NinerNet Communications™
System Status

Server and System Status

NC036: Significant issue with delivery of email to Microsoft-hosted domains

21 June 2024 03:51:33 +0000

Yesterday, 20 June 2024, multiple clients began contacting us to report that email they were sending to certain domains was bouncing. We responded as usual by routing messages to the problem domains via our secondary SMTP server. In other words, this wasn’t an unusual experience, and we mitigated it immediately as we always do.

However, it very quickly became apparent that all of the problem destination domains in these multiple reports were hosted by a single hosting provider: Microsoft … or Outlook, or Hotmail, or however they’d like to be known today.

As we’ve said to our clients for many years, fighting spam is a never-ending battle. It’s a big issue for hosting companies big and small; however, the power of small hosting companies like NinerNet to deal with massive companies like Microsoft, Gmail, Yahoo, etc., is almost non-existent. Actually, it’s not almost non-existent, it is totally non-existent. For many years NinerNet has been (and still is) a member of or participant in the Outlook.com “Smart Network Data Services” system. This was supposed to give small providers like NinerNet access to the decision makers at Microsoft (the so-called postmaster[s]) so that we could work out issues together as if we were all grown-ups. However, it has never actually worked that way. Instead, the big hosting providers listed above treat companies like NinerNet with disdain. After all, we’re competitors, and every client who hosts with NinerNet takes away revenue from the big boys.

The rest of this blog post is lengthy, and goes into a fair bit of detail. The summary is that a huge email hosting provider (Microsoft) has suddenly made sending email to them very difficult for us, but NinerNet has done and is doing everything we can to provide a working service to our clientele.

Today we find we’re in a situation where one of the biggest email hosting companies in the world — owned and run by Microsoft — is refusing email from companies like NinerNet. This is anti-competitive, which you wouldn’t expect from a company headquartered in a country where the competitive marketplace is supposed to trump (pardon the pun) everything else.

The bounce messages generated by the failed deliveries offer a “delisting” service, purely because Microsoft seems to actually realise that they have acted with a very heavy hand in this instance. However, when we tried for the third time to get our mail server’s IP address delisted, the automated response we got was that, “The IP address in question is not currently blocked in our system.” This is interesting.

What we believe has happened here is that Microsoft are using a blacklist that includes every single one of the IP addresses owned by the company where a number of our servers (including our primary mail server) are physically located, and have been located for about eight years. This company is Digital Ocean. Why are all of Digital Ocean’s IP addresses blacklisted? Good question. The summary seems to be that Digital Ocean has no interest in dedicating resources to keeping spammers off of their servers. This results in their telling their customers (like NinerNet) that they should send all email out via third parties. This is a ridiculous and expensive requirement, of course, because that is not how the Internet was designed several decades ago, and it’s not how NinerNet operates or has ever operated. When this requirement was forced on us by another data centre company many years ago (Interland), we refused and moved our business elsewhere. For sometime now we have known that the data centre for our next mail server would not be a Digital Ocean data centre but, strangely enough, Microsoft didn’t give us any notice of this change in their practices. And as you know if you’ve been a NinerNet client for any length of time, moving email hosting to a new server is no small undertaking.

The result of Digital Ocean doing nothing to keep spammers out of their data centres is that their IP addresses (including ours) have been elevated from UCEPROTECT Level 0, to Level 1, to Level 2 and finally (over time) to Level 3. UCEPROTECT describes Level 3 as listing the “IP Space of the worst ASNs”. (An ASN is a “Autonomous System Number”, “an identifier for a collection of IP networks and routers under the control of one entity”. [Wikipedia.]) So NinerNet’s mail server is in a blacklist, not because of something we or one of our clients have done (or not done), but because Digital Ocean fails to do anything to keep spammers off of their systems.

For sometime we have known about the fact that UCEPROTECT has a system by which companies like NinerNet, who have no track record of providing safe harbour to spammers, can have their IP address(es) whitelisted, so that we are essentially excluded from the Level 3 blacklisting of all Digital Ocean IP addresses. Previously we chose not to do this because of the added expense, and we preferred to spend money on other ways (described in the first paragraph of this post) of mitigating this problem. However, we have broken down and paid a fee to UCEPROTECT to have our IP address whitelisted.

Therefore, if we are correct in deducing the cause of the current problem, we expect that email to domains hosted by Microsoft will be delivered without hindrance starting by about 04:18 UTC today, 21 June 2024.


Update, 2024-06-22: We thought that our having paid for an exception to the UCEPROTECT blacklist had solved the problem. And it does seem to have solved the problem, for the most part. However, very oddly, messages to only some Microsoft-hosted domains are still being blocked with the exact same bounce message that directs senders to their article, “External senders – Use the delist portal to remove yourself from the blocked senders list and address 5.7.511 Access denied errors” at http://go.microsoft.com/fwlink/?LinkID=526655, which redirects to https://learn.microsoft.com/en-gb/defender-office-365/external-senders-use-the-delist-portal-to-unblock-yourself?redirectedfrom=MSDN. (The 5.7.511 error in the title does not appear to apply to the messages bounced from our server, as those errors are 5.7.1.) However, every time we try to have our mail server’s IP address delisted, the response we receive is, “The IP address in question is not currently blocked in our system.” So why are messages being blocked?!

This seems to be a ridiculous game of cat-and-mouse that Microsoft are playing instead of being open with people about what they are doing, and companies like NinerNet cannot do anything to counter that. It makes absolutely no sense, and doesn’t serve Microsoft, their customers, or NinerNet or our customers.

So in these circumstances, if you’re still having messages to Microsoft-hosted domains bounced — you will know if you see references to Outlook(.com) and Microsoft(.com) in the bounce message — please forward the bounce message(s) to NinerNet support and we will add the problem domains to the mail server configuration that redirects messages sent to those domains via our secondary SMTP server. This is the same procedure that we followed previously, but we were hoping to avoid that procedure by buying our way out of the UCEPROTECT blacklist. However, at least now the number of Microsoft-hosted domains that we have to add to our mail server configuration should be far less than previously.

Again, we apologise to you, our clients, for this non-consensual position in which Microsoft has put us and many small hosting companies around the world.

Update, 2024-06-28: Over the last week we have added a grand total of 21 domains to our mail server’s configuration to redirect outgoing messages to them via our secondary mail server. In that time we have learned that there is no consistency to the problem. Sometimes mails that are blocked are delivered five minutes later if the sender retries, without our adding that domain to our mail server’s configuration. And delivery succeeds to some Microsoft-hosted domains consistently without any intervention by us. There’s nothing more frustrating than an inconsistent problem that is not possible to troubleshoot.

So at this point it seems that we are back to the point we were at before this incident started. Here is a summary of what has transpired:

  • All emails to Microsoft-hosted domains started bouncing.
  • We paid to be removed from a blacklist that we thought might be the cause.
  • This seemed to help to some extent, but over the course of the next few days we added 21 destination domains to our mail server’s configuration to direct messages to those domains via our secondary mail server.
  • We are still exploring alternative ways of automatically determining the MX record of destination domains and automatically redirecting mail to Microsoft-hosted domains via our secondary mail server.
  • We are also still looking for ways to contact Microsoft to determine the cause of this issue, but we hold out little hope of doing that.
  • This server will be replaced in the near term. To that end we will be looking for a data centre where we won’t run into the issue of all of their IP addresses being blacklisted as is the case where our primary mail server is currently located on a Digital Ocean IP address.

As always, if you have mail you send bounced by Microsoft, please forward the bounce message to support and we will add the destination domain to our mail server’s configuration. We appreciate your patience and continued patronage.

NC036: Planned data centre maintenance

15 February 2024 05:14:21 +0000

There is planned network maintenance, “to improve performance and scalability”, for the data centre in Amsterdam where server NC036 (our primary mail server) is located. This maintenance is not expected to result in any downtime, but if any issues arise “affected [servers] may experience increased latency or a brief disruption in network traffic.” This will take place on Tuesday 27 February 2024 from 16:00 to 20:00 UTC. This is 08:00 to 12:00 Pacific Time and 18:00 to 22:00 Central Africa Time on the same date.

If you’d like to calculate this for any other location, please use the World Time Server.

We only post this to ensure you’re aware of the reason for any possible issues in advance. However, based on previous experience, we don’t anticipate any issues.

If you have any questions, please do contact NinerNet support. Thank-you.

All servers: Company SSL/TLS certificates on all servers renewed and updated

15 January 2024 04:24:46 +0000

The *.niner.net wildcard SSL/TLS certificate has been renewed and updated across our entire infrastructure, although we apologise for being about four hours late. This should be seamless for all our clients. However, should you run into a situation in the next 24 hours where you’re told that the certificate has expired, please log out and reload whatever it is you’re trying to do. You may need to reboot, but this would be very unusual. Simply forcing a reload should clear things up. Via FTPS you may need to re-trust our certificate depending on your FTP client.

This doesn’t affect certificates on your own domain on your website, just NinerNet services such as control panels and connecting to the mail and FTP servers.

If you have any questions or concerns, please do contact NinerNet support with any error messages you may be seeing. Thank-you.

All servers: Company SSL/TLS certificates on all servers renewed and updated

14 January 2023 23:27:28 +0000

The *.niner.net wildcard SSL/TLS certificate has been renewed and updated across our entire infrastructure. This should be seamless for all our clients. However, should you run into a situation in the next 24 hours where you’re told that the certificate has expired, please log out and reload whatever it is you’re trying to do. You may need to reboot, but this would be very unusual. Simply forcing a reload should clear things up. Via FTPS you may need to re-trust our certificate depending on your FTP client.

This doesn’t affect certificates on your own domain on your website, just NinerNet services such as control panels and connecting to the mail and FTP servers.

If you have any questions or concerns, please do contact NinerNet support with any error messages you may be seeing. Thank-you.

NC033: Data centre maintenance

22 March 2022 09:31:57 +0000

The data centre at which server NC033 (our primary nameserver, ns1.niner.net) is housed will be undergoing some maintenance tomorrow, 23 March, between 05:00 and 08:00 UTC. The work is on the data centre’s network infrastructure, and not on this server itself. The data centre released this statement:

These upgrades are designed and tested to be seamless and we do not expect any impact to customer traffic due to this maintenance. Should an unexpected issue arise, a possible outcome would be temporary loss of connectivity …. We will endeavour to keep any such impact to a minimum.

The data centre managers have had a good reputation for reliability in the six years we have been using them, so we do not anticipate any issues. However, if there are, we expect they will be very brief.

If you have any questions or concerns, please contact NinerNet support. Thank-you.

NC041: Maintenance post-mortem

8 February 2022 07:39:37 +0000

Our apologies for not following up this issue within the promised 48 hours.

This issue was traced to a problem with a single website hosted on this server, and the modifications made to this website’s file system. What was done within one account’s file system should not have affected the whole server though, and as a result we have filed a bug report with the control panel vendor.

We do again apologise for this issue, and will endeavour to ensure that it does not become an issue again.

If you have any questions at all about this maintenance, please let us know by contacting NinerNet support. Thank-you for your patience, and continued patronage.

NC041: Primary web server back online

24 January 2022 05:51:20 +0000

The primary web server (NC041) is again online. It was down for 39 minutes between 05:05 and 05:44 UTC. We’re investigating why this incident happened, and will post further details here within the next 48 hours. Our apologies for the inconvenience.

NC041: Primary web server is currently down

24 January 2022 05:11:56 +0000

The primary web server (NC041) is currently down following maintenance. We are investigating. This does not affect email.

All servers: Company SSL/TLS certificates on all servers renewed and updated

14 January 2022 12:26:04 +0000

The *.niner.net wildcard SSL/TLS certificate has been renewed and updated across our entire infrastructure. This should be seamless for all our clients. However, should you run into a situation in the next 24 hours where you’re told that the certificate has expired, please log out and reload whatever it is you’re trying to do. You may need to reboot, but this would be very unusual. Simply forcing a reload should clear things up. Via FTPS you may need to re-trust our certificate depending on your FTP client.

This doesn’t affect certificates on your own domain on your website, just NinerNet services such as control panels and connecting to the mail and FTP servers.

If you have any questions or concerns, please do contact NinerNet support with any error messages you may be seeing. Thank-you.

NC036: Maintenance port-mortem

16 October 2021 10:41:00 +0000

As stated previously, the maintenance on server NC036 is complete, and has been successful.

That said, it had to be carried out earlier than scheduled because disk space on the server was the issue that was causing a problem. To be clear, the disk space used by email accounts was not and is not the issue (that’s on a separate disk), it was the disk space used by the operating system and the logs in particular. When this problem was noticed earlier this week we projected that addressing the issue during our regular weekend maintenance window on Saturday evening UTC would be sufficient. Well, we were wrong. As soon as it became clear that our temporary mitigation efforts were failing to keep up with the rate at which disk space was being consumed (mostly by the aforementioned logs), we immediately implemented the maintenance that we had planned and already practised on a test server. This practice paid off, as instead of allowing an hour for the maintenance to complete, we were done in four minutes, including a server reboot.

That said, the lack of disk space on the server did cause disruption in the rate at which mail was processed, that led to some of you getting errors when sending email, and some incoming email being delayed. For this we apologise. The backed-up mail queue was fully processed by 09:18 UTC.

Had our prediction held up and the maintenance been carried out this evening as scheduled, we wouldn’t even have needed to post this detail. However, in order to clear up any concern, we have.

Early in 2022 server NC036 is due to be considered for replacement. The experience of this issue and other issues we have run into in recent months will inform our decisions about where to locate the replacement server (hint: it won’t be in the current data centre) and various configuration improvements we can make. We’ll also, of course, be using a more current version of the control panel.

If you have any questions at all about today’s maintenance, please let us know by contacting NinerNet support. Thank-you for your patience, and continued patronage.

NinerNet home page

Systems at a Glance:


Loc.SystemStatusPing
Server NC023, London, United Kingdom (Relay server), INTERNAL.NC023InternalUp?
Server NC028, Vancouver, Canada (Monitoring server), INTERNAL.NC028InternalUp?
Server NC031, New York, United States of America (Web server), INTERNAL.NC031InternalUp?
Server NC033, Toronto, Canada (Primary nameserver), OPERATIONAL.NC033OperationalUp?
Server NC034, Lusaka, Zambia (Phone server), INTERNAL.NC034InternalUp?
Server NC035, Sydney, Australia (Secondary nameserver), OPERATIONAL.NC035OperationalUp?
Server NC036, Amsterdam, Netherlands (Mail server), OPERATIONAL.NC036OperationalUp?
Server NC040, Toronto, Canada (Web server), INTERNAL.NC040InternalUp?
Server NC041, New York, United States of America (Web server), OPERATIONAL.NC041OperationalUp?
Server NC042, Seattle, United States of America (Status website), OPERATIONAL.NC042OperationalUp?

Subscriptions:

RSS icon. RSS

Twitter icon. Twitter

Search:

 

Recent Posts:

Archives:

Categories:

Links

Tags:

.co.zm domains .com.zm domains .zam.co domains back-up bounce messages browser warnings connection issues control panel database dns dos attack dot-zm domains down time email email delivery error messages ftp hardware imap mail mailing lists mail relay mail server microsoft migration nameservers network networking performance php phplist pop reboot shaw shaw communications inc. smtp spam spamassassin ssl ssl certificate tls tls certificate viruses webmail web server

Resources:

On NinerNet: