On 2022-11-22 at 05:54:21 UTC-0500 (Tue, 22 Nov 2022 11:54:21 +0100)
Cyril - ImprovMX via mailop <cy...@improvmx.com>
is rumored to have said:

Hi!

I would appreciate your help on a bad issue we are having.

We are facing a very large amount of connections from Outlook, in the order of 50k connections per minute (whereas the second "most active" server is
at 100).

Upon investigation, we discovered that one of our users is a mass-sending
email service (such as Mailgun; it seems legit in itself),

LOL.

Mailgun sends a LOT of spam. I reject their traffic by default. No complaints.

"Seems legit" is obviously in the eye of the beholder...

and they created
one domain per client to handle bounce reports, such as sp-bounce.{client's
domain}.

Is that within the bounds of your service terms for that customer?

If not, and/or if you're not able to deliver all of those bounces to them (AS YOU SHOULD) then you need to talk to them about changing their behavior or finding a provider willing and able to abet their behavior.

Since the MX of these domains points to our server, any bounce report sent is sent to our server. (Our service is a forwarding email, so once we get the email, we forward it to the above user). (I'll add a comment on this
right after)

The problem is that I don't see how we can stop Outlook from sending all these bounce reports to us. I thought about updating the SPF to block that
sender from including us, but we don't manage their DNS.

Right now, what we've done is to stop accepting connections from a sender (in this case, Outlook) after an abnormal amount of connections per a given period, but this doesn't avoid the fact that Outlook still tries to connect to us massively, and also impacts our regular users that receive emails from
Outlook senders legitimately.

That's very bad.

Your customer should be accepting and dealing with every single one of those bounces. If part of that is your job, you are preventing them from the most basic good practice for senders. If you can't handle it, you should tell your customer that honestly. What you are doing now is harming their reputation as a sender, and they may (or may not) care a lot about that.

What I'm hoping by reaching out to you is to hope someone has already faced something similar and has some suggestions on how to mitigate - or ideally
block - this.

Firing customers is sometimes necessary. It is better for everyone involved than quietly providing shoddy service, as you are now.


This could be a pretty well DDoS attack done by mail servers.

Yes. It may even be intentional. Or just ignorant. Talk to your customer.


On the comment above regarding the bounce report being sent: That is my
suspicion, by looking at the domain names (sp-bounce), the email it
receives, and the sender activity. But maybe there is another logical
explanation I'm missing!
I mean, to have 50k connections per minute to deliver bounce reports means that the running campaign must be in the order of millions of emails just
for Outlook!

No. It could well mean that they have terribly dirty lists and have convinced MS that none of their mail should be delivered because they are spamming. In some cases, MS365 rejections for spamminess happen after MS accepts the message at their boundary but rejects when attempting final delivery due to customer-specific filters. You may be seeing a broad judgement from the people your customer is spamming.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
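
Added example, not part of the thread or of any poster's code: one way to see whether a bounce flood reflects dirty lists or policy rejections is to parse the delivery-status part of each bounce (RFC 3464) and tally the RFC 3463 status codes. The sample message, its addresses and the function names are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
# Constructed sample DSN (RFC 3464); every address and hostname is a placeholder.
SAMPLE_DSN = """\
From: postmaster@mx.example.net
To: bounce-123@sp-bounce.client.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery has failed to these recipients.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; alice@recipient.example
Action: failed
Status: 5.7.1

Final-Recipient: rfc822; bob@recipient.example
Action: failed
Status: 5.1.1

--b1--
"""
# RFC 3463 subject field: x.1.x = addressing, x.7.x = security or policy.
SUBJECTS = {"1": "bad-address", "7": "policy"}
def classify_dsn(raw):
    """Return (recipient, status, category) for each failed recipient in one DSN."""
    rows = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        # The stdlib parser yields one Message per header block; block 0 is per-message.
        for block in part.get_payload():
            if block.get("Action", "").strip().lower() != "failed":
                continue
            status = block.get("Status", "").strip()
            rcpt = block.get("Final-Recipient", "").split(";", 1)[-1].strip()
            fields = status.split(".")
            cat = SUBJECTS.get(fields[1], "other") if len(fields) == 3 else "other"
            rows.append((rcpt, status, cat))
    return rows

def summarize(dsns):
    return Counter(cat for raw in dsns for _, _, cat in classify_dsn(raw))
```

A tally dominated by `bad-address` points at list hygiene, while one dominated by `policy` points at receivers rejecting the mail itself.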
