1. Visit https://olcsupport.office.com/ and submit the complaint.
2. Wait for the auto-reply, followed by the "Nothing was detected" email.
3. Reply to the latter with "Escalate" in the body.
Within a day, they hammer shit in place and the block is removed.
We have implemented mitigation for your IP (51.15.2.26) and this process may take 24 - 48 hours to replicate completely throughout our system.
So thanks to the federated/decentralized design of email, it is totally possible to be part of the network without any special privileges.
We are sending millions of emails every day though, which is quite different to sending a couple hundred personal emails a week. If you’re running this on a cloud host, expect to be blocked by default. However if you can find a small vps provider you’ll have better luck on sending yourself.
But it was really not that much work again. Just unfortunate, because one big Mail provider just discarded instead of rejecting my mails. After this was settled, everything works quite nice again. Important to me is keeping spf, dkim, dmarc and now also mts up to date. See mail-checker.com e.g.
I still wonder though, why some big mail providers do not do dkim/dmarc? I happened to realize this when I started to fight spam and gave incoming mails without dkim/dmarc a high spam score.
A product like this is exactly what I've been looking for with pretty great pricing.
The one thing that this (and most providers) are missing is making email easy to test. I'm about to launch a product where email is critical, and there's no way to send an example email (with a non-test email address) to your service and see that you receive it, without it being sent to the To address.
Better yet, the few providers that do support it charge as if it were a real email, when none of the delivery costs exist on their end (there are infrastructure costs, sure, but there is none of the reputation risk nor need for clean IPs, the reason people use transactional services like these in the first place).
Eventually, most people realize that their Outlook/Hotmail email service is defective because they're not receiving emails, and they migrate to another email service.
Or people realise that DO's current anti-abuse is very insufficient and will move to something else.
DigitalOcean on the other hand started blocking SMTP by default for new customers since June/2022 [1], and thus significantly reduced the amount of spam coming out of their network. That said, they're still not doing enough to stop spam from their network, and they're still a source of spam [2].
I can cryptographically prove the identity of the server (and thus its reputation), and there's no justified reason to block mails based only on the network's IP address, while ignoring all the other factors.
1. https://www.digitalocean.com/blog/smtp-restricted-by-default
They generate a lot of phishing emails (rather than conventional spam). I used to diligently report it to their abuse contact, but they don't seem to care or do anything about it in the slightest.
This is exactly what I've begun telling people and warning friends and family members about. I run my own email... well I run my own ISP at this point and we have our own dedicated block of IPv6 addresses but still rely on IPv4 addresses from our cloud providers and I've started to grow frustrated by the lack of movement by the incumbent email providers that I've started just straight up telling people don't expect any email delivery from me if you're using any provider that still lacks proper IPv6 on their SMTP servers.
It's no longer my problem and I will happily tell people that their email provider is defective and that they need to find a new host. If that is too much for them, too bad so sad not my problem. I did everything I could do. At some point you have to stop trying to work around "Big Cloud" and their nonsense.
Microsoft blocking a mail server and DO being blocked aren't necessarily the same thing.
I service a number of MS accounts (hosted domain and O/H/live.com) and they block mail from small servers I manage - and from (non-major) online services I work with. There are forums I frequent that send verification mails to MS addys that never arrive.
Past that: My last time blocking mail server attacks from DO IPs is today. It's always today and has been years and years. Not just DO. OVH, Psychz and at least a doz more attack with that consistency.
[edit: Post below mentions DO SMTP changes in 2022. DO is still attacky but less attacky is possible. Not sure.]
And not that far behind, Amazon. Amazon is a lot harder because unlike the above, I regularly get legit traffic from them.
This is from DO's own site based on a quick search:
"I am being BOMBARDED, and I mean BOMBARDED with spam from Digital Ocean over 5 spams a day all from the same bunch of domains, all hosted on DigitalOcean and coming from your IPs.
In the last 2 weeks I’ve emailed your abuse mailbox 20+ times and filled in the contact abuse form 10+ times.
NOTHING is being done about it. My next plan of action is to keep posting here until Digital Ocean takes action.
Do you even have an abuse team? are they doing any work at all? I can provide 30 more samples if needed."
Absolutely pathetic - all major providers should blackhole email from DO.
Note that this contrasts to AWS. I was on AWS from flat network days (where folks were running scans internally etc.). AWS responds with a ticket usually to abuse reports and then usually a bit later a note that things have been taken care of.
How does AWS which is FAR larger in IP address space than DO have so much LESS spam coming from their IP address space? Perhaps because they pay a tiny bit of attention to the issue.
* Latency: Hetzner's ping latency is more than double for me
* Switching costs: migrating hosting providers can be time consuming
That said, I agree that DigitalOcean isn't good value for money anymore.
I solved the problem by paying for a next hop SMTPS server as an upstream smarthost for non-local mails. That means my mails come from a subnet that fronts TONS of other servers/domains. That makes it a bigger headache for MS to block.
Sad but there you go. I do not use the external service for inbound. Inbound mails come direct to my server per the MX.
Mailgun has been very good to me, highly recommended.
As it happens, I noticed my mails have gone through just fine in the last months, at least to companies using Microsoft services without me doing anything specific, after I threw in the towel with Outlook. I did switch VPS providers almost a year ago, though to a provider that I expect to be more filtered (ovh).
Several times per year—I can practically guarantee it’ll happen sometime in December, and indeed had to deal with this just five days ago—I end up with a bunch of users whose email notifications stop working because Microsoft have started blocking the entire netrange where my server lives. I don’t have control over other Linode customers, guys! I even wrote extra code to stop sending mail to addresses that start bouncing specifically to avoid blacklisting, so after MS finally processes a blacklist mitigation request, someone also has to go in and re-enable those accounts.
SPF, DKIM, DMARC are all configured; I’ve sent from the same IP address for about a decade; I’ve not once received an email abuse report; mail volume is low (most days, volume does not reach the minimum threshold for SNDS to report data[0]). I’ve never had any other mail provider blacklist my server. SNDS always says everything is OK as I am S3150s. What is even the purpose of SNDS at this point when it lies about what is going on?
[0] P.S. The janky SNDS calendar widget resets the month to the current month every time you click on a date, even if the date being viewed is in a previous month. I don’t have any hope that anyone will ever touch SNDS code again since it was clearly designed in the early 2000s and the copyright on the site is now ten years old, but this is a pretty silly bug.
About the calendar widget thing… man am I glad our team doesn’t own that. No one ever touches legacy stuff cause they’re afraid it’ll break or no one will update but the trick is to file it as an accessibility bug since that gets someone to actually prioritize it since it shows up in reports that the execs read. But dude good luck getting that off the backlog, the one engineer we have who is good at UX stuff (i.e., can code with both quality and velocity instead of just one) has her hands full as is.
You do have control over being a Linode customer though. If Linode isn't doing enough to prevent abuse, they deserve to be blocked.
a) if a mail server looks like it’s gonna send spam, then you gotta block it. I personally have philosophical hang ups about this, like it’d be wrong to sentence someone to prison for crimes they didn’t commit just because a system added up some points and made a prediction with high confidence, but in real life, you absolutely need to be proactive. b) there is literally no way to do this that won’t immediately get abused. Trust me we’ve tried. We make it nearly impossible to get unlocked on purpose because if it was easy, then it’d be like 1 innocent person using it and 99 attackers due to the adversarial incentive structures.
Now ofc there’s more nuance here, we really do want to get it wrong less often, and you do pay us so it’s not fair to blame it all on the bad guys, so I’m grateful for the feedback but I think you should give me even more detailed feedback since there’s not much I can do except give a vague high level explanation unless you help me by being specific.
Why? Why can Microsoft not learn that an IP has been healthy and spam-free for 10+ years and only bother me when actual spam is being sent?
…I think this is just a systemic issue beyond my ability to comprehend, let alone solve, and— I hope I’m wrong about this but honestly when I look ahead it seems the future is only going to get worse for people like you. Which I wish I could phrase in a way that was more kind and respectful, it’s not what anyone wants, these unthinking scars inflicted on email as a medium.
But what I can do is make sure that it’s not worse for you, specifically. If I was perfect I’d attack this rot at its core, but I’m not, so I’ll just solve the problem in front of me even though I know it doesn’t scale and hope God forgives me. Get in touch with me directly and I’ll figure out how to make sure you don’t have to jump through those hurdles again.
What's the rationale there?
E.g. Known bad domains, known bad IP addresses, incorrectly set up DKIM / SPF, no reverse DNS, non-matching reverse DNS, and that's before even looking at content to determine whether spam.
My hot take is that this prolly won’t last because every org descends to doing a creepy level of data collection eventually so I have a textbook on privacy preserving ML downloaded for when we join the “surveillance but we found a way to make it technically legal” squad. We haven’t done that yet though.
What do you mean by tiers, exactly?
Does MS ignore IP reputation in cases where the domain has a good reputation?
How would you go about getting a new domain and an IP address from a public cloud provider working consistently?
I've had issues with outlook when it comes to new domains and IPs, but after some time it works. I do however usually have more email than a personal server so what's the best way - if such a thing exists - for a personal server that has much lower volume of mail to be trusted?
There isn’t a quick way, by design. You need to wait a minimum period and meet some predicates, and the organized scammers already know what the period is via empirical testing but I’m not comfortable disclosing details of those predicates for disorganized scammers to use. More so because I’d definitely get into trouble for it than due to any belief in security via obscurity. Cushy job makes you risk averse.
Since I can’t share any of the tricks, some general advice— the main thing that matters is a long track record of good behavior. You can end up in a vicious cycle where you fight the system when it punishes you and then it doubles down on the beatings— this is bizarre and kafkaesque and happens all the time. What you want is for there to be two-way communication, if it’s unbalanced with traffic being broadcast but no one engaging with it, that’s going to be cracked down on sooner than if recipients reply.
> Delivery to xxx@outlook.com failed with error: outlook-com.olc.protection.outlook.com. said:...
He got error messages? I get mail silently dropped.
MS drops mail from my reputable mail servers - and from rep svs that send mail to MS accts I manage.
I've been using the same /29 network for over 15 years now. There's no nearby adjacent networks that are on any blacklists.
I monitor blacklists on a regular basis.
No marketing. The domains I run are strictly personal and projects. I monitor volume and all kinds of stuff. I know there's nothing like spam or any kind of marketing going outbound.
It's astonishing how honest Microsoft is when I send them an email telling them to unblock. They literally just admit that they never had reason to block the domain/IP and they unlist it for a few years and then it goes back on their list.
It's become apparent that they blacklist by default.
Fortunately I only run into the occasional idiot who uses Hotmail or live.com.
How can we as ESPs respond to them appropriately with removal of these people who don't want our emails anymore, if we don't know who the user is?
If there are any GMAIL service team members here, I would LOVE to know why a feedback loop was never implemented like the other providers.
Yes, it "works" for most people, but it also has the effect of entrenching the incumbent large email providers and preventing more independent providers from cropping up.
The current method is very lazy and collectively punishes a lot of innocent email providers for the crimes of the abusers.
1. Don't send spam
2. ???
3. Profit!
Literally _all_ email that I've blocked has been from companies where I uncheck the box "send spam to me" and the company sends it anyway, or where the company thinks "oh this guy bought stuff from us, we can now send our daily/weekly/fuckly marketing spam!" or "we got your email from whatever shady place, and now we're sending you our information because you're in our industry" or stupid shit like that.
Gmail does not have a "block everything from this domain feature". I would love to block whole domains from my gmail account. Alas, I run my own email server to achieve it.
In my opinion, the internet would be much better if none of the big players ever entered it, including Google, Facebook, Yahoo, etc, and it would allow for many more decentralized and valuable commons like email.
When I last helped manage a mail server for a small business (late 2000's) SPAM was an absolute mess. You can really see why Azure etc has consumed on-premise Exchange.
The massive downside is they are the deciders of who gets through their gates, and if you're on their shitlist, good luck.
We've been spammed and scammed into thinking this is true. Sadly, Gmail is actually worse than competitors and especially worse than running your own email server.
This means we need organizations to host e-mail for people. In a capitalist system, that means companies, and it leads to consolidation and monopolization. So far, governments have been seemingly uninterested in going after the large e-mail providers for anticompetitive practices; maybe that should change. But as long as those anticompetitive practices only really affect individual hobbyists who wanna host their own e-mail, while business interests are unaffected, I don't see this changing.
I think the government SHOULD go after consolidation such as Google, and that traditional anti-trust law is insufficient to combat the dangers of large tech companies.
This is precisely because traditional anti-trust laws only look after large PROPORTIONS. In today's modern economy, due to its size, we have a danger that we've never seen before: large ABSOLUTE size, which was never a problem in history as it is today.
Therefore, we need new laws that go after absolute size, as well as large proportions (traditional anti-trust).
No, a "capitalist system" does not lead to consolidation and monopolization.
What? Spam existed long before the big tech was around (admittedly the first Spam was probably from DEC, but before 'big internet tech' existed anyway) - it grew because of the amount of people/consumers on the internet. And credit where credit's due: getting rid of spam was very time consuming until Google came out with one of the first effective filters.
How could this have been possible? Like there must have been some outside regulations in the late 90s/early 2000s. Maybe as an effect of the dotcom bubble?
Also it’s a good theory but doesn’t fit the capitalist picture at all.
If there had been significant populations with sufficient upload capacity, and ipv6, then there could have been a market for network devices that operated out of people’s homes under their own control.
Not that this would have ensured that big players would not exist, but it could have technically allowed a solution to be innovated.
The other option I can think of is a federal government provided email utility using post offices for identity verification and stiff penalties for spam/malware, to create a “trusted“ network, as opposed to using opaque processes from Google/Apple/Microsoft/Meta to create a “trusted” network.
I now use AWS SES to handle mail delivery. It's free for up to 200 daily messages which is fine for me.
It is also not uncommon for companies to either have a local Exchange Server or use the mail service at their hosting provider. If everything is configured correctly, delivery works fine.
Experiences obviously differ, but it’s unclear where the differences stem from, apart from long-term IP reputation.
It is potentially more that those with problems are more likely to speak up than everyone else just posting "works fine for me" a thousand times over.
I haven't had many deliverability problems with self-hosted things. I set it up right, and I get the emails I expected to get. So there's now two of us saying "works fine for me."
> have one at a smaller mail provider
a) [hosted] Mail provider
b) Server (colo/dedicated/VPS/whatever) provider
Choose one.
> not uncommon for companies to either have a local Exchange Server
Yes and it's a PITA to pull it out of the lists of some shitheads, like SpamHaus.
Source: guess it
There are actually horrid lists like BackScatterer and UCEProtect that you can't even properly contact. So in comparison SH is super pleasant.
- Self hosting is a bit elitist - not for the masses.
- A paid-for option (proton, tutta,…) would be cataloged as elitist. People perceive email as free.
- A free option provided by a Corporate player will gravitate towards monopolies and lack of privacy.
- A free for life government issued, easy to recover digital point of contact where all your government interactions are pointed towards would be a great step. You could still have a separate one if you don’t trust big brother, but at least your “recovery” address would be secure for life.
You could create a public alias of the form firstname.lastname.n@eesti.ee, but creation of those was ended in 2018 and they were shut down in November 2023. [1]
[0] https://www.eesti.ee/en/using-the-state-portal/terms-of-noti...
[1] https://www.eesti.ee/en/closing-alias/closing-alias
When your marital status changes, isn't that a notification that goes from you to the government, and not the other way around?
I don't know how you can make something like this "easy to recover" without introducing giant security problems.
The problem is that the SSN is treated as a password when it should be treated as username.
Knowing first.last at gmail.com gives you nothing much, security-wise. Knowing I'm 123456789 at ssn.usps.com wouldn't be that much different, though given the limited search space, it would be an easy target for spammers. (Perhaps expanding from nine digits to something bigger (16+, see perhaps ISO/IEC 7812) would be useful, though there'd have to be a lot of work to update systems, even though they're not short of numbers.)
In a similar way for instance that you would recover a lost, stolen, or accidentally destroyed US passport (but presumably cheaper).
Whatever mess you think SSNs have caused by their unintended use outweighs the previous system. The simple test for that is, why do people use SSNs as it's not legally required for anything but USG interactions.
You’ll have a lot of distrustful Americans commenting how terrible this idea is and the government can’t be trusted. They’d rather get it from a corporation and be subjected to unlimited surveillance capitalism and manipulation.
The idea was to put guarantees like identity, delivery receipts and stuff into an email system, so it can be used for legally binding communication.
However it failed for various reasons (privacy concerns as it purposely had no e2e, usability restrictions, cost, ...)
[1]: https://techcrunch.com/2016/08/24/encryption-under-fire-in-e...
At least in my country I know for a fact that data which should be legally private is used by political party plans and by the police.
But I do freak out about losing my domain name where my email is hosted, or access to an iCloud / gmail account that a lot of services are anchored about.
Two months ago LinkedIn did not like me changing my 2FA client, and locked me out for a month. I have over 5.000 contacts and was chasing a few leads to change jobs. I can tell you it is cold outside. Nobody provides support. I had to leverage a friend who knew someone at LinkedIn to sort it out. I hear being locked out of Google, MS and Meta is also bad.
I have an .ac account for life that is my “last resort” recovery, but having a government provided email for secure recovery purposes would feel reassuring.
The era of PII as a commodity is coming to a close. The writing is on the wall for this.
Once that happens, free email will vanish. Poof. Gone. So will many other "free" online things.
This period of most people getting free email is really quite short historically. A decade.
(Many people used to get email addresses from their ISP, which were part of their paid plan)
I wonder what will happen when gmail goes paid. It's going to happen, and I expect so regionally (eg, not the EU zone or some such) within 5 years.
A lot of people depend upon said free email, and as much as I dislike Google, they have absolutely zero obligation to give anything away.
They've spent the last few years moving classes of accounts to paid. They've been closing down accounts which seem dormant.
Soon... a year maybe?, I think we'll see some sort of precursor change. A reduction of storage for free accounts, or number of emails you can send, or something.
I do agree from a long perspective free email has been somewhat short. But I'm not sure about scoping it to just a decade. It was easy to get a Gmail account in 2004, that's close to 20 years ago. And Gmail wasn't even the first free email host, loads of people used other free email services like Yahoo (1997), Hotmail (1996), Lycos (1997), and others. 1996-2024 is 28 years, close to three decades.
Is it? Most people, including nomads & unhoused, seem to have smartphones these days (at risk of theft, but arguably easily replaceable). And 4/5G/PublicWifi connectivity in urban areas is so saturated.
I wonder, is it reasonable for me to want government investment and legislation (but no other state interference) into some open source server project that we can run on our phones for this? (heck, give us mesh network functionality too while you're at it).
And am I reasonable in my (left-leaning thought) that, like sexual health consumables, mobile phones should be subsidised by tax revenue, along with other necessities/'empowering tools'?
1) Permanent allocation of names and numbers
2) Interoperability standards and rights allowing us to link names and numbers to service contracts.
Once these issues are regulated in a consumer/citizen friendly way (like they did with phone numbers in the UK), governments could provide some sort of default service on top of it, but in my view this is not the most important part.
Just like a "free" government option?
It's mostly intended for receiving anyway.
This way you can sign up to a third party email service and use your permanent and guaranteed government one as a recovery address
Can you provide a link?
Now, of course, you shouldn't be organizing a criminal conspiracy or in general much anti-government protests over the mail or government-owned email. But the majority of communication is quite benign, and so having a government email for the 80% use case (bills, party invites, holiday wishes, etc) would be great. You can use a separate service for your more sensitive communication.
The reality is that it is about as exciting as getting your paper postal mail delivered in your physical mailbox.
https://epic.org/postal-service-surveillance-program-targete...
You can complain on the forums about how unfair life is, how incompetent companies are, fight every provider to prove your reputation until cows come home,… Or you can pay someone to handle that for you. It’s a no-brainer. The whole discussion is moot.
You pay your plumber to plumb, your builder to build, and email delivery company to deliver your emails. Trying to DIY everything is a waste of everyone’s time.