Re: [mailop] Microsoft spam folder issue (Forefront?) for a specific IP

2017-04-27 Thread Michael Wise via mailop



For Office365 issues, I will try to assist where I can, but must be … vague in 
some instances.
For Hotmail issues, step #0 is always to fill out the form.
Them’s the rules.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Open a HotMail 
Ticket<http://go.microsoft.com/fwlink/?LinkID=614866>?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Stefano Bagnara
Sent: Thursday, April 27, 2017 12:36 AM
To: mailop <mailop@mailop.org>
Subject: Re: [mailop] Microsoft spam folder issue (Forefront?) for a specific IP

On 26 April 2017 at 22:43, John Stephenson <johnstephenso...@gmail.com> wrote:
I've only received templated, non-responsive responses from Microsoft's 
ticketing system over the past two months.  Replying with additional detail and 
requesting escalation does not appear to be effective.

Michael W. kindly helped me off-list, thanks!

Turned out I was looking at "the last straw"/"the last drop" while the main 
"junk-classification" cause is not the IP but a domain shared between the 2 IPs.

Stefano

On Wed, Apr 26, 2017 at 12:27 PM, Stefano Bagnara <mai...@bago.org> wrote:
Hi all,

I have an issue with email *delivered* but to the *spam folder* to Microsoft 
(both Hotmail/Outlook.com and Office365/Exchange online platforms).

I already used the form (Microsoft ticket is SRX1383552039ID) but I keep 
receiving human but "standard" responses asking me the SMTP error (even if I 
start telling them the email is delivered to their spam folder and I also 
attach full message headers) or telling me to use SNDS and JMRP (that I already 
use).

I send the very same email from 2 completely different IPs, one IP deliver it 
correctly, the other, instead, ends up in the spam folder.

Microsoft replied that the IP is not listed/blocked in any way from them but 
they didn't provide any hint why one IP is able to deliver it in inbox while 
the other is not able to do that (they both delivered to inbox in past).

The IPs are transactional, have less than 500 messages per day (to microsoft) 
and are "Green" and with no complaint and no spam traps in the last 90 days in 
the SNDS report. SNDS in "IP Status" says "All of the specified IPs have normal 
status."

I see the one delivered to inbox have the following headers added by microsoft:
SpamDiagnosticOutput: 1:5
SpamDiagnosticMetadata: Default:2
X-Microsoft-Antispam-Mailbox-Delivery:
  
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;dest:I;WIMS-SenderIP:213.XXX.189.13;WIMS-SPF:app%2eredacted%2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%40gmail%2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted%2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140);

While the one being classified as spam has this header:
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: Default
X-Microsoft-Antispam-Mailbox-Delivery:
  
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;dest:J;WIMS-SenderIP:188.XXX.188.64;WIMS-SPF:app%2eredacted%2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%40gmail%2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted%2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140)(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;

On office365 I see

X-Forefront-Antispam-Report: 
IP:213.XXX.189.13;IPV:NLI;CTRY:IT;EFV:NLI;SFV:NSPM;SFS:(8196002)(3158022)(300031)(106034)(438002)(596005)(286005)(189002)(199003)(47976999)(429011)(54356999)(43066003)(7636002)(50986999)(2501003)(400107014)(356003)(110446001)(85226003)(146002)(19627405001)(966004)(19618635001)(106466001)(1096003)(7846003)(74482002)(84326002)(125075)(606005)(7906003)(53416004)(6486002)(118246002)(7596002)(6392003)(733005)(42882006)(6916009)(7066003)(6506006)(34003)(564073)(1981051)(33646002)(9686003)(345071)(53346004)(173073)(25786009)(8676002)(6306002)(236005)(500011)(110136004)(6512007)(2351001)(54896002)(956001)(50919006);DIR:INB;SFP:;SCL:1;SRVR:DB6P193MB0232;H:ms13.redacted.it;FPR:;SPF:Pass;MLV:nov;MX:1;A:1;PTR:ms13.redacted.it;LANG:it;

vs

X-Forefront-Antispam-Report: 
CIP:188.XXX.188.64;IPV:NLI;CTRY:IT;EFV:NLI;SFV:SPM;SFS:(8046002)(3158022)(106034)(300031)(438002)(286005)(596005)(189002)(199003)(125075)(42901000

Re: [mailop] Microsoft spam folder issue (Forefront?) for a specific IP

2017-04-27 Thread Stefano Bagnara
On 26 April 2017 at 22:43, John Stephenson 
wrote:

> I've only received templated, non-responsive responses from Microsoft's
> ticketing system over the past two months.  Replying with additional detail
> and requesting escalation does not appear to be effective.
>

Michael W. kindly helped me off-list, thanks!

Turned out I was looking at "the last straw"/"the last drop" while the main
"junk-classification" cause is not the IP but a domain shared between the 2
IPs.

Stefano

On Wed, Apr 26, 2017 at 12:27 PM, Stefano Bagnara  wrote:
>
>> Hi all,
>>
>> I have an issue with email *delivered* but to the *spam folder* to
>> Microsoft (both Hotmail/Outlook.com and Office365/Exchange online
>> platforms).
>>
>> I already used the form (Microsoft ticket is SRX1383552039ID) but I keep
>> receiving human but "standard" responses asking me the SMTP error (even if
>> I start telling them the email is delivered to their spam folder and I also
>> attach full message headers) or telling me to use SNDS and JMRP (that I
>> already use).
>>
>> I send the very same email from 2 completely different IPs, one IP
>> deliver it correctly, the other, instead, ends up in the spam folder.
>>
>> Microsoft replied that the IP is not listed/blocked in any way from them
>> but they didn't provide any hint why one IP is able to deliver it in inbox
>> while the other is not able to do that (they both delivered to inbox in
>> past).
>>
>> The IPs are transactional, have less than 500 messages per day (to
>> microsoft) and are "Green" and with no complaint and no spam traps in the
>> last 90 days in the SNDS report. SNDS in "IP Status" says "All of the
>> specified IPs have normal status."
>>
>> I see the one delivered to inbox have the following headers added by
>> microsoft:
>>
>>> SpamDiagnosticOutput: 1*:5*
>>> SpamDiagnosticMetadata: Default*:2*
>>> X-Microsoft-Antispam-Mailbox-Delivery:
>>>   abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;
>>> *dest:I*;WIMS-SenderIP:213.XXX.189.13;WIMS-SPF:app%2ered
>>> acted%2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%40gmail%
>>> 2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted
>>> %2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140);
>>
>>
>> While the one being classified as spam has this header:
>>
>>> SpamDiagnosticOutput: 1:*22*
>>> SpamDiagnosticMetadata: *Default*
>>> X-Microsoft-Antispam-Mailbox-Delivery:
>>>   abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;
>>> *dest:J*;WIMS-SenderIP:*188.XXX.188.64*;WIMS-SPF:app%2eredacted
>>> %2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%40gmail%
>>> 2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted
>>> %2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140)
>>> *(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;*
>>
>>
>> On office365 I see
>>
>> X-Forefront-Antispam-Report: IP:213.XXX.189.13;IPV:NLI;CTRY:IT;EFV:NLI;
>>> *SFV:NSPM*;SFS:(8196002)(3158022)(300031)(
>>> 106034)(438002)(596005)(286005)(189002)(199003)(
>>> 47976999)(429011)(54356999)(43066003)(7636002)(50986999)(2501003)(
>>> 400107014)(356003)(110446001)(85226003)(146002)(
>>> 19627405001)(966004)(19618635001)(106466001)(1096003)(
>>> 7846003)(74482002)(84326002)(125075)(606005)(7906003)(
>>> 53416004)(6486002)(118246002)(7596002)(6392003)(733005)(
>>> 42882006)(6916009)(7066003)(6506006)(34003)(564073)(
>>> 1981051)(33646002)(9686003)(345071)(53346004)
>>> (173073)(25786009)(8676002)(6306002)(236005)(500011)(110136004)(
>>> 6512007)(2351001)(54896002)(956001)(50919006);DIR:INB;SFP:;*SCL:1*
>>> ;SRVR:DB6P193MB0232;H:ms13.redacted.it;FPR:;SPF:Pass;MLV
>>> :nov;MX:1;A:1;PTR:ms13.redacted.it;LANG:it;
>>
>>
>> vs
>>
>> X-Forefront-Antispam-Report: CIP:188.XXX.188.64;IPV:NLI;CTRY:IT;EFV:NLI;
>>> *SFV:SPM*;SFS:(8046002)(3158022)(106034)(
>>> 300031)(438002)(286005)(596005)(189002)(199003)(
>>> 125075)(429011)(7066003)(43066003)(53346004)(
>>> 606005)(42882006)(1981051)(6916009)(956001)(500011)(
>>> 110136004)(6506006)(236005)(6306002)(146002)(733005)(
>>> 564073)(6512007)(54896002)(9686003)(356003)(966004)(
>>> 8676002)(7596002)(32003)(7906003)(1096003)(173073)(
>>> 6392003)(50986999)(7846003)(54356999)(400107014)(
>>> 7636002)(6486002)(110446001)(74482002)(2501003)(345071)
>>> (25786009)(84326002)(33646002)(47976999)(53416004)(85226003)
>>> (2351001)(106466001)(19627405001)(118246002)(
>>> 50919006)(69026009);DIR:INB;SFP:;*SCL:5*;SRVR:AM5P193MB0225;H:mx64.
>>> redacted.it;FPR:;SPF:Pass;MLV:nov;MX:1;A:1;PTR:mx64.redacted.it;
>>> *CAT:SPM*;LANG:it;
>>>
>>
>> Both IP are used since more than an year, with almost constant volume and
>> the first IP was working "fine" until a couple of days ago.
>>
>> From the 2 couple of headers I guess the problem is the IP itself but
>> Microsoft support simply told me something like they "don't see anything
>> 'offhand' that would prevent email from my IP from reaching 

Re: [mailop] Microsoft spam folder issue (Forefront?) for a specific IP

2017-04-26 Thread John Stephenson
I've only received templated, non-responsive responses from Microsoft's
ticketing system over the past two months.  Replying with additional detail
and requesting escalation does not appear to be effective.

On Wed, Apr 26, 2017 at 12:27 PM, Stefano Bagnara  wrote:

> Hi all,
>
> I have an issue with email *delivered* but to the *spam folder* to
> Microsoft (both Hotmail/Outlook.com and Office365/Exchange online
> platforms).
>
> I already used the form (Microsoft ticket is SRX1383552039ID) but I keep
> receiving human but "standard" responses asking me the SMTP error (even if
> I start telling them the email is delivered to their spam folder and I also
> attach full message headers) or telling me to use SNDS and JMRP (that I
> already use).
>
> I send the very same email from 2 completely different IPs, one IP deliver
> it correctly, the other, instead, ends up in the spam folder.
>
> Microsoft replied that the IP is not listed/blocked in any way from them
> but they didn't provide any hint why one IP is able to deliver it in inbox
> while the other is not able to do that (they both delivered to inbox in
> past).
>
> The IPs are transactional, have less than 500 messages per day (to
> microsoft) and are "Green" and with no complaint and no spam traps in the
> last 90 days in the SNDS report. SNDS in "IP Status" says "All of the
> specified IPs have normal status."
>
> I see the one delivered to inbox have the following headers added by
> microsoft:
>
>> SpamDiagnosticOutput: 1*:5*
>> SpamDiagnosticMetadata: Default*:2*
>> X-Microsoft-Antispam-Mailbox-Delivery:
>>   abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;
>> *dest:I*;WIMS-SenderIP:213.XXX.189.13;WIMS-SPF:app%2ered
>> acted%2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%
>> 40gmail%2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2e
>> redacted%2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140);
>
>
> While the one being classified as spam has this header:
>
>> SpamDiagnosticOutput: 1:*22*
>> SpamDiagnosticMetadata: *Default*
>> X-Microsoft-Antispam-Mailbox-Delivery:
>>   abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;
>> *dest:J*;WIMS-SenderIP:*188.XXX.188.64*;WIMS-SPF:app%2eredacted
>> %2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%
>> 40gmail%2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2e
>> redacted%2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140)
>> *(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;*
>
>
> On office365 I see
>
> X-Forefront-Antispam-Report: IP:213.XXX.189.13;IPV:NLI;CTRY:IT;EFV:NLI;
>> *SFV:NSPM*;SFS:(8196002)(3158022)(300031)(106034)(
>> 438002)(596005)(286005)(189002)(199003)(47976999)(429011)(54356999)(
>> 43066003)(7636002)(50986999)(2501003)(400107014)(
>> 356003)(110446001)(85226003)(146002)(19627405001)(966004)(
>> 19618635001)(106466001)(1096003)(7846003)(74482002)(
>> 84326002)(125075)(606005)(7906003)(53416004)(6486002)(
>> 118246002)(7596002)(6392003)(733005)(42882006)(6916009)(
>> 7066003)(6506006)(34003)(564073)(1981051)(
>> 33646002)(9686003)(345071)(53346004)(173073)(
>> 25786009)(8676002)(6306002)(236005)(500011)(110136004)
>> (6512007)(2351001)(54896002)(956001)(50919006);DIR:INB;SFP:;*SCL:1*
>> ;SRVR:DB6P193MB0232;H:ms13.redacted.it;FPR:;SPF:Pass;
>> MLV:nov;MX:1;A:1;PTR:ms13.redacted.it;LANG:it;
>
>
> vs
>
> X-Forefront-Antispam-Report: CIP:188.XXX.188.64;IPV:NLI;CTRY:IT;EFV:NLI;
>> *SFV:SPM*;SFS:(8046002)(3158022)(106034)(300031)(
>> 438002)(286005)(596005)(189002)(199003)(125075)(
>> 429011)(7066003)(43066003)(53346004)(606005)(42882006)(
>> 1981051)(6916009)(956001)(500011)(110136004)(
>> 6506006)(236005)(6306002)(146002)(733005)(564073)(
>> 6512007)(54896002)(9686003)(356003)(966004)(8676002)(
>> 7596002)(32003)(7906003)(1096003)(173073)(6392003)(
>> 50986999)(7846003)(54356999)(400107014)(7636002)(
>> 6486002)(110446001)(74482002)(2501003)(345071)(25786009)
>> (84326002)(33646002)(47976999)(53416004)(85226003)(2351001)(
>> 106466001)(19627405001)(118246002)(50919006)(69026009);DIR:INB;SFP:;
>> *SCL:5*;SRVR:AM5P193MB0225;H:mx64.redacted.it;FPR:;SPF:Pass;MLV:nov;MX:1;
>> A:1;PTR:mx64.redacted.it;*CAT:SPM*;LANG:it;
>>
>
> Both IP are used since more than an year, with almost constant volume and
> the first IP was working "fine" until a couple of days ago.
>
> From the 2 couple of headers I guess the problem is the IP itself but
> Microsoft support simply told me something like they "don't see anything
> 'offhand' that would prevent email from my IP from reaching their
> customers" or "per their research, my IP is currently not under any active
> block lists from their end".
>
> Both IP are listed in RFC-Clueless because the reverse domain has its own
> email hosted on GSuite  and RFC clueless list all of them (but they are
> both listed).
>
> The only public blocklist where the first IP is listed while the second is
> not listed is webiron and specifically 

[mailop] Microsoft spam folder issue (Forefront?) for a specific IP

2017-04-26 Thread Stefano Bagnara
Hi all,

I have an issue with email *delivered* but to the *spam folder* to
Microsoft (both Hotmail/Outlook.com and Office365/Exchange online
platforms).

I already used the form (Microsoft ticket is SRX1383552039ID) but I keep
receiving human but "standard" responses asking me the SMTP error (even if
I start telling them the email is delivered to their spam folder and I also
attach full message headers) or telling me to use SNDS and JMRP (that I
already use).

I send the very same email from 2 completely different IPs: one IP delivers
it correctly, the other, instead, ends up in the spam folder.

Microsoft replied that the IP is not listed/blocked in any way from them
but they didn't provide any hint why one IP is able to deliver it in inbox
while the other is not able to do that (they both delivered to inbox in
past).

The IPs are transactional, have less than 500 messages per day (to
microsoft) and are "Green" and with no complaint and no spam traps in the
last 90 days in the SNDS report. SNDS in "IP Status" says "All of the
specified IPs have normal status."

I see the one delivered to inbox have the following headers added by
microsoft:

> SpamDiagnosticOutput: 1*:5*
> SpamDiagnosticMetadata: Default*:2*
> X-Microsoft-Antispam-Mailbox-Delivery:
>   abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;
> *dest:I*;WIMS-SenderIP:213.XXX.189.13;WIMS-SPF:app%
> 2eredacted%2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%40gmail%
> 2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted
> %2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140);


While the one being classified as spam has this header:

> SpamDiagnosticOutput: 1:*22*
> SpamDiagnosticMetadata: *Default*
> X-Microsoft-Antispam-Mailbox-Delivery:
>   abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;
> *dest:J*;WIMS-SenderIP:*188.XXX.188.64*;WIMS-SPF:app%2eredacted
> %2eit;WIMS-DKIM:gmail%2ecom;WIMS-822:redacted2%40gmail%
> 2ecom;WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted
> %2eit;WIMS-AUTH:PASS;ENG:(5061607094)(102400140)
> *(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;*


On office365 I see

X-Forefront-Antispam-Report: IP:213.XXX.189.13;IPV:NLI;CTRY:IT;EFV:NLI;
> *SFV:NSPM*
> ;SFS:(8196002)(3158022)(300031)(106034)(438002)(596005)(286005)(189002)(199003)(47976999)(429011)(54356999)(43066003)(7636002)(50986999)(2501003)(400107014)(356003)(110446001)(85226003)(146002)(19627405001)(966004)(19618635001)(106466001)(1096003)(7846003)(74482002)(84326002)(125075)(606005)(7906003)(53416004)(6486002)(118246002)(7596002)(6392003)(733005)(42882006)(6916009)(7066003)(6506006)(34003)(564073)(1981051)(33646002)(9686003)(345071)(53346004)(173073)(25786009)(8676002)(6306002)(236005)(500011)(110136004)(6512007)(2351001)(54896002)(956001)(50919006);DIR:INB;SFP:;
> *SCL:1*;SRVR:DB6P193MB0232;H:ms13.redacted.it
> ;FPR:;SPF:Pass;MLV:nov;MX:1;A:1;PTR:ms13.redacted.it;LANG:it;


vs

X-Forefront-Antispam-Report: CIP:188.XXX.188.64;IPV:NLI;CTRY:IT;EFV:NLI;
> *SFV:SPM*
> ;SFS:(8046002)(3158022)(106034)(300031)(438002)(286005)(596005)(189002)(199003)(125075)(429011)(7066003)(43066003)(53346004)(606005)(42882006)(1981051)(6916009)(956001)(500011)(110136004)(6506006)(236005)(6306002)(146002)(733005)(564073)(6512007)(54896002)(9686003)(356003)(966004)(8676002)(7596002)(32003)(7906003)(1096003)(173073)(6392003)(50986999)(7846003)(54356999)(400107014)(7636002)(6486002)(110446001)(74482002)(2501003)(345071)(25786009)(84326002)(33646002)(47976999)(53416004)(85226003)(2351001)(106466001)(19627405001)(118246002)(50919006)(69026009);DIR:INB;SFP:;
> *SCL:5*;SRVR:AM5P193MB0225;H:mx64.redacted
> .it;FPR:;SPF:Pass;MLV:nov;MX:1;A:1;PTR:mx64.redacted.it;*CAT:SPM*;LANG:it;
>

Both IPs have been in use for more than a year, with almost constant volume, and
the first IP was working "fine" until a couple of days ago.

From the 2 couple of headers I guess the problem is the IP itself but
Microsoft support simply told me something like they "don't see anything
'offhand' that would prevent email from my IP from reaching their
customers" or "per their research, my IP is currently not under any active
block lists from their end".

Both IPs are listed in RFC-Clueless because the reverse domain has its own
email hosted on GSuite and RFC-Clueless lists all of them (but they are
both listed).

The only public blocklist where the first IP is listed while the second is
not listed is webiron and specifically their CABL list: AFAICT they are
currently listing the whole OVH network and my IP is from OVH (even if it
is an Assigned PA).

I'd appreciate any on-list or off-list contact by Microsoft or simply a
feedback/suggestions from other users that already saw something similar.

Stefano
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
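
The side-by-side header comparison in the original post can be automated. The following is an added example, not code from the thread or from Microsoft: it parses the `KEY:value;` layout visible in the posted headers and reports only the fields that differ. The function names, and the choice to strip folding whitespace and `*` emphasis markers, are assumptions of this sketch.

```python
"""Diff two Microsoft anti-spam verdict headers field by field."""
import re
from urllib.parse import unquote

RULE_FIELDS = {"SFS", "ENG"}  # values are runs of "(rule-id)" groups

# X-Microsoft-Antispam-Mailbox-Delivery values as posted in the thread
# (already redacted by the poster), split into shared and differing parts.
_LISTS = "abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;"
_WIMS = ("WIMS-SPF:app%2eredacted%2eit;WIMS-DKIM:gmail%2ecom;"
         "WIMS-822:redacted2%40gmail%2ecom;"
         "WIMS-PRA:sender%2bredacted2%2eredacted%2eit%40app%2eredacted%2eit;"
         "WIMS-AUTH:PASS;")
INBOX = (_LISTS + "dest:I;WIMS-SenderIP:213.XXX.189.13;" + _WIMS
         + "ENG:(5061607094)(102400140);")
JUNK = (_LISTS + "dest:J;WIMS-SenderIP:188.XXX.188.64;" + _WIMS
        + "ENG:(5061607094)(102400140)(102420017);"
        + "RF:JunkEmail;OFR:SpamFilterAuthJ;")


def parse_report(value: str) -> dict:
    """Parse 'KEY:value;KEY:value;...' into a dict.

    Assumption: folding whitespace and '*' markers added by a mail client
    are noise and can be dropped. Rule-list fields become sets of IDs;
    %xx escapes (used in the WIMS-* fields) are decoded.
    """
    flat = re.sub(r"[\s*]+", "", value)
    fields = {}
    for item in filter(None, flat.split(";")):
        key, _, val = item.partition(":")  # split on the first colon only
        if key in RULE_FIELDS:
            fields[key] = set(re.findall(r"\((\d+)\)", val))
        else:
            fields[key] = unquote(val)
    return fields


def diff_reports(a: str, b: str) -> dict:
    """Return {field: (a_value, b_value)} for every field that differs.

    For rule-list fields the tuple holds the rule IDs unique to each side;
    a field missing on one side is reported as None.
    """
    fa, fb = parse_report(a), parse_report(b)
    out = {}
    for key in sorted(fa.keys() | fb.keys()):
        va, vb = fa.get(key), fb.get(key)
        if va == vb:
            continue
        if key in RULE_FIELDS:
            va, vb = va or set(), vb or set()
            out[key] = (sorted(va - vb), sorted(vb - va))
        else:
            out[key] = (va, vb)
    return out


if __name__ == "__main__":
    for field, (inbox, junk) in diff_reports(INBOX, JUNK).items():
        print(f"{field:15} inbox={inbox!r:20} junk={junk!r}")
```

The same functions accept the `X-Forefront-Antispam-Report` values; there the diff reduces the long `SFS` lists to the rule IDs present on only one side.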