Email blocklisting: A Christmas gift from Microsoft that Linode can't seem to return Microsoft appears to have delivered the unwanted Christmas gift of email blocklisting to Linode IP addresses, and two weeks into 2022 the company does not seem ready to relent. Problems started as large chunks of the world began packing up for the festive period. Complaints cropped up on Linode's support forums when customers …
While of of the reasons for the range block may be down to the use of servers for things Micrsoft doesn't approve of (pop-up servers are just as likely to be used for spam as they are for load balancing or VPNs), there's no doubt that Microsoft is keen to drive as many people as possible towards its increasingly proprietary mail service. This probably isn't the cause here but you can imagine the Microsoft support droids telling people that the problems wouldn't happen if they used Microsoft 365…
Unless you are a convicted monopolist operating under an agreement with the feds and you block a competitor to a service that you have just announced in your latest financials as a major profit center.
Then you can expect a distinctly different look from the judges compared to Spamhaus - especially if you sue them in th eeu
I have been asking them to remove my block (can't send to hotmail, office.com) for a year, my IP has been clean all this year, and yet they refuse and won't remove it.
So I don't find this is temporary. It is arbitrary and capricious, that is an easy way to be detrimental to independent mail servers, and force them to use third party services to send email.
Sure, in fact I recommended that to the EFF as Microsoft under the pretense to control spam, blocks most IP addresses from competitors like Digital Ocean, Linode, OVH and similar companies.
Microsoft is so dirty on its practices, that you can get blocked even when your IP is clean in overr 50 SBL, DBL and Spam Lists like SpamHaus. Don't even try to ask for removal in Microsoft Block Lists, they won't do it.
I don't know. My OVH server ended up in a blocklist because of the "bad neighbourhood" network I was connected to. I contacted the MS Postmaster, went through their resolution process, described what mitigations I had on my specific dedicated IP, and it was unblocked in 48 hours (although other ip's on the subnet I knew of remained blocked), so for me that specific process works.
Now, what doesn't work is when Microsoft Defender on Office 365 decides your mails that get into a MS managed inbox (either via O365 or Outlook.com) have links that "contain viruses" because you have a redirected link. Even if your link is clean, your systems clean, in no blocklists, all security scans you can imagine come up negative, you complain on the O365 forums about a false positive, get sent to the postmaster, who tells you "we don't manage Defender, so we can't help you", and you can't do anything while all your clients are raising hell but wait and hope that they fix their false positive on their own...
I think Linode is one of the lower risk VPS providers. Their default is ot block outgoing connections on ports needed to send email, and they require proper DNS config and manual intervention to allow it. I was actually thinking of moving to Linode as less likely to get blocked!
MS are the main problem for people running their own mail servers. I have been running my own mail server for the last few months and MS have been the only problem I have had to deal with. If you look at forums where people ask for help with blocks, its almost always MS that seem to block people who are not spamming, and often sending low volumes.
In my case I seem to be blocked by Hotmail but not by MS 365, so its not that bad.
Very accurate your Microsoft depiction, MS is totally arbitrary on this issue. Their support forums are full of situations like you mention, even their own customers are reporting that without reason, suddenly they are being blocked and MS refuses to remove them from their list.
Micorsoft are the worst of the big Clouds on this issue and totally opaque on their motives.
Flame on...
Not really, I doubt whether there's anyone who'd seriously disagree. (Hope is a different matter.) The problem will come when "big" becomes "very big" or even "top <N> for single digit N". One would hope there would be an anti-trust/monopoly action against the big providers before that happens, but that's in the lap of the gods or the pockets of the politicians (and I don't believe in either).
"How many thousands of spam complaints did Linode ignore before getting blocked? A quick search shows that they have active problems."
You can't run a service where users can send out packets of any kind without getting people sending spam. I'm sure they do have spammers using their systems. However, this doesn't mean they're unusually helpful to spammers. Microsoft also has spammers using their systems, but I doubt they would be very happy to have Azure's IP blocks shadow-banned.
Office 365, Outlook.com and Hotmail.com utilise Azure. And not some small, reasonable section earmarked for email traffic, but the _entire_ Azure netblock. Spammers also utilize Azure. Funny that you cannot block the Azure netblock for SPAM without automatically killing off Hotmail & Office 365. Almost like MS wants that spammy business...
I reported SPAM from Linode IP's for months and didn't even get any response from Linode at all. Same IP's over and over again.
Linode created this problem. Having an abuse group to look into SPAM and other ToS/AUP violations costs money. Not having one costs nothing....in the beginning. Eventually it causes issues and then it a lot harder to fix the problem as it has gotten so big.
The same can be said for Microsoft IP's and SPAM. Microsoft has at least three different groups you can report abuse too, but they each only handle certain Microsoft products/services. So if you send to the wrong group, nothing will get done. The Whois information is also not accurate for which is the correct abuse group to contact.
The best is Microsoft blocking SPAM reports as they view the message as SPAM but they were more than happy to accept the message in the first place and not treat it as SPAM.
Well, if this is the case, make sure that you have an IT consultant on-board to assist when things go wrong.
Which incidentally takes us full-circle. The reason to go with Big Provider appears often to be so you can ditch your IT consultant(s).
Going back to my opening para. One of my customers who bought a "toy" (your word, not mine) email server from me was having problems receiving email from one of their customers (a global name, let's call them Big Company). I got involved in trouble-shooting and found that Big Company had out-sourced their email to Big Provider. By the sounds of it Big Provider provided no support as to potential mail sending/delivery problems... Thank you for your subscription, you are now on your own... I pointed out a glaring error in their config which meant that it was touch and go as to whether their emails would be successfully received or not - so it might have taken some time before they sussed out something was wrong. Having rectified that I got a nice thank you email from them.
This is the danger. When Big Providers are all the choice that is available, who is going to point out and fix the problems as they arise?
In our company we have had to buy a mail gateway from GOOG and one from MSFT. It costs more to pocess the GOOG and MSFT invoices than what the products themselves cost, but whatever.
Our MTA is now configured :
- mail goes to MSFT managed mail => routed via paid MSFT mail gateway
- mail goes to GOOG managed mail => routed via paid GOOG mail gateway
- mail goes to self-hosted managed mail => routed via our SMTP
We thought this solution would solve our problems, we hoped.
Now, our legitimate mail spamness score is downgraded because the MSFT gateway estimates that we don't send enough emails, so this looks suspicious, and the IP address of the GOOG mail gateway has itself a very much fluctuating intra-day trust ratio, so the spam filters on the receiving end send legitimate mails into the SPAM Inbox.
This is very, very frustrating to say the least without employing any curse word appropriate to the situation.
Yup, had to register a company mail name at Outlook and GMail, as currently less than 50% of business customers appear to receive emails.
There are zero bounce messages. Some go into spam folders, but others just disappear.
It doesn't seem to matter whether they come via my hosting or via the telecoms fibre ISP.
DKIM doesn't seem to have helped.
I assume that this reflects companies using one of the two to provide the email service, and those two have been ratcheting up a default policy to reject anything that originates from all other servers. The commercial interest in enforcing a duopoly is pretty evident.
My domain name hosting partner offloads mail handing to a ?big? aggregate provider. Despite my domains impeccable reputation, my email to folks on Hotmail sometimes gets blocked (by Hotmail) because of the bad behaviour of others using the same provider at the IP address level of that provider. Not much to be done except moan to domain name provider and send email again in a few days when the landscape changes. I only send about 10 emails per day but the reputation of the sending domains seems to count for nothing.
Until someone on a different IP but in the same block sends out a lot of spam, and someone decides to ban the whole ASN or subnet. It's not a logical thing to do, but it happens all the time. The same way some people will firewall off an entire country just because they get bots running from those addresses; it's opening a nut by driving over it but sometimes people are too lazy to do it properly.
Yes, MS seems to have difficulty getting its servers into the DNS, and does not seem to care that the SMTP RFC requires that machines sending email are in the DNS. Some of MS's servers are in the DNS, so not all emails get rejected by Gmail, and by other providers which enforce the letter of the RFC. The random nature of the problem makes testing difficult.
Strangely @work, which only recently transitioned to O365, does not think that this is an issue at all.
As someone else running their own server, I've found that enforcing DNS accuracy will result in lots of legitimate mail being rejected because there's an awful lot of supposedly professional IT and Network people out there who can't cope with the basics. And if you try and report the problem, often you'll come up against people who take the attitude that because it works with "real" email services (i.e. Google and Microsoft) then it must be my server that's at fault regardless of any evidence you point them to which says otherwise.
> MS seems to have difficulty getting its servers into the DNS, and does not seem to care that the SMTP RFC requires that machines sending email are in the DNS.
Not malicious, just incompetent. Incompetent, incompetent, incompetent!
As msobkow says, MicroSoft has never taken email -or- DNS seriously. (Not invented here?)
Back in the 2006 era, my university started enforcing DNS back-match on incoming email, and about 5% of MS-box emails were being rejected. Users thought _I_ was blocking them! (I didn't even touch the servers, just desktop support.)
This was in a spam epidemic (we didn't yet know how bad spam would get) so blocking un-DNS IPs was a very valid thing to do, to take load off our tightly funded mail server.
Over several weeks, the university postmaster and I documented a large block of MS IPs that were sending email but not registered in DNS.
My impression was that MS was replacing about 5% of their email machines every month, but NOT putting the replacements on the old IP (one logical process). When someone eventually noticed that only 99% of emails went through (maybe 1 in 5 destinations were checking IP/DNS) they appointed a geek to try to figure it out. And frequently they fixed the ONE machine the geek had found, and ignored the larger problem. (I did once see ~~200 MS DNS updates at once, but that geek musta been promoted {or left} because it never happened again.)
My off-the-record advice to senders was "skip MS-Mail, use Gmail." Not that Gmail is fault-free but they do think about things like DNS and IPs. MS may have lost many email customers in that period.
My website and email are hosted by a small company (with which I have excellent first-name relations) who are in turn hosted by Linode. During 2020 my emails to Gmail and other Google-managed addresses was going astray, with no error reports or accessible blacklist. My hosting company gave me advice but couldn't fix it, so I re-routed my outgoing email. I don't know whether Google has yet un-blacklisted this IP address.
Google has a regular issue with 250 OK'ing incoming mails but silently dropping them between their incoming gateway and the inbox, even when the mail is clean, with a years long reputation on a dedicated IP range that has never given problems in the past and no suspicious activity at all. All we can do is get our deliv team to try to talk to Google's postmaster, and get the client to contact Google's support with the 250 OK acceptation from google and ask WTF.
Getting assistance is marginally better if you are a gsuite client, but it's still touch and go...
Sending email directly from a cloud-hosted server isn't the best practice. You're better off going with a reputable mass email provider because enforcing very strict policies on emailing will mostly prevent this from happening. With Linode, you could be sharing IP address ranges with any number of bad actors, but with an email provider, they watch and make sure their customers aren't sending mass scam emails and the like so you'll much less likely to have this issue.
I know you are taking the piss but there is no reason to show any ankle to a connection. Mine all say something like:
220 smtp.example.co.uk OK
They don't list OS, mailer daemon name, version and inside leg measurement.
My weapon of choice is Exim and I see it runs (or did in the past) on z/OS from a quick search 8)
There's no blue suit icon but this looks appropriate ------------------------------->
I have a server that can send emails or act as a VPN endpoint. It has a dedicated IP. I'm the only one who can use it. It shouldn't matter what the person who controls my IP + 1 is doing. If they're spamming, block that address, not the address block or the hosting provider altogether.
Also, you may be overestimating how much other providers are monitoring to prevent spam. I don't get a lot of spam, but it often comes in from addresses controlled by email systems rather than home-run mailservers. Sometimes it's basic GMail addresses. Sometimes it's from an Office 365 account they've gotten access to. Often, it's from a domain provider they've just used to set up the endpoint for the phishing link. In each case, it's a place that can't be blocked because too many other users use it. Because of this overeager approach to spam prevention, the spammers can still do their thing, but individual mailservers are restricted. This is harmful and unproductive.
I can narrow that down. That number is in the range from 750 to below 900.
We (our company) were since october under a persistent spam/virus attack from MS asian datacenters / O 365 IPs. That averaged to about 1 million connection attempts per day (about 10 times of our normal load, but not hindering, we are used to some interesting load surges). Sometimes way more, some day less. Automatic scoring got about 10000 IP addresses per day to "will not accept" levels.
Geolocation rate limiting had to be enabled for all countries in the asian MS datacenter vicinity. They even used up IPv6 at an astonishing rate. MS support was asleep on the helm.
And then shortly after log4j hit us -- it stopped. All affected countries dropped of the daily top 50 list and that has never happened in the last 10 years. And I had just gotten permission to let our DDOS provider handle it (their approch is more ham fisted, but sometimes you need a sledge hammer)
Log4j gave is much grief, but this was a good side effect.
The only email traffic I ever receive from Linode is SMTP auth attempts and spam attempts to non-existent accounts. In an ongoing process I am slowly gathering all of their network ranges and blocking them from making any sort of email connection to my systems. Not once have I ever had a legitimate email from any Linode host.
You don't say whether it a personal server or to do with business. But to say you haven't received any legitimate email from a Linode server, does not mean you won't every do so in future.
What if in the future an important email from some who does use Linode to send their email can't get through because you have blocked it?
So I'm supposed to leave my systems open to SMTP auth and spamming attempts from Linode hosts to allow for a maybe one day in the future I might get a legitimate email from there? In YEARS I have never received even one useful legitimate email from a Linode host. I will cross the hypothetical problem if and when I encounter it. That's my problem, not yours.
The basic problem with cheap VPSs from companies like Linode is that management of many of these systems is in the hands of people who lack the knowledge and experience to manage a UNIX (or UNIX-like) system. They have bought into (or have been sold) the idea that Linux is magically secure, and that keeping their systems secure is as easy as apt-something or yum-something. The result of this blatant miss-selling of Linux is compromised hosts used to send spam, used to make SMTP auth attempts, etc. That is what I see. For somebody knows how to manage a UNIX system, Linode is a good solution.
Welcome to El Reg; the home of cynical sysadmins the world around and congratulations on your first two posts.
Do you actually individually check the IP for each and every email you've ever received and if it's spamming or not? Because I have to say that running my own spam filter myself that appears like an immensely huge amount of work to go through and find all emails from a particular IP range and then determine that they are all spam, as that's going to have to be done manually and banning IP ranges is always subject to a high level of false positives.
What tools did you use to do the checking?
>> Do you actually individually check the IP for each and every email you've ever received and if it's spamming or not?
Not for spam attempts, but we do for SMTP auth attempts. As far as I'm concerned that is in a different category from spamming, because somebody is deliberately trying to compromise an account on our systems. Even a tiny shell script doing whois lookups will show you this is not such a big task, and the network ranges are then extracted and used to create firewall rules for the ranges.
We have never had a false positive for a SMTP auth attempt. We can identify every case of this. Not one of our customers or end users is using a Linode box to try and send authenticated SMTP email via our systems. We did try using automated blacklists for SMTP auth failures (actually we still use them), but it's pointless for Linode. As I keep on pointing out, we have never had even one legitimate email from a Linode box. Not a single one. So it's easier for us to block them all and then ignore them.
"So I'm supposed to leave my systems open to SMTP auth and spamming attempts from Linode hosts to allow for a maybe one day in the future I might get a legitimate email from there?"
That's what I would recommend. Use something more targeted to deal with the spammers themselves. Fail2ban is a good starting point, and you can build on that or custom-build your system if it's not good enough. That locks individuals out without having to ban everything. Your system should be secure enough that you don't need to eliminate bot probes to keep them out, and assuming it already is, then you don't need to go nuclear on background noise.
Then you're not going to get email from me, since my personal domain (25+ years now) is hosted in Linode and I run a clean domain on an IP address which is pretty damn static.
Yes, I understand your frustration, but I'm not the problem!!!! Sheesh.
Use postscreen, do temporary blocks.
Now I do admit in a fit of honesty that I should probably put my DNS into Linode's hands so that I can get the forward and reverse DNS entries to match up. That would hopefully help.
But honestly, I'm don't generate spam, I'm a 90% incoming only server, if not higher.
Don't bother curating your own lists. Use a proper job like "Lashback" which is a monster, so if you load it into a firewall, make sure you have enough RAM allocated for a whopper of an ipset.
pfSense has the magnificent pfblocker-ng (use the devel version) which makes managing IP and DNS lists quite easy.
I have a small mail server running on a Linode VPS. It was up and down as to whether emails got delivered. Google, Microsoft and Apple were the most likely to refuse delivery. I traced the block to UCEPROTECTL3. I looked into their policy, as all the other blacklist sites were fine. Turned out that although MY IP address was clean, as were all other in the subnet, I still get marked as spam because I'm with Linode. They are asking for £20pm to whitelist my IP. Sounds like a protection racket to me. Thankfully, the server is so low volume I can use a reputable mail forwarder for next to nothing.
Rant over
That sounds like a fine admission of guilt should someone decide to take MS to task over it. Banning a whole competitor and then offering to unblock their clients for a fee is ... beyond dodgy, especially given some of the legal undertakings they made to make their previous legal problems go away.
As much as people will love to bash Microsoft for this, it's been going on for years. Someone will have reported an IP or range of IPs and it will have gone on to a blocklist without anyone ever checking why it was reported or if it's a genuine spammer.
I used to see this about once every 6 months, common issues were a malicious report of a BT smarthost IP to the usual blacklist providers, or after that when cloud providers started to become a thing both Message Labs and GFI MaxMail were also very quick to block IPs for a single report and very reluctant to take them back off again.
@idiot taxpayer
I recollect fax-spam was a problem back pre-millennium. Is that still a thing?
I actually miss the days when I could run everything off a phone and a fax (voluntary sector).
I'm assuming that your business must be in a good niche and that you have long term customers. Best of luck with it.
I run a server with just ONE email user – a friend of mine with a small business – who sends no more than a few emails a day in total. Despite this, about every six months Microsoft blocks the IP address, citing unspecified bad behaviour.
We've got DKIM and SPF set up. Searching the server logs reveals nothing suspicious. Microsoft flat-out refuses to tell us anything at all about why we've been blocked. No other spam blocklist shows us as blocked, and even Microsoft's own tools (JMRP and SNDS) give us the all-clear.
The only way to get unblocked is to follow a back-and-forth dance through the Microsoft help system (they always refuse to do anything at first, you have to send an annoyed reply) and wait a few days.
I suspect that the reason is that our IP address sends so few emails, it's being reclassified as a newly-in-service IP address. But Microsoft won't tell us anthing, so that's just a guess.
Long thread here: https://github.com/MicrosoftDocs/microsoft-365-docs/issues/592
The reputable, responsible blockers can give you the time and date when you triggered their block, without giving too much away.
Your friend might be falling foul of a "backscatter" event to a honeypot, for example.
Same, I run and small web/email host for some small business's in a small town in northern ontario. Running since 2006, no issues with email. All setup with DKIM, SPF, DMARC, the works. Using an open source spam solution (mailcleaner) for years, prior to that Barracuda Email Security.. Never had an issue.
One day, users report issue with emails, same issue as the article. Event offered to have the agents remotely connect to show the issue, they remoted in, and proceeded to uninstall my antivirus saying it was causing the issue. After months of back and forth, frustrated customer, I was forced to change external Ip's for clients, and the host in general. Still working on IP rep now, daily battle to get back to the stability I had before. I had logs, proof of an MS Issue, but they refused to look at it or work with me.
I'm going to use the "Secret List" that was mentioned, archiving this article as ammo for my next battle with MS.
>"Requesting to delist via their automated portal doesn't work as it claims the IPs aren't blocked,"
I've often found (and I'm sure other have) when systems (especially Windows 10) do this a good option is to throw the switch to force an update down the chain ie. get all the ducks in a row, and then throw the switch back again to force another update cascade.
That won't work except with a very small number of tech savvy users - small enough that MS won't g.a.s.
MS customer contacts MS to complain. MS tell then that the problem is with the sender's system. Unless the user is both tech savvy AND persistent, that's as far as it will get and it will still be down to you to fixfind a workaround for MS's sh*t.
Perhaps some email providers should - even if only for an hour - ban Office365 emails, with an autoresponder stating, "Your email has not been delivered because you are using Office 365" and an explanation of why. Also stating, "Please contact Microsoft to get your email address unblocked".
Might get their attention for their incompetence and anti-competitive tactics.
Whatever happened to simply just sending messages to the spam folder?
And what do you really think will happen ?
Customer complains, MS tells then that it's a fault with your service, unless a tech savvy user who is very persistent, then they'll simply take MS's word for it and assume you don't know your SMTP from your USB. So you look bad in the minds of your customers.
I've had this problem in the past with AOL - blanket block for all "residential" and "dynamic" ranges. I was in a group and one of the group members was with AOL. The fact that I could not send email to him was my fault - not his fault to get AOL to unbreak their system, but my problem to sort out. Because fo the nature of the group, "sorry, can't communicate with you" was not an option. For a long time I did have a reject for anything AOL that told the sender to ask AOL to unbreak their system (not that I dealt with anyone else on AOL). IIRC it was a couple of years before (yet another) session browsing around their user-unfriendly help pages found me a method for asking for my IP to be unblocked.
As for the spam folder, you may well ask.
Many people I know simply assume that if it's in that folder then it's spam. Select all, delete - or just right click and empty (whatever their MUA does). But it would be one step better than accept it with a "yes, we'll deliver that" SMTP response before silently deleting it. But that latter is what ALL the big players do, it's fundamentally broken, but they've persuaded enough of the population that it's "a good idea" that people don't understand just how broken it is.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
