Microsoft to tackle spam by restricting Exchange Online bulk email

For the first time, Microsoft will apply daily restrictions to Exchange Online in an effort to staunch the flow of spam from the service. Starting from January 1, 2025, Exchange Online will begin enforcing an External Recipient Rate (ERR) limit of 2,000 recipients in 24 hours for cloud-hosted mailboxes of all newly created …

  1. Khaptain Silver badge

    28 Years late

    Better late than never I suppose..

    1. Anonymous Coward

      Re: 28 Years late

      I think when I was in charge of an on-premises exchange server some years back, I'd made an alteration to limit email sending rate. Or that could be wishful remembering.

  2. Anonymous Coward

    Because slowing down the individual hosts is obviously the answer

    M$ has configured its tenants to unintentionally allow DKIM and ARC whitewashing. That and the huge number of corporates addicted to Exchange made it a popular resource for spammers. Now with Google and others forcing DMARC the floodgates were thrown open, as DMARC overrides SPF (itself no silver bullet if you're not very, very careful about trusting recursive policies from third parties).

    So instead of fixing how they have their mail system rigged they just slapped leg irons on everyone's tenants. M$ needs to fix its relaying and whitewashing problems, not just choke its larger clients from sending mail directly.

    The cynical will notice this won't impact spearphishers much, and general phishers can just spin up more tenants. Of course more tenants mean more spammers paying more M$ tax in hosting fees...

    1. ldo

      Re: just slapped leg irons on everyone's tenants

      No, just on their own—namely, “the huge number of corporates addicted to exchange”. Those with a legitimate (?) need to send out bulk emails will either move away from Exchange, or learn to live within its limits.

      Either way, the problem solves itself.

      1. phuzz Silver badge

        Re: just slapped leg irons on everyone's tenants

        Those with a legitimate (?) need to send out bulk emails will either move away from Exchange, or learn to live within its limits.

        Most of the small/medium companies I've worked with have used external services (such as Mailchimp) for their spam marketing emails. Usually after a particularly spammy, overenthusiastically broad email campaign got the whole company blacklisted.

        Funny thing is, I never saw any repercussions for the marketing team, other than a bigger budget...

        1. Terry 6 Silver badge

          Re: just slapped leg irons on everyone's tenants

          There does appear to be a belief within the advertising/spam fraternity that brute force is acceptable and effective. So deluges of spam are encouraged, as are the adverts in YouTube and those small free games that you play on a phone, which can't easily be dismissed within a few seconds, but just persist. They seem to think that forcing this stuff to remain in front of our eyes even after we've decided we're uninterested in their sale pitch will somehow change our minds!

      2. tiggity Silver badge

        Re: just slapped leg irons on everyone's tenants

        Plenty of legit reasons to hit that limit.

        e.g. a small company bills some of their clients on a monthly basis, so most days small amounts of external emails, but a big monthly spike.

        Quite possible to be a small customer and > 2000 external emails of monthly invoices (in many cases invoices go to multiple email addresses, e.g. when billing another small company often at least one (maybe 2 in many cases, work & personal email) to the "contact" you deal with directly and at least 1 more to their accounts department generic address or to an accounts person or people). Certainly not unusual for 1 invoice to have 3 or more recipient email addresses.

        Yes, companies could "stagger" sending of those invoices, but clients can get very irritated if invoices do not arrive on the "usual" expected day.

        In many cases, companies also send out emails confirming payments to their suppliers, workers on a monthly basis, often on same day as invoices are sent out, further adding to the spike (again many employees may well have this sent to a personal (external) email address). Again, suppliers can be grumpy if confirmation email not received on expected day.

        But hey, in the magic world of Microsoft a small company has no legit reason to send many emails.

  3. Anonymous Coward

    Need to fix DKIM, SPF, ARC and DMARC

    Each of them has unclosed loopholes that allow stuff to slip past. DKIM is still vulnerable to replay attacks, ARC can be whitewashed, and DMARC can't set explicit enforcement to demand that mail pass all three; instead it passes if either SPF or DKIM passes and doesn't check ARC. Most have DNS trust issues as well.

    All of that is fixable, but a wall of aggressive and obstructionist lobbying kicks up whenever email security might get improved.

    Don't believe me? How long has SMIME been left broken in the majority of email platforms?
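The "either SPF or DKIM" point in the comment above is exactly the DMARC verdict rule from RFC 7489 (one aligned pass is enough; ARC is never consulted). The following Python is an added illustration written for this page, not code from any commenter or from Microsoft; it assumes a deliberately simplified organizational-domain lookup (the real one uses the Public Suffix List).

```python
"""Minimal DMARC verdict: a message passes if EITHER an aligned SPF pass
OR an aligned DKIM pass exists (RFC 7489 section 6.6.2). ARC plays no part."""
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    from_domain: str          # domain of the RFC5322.From header
    spf_result: str           # "pass", "fail", "none", ...
    spf_domain: str           # RFC5321.MailFrom domain that SPF was checked against
    dkim_sigs: list = field(default_factory=list)  # (result, d= domain) per signature


def org_domain(domain, two_label_suffixes=("co.uk", "com.au")):
    # Assumption: toy organizational-domain logic instead of the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    for suf in two_label_suffixes:
        n = suf.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suf:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    # mode "s" (strict): exact match; "r" (relaxed): same organizational domain
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(r, adkim="r", aspf="r"):
    """Return ("pass"|"fail", reason). Note what is NOT required: both
    mechanisms passing, or any ARC seal being present."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim)
                  for res, d in r.dkim_sigs)
    if dkim_ok:
        return "pass", "aligned DKIM signature (SPF result irrelevant)"
    if spf_ok:
        return "pass", "aligned SPF (no aligned DKIM needed)"
    return "fail", "no aligned SPF or DKIM pass"


if __name__ == "__main__":
    # Constructed sample: SPF fails outright, but one aligned DKIM signature verifies.
    msg = AuthResults("example.com", "fail", "relay.example.org",
                      [("pass", "mail.example.com")])
    print(dmarc_verdict(msg))
```

The verdict for the constructed message is "pass" despite the SPF failure, which is why a replayed DKIM-signed message keeps passing DMARC as long as the signature still verifies.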

  4. Ken Hagan Gold badge

    "legitimate bulk commercial email," such as newsletters,

    Sounds like spam to me. Can't these people just put the newsletter on their website?

      1. Anonymous Coward

      Could do. Though they'd probably want to send people an email to let them know about it.....

      1. Phil O'Sophical Silver badge

        Fine, if they've opted-in to being told. Otherwise it's spam and the sender should be nuked from orbit.

        1. Terry 6 Silver badge

          With that above mentioned one-click unsubscribe.

          I have spam filters that automatically junk certain (otherwise legitimate) senders. Because to unsubscribe from unwanted bulk emailing from their marketing dept you have to log in to an account you didn't even know you had with a username and password that is a total mystery to you, perform a short but illustrative dance routine, sign an affidavit in blood that you no longer want the emails that you never wanted in the first place and sacrifice a chicken. And then wait for a period slightly less than the heat death of the universe for your "preferences" to take effect.

  5. DavidRa

    Spam can diaf, but this hits actual legitimate senders

    And by legitimate senders I mean things like mailboxes for your helpdesk platform for customers, your CRM etc. Just doing the maths for one app we have, it already has an extended-for-us limit of 2500 external recipients a day and we get to about 30% of the limits on a normal day and 70% on a busy day.

    It's integrated with office 365 because that's where our other mailboxes are.

    And now Microsoft wants more cash for the same function. We could send much more with on prem Exchange when we needed to, but cloud says no. We're not even a huge company - fewer than 20 staff.

    And yes, we'll need to switch to ACS or similar. When the app supports that configuration, which it doesn't now and it isn't on the roadmap - oh yay more development cost because Microsoft wants more profits.
