550 5.7.511 Access denied, banned sender - Office 365
I'm having issues sending emails to office365 accounts - live/hotmail are not affected
I see this being reported at - and it describes my issue exactly:
https://docs.microsoft.com/en-us/answers/questions/674558/550-57511-access-denied-banned-sender.html
The timing is precise, I became aware of the issue on 22 December.
Is anyone else seeing this ?
257 Replies
✓ Best Answer
Hi folks. I have two updates:
- Microsoft reported that they delisted a number of our subnets. We've seen a big decrease in the number of new reports of this issue from customers. Customers have also reported to us that their bans have been lifted.
- We're unfortunately still seeing new reports of this issue from customers, some of them from subnets we hadn't originally sent to Microsoft, which suggests that the underlying issue hasn't been identified or resolved.
I've asked Microsoft for an RCA multiple times. Absent some information on what's causing these bans, new IP addresses/subnets will likely continue to be banned.
If you're having this or other NDR issues, the best way to get our help is to open a ticket.
We are aware and have received multiple reports from users facing this issue and working closely with Microsoft to get this resolved as soon as possible.
As far as we know, this is affecting other non Linode customers as well and Microsoft has acknowledge the problem and looking into it.
You may want to consider looking into a third-party SMTP delivery service, if you want a surefire way to get your mails delivered. A few of them I've listed below such as:
https://www.smtp2go.com/
https://sendgrid.com/
https://www.mailgun.com/
Being able to host a mail server directly from your Linode is certainly more ideal, but if mail is absolutely critical and you want a way that is certain to fix your email deliverability, I personally recommend switching to a service like one of these. If anything you could switch at least temporarily until Microsoft finally figures out why your mail isn't being delivered.
We have also become aware of this issue around 17-19 December 2021 and it is still unresolved.
We tried to delist the IP using https://sender.office.com/ and contacted delist@messaging.microsoft.com and joined SNDS and JMRP and still no progress.
We submitted a support ticket to Linode a few hours ago but no reply yet.
We have hundreds of users on our Linode which is running cPanel and switching to a third party provider is not an easy and quick option.
Hope this gets resolved pretty soon!
we have same problem from 22 Dec.
Microsoft support request submit delisting of IP address to sender.office.com, but system telling that our IP is not blocked.
same time emails is not delivered and it's making problem.
Looks that mostly all Linode customers have same issue for last 15 days.
when we can expect resolving of that problem from Linode side ?
Hi isackey
Hey thanks for the - somewhat brutal - honesty, I really appreciate that. I've been researching this for the duration and this is first concrete thing thats been said.
Like the other comments - this is major for me.
Is your response an official Linode position ?
I have to say OMG - Linode would suggest, use someone else ?
What can we do to bring about a resolution? - microsoft seem to not acknowledge emails about this issue.
Again, appreciate the honesty, but 3rd party and doing nothing don't seem like viable options
I can confirm we've also seen this issue with servers in Sydney and Tokyo. Our IPs had appeared in the MS blocked list. We delisted them but are still seeing the problem. We had our first bounce related to this on 22 Dec 2021.
I can also confirm this issue, started from 22. DEc. 2021. We can't easily change our server to alternatives. I hope Linode will find a solution as soon as possible with Microsoft.
Microsoft didn't response to my e-mail yet..
I have to admit… this is the first time ever in our 10 years with Linode that I submit a support ticket and I still have no response 12 hours later. What happened to the amazing customer service?!
Our operations are severely affected by this issue and we deserve better communication from Linode.
@Linode staff Please share with us what/how you are tackling this situation and manage our expectations in an effective manner so we better handle our business and our clients.
Thank you!
Hi, hey further note to isackey
The use of Mailgun, assume others, is not an option
because they are api services - or at least authenticated, so if you have 2 virtual domains, the 2nd domain will use the same credentials.
It results in quite an ugly - sent on behalf scenarion
john@domain.tld on befalf of john@domain2.tld
Is there an update on this yet?
As @brayworth has indicated, mailgun changes the headers, so if sending from a second domain you get the fugly "on behalf of" in mail clients.
Has anyone found an authenticated mail relay service that doesn't mess with the headers like that?
A bit more information about this:
This doesn't seem to be down to Defender 365 - we're not using it on our 365 tenancy and we're affected by this
Adding a connector in Exchange to allow the IP as a partner site doesn't have any effect ( https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner )
Not all Linodes are affected. We have an existing mail relay in London and this can (currently) send mail to 365 users. We're using this to route our Tokyo and Sydney mails through and that seems to work-around the issue for us. Our working relay is in the 212.111.40.0/22 netblock.
Well… We could not wait for Linode and Microsoft to resolve this matter and Linode support team have completely ignored our support ticket submitted over 24 hours ago — for the first time ever in over 10 years working with them.
We have therefore integrated SendGrid this morning and had to verify every single domain on the server using CNAME records to prevent the ugly on behalf of issue.
It has been a tedious task to verify 85 domain names but hopefully it will be less hassle from now on.
I am very disappointed with the way Linode have handled this… It is really not like them!
Good luck to you all.
Hey folks – just an update, we're still trying to get this escalated with Microsoft. We believe this is an error. The Microsoft Deliverability team (with whom we frequently work) has told us IP addresses getting this error don't appear to be blocked; Microsoft's own IP delist portal also reports that these IPs aren't blocked.
We're hoping to hear from Microsoft soon. We'll update this thread when we have more information to share.
Dear @jackley
When Linode will sort out this problem ?
We know very well that Microsoft IP delist portal said to us, but we need solution.
We don’t want get answer once a day that you still communicate with Microsoft. We need result.
Our reputation is going down, because we can’t answer to our partners from our corporate emails.
And looks that we can’t get professional support from Linode.
We also have this issue, I reported it to Microsoft 8:30am (GMT) December 21st and they have not managed to find the IP or the problem. I have a support engineer emailing me updates, who has escalated it, but quite frankly its taking a ridiculous amount of time to solve. Especially considering it's Microsoft!
So in the meantime, as @isackey suggested, you can use 3rd party SMTP servers to send email. I am using smtp.com to relay sending email from Postfix. It's quite simple to setup. You can do it with other mail providers, e.g. SendGrid. Maybe even your own 3rd party server. It was important to ask SMTP.com set the return path to the originating email so the original SPF record still stands (apparently!). Here's how to configure Postfix to relay https://kb.smtp.com/article/944-postfix
Seriously, what's up with blaming Linode? Microsoft has been totally incompetent here, they are unable to find out what is blocking Linode? Seriously? Is there no logs in their systems?
It's MS' servers that cause the bounces, it's not Linode.
I've gotten through to their support system - sort of - but got nothing but a boilerplate "Nope. We're not going to help you. Here is our requirements (SPF records etc, that we already do). Nowhere are they able to tell in which way we are "in breach" of their policy.
It's incompetent. It's rude. And I am pretty damned sure Linode is just as frustrated as you are. Give them some leeway, and go on report this any way you can to Microsoft, too. And if you have people that actually are Microsoft customers that miss mail from you, they might have more luck as paying customers.
+1, from Frankfurt DC
Thanks @jackley for the update;
It certainly helps that Linode is on our team, so any updates are welcome.
I've also found valuable information in these posts - thanks for that !
I'm interested in both @amityweb and @BrianSalvador experience
amityweb - so that was a set once solution, not a per domain solution like BrianSalvador, and in addition - you had to send an email to smtp.com's support to ask SMTP.com set the return path to the originating email
that's it ?
it sounds like a simple solution (albeit the cost of the subscription)
thanks in advance
Glad to see it's not just me … been dealing with Microsoft randomly blocking my server since late November. Linode helps get it unblocked, then it gets re-added with a different error message a short while later. All reputation tools report the IP is fine (rDNS, SPF, DMARC, IPv6, etc are all configured correctly).
Our Tokyo server ip also affected in this issue, we have checked all common DNSBL, all passed not on the list.
@jackley the SNDS service does say the IP is blocked, but the delist service says it's not. Might be something to follow up.
https://sendersupport.olc.protection.outlook.com/snds/ipStatus.aspx
says:
View IP Status
The table below lists any IPs you are authorized to view that have an abnormal status. This data is updated once per day, so it may not reflect the current state of the IPs.
First IP Last IP Blocked Details
172.105.172.47 172.105.172.47 Yes Blocked due to user complaints or other evidence of spamming
172.105.179.64 172.105.179.64 Yes Blocked due to user complaints or other evidence of spamming
The second address is a NEW server set up two hours ago, new IP address already blocked.
Just to throw some more support behind the Linode crew: This type problem isn't new and isn't limited to Microsoft. The ATT/Verizon steaming pile of a mail system is also prone to random blocks of both Linode IPs and IPs from any similar cloud server providers. It has been happening for a few years but has gotten worse in the past two. There really isn't anything Linode can do besides try coaxing Microsoft to help sort out the issue. The good news is that they are probably one of the few groups who have a decent chance of getting a response from Microsoft/AT&T-Verizon. The big carriers really coudldn't care less if your mail gets delivered or not.
If you are running cPanel, be sure to configure the DKIM support and ensure your TLS certs are renewing correctly. If you aren't, learn how to use OpenDKIM and integrate it with your mail system. It does support signing for multiple domains. However, if you host email for multiple domains it's hard to get both SPF and DKIM alignment for DMARC since the reverse DNS for the server's IP will only align with one domain. That doesn't seem to affect deliverability too much as long as your DKIM setup works well and you are using SMTP over TLS. Register an email address to receive DMARC deliverability reports and process those on a regular basis to look for problems. So far, URIports.com is the least expensive DMARC analysis service I have found. Even with all of these fixes, problems like this will pop up.
@pmcneil Unlike your IPs, most users’ IPs here are not listed under snds and can normaly send messages to outlook.com/hotmail. You either got ip from a spammer or your server is compromised.
+2x London Linodes - same issues as everyone else.
Update - Frankfurt and Toronto also affected.
Also experiencing this.
Trying to delist using https://sender.office.com/ but gets the famous message that the IP isn't blacklisted.
It seems like 100 % Microsofts fault, but there are no way to get through there. It seems the only option now, is to utilize a SMTP service away from Linode.
The latest I've had from Microsoft support is:
"From what I can gather from our technicians on our end is that Microsoft is aware of the issue and is currently working to unblock the IPs in question as the complaints come in. If you have already submitted a ticket with them directly, be sure to include the IP ranges affected so Microsoft can unblock them from their end. After that it comes down to when they get to your request as there are a good amount they are currently working through at the moment."
Hi - Also experiencing this, exact same symptoms. SNDS showing no data for the IP and I, get no junk returned from JMRP…
After delisting an IP, 1 domain started accepting our mail again after a few hours, but 2 others didn't (all 3 outlook.com hosted domains). The 1st domain is now blocked again.
I went through the de-listing process a second time, it assured me the IP was not blocked and invited me to open a ticket - the form didn't work several times but I eventually got one in. A few hours later I was told (by WINLV.EDFS.WW.00.EN.MSF.RMD.TS.T01.SPT.00.EM@css.one.microsoft.com):
We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.
Not qualified for mitigation
XXX.XXX.XXX.XXX/32
Our investigation has determined that the above IP(s) do not qualify for mitigation.
…
(I've put the whole email into our open ticket with Linode)
And as you might predict, attempting to reply to that email only gets it bounced. I have got to this exact stage while hosting a mail server with another provider before - you can actually get responses from this team, but nothing useful. They won't discuss why you're blocked (it now seems evident they don't actually know). It is because of this I migrated a mail sever back to Linode…. who I'm really hoping have made some progress here?
@vittal_cognidox: Can you please advice where to submit such a ticket?
@Michael_Sahl We have a 365 account and we've submitted a ticket through there. See https://docs.microsoft.com/en-us/microsoft-365/admin/get-help-support?view=o365-worldwide
Is this because of Microsoft's blatant abuse of it's market share to extinguish it's competition using underhanded tactics like we've seen in the past, or is this due to incompetence and neglect? I don't know but either way it's unacceptable. In a way they are messing with peoples livelihoods. My customers aren't going to accept "It's microsofts fault, there's nothing I can do about it" for an answer. Eventually they are going to move on to another provider.
Same problem in EUA datacenters!
Since December 17th we are still blocked from send mails to Microsoft 365 accounts.
My customers are angry with this situation and it's not simple to migrate to another provider now.
We have found a solution, using the OpenSource anti-spam gateway called scrollout ( http://www.scrolloutf1.com/ )
But, the IP address of a server that host it, is new and the reputation is poor yet. We can send mails, but they go to the spam folder, and some mails bounced.
So we are still in trouble
@interactivesun Thanks, but you are incorrect. The IP is Linode's it is a small email server and very closely monitored. It is NOT compromised and is correctly set up (as have all my mail servers since the 1990's.)
I get no junk returned from JMRP but SNDS IP Status is showing the IP status above, despite the .64 address being brand new.
Started getting this yesterday. Spent most of today trying to wade through Micros**t's help pages and finding 95% of the links were stale or required a login at live.com. We don't have a login for any Micros**t services! Just now landed on this topic, so please LiNode, push harder against their turgid underbelly.
We've exhausted all options with Microsoft support and delisting attempts.
We swapped IP addresses with another Linode that has never been used to send e-mail, and this didn't help. The new IP address experienced the same block.
We subscribe to the JMRP and SNDS programs through Microsoft. These IPs are not listed as blocked. SPF, DMARC, and DKIM are all in place.
I opened a ticket with Linode about 14 hours ago but haven't gotten a response yet.
Same here… All MS options have been tried, Linode ticket unanswered for 19 hours.
Totally stuck, full of blocked emails.
We have MS accounts, but it doesn't make any difference.
Just tried telnet to outlook mx and sending email manually. On unaffected server this went through correctly and email got delivered to inbox, on affected server the moment you set recipient it triggers 5.7.511. Please note that I edited personal information/hostnames/ips
telnet somemx.mail.protection.outlook.com 25
Trying 104.47.22.138…
Connected to somemx.mail.protection.outlook.com.
Escape character is '^]'.
220 DB8EUR06FT018.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 5 Jan 2022 18:25:43 +0000
ehlo my.hostname.tld
250-DB8EUR06FT018.mail.protection.outlook.com Hello [xxx.xxx.xxx.xxx]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from: me@linode.server
250 2.1.0 Sender OK
rcpt to: somebody@o365.server
550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list please forward this message to delist@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [DB8EUR06FT018.eop-eur06.prod.protection.outlook.com]
It is because of this I migrated a mail sever back to Linode…. who I'm really hoping have made some progress here?
Me too. OVH were having their whole IP range blacklisted in exactly the same way. I got no replies from OVH about the issue.
So a year ago I moved to Linode. Sadly, after 24 hours I've had no reply from Linode either.
Can I suggest you run your IP through http://www.uceprotect.net/en/rblcheck.php
They are currently giving Linode's ASN an "Extreme" spam score, which may be why MS is blocking most of the range. They provide a list of the individual IPs causing the issues, I wish Linode would act to remove them for the sake of the rest of their customers.
@swiftoid I just compared ucprotect listings of affected ip and unaffected ip. In both cases level 1 was green and level 3 (network) was red. There was a difference on level 2 where affected had yellow and unaffected had green. While I doubt Microsoft uses ucprotect, they probabbly have their own implementation of ucprotect level 3, that they have no clue of its existance.
I've registered a free @outlook.hu email address for testing.
It seems now email is delivered to this address from my server (which is Frankfurt), however it landed in SPAM folder.
Is this issue come out also for @outlook.hu or @outlook.com addresses?
Yes we have the same problem. I opened a ticket with Microsoft and after two days of exchanging emails their latest answer was:
Detail checks from our end shows that the IP address xxx.xxx.xxx.xxx is not listed as also confirmed by the delisting team, therefore there is little or no help we can render. However, I will advise that you open a support request with Linode so as to help you look into the issue.
This is ridiculous answer because it's clearly Microsoft's problem.
We currently have two blocked server IPs, one in Frankfurt and one in London DC.
Hi all
I just did a test from my Linode (IP in London, previously blocked and reporting the same error as above) running cPanel and it was successful -
Received: from redacted.eurprd05.prod.outlook.com (2603:10a6:20b:4d8::2000)
by redacted.eurprd05.prod.outlook.com with HTTPS; Thu, 6 Jan 2022
04:44:27 +0000
Received: from redacted.NORP000009.PROD.OUTLOOK.COM (2603:10a6:f10:11::14)
by redacted.eurprd05.prod.outlook.com (2603:10a6:20b:4d8::2000) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1111.14; Thu, 6 Jan
2022 04:44:26 +0000
Received: from redacted.eop-EUR02.prod.protection.outlook.com
(2603:10a6:f10:11:cafe::2000) by redacted.outlook.office365.com
(2603:10a6:f10:11::2000) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1111.9 via Frontend
Transport; Thu, 6 Jan 2022 04:44:26 +0000
Authentication-Results: spf=pass (sender IP is [redacted])
smtp.mailfrom=[redacted]; dkim=pass (signature was verified)
header.d=[redacted];dmarc=bestguesspass action=none
header.from=[redacted];compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of [redacted]
designates [redacted] as permitted sender)
receiver=protection.outlook.com; client-ip=[redacted];
helo=[redacted].com;
Received: from redacted.com (redacted) by
[redacted].mail.protection.outlook.com (redacted) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1111.9 via Frontend Transport; Thu, 6 Jan 2022 04:44:25 +0000
So something has happened. I did a couple of tests, one landed in the O365 Junk folder, but I'll take that for now rather than being blocked. Anyone else having success? I'm going to be monitoring the mail flow throughout the day, but here's hoping the issue is getting resolved. (PS. I redacted and changed the actual details for privacy.)
@swiftoid That's very concerning. Did a check on my IP, came out as green. Did a check on my network block and it was in danger of being listed as it had a few offenders. And the entire linode network is as you say in the red.
So by the looks of it, this isn't coming out of the blue and there is a reason for Microsoft blocking Linode as a whole. Welp. Maybe time to look for another provider and migrate.
Talking to Microsoft support about this issue, is like asking the local gardener to fix global warming.
We have now implemented AWS SMTP-services and is running again through them.
Same problem here in all 3 datacenters we use.
We also implemented SMTP via AWS SES for now, but don't see the point of having to use two competing cloud providers…
I went with the suggestion, set up DNS with mailgun through all my domains, set up a separate relay transport rule in postfix. So at least my customers can communicate with microsoft users again. It's a temporary fix until this gets sorted out. Hopefully soon.
Please could someone talk me through setting up AWS SMTP-services or setting up mailgun as a separate relay transport in postfix? many thanks
@igennus we use Cpanel and used this guide:
https://support.cpanel.net/hc/en-us/articles/360056322734-How-to-use-Amazon-SES-as-a-Smarthost
Microsoft has asked us to perform some troubleshooting that we could use your help with. If you have a server with mail traffic being bounced with "Banned Sender" replies and an Outlook account with which you receive mail (or a client who is also willing to help), please perform the following steps and open a Support ticket to let us know the result.
Our Support team has been advised as to how to collect the information from this troubleshooting via ticket.
Here are the steps that Microsoft provided:
Please send an email to yourself on an Outlook.com account.
If the issue prevails then check by adding the email addresses of the recipients in the safe senders list.
In order to add emails to safe senders list please follow the steps mentioned below:
1. Sign in to http://outlook.live.com
2. Go to Settings > View all Outlook Settings
3. Go to Mail > Junk Email
4. Select “Safe Senders”
5. Enter domain or email address from which you are not receiving emails.
6. Click (+) icon
7. Hit SAVE.
After that, please try sending an email again. We're interested to know if the mail is delivered successfully or the bounce message received if it isn't. We intend on collecting multiple data points to ensure consistency in the resolution of this problem.
Thank you to everybody for your patience and willingness to help. We're aware that this is an ongoing issue and are working to resolve this as soon as possible.
I know others are going to read those MS instructions and just shake their head…
I did it anyways. Or at least in one case - because in most my cases the sender and recipient are both in my own domain and are already in the safe senders list.
It's the same error everyone else sees: 550 5.7.511 which happens during an smtp session right after you give the 'rcpt to:'.
In every case I've been able to find another Linode, same datacenter, that isn't impacted and relayed through it (after adding it to my spf and doing all the good mail server hygiene things).
I even found a few systems that have never sent mail (and the IPs have been mine for many years) and are also included in the MS block.
I'll submit the tickets so you can add it to the 'me-too' list.
Shaking my head, while performing this tests. I suggest opening many many more support tickets at Microsoft and reminding them that this issue is limited to Office 365 email servers only.
intteractivesun wrote, "this issue is limited to Office 365 email servers only"
Bingo. We can send to outlook.com and hotmail.com addresses fine.
We have a mail server being blocked with the 550 5.7.511 and we also have access to an Office 365 Exchange admin center. I can tell you that attempting a message trace from the Exchange admin side does not even show these messages. They're being deferred prior to being able to be traced.
We have tried setting a domain in the "Manage allowed domains" in our 365 account and testing. These failed. Again, these are being blocked prior to anything that can be controlled in the 365 admin center.
I'm also shaking my head. It is painfully obvious that this problem is nowhere near being solved, because those who have the power to do so are not understanding or listening to what the problem actually is. Something isn't being communicated clearly.
We've all gone through these steps ourselves already with Microsoft's "deliverability team". Linode, this needs to be escalated with Microsoft beyond their entry level support.
We can't send to outlook.com nor office365.com. On the other hand hotmail.com is just fine!!
Well, this is painful. Since the issue is so straight forward to reproduce (with telnet, see above), could we perhaps have Linode explore whether all of their net blocks are affected or just some.
If there is a range of IPs that works, maybe some temporary Linodes could be made available in those networks to paying customers as a temporary measure until the root cause has been resolved.
@_Brian,
If it helps, here is what we attempted in the Office 365 tenant's antispam portal located at https://security.microsoft.com/antispam portal. The messages are deferred before reaching these filters, so I don't think this was time well spent, but if MS needs you to go through the processes, then you may use this example.
We were asked to do this when I attempted opening a Microsoft support ticket from the Office 365 user side. After this was complete, we were told that a ticket needed to be opened by the sender. Obviously we used an IP and domain experiencing the issue, not "example.com".
Connection filter policy (Default)
Connection filtering
IP Allow list
- xxx..xxx.xxx.xxx
### IP Block list
Safe list
On
Allowed and blocked senders and domains
Allowed
Senders (0)
Always deliver messages from these senders
Manage 0 sender(s)
Domains (1)
Always deliver messages from these domains
Allow domains
Manage allowed domains
Add senders and domains to this list to ensure messages are always delivered to them.
List loaded
Add domains
- 1 item
example.com
Hi Guys,
I hate to be whipping a dead horse here (and I know you guys are working through it), but I have been stuck on the "utilize the portal found at https://sender.office.com/ to complete the process of IP removal" merry-go-round for the last couple weeks, I cant even respond to their tickets as they are being blocked, I run a small email hosting business and this is starting to have serious effects on me and my clients as I cant just explain to my customers to just go and use some 3rd party smtp outbound service and my excuses are starting to wear thin, its becoming a real worry - any suggestions that doesnt involve me telling my customers to go use another mail service would be awesome,
Stu
@stuangel open free trial o365 account. Open support ticket at Microsoft to increase awareness and that they get serious at fixing this.
You may also bag Linode for IP that is not yet affected, though there are no guarantees.
You may also try to use smarthost like sendgrid to relay mails (free 1 trial for a total of 40.000 mails), but with many domains, authentiaction might be painful. And if here is a better way I would love to know myself.
@interactivesun thanks for the response, couple of quick Qs from a non-sys admin perspective
1/ "open free trial o365 account" - will try that once I hit "post your reply"
2/ "bag Linode for IP that is not yet affected" - without digging through hundreds of documents, is there any way they could do this via routing (even at a cost), as I cant fathom what this would effect off the top of my head as I have a pool of 5 servers (not all email servers that rely on IPs etc)
3/ "try to use smarthost" - I am not fluent in relaying email, will doing something like this effect DKIM signatures etc?
best regards
Stu
@stuangel as for #3, it won't affect your existing DKIM signature. But you would have to set up a new signature that identifies with the outgoing relay you are going to use. Just leave your old DNS entries in place. At least that's what I have done, in case this gets resolved and I can stop using a relay host.
Hi @_Brian, thankyou for your advice
Hey Linode could supply Microsoft with a VM and let them see the problem first hand, it's accoss several datacenters
@interactivesun has supplied a very simple test
- Setup a Nanode - I tried Sydney/Nanode 1GB/CentOS Stream 8
- Log in
- dnf install telnet
below here - sub in some real values (this is @interactivesun test)
- telnet somemx.mail.protection.outlook.com 25
- ehlo my.hostname.tld
- mail from: me@linode.server
- rcpt to: somebody@o365.server
it reliably produced the result
550 5.7.511 Access denied, banned sender[172.105.168.78]. To request removal from this list please forward this message to delist@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [SY4AUS01FT004.eop-AUS01.prod.protection.outlook.com]
I've deleted the VM now, but that ip failed straight up
again - for clarity the issue is with sending emails to office365 accounts
thanks to those putting in positive efforts for resolution here
http://www.uceprotect.net/en/rblcheck.php
…says the linode network is level 3 spam listed.
They also say:
As you should know now: It is not you, it is your complete provider which got UCEPROTECT-Level 3 listed.
Your IP xxx.xx.xxx.xx was NOT part of abusive action, but you are the one that has freely chosen your provider.
By tolerating or ignoring that your provider doesn't care about abusers you are indirectly also supporting the global spam with your money.
Seen from this point of view, you really shouldn't wonder about the consequences.
I really like Linode. But uceprotect have a point.
@stuangel relay of email via another Linode server or some 3rd party smarthost is essentially the same thing. Though if you go with Linode even if you do get a working IP it might get blocked the next day, so let's concentrate on 3rd party smarthost.
In support ticket Linode suggested using:
https://groups.io/
https://www.smtp2go.com/
https://sendgrid.com/
https://www.mailgun.com/
Some users in this thread suggested also using Amazon SES
Whichever you choose, you will need to:
- setup an account at one of the smarthosts.
- authenticate each sending domain with additional dkim record and adding smarthost include to spf record.
- configure your mail server to route non local addresses through remote host. All this providers have their own tutorials for integration with various mail servers. This ones are exim specific:
https://support.cpanel.net/hc/en-us/articles/360036537354-How-to-use-SendGrid-as-a-Smarthost
https://www.smtp2go.com/setupguide/exim/
https://support.cpanel.net/hc/en-us/articles/360036537314-How-to-use-MailGun-as-a-Smarthost
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-exim.html
This is a great solution if you have few domains and send few monthly emails, but with many domains or many emails per month, this becomes unpractical or too expensive and I'd love to know a more practical solution.
We are also experiencing this from an email server running in London
It is difficult to assume that once the problem has been identified, it is taking days and days to solve it.
I imagine that the explanation we will receive at the end will be very, very, very rich in technical details.
Same here. Since 22/12/21. Over *** 2 weeks ago ***.
"To request removal from this list please forward this message to delist@messaging.microsoft.com."
Been sending these daily since Monday and not had a single response from MS.
Can't even reply to the auto-acknowledgements because "Banned Sender".
MS Delist portal won't even send to my linode-hosted addresses and when I use a gmail address claims the host IP address isn't banned.
I appreciate that Linode staff are working on it but "use a third-party smtp" is not a valid resolution and it's been 2 WEEKS.
Some detail (any detail???) would be perhaps be reassuring.
Update as I finally received a reply from MS:
We have completed reviewing the IP(s) you submitted. The following
table contains the results of our investigation.
More information needed
IP ADDRESS REDACTED
We were unable to identify anything on our side that would prevent your
mail from reaching Outlook.com customers.
If you are still experiencing deliverability issues, please reply to
this email with a detailed description of the problem you are having,
including specific error messages, and an agent will contact you.
Which is BS because they bounced my reply.
Hi there.
Exactly the same problem here. My Linode is on Texas DC [50.116.XXX.XXX].
My IP address is not listed on https://sender.office.com/ neither on https://sendersupport.olc.protection.outlook.com/snds/
My customers can't send emails to office365 destinations, which is used a lot by medium-large corporates.
Any news about it? It's really urgent.
Thanks a lot.
It looks like the whole linode network is spam listed, not individual IP's. For email servers that takes network level spam risk into account, this may affect you even if your individual IP is not listed since the Linode network is listed. This has happened because too many Linodes are spammers, and Linode has not taken proper action against these spammers according to the spam listings.
We are punished by this because we have selected and is giving our money to a provider (Linode) that does not take enough or proper action against spamming on their networks, unfortunately. This policy is defended by saying that since we use and support and give money to a provider that enables spamming and does not take proper action against spamming, we are contributing to the spam problem, and deserve the consequences.
I think Linode needs to take spamming on their network even more seriously and temp block smtp for those who are found to spam for this to be resolved and not happen again.
Have a look here, insert your Linode IP:
http://www.uceprotect.net/en/rblcheck.php
…says the linode network is level 3 spam listed.
They also say:
As you should know now: It is not you, it is your complete provider which got UCEPROTECT-Level 3 listed.
Your IP xxx.xx.xxx.xx was NOT part of abusive action, but you are the one that has freely chosen your provider.
By tolerating or ignoring that your provider doesn't care about abusers you are indirectly also supporting the global spam with your money.
Seen from this point of view, you really shouldn't wonder about the consequences.
I'm affected as well. Linode Fresno CA. Noticed this issue Jan 1st as people were returning to work. I have 350 unhappy clients.
Just like everyone else the IPs are not blocked in MS, maintain a 95+ senderscore, and are not on any blocklists.. except UCEPROTECT.
UCEPROTECT is such a scumbag service. Just read through their website, oof. They don't seem legit at all… and googling them brings up a ton of complaints about them.
I sincerely hope a company like Microsoft isn't using them for anything.
@epstudios
after seeing your reply I had a squiz and found this on Twitter from back in July 2021
https://twitter.com/ErzaEscarlet00/status/1415006860512567299
"sorry to reply to an old twit, but we cant just "ignore it" because for some reason Microsoft is using it in their spam lists. if you are in UCPROTECT LVL3 you cant send mail to office365, and a big % of the companies are already hosting their mail there."
looks like this might be it? unless MS has stopped using their service since then
has anyone shelled out for UCEPROTECTs extortion racket whitelisted.org and had any luck?
Stu
Hey folks. We've spent a bunch of time this week trying to work with Microsoft on this.
I do have a small update: Microsoft has requested some troubleshooting information, so we've been working with some customers to get that information back to Microsoft. We're also working on ways to escalate this even further.
We hear you. We're just as frustrated. This is not our normal experience with Microsoft and delisting requests. We routinely work with them to resolve deliverability issues for customers without such difficulties. This banned sender issue is new (our first tickets about this came in on 21 December).
It looks like the whole linode network is spam listed, not individual IP's. For email servers that takes network level spam risk into account, this may affect you even if your individual IP is not listed since the Linode network is listed. This has happened because too many Linodes are spammers, and Linode has not taken proper action against these spammers according to the spam listings.
We are punished by this because we have selected and is giving our money to a provider (Linode) that does not take enough or proper action against spamming on their networks, unfortunately. This policy is defended by saying that since we use and support and give money to a provider that enables spamming and does not take proper action against spamming, we are contributing to the spam problem, and deserve the consequences.
I think Linode needs to take spamming on their network even more seriously and temp block smtp for those who are found to spam for this to be resolved and not happen again.
I understand why you might think this, but we don't think this is correct. We have layers of automation to find and squash spammers.
I think Linode needs to take spamming on their network even more seriously and temp block smtp for those who are found to spam for this to be resolved and not happen again.
We do this. Additionally, every new customer since November 2019 has been restricted from sending email without first opening a ticket with us.
Microsoft maintains their own blocklists and we have no reason to suspect this has anything to do with UCEProtect (and I'm not aware of any bounced emails that specifically mention UCEProtect). MXToolBox has written specifically about spikes in UCEProtect listings. The level at which we're listed on UCEProtect has fluctuated throughout the year.
I think it's worth reviewing Microsoft's own guidelines and documentation for non-delivery reports (which is linked to from the error message). The specific error we're talking about here is this:
5.7.511 Access denied, banned sender The account you are attempting to send from has been banned.
Microsoft has other errors specific to banned IPs and banned ranges.
We hope to have another update next week.
I have a one Linode (London) that hosts a small nbr of domains. I sent an email to my dentist and received the following response a few mins later:
Info@somedomain.co.uk: host
somedomain-co-uk.mail.protection.outlook.com[104.47.21.36] said: 550
5.7.511 Access denied, banned sender[178.79.xxx.xx]. To request removal
from this list please forward this message to
delist@messaging.microsoft.com. For more information please go to
http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
[LO2GBR01FT025.eop-gbr01.prod.protection.outlook.com] (in reply to RCPT TO
command)
I sent the above to delist@@messaging.microsoft.com and got a reply with a ticket number saying they would get back to me in 24hrs. Didn't hear anything back for 3 days.
I checked on https://sender.office.com/delist and the IP was showing as not blocked.
I replied to the email that I had received in 1 and got another bounce back but with a mention of Frontbridge. After a bit of messing about - I realised if you send anything to delist@@messaging.microsoft.com other than the bounce back email (550 5.7.511) you'll get the Frontbridge response. Try to send anything like a real world email to delist@@messaging.microsoft.com and it will bounce back with a 550 5.7.511 with mentions of Frontbridge.
I joined SNDS & JMRP over a year ago - the IP address is "Normal Status", has been since day 1, is in zero blacklists except in UCE Level 3 (and we all know what that means). I have received zero emails from JMRP.
To anyone (Linode staff really) - the blocks have nothing to do with emails being undelivered to Hotmail.com, Live.com or Outlook.com email account recipients.
The issue is with emails being undelivered to email accounts on Microsoft's Hosted Exchange platform, i.e. Office 365. PLEASE FOR THE LOVE OF GOD, TRY TO UNDERSTAND THIS.
Linode staff - Asking folk to send emails to Outlook.com accounts is a complete waste of time. If someone at MS is asking you to do this, they haven't got a clue of what the issue is and are fobbing you off.
I must have gotten lucky, because I just received a mail from Microsoft that they are implementing a mitigation for my mail server's IP address and that I should be able to send mail to Microsoft's servers again after the changes has been replicated through their systems.
So for anyone struggling with this, I would suggest opening a support ticked with them directly.
1. I did get a response from MS to another ticket I opened using - https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75 - in fact I opened several.
In the field that says "Contact e-mail address (this email must be valid to receive the investigation report): *" - put in a Hotmail/GMail/Outlook/etc email address that you have, otherwise you won't be able to reply to it.
When you get an automated response, sit tight - there will be 2nd one within 1hr. This one will say -
We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.
Not qualified for mitigation
178.79.xxx.xx
Our investigation has determined that the above IP(s) do not qualify for mitigation."
2. My reply to this was:
Hello,
I have been using SNDS and JMRP for over 12 months and no issues have been reported with this IP (178.79.xxx.xx) - The IP has been shown as having normal status at all times and currently shows as having normal status.
This IP is on zero blacklists. rDNS, SPF, DKIM and DMARC are all setup correctly and have been from the start, so I do not understand why it has been blocked and why it does not qualify for mitigation.
Kind Regards
3. I subsequently got a reply:
Hello,
My name is Punith Kumar and I work with the Outlook.com Sender Support
Team.I do not see anything offhand with IP: (178.79.xxx.xx) that would be
preventing your mail from reaching our customers.
i.e. getting fobbed off because the L1 person doesn't understand.
4. persevere - I replied to this with the following email:
Hi Punith Kumar,
Thank you for your email.
I am unable to reply to your email or any email from
winlv.edfs.ww.00.en.cvg.bgl.ts.t03.esc.00.em@css.one.microsoft.com
from the IP - _178.79.xxx.xx _without receiving a message such as:
OLSRV.FOPE.WW.00.EN.WIP.BOM.TS.T01.DLS.ST.EM@css.one.microsoft.com: host
css-one-microsoft-com.mail.protection.outlook.com[104.47.53.36] said: 550
5.7.511 Access denied, banned sender[178.79.xxx.xx]. To request removal
from this list please forward this message to
delist@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653 [1]. AS(1410) [BL2NAM06FT013.Eop-nam06.prod.protection.outlook.com] (in reply to
RCPT TO command)
this clearly shows that a block is in place.
Regards
5. I got another reply:
Hello,
My name is Leema and I work with the Outlook.com Sender Support Team.
We will be looking into this issue along with the Escalations Team
regarding IP: [178.79.xxx.xx]. We understand the urgency of this issue
and will provide an update as soon as this is available. Rest assured
that this ticket is being tracked and we will get back to you as soon as
we have more information to offer.Thank you for your patience.
Sincerely,
Leema
Outlook.com Deliverability Support
6. My reply to this escalation email is\was
Hello,
Thank you for your email.
Our mail server's IP address appears to been blocked by any domain hosted by Office 365.
Hotmail.com and Live.com appear fine.
When I request that the IP address is removed from the block list, the automated email response is:
We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.
Not qualified for mitigation178.79.xxx.xx
Our investigation has determined that the above IP(s) do not qualify for mitigation.
The IP address applies to a Linux server which is shared by a small number of domains, all of which are affected by this block.
The IP address does not appear to be being blocked by Office 365 (or so the Delist portal states). Yet sending an email to an Office 365 hosted domain results in the following type of error:
Info@somedomain.co.uk: host somedomain-co-uk.mail.protection.outlook.com[104.47.21.36] said: 550
5.7.511 Access denied, banned sender[178.79.xxx.xx]. To request >removal from this list please forward this message to delist@messaging.microsoft.com. For more information please go >to
http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
[LO2GBR01FT025.eop-gbr01.prod.protection.outlook.com] (in reply >to RCPT TO command)
When I check the IP address in SNDS it shows that it has a "Normal status" and has done for at least 12 months. When I managed to speak to someone at Microsoft via the telephone, they were able to confirm that the mail flow was clear and they couldn't see the IP address on a block list at all.
I have also received no notifications of junk mail reporting via the JMRP system for this IP.
What I need to know is:
Why is the IP address on this list which neither myself or the representative at MS were able to view/access?
Is it just this single IP address that's affected, or a whole range?
How can our mail server's IP address be removed?
Please let me know if you need me to send any specific email header information to help diagnose and resolve the problem.
It appears to suggest that the IP's presence on the block list is irreversible. Is this the case?
We are not in a position to change the IP address for the mail server, so we need to have it removed from the block list.
Kind Regards
No response to my last email yet, it's been almost 12hrs.
I'll post up what the response is from MS.
Sadly it's like having an issue and repeatedly getting the "Log off & back on again, and if that doesn't help reboot your PC." - you know the type I'm on about. Even when you know more than L1 & L2 you have to play the game to get to L3 and they usually know exactly what the issue\fix is.
In my earlier message:
- I did get a response from MS to another ticket I opened using - https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75 - in fact I opened several.
I'd suggest you open at least 2 - increases your chances of at least one of the tickets being read by someone who knows what SMTP actually stands for.
If both tickets get fobbed off with "we can't help you" - open another 2. Throw enough tickets - odds are you'll hit a real person as opposed to an idiot.
I work for an email host in Norway and we have experienced the exact same bouncing issues and futile attempts at getting Microsoft to act on this.
When it comes to Microsoft being slow as molasses at investigating and fixing this problem, I do understand that companies as large as Microsoft need to have pretty strict barriers as to which tickets that gets to be escalated to higher level technicians and which (probably the vast majority) that perfectly fine can be answered with a pre-written template.
But seeing how many have been affected and subsequently have been in touch with Microsoft, I have much less of an understanding that this now can drag out in time.
Since we got the first reports on the 21st of December we have contacted Microsoft several times, every day. At first we naturally thought that one of our own clients might have caused the IP to be blocked, but we quickly understood that this was highly unlikely as a thorough internal investigation of our logs found absolutely no evidence of spamming or any other suspicious behaviour.
At this point we are leaning towards not only seeing this as a technical issue, but also as a legal one. Tort liability can and will occur when your actions, or lack of them, cause another entity to lose money. This might in some cases even occur before you are aware of the risk of damage, but after you have been made aware of the risk and you still do not amend your behaviour to not cause damage you will most certainly be liable. This is basic tort law, and most legislations all over the world will have implemented this in some way or another.
Another legal aspect here is that this issue seems to affect a lot of servers located in the EU, and also servers (that is Linodes) owned by companies located within the EU or EEC. This means that the issue is subject to EU law, where strict rules apply to combat misuse of majority market share and lack of free flow of services, capital and information.
Most of the small businesses affected by this issue will not have the resources to pursue legal action towards Microsoft, but perhaps Linode have a legal department that could look into this.
Another possible option would be to consider doing it class action, and a third could be that reps from a EU business affected contacts their MEP.
Banging our heads against friendly, but nonetheless helpless, staff at lvl 1 over at Microsoft will not help. The last two weeks have pretty much made that crystal clear. The prospect of a massive EU fine might at least rise an eyebrow at some higher ups at Microsoft, hopefully.
On a sidenote, even though UCEPROTECT seems like a somewhat scammy scheme akin to the likes of SORBS etc., we did shell out for their "unlisting fee". This was about 24 hours ago, and it did not in any way help with the bouncing of emails sent from our server to accounts using Microsoft Office 365. So I think it is rather safe to say that those 25 Swiss Francs were a waste.
@pascual I am also situated in Norway and run a fairly small business. Problem with a lawsuit is that, while Microsoft might be slower than molasses, pursuing this through legal channels will take years (unless you can file a temporary injunction/midlertidig forføyning but I doubt this is applicable in this case).
I have now had a dialogue with Microsoft and a technician there that have incredibly enough not served me with pre written templates. And they say they have implemented a mitigation for my linode running my email server. That response was sent yesterday at midnight and my mail still gets blocked (though the technician said that it will take up to 48h for the change to replicate through all of their systems. So we will have to see).
I am all for a class action lawsuit in any case. If not to pursue an immediate resolution (which a lawsuit will not bring), then to pursue damages and just for the sheer principle of it. Microsoft has a very bad history with antitrust and even if this is not a willful anti competition measure from their part, the precedent set in previous cases where Microsoft where involved puts Microsoft at a disadvantage as a defendant. Especially given their market position/share within email hosting.
Would you mind sharing a summary of how that contact was done? There are so many different ways of opening tickets with Microsoft, so there is a chance you have found a more efficient one.
I also completely agree with you on the other points. Whether deliberate or not, the effect that Microsoft causes here by lack of action is effectively pushing their competition out of business.
I have had several customers asking me the laste week if moving to Office 365 would fix the problem for them, and I can't lie to them - of course that would fix it.
@pascual sure. As you say there are so many ways of opening tickets, and I recon I've explored most of them too, so I would have to backtrack a little bit. I know I filled out a form somewhere, because I've also tried to send a mail to them directly (trough the contact info in the refusal/bounce email), and reviewing my last sent items in my mail, none of those where related to the reply I got from Microsoft. I'll have to shift through my browser history.
edit: There's a specific contact form on Microsoft's webpage for requesting support when you're IP's are blocked. But the URL in question for opening a ticket has a hash appended to it, so I'm a bit reluctant to share it publicly as that is in no doubt tied to me personally. It's not this one there's actually another page I randomly stumbled upon and I can't remember where it was, I am frantically shifting through my browser history at the moment /o\
BTW, if you haven't already done so I would first of all signup to Microsoft's Junk Email Reporting program (JMRP), by filling out this form
The search continues. I'll let you know if I find it
Microsoft support is completely incompetent. We are stuck on Level1 and they can't even understand the issue. I asked them to escalate the ticket but nothing. After two calls and having exchanged a lot of messages their last response was:
On the call i informed you that the domain info@xxxxxxxxxx.xx is not associated on this tenant and to any tenant, and I advised that you raise a support request where the domain is associated with for troubleshooting purpose. You confirmed that the domain is from an external sender.
He is talking about the sender domain which is associated with one of the blocked IPs. Totally unacceptable and i am not sure they have even read what i wrote them so far.
We are a small dev/hosting company having many affected clients.
The funny thing is that we also have ~200 users on Office365.
The issue is with emails being undelivered to email accounts on Microsoft's Hosted Exchange platform, i.e. Office 365. PLEASE FOR THE LOVE OF GOD, TRY TO UNDERSTAND THIS.
Linode staff - Asking folk to send emails to Outlook.com accounts is a complete waste of time. If someone at MS is asking you to do this, they haven't got a clue of what the issue is and are fobbing you off.
Exactly!
@kpapamanos
I feel your pain. Dealing with Level1 is rarely pleasant.
For what (little) it may be worth, I would suggest you open a ticket (or few) via
https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75
(even if that's the mechanism you already used) and feel free to use my replies to them as a template.
It's just a numbers game - throw enough tickets at them & at some point, there's a chance someone at MS with more than a few brain cells will pick up the ticket.
What I would additionally suggest is this - in the above form (for at least 1 ticket), put in your email address (related to the IP that's blocked).
When you get replies to it - reply back which will be blocked, forward the thread to your hotmail\gmail\etc account and reply from there (doing a CC to your blocked IP email account).
You may need to do this reply from your blocked IP every time, then forward to your hotmail\gmail\etc and reply from there with a CC every time. Annoying extra step\s but it will keep the bounce back headers in the email thread.
That way when they try to fob you off, ask why your replies from your email account (at the blocked IP) are getting blocked with a bounce back.
That did get me from Level1 to Level2 - although not sure what Level2 is going to do.
https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75
That's the form I used. Seems the hash is just an identifier for that form and not me.
Just thought to send an email to a friend whose email is on the MS Hosted Exchange platform, i.e. Office365 and got:
user@somedomain.com: host somedomain-com.mail.eo.outlook.com[104.47.1.36] said: 550
5.7.511 Access denied, banned sender[178.79.xxx.xx]. To request removal
from this list please forward this message to
delist@messaging.microsoft.com. For more information please go to
http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
[VE1EUR01FT021.eop-EUR01.prod.protection.outlook.com] (in reply to RCPT TO
command)
I've sent & received emails to\from this user numerous times over the last few years and had zero issues, so the IP block is still in place.
To any Linode staff reading this - the bit in bold in the 1st line, is where the issue is - nothing to do with outlook.com recipients.
I have just spoken to a reporter at Politico.EU who has previously done reporting antitrust and Microsoft.
They might be interested in doing a story on this if they are provided with evidence that it is indeed affecting a lot of different businesses.
I was just reading round on Google about what it would take to use an external SMTP service and came across the following article on Linode - https://www.linode.com/docs/guides/postfix-smtp-debian7/
The date of it looks rather suspicious - almost like a warning of things to come, i.e. Linode know the issue, won't or are unable to do things and folk with Linode mail servers will be forced to use 3rd party SMTP relays.
@dibsh
Users can submit Linode docs too. Santiago Ti found a solution, and published a guide. I would do it too
After trying a few times via delist@messaging.microsoft.com to escalate my IP (linode Sydney DC) blocked, Microsoft did eventually reply on Friday beyond the generic canned response, stating the "Anti-Spam Team would investigate the IP address's traffic history and current activity". I also have a ticket going as a Microsoft hosted 365 customer.
Perhaps Microsoft actually did something, as I can email my hosted 365 domain again today. HORAY! Fingers Crossed it stays that way.
Ongoing problem however, emailing an outlook.com address still bounces with "Unfortunately, messages from [172.105.xxx.xx] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140).
@RedisK
Fair enough. I suppose with the not so great response from Linode support - one starts seeing things that perhaps aren't there. :)
Being a weekend I'm rather surprised to get an update:
Hello,
My name is Yaqub and I work with the Outlook.com Deliverability Support Team.
We continue to look into this issue along with the Escalations Team. We understand the urgency of this issue and will provide an update as soon as this is available.
Thank you for your patience.Sincerely,
Yaqub
Outlook.com Deliverability Support
Whilst not a fix, at least I haven't had a "computer says no" one (yet).
Good luck to all of you waiting for resolution!!
I'll gladly share our full story here in short:
Blocked on Dec 20th. After daily conversation with Microsoft (via support ticket through our O365 account - admin.micorosoft.com) we finally got unblocked on late Dec 23rd. It did not work on the first try, but they managed to get it unblocked on the 2nd try.
This stayed until Jan 4th when we got blocked AGAIN and it's still blocked.
Throughout the conversion for our first unblock and after a lot of severe complains from my side and a request for an explanation WHY we got blocked (root cause), I got a response from "Himansukh, Microsoft Office 365 Technical Lead":
It contains a lot of text about IP reputation in general and "how to be a good mail hoster" and so on, but also contains this very text at the very end:
Please note that this is NOT the RCA [root cause analysis] for this specific issue so if customer asks our IP’s reputation was already good, our tenant was not compromised, we did not exceed the sending limits etc we can’t and won’t be able to answer why specifically it was blocked. At least one of the above-mentioned reasons could be the cause or maybe something in addition to those.
Mind the part "we can’t and won’t be able to answer why specifically it was blocked".
So the Technical Lead officially tells us they have no clue at all why their system blocks something.
My takeaway from all this => Their anti spam AI simply got out of hands and got wild. Now they are not able to tell anymore why something was blocked. It is just blocked because the AI decided to.
(I might be wrong about this, but this is the only explanation for me, which is consistent to what the tech lead says)
I am fully with you that it is about time to drag all higher managers of M$ out of their beds and in front of the judge. Furthermore, take away their full year's salary, they don't deserve it. How can one of the richest IT companies in the world run a service, where they don't know WHY something happens in their system?
I got a response from "Himansukh, Microsoft Office 365 Technical Lead"
One thing you have to understand about M$ is that it's not a tech company…it's a marketing company specializing in fear, uncertainty and doubt. M$ could care less about it's customers. This is the true legacy of Bill Gates & Steve Ballmer!
Employee titles at M$ are on the same level of banks (where a promotion from "teller" makes you a "Senior Vice President") and WWF championship match award belts ("InterGalactic Federation of Planets InterSpecies Champion"). Ergo, Mr Himansukh is the support 'droid (probably his actual organization title) who drew the short straw…
Office 365 is a hosted service… Most of the management of the O365 platform was shuffled off to low-wage/-skill entities long ago. Redmond is only in charge of the marketing hype. You get what you pay for…
It could be worse…at least Mr Himansukh has acknowledged the problem is theirs. Be prepared for the "Senior VP of Hosted-Platform Development" (second-level support 'droid) to disavow Mr Himansukh's statement completely if the problem gets escalated to him.
M$s usual tactic would be to blame you…for using a non-M$ provider in the first place. You can bet that no Exchange server anywhere in the world is blacklisted…no matter how much spam it spews out every microsecond of every day…
There are a lot of smart people that work at M$. NONE (zero, goose egg, nada, bupkis…) work in General Customer Support. Working in General Customer Support either by design or demotion is a serious CLM (career-limiting move). Working on customer-specific support teams (e.g., Nike or Intel here in the Pacific Northwest) is a different story.
-- sw
so I got the standard response with the likes of
My name is Xxxxxx and I work with the Outlook.com Sender Support Team.
I do not see anything offhand that would be preventing your mail from reaching our customers. For the following IP (xxx.xxx.xxx.xxx)
then all the standard copy/paste blocks of text, but for some reason it all felt like an advert leading to
Return Path's IP Certification (https://www.validity.com/products/returnpath/certification/) is the only service to which we subscribe
I have replied asking he escalate my issue rather than the standard script responses, I am wondering if anyone is part of this "Return Path IP Certification" and if you still have the same problem?
Stu
quick update:
My name is Raju and I work with the Outlook.com Deliverability Support Team.
We will be looking into this issue along with the Escalations Team regarding this IP: (xxx.xxx.xxx.xxx). We understand the urgency of this issue and will provide an update as soon as this is available. Rest assured that this ticket is being tracked and we will get back to you as soon as we have more information to offer.
Thank you for your patience.
I am not going to be holding my breath (btw ~ I did have to request escalation to an actual tech at least twice)
Stu
I wonder if there are any reps from companies here that have any good news? Have you been able to get this issue sorted for your email servers? If so, would you be so kind to share any information that you can as it might give valuable hints to the rest of us?
Well, there has been three days since Microsoft said they would implement a mitigation for my mail server, and still no bueno.
We have implemented mitigation for your IP: [...*] and this process may take 24 - 48 hours to replicate completely throughout our system.
:/
I couldn't help but chuckle at the little green button at the top of this page offering "Free Cloud Migration" - does that include out as well as in?!
Hey everyone, just a small update: our case with Microsoft is being escalated and we're expecting a response within 24 hours.
@jackley Good luck with that, I've been waiting a week for a response from the escalations team.
Today I received the first response to a support request sent on January 2nd.
I am currently balancing outgoing email from 5 linodes between 2 different providers while we wait for news from linode or microsoft.
The most recent email received from Microsoft: (2 days ago)
Hello,
My name is Sai and I work with the Outlook.com Deliverability Support Team.
We continue to look into this issue along with the Escalations Team. We understand the urgency of this issue and will provide an update as soon as this is available. Rest assured that this ticket is being tracked and we will get back to you as soon as we have more information to offer.
Thank you for your [blablablah]
@jackley please keep update the latest status, our mail server located in 139.162.64.0/19 affected by the issue since late December. we tried every way to report and deal with M$, none progressing. really high stress because of this issue.
@jackley Yeah, I sincerely hope that you will receive good news soon, but from what I have understood that last couple of weeks is that Microsoft low level technicians have a very peculiar interpretation of the term "escalation".
One of our recent lines of communication with Microsoft seemed somewhat promising as we finally were able to get hold of a real person that was not just purely droning out templated answers. This has been going on of 6 days. However, the following was the answer I got after providing vast amount of technical documentation and all the proof found in this thread and others that something actually happened on the 21st of December.
Hello Pascual.
Thank you for your response.
I do understand your concern regarding this issue; however, I support Microsoft 365 Online Professional Support and our support scope does not include the provision of root cause analysis as we are a break and fix team.
Regarding this issue, I will highlight your concerns with the internal team, but we are only able to troubleshoot and work on this issue within the bounds of the affected tenant, in this case, it is the […] tenant.
Hence why we require the report mentioned as requested by the internal team.
Looking forward to your feedback.
Warm Regards,
[…]
Let me translate that from BS to English:
What I am basically telling you is that I am willing to ignore a plethora of information regarding what might be a serious malfunction for Microsoft in Europe for purely formalistic reasons.
Please do let me know if I can waste more of your time on this lovely journey towards your complete exhaustion regarding this issue.
Love and happy thoughts,
Your caring Microsoft Drone
… does not include the provision of root cause analysis
I got the same text. I answered them that we are a paying customer and it's their obligation to prove that we are doing wrong, if they block our incoming connector's server. Until they prove things, it is simply a violation of the contract.
The next answer came from the "Technical Lead", see above.
… as we are a break and fix team
Dear M$:
Yes you "break" things, that's for sure.
But how you "fix" things without knowing the cause (hello RCA), is the real magic.
This has been a problem for me as well with server IP 50.116.31.253. Microsoft support has been useless.
I am warning my customers about this:
https://www.htmlvalidator.com/CSS-HTML-Forum/viewtopic.php?p=12739#p12739
And recommending they contact me with a properly working email address like a gmail account.
All efforts to get any helpful/useful response, solution, or results from Microsoft have failed thus far.
What exactly is it that you people expect Linode to do? Nothing is broken on their end. They have nothing to fix. All they can do is beg Microsoft to pull their heads out and how well has that ever worked for anyone?
Following. Having the same issue with all our servers. Coincided with moving a load of clients from one server to another one, so assumed it was down to the IP we were moved over to - but seems its much more widespread than that!
What do we expect Linode to do, @Computerlink (and all the others who seem to think we're being unfair to Linode)?
- Spend more time dealing with abuse (especially spam) on the linode network. http://www.uceprotect.net/en/rblcheck.php (search for the ASN 63949). You can see many level 2 listings within the network, and the network as a whole is listed on level 3. Granted, no one should be using level 3, but its indicative of reputation on the network as a whole.
- Use their relative clout (in comparison to us, their individual customers) as a provider with a reported 560,000+ IPs to pressure Microsoft in to doing something about it. Individually, we get a canned response from Microsoft or at best one of us gets the problem solved. Linode have a much better opportunity to actually get the problem fixed for everyone.
- Provide an SMTP relay (outside of the Linode network) for those still affected, in order to mitigate the problem until it is fixed.
Same problem here, about to setup SMTP relay with duocircle for some of my domains.
I hope this is rectified soon :(
now the linode network is no longer L3 listed on uceprotect, so it should work fine now…nice!
@eriknuds, sadly it's not that simple. As far as I can tell, Linode servers are still blocked by Microsoft
I just got another response from Microsoft on my latest ticket, with a new "twist":
Yes, unblocking using sender.office.com is expected to not work as the IP is not blocked in Office 365's end in the first place.
I replied the question who else is blocking it then…
Let's see where this road ends.
We have one MX hosted at Linode which is (was at the time) listed in UCEPROTECT L3 only and one MX at DigitalOcean which is listed in UCEPROTECT L2, L3 and scientificspam list too. Whereas MX at Linode is blocked the other one at DO can deliver emails to 365 users without any issue (although listed in L2+L3). So I assume it has really something to do with internal Microsoft's reputation algorithm.
BTW both servers are registered in MS SNDS list since last Friday but it doesn't have any impact.
From my experience in these days, IP-s of USA based linodes are able to deliver to MS 365 domains, but get rejected from hotmail.com and outlook.com(possibly other aliases). Europe based linodes, are able to deliver to outlook.com/hotmail.com, but get rejected for MS 365 domains. Quite a Messcrosoft.
Can confirm that this is still an issue for Linode's IPs in Canada as well.
My IP is in a good standing in SDNS, yet I'm a "banned sender".
Also, please stop mentioning UCEPROTECT, nobody in their right mind uses this ransom-demanding "service". I was able to send to Outlook even when Linode was in this list, so MS definitely does not use it.
anybody could get a resoulution to this issue? we're still having the same problem although contacted microsoft & linode multiple times.
I started getting some replies to the tickets, after 5 days, but the IP's are still blocked. Let's hope is the beginning of the end of this nightmare.
Seems like Microsoft is intentionally dragging this, there is no way that could be so incompetent. And that they are able to produce only one useless offtopic response per day. They also deleted discussion at https://docs.microsoft.com/en-us/answers/questions/674558/550-57511-access-denied-banned-sender.html
Those that keep mentioning outlook.com/hotmail deliverability please note that you have additional issue that is not related to 5.7.511. Sign up for jmrp and delist your ips.
What we should do with 5.7.511:
- involve press
- open o365 trials and open alot of tickets
- record phone calls with Microsoft support, will be usefull for press and lawsuit
- action class lawsuit
I was just checking "sendersupport.olc.protection.outlook.com" to see if there were any updates and I found this interesting,
it seems some bloke named Jose is requesting access from 172.105.160.0 to 172.105.191.255
Jose Glz | office2017@kembio.com.mx | 172.105.160.0 | 172.105.191.255 | Pending initial verification
I know its still in "Pending initial verification" but should I be worried in any way? or does Linode have a sideline business making cleaning products in Mexico?
Stu
@interactivesun writes:
Seems like Microsoft is intentionally dragging this, there is no way that could be so incompetent. And that they are able to produce only one useless offtopic response per day. They also deleted discussion at https://docs.microsoft.com/en-us/answers/questions/674558/550-57511-access-denied-banned-sender.html
Grasshopper…you have much to learn… The House of Gates never admits error. To admit error invites unwanted scrutiny.
-- sw
Linode support directed us back to this thread.
Linode IP's in Sydney are also affected.
Microsoft are definitely dragging the chain here. Best solution seems to be to keep submitting tickets to MS and then asking their useless L1 support to escalate the problem.
I can confirm the block at 6:30UCT Jan 12 of a Linode server (in Jose Glz's pool ;-) ) that is no longer listed in the extortionist UCEPROTECT L3, is ok with SNDS and that is reported not to be blocked by sender.outlook.com Sigh.
@lymac where do you report this to M$? I've tried emailing sop many times to delist@messaging.microsoft.com , but no reply on any. Is there a portal we can put a complaint in at on M$'s end?
I don't know if it's related but we've started getting emails from companies that use Microsoft email services saying that Microsoft consider the emails are not trustworthy. The senders are not small companies. We receive emails where the original web links have been stripped and a link inserted at the bottom directing us to https: // account.activedirectory.windowsazure.com/?tenantid=[a long hex id]&login_hint=[our sales email], followed by a Microsoft disclaimer; which is triggering our people to flag it as possible phishing, especially as https: // account.activedirectory.windowsazure.com takes you straight to microsoftonline.com! All this domain obfuscation can't be helping.
Don't know what this means apart from a) they're "reading" emails, and b) maybe something's been released in to the wild before it was properly tested, surely not! and now they are coping with a system running out of control; which may explain the silence and try this / try that approach.
@youradds …
start here … https://sender.office.com/
First the automated tool tells you that the IP is not blocked, but gives you a link that you can use to create a support request.
Click the link, fill in the form. A Level 0 MS tech will then reply with a standard form and tell you there's "apparently" no problem
You then tell MS they are full of shit and it obviously IS their problem. They would know this if they had actually read the returned error message from their server that you already pasted to them. Tell them to "Please escalate this case".
MS will then ignore you for a while, before eventually sending another form email saying that the case has been escalated. They may also tell you to sign up for anti spam services that will do you absolutely no good at all. Ignore them. Keep spamming MS with more complaints. MS will then begrudgingly admit that they're looking into the problem but have no clue whats wrong.
Rinse. Repeat.
@stuangel This Jose Glz with email office2017@kembio.com.mx is also pending verification for 139.162.160.0 through 139.162.191.255. This certainly is no Linode staff member and will not help with 5.7.511 issue. Worst case is that he might be phishing for emails from complaint feed which would reveal email addresses and potentially additional personal information for identity theft. This is a big no no. In case this ever gets validated, go to Access Control and request reauthorisation.
@interactivesun - I also noticed a user called Trust and Safety with the email linodetrust@gmail.com on SNDS, same IP range as Jose Glz, which also seems quite fishy, so I've required a reauthorization, as I don't expect Linode staff to use a gmail account.
On SNDS, I've got
Trust & Safety - linodetrust@gmail.com with Normal access status for 139.162.192.0 - 139.162.223.255.
Jose Glz - office2017@kembio.com.mx with Pending initial verification for 139.162.192.0 - 139.162.223.255, and Reauthorization required, grace period in effect for 178.79.128.0 - 178.79.191.255.
The linodetrust@gmail has been there for quite some time. I'm going to hit Request Reauth, if it's legit, I'm hping Linode staff will pipe up.
Looking at JMRP, I can see
- I have View access Type
- Trust and Safety linodetrust@gmail.com has View
- Jose Glz office2017@kembio.com.mx has Manage
How on earth do I remove Trust and Safety and Jose Glz?
That gmail address was a stopgap we used to address an entirely different problem from Microsoft. You can stop requesting reauthorization for it, it's actually us.
Hey Everybody,
We’re still working with Microsoft regarding the “550 5.7.511 Access denied, banned sender” error and are treating this problem with the most urgent priority. While we cannot control how long it takes for Microsoft to address the issues on their end, we do have potential solutions that we can offer in order to help customers avoid the current “Banned Sender” bounces:
- Our team can swap your current IPv4 address with a new one unaffected by these blocks. If you choose to swap IP addresses and need to update DNS records to use the new address, let us know and we can temporarily add the new address while your records propagate to avoid downtime.
- We can offer you an additional IPv4 address unaffected by these blocks. Additional IPv4 addresses incur a $1/month fee.
- We can route an IPv6 /64 range to your Linode for you to configure for sending email
- This is recommended for customers that wish to use IPv6 whose recipients may be impacted by RBLs that list the /64 subnet containing Linode default SLAAC addresses.
- You can use IPv6 for sending email from your Linode’s SLAAC address.
If you're interested in any of these solutions, please open a Support ticket and someone from our team will be happy to assist you. We still intend on finding a resolution to the original issue, but we'd like to get as many of you up back and running as we can, as soon as possible.
Thanks for this. I've requested a second IPv4. Unfortunately a lot of O365 customers don't have AAAA records setup so it's IPv4 only.
Hello Linode and @_Brian,
How about an unblocked open relay on your network that I (and others) could use to send email until this problem is resolved? Would this work?
Hey @htmlvalidator – that's not something we're considering at the moment.
Still suffering from this issue unfortunately.
The Level 3 UCEPROTECT blacklist has expired (or otherwise went away), but the sending issues do continue. This leads me to think that the UCEPROPTECT listing isn't used directly by Microsoft, which is comforting.
I wonder if, however, they're using a similar 'nuclear' method of assessing which IPs can/cannot send to O365 by blocking entire subnets.
I'm really shocked that this is taking so long. It's been 3 weeks, and the clients on my Linode servers are rightly upset and confused about the situation. It's pretty frustrating.
Anyways I know this is a Linode thread - by has anyone noticed this issue on any of their non-Linode servers?
I wonder if, however, they're using a similar 'nuclear' method of assessing which IPs can/cannot send to O365 by blocking entire subnets.
Most likely they have their own, home-grown reputation-scoring system. The details of which would be an M$ state secret.
-- sw
Before, I nearly constantly saw that my IP was on the Level 3 UCEPROTECT blacklist. MXTOOLBOX monitored me, my reputation decreased by 1 point only. I didn’t had any delivery issues. I also asked linode about it, they told me the reason: your IP is listed because somebody in your IP range did something ( sent spam or similar).
This listing usually resolves itself and than comes back.
For me it seems that the current MS issue is not related to this blacklisting. Neither before neither now. Before I was listed and delivery was perfect, now I’m not and delivery to MS is still critical.
Now I’m using Sendgrid for delivery, changed around ~100 domain’s DNS… Do you know what happened? Their IP also got blacklisted! I’m able to send emails to MS but now my other clients opened a ticket regarding email delivery.
What I’ll do: ask for a +1 clean IP from Linode, set my Postfix to use that for delivering only and keep Sendgrid as a backup.
Hi @_Brian
How do you distinguish between "clean" IPs that you are offering as a replacement, and banned IPs? Is there a test I can apply to my own IPs?
Please note: the IPv6 workaround won't work. IPv6 support for outlook tenants is opt-in; until it is enabled, the MX won't accept email and the AAAA record will not be published in the DNS. Most companies - anecdotally, 100% of recipients we need to deliver to - do not opt in. Since there's no SMTP service to which the traffic could be routed over ipv6, and no (simple, for the purpose of e.g. postfix transport maps) way to distinguish between outlook tenants and everyone else, I don't see how IPv6 could be useful to solve this problem.
@Arklogic, we've configured Postfix to use an SMTP relay to a local hosting provider here in the UK, all's working well at them moment with no more bounces.
We are in and out of Level 3 UCEPROTECT on a fairly regular basis. We had been on their Level 3 warning for some considerable time before I spent a bit of time polishing up our reputation. Now, every time a Shopify marketing campaign is sent we dip in to Level 3 warning and a couple of days later we come back out. Even when we were permanently marked as Level 3 we never had any issues sending emails. In UCEPROTECT own words Level 3 warning is as low as, well as low as telling Microsoft "you're a very naughty boy" whenever it's found guilty in court. We never knew just how much companies had become reliant on Micros**t services until this issue hit. Bit like the Irish potato famine, or all eggs in one basket; all's great until you stumble!
Today i asked again for ticket escalation from Microsoft and i finally got this answer:
Kindly note that the issue have been escalated to the engineering team and they are actively working to resolving it.
Then after a couple of hours i got this:
The engineering team have informed me that issue has been resolved.
Kindly confirm that you able to send emails to Office 365 from the IP: xxx.xxx.xxx.xxx (<-- London datacenter IP)
I tested and they finally solved it!! I am not sure if they fixed the block for my IP only or the entire range.
Please note that i also have another IP in London that is still blocked and i just asked them to fix that too.
PS: Please guys, stop taking Level 3 of UCEPROTECT seriously. Microsoft is definitely not using this.
Still not working on our IP :(
R=dnslookup T=remote_smtp H=starteng-co-uk01c.mail.protection.outlook.com [104.47.21.36] X=TLS1.2:ECDHE_SECP384R1__RSA_SHA256__AES_256_GCM:256 CV=yes: SMTP error from remote mail server after RCPT TO:<sales@start-eng.co.uk>: 550 5.7.511 Access denied, banned sender[178.79.183.93]. To request removal from this list please forward this message to delist@messaging.microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [LO2GBR01FT022.eop-gbr01.prod.protection.outlook.com]
@gruppal
No, i just asked multiple times for escalation. I had a ticket with Office365 Level1 support since 3/Jan. We exchanged a lot of emails since then but the responses was not very helpful and my initial escalation requests were ignored.
Yesterday - after two days of silence - i received this:
Kindly provide status update as regards to the issue of IP address xxx.xxx.xxx.xxx not able to send emails to Office 365.
Your kind feedback will be highly appreciated.
So i asked escalation one more time:
No, the network is still blocked and i am still unable to send messages to my Office365 or any Office365 account.
What actions did you take so far to resolve this issue?
Please escalate the ticket to Level2. 25 days have passed already.
Meanwhile, in the microsoft bubble…
Hello,
Thank you for your response.
We continue to investigate the issue with our escalation team, we will update you once we have more information.
Thank you,
Outlook.com Deliverability Support
Issue seems to be resolved for our part.
172.104.241.*** Europe
I couldn't tell if any actions from our side have had any impact, but we have been pestering Microsoft reps to fix this ever since the 22nd of December.
Still not working:
Linode-Frankfurt/DE
139.162.0.0/16
XXXXXXX.mail.protection.outlook.com[X.X.X.X] said: 550 5.7.511
Access denied, banned sender[139.162.X.X]. To request removal from this
list please forward this message to delist@messaging.microsoft.com.
…bla bla…
Also unable to FWD to delist@messaging.microsoft.com.
That results in:
Your message to delist@messaging.microsoft.com couldn't be delivered.
A custom mail flow rule created by an admin at frontbridge.com has blocked your message.
…bla bla…
custom rule --- see --- custom --- ha-ha-ha---what-a-joke
frontbridge.com should be scrapped and replaced by a real anti-spam solution --- it currently blocks legit emails!
Issue seems to be resolved for our part.
172.104.241.*** Europe
I couldn't tell if any actions from our side have had any impact, but we have been pestering Microsoft reps to fix this ever since the 22nd of December.
Any wisdom for the rest of us?
Any contact emails where we can cry our pain and IP's?
Not only are there no changes here, our third IP (from Dallas DC that still worked normally this morning) just got blocked too…
It's far from over it seems.
@gruppal I'm on the same net, but still blocked :-/
@feIxXfYSlP
I am really sorry, but no. We haven't done anything except for things suggested by others in this thread.
As many things Microsoft, it seems somewhat arbitrary what they react to or not.
@gruppal, @jacrasmussen
Same net, 139.162.x.x still blocked
My 2nd ticket got a response, like a week after I opened it,
Hello,
Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number 1533775xxx, which was opened in regard to your delisting request for IP 178.79.xxx.xx
Please ensure that you have resolved any issues generating malicious or abusive traffic from the IP in question and utilize the portal found at https://sender.office.com/ to complete the process of IP removal.
Then please wait for 1-2-hour delay before this change propagates through our entire system. After waiting of 1-2 hour try to send email again.
If you continue to receive Non-Delivery Receipts (NDRs), or "bounce messages," that indicate that the IP address is still blocked by our spam filtering system, please forward one of the most recent and complete error message to us and we will investigate further.
Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.
Sincerely,
Joy OjoMicrosoft Online Services Technical Support
Replied back with sender.office.com says not blocked but if I try to email them back from that IP I get the "sender banned" reply, so it is blocked\banned.
Firewalls\etc aren't that complex - you'd think I\we were asking them to diagnose & fix a neurological condition (over the phone) or something.
If you're interested in any of these solutions, please open a Support ticket and someone from our team will be happy to assist you. We still intend on finding a resolution to the original issue, but we'd like to get as many of you up back and running as we can, as soon as possible.
I saw this and opened Ticket 16779254 almost 2 days ago requesting a new IP for one of my two VMs (and a link to this thread) and I got a response quite soon after asking to make sure I had valid matching rdns and SPF records. Which I already had.
But no further response 40 hours since I last responded in the portal. This is the first time I have been disappointed in the support response time.
I ended up routing SMTP via my home Internet connection in the short term as I can't wait forever for this to be sorted. Certainly wasn't back up and running "as soon as possible".
A few more regular updates from Linode Support on here to the problem and where it is at would also go a long way to help.
@dibsh writes:
Firewalls\etc aren't that complex - you'd think I\we were asking them to diagnose & fix a neurological condition (over the phone) or something.
What M$ has is not a firewall in the iptables sense… What they have is some morbidly obese, "AI"-based, reputation-scoring scheme for external (to O365) senders.
M$ reorganizes frequently. My guess is that this system (whatever it's called) has had hundreds of "owners" over the years and that each owning team has added it's own bells and whistles to justify their own existence (whether or not the bells and whistles made any sense or contributed to the efficacy of the system as a whole). It's the nature of the support business…and it has undoubtedly led to the current Mr Creosote-level of bloat.
There's probably not a single person alive today that understands it all…or can even chart it's history. Consequently, the layers of cruft in these systems are approaching the thickness of the earth's crust. Plus, it's Windows…
M$ writes:
If you continue to receive Non-Delivery Receipts (NDRs), or "bounce messages," that indicate that the IP address is still blocked by our spam filtering system, please forward one of the most recent and complete error message to us and we will investigate further.
Translation: We'll open a new ticket; put you at the end of the queue; and assign it to some off-shore intern who is 8 timezones away. Be seeing you…
Who controls the past controls the future: who controls the present controls the past. -- George Orwell, 1984
-- sw
Hello friends,
The company where I work is one of the lucky ones where our IP for our mail server suddenly a day ago was no longer affected by this Microsoft mess.
I answered @feIxXfYSlPv that I could not remember that we had done anything else that what has already been discussed here, but this morning I did remember one action we took that has not been mentioned yet. Whether or not it had any effect at all I can not say, but at this point I would leave no stone unturned.
As many others here have also done we opened a paid business account at Microsoft Office 365 to get access to a real person for customer service.
What we did different there was that we requested that the first contact be done by phone and not by email. This was an attempt to avoid those silly template answers that only serves to delay a real resolution.
The person who called was very friendly and eager to help, but unfortunately and not surprisingly not anywhere near the level of technical knowhow to resolve to root cause of the issue.
After providing him with mountains of evidence that this was not a singular problem with our account, but in fact a massive issue with serious consequences internationally he stopped answering.
That is where we did something that I have not read about here yet. In the very bottom of his email signature the name of his two supervisors were named and had their emails listed.
What we did was to direct a complaint to the supervisors in very clear language detailing the problem, lack of competence, lack of basic decency towards fellow human beings trying to survive in a difficult economic and also the ridiculous possibility that we might end in court to solve an issue that could easily be solved by someone competent logging in to a server.
After this the supervisor got in touch with us, and then her employee apologised. He tried calling me several times, but I emailed him and told him that I do not wish to waste any more time with futile activities based on generic scripts.
He then assured me that he would (probably for reals this time) escalate the ticket and make sure to check on the status internally until it was solved.
And 2 days after this this problem magically disappeared.
So in summary:
- Create business account at Office 365.
- Open ticket.
- Raise hell at highest possible level.
- Do not accept generic answers.
- Rinse and repeat from 3, or 2 if you need to.
Thanks for the update. This reminds me that we did basically the same back in December. Ticket on paid O365 + contact by phone + further mails in CC to all listed addresses in the footer.
It indeed got resolved back then within 4 days (which sounded incredibly long back then, but seems ultra-fast compared to the situation now).
Unfortunately, the block came back on Jan 4th and couldn't be resolved again yet.
(Footer in mails of my current ticket do not mention the supervisor's mail addresses)
Still blacklisted 172.104.245.*
50.116.31.253 is still blocked too (Dallas) after numerous forwards to delist@messaging.microsoft.com .
<(customer email address)>: host btconnect-com.mail.eo.outlook.com[104.47.6.36]
said: 550 5.7.511 Access denied, banned sender[50.116.31.253]. To request
removal from this list please forward this message to
delist@messaging.microsoft.com. For more information please go to
http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
[VE1EUR02FT023.eop-EUR02.prod.protection.outlook.com] (in reply to RCPT TO
command)
Finally got something back from M$:
Hello,
My name is Deepthi and I work with the Outlook.com Deliverability > > Support Team.
We have implemented mitigation for your IP (178.79.183.xx) and this > process may take 24 - 48 hours to replicate completely throughout our > system.
Sincerely,
Deepthi
Outlook.com Deliverability Support.
It'll be interesting to see if that helps. They must be getting a bit pissed off with all these emails from people by now!
What they're doing is whitelisting your IPs. And if the posts above are any predictor, their whitelists sunset and expire.
Thats what I was thinking. Hopefully they fix it properly, rather than just putting a plaster over it!
Still having issue with ours at 172.104.x.x and 50.116.x.x, we are temporarily re-routing the email through another newly setup postfix relay.
We already have a backup smtp relay in a different location to prepare for this kind of situation, unfortunately the backup smtp relay is also with Linode and looks like all Linode IP got blocked. So we have to setup another with a different provider. We tested a few providers to ensure the new IP isn't blocked.
So far the new relay is working ok, the only problem is some spam filtering system may reject the new IP with reason - shoe spamming suspicious
Hope Linode resolve this asap
It seems my case, that I registered january 3rd, through the following URL, was finally solved:
https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75
Please bear in mind that you will likely first get:
Dear Vegard Engen
We have completed reviewing the IP(s) you submitted. The
following table contains the results of our investigation.
Not qualified for mitigation
X.X.X.X
Our investigation has determined that the above IP(s) do not
qualify for mitigation.
You need to reply to this, and not from the email that bounces - I forwarded it to gmail and replied there.
I was pretty persistent in my first reply, stating I had done everything their guides said to do - SPF, DKIM and what not. Because I had, before reporting the case. I also added links to this and a few threads, to give a "+1" to "their blacklist causes problems". It didn't help particularly, I still got into their support-system, having to reply to mails from their support teams every other day.
But the above gave me a reply from an actual person (after a couple of days), so there's that.
When you get the reply, you just have to be persistent, and deal with them like any other support system. It will be annoying, but for me, it eventually paid off.
Yesterday, I got:
Hello,
My name is Mohan and I work with the Outlook.com Deliverability Support Team.
We have implemented mitigation for your IP (139.162.184.189) and this process may take 24 - 48 hours to replicate completely throughout our system.
Sincerely,
Mohan
Outlook.com Deliverability Support.
And today, I could send mail to my SOs work-email without it bouncing, which is what I've been doing to test this.
Do everyone of us need to do this? I hope not, but please: Do so. Unless this becomes an annoyance and too much work for them, they're not going to implement a proper solution. If we are lucky, someone will notice the pattern and that the blocking in itself causes hours spent on support causes, and fix the underlying problem.
My new IP is now being blocked :( Not hitting the same error, getting 550 5.7.1 but still. This is beyond frustrating.
@NachoB I don't think it's just Linode. I've seen complaints about it on several large cloud-based providers.
I'm going to wait till Friday and if there is no fix for my IP or a larger fix from MS - I'm going to have to relay mail through a few different providers (one for each domain - I only have a few domains), so that each domain stays under the free limit per provider (mailjet I think offer 6k emails per month).
It's been 5 days since I've heard anything from MS on the 2nd ticket and my 1st ticket got another fluff reply on 9 Jan:
Hello,
My name is Yaqub and I work with the Outlook.com Deliverability Support Team.
We continue to look into this issue along with the Escalations Team. We understand the urgency of this issue and will provide an update as soon as this is available.
Thank you for your patience.Sincerely,
Yaqub
Outlook.com Deliverability Support
I don't understand why you folks just don't sign up with a $6/mo. ISP that will give you unlimited domains and email… and direct mail via MX records for your domains. That is what we do for our domains (each domain has a fair number of aliases forwards.)
What is M$ providing you that is so essential? I don't get it.
@acanton77 writes:
What is M$ providing you that is so essential? I don't get it.
M$ is not providing anything except headaches. The gist of the complaint here is that M$ is rejecting valid mail destined to Office 365 users.
If, one day, M$ decided they don't like Pair.com's IP address(es) and blacklisted them for no apparent reason (and tells you they can't find the blacklist entries), you'd be complaining too.
-- sw
If, one day, M$ decided they don't like Pair.com's IP address(es) and blacklisted them for no apparent reason (and tells you they can't find the blacklist entries), you'd be complaining too.
Yes, absolutely. But I'd change email vendors in a New York minute. (I grew up in NYC so I know how fast that is!!!)
I have good news and disheartening news.
Good news:
All the IPs in multiple linode accounts that I manage that were getting the 5.7.511 message are now able to send to o365 again.
The disheartening news:
I doubt any single thing I did made a difference when trying to get through to MS.
For one IP I submitted the request to delist@, received the terrible scripted reply that completely ignored the info given (last reply received), replied with a request for escalation (no response), replied again saying I expected a response (no response). I signed up for the snds reporting - it never showed anything. And then, today the IP is allowed to send again . . . yet today is the first day it shows anything on the SNDS page: "Junked due to user complaints or other evidence of spamming"… which is absolutely not the case (this specific linode sends mail from me, to me, and no one outside our own company). But it says 'Blocked: No', so I guess I don't care. Regardless, it means (surprise, surprise!) that what MS says about spam is a complete fabrication.
What makes it worse - I sent nothing for the other IP addresses. I made no effort to do anything to correct the other Linode IPs with the same problem (other than sending a 'me too' for Linode's own tickets). We worked around it with an alternate relay (also at Linode) that wasn't impacted. Those impacted systems are all able to send to o365 directly today, just like the one I spent effort on.
I am and have been an o365 customer; no trickery with creating an account just to get more attention. MS doesn't appear to prioritize folks that give them money more than anyone else.
Our systems were impacted starting Jan 3rd. 15 days later, we appear to be clear.
MS doesn't appear to prioritize folks that give them money more than anyone else.
M$ prioritizes support for ppl/organizations that give them lots of money (on an ongoing basis). I’ll bet your service level would be completely different if you were, say, the CTO of Chase Bank or the Secretary of the Army.
— sw
Update from our side:
Got unblocked last night again. This time it took 14 days until somebody (out of nowhere) declared our ticket "worth to be escalated". Then it took only 24h to unblock the IP.
We meanwhile requested a non-blocked IP from Linode, which took them 4 days to answer. Also very unacceptable, especially as they offered exactly this help specifically in this thread here.
We don't know how long the unblock will last, but we will definitely move on with some of our services.
Meanwhile, after sending them a chaser email as to why nothing after 9 days, I get more of the same fluff:
Hello,
My name is Sai and I work with the Outlook.com Deliverability Support Team.
We continue to look into this issue along with the Escalations Team. We understand the urgency of this issue and will provide an update as soon as it is available.
Thank you for your patience.
Sincerely,
Sai
Outlook.com Deliverability Support
I sent an email to someone whose email is hosted on Office365, didn't get the dreaded NDR so was wondering whether it got delivered.
Just had a reply from them - so looks like things are working. Sadly no idea how long it's going to be working for.
On January 19, I got a reply from Microsoft saying, "We will be escalating this request to our Anti-Spam Team to investigate the IP address's traffic history and current activity. They will then make a decision on whether or not to delist the IP address."
This is in reply to a request to escalate emailed Jan 5 for a ticket originally submitted Dec 24.
The "current activity" is near zero as we've moved critical traffic to a mail-specific provider (not Linode), so it will be interesting to see what they say.
Hey folks. We were finally able to get someone at Microsoft to unblock a tranche of IP addresses – some, but not all. Some customers are reporting they're no longer getting NDR bounces. If you opened a ticket with us in late December to early January and haven't asked us to swap your IP address, try testing this. Some folks have already written to us (here and in tickets) reporting success.
If it works – you're good! If not, no need to follow-up, we're still working with Microsoft to get other addresses unblocked.
@jackley - Do you know what they did to resolve things? Or even how long the unblock will last?
@jackley - Do you know what they did to resolve things? Or even how long the unblock will last?
@jackley is a smart and amazingly talented guy… However, mind-melds with M$ (especially from 3000 miles away) are beyond the scope of most human capability…even those who seem a cut above the rest.
We're talking M$ here…there are no guarantees -- except for those propositions that are beneficial to M$. Just keep reminding yourself of that (sit on a bed of nails or something)…and keep your wallet handy…
-- sw
@dibsh they've told me that they've "delisted" these IPs – my impression is that they've been delisted from some internal blocklist or system.
On the possibility of this happening again, I've asked for information on how we can prevent this from happening in the future. Not sure what will come of that, it really depends on how much they're willing to share.
50.116.31.253 still blocked… can't email my customers with hotmail.com email addresses.
xxx@hotmail.com: host hotmail-com.olc.protection.outlook.com[104.47.57.33]
said: 550 5.7.1 Unfortunately, messages from [50.116.31.253] weren't sent.
Please contact your Internet service provider since part of their network
is on our block list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[SN1NAM02FT0028.eop-nam02.prod.protection.outlook.com] (in reply to MAIL
FROM command)
I removed my workaround and have been able to send mail direct for the past couple of days. Thanks @jackley!
I am concerned about whoever Jose Glz is though (mentioned in a previous post). They managed to get approved to see a range of IPs on SNDS including one I have with Linode.
https://i.imgur.com/i9YafYX.png
I requested reauth but this is the second time I have done it.
Is this someone from Linode? If not, how do we get them removed?
Just to provide a heads-up, as of a couple of days ago hotmail.com, which had fine while the whole O365 issue has been going on, also started blocking one of servers as well with the NDR listed above by @htmlvalidator..
@jackley I still have a Linode IP blocked by a Microsoft's hosted exchange as I post this. Microsoft's free email services and enterprise/edu/govt work for me that I have tested but their hosted business email is returning the same 5.7.11 NDR that has been happening since December. Hopefully they will unblock the rest of the IPs soon. Fortunately it isn't a critical system for me or a busy time but I am constantly in fear of Microsoft blocking other systems I have elsewhere. I feel I dodged a bullet this time.
For all having a ticket with Microsoft. An employee just wrote me this info on how to escalate the deblocking request FAST:
- Delisting through sender.office.com
- Send email to delist@messaging.microsoft.com
- Note the ticket number received from the latter
- Create support ticket for O365 and tell them to escalate the noted ticket number
Then this should reach the correct team fast.
Hope this helps somebody.
172.104.245.* appears to have been fixed now
@htmlvalidator your problem is not the same problem as the one discussed here. In your case you need to pester their support endlessly until someone picks up and does a manual review instead of the bot just responding 'not qualified for mitigation'
@tfw_whargharbl I'm also getting some of these "550 5.7.511 Access denied":
xxx@thechange-project.org: host
thechangeproject-org02c.mail.protection.outlook.com[104.47.1.36] said: 550
5.7.511 Access denied, banned sender[50.116.31.253]. To request removal
from this list please forward this message to
delist@messaging.microsoft.com. For more information please go to
http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
[VE1EUR01FT063.eop-EUR01.prod.protection.outlook.com] (in reply to RCPT TO
command)
It is shocking how much does Microsoft suck. I had several support tickets opened. After about 3 weeks all IPs were finally excluded and 5.7.511 was gone. Almost 1 week after my issues were resolved another Microsoft team shamelessly bullshits on how the ip is totally blacklisted and that they will not be able to do much about it.
Let's sue the shit out of this incompetent evil monopolistic Microsoft.
Let's sue the shit out of this incompetent evil monopolistic Microsoft.
The Feds tried that…and failed to get any kind of meaningful relief in the settlement (after, what, a decade?). M$ has more money in it's legal defense fund than the EEC has money.
-- sw
I first joined Linode over 12 years ago and I have had accounts for work or personal continuously since. In that time I have also tried many other vps hosting systems and I still have multiple systems hosted on other providers.
This is an industry wide issue that needs to be properly addressed and in my opinion Microsoft and their many businesses are some of the notable offenders for indiscriminately blocking IPs. I don't know the particulars of this case and perhaps Linode contributed to the problem but if that was the case then mass blocking traffic from substantially legitimate non-spam senders should have been a method of last resort.
These sort of problems can hit any hosting company. I haven't had many issues with linode but have battled Microsoft blocking continuously on another providers. Outlook.com has always been frustrating as I can have SNDS and zero history of abuse and still regularly need to submit tickets to get servers unblocked. On one system (not Linode) I am sending notifications from an application and the delays in manually processing them pushes the receipt outside the acceptable window. As that system is B2B free email accounts are uncommon but hosted exchange stuff is very common and this sort of problem would have caused a lot of frustration and likely lost customers and hurt my reputation.
Until this sort of behaviour is restrained, either by an industry code, legal action or government regulation it will likely follow me to other providers. I think something more has to be done than simply filing tickets and shifting to different IP addresses.
@shirro5 This is an industry wide issue that needs to be properly addressed and in my opinion Microsoft and their many businesses are some of the notable offenders for indiscriminately blocking IPs.
Microsoft are easily the worst I have had to deal with when it comes to being blocked. When I first setup my outbound email system a decade ago I learned very quickly I needed multiple servers with different providers to avoid being in the situation some are in now.
I now have 4 outbound servers for my clients. One with Linode and the others are with other providers. Normally they all handle outgoing email at the same time but whenever Microsoft play this game I pull the one affected out of service and fight with them until they lift the block.
This round was much harder since it appeared that Microsoft blocked ranges of Linode IPs instead of individual ones.
It really is unfortunate how they operate and sadly there isn't anything we can do about it.
Microsoft run one of the world's largest email systems and most businesses use it. As long as you have redundancy then you give yourself time to fight without it impacting anyone.
If like me you are experiencing financial harm due to Microsoft's actions, I recommend filing a complaint with the Federal Trade Commission:
I feel like I've hit a brick wall with this. Linode aren't responding to my ticket (about 48 hours now). Microsoft aren't responding to my numerous tickets/emails. I'm a paying Office365 customer (have been for some years) but because my Office365 was purchased via GoDaddy, I seem to be unable to go to the Admin section to open a support request with Microsoft - the Admin bit of Office365 just takes me to my GoDaddy control panel. GoDaddy say that it's down to Linode to persuade Microsoft to lift the block. I'm left with two choices at the moment, it seems - move away from Linode (and I really don't want to do that, I've been with Linode since almost the beginning) or use a third party email service to channel my mail through, which I'd really prefer not to do for various reasons.
I'm not blaming Linode, not really, but the fact remains that Microsoft appear to have been blocking Linode ranges for over a month with no particular end in sight, and support (that I theoretically pay for) is hard to come by, from anyone.
139.162.192.0/19 is my range.
Well good news… looks like my IP 50.116.31.253 is finally unblocked… at least for now.
Put in SendGrid smtp relay for our domains because we can't live with this any longer. Not an ideal outcome, but a work around. Now how do I know when MS have removed the block, hmmm?
More importantly how do we prevent MS holding us all to ransom again?
EDIT: So I managed to read up on the thread and seems UCEPROTECT is not the problem.
Hi,
I've been battling with this too and found out through Microsoft support that they are using Validitys Return Path's IP Certification as a subscription service for blocking e-mails.
They are, I think, in turn using other sources.
Putting in the IP of my mail server on http://www.kloth.net/services/dnsbl.php gives this:
Listed in dnsbl-3.uceprotect.net, www.uceprotect.net : 127.0.0.2 : Your ISP LINODE-AP Linode, LLC, US/AS63949 is UCEPROTECT-Level3 listed because of a spamscore of 106.2. See: http://www.uceprotect.net/rblcheck.php?ipr=XXX.XXX.XXX.XXX - (ttl:2100) [0.0619 sec]
So this might maybe affect Microsofts blocking?
I am battling with micro$oft stupidity as well. My voip company (voip.ms) started bouncing my support emails and replies after the bright idea to move to hosted O365. The techs there aren't smart enough to understand and keep telling me that I have to whitelist my ip… in THEIR hosted exchange.
We need companies like Linode to stand up to the bullies for us. Thanks for all the efforts, but is there any light at the end of the tunnel or does micro$oft just wanna keep rubbing the poo in our faces?
does micro$oft just wanna keep rubbing the poo in our faces?
All it’s going to take is the application of $$$. That’s the only thing M$ understands. Goodwill means nothing to them.
— sw
Hi,
I'm having the same problem for a London IP. In http://www.kloth.net/services/dnsbl.php, I'm getting this:
Listed in dnsbl-3.uceprotect.net, www.uceprotect.net : 127.0.0.2 : Your ISP LINODE-AP Linode, LLC, US/AS63949 is UCEPROTECT-Level3 listed because of a spamscore of 111.1. See: http://www.uceprotect.net/rblcheck.php?ipr=xxx.xxx.xxx.xxx - (ttl:2100)
I'm running this server since 2013. I had the same problem back in 2017. It is a personal single-user domain, so not much of a problem, but this is getting ridiculous. Microsoft is just breaking the e-mail service worldwide. I never liked Microsoft, now their "reputation" in my personal ledger went to a new low.
How do we convince Microsoft to stop using UCEPROTECT? They're clearly a scam. 90 swiss francs to unlist for 2 years. GTFO.
My understanding is that UCEPROTECT-Level3 warning is the lowest of the low. If they're are using that as the reason for blocking IPs then they have some profound misunderstandings, oh wait, I forgot who we're talking about.
Interesting idea complaining to the FTC, but bear in mind US administrations don't have a great track record when it comes to taking M$ to task.
Still waiting for an update from Microsoft. At this point, I'm calling every day to get updates on our ticket.
Also, just another reminder that (unless something changed in the last 2 months) we don't believe this issue has anything to do with UCEProtect. Our IP ranges have been on and off UCEProtect for years (most recently just a few weeks ago) – we've never had a problem like this.
Chanced upon this and am having the same issue on a VPS of mine in the Atlanta DC, IP 173.230.x.y. The other VPS I have in the Fremont DC, IP 23.239.x.y can send to 365 fine.
Have tried the delisting service to no avail.
Has anyone that has swapped IPv4 address found that it has totally resolved the issue?
Linode have offered to swap me to an IP they claim is totally unaffected [emphasis theirs], but I fail to see how they can know… our IP is being blocked intermittently, so a single test isn't going to be definitive, and if they're so sure its unaffected it would suggest they know which ones are affected, and possibly why?!
I think this has been resolved
Thanks @jackley, @_Brian and other Linode guys that have paid attention to this, I believe that this thread and the efforts of the Linode support team identified and resolved the issue - there was a bit of noise, thanks for working through it
I'm back using linode directly as my gateway with no issue
couple of notes - @BrianSalvador noted he switched to Sendgrid, I wound up there too and found they have major issues with spamcop listings, I put in a fair bit of effort to port to that gateway, disappointing..
https://www.mailgun.com/ - discounted them early, they didn't bounce undeliverables so totally not suitable
and as noted - uceprotect is not involved in anything
Cheers - hope it's fixed for others
Still ongoing for myself. I switched to SendGrid earlier in the month. This is not a perfect solution but have configured Postfix so that all recipients destined for a Microsoft end point are routed through SendGrid, while everything else continues to send direct. This, for now, appears to work the best with few delivery failures.
Regarding a previous note by @vittal_cognidox regarding the new 365 Defender service…
If anyone doesn't know what this service is, it's a new 365 anti-spam engine they have just released.
https://www.microsoft.com/en-au/security/business/threat-protection/microsoft-365-defender
While going through the 365 Exchange admin for a client, the following is displayed when attempting to go to content filters or inbound connection filters….
"This feature has moved to the Microsoft 365 Defender. Create and update connection filter policies on the Anti-spam settings page there. This page has now been retired from Classic Exchange admin center."
This message now appears across the board for all customers I manage on there including licenses for Business Basic, Business Premium, E5 and E3.
Further to this, if you go into the Anti-spam threat policy list of Defender, you may see this message:
"Please go to the quarantine policy page to configure end-user spam notification as we will remove the configuration from the Anti-spam policy by December 2021.Learn more about quarantine policy"
Based on the above, I note that the rollout of this new anti-spam system, while not 100% aligned with the blocks, seems to coincide closely enough to make it a smoking gun.
MS announced this service in November with voluntary trials for select customers. It would appear at some point between then and now that it is an integrated part of 365 at least in part.
Still not fixed for me either as of now. Sending from a 172.105.163.x IP (Sydney, AU).
@sqonk , please could you tell me how you configured Postfix to only relay Micros**t recipients? All I've managed to do is either relay everything or nothing! Any help you can give would be much appreciated.
like @igennus, if you could please @sqonk - how did you selectively relay to microsoft
I use qmail, it has a file called smtproutes, the contents are considered and then it falls through to the default - in my case direct delivery
you make entries in it like (one per line)
@domain.tld:gateway.tld
and it supports
@domain.tld:gateway.tld:port|username|password
but, with Microsoft 365 Business accounts, the domain isn't just hotmail etc, it's frankiesbusiness.com, jonniesbusiness.com - I have to add it one by one .. which is ok, scan log for domains with difficulty and add them …
the routing on qmail is not route via mx, it's route via domain
under postfix - is it the same ?, or have you got some level of more granular control ?
@igennus, @brayworth
sure. The following makes Postfix run a set of filters over an MX lookup of each recipient passing through the system. Assuming you have the config files in /etc/postfix…
- 1) in /etc/postfix make a file called 'smtp_sasl_password_map'. Inside of it place:
[smtp.sendgrid.net]:587 apikey:_your sendgrid API key_
Then run postmap on it, which will generate a hashed version 'smtp_sasl_password_map.db'.
- 2) in /etc/postfix make a file called 'mxtransport'.
Inside of it place:
/outlook\.com$/ FILTER smtp:[smtp.sendgrid.net]:587
- 3) Modify your main.cf, add/make sure you have the following lines:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_password_map
smtp_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_recipient_mx_access pcre:/etc/postfix/mxtransport
The smtp_sasl_security_options = nonanaomymous is important. Without that it won't work.
NOTE: you may also need to install a PCRE extension for postfix if you don't have it.
Also, if you are currently fully relaying out you'll have the following line you'll want to disable:
#relayhost = [smtp.sendgrid.net]:587
- Additional: Originally I had it so it would relay out to 365 only, forcing hotmail.com, outlook.com and live.com to go direct. I've since included the other 3 to go through the relay as well. If you would prefer however to make that distinction you can use the following rules in the mxtransport instead:
/hotmail-com.olc.protection.outlook.com$/ DUNNO
/live-com.olc.protection.outlook.com$/ DUNNO
/outlook-com.olc.protection.outlook.com$/ DUNNO
/protection\.outlook\.com$/ FILTER smtp:[smtp.sendgrid.net]:587
Also still getting this issue on sending from 192.53.169.x IP (Sydney, AU).
Does anyone know if this is fixed? Because I tested sending from my Linode mail server to my Outlook email and it worked! So my email is no longer blocked.
I was using a smtp service, but I have customers reporting emails going into spam, so am keen to switch back to as it was, hence this test. So hope it is fixed.
I had this reply from my support technician at Microsoft:
The issue has been resolved between Microsoft and Linode.
You can rest assured that your emails will be delivered as the block has been removed.
I confirm that the AU datacenter is still banned for us (172.105.189.x) while the US and EU work fine now.
And just after I changed ipv4…. that also worked, btw. Thanks Linode!
I had tried using sendgrid, but they decided to force their customers to buy a smartphone for 2fa versus a simpler desktop/web solution. Certainly not worth 1000 bucks and a monthly cell contract!
We're still banned in London 139.162.221.x
This is ridiculous and embarrassing. And to top it all off, Linode response is to CHARGE ME EXTRA MONEY FOR AN ADDITIONAL IPv4.
I have the very same problem since more than one month ago. Today is February 3 and the problem still persists, since the beginning of 2022 or before. Jackley's last reply, and from any other Linode team member's, is from a week ago. I really can't believe it.
My Linode is on TX DC, 50.116.16.0/24
i have four ips in sydney, three of which are blocked. i am not sure if it is a cooincidence but a 45.xx.xx.xx is ok, but three 172.xx.xx.xx are blocked.
so bloody frustrating!!!
has anyone tried using the ipv6 as the sending ip?
No major updates from our end. I'm calling Microsoft every day or every other day for updates on our ticket. In their last update to us (on February 1st), they stated that our ticket is still with their backend team.
It seems like folks are reporting that their IP addresses are getting unblocked, so I'm hopeful that means Microsoft is slowly working their way through our IP ranges.
Linode offered me a different IP, and I took it. After a half day for DNS changes to propagate, emails are getting through to Outlook365 recipients.
Date: Thu, 03 Feb 2022 19:58:53 +0200
Still not working:
Linode-Frankfurt/DE
139.162.0.0/16
XXXXXXX.mail.protection.outlook.com[X.X.X.X] said: 550 5.7.511
Access denied, banned sender[139.162.X.X]. To request removal from this
list please forward this message to delist@messaging.microsoft.com.
…bla bla…
@jackley, after my IP migration to 192.46.232.0/21 everything worked for a while, my server is again blacklisted at Microsoft. So it seems that Microsoft is also adding new IP blocks to their list.
I changed my v4 ip and now I don't get emails from any lists, linode ticket updates, etc. Only friends and my other vps's can email me.
This is not getting better, I am hobbled now.
UPDATE:
Turns out some of it was a layer 8 issue in the old OSI model. I didn't change all my subdomains to the new ipv4 addy in the DNS panel. DERP… hopefully I'm functioning again in 24hrs.
has anyone tried using the ipv6 as the sending ip?
Unfortunately MS doesn't provide ipv6 MX records, so this isn't possible. That was the first thing I checked when I discovered my IP was blocked by them…
like most people on this thread i am getting pretty frustrated by the apparent lack of action on this.
yes, it seems bewildering that one of the tech giants cannot figure out why some ips and being blocked - probably to thousands clients. how hard are they trying?
this has been going on for weeks and my clients are completely fed up. who knows how much longer this will go on before they are lost to us permanently.
i have been a big fan and customer of linode for a number of years, but i feel their efforts to get this resolved are not up to it. @jackley making a call every day to see how things are going does not really cut it when most of us, i am sure, have spent countless hours trying to resolve the issue, trying workarounds, dealing with clients and trying to unblock the unblockable through the ms systems.
i don't know how senior @jackley is, but very senior people at linode need to get involved find out what is happening and inform us as to the real situation and whether or not it is ever going to be resolved.
if this doesn't happen soon, i can't see that we have any choice but to go elsewhere with our business.
this is simply a reality. why would anyone want to hire services that can't deliver its email reliably?
Our company was severly affected by this back in December and January, but it somehow resolved itself.
But starting today we are getting reports that our clients now are unable to send to Hotmail (not Outlook in general as previously).
Now Microsoft actually directly states that they banned whole ranges and not necessarily a single IP address.
hotmail-com.olc.protection.outlook.com[104.47.73.33] said: 550 5.7.1
Unfortunately, messages from [172...***] weren't sent.
Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[DM6NAM04FT024.eop-NAM04.prod.protection.outlook.com] (in reply to > MAIL FROM command)
@jackley Microsoft are banning entire IP ranges owned by Linode and this can not go on. This is not a technical issue, it is a legal issue that needs to be handled at your highest executive level.
This is not a technical issue, it is a legal issue that needs to be handled at your highest executive level.
It definitely feels like it is being treated as a P3 technical ticket, and I think this is why people are so upset about it.
I am looking elsewhere now for another VPS host, as while I do have a workaround I have to constantly adjust, it is pretty annoying. There is a local equivalent to Linode here in Australia that is significantly cheaper (due to the exchange rate) and because this whole debarcle has now been going on for literally months now, I wouldn't have even bothered investigating other options………
I have to say that today we were actually quite impressed with the swiftness of the responses from Microsoft.
Regarding the latest issue with Hotmail bounces, we filed a ticket at https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75
Within a couple of hours we got an automated response that they could not find any blocklist containing our specific idea. We replied that the issue is related to IP ranges and within an hour or so after that a rep from Microsoft confirmed that a mitigation for our IP was in place.
Now all the remains is to see if the mitigation actually happens and solves the issue. They promised that it would be effective within 24-48 hours.
What we have been noticing for the past few days is a big delay in incomming mails from the same servers that were blocking us in January.
Delay last from 15 minutes (from outlook.com) to 4 hours (from 365 servers).
Does anyone else have this new problem?
Server IP range is 139.162.xxx.xxx
Now Microsoft actually directly states that they banned whole ranges and not necessarily a single IP address.
This issue (specifically the error "550 5.7.1
Unfortunately, messages from [172…***] weren't sent") is one we've seen for years. if this happens again, we can usually get your IP address unblocked by Microsoft. Just open a ticket (our method of resolving this is essentially the same, sometimes Microsoft doesn't accept delisting requests from anyone but the IP address owner -- e.g. Linode).
On the banned sender issue: Microsoft finally updated us this week and asked for some additional information, so we're working on getting that compiled and sent over.
As of today I'm unable to send to gmail from my Sydney Linode IP. I wonder if this is unrelated.
Hosting a mail server in today's duopoly of popular hosts seems to be sisyphean!
late last week linode offered me new non-blocked ips which i took them up on. thank you linode.
of course, once i registered them into the snds system (ms hotmail, outlook etc) they were blocked there.
as mentioned previously in this thread, the outlook team are relatively helpful, and whilst it took a little longer than normal and did involved a 6 email exchange, eventually those ips were unblocked for the hotmail systems as well.
may i suggest that linode should be proactively contacting all those customers who have ips that are blocked. who knows how many customers are unaware that this is the cause of their bouncing problems
it only took me 5 weeks to sort out this problem, thinking it must have been something that i had done!
i am not getting any bounces from gmail through my sydney ips. be aware that gmail can identify ipv6 addresses as the sending ip and if you use spf and do not have the ipv6 addresses registered in either your dns record or specifically in your spf record, chances are that the email may be bounced
For those who are still struggling with this, and Microsoft's crappy response…
The bounced messages suggest emailing delist@messaging.microsoft.com to request removal, which you no doubt have all tried only to be told you're not listed.
So you've then followed the instructions to escalate the issue. What I have concluded is that there is almost certainly some automation/AI involved in the responses to emails at this stage, and it's not very intelligent.
I had previously given up on this process because I was getting no positive results.
But it's where you need to be… just keep replying (be careful, they obfuscate the from address with question marks, so you need to keep replacing it with the right one) and attaching the example bounces. I ended up saving the bounces as txt files in order to eliminate potential compatibility issues.
Sometimes I just got replies asking for example of the bounces again (even though I had just sent them). Keep going. Eventually a human will get involved (for me, even at this stage, there's wasn't much detectable intelligence). Just keep sending them the example bounce messages.
Hint for anyone else trying to get this to work. Microsoft are blocking these VPSs at a subnet level, not a host level. If you log a delist request for your host, they will come back and tell you you are not listed and that they see no reason why you cannot send mail in. They will tell you that you are not blocked and that even though their mail server has explicitly rejected the connection, that it cannot be happening as they cannot see any block on your IP and that it "should" work.
They are - strictly speaking - correct, but it's a completely incorrect and useless answer. What you need to do is report the entire IP block you are on. Make it very clear that it is the subnet and not the host that is being blocked and get them to look at that (which is what the error message from their SMTP server actually says). Then they will most likely accept and see the problem and you'll get a more sensible response and possibly be able to make traction.
I had quite a heated exchange with them a few days ago about this very issue.
I was good after the ip change, but the bums have now blocked the new ip, making the whole change an exercise in futility.
Sooo many reasons to hate micro$oft……and I haven't even run their crap since win98.
UPDATE: turns out this time it was windstream support blocking their own customers or having a misconfigured DBEB settings. jeeesh
Ditto, so many emails sent to delist…. so many support tickets raised…..
Chat sessions too.
Phone call….no help at all.
Finally lodged a formal complaint to M$.
I would be good though to have some assistance from Linode staff, putting some pressure on M$ to resolve this.
I've already had to kill a VPS due this issue and the CEO not being very happy about it, and having to spend more money to another provider, who charge per email address.
Linode…help your customers here….PLEASE…..
Hello everyone,
It seems that Microsoft has gone and done this again now as we have been getting reports of rejected emails where the reason is given that the sender IP is part of range of IP adresses where some of them are blocked due to illicit activities.
This is of course a completely unproportional way of dealing with spam and as we all know, Microsoft don’t give a flying **** about small businesses affected by this.
We are therefore preparing a lawsuit against Microsoft with EU legislation and welcome anyone that wants to take part in a class action.
If you are interested in more information please DM for my contact details.
Hi Pascual, I'm interested in joining forces with said lawsuit but I don't see a way for me to send a DM via the linode community forum here.
This has started happening again as of May 2nd 2022. We were in the affected ip space in the Dec 2021 Microsoft ban.
Our IP is in this block:
172.104.0.0/15
Is anyone else in this block currently affected?
I too was blocked around the time of the original discussion, unblocked later, and just recently re-blocked (I think just this week). Sigh. I think that companies like Microsoft are using the spam problem as an excuse to try to create an e-mail server oligopoly -- why else would they say that my linode mail server doesn't qualify for a "sender reputation" because I send too few e-mail messages?
reubenfarrelly, can you tell us how to request delisting for an address range instead of a single address? I tried typing "172.104.0.0/15" when it asks for the IP address but it (quite reasonably) said "invalid IP address". Or is this only possible once we somehow reach a human?
@flaps You'll have to get through to a human, and even that might take a few attempts (first few I emailed back to were clueless, and said I was not blocked even though the message blatently said I was).
I didn't request delisting of an entire block.
The point of my post was, if you talk to them about a single IP within a block they will tell you it is not blocked, even though it is. You need to talk to them about the entire block you are on and then you will get some answers that make sense.
The answers I eventually got back were along the lines that yes it was blocked and MS would need to work with the owner of the IP block to resolve. At that point I realised that with my single IP I wasn't likely to get anywhere more so I let it go (and evenetually left Linode with my two VMs because of it).