News

Problems with Microsoft’s Hopelessly Inept Spam Filtering - UPDATED 2021-11-01

UPDATE 2021-11-01:

After chasing Microsoft for over a week, and getting nearly half a dozen boilerplate assurances that the issue was being "looked into" by their "Escalations Team," they still have not fixed the issue, or even so much as provided any reason (valid or otherwise) for having listed our server in the first place. As a result of Microsoft's ongoing failure to address the issue & evident lack of concern for the problems they've created, we have had to implement a workaround, involving using a third-party mail relaying service for outgoing mail for customers who need to correspond with Hotmail addresses. If your EMail is hosted with us and you are currently experiencing this issue, please contact us and we can enable that workaround for your account.

On a related note, due to both Microsof's consistent inability to provide reliable EMail delivery - and the massive volumes of spam that we receive from Microsoft's servers - we will no longer be accepting any customer contact EMail address hosted through Microsoft's free EMail service (which includes Hotmail.com, Live.com & .ca, Outlook.com, and likely others). Over the next few months, we will be reaching out to any existing customers who have provided a Hotmail contact address, so that they may provide an alternate address.
 

ORIGINAL POST:

Last week we started receiving reports from customers that Microsoft is rejecting all EMail from our servers. We are aware of the issue and, while we regularly monitor spam blacklist/IP reputation services to prevent issues like this, unfortunately Microsoft's spam filtering lacks any sort of transparency - meaning we have no way of knowing when they blacklisted our server, or why they did so, or what (if anything) needs to be done to fix the issue. That said, we do actively monitor for issues with our server's "IP reputation" via general-purposes services like MXToolbox that allow monitoring multiple spam blacklists - as well as being registered for Microsoft's "SNDS" and other equivalent services - none of which indicate any issue with our server itself.

We have repeatedly requested that Microsoft provide an explanation for why they've blacklisted our server, but (in both this and previous instances) they have repeatedly failed to do so, or even so much as acknowledge the request. Therefore, all information we currently have indicates that the issue does not lie with our server itself - and that Microsoft is both rejecting legitimate EMail from our server, and has no valid reason for doing so in the first place. We've informed them that, as a result of this problem, they are preventing their own customers from receiving legitimate EMails from (among others) a Meals on Wheels office, a support/advocacy organization for locating missing & abducted children, and two separate charities devoted to providing services for disabled children & their families - but, unfortunately, that does not appear to be of any concern to them.

When first notified of the issue, we submitted a "delisting" request to Microsoft; after being subjected to their usual run-around (where they appear to reject all delisting requests out-of-hand, and only actually investigate/act on them if you hound them about it), we were told that Microsoft had "implemented mitigation" for our IP (AKA removed our server from their blacklist) and the issue would be resolved within 24-48 hours... and that was on October 20th.

Yet five days (and counting) later, they clearly haven't done so - given that they are still rejecting all mail from our server.

So, to re-cap: Microsoft failed to notify us of whatever issue resulted in them blacklisting our server, they've failed to provide any details of their reason for doing so (assuming they even had one in the first place), then they claimed that they had/would fix the issue, but have failed to do that as well. We will continue chasing them to, hopefully, get the issue resolved and will update this post when (if?) anything changes; but at this point, if outgoing mail that you're trying to send is being rejected by Microsoft's servers, the best thing we can suggest is to contact the recipient via other means, and recommend that they consider switching to an EMail provider that prioritizes reliable delivery of legitimate EMail, because Microsoft clearly does not.

If you're curious about the process involved to try to get this issue resolved, here's a brief run-down:

Here's a short tutorial on the steps to take if you discover that your server's IP address has been blacklisted by Microsoft:

1. Follow the standard best-practices, like registering your server for various feedback-loops/abuse-reporting services, monitor for issues using services like MX Toolbox, and quickly resolve any issues that occur, make sure you have proper SPF records and rDNS in place, and... it won't matter. Not only will that seemingly do nothing to prevent Microsoft from blacklisting your server, but they also don't provide any way of monitoring their blacklist so that you can be aware they've listed a given IP, and chances are that you won't find out about the issue until EMails to Microsoft-hosted Mails start bouncing back.
    
2. Start attempting to fix the problem by clicking the link in the error message... except that's not of any use, because amazingly they fail to include any link to the actual delisting request form, and the link just goes to a generic and largely useless explanation of SMTP error codes. So instead, you'll need to Google the process, which will eventually take you to this link: https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75.
    
3. Fill out and submit the form, and then wait. And wait. And then wait some more - expect it to take at least 24 hours to for Microsoft to respond to the request (longer if you submitted it anywhere near a weekend). Since you presumably run your own mail server, while waiting for a response you'll have plenty of time for things like, oh, say, re-reporting spam that you received from Microsoft's servers and that they likely turned a blind eye to (a practice which would almost certainly result in them blacklisting their own servers if their polices were applied consistently, but I digress).
    
4. When you finally do receive a response from Microsoft, it will almost certainly just be a generic canned response saying that they have "completed reviewing the IP(s) you submitted" and as a result of their "investigation," determined that the IP is "Not qualified for mitigation." No explanation of why, or why it was even blacklisted in the first place, just some more generic information on their EMail policies, and a note saying to reply... with information that would have already been provided with the delisting request to have them investigate further.
    
5. After some more waiting... and waiting... and even more waiting, followed by some waiting, you'll finally get another response - almost certainly the exact same response you received earlier, still with no actual details, and most likely not addressing (or even acknowledging) even the simplest questions. At that point, you might as well just re-send the exact same response you sent previously, because it's not as if it's likely to make any difference - we've literally sent them follow-ups containing nothing but gibberish placeholder text, and STILL received the exact same response.
    
6. Finally, after the 3rd or 4th time going through that same run-around - and probably the better part of a week later - Microsoft will change their minds and decree, seemingly at random/for no apparent rhyme or reason, that your server's IP does now "qualify for mitigation" (of course with no explanation of why they changed their minds). Oh, and be prepared for one last bit of waiting, because apparently they can't even remove IPs from their blacklist in under 24-48 hours.
    
7. Send test messages to verify when/if they actually fix the issue, because Microsoft won't provide any notification - and that's if they even do fix the issue. From our recent experiences (see above), it's by no means certain that they will actually will do anything about - even after they've given specific assurance that they will.
    

Comments