Exchange Online blacklisted


(K Papalia) #1

For the past two weeks an ISP has been blocking all email from our domain. The ISP insists we’ve been blacklisted but won’t tell me where. Microsoft disagrees. Instead they believe it’s a random entry in the ISP’s content filter.

Today a second ISP started blocking our email.

Now that two ISPs are blocking us, I’m more convinced we have been blacklisted. I’ve checked a bunch of blacklist tools and can only find two old references on something called clueless.org. I’ve resubmitted for evaluation. Hopefully they will be resolved.

Is there anyone out there that could help me figure things out - either by recommending blacklist tools I can check or helping me interpret my results? I started by checking the lists referenced by this article. https://sendgrid.com/blog/blacklisted-check-7-popular-blacklists-keep-reputation-intact/

I’ve dealt with black lists in the past when we hosted our own mail server and could affect the change required by the list but haven’t had to worry about that since we moved to Office 365.

I would appreciate any help anyone can provide.


(Alex Conner) #2

In my experience, this is always related to social media or web links inside a signature.


(Alex Conner) #3

To clarify, Exchange Online uses pools of IP addresses - you aren’t given a dedicated IP. In the event an IP in the pool gets blacklisted, that percolates down to a user or tenant level outbound quarantine and the IP is removed from service until the issue can be resolved.

You are likely getting hit on a content match and that content is usually a link to a low reputation URL like a links shortener or other social media property - but occasionally can be a link to your website or other innocuous location.


(K Papalia) #4

The count of ISPs blocking every one of my users is now up to 4. I don’t believe it is content because we’ve reduced our email to plain text and sent simple messages (Subject: Test / Body: Test) and those are blocked too.

I still think we’re being blacklisted but I can’t find it anywhere.


(Alex Conner) #5

If you have an NDR it should tell you what’s causing the blockage.


(Andy Baker) #6

You might take a look at MX Toolbox. There free version will help a lot and there are also different tiers if you need to see more and are willing to pay.

https://mxtoolbox.com/

It could be rogue accounts that are sending as @yourdomain.com to hundreds or thousands of email addresses. We had to reign that in and increase security to only allow email be sent from our domain from either Office 365 and Ministry Platform. Do you use SPF and DKIM?


(James McIlhargey) #7

Check your outbound messages and make sure that none of your accounts has been compromised. I have had accounts with generic passwords compromised and used to forward lots of spam and only noticed the issue when we became blacklisted.

I agree MX Toolbox is a great resource.


(Andy Baker) #8

Oh and the other account we allow to send as @mychurchdomain.com is the Mailchimp account that our Media/Communications manages.
We found that a lot of ministries had their own mailchimp accounts and others sending as theirchurchemail@ourchurchdomain.com.


(Andy Baker) #9

I agree James, it could very well be a compromised account or accounts.


(K Papalia) #10

Thank you for your response. What is an NDR?

MxToolbox domain health errored on on

SMTP banner check - The SMTP banner issued by your email server did not contain the host name we resolved for your servers IP address

SMTP TLS your SMTP server does not advertise support for TLS

DNS SOA expire value A name server will no longer consider itsself authoritative if it hasn’t been able to refresh zone data in the time limit declared in this value

DNS SOA serial number format is invalid

There is a DMARC error

But I don’t know who to take any of this up with.


(K Papalia) #11

Microsoft does not believe were blacklisted. They said that if we had a compromised account they would blacklist us themselves and this is not the case.


(Andy Baker) #12

An NDR is a non-delivery report. You may have heard it referenced as a “bounceback” message from an email that was not delivered. You will find diagnostic information in the body of that NDR that should help in diagnosing why mail is not being delivered.
This should point you in the right direction for the SMTP Banner Check issue.
https://mxtoolbox.com/problem/smtp/smtp-banner-check
MxToolbox suggests as a best practice to manager DMARC, DKIM, and SPF. They offer a product called Delivery Center that will help you work through many of the issues you reported.


(Brad Crawley) #13

I concur with Alex. We used to have our social media links and website link in our Exclaimer signatures and all of a sudden our emails were being sent to SPAM and being blocked left and right. After spending a day trying to figure it out and a conference call with Microsoft, our ISP, Exclaimer, and one of the companies blocking us we finally figured out the links were the issue. We removed them and have not had any issues. It stinks that we can’t use any links in auto-generated signatures, but at least we are no longer blocked.

www.mxtoolbox.com can help you figure out if you are actually blacklisted or not.


(Dave Lopez) #14

Check out Talos… https://www.talosintelligence.com/reputation_center

I’ve had domains/IPs get stuck on their lists that didn’t show anywhere else. It appears that their lists feeds into all sorts of web firewalls too, so getting blacklisted by them can be a real problem.