Hotmail's antispam measures snuff out legit emails, too

No warning, little recourse


Hotmail users and email server admins, beware: you may be unknowingly caught in the crossfire of Microsoft's war on spam. Unintended casualties include legitimate emails from domains with well-established reputations, which are systematically blocked with absolutely no notice and little recourse.

The chief culprit is the inaptly named SmartScreen, a proprietary spam control technology the software Goliath rolled out to great fanfare several years ago. While the filtering mechanism appears to be making some headway in eradicating Viagra come-ons and nasty phishing attempts, the victory comes at a price: an untold number of legitimate emails are blocked with no warning to either sender or intended recipient.

Compounding the indignity in this well-intentioned campaign, these aggrieved admins say, are Microsoft support people who offer canned responses that acknowledge a domain's email is being blocked but lack the resources to fix the problem.

The complaints come as the spam epidemic continues to fester, with unsolicited email comprising as much as 80 percent of all email, according to some studies. The price we pay in lost worker productivity and increased expenses for network providers are well documented. Less understood is the toll spam is taking on perfectly legitimate communications that go missing with nary a word. Microsoft managers say the spam threat requires they take drastic action and they are working to ensure their new techniques don't block benign messages.

El Reg has corresponded with two admins affected by SmartScreen and has run web searches - here, here and here - that suggest there are plenty others who are experiencing the same problem. In the cases we've checked, these servers are behind domains that are a year or more old, are correctly listed in the DNS and have solid SPF records - excluding the most common reasons a mail server might get blacklisted. They also run on a variety of platforms (including Sendmail and hMailServer), suggesting technical problems with a particular server are not the cause.

One of the admins is James Firth, founder of a UK-based IT consultancy, who began noticing emails sent from his company's relay were uniformly failing to be delivered to recipients with Hotmail accounts.

"They weren't going to a user's Junk mail box, nor were they being bounced," Firth says. "They were simply disappearing!"

So Firth began corresponding with Hotmail support people. After five days of back and forth, a Microsoft employee named Bobbi confirmed that emails sent from Firth's domain, daltonfirth.co.uk, were being "hard filtered" by SmartScreen. And not because they violated some documented technical requirement or contained suspicious phrases that triggered content filters. Rather, they failed to pass conditions buried deep inside SmartScreen that support people declined to share with Firth - out of concern the disclosures would allow spammers to bypass the defenses.

The support team suggested Firth confirm the emails complied to Hotmail technical standards. Firth checked, and they did. The support people also suggested Firth consider enrolling in a fee-based, third-party accreditation service called Sender Score Certified (price tag, according to a different source: $1,400 for the first year). He declined because Microsoft made no guarantees that doing so would solve his problems. More than a week after first discovering the problem, Firth still can't send emails to customers with Hotmail addresses.

"I simply can' believe that someone thought that this was a good idea, and think Hotmail users should be warned that Microsoft are choosing not to send their emails to them!" he says.


Other stories you might like

  • Microsoft postpones shift to New Commerce Experience subscriptions
    The whiff of rebellion among Cloud Solution Providers is getting stronger

    Microsoft has indefinitely postponed the date on which its Cloud Solution Providers (CSPs) will be required to sell software and services licences on new terms.

    Those new terms are delivered under the banner of the New Commerce Experience (NCE). NCE is intended to make perpetual licences a thing of the past and prioritizes fixed-term subscriptions to cloudy products. Paying month-to-month is more expensive than signing up for longer-term deals under NCE, which also packs substantial price rises for many Microsoft products.

    Channel-centric analyst firm Canalys unsurprisingly rates NCE as better for Microsoft than for customers or partners.

    Continue reading
  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading

Biting the hand that feeds IT © 1998–2022