Microsoft is limited to receiving 100 emails per day?



  • I had the following conversation with someone at our ISP a while back.

    From: abuse@isp.com
    To: admin@customer.com
    Subject: Internet Abuse Complaint -- IP address 1.2.3.4


    Attention Customer,

    There has been a complaint received by our security team indicating that an IP address traced back to your cloud instances. Blah blah blah, make sure your machines are not compromised... refer to the report below.

    The Report:

    ISP has received reports of unusual mail activity coming from your connection. Over 90% of mail to certain domains are being flagged as Spam. This is likely due to malicious software running on a pc behind your router.

    IP Address: 1.2.3.4
    For period: 1/8/2018 1:00 AM to 1/9/2018 12:00 AM
    Potential Spam Attempts: 106
    Message Recipients: 106

    Me: Oh crud... I keep on top of security updates and have monitoring on that server. This can't be right.

    From: quijibo@customer.com
    To: abuse@isp.com

    That IP address is our main external mail server that handles all contact with our customers. If ISP is doing any monitoring of network traffic that would be expected as we are in the middle of a seasonal increase in sales.

    That said, I do understand that abuse of servers to send spam is serious so I will investigate immediately.

    Do you have access to any emails (with headers) that were reported as spam to the abuse team?

    Their reply:

    From: abuse@isp.com
    To: quijibo@customer.com

    The report you received is forwarded to ISP from Microsoft’s Smart Network Data Services (SNDS). The SNDS is a service provided by Microsoft which is responsible for analyzing and reporting on spam sent to mail hosted by Microsoft, such as Hotmail, MSN and Live accounts.

    Please note: SNDS reports are created and compiled by Microsoft. ISP does not create these reports nor determine what content is considered spam. Because of this, ISP is unable to request removal from SNDS or provide samples of the alleged spam.

    So I dug into that server and looked for anything unusual, and I found nothing obviously wrong. I counted up the number of outgoing emails to @hotmail.com addresses. We sent receipts to 114 customers who provided an @hotmail.com address. That doesn't count all of the other domains that Microsoft owns.

    I sent that information back to our ISP, letting them know that we can easily send 100+ emails a day to customers who sign up for services on our site. They didn't reply to my follow-up. So that's the end of that, right? Hah!

    A week later...

    From: abuse@isp.com
    To: admin@customer.com
    Subject: Internet Abuse Complaint -- IP address 1.2.3.4

    Attention Customer,

    There has been a complaint received by our security team indicating that an IP address traced back to your cloud instance has been abused in some way affecting other servers or users. You will find more information in the attached document.

    (Attached Word file:)

    ISP has received reports of unusual mail activity coming from your connection. Over 90% of mail to certain domains are being flagged as Spam. This is likely due to malicious software running on a pc behind your router.

    IP Address: 1.2.3.4
    For period: 1/15/2018 6:00 AM to 1/16/2018 1:00 AM
    Potential Spam Attempts: 105
    Message Recipients: 105

    Okay, I'm beginning to see the pattern here.

    From: quijibo@customer.com
    To: abuse@isp.com


    To whom it may concern,

    The report indicates that we sent 105 emails to Microsoft servers on January 15. As I explained before, we have 10,000 active users on our site, so sending 105 emails to Microsoft servers in a day is not unusual or malicious, and certainly not enough traffic to "affect other servers or users".

    Please provide direct contact information from the originator of these reports so that we can verify what specific activity is triggering the report, or whitelist our IP addresses with ISP's security team so that we do not continue to receive these erroneous claims.

    The response:

    From: abuse@isp.com
    To: quijibo@customer.com

    The report you received is forwarded to ISP from Microsoft’s Smart Network Data Services (SNDS). The SNDS is a service provided by Microsoft... blah blah

    Word-for-word identical to last time. My solution? Prevent users from using a Hotmail email address when they purchase services on our site. Problem solved.

    But seriously, 100 emails sent to Hotmail in one day triggers an alert from Microsoft? And no one at our ISP can comprehend how ridiculously low that number is, and therefore take that alert as a sign of a compromised server.



  • I don't think preventing Hotmail addresses would be enough, as there are other domains that go to the Hotmail servers, e.g. @live.com, @outlook.com, including domains with the country-level code (@live.co.uk).

    A quick search turned up some similar results about Outlook and Gmail send limits, but also this from https://postmaster.live.com/snds/FAQ.aspx

    IP Address
    This is the IP address of the machine that caused the activity displayed. In some cases, this may be the public address of a Network Address Translation (NAT) system, in which case there may be one or more machines behind that IP and there's no practical way for our systems to distinguish them. Be aware that mail traffic and spam data may not be present for IPs which sent less than 100 messages on the given day.

    From https://postmaster.live.com/pm/services.aspx#Section1, to me it sounds like warnings are only generated when a significant number of emails you've sent are being marked as junk

    Smart Network Data Services
    A free service that provides high-level insight on how users are rating the email they receive and the health of your IP space as viewed by the Outlook.com system

    • Provides easy online registration and access to data
    • Improves understanding of how our filters rate your email
    • Reveals how many users complained about your email
    • Learn more at [:wtf: the link is missing. Seems like it's meant to be http://postmaster.live.com/snds, as below in the ISP Section]

    Seeing as it's free, you could possibly sign up on SNDS and get access to better reports/data on why you're getting the warnings. While not the best solution, I get the feeling that having additional SMTP servers at other (different public) IP addresses would skirt around the issue.
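
The cross-check described in the first post (comparing the report's message count against the server's own deliveries), extended to the other Microsoft-hosted domains listed in the reply above. This is an added example, not code from any poster; it assumes Postfix-style syslog lines, and the sample lines, the label list and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Domain labels named in this thread (assumed list, not exhaustive). Matching on
# the first label also catches country variants such as live.co.uk, but it can
# not see custom domains hosted by Microsoft; those need an MX lookup.
MS_LABELS = {"hotmail", "live", "outlook", "msn"}

# Postfix-style delivery line: timestamp, queue id, recipient, final status.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>,.*\bstatus=(?P<status>\w+)"
)


def is_microsoft_hosted(address):
    """True when the first label of the recipient domain is in MS_LABELS."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain.split(".", 1)[0] in MS_LABELS


def count_deliveries(log_lines, start, end, year):
    """Count status=sent deliveries to Microsoft-hosted domains in [start, end)."""
    per_domain = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "sent":
            continue  # deferred and bounced mail never reached the recipient
        # Syslog timestamps carry no year, so the caller supplies it. The
        # report's time zone is not stated; server local time is assumed here.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if start <= ts < end and is_microsoft_hosted(m["rcpt"]):
            per_domain[m["rcpt"].rsplit("@", 1)[-1].lower()] += 1
    return per_domain


_RELAY = "relay=mx.example.net[192.0.2.10]:25, delay=1.2"
SAMPLE_LOG = [  # constructed lines, not taken from the thread
    f"Jan  8 00:30:00 mail postfix/smtp[2101]: 3F2A1C0A: to=<e@hotmail.com>, {_RELAY}, status=sent (250 OK)",
    f"Jan  8 01:02:11 mail postfix/smtp[2101]: 3F2A1C0B: to=<a@hotmail.com>, {_RELAY}, status=sent (250 OK)",
    f"Jan  8 09:30:45 mail postfix/smtp[2102]: 3F2A1C0C: to=<b@live.co.uk>, {_RELAY}, status=sent (250 OK)",
    f"Jan  8 10:00:00 mail postfix/smtp[2103]: 3F2A1C0D: to=<c@example.org>, {_RELAY}, status=sent (250 OK)",
    f"Jan  8 11:15:20 mail postfix/smtp[2104]: 3F2A1C0E: to=<d@outlook.com>, {_RELAY}, status=deferred (451 try later)",
    f"Jan  8 23:59:59 mail postfix/smtp[2105]: 3F2A1C0F: to=<f@hotmail.com>, {_RELAY}, status=sent (250 OK)",
]

if __name__ == "__main__":
    # Window from the first report: 1/8/2018 1:00 AM to 1/9/2018 12:00 AM.
    window = (datetime(2018, 1, 8, 1, 0), datetime(2018, 1, 9, 0, 0))
    counts = count_deliveries(SAMPLE_LOG, *window, year=2018)
    for domain, n in counts.most_common():
        print(f"{domain:15} {n}")
    print("total", sum(counts.values()))
```

A total close to the report's "Message Recipients" figure indicates the report is counting the server's ordinary deliveries rather than extra traffic from a compromised host.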



  • Do your emails have the usual stuff like DKIM and SPF?



  • @wft said in Microsoft is limited to receiving 100 emails per day?:

    Do your emails have the usual stuff like DKIM and SPF?

    Unfortunately (and despite their claims to the contrary) that doesn't seem to help with Microsoft.

    I have similar problems delivering to Microsoft addresses. Mail tends to vanish into a black hole, despite DKIM, SPF and DMARC. SNDS has never reported a problem. I don't have any difficulties with other mail destinations, only Microsoft.

    I've given up and just advise the minority of my users with Microsoft addresses to use a different email provider.






  • @spencer said in Microsoft is limited to receiving 100 emails per day?:

    I don't think preventing Hotmail addresses would be enough, as there are other domains that go to the Hotmail servers, e.g. @live.com, @outlook.com, including domains with the country-level code (@live.co.uk).

    We actually disallow @hotmail. , @live. , @outlook. , @skype. which covers most of the variants for Hotmail addresses. So far that has been enough to keep our ISP from complaining again.

    A quick search turned up some similar results about Outlook and Gmail send limits, but also this from https://postmaster.live.com/snds/FAQ.aspx

    IP Address ...

    The IP address that the ISP sent to us is the public IP of our external mail server. It is behind a 1:1 NAT so no other systems will start outgoing connections from that public IP.

    From https://postmaster.live.com/pm/services.aspx#Section1, to me it sounds like warnings are only generated when a significant number of emails you've sent are being marked as junk

    Smart Network Data Services ...

    We only send receipts to our customers when they pay for a service. That email contains their username and where to log in to get started (but presumably they know to go back to our site to log in). Some users may tag that email as junk but I doubt that most have.

    What is most likely happening is that Microsoft's spam filter is automatically tagging our receipts as junk because they all look similar to each other, and even worse SNDS then uses the feedback from their spam filter false positives to trigger on.

    You can't use one bad filter's output to train another filter on what is spam or not. That's why I asked for specific emails that users have submitted and not what some filter thinks is spam (before getting the reply about SNDS).

    Seeing as it's free, you could possibly sign up on SNDS and get access to better reports/data on why you're getting the warnings. While not the best solution, I get the feeling that having additional SMTP servers at other (different public) IP addresses would skirt around the issue.

    Why should that be my problem to figure out why SNDS is alerting our ISP? If I am confident that our server is not sending spam (and I realize that there are a lot of servers that do get compromised) then I don't really care if my ISP wants to subscribe to SNDS. Just stop forwarding them on to me and everyone is happy.



  • @wft said in Microsoft is limited to receiving 100 emails per day?:

    Do your emails have the usual stuff like DKIM and SPF?

    We have SPF but not DKIM. As @japonicus also said, it doesn't seem to matter in my experience. I know for many years now a few of our emails get lost in Hotmail accounts (like when replying to someone who has emailed our support address). But that situation is rare and for the most part if people use Hotmail and need to interact with us everything seems fine.



  • @quijibo said in Microsoft is limited to receiving 100 emails per day?:

    We only send receipts to our customers when they pay for a service. [...] What is most likely happening is that Microsoft's spam filter is automatically tagging our receipts as junk because they all look similar to each other, and even worse SNDS then uses the feedback from their spam filter false positives to trigger on.

    Implying Microsoft's spam filter has never seen a receipt before. Or a newsletter. Or any other legit templated email.

    That's why I asked for specific emails that users have submitted and not what some filter thinks is spam (before getting the reply about SNDS).

    Why should that be my problem to figure out why SNDS is alerting our ISP? If I am confident that our server is not sending spam (and I realize that there are a lot of servers that do get compromised) then I don't really care if my ISP wants to subscribe to SNDS. Just stop forwarding them on to me and everyone is happy.

    These two statements seem incongruous with each other. Either you want to know why your emails are being considered spam, or you don't. I daresay a number of your potential customers may not have an alternative, non-Hotmail address and may be frustrated enough at not being allowed to use (and having to set up another somewhere else) it that they'd take their sale elsewhere. It literally costs you nothing but a little time to sign up, you'd get to learn why they're being filtered and improve your service for everyone. Not to mention bragging rights within your company for being the one that worked it out.


  • Notification Spam Recipient

    @spencer said in Microsoft is limited to receiving 100 emails per day?:

    It literally costs you nothing but a little time to sign up

    I tried just now. I guess I'm just special because I happen to use shared hosting, but it's literally impossible to sign up, therefore it costs infinite time to sign up.

    Granted, this is not the same situation as @quijibo, but "literally costs" is very subjective here.



  • @tsaukpaetra said in Microsoft is limited to receiving 100 emails per day?:

    @spencer said in Microsoft is limited to receiving 100 emails per day?:

    It literally costs you nothing but a little time to sign up

    I tried just now. I guess I'm just special because I happen to use shared hosting, but it's literally impossible to sign up, therefore it costs infinite time to sign up.

    Granted, this is not the same situation as @quijibo, but "literally costs" is very subjective here.

    "Literally costs nothing" because the service is free. Do we still flag posts for pedantry around here?

    Anyway, shared hosting is fine. From the Access Control page
    [image]

    So, other than :doing_it_wrong: I don't see what's preventing you.


  • Notification Spam Recipient

    @spencer said in Microsoft is limited to receiving 100 emails per day?:

    Anyway, shared hosting is fine. From the Access Control page
    [image]

    So, other than :doing_it_wrong: I don't see what's preventing you.

    [image]

    How about "None of the DNS-authoritative contact addresses goes to me, because shared hosting"?



  • @spencer said in Microsoft is limited to receiving 100 emails per day?:

    It literally costs you nothing but a little time to sign up, you'd get to learn why they're being filtered and improve your service for everyone.

    I would like to know why mail is being blocked, I am signed up to SNDS, but it has never given me any information about delivery problems - it always reports that everything is fine.


  • Considered Harmful

    @japonicus said in Microsoft is limited to receiving 100 emails per day?:

    I would like to know why mail is being blocked, I am signed up to SNDS, but it has never given me any information about delivery problems - it always reports that everything is fine.

    Yeah, MS is fucking awful with their email. I worked for abuse@ at one of Europe's largest ISPs shortly after most big ISPs introduced Feedback Loops—when one of their users marked something as spam that they had originally gotten from you, it would promptly be returned to a special email account so you could dissect the header and LART the sender. Really effective concept and quite popular, only MS didn't participate because they're special. And they tried the same shit with their templated standard mails on us until our mail admins started bouncing their customers' mails for a couple of hours with a message saying something like "sorry, mail from Hotmail to this account is currently not deliverable, please contact MS customer service".
    That escalated quickly, then we got a contact address with an actual human behind it ^^



  • @spencer said in Microsoft is limited to receiving 100 emails per day?:

    Implying Microsoft's spam filter has never seen a receipt before. Or a newsletter. Or any other legit templated email.

    Not so. If our receipts look spammy because of some words used, formatting, or whatever triggers their spam filter, then that is what it is. Other receipts, newsletters, or whatever else may not look like spam. But you have to know "for sure" that you are looking at spam or ham (based on whatever your definition of spam is) before training your SNDS alert to fire off a report saying "I think I have seen 100+ spam messages from you and therefore your server is compromised".

    Why should that be my problem to figure out why SNDS is alerting our ISP? If I am confident that our server is not sending spam (and I realize that there are a lot of servers that do get compromised) then I don't really care if my ISP wants to subscribe to SNDS. Just stop forwarding them on to me and everyone is happy.

    These two statements seem incongruous with each other. Either you want to know why your emails are being considered spam, or you don't. I daresay a number of your potential customers may not have an alternative, non-Hotmail address and may be frustrated enough at not being allowed to use (and having to set up another somewhere else) it that they'd take their sale elsewhere. It literally costs you nothing but a little time to sign up, you'd get to learn why they're being filtered and improve your service for everyone. Not to mention bragging rights within your company for being the one that worked it out.

    I think you are assuming that I care why SNDS is alerting my ISP and therefore should sign up for SNDS. I don't care why it is sending out reports. False positives are a fact of life, they aren't a big enough problem to impede our ability to sell services, and there is an acceptable work-around, which is for the customer to look in their junk folder.

    Of course the big-wigs have discussed this topic already and have decided that it is not worth the time to investigate further after that first report. There is always a cost of time input to solving the problem. Furthermore, even if we did sign up for SNDS, there is no guarantee that we can solve whatever is causing them.

    TLDR: I don't want the SNDS reports and for now don't care why Microsoft is complaining. We took the first complaint from our ISP seriously and now that I am sure we are not spamming (aside from false positives), I don't want our ISP to keep forwarding false alarms to me.


  • Java Dev

    @quijibo said in Microsoft is limited to receiving 100 emails per day?:

    Not so. If our receipts look spammy because of some words used, formatting, or whatever triggers their spam filter, then that is what it is. Other receipts, newsletters, or whatever else may not look like spam. But you have to know "for sure" that you are looking at spam or ham (based on whatever your definition of spam is) before training your SNDS alert to fire off a report saying "I think I have seen 100+ spam messages from you and therefore your server is compromised".

    I wouldn't be too surprised if they're flagging it all as spam based on 'We've had 100 emails from that domain this week, and they're all effectively identical'.


  • Notification Spam Recipient

    @pleegwat said in Microsoft is limited to receiving 100 emails per day?:

    @quijibo said in Microsoft is limited to receiving 100 emails per day?:

    Not so. If our receipts look spammy because of some words used, formatting, or whatever triggers their spam filter, then that is what it is. Other receipts, newsletters, or whatever else may not look like spam. But you have to know "for sure" that you are looking at spam or ham (based on whatever your definition of spam is) before training your SNDS alert to fire off a report saying "I think I have seen 100+ spam messages from you and therefore your server is compromised".

    I wouldn't be too surprised if they're flagging it all as spam based on 'We've had 100 emails from that domain this week, and they're all effectively identical'.

    If they were encrypted they wouldn't be identical 🚎

