Identifying possible email sending / relay security breach

Discussion in 'Server Operation' started by tfboy, Dec 1, 2021.

  1. tfboy

    tfboy Member

    I have my server running ISPConfig with multiple domains and emails. All had been working OK.
    As of a couple of days ago, all of a sudden, I appear to have been blacklisted by Microsoft's email servers with emails bouncing, returning with
    550 5.7.511 Access denied, banned sender
    I have already been through the process of de-listing my server's IP from the banned list. When I completed, it said IP wasn't on the banned list which has left me confused.
    I left if for a day, but emails are still being rejected. I have now opened another ticket.

    As far as I'm aware, my server is "secure" in that it's not an open relay (following the secure perfect server guides), and I certainly haven't done anything to be flagged. My server's IP and all the domains I host are not on any of the blacklists in

    But as I have several customers with domains and email boxes, it could be that one of their email accounts is used a lot suddenly which has caused the red flag, maybe sending out mailing lists to hundreds of people, or some emails have been received and the recipient has decided to flag as spam and MS has now blocked my IP?
    Is there an easy way of troubleshooting and identifying potentially compromised email accounts without having to ask the owners' permission? Is there anything else I should be looking at?
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    join their junk email reporting programme, and smart network data services.
    will give some insight into what is getting classed as spam etc. (which is when you find out your entire mailserver is banned from sending to them for sending a grand total of 9 possible spam emails (not 100% spam, just possibly spam) over a 12 month period. :mad:)

    other than that, install and configure pflogsumm, that'll give you daily reports of the mail going through your mailserver, so you can identify high volume senders. or keep an eye on your mailqueues for spikes, or large queues. see if what's in the queue is all coming from, or going to the same domain. if you do identify a high volume sender in your mailqueue, then looking at the headers (postcat -q <queue id> should show you where the mail was created.
    tfboy likes this.
  3. tfboy

    tfboy Member

    Thank you for the detailed answer. I'll look into that.

    I have just received a human response from MS:


    Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number x which was opened in regards to your delisting request.
    The IP address you submitted was placed on our block list due to a high volume of spam-like traffic destined to our customers.
    We will be escalating this request to our Anti-Spam Team to investigate the IP address's traffic history and current activity. They will then make a decision on whether or not to delist the IP address. This process typically takes one business day.
    We will contact you again once we have the results of the Anti-Spam Team's investigation.
    Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.

    I'd really love to know what triggered their spam. I was in an ongoing email conversation which was fine and the ona further reply from me, it bounced having been blacklisted. I have emailed some other people also using o365 for email and it's working so it looks like the ban is selective or people have different levels set, I don't know...
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I know from my own experience with delisting systems from Microsoft Blacklists that MS seems to have at least two completely independent antispam systems, one is for hotmail (and probably some other consumer mail / free mail services) and one seems to be for corporate o365 users.

Share This Page