigation has determined that the above IP(s) do not qualify for mitigation."

However, today I tried writing to my friend at hotmail.com again and this time didn't get the IP-based block bounce, so at least something has changed. I'll follow up offline with him later to see if anything got delivered or not.

--
Jyri J. Virkki - Santa Cruz, CA
Re: [mailop] blocked by microsoft -- support procedure?
On 2022-01-11 12:32 p.m., Mark G Thomas via mailop wrote:
> Hi,
>
> On Tue, Jan 11, 2022 at 11:21:47AM -0800, Michael Peddemors via mailop wrote:
> > On 2022-01-11 11:04 a.m., Mark G Thomas via mailop wrote:
> > > Here's an example from one ticket, however I'm more looking for whether there is anything I can do to facilitate improving this overall, then starting trying to intervene about (many!) specific tickets and IPs. I would be happy to help with more details off-list, if so requested. I also could relay suggestions or procedural instructions to our support group.
> > >
> > > redac...@enlogic.gr: host enlogic-gr.mail.protection.outlook.com[104.47.17.74] said: 550 5.7.511 Access denied, banned sender[172.104.233.127]. To request removal from this list please forward this message to del...@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [DB8EUR05FT065.eop-eur05.prod.protection.outlook.com] (in reply to RCPT TO command)
> > >
> > > Mark
> >
> > No comments on Linode spamming, but looking at this, have to comment.
> >
> > host enlogic.gr
> > enlogic.gr has address 172.105.85.167
> > enlogic.gr mail is handled by 0 enlogic-gr.mail.protection.outlook.com
> >
> > host 172.104.233.127
> > 127.233.104.172.in-addr.arpa domain name pointer extmail.enlogic.gr
> >
> > If microsoft thinks that the email server for that domain is their infrastructure, why would they accept any email from outside MS with that domain, if it isn't authenticated.
> >
> > The rejection message looks pretty clear.. banned sender.
> >
> > What is the address in the MAIL FROM, it looks like @enlogic.gr?
>
> In this specific case, the sender was reported to be an address @kentia.gr.

host kentia.gr
kentia.gr has address 31.22.115.154
kentia.gr mail is handled by 10 mx1.mydomain.ro.
kentia.gr mail is handled by 20 mx2.mydomain.ro.
kentia.gr mail is handled by 5 obd0bh.static.otenet.gr.

host -t TXT kentia.gr
kentia.gr descriptive text "v=spf1 a mx ip4:62.38.3.0/24 ip4:62.38.240.10 ip4:195.46.27.139/29 ip4:172.104.233.127 a:outgoing.holservices.gr -all"

> > I don't think you would get a response quickly from MS, if they think they are authoritative for the email domain. Anyone can put up a PTR record or MAIL FROM forging a domain on their networks.
> >
> > I get ...
>
> Got it. I can look at other cases, which may have other issues. This was an example I snagged, but I'm sure there are other different scenarios. Something changed and now we have this flood of tickets, many from people who have been e-mailing successfully to MS recipients for a long time, until a few weeks ago when something changed.
>
> Is there anything I can do to help our support people in handling this?
>
> Mark

You 'could' simply send an email from the command line to a MS address, using one of your own domains (with of course a wide SPF record) to see if this is an IP based reputation issue, or a domain based reputation issue.

You 'could' subscribe to something like 'HetrixTools' to see when IP(s) on your network get listed on RBLs.

You 'could' put in a network alert in your egress routers to report when too high of SYN packets are generated from an IP address in your networks destined to certain ports.

You 'could' start offering 'rwhois' automation, eg a person gets an IP address on your networks, the ownership is updated in your 'rwhois' server.

You 'could' do a random walk on your networks for suspicious PTR records.

(See where I am heading? Stop the threats first, reduces support calls)

But, the thing I was pointing out, and this goes for anyone on the list, if you want to shout out for help, make sure you provide the list members with as much detail as possible.

Let's try to get the full information of one (1) case, to confirm that there isn't something obvious that could be causing issues. And pick an easier case where the MX and SPF records are a little simpler and sane, where you see the problem.

However, in December there WAS a smaller outbreak from Linode IP(s) I seem to recall.. maybe might have triggered something..

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Re: [mailop] blocked by microsoft -- support procedure?
On 1/11/22 2:21 PM, Michael Peddemors via mailop wrote:
> On 2022-01-11 11:04 a.m., Mark G Thomas via mailop wrote:
> > Here's an example from one ticket, however I'm more looking for whether there is anything I can do to facilitate improving this overall, then starting trying to intervene about (many!) specific tickets and IPs. I would be happy to help with more details off-list, if so requested. I also could relay suggestions or procedural instructions to our support group.
> >
> > redac...@enlogic.gr: host enlogic-gr.mail.protection.outlook.com[104.47.17.74] said: 550 5.7.511 Access denied, banned sender[172.104.233.127]. To request removal from this list please forward this message to del...@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [DB8EUR05FT065.eop-eur05.prod.protection.outlook.com] (in reply to RCPT TO command)
> >
> > Mark
>
> No comments on Linode spamming, but looking at this, have to comment.
>
> host enlogic.gr
> enlogic.gr has address 172.105.85.167
> enlogic.gr mail is handled by 0 enlogic-gr.mail.protection.outlook.com
>
> host 172.104.233.127
> 127.233.104.172.in-addr.arpa domain name pointer extmail.enlogic.gr
>
> If microsoft thinks that the email server for that domain is their infrastructure, why would they accept any email from outside MS with that domain, if it isn't authenticated.
>
> The rejection message looks pretty clear.. banned sender.
>
> What is the address in the MAIL FROM, it looks like @enlogic.gr?

The mail is being sent by 172.104.233.127, enlogic.gr is the recipient.

I too am having this issue (also a Linode customer, but no support tickets from me). I'll be posting more details later.

John
Re: [mailop] blocked by microsoft -- support procedure?
Hi,

On Tue, Jan 11, 2022 at 11:21:47AM -0800, Michael Peddemors via mailop wrote:
> On 2022-01-11 11:04 a.m., Mark G Thomas via mailop wrote:
> > Here's an example from one ticket, however I'm more looking for whether there is anything I can do to facilitate improving this overall, then starting trying to intervene about (many!) specific tickets and IPs. I would be happy to help with more details off-list, if so requested. I also could relay suggestions or procedural instructions to our support group.
> >
> > redac...@enlogic.gr: host enlogic-gr.mail.protection.outlook.com[104.47.17.74] said: 550 5.7.511 Access denied, banned sender[172.104.233.127]. To request removal from this list please forward this message to del...@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [DB8EUR05FT065.eop-eur05.prod.protection.outlook.com] (in reply to RCPT TO command)
> >
> > Mark
>
> No comments on Linode spamming, but looking at this, have to comment.
>
> host enlogic.gr
> enlogic.gr has address 172.105.85.167
> enlogic.gr mail is handled by 0 enlogic-gr.mail.protection.outlook.com
>
> host 172.104.233.127
> 127.233.104.172.in-addr.arpa domain name pointer extmail.enlogic.gr
>
> If microsoft thinks that the email server for that domain is their infrastructure, why would they accept any email from outside MS with that domain, if it isn't authenticated.
>
> The rejection message looks pretty clear.. banned sender.
>
> What is the address in the MAIL FROM, it looks like @enlogic.gr?

In this specific case, the sender was reported to be an address @kentia.gr.

> I don't think you would get a response quickly from MS, if they think they are authoritative for the email domain. Anyone can put up a PTR record or MAIL FROM forging a domain on their networks.
>
> I get ...

Got it. I can look at other cases, which may have other issues. This was an example I snagged, but I'm sure there are other different scenarios. Something changed and now we have this flood of tickets, many from people who have been e-mailing successfully to MS recipients for a long time, until a few weeks ago when something changed.

Is there anything I can do to help our support people in handling this?

Mark

--
Mark G. Thomas, KC3DRE
Re: [mailop] blocked by microsoft -- support procedure?
On 2022-01-11 11:04 a.m., Mark G Thomas via mailop wrote:
> Here's an example from one ticket, however I'm more looking for whether there is anything I can do to facilitate improving this overall, then starting trying to intervene about (many!) specific tickets and IPs. I would be happy to help with more details off-list, if so requested. I also could relay suggestions or procedural instructions to our support group.
>
> redac...@enlogic.gr: host enlogic-gr.mail.protection.outlook.com[104.47.17.74] said: 550 5.7.511 Access denied, banned sender[172.104.233.127]. To request removal from this list please forward this message to del...@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [DB8EUR05FT065.eop-eur05.prod.protection.outlook.com] (in reply to RCPT TO command)
>
> Mark

No comments on Linode spamming, but looking at this, have to comment.

host enlogic.gr
enlogic.gr has address 172.105.85.167
enlogic.gr mail is handled by 0 enlogic-gr.mail.protection.outlook.com

host 172.104.233.127
127.233.104.172.in-addr.arpa domain name pointer extmail.enlogic.gr

If microsoft thinks that the email server for that domain is their infrastructure, why would they accept any email from outside MS with that domain, if it isn't authenticated.

The rejection message looks pretty clear.. banned sender.

What is the address in the MAIL FROM, it looks like @enlogic.gr?

host -t TXT enlogic.gr
enlogic.gr descriptive text "v=spf1 include:_spf.google.com ip4:37.99.196.61 ip4:62.38.2.0/24 ip4:172.104.233.127 include:spf.protection.outlook.com -all"
enlogic.gr descriptive text "MS=EB2F0AF170CC8CEB57C60C387F3DEA591B9B84F0"

I don't think you would get a response quickly from MS, if they think they are authoritative for the email domain. Anyone can put up a PTR record or MAIL FROM forging a domain on their networks.

I get it that you think the SPF record indicates that mail should be accepted from that IP, but SPF saying it is okay, isn't the same thing as it being okay. There are many other checks that can take precedence.

(Since they basically allow SPF from any of the Google IPs, easy to run forgeries on those google cloud IPs ;)

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
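The point made above, that an SPF pass for 172.104.233.127 sits alongside a 5.7.511 rejection of the same IP, can be checked without any DNS access. This is an added example, not code from any list member: it evaluates only the `ip4`/`ip6` and `all` terms of the two SPF records quoted in this thread and reports which terms would still need a DNS lookup. The function name and the result label `depends-on-dns` are assumptions made for illustration.

```python
import ipaddress

# SPF records copied from the `host -t TXT` output quoted in the thread.
RECORDS = {
    "kentia.gr": "v=spf1 a mx ip4:62.38.3.0/24 ip4:62.38.240.10 "
                 "ip4:195.46.27.139/29 ip4:172.104.233.127 "
                 "a:outgoing.holservices.gr -all",
    "enlogic.gr": "v=spf1 include:_spf.google.com ip4:37.99.196.61 "
                  "ip4:62.38.2.0/24 ip4:172.104.233.127 "
                  "include:spf.protection.outlook.com -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_offline(record, ip):
    """Evaluate an SPF record left to right using literal networks only."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    unresolved = []  # (qualifier, term) pairs that need DNS to evaluate
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False: "195.46.27.139/29" on the page has host bits set.
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "all":
            matched = True
        else:
            # a, mx, include, exists, ptr and modifiers are not looked up.
            unresolved.append((qual, term))
            continue
        if matched:
            # An earlier DNS term with a different qualifier could match
            # first, so the verdict is only certain if the qualifiers agree.
            certain = all(q == qual for q, _ in unresolved)
            return {
                "result": QUALIFIER[qual] if certain else "depends-on-dns",
                "matched": term,
                "unresolved": [t for _, t in unresolved],
            }
    return {
        "result": "depends-on-dns" if unresolved else "neutral",
        "matched": None,
        "unresolved": [t for _, t in unresolved],
    }
```

Both quoted records return `pass` for 172.104.233.127 on the literal `ip4:` term, so SPF authorisation was not what the rejecting server was objecting to.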
[mailop] blocked by microsoft -- support procedure?
Hi,

I'm not generally involved in our support issues, but a coworker at my work (Linode) reached out to me about what looks to be a new problem involving hosting customers being blocked by Microsoft. We have 150-200 new support tickets about this, starting on December 21, 2021. Our support goes back and forth with the customers and tries to help, typically 4 responses, but up to 48, per ticket, and both support and customers are growing increasingly frustrated.

Customers and our support team have been reaching out to del...@messaging.microsoft.com, but are concluding this is non-monitored.

Linode doesn't provide any e-mail services for the customers, so all these involve different customer-allocated IPs and different hosting customers. While the ones I'm spot checking, looking at these tickets, have DNS, SPF, and other mechanisms set up appropriately, of course the situation varies. At least some of these customers and/or our support has confirmed their Linode IPs are not listed on any public DNSBLs they can find.

Linode has by default blocked all outbound SMTP for all accounts starting November 2019, until customers have met certain criteria. I have not become aware of any recent large or not-promptly addressed spamming problems, nor seen recent mention of spammers from Linode IP space on here or other e-mail hosting related lists since I started here in January, 2020.

I saw the December thread on this list from a listmember who is (or was?) Linode hosted, and ran into this MS blocking Linode trouble.

Here's an example from one ticket, however I'm more looking for whether there is anything I can do to facilitate improving this overall, then starting trying to intervene about (many!) specific tickets and IPs. I would be happy to help with more details off-list, if so requested. I also could relay suggestions or procedural instructions to our support group.

redac...@enlogic.gr: host enlogic-gr.mail.protection.outlook.com[104.47.17.74] said: 550 5.7.511 Access denied, banned sender[172.104.233.127]. To request removal from this list please forward this message to del...@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [DB8EUR05FT065.eop-eur05.prod.protection.outlook.com] (in reply to RCPT TO command)

Mark

--
Mark G. Thomas, KC3DRE